My manual wireguard site to site solution worked but had latency issues. I wanted a more streamlined way to get my site to site VPN working properly. I decided to finally try out tailscale but didn’t want to rely on their servers, so I spun up headscale and hosted the control server myself.
My sites have disparate routers which don’t lend to installing the tailscale client, so I opted to spin up dedicated subnet router nodes and then tell the firewalls at each site to forward the routes for the other sites’ subnets to their local subnet router.
The documentation is quite good and it didn’t take long for me to get a working solution.
Configuration
- Install headscale
- Configure URL, DNS, ACL
- Allow all:
{} sudo docker exec headscale <command>
- Set up subnet routers
- Advertise routes:
sudo tailscale set --advertise-routes=192.0.2.0/24,198.51.100.0/24
- Advertise routes:
- Advertise exit node, specify login server, set hostname, accept routes
sudo tailscale up --hostname <HOSTNAME> --login-server=<HEADSCALE_URL> --accept-routes --advertise-exit-node
Troubleshooting
CONFIG_TUN error
is CONFIG_TUN enabled in your kernel? modprobe tun failed with: modprobe: FATAL: Module tun not found in directory /lib/modules/6.8.8-4-pve
Solution found here: https://diegocarrasco.com/install-tailscale-proxmox-lxc-container-almalinux-9
You need to edit the conf file for your LXC and allow/mount /dev/net/tun to your container:
vi /etc/pve/lxc/<LXC_NUMBER>.conflxc.cgroup2.devices.allow: c 10:200 rwm lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file