In this post, I'll talk about three features of tailscale: the ability to connect securely to devices on my home network, automatic DNS entry creation, and free TLS certificates for devices on my private network.
Tailscale is a mesh VPN product, meaning that devices on the network connect to each other directly, rather than through a central funnel like OpenVPN. To use Tailscale, you install a client which will establish an overlay network atop your existing network.
Tailscale is (as of this writing) free for up to 3 users and 100 devices. In my case, I want to expose my home linux server to my Macbook, which may be on the road with me. This lets me run heavier workloads without draining my laptop's battery (2013 was peak Macbook). Without additional configuration, this won't touch any of my regular internet traffic, and it won't expose my home linux server to the public internet - it will only be visible from other devices connected to tailscale on my account.
Note that we're not talking about using the VPN to browse the web anonymously. You can see here that my default route is unaffected, and only two CIDR blocks get routed through the tunnel.
Each machine is given an IP on the private network, as well as a human-friendly DNS entry based on the machine's hostname. For example, bowser.tail966571.ts.net resolves to the private IP of the linux machine on my home network, 100.102.249.68.
Setup is a two-part process.
On linux, a shell script will set up a daemon process and place the tailscale command in the $PATH.
On desktop systems, tailscale will run from the system tray.
Tailscale will issue free TLS certificates for your hosts using its own tailscale command line app. You'll need to enable the https beta in your tailscale settings at https://login.tailscale.com/admin/dns. With that done, setting TLS certificates for your node is as easy as running sudo tailscale cert.
This isn't quite "certbot" wizzy, but it's good enough for development, and easier than some of the other methods for trying to get certificates for a private network like using email verification or managing your own CA. Certificates will be generated for <hostname>.<your-tailscale-domain>.ts.net.
I have kubernetes workloads running on my linux machine, so I can import the certificates and create an ingress controller.
Et voila, I can develop remotely, securely, and no more untrusted browser warnings!
You can, of course, configure something line an nginx reverse proxy to use your tailscale-generated TLS certificates. Either way, we like the ease with which tailscale lets us establish a private network with simple DNS entries and TLS certificates, all at little or no cost.
Answers are just an email away. Drop us a line and the right person will get back to you as soon as possible.