[HowTo] Install Tailscale in a Jail

Joined
Feb 11, 2022
Messages
4
So in the past few days I have been playing around with Tailscale for the one day when I finally get back on the road for work and I want to access things at home like my files or my Plex instance when I finally get around to uploading media to my NAS. I looked around and found that the maintainers of the FreeBSD Tailscale package finally got it working in a jail and with a little bit of sleuthing I have figured out how to not only get Tailscale working in a normal jail, but also in a plugin jail.

So hold on to your hats.

Step 1: Cut a hole in the box... Oh wait! wrong tutorial...

Most importantly, when you create your jail or plugin, select advanced options and fill in all of the relevant information (name, whether you want it NAT'd or not, etc.), then go to the Custom Properties section and check allow_tun.


Then create your jail/plugin

Step 2: [When 1.20 makes it to Quarterly this step will become irrelevant]
Then go to your Jail's shell and edit the file /etc/pkg/FreeBSD.conf
You want to change the line url: "pkg+http://pkg.FreeBSD.org/${ABI}/quarterly", so that it says url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",

Then to make sure you're using the correct repository run pkg search tailscale and verify that it's tailscale-1.20.3

Step 3:
run pkg install tailscale and enter y

Step 4:
run service tailscaled enable

Step 5:
run service tailscaled start

Step 6:
make sure tailscaled is running: service tailscaled status

Optional Step 7:
Go to tailscale.com and create an Auth key, you can create a single key that will allow you to auth all of your jails/plugins or you can create one per jail/plugin

Step 8:
run tailscale up, click on the link it gives you and sign in, or, if you created an authkey, run tailscale up --authkey <your auth key here>

Optional Step 9:
go to your list of machines on Tailscale.com and disable key expiry for your jails and plugins

FIN

So far I have successfully installed Tailscale in one standalone jail and advertised my home network as a subnet and installed it in three plugins and successfully connected to them from outside my home LAN
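
Steps 2 through 8 of the post above, gathered into one script; this is an added example, not part of the original post. The function names and the TS_AUTHKEY environment variable are assumptions made for the sketch, and the signature_type check reflects the stock FreeBSD.conf, which matters because the repository URL is plain http.

```sh
#!/bin/sh
# Added example: steps 2-8 of the post, run as root inside the jail.
# Function names and the TS_AUTHKEY variable are assumptions of this sketch.

# Step 2: switch the repo URL from quarterly to latest, keeping a .bak copy.
# Refuses to continue unless package signature checking is still configured.
use_latest_repo() {
    conf="${1:-/etc/pkg/FreeBSD.conf}"
    grep -q 'signature_type: *"fingerprints"' "$conf" ||
        { echo "$conf: repo signature checking not enabled" >&2; return 1; }
    grep -q '/latest"' "$conf" && return 0          # already switched
    grep -q '/quarterly"' "$conf" ||
        { echo "$conf: no quarterly url found" >&2; return 1; }
    cp -p "$conf" "$conf.bak" &&
        sed 's|/quarterly"|/latest"|' "$conf.bak" > "$conf"
}

# Step 2 check: read `pkg search tailscale` output on stdin and succeed only
# if it lists tailscale at version $1 or newer (port revision suffix ignored).
has_min_version() {
    awk -v want="$1" '
        $1 ~ /^tailscale-[0-9]/ {
            v = $1; sub(/^tailscale-/, "", v); sub(/[_,].*$/, "", v)
            split(v, a, "."); split(want, b, ".")
            for (i = 1; i <= 3; i++) {
                if (a[i] + 0 > b[i] + 0) { ok = 1; break }
                if (a[i] + 0 < b[i] + 0) break
                if (i == 3) ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }'
}

# Steps 2-8 in order; nothing runs unless the script is called with "install".
if [ "${1:-}" = "install" ]; then
    set -e
    use_latest_repo /etc/pkg/FreeBSD.conf
    pkg update
    pkg search tailscale | has_min_version 1.20.3
    pkg install -y tailscale
    service tailscaled enable
    service tailscaled start
    service tailscaled status
    if [ -n "${TS_AUTHKEY:-}" ]; then
        tailscale up --authkey "$TS_AUTHKEY"   # optional step 7 key
    else
        tailscale up                           # prints the login link
    fi
fi
```

An auth key passed this way is visible to anything that can read the process's environment or arguments, so a one-off key per jail limits what a leaked key can enroll.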
 

cornail

Cadet
Joined
Feb 22, 2022
Messages
3
Thank you for this thorough tutorial, it helped me set up Tailscale in a jail (not NAT'd). I wonder if it is possible to use the jail as a jump host to access some services (such as SSH, webui, NFSv4 etc) on the TrueNAS host only, without turning the jail into a Tailscale subnet router using --advertise-routes.

I have fiddled around with ipfw inside the jail without any success so far, unsurprisingly, since I am new to TrueNAS Core and BSDs in general and only have basic knowledge in network configuration either.

Have you perhaps tried anything like that?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
Have you perhaps tried anything like that?
Maybe the kind of thing you're thinking about is a reverse proxy like caddy or nginx... a quick search in the forum should produce a couple of how-tos for those.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
You could also go a little different way and look for the thread on guacamole... that allows for RDP/VNC and SSH connection from the jail, so would be more like an actual Jump-host.
 
Joined
Feb 11, 2022
Messages
4
So my initial reason for trying Tailscale and even getting the $48 paid version so I could have two shared networks (home, and my travel router so my Roku could talk to Plex without ingress rules punched in my NAT) was exactly so that I could also do things like access SMB shares. That has been problematic. Right now I'm settling on using a Nextcloud jail with tailscale so I can get access to files on the NAS if I'm on the road and theoretically if my travel router and another tailscale machine are sharing their networks I 'should' be able to access SMB shares via IP at least.
 

luckyal

Dabbler
Joined
Aug 4, 2017
Messages
32
Just stumbled on this post. Thank you for sharing. How can I expose the rest of LAN that's on the same Subnet as my Tailscale Jail? I see instructions for Linux and other OSs but not for FreeBSD.
 

Owen__

Cadet
Joined
May 17, 2022
Messages
2
Hey, great tutorial! Helped me install Tailscale successfully, however I noticed now that it knocked my file share offline on the local network even after stopping Tailscale. What configuration do I need to have my share visible on the local network and over VPN?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
What configuration do I need to have my share visible on the local network and over VPN?
First thing to try would be to restart your SMB service. (I don't think it's necessarily a directly connected issue)
 

Owen__

Cadet
Joined
May 17, 2022
Messages
2
First thing to try would be to restart your SMB service. (I don't think it's necessarily a directly connected issue)
I did restart my SMB Share and it showed up again on the local network, however it didn't show up over my VPN now.
 

LibertyBeta

Cadet
Joined
Aug 9, 2022
Messages
2
How are you getting the services to route through the jail? I'm rather stumped on this step.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,702
How are you getting the services to route through the jail? I'm rather stumped on this step.
Tailscale allows a node to advertise subnets to all (other) connected nodes... have your jail advertise your home subnet (which has all your jails and other stuff on it) and then use your regular addresses (like 192.168.1.x) to connect when on VPN.
 

rmblr

Dabbler
Joined
Jul 16, 2019
Messages
13
Getting tailscale working in a jail is quite simple, thanks to @AndrewShumate for the steps. When combined with the advertise routes feature, it makes for an easy VPN into the local network. From your workstation that also has tailscale installed, you can use that jailed tailscale to access the Truenas admin interface or ssh directly to Truenas.

However, a use case that doesn't seem possible yet is replication. That is, replicating a Truenas Core box to another Truenas Core.

Truenas replication requires a direct SSH connection between the two Truenas boxes. Does anyone have an idea how this might be achieved over tailscale?

One idea is to run a socat daemon on the tailscale-jail of the Truenas instance that starts the SSH connection. socat would be configured as a tcp proxy to the remote Truenas (accessible via the subnet routing over tailscale).

Another idea would be to disable NAT on the tailscale router jail, and setup a static route for the tailnet. But that requires admin access to the router/dhcp server where the truenas server is.
 

gravewass

Cadet
Joined
Aug 30, 2022
Messages
1
Thanks for the help, I have been digging around to use Tailscale in truenas vm. I am very new to all this and want to learn how to integrate Tailscale with other plugins like NextCloud or Plex. Regards
 

cornail

Cadet
Joined
Feb 22, 2022
Messages
3
Many thanks for your support, @AndrewShumate and @sretalla. For a while, I have been running Tailscale in a VM on TrueNAS Core but I find it too heavyweight for the purpose. Recently, on TrueNAS Core 13.0, I've managed to get Tailscale to work in a jail without making the Tailscale client a subnet router. I have documented the process in a guide, available at https://github.com/KornelJahn/truenas-core-tailscale-jail
I am only an IT hobbyist, so any constructive criticism is most welcome.
 