Tailscale Setup

Updating this to correct a few things, and also to not encourage a single command for fetching a script and running it without checking it first. I will leave the original authors on here in case it still works for a previous version of qubes. The way I am adding works for 4.2.1

Create template and install Tailscale:
Create a new template VM to install tailscale into, I will be using a Fedora-39 template as the base for the new template. Inside that new template, we will follow the directions on the Tailscale website with some modifications, the link is there for if you’d like to verify.

sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo
sudo dnf install tailscale
sudo systemctl stop tailscale

It will ask you to verify Tailscale’s signing key fingerprint before it installs, which will look like this:

Importing GPG key 0x957F5868:
 Userid     : "Tailscale Inc. (Package repository signing key) <info@tailscale.com>"
 Fingerprint: 2596 A99E AAB3 3821 893C 0A79 458C A832 957F 5868
 From       : https://pkgs.tailscale.com/stable/fedora/repo.gpg
Is this ok [y/N]: 

Confirm that fingerprint is correct and respond y. Frustratingly they don’t post that on their website, but web of trust it and search around to make sure it is accurate.

Set up sys-tailscale:
Now create an app-vm based on your new tailscale template you just made. Make sure you check the box for provides network to other qubes. I called mine sys-tailscale. Start up a terminal for sys-tailscale and set up your bind-dirs to have the login persist across reboots:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
sudo nano /rw/config/qubes-bind-dirs.d/50_user.conf

Yes, I know, nano, get over it, it works well lol. Within 50_user.conf add the following:

binds+=( '/var/lib/tailscale' '/var/cache/tailscale' '/var/log/tailscale' '/etc/default/tailscaled' )

Now time to finish setting up your binds. In order to do that we need to create those directories we added to 50_user.conf

sudo mkdir -p /rw/bind-dirs/var/lib/tailscale
sudo mkdir -p /rw/bind-dirs/var/cache/tailscale
sudo mkdir -p /rw/bind-dirs/var/log/tailscale
sudo mkdir -p /rw/bind-dirs/etc/default/tailscaled

Now lets check to make sure we got it right:

[user@tailscale-checker ~]$ tree /rw/bind-dirs/
├── etc
│   └── default
│       └── tailscaled
└── var
    ├── cache
    │   └── tailscale
    ├── lib
    │   └── tailscale
    └── log
        └── tailscale

Set up the commands we need in rc.local to have Tailscale set up and running on reboot

sudo nano /rw/config/rc.local

Add the following two lines at the bottom of the file

systemctl start tailscaled
tailscale up

You do not need to use add sudo on there on the commands in rc.local. I reboot sys-tailscale at this point, probably not necessary I just like to verify everything is there before logging in.

Log in to Tailscale

sudo tailscale up

It will now prompt you to login in to a link it provides. Do that, then once you have logged in make sure to activate the machine in your Tailscale admin console

Check to make sure you are logged in:

tailscale status

If you are logged in you should see the list of your machines running Tailscale starting with their IPs.

Now time to reboot again and make sure your login persisted. Once rebooted just run tailscale status again, and if all went well you will still be logged in.

You are now done and have a working sys-tailscale that you can use as the net vm for any qube you want to give access to your tailnet.

This document was migrated from the qubes-community project
  • Page archive
  • First commit: 18 Feb 2023. Last commit: 18 Feb 2023.
  • Applicable Qubes OS releases based on commit dates and supported releases: 4.1
  • Original author(s) (GitHub usernames): kennethrrosen
  • Original author(s) (forum usernames): @kenosen
  • Document license: CC BY 4.0

Followed community guide to install tail scale in template, and bind relevant directory/modify config of an app vm.

I assume that the chmod 777 needs to be applied to 50_user.conf and
“binds+=( ‘/var/lib/tailscale’ )” needs to be entered into the file body.

I have completed the steps. Rebooted and see that my app qube is listed in my tailscale devices. I also enabled a pfsense to advertise one network.

The pfsense tailscale IP however is not reachable from my appvm, I am unable to ping it or connect to services on that network from qubes.

Is the guide incomplete, what must be changed to successfully connect tailscale devices ?

1 Like

Moved your post to the corresponding topiic, so the discussion is easy to find for users

1 Like

I am updating this so that it will work, but I left the original authors version on there also in case it works for others. Big thank you to apparatus for helping me figure out why I couldn’t get Tailscale working

I’ve edited the headline as a spelling error was introduced, and removed the older, quicker setup.


For what it’s worth, I followed the other thread and couldn’t figure out why these issues were occuring for you. I use the original method and still never have issues, 4.1-4.2, and on. Glad it’s now working as intended!

Has anyone been able to setup a firewall on an appVM running Tailscale to limit outgoing connections to only other systems running Tailscale?

I have Tailscale running in an appVM at the moment and am able to use Taildrop without issue with the firewall set to allow all outgoing connections.

I tried to limit outgoing connections to However after doing that Taildrop stops working.