Tailscale Setup

Updating this to correct a few things, and also to not encourage a single command for fetching a script and running it without checking it first. I will leave the original authors on here in case it still works for a previous version of qubes. The way I am adding works for 4.2.1

Create template and install Tailscale:
Create a new template VM to install tailscale into, I will be using a Fedora-39 template as the base for the new template. Inside that new template, we will follow the directions on the Tailscale website with some modifications, the link is there for if you’d like to verify.

sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo
sudo dnf install tailscale
sudo systemctl stop tailscale

It will ask you to verify Tailscale’s signing key fingerprint before it installs, which will look like this:

Importing GPG key 0x957F5868:
 Userid     : "Tailscale Inc. (Package repository signing key) <info@tailscale.com>"
 Fingerprint: 2596 A99E AAB3 3821 893C 0A79 458C A832 957F 5868
 From       : https://pkgs.tailscale.com/stable/fedora/repo.gpg
Is this ok [y/N]: 

Confirm that fingerprint is correct and respond y. Frustratingly they don’t post that on their website, but web of trust it and search around to make sure it is accurate.

Set up sys-tailscale:
Now create an app-vm based on your new tailscale template you just made. Make sure you check the box for provides network to other qubes. I called mine sys-tailscale. Start up a terminal for sys-tailscale and set up your bind-dirs to have the login persist across reboots:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
sudo nano /rw/config/qubes-bind-dirs.d/50_user.conf

Yes, I know, nano, get over it, it works well lol. Within 50_user.conf add the following:

binds+=( '/var/lib/tailscale' '/var/cache/tailscale' '/var/log/tailscale' '/etc/default/tailscaled' )

Now time to finish setting up your binds. In order to do that we need to create those directories we added to 50_user.conf

sudo mkdir -p /rw/bind-dirs/var/lib/tailscale
sudo mkdir -p /rw/bind-dirs/var/cache/tailscale
sudo mkdir -p /rw/bind-dirs/var/log/tailscale

Now lets check to make sure we got it right:

[user@tailscale-checker ~]$ tree /rw/bind-dirs/
/rw/bind-dirs/
└── var
    ├── cache
    │   └── tailscale
    ├── lib
    │   └── tailscale
    └── log
        └── tailscale

Set up the commands we need in rc.local to have Tailscale set up and running on reboot

sudo nano /rw/config/rc.local

Add the following two lines at the bottom of the file

systemctl start tailscaled
tailscale up

You do not need to use add sudo on there on the commands in rc.local. I reboot sys-tailscale at this point, probably not necessary I just like to verify everything is there before logging in.

P.S: Instead of modifying rc.local, you can enable the service in the template with sudo systemctl enable tailscaled. In fact, it is enabled by default, so this step is excessive.

Log in to Tailscale

sudo tailscale up

It will now prompt you to login in to a link it provides. Do that, then once you have logged in make sure to activate the machine in your Tailscale admin console

Check to make sure you are logged in:

tailscale status

If you are logged in you should see the list of your machines running Tailscale starting with their IPs.

Now time to reboot again and make sure your login persisted. Once rebooted just run tailscale status again, and if all went well you will still be logged in.

You are now done and have a working sys-tailscale that you can use as the net vm for any qube you want to give access to your tailnet.


This document was migrated from the qubes-community project
  • Page archive
  • First commit: 18 Feb 2023. Last commit: 18 Feb 2023.
  • Applicable Qubes OS releases based on commit dates and supported releases: 4.1
  • Original author(s) (GitHub usernames): kennethrrosen
  • Original author(s) (forum usernames): @kenosen
  • Document license: CC BY 4.0
1 Like

Followed community guide to install tail scale in template, and bind relevant directory/modify config of an app vm.

I assume that the chmod 777 needs to be applied to 50_user.conf and
“binds+=( ‘/var/lib/tailscale’ )” needs to be entered into the file body.

I have completed the steps. Rebooted and see that my app qube is listed in my tailscale devices. I also enabled a pfsense to advertise one network.

The pfsense tailscale IP however is not reachable from my appvm, I am unable to ping it or connect to services on that network from qubes.

Is the guide incomplete, what must be changed to successfully connect tailscale devices ?

2 Likes

Moved your post to the corresponding topiic, so the discussion is easy to find for users

1 Like

I am updating this so that it will work, but I left the original authors version on there also in case it works for others. Big thank you to apparatus for helping me figure out why I couldn’t get Tailscale working

I’ve edited the headline as a spelling error was introduced, and removed the older, quicker setup.

Summary

For what it’s worth, I followed the other thread and couldn’t figure out why these issues were occuring for you. I use the original method and still never have issues, 4.1-4.2, and on. Glad it’s now working as intended!

Has anyone been able to setup a firewall on an appVM running Tailscale to limit outgoing connections to only other systems running Tailscale?

I have Tailscale running in an appVM at the moment and am able to use Taildrop without issue with the firewall set to allow all outgoing connections.

I tried to limit outgoing connections to 100.0.0.0/8 However after doing that Taildrop stops working.

No need to mkdir -p /etc/default/tailscaled, because it is a file, not a directory. I edited the post to fix it.

To setup firewall of sys-tailscale, set at least these rules:

accept tcp *:443
accept udp *:3478
accept udp *:41641

See the official documentation for more information.

If it’s a file and then you still need to create the directory with file in bind-dirs e.g.:

sudo mkdir -p /rw/bind-dirs/etc/default/
sudo cp /etc/default/tailscaled /rw/bind-dirs/etc/default/

It looks like it’s created automatically.

I deleted the bind-dirs/etc directory, but after restarting it was created all the way down to the file.

But, of course, the changes began to be saved only after this file appeared. Your method also needs a restart to make the files linked, so I think my method is a bit simpler, but yours is more reliable, as it does not rely on automatic creation. So I’m not sure what would be the best practice here

The '/etc/default/tailscaled' in /rw/config/qubes-bind-dirs.d/50_user.conf won’t automatically create /rw/bind-dirs/etc directory, you need to do it manually.
You can check it in a new app qube.

Correction: if the file /etc/default/tailscaled exists in the template then the tailscaled file in /rw/bind-dirs/etc will be created automatically.

You also need to add

TS_DEBUG_FIREWALL_MODE=nftables

in /etc/default/tailscaled to use nftables. It may become unnecessary or incorrect in the future, so check the documentation.


To use Tailscale DNS, set nameserver 100.100.100.100 in /etc/resolv.conf in each App qube or set up dns forwarding in your nftables in sys-tailscale, as you would for VPN.

I wanted a way to get DNS working for any VM that’s using sys-tailscale for its networking, and I managed to get that done using nftables on the sys-tailscale VM (or more specially the TemplateVM). I documented the process here: Configure Tailscale DNS on Qubes OS · kalbasit