Tailscale running in a LXC

One way to use Tailscale on Proxmox servers for remote access is to run it in a Proxmox CT (LXC), which we keep unprivileged for security reasons. With a single LXC we can reach all devices on the remote site securely. Tailscale makes WireGuard mesh networking easy.


An LXC is a lightweight way to run a virtualized Linux system: a container that shares the host kernel. In an unprivileged LXC the root user (uid 0) inside the container is mapped to an unprivileged uid on the host, so a process that escapes the container does not hold root on the host; this is what makes it possible to run an LXC more securely.

You can use Tailscale's cloud based Control Center or self-host one.

I have another post about using a VM instead (link) and one about setting up a local TCC (link).

Set up a Container – CT/LXC

For this post I used a Debian Trixie Template.

Tailscale runs WireGuard in userspace (wireguard-go) and carries its traffic in UDP packets, so it needs no kernel modules or other privileged operations to form tunnel connections. It does, however, need access to a /dev/net/tun (TUN) device, which unprivileged containers usually do not provide.

Create the Unprivileged Container

  • Create a CT; I use CTID 10055 for this example.
    • CPU: 1 core
    • RAM: 512 MiB
    • Disk: 2-8 GiB
  • Make sure the Nesting feature flag is set
  • Go to Resources > Add > Device Passthrough
    • Set Device Path to /dev/net/tun
  • Start the CT
  • Upgrade: apt update && apt upgrade -y && apt install -y curl
  • Create a non-root user, e.g. nalle: adduser nalle
  • Add the user to the sudo group: usermod -aG sudo nalle
  • Secure and harden the CT; it talks to the internet and will be reachable from the whole tailnet
  • Restart the hardened CT and begin the Tailscale installation
ℹ️
As an alternative to the Device Passthrough in the GUI, you can use the pct command on the Proxmox host:
- pct set 10055 --dev0 /dev/net/tun
- pct set 10055 --features keyctl=1,nesting=1
ℹ️
Alternatively, use userspace networking mode:
If you don't want to grant /dev/net/tun access, run tailscaled with --tun=userspace-networking, which avoids the need for any device access at all. It is slower, because every packet passes through the userspace network stack instead of the kernel, but it is what Tailscale's official Docker image uses by default.
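The GUI steps above, done from the Proxmox host's shell instead, as an added example that is not part of the original post. The CTID 10055, the bridge vmbr0, the storage name local-lvm and the Debian template filename are assumptions (the template must already be downloaded with pveam); adjust them to your node. verify_config reads the text of pct config and checks the two settings that matter here: that the container really is unprivileged and that the TUN passthrough is present.

```shell
#!/bin/sh
# Added example (not from the original post): create the unprivileged CT from
# the Proxmox host shell instead of the GUI and pass /dev/net/tun through.
# CTID, template filename, bridge and storage are assumptions for this example;
# the template must already be downloaded (pveam download local <template>).
CTID="${CTID:-10055}"
TEMPLATE="${TEMPLATE:-local:vztmpl/debian-13-standard_13.0-1_amd64.tar.zst}"  # assumed filename
STORAGE="${STORAGE:-local-lvm}"
BRIDGE="${BRIDGE:-vmbr0}"
PCT="${PCT:-pct}"   # set PCT=echo to print the commands instead of running them

# create_ct: 1 core, 512 MiB RAM, 4 GiB disk, unprivileged, with nesting and
# keyctl enabled as the post requires.
create_ct() {
  "$PCT" create "$CTID" "$TEMPLATE" \
    --unprivileged 1 \
    --hostname tailscale-gw \
    --cores 1 --memory 512 \
    --rootfs "$STORAGE:4" \
    --net0 "name=eth0,bridge=$BRIDGE,ip=dhcp" \
    --features nesting=1,keyctl=1 \
    --onboot 1
}

# passthrough_tun: the equivalent of Resources > Add > Device Passthrough.
passthrough_tun() {
  "$PCT" set "$CTID" --dev0 path=/dev/net/tun
}

# verify_config CONFIG_TEXT: 0 only if the text of `pct config` shows both the
# unprivileged flag and the TUN passthrough; anything else is a misconfiguration
# worth catching before the container goes on the network.
verify_config() {
  printf '%s\n' "$1" | grep -q '^unprivileged: 1$' || return 1
  printf '%s\n' "$1" | grep -q '^dev0: \(path=\)\{0,1\}/dev/net/tun' || return 1
  return 0
}

# On the host:
#   create_ct && passthrough_tun
#   verify_config "$(pct config "$CTID")" && pct start "$CTID"
```

The check matters because a container accidentally created as privileged would still run Tailscale happily; nothing in the rest of the setup would tell you that uid 0 inside is uid 0 on the host.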

Install Tailscale

From Tailscale we download the installation script, read it, and then run it.

wget https://tailscale.com/install.sh
# Read the code and if you agree you can run it
sh install.sh

This is equivalent to: curl -fsSL https://tailscale.com/install.sh | sh (the script itself escalates with sudo for the steps that need root, so do not prefix curl with sudo).

Or if you trust it, just run it:

curl -fsSL https://tailscale.com/install.sh | sh

Then bring the node up:

sudo tailscale up --ssh
To authenticate, visit:

        https://login.tailscale.com/a/<string of characters>

Copy the address into your browser and log in to your Control Center to authorize the node. Note that --ssh turns on Tailscale SSH: who may then log in to this CT over the tailnet is decided by your tailnet's ACL (SSH policy), not by sshd, so review that policy as part of hardening.

Routing Subnets

IP forwarding is required to use a Linux device as a subnet router. This kernel setting lets the system forward network packets between interfaces, essentially functioning as a router. The process for enabling IP forwarding varies between Linux distributions. However, the following instructions work in most cases.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
ℹ️
If your Linux system does not have an /etc/sysctl.d directory, check your distribution's documentation.

After enabling IP forwarding, run tailscale set with the --advertise-routes flag. It accepts a comma-separated list of subnet routes. Advertising is only half of it: an admin must then approve the routes in the Control Center (or an auto-approver rule in the tailnet policy must cover them) before other nodes will use them.

sudo tailscale set --advertise-routes=192.0.2.0/24,10.10.100.0/24
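The forwarding and route steps above, gathered into a small pre-flight script; this is an added example, not code from the original post or from Tailscale. It writes the sysctl file by overwriting rather than appending, so a second run does not leave duplicate keys; it checks that the TUN device and both forwarding knobs are actually in effect; and it validates the route list before handing it to tailscale set, rejecting malformed entries and prefixes with host bits set such as 192.0.2.1/24. The file paths default to the real kernel and sysctl paths but are parameters so the checks can be exercised against fixture files.

```shell
#!/bin/sh
# Added example (not from the original post): prepare and verify the CT as a
# Tailscale subnet router. File paths are parameters with the real defaults so
# each check can also be run against fixture files without root.

# write_forwarding_conf [FILE]: write both sysctl keys, overwriting the file so
# re-running the setup does not append duplicate lines (as tee -a would).
write_forwarding_conf() {
  conf="${1:-/etc/sysctl.d/99-tailscale.conf}"
  printf '%s\n' 'net.ipv4.ip_forward = 1' 'net.ipv6.conf.all.forwarding = 1' > "$conf"
}

# forwarding_enabled FILE: 0 if the kernel file (or fixture) holds the value 1.
forwarding_enabled() {
  [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# valid_cidr A.B.C.D/N: 0 if the string is a well-formed IPv4 network prefix
# with no host bits set (192.0.2.0/24 passes, 192.0.2.1/24 does not).
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; len="${1#*/}"
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  case "$len" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  n=0
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) | o ))
  done
  mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  [ $(( n & mask )) -eq "$n" ]
}

# valid_route_list R1,R2,...: 0 only if every comma-separated entry is valid.
valid_route_list() {
  [ -n "$1" ] || return 1
  saved_ifs="$IFS"; IFS=','
  for r in $1; do
    IFS="$saved_ifs"
    valid_cidr "$r" || return 1
  done
  IFS="$saved_ifs"
  return 0
}

# preflight ROUTES [TUN] [V4FILE] [V6FILE]: run every check, print what is
# wrong, return 0 only when the node is ready to advertise ROUTES.
preflight() {
  routes="$1"
  tun="${2:-/dev/net/tun}"
  v4="${3:-/proc/sys/net/ipv4/ip_forward}"
  v6="${4:-/proc/sys/net/ipv6/conf/all/forwarding}"
  ok=0
  [ -c "$tun" ] || { echo "no TUN device at $tun (add the passthrough or use --tun=userspace-networking)"; ok=1; }
  forwarding_enabled "$v4" || { echo "IPv4 forwarding is off"; ok=1; }
  forwarding_enabled "$v6" || { echo "IPv6 forwarding is off"; ok=1; }
  valid_route_list "$routes" || { echo "bad route list: $routes"; ok=1; }
  return $ok
}

# Typical use as root on the CT (routes are RFC 5737 / private examples):
#   write_forwarding_conf && sysctl -p /etc/sysctl.d/99-tailscale.conf
#   preflight 192.0.2.0/24,10.10.100.0/24 \
#     && tailscale set --advertise-routes=192.0.2.0/24,10.10.100.0/24
```

preflight reads the live /proc values rather than the sysctl file, so it also catches the case where the file was written but sysctl -p was never run; the routes still need approval in the Control Center afterwards.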

Having a Firewall

If your Linux node uses firewalld, you might need to allow masquerading due to a known issue. As a workaround, you can allow masquerading with this command:

firewall-cmd --permanent --add-masquerade

Accept the routes on the other nodes

To allow traffic between the sites, each node that should use the advertised subnet routes must accept them (a Linux client does not do so by default):

sudo tailscale set --accept-routes

To omit sudo for later tailscale commands, make your user the node's operator:

sudo tailscale set --operator=$USER

Full or Split tunnel

In the Control Center, open the machine's Edit route settings:

  • Subnet routes give you split tunneling: only traffic for the advertised ranges on your other site goes through the tailnet. (Tailscale's own description: "Connect to devices you can't install Tailscale on by advertising IP ranges as subnet routes.")
  • Exit node gives you full tunneling: all of your device's internet traffic leaves through the lab. (Tailscale's own description: "Allow your network to route internet traffic through this machine.")

Full tunneling is useful if you need your traffic to appear to come from the lab's location, for one reason or another. Sometimes that is what we want from a VPN.


References

Tailscale [1] TUN device [2] Subnet routing [3] About IPs [4]


  1. Tailscale: homepage, getting started, GitHub

  2. TUN/TAP device driver, The Linux Kernel documentation

  3. Subnet routers, Tailscale documentation

  4. IPv4 address blocks for documentation are defined by RFC 5737:
     TEST-NET-1 = 192.0.2.0/24, TEST-NET-2 = 198.51.100.0/24, TEST-NET-3 = 203.0.113.0/24