Artificial truth



Running tailscale inside of a proxmox container
Thu 08 July 2021

Since the war on COVID is going better than the war on drugs, odds are that I'll eventually be allowed to roam wild and free outside of my flat. Meaning that I'll need a VPN: I don't trust commercial ones, and maintaining a PKI sucks almost as much as dealing with IPsec or OpenVPN, so I gave tailscale's free plan a try, since I've heard good things about it, and a friend of mine is working there.

I'm using proxmox at home, with everything neatly packed into small unprivileged lxc containers, and since tailscale is packaged in Alpine Linux, deploying it shouldn't be much of a hassle.

The hardest part was allowing the container to use a TUN device, but fortunately, the kernel's documentation on the topic is pretty straightforward:

root@proxmox:~# ls -l /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Feb 12  2017 /dev/net/tun
root@proxmox:~# echo 'lxc.cgroup.devices.allow: c 10:200 rwm' >> /etc/pve/lxc/102.conf
root@proxmox:~# echo 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file' >> /etc/pve/lxc/102.conf
root@proxmox:~# pct enter 102
~ # apk add tailscale
~ # rc-update add tailscale
~ # echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
~ # echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
~ # sysctl -p /etc/sysctl.conf
~ # reboot

plus a couple of clicks in tailscale's admin interface, and everything just works: DNS, exit nodes, sharing, subnet routers, … it's glorious.
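The host-side part of the procedure above, wrapped into a small POSIX sh script so it can be re-run safely against several containers. This is an added example, not code from the original post or from Proxmox/tailscale: the function names (`tun_devnum`, `cgroup_devices_key`, `append_once`, `allow_tun`) are my own, and the container id, config directory and device path are parameters that default to the values used in the post. It reads the TUN device's major:minor from the host instead of hard-coding `10:200`, appends each config line only once, and picks `lxc.cgroup2.devices.allow` when the host runs the unified cgroup v2 hierarchy (the default since Proxmox VE 7), where the v1 `lxc.cgroup.devices.allow` key has no effect.

```shell
#!/bin/sh
# Added example (not from the original post): grant an unprivileged Proxmox LXC
# container access to the host's /dev/net/tun, idempotently.

# Print "major:minor" of a character device in decimal (stat reports hex).
tun_devnum() {
    dev="${1:-/dev/net/tun}"
    if [ ! -c "$dev" ]; then
        echo "$dev is not a character device" >&2
        return 1
    fi
    hex_major=$(stat -c '%t' "$dev")
    hex_minor=$(stat -c '%T' "$dev")
    printf '%d:%d\n' "0x$hex_major" "0x$hex_minor"
}

# Choose the devices-allow key. On a cgroup v2 (unified) host the file
# /sys/fs/cgroup/cgroup.controllers exists and LXC expects the "cgroup2" key;
# the v1 key is silently ignored there. The path is a parameter for testing.
cgroup_devices_key() {
    if [ -f "${1:-/sys/fs/cgroup/cgroup.controllers}" ]; then
        echo "lxc.cgroup2.devices.allow"
    else
        echo "lxc.cgroup.devices.allow"
    fi
}

# The two lines the post appends, parameterised on device number and key.
# The allow rule is scoped to this single device node, not "c *:* rwm".
tun_config_lines() {
    devnum="$1"
    key="$2"
    printf '%s: c %s rwm\n' "$key" "$devnum"
    printf 'lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file\n'
}

# Append a line to a file only if that exact line is not already present,
# so re-running the script does not pile up duplicate entries.
append_once() {
    line="$1"
    file="$2"
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# allow_tun <ctid> [conf_dir] [tun_dev]
# Defaults match the post: /etc/pve/lxc/<ctid>.conf and /dev/net/tun.
allow_tun() {
    ctid="$1"
    conf_dir="${2:-/etc/pve/lxc}"
    tun_dev="${3:-/dev/net/tun}"
    conf="$conf_dir/$ctid.conf"
    if [ ! -f "$conf" ]; then
        echo "no config for CT $ctid at $conf" >&2
        return 1
    fi
    devnum=$(tun_devnum "$tun_dev") || return 1
    key=$(cgroup_devices_key)
    tun_config_lines "$devnum" "$key" | while IFS= read -r line; do
        append_once "$line" "$conf"
    done
    echo "CT $ctid: TUN passthrough configured; restart the container to apply"
}

# Usage on the Proxmox host: sh allow_tun.sh 102
# Then check from the host that the guest sees the node: pct exec 102 -- ls -l /dev/net/tun
if [ $# -ge 1 ]; then
    allow_tun "$@"
fi
```

The two `sysctl` forwarding settings from the post are only needed inside the container when it will act as a subnet router or exit node; a plain client works without them. After restarting the container, `ls -l /dev/net/tun` inside it should show the same `10, 200` device node as on the host.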

Edit: the procedure is now documented on tailscale's website.