Tom here from Lawrence Systems. I've talked a lot about overlay networks. I've talked about Tailscale specifically, including its latest integration into pfSense. Thanks to the pfSense team for developing that, and also thanks to the Tailscale team, who also offered to contribute to that. So there's definitely more development coming on it. But let's now talk about how to use Tailscale without actually using the Tailscale web control. Now, Tailscale is fully open source in terms of the client software, the way they do things, the protocol they use in the back end; they use, of course, WireGuard for facilitating the VPN connections. But what if you didn't want to use the Tailscale web interface? Well, that's where Headscale comes in, if you wanted to self-host it. But I want to start with some limitations. First, this is command line only. Second, it does not have current phone support. So as of now, July 2022, there is no ability to make this connect with your phone unless you take the time to compile the Android app yourself. I'm not sure how to do this, and currently I don't see any way to do this, I should say, for the Apple iOS one. So there are some limitations. And of course, if you're using this in Windows, there are a few manual registry settings you'll have to set. So those being out of the way, if you are interested in hosting the control plane for Tailscale, using Headscale to connect your Tailscale clients, that's what this video is going to be covering today. I will be leaving links down below to my previous videos on Tailscale and pfSense, and of course all the documentation, including a forum post where I'll have all these commands documented, so you can copy and paste them to make it pretty easy. They do have some documentation as well that I'll be referencing, and that's actually where we're going to get started.
But before we dive into those details, let's first: are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our hire-us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

Now the first and best place to start is always reading the documentation, and reading it properly. They just had a release two days ago of v0.16.0. That's the latest one, and that is what we're running right here. There are quite a few contributors to this project, and as I said, it's very actively developed. They have lots of descriptions here. They have a Discord server. They have descriptions of, as I said, what this is: a Tailscale front-end replacement. But as I said, there's no web interface, so we're going to go through all the commands. Now the first thing I want to mention is that we're going to be running this on Linux, specifically Ubuntu. That is a prerequisite: that you have a modern Linux distribution. I'm sure it works on a lot more than just Ubuntu because pretty much everything is self-contained in the binary. I'm not going to go through the details of compiling it. If you want to, they do have instructions on that.
Also, they have good instructions here on how to set up Headscale: where to put the binary when you download it, and then, a little further down, each of these steps to get it generally installed. I want to focus on the configuration because their documentation, all of this, is accurate. I followed these instructions. I went and got each of these, including the example configuration, but we'll go ahead and show you how I customized their example configuration. And then I also set it up so we have systemd set up, so we have it set up as a service that you can start and stop. I do encourage you to do this if you plan to make this permanent. If you don't, you can just go ahead and set it up to, you know, start by just running the binary with serve. Then it's not registered as a service at that point, but I went and followed all of these instructions. Do pay attention to this one right here in the config.yaml. I did change this just as it said, but I didn't find anything in here troubling or erroneous, or I would have actually reached out to them to correct it; all these instructions work perfectly fine. So let's start by talking about one more prerequisite, and we'll demonstrate that in the config file. And just for reference, I put Neofetch around this command so you can see that I'm running Ubuntu 20.04.4 LTS. Nothing special, no special install. I did not install anything else. So as a prerequisite, you don't need to install SQLite or ACME or any of the other things on here. We just downloaded the binary on a pretty generic install of Ubuntu. We're going to go ahead and look at this config.yaml and we'll talk about how I customized it. And that first step was setting up DNS so we can reach this IP address. Now I'm running this on a public IP in a DigitalOcean droplet. I also do support DigitalOcean; we have an affiliate link, or if you'd like to support the Homelab Show, we have an affiliate link for Linode to get you started.
But I do recommend you keep this in some type of publicly accessible IP space. Yes, you could run this in your home lab, but you have to make sure you have an accessible static IP address and then that you have DNS working, because DNS is an important key to making this all work properly. Specifically, we have the server_url as https://headscaledemo.lawrencesystems.com:443; you do have to specify the port. And please note it is HTTPS right here. And then we bound the listen_addr to 0.0.0.0, which means any IP address on here, port 443. This is critical because it has the ACME protocol built in for Let's Encrypt certificates; that's built into the binary. It's going to go out and get it, provided you have this properly set up and you have DNS working. And this will be our registration URL. Now, even though it's an HTTPS server, there's not going to be anything there. I'll show you the response you get when we get to that part, but there's no web page there. You're not servicing it through a web interface. This is all going to be command line driven. Everything else from here on down, for the most part, I left at default with a few minimal exceptions. So this is all the same, but I did want to enable the DERP server. As the comment says, it merges into the rest of the DERP config, and the Headscale server URL defined above must be using HTTPS; DERP requires TLS to be in place. So, enabled: true. You can look up what the DERP server is, but it's a way that it can support relaying if no other available way for these devices to communicate can be established. So I went ahead and enabled that. But as I said, that is an important reason you also need that to be working with HTTPS and Let's Encrypt. Scroll down a little further. These are all things I left at default. And we'll get down here. Now, in the instructions, you do not have to load SQLite or anything like that. It's all integrated. You just have to touch and create this particular file, db.sqlite. I will scroll down a little further.
And the TLS configuration for the Let's Encrypt ACME service. There's an ACME email address you'd like to have notifications sent to, and then your TLS Let's Encrypt hostname, which for me, again, is headscaledemo.lawrencesystems.com. Go on further. You have the cache. All this is at default, and everything else in the bottom here I left at default; nothing that I changed from the default config. Those are the only settings that really need to be changed within here. The next step I want to do is verify that the service is running, so systemctl status headscale.service, and I can see that it's up and running. And we're going to go ahead and close out of that. The next thing that I do recommend you do is bash completion. And the reason why is because there are a lot of different commands in here. So headscale, and if we type in completion, and I'm just hitting tab to do that, it shows you how to do the different systems for bash, fish, PowerShell or zsh. So if we type completion and we put bash after it, it will dump the bash completion necessary. And in order to actually get this working, the command for this is headscale completion bash, and we're outputting that to head-completion; call it what you want, head-completion seemed fun to me. And that allows you to add it to the bash_completion.d directory. And then when you log out and in, you will then have bash completion in there. So that's an optional step. But hey, why not? It makes my life easier. Now the next step is to create a namespace. And please note, if you're running headscale and you didn't install it as a service: if headscale's not running, these commands won't work. It does have to be running in the background, for those of you that may have just said, hey, I just want to kick off the binary, or just run the commands against the binary. It has to be operating in the background with a running status, as a service, in order for this to work.
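As an added example (my own code, not from the video or the headscale project), here is a small shell checker for the config.yaml settings the walkthrough changes: server_url on HTTPS, the listen_addr port matching the server_url port, the embedded DERP server only with TLS, and the Let's Encrypt hostname and ACME email consistent with the URL. Key names follow headscale's config-example.yaml; the sample hostname, email and temp-file handling are constructed for the demo, and the port-match rule assumes headscale is exposed directly, as in the video, rather than behind a reverse proxy.

```shell
#!/bin/sh
# Sanity-check the handful of config.yaml settings changed in the walkthrough.
# Added example, not part of headscale; key names follow config-example.yaml,
# the checks themselves are an assumption about a directly exposed server.

# Constructed sample config mirroring the settings described in the video
# (hostname and email are placeholders).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
server_url: https://headscaledemo.example.com:443
listen_addr: 0.0.0.0:443
derp:
  server:
    enabled: true
    region_id: 999
  urls:
    - https://controlplane.tailscale.com/derpmap/default
db_type: sqlite3
db_path: /var/lib/headscale/db.sqlite
acme_email: admin@example.com
tls_letsencrypt_hostname: headscaledemo.example.com
EOF

# yaml_scalar FILE KEY: value of a top-level "key: value" line, quotes stripped
yaml_scalar() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | sed -e 's/^"//' -e 's/"$//' | head -n 1
}

# derp_server_enabled FILE: the "enabled:" value inside the derp: block
derp_server_enabled() {
    awk '/^derp:/ { d = 1; next }
         d && /^[^ #]/ { d = 0 }
         d && /^ *enabled:/ { print $2; exit }' "$1"
}

# check_config FILE: returns 0 when the settings are consistent, 1 otherwise,
# printing one line per problem found.
check_config() {
    cfg=$1; rc=0
    url=$(yaml_scalar "$cfg" server_url)
    listen=$(yaml_scalar "$cfg" listen_addr)
    le_host=$(yaml_scalar "$cfg" tls_letsencrypt_hostname)
    email=$(yaml_scalar "$cfg" acme_email)
    derp=$(derp_server_enabled "$cfg")

    # host[:port] of server_url; https defaults to 443 when no port is given
    hp=${url#*://}; hp=${hp%%/*}
    url_host=${hp%%:*}
    case $hp in *:*) url_port=${hp##*:} ;; *) url_port=443 ;; esac
    listen_port=${listen##*:}

    case $url in
        https://*) ;;
        *) echo "server_url must be https:// (got '$url')"; rc=1 ;;
    esac
    if [ "$derp" = true ] && [ "${url#https://}" = "$url" ]; then
        echo "derp.server.enabled is true but server_url is not https; DERP needs TLS"; rc=1
    fi
    if [ "$listen_port" != "$url_port" ]; then
        echo "listen_addr port $listen_port does not match server_url port $url_port"; rc=1
    fi
    if [ -n "$le_host" ]; then
        [ "$le_host" = "$url_host" ] || { echo "tls_letsencrypt_hostname '$le_host' != server_url host '$url_host'"; rc=1; }
        [ -n "$email" ] || { echo "acme_email is empty but Let's Encrypt is configured"; rc=1; }
    fi
    return $rc
}

check_config "$SAMPLE_CFG" && echo "config OK"
```

Run it against your real file with `check_config /etc/headscale/config.yaml` before starting the service; an HTTP server_url or a hostname that does not match the certificate request is exactly the kind of mistake that leaves the ACME step failing silently until a client tries to register.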
That's why I made sure the service was running. So headscale namespaces create LTS demo, press enter: namespace created. So now we can go headscale, and we'll say namespaces, and I think list is one of the commands; autocomplete will finish that for me. Hey, great. We now have a namespace. The next step: we're going to register my pfSense box first, and by doing that, we need to create a key for registration for pfSense. So let's go ahead and get this key created. And the command for that is going to be headscale, with the namespace LTS demo, the one we just created, preauthkeys create, at an expiration time of 10 minutes. This is kind of up to you, how long you want the expiration to last. I say 10 minutes because, well, I can get that key completed in 10 minutes. There are other flags you can use such as reusable. So you can create a reusable key to register many things at once and maybe have them expire in 10 minutes. But please note, if you do reusable keys, that means a lot of systems can be registered to here, and that may or may not be ideal. By doing one key at a time, once that key is used, that device is registered and we have to generate a new key, just kind of for security. I feel like creating one key at a time, but if you're doing a large scale-out system, yeah, you may have to create quite a few of them. So let's go ahead and create that key. Then we're just going to copy this key, and we're going to put it over here in pfSense by pasting it here. Please note the login server I've changed from the default that pfSense has, to https://headscaledemo.lawrencesystems.com. Please note the S is in there as well, so we're doing a secure one, and we're going to go ahead and hit save. Now, Tailscale is not running until you go back over here, and we're going to hit save again and refresh. And it's working now. Now, something of note: advertise exit node is on, but accept subnet routes is not on. But advertised routes is the reason that's important.
I would like to advertise this route, and by default, even though this node is now registered and advertising routes, they're not going to be accepted. So the next couple of steps are going to be: one, make sure the node's online, which the node already told me it is, and secondly, making sure we are allowed to accept those routes. So we'll do a headscale nodes list, and shrink the screen a little bit here so you can see when all the columns are lined up. It looks like that. Go ahead and make it big again so it's easier to read. But yes, that node's registered. It's online. It's registered as node 1. That's important because now we need to do a headscale routes list. You notice it doesn't really list anything. I need to list the identifier of the node. So -i, and then we're going to say it's node 1. So there we go. But now we have to enable it, because this only identified that this node is advertising routes; to actually enable them, we're going to go headscale routes enable, -a for all the routes that are being advertised, -i for identifier and 1 for the node ID. So now we've set all these from false to true. These are all accepted and being advertised. So things on this 192.168.1.0/24 network, anything that my pfSense has on that network, will be advertised to my other Tailscale nodes that I add. So let's start adding other Tailscale nodes. And for that, we're not going to generate another key, although we could do it that way. We're actually going to show you another way you can register nodes, and it's by doing tailscale up. Make sure you explicitly say --accept-routes, because I would like this particular node to be able to accept routes that are advertised by other nodes. Then we're going to say --login-server and we specify https://headscaledemo.lawrencesystems.com. And by doing this, it's going to prompt me for this. And then we're stopped right here with, hey, how do we get this node authenticated?
And we do that by copying this link, pasting the link in, and we can see that we have a machine registration complete. Now, as I said before, there's our headscaledemo.lawrencesystems.com. But what if we open this up in a new window, just like that? That's all you're going to get. You're not going to get anything in there. But when you pass it a registration key, and that's what's passed across here, then you get this prompt that says, hey, copy and paste this in there. Well, we want to copy and paste it in, but we do want to change the namespace. So we'll go ahead and select this and copy it, go back over to our Headscale server. I'm going to delete where it says NAMESPACE and type LTS demo, because it doesn't know what namespace you want to assign it to. We want to assign it to this namespace so it can communicate with the other nodes that are in there. So by doing this right here, machine has been registered, and our prompt over here says success. That's it. Now this one's registered. So now we should be able to ping 192.168.1.8, and I'm able to ping something that is on that node ID. And if we type in ifconfig, we're able to see our Tailscale IP of 100.64.0.2. So if we were to ping, because the other one is the pfSense, we're able to ping that as well. So I'm able to get back and forth on the addresses. Now one more thing I wanted to cover on here, and we'll do it this way. We're going to go ahead and ping 192.168.1.8. So that's going through the Tailscale network, and these two devices are not on the same network. They're completely separate from each other. It's using Tailscale to route. But let's go ahead and stop. So we know the service is running now, but we're going to stop Tailscale from running on the server. Well, Headscale from running on the server. So let's go ahead and systemctl stop the headscale service. So now we've stopped it. We go over here to the status.
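The routes enable -a step above approves every route the node advertises, which includes the exit-node routes (0.0.0.0/0 and ::/0) if the node has advertise exit node switched on, as the pfSense box in the video does. As an added example (my own code, not from the video or the headscale project), this shell script approves only the routes on an allow list and reports anything else, so an unexpected subnet or exit-node route stays disabled until you decide about it. It assumes the v0.16-era command shapes used in the video: headscale routes list -i ID printing one route per line with the CIDR in the first column, and headscale routes enable -i ID -r CIDR for a single route; the -r flag and the output layout are assumptions, so confirm them with headscale routes enable --help on your version.

```shell
#!/bin/sh
# Approve only expected subnet routes for a headscale node.
# Added example, not from headscale or the video; the "routes list" output
# layout and the "routes enable -r" flag are assumptions about the v0.16 CLI.

# advertised_routes NODE_ID: the CIDRs the node advertises, taken from the
# first column of "headscale routes list -i NODE_ID" (header lines are skipped
# because they do not look like a CIDR).
advertised_routes() {
    headscale routes list -i "$1" | awk '
        $1 ~ /^[0-9a-fA-F:.]+\/[0-9]+$/ { print $1 }'
}

# approve_routes NODE_ID ALLOWED...: enable each advertised route that is on
# the allow list; report (and leave disabled) anything else, such as a
# 0.0.0.0/0 exit-node route you did not plan for. Returns 1 if any route
# was skipped, so a wrapper script can flag it for review.
approve_routes() {
    node=$1; shift
    skipped=0
    for route in $(advertised_routes "$node"); do
        ok=0
        for allowed in "$@"; do
            [ "$route" = "$allowed" ] && ok=1
        done
        if [ $ok -eq 1 ]; then
            headscale routes enable -i "$node" -r "$route"
            echo "enabled $route on node $node"
        else
            echo "NOT enabling unexpected route $route on node $node" >&2
            skipped=1
        fi
    done
    return $skipped
}

# Usage, for the pfSense node registered as ID 1 in the video:
#   approve_routes 1 192.168.1.0/24
```

The allow list is the approval record: re-running the script after a node starts advertising something new enables nothing extra and prints the new route to stderr, which is the behaviour you want from a coordination server that any registered node can feed routes into.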
Headscale is now stopped, the Headscale controller, but our ping is still going on over here. Now what happens is, even though Tailscale is not online, we have established connections. That address is 1055.55241641 connecting to 192.168.3.199. These connections are already established because they were established when the Headscale server was running. They will continue until those sessions expire. So I can keep pinging devices that are across the network. I can ping the other Tailscale node just like this and it will continue to work. But if we were to go into pfSense here and, let's say, restart the service, it's going to break that connection, and you can see our pinging stopped because the service is down. But all we have to do to get it back up and running is quit this, change that to a start. So now the service is back up and running. We go back over to pfSense. It'll eventually reconnect. It may take a second, but we can force it to say restart. Tailscale is back online. Then we can go back over here, and the pings have already started again because it's able to reestablish the connections. So as long as the nodes are connected, because they don't actually relay data, Headscale is just being a coordination server to say server A, talk to server B, or node A to node B, essentially, then you are able to keep these connections going. So if you had to service or update or, you know, restart your server node with Headscale, it won't affect the existing connections as long as they're already established. You just can't establish any new connection points between the different nodes. So pretty simple and straightforward how that works. And that's really it to get it up and running. Overall, I found Headscale relatively easy to set up. I found their instructions accurate.
I just wanted to make sure you were aware of those couple of extra little things, like enabling the routes, doing that from the command line to, one, enable the advertisement of routes from a node and also enable the nodes to accept those routes. Once you've got that coordinated, it's easy enough to get all the different functions and pieces working. One thing I will note though: someone may ask, is this production ready for my enterprise environment? Well, Headscale is a pretty actively developed project, but I don't know how well it's been security vetted, or if it's been security vetted well enough that it would make a great enterprise solution for those of you that would prefer to have a self-hosted controller. But overall, I didn't find any flaws in it, but I'm also not a pen tester, so don't take that as a blessing that there are no flaws, that someone couldn't figure out a way to add some node through some way. But as there are a lot of people looking at it, maybe as this project matures, it will turn into something that will go through more time and more vetting; but at least the backend and the protocols it's using are just Tailscale's. Those are well-vetted, so the transport method isn't really the part you need to be concerned with. And obviously, with any of these servers, if you have them public-facing, take the time to lock them down, take the time to put proper SSH keys on them, etc.; anything that's publicly accessible will be poked at. That's just the rule of the internet and how things work. I'll leave links to the forum post and all the other things that I mentioned as far as documentation, which is easy enough to find over on their GitHub. Have fun setting it up and let me know how it goes, either as a comment down below or, for a more in-depth discussion, over in our forums. Thanks.
For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums: forums.lawrencesystems.com is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.