Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller
How to Setup The Tailscale VPN and Routing on pfsense

Linode Offer https://www.linode.com/homelabshow

How Tailscale Makes Managing Wireguard Easy

Forum Post With Commands
https://forums.lawrencesystems.com/t/setting-up-headscale-video-commands/14803

Headscale GitHub
https://github.com/juanfont/headscale

Headscale Linux Setup
https://github.com/juanfont/headscale/blob/main/docs/running-headscale-linux.md

Connecting With Us
—————————————————
+ Hire Us For A Project: https://lawrencesystems.com/hire-us/
+ Tom Twitter 🐦 https://twitter.com/TomLawrenceTech
+ Our Web Site https://www.lawrencesystems.com/
+ Our Forums https://forums.lawrencesystems.com/
+ Instagram https://www.instagram.com/lawrencesystems/
+ Facebook https://www.facebook.com/Lawrencesystems/
+ GitHub https://github.com/lawrencesystems/
+ Discord https://discord.gg/ZwTz3Mh

Lawrence Systems Shirts and Swag
—————————————————
►👕 https://lawrence.video/swag

AFFILIATES & REFERRAL LINKS
—————————————————
Amazon Affiliate Store
🛒 https://www.amazon.com/shop/lawrencesystemspcpickup

Ubiquiti Affiliate
🛒 https://store.ui.com/?a_aid=LTS

All Of Our Affiliates that help us out and can get you discounts!
🛒 https://www.lawrencesystems.com/partners-and-affiliates/

Gear we use on Kit
🛒 https://kit.co/lawrencesystems

Try ITProTV free of charge and get 30% off!
🛒 https://go.itpro.tv/lts

Use OfferCode LTSERVICES to get 10% off your order at
🛒 https://www.techsupplydirect.com?aff=2

Digital Ocean Offer Code
🛒 https://m.do.co/c/85de8d181725

HostiFi UniFi Cloud Hosting Service
🛒 https://hostifi.net/?via=lawrencesystems

Protect your privacy with a VPN from Private Internet Access
🛒 https://www.privateinternetaccess.com/pages/buy-vpn/LRNSYS

Patreon
💰 https://www.patreon.com/lawrencesystems

⏱️ Timestamps ⏱️
00:00 Headscale Tutorial
02:31 Headscale Documentation
03:01 Server Requirements
04:47 Customizing The Config File
07:30 headscale bash completion
08:13 Creating a Namespace
09:01 Creating keys
10:39 Allowing Routes
11:41 Node Web Registration
13:16 Testing Connections

21 comments
  1. How to Setup The Tailscale VPN and Routing on pfsense
    https://youtu.be/P-q-8R67OPY

    Linode Offer https://www.linode.com/homelabshow

    How Tailscale Makes Managing Wireguard Easy
    https://youtu.be/bcRVkoeSN0E

    Forum Post With Commands
    https://forums.lawrencesystems.com/t/setting-up-headscale-video-commands/14803

    Headscale GitHub
    https://github.com/juanfont/headscale

    Headscale Linux Setup
    https://github.com/juanfont/headscale/blob/main/docs/running-headscale-linux.md

    ⏱ Timestamps ⏱
    00:00 Headscale Tutorial
    02:31 Headscale Documentation
    03:01 Server Requirements
    04:47 Customizing The Config File
    07:30 headscale bash completion
    08:13 Creating a Namespace
    09:01 Creating keys
    10:39 Allowing Routes
    11:41 Node Web Registration
    13:16 Testing Connections

  2. tbh, I don't understand how you have not yet lost your respect for Netgate/pfSense after the FreeBSD wg driver drama. Let's hope it's not due to financial reasons.

    When the drama first broke out, I wasn't so mad when I found that Netgate had hired a troubled programmer to write this driver for FreeBSD. I saw the buggy code, including the `printf`s and hard-coded values that should never have been hard-coded unless you just want an MVP. At that time, I just blamed the troubled dev for being a lazy ass.

    But when one of Netgate's engineers (let's call him Mr. Nobody) published a blog post defending Netgate by referencing the company's (and to some extent, FreeBSD's) code review process, and mentioning that the reviewers had already greenlighted the clearly subpar code into the tree, I was hit with disgust.

    I knew this from the ArsTechnica article, and the disgust hit even harder when I saw the email thread between the ungrateful Mr. Nobody and our guy Jason Donenfeld. Jason was probably trying to help, and he did so by committing his own time and effort to unfuck Netgate's code by reimplementing the driver because the FreeBSD 13.0 release date was nearing.

    After all this, I finally realized that pfSense is actually just the PHP web UI. There's nothing technically innovative or challenging about the product, and the devs usually just work at a very high level of the software (they hired someone else for the wg driver after all). I began to understand how such bugs would pass code review: it's because the reviewers aren't competent at the low level. Donenfeld saw the code and knew it was wrong right away, after all. (So did I; who couldn't tell that those hard-coded `return true`s in functions are bad?)

    The event also killed my respect for FreeBSD, for letting this code into the tree without a proper review. FreeBSD is nowhere near the quality of OpenBSD. It's funny how FreeBSD devs and users frequently and loudly talk about how "BSD" code in general is more thoroughly reviewed, more correct, and of higher quality versus GNU and Linux. Man, this driver code wouldn't pass even my company's review process. I began to read more about FreeBSD security problems and decisions, and yeah, no more respect for it. And the reason they think their code is better and has fewer bugs is because fewer people are using it, let alone the edge cases.

    As a note, this is not some stupid attack:

    I've been a Linux user since 2018. My first BSD install was FreeBSD 12.0 on a ThinkPad X230 when 12.0 was released, and that made me admire pfSense. In 2020 I started using OpenBSD on my Vultr machines, and I fell in love instantly due to how everything is included in the base system without being bloated at all, how everything is straightforward, and problem-free. I have since used it for my personal website and got an OpenBSD Puffy tattoo on my shoulder. By 2020 my laptop/desktop/home server were all Arch Linux, because FreeBSD is not so practical on these platforms. Thank god I didn't get a FreeBSD tattoo.

    Seeing the drama unfold, I felt disillusioned. I began subscribing to your channel, I think, in 2019-20, and always thought highly of pfSense. I'm a dev and usually have to be the guy who sets up devops, and I always watched your channel for all the good stuff you posted.

  3. While it's always preferred to self-host these things, I feel it is too much trouble and not ready at this stage. I will keep an eye on its development. No iOS support is a deal breaker.

  4. Many thanks for this. Can you please share your config file? I followed all instructions but keep getting this error: "While parsing config: yaml: line 12: did not find expected key"

  5. I'm sorry; because I'm Chinese, my English is not very good. This sentence was translated by translation software, so please forgive me if there are grammatical errors.
    May I ask, how does headscale set the Exit Node? I want to use my home network node's traffic while outside.

  6. Acceptable alternative to Tailscale's own management control plane, but who would want to add an extra tool to manage unless the organisation has plenty of money to hire an employee and pay 💰

  7. I like the concept behind headscale. The fact that it runs wireguard really ruffles my jimmies. The only issue is that it is not scalable yet. Excited to see headscale mature. I've been running zerotier for a while and wish they would add wireguard support.

  8. Can Headscale support routing for Subnets on a Tailscale Client Node? For instance, if I have LXD or Docker Containers on a Tailscale Client Node, they will be on their own 10.x.x.x networks.
    If there are multiple of these Client Nodes (possibly in different clouds or Data Centers), can the 10.x.x.x Containers on one Node talk Layer 2 to Containers on a different Node?

  9. headscale_1 | 2022-07-30T16:10:45Z FTL go/src/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key: failed to save private key to disk: open : no such file or directory

  10. I set this up last night and struggled a lot, but once I did, it works so well. I've not yet figured out how to add my own DERP servers, but I will keep trying it out. It is impressive how well the Let's Encrypt certificates work out of the box without any tinkering.