My pleasure! And thank you!

also you can host your own derp server which will be 100% self hosted.

hahahahah. Adding Firezone and DefGuard to my list for future coverage! Very cool!

I tried several, I showed headscale-ui on the video, but believe I also ended up on headscale-admin.

I have timestamps in the description, which is how the chapter markers used to be made. Not sure if KZbin changed how to do that and I missed it. I'll check and see...but weird. I open ports because I run NGinX Proxy Manger on a different host than I run most of my other applications. You can absolutely do it the way you are saying though.

Fantastic!

You bet.

Glad you like it!

You are welcome, and hopefully recording this evening!

Reverse proxy generally runs as a way to route traffic around your internal network of services. So, auth.mydomain.com goes to your authentication tool, chat.mydomain.com goes to your matrix server, and vpn.mydomain.com might go to your headscale UI. The other part is that, in this case, we can point a domain to our headscale network, and allow clients to connect, so the revese proxy says I see your request for xy.mydomain.com, and I have a matching entry at 10.20.30.40, let me send you to that machine on port 29897. Something like taht.

Awesome! It works quite well.

I've been tackling that topic myself. I have the basic ACLs working between users / groups, and device access, but I haven't gotten the ACL for me to access another groups exit route to their LAN setup properly yet. Let me get a bit further, and I'll definitely do one.

I’ll have to look into it again. When I looked last it was very sparse on details and it seemed to have some parts still reliant on Zerotier services. Maybe it’s gotten better.

Oh I see, so seems like this is just wireguard without port forwarding through the tailscale client?

It doesn't. Just 80 and 443 on the network if you're inside a LAN. In my case I forward 80 and 443 to my reverse proxy, and let that deal with calls to the headscale server.

Great tip! Thanks for that!

I'll see what I can do.

As far as I know, there are no hard (preset / programmatic) limits on number of clients.

Thank you.

I personally like the ease of setting up routing rules in Netbird. This can be done with Headscale, but it's all done through Yaml files, and it's a bit convoluted as it is today. Other than that, both are rock-solid for connecting.

@@AwesomeOpenSource I think also, Netbird server is easier to setup than Headscale. Netbird Client is also easy to download. Thanks. You have a lot nice Tutorial.

Sorry to hear that.

Anyway, great tutorial like many other from you.

Super glad it's working for you.

You might check the permissions of the folder it's trying to create the key in, and make usre it can write a file there.

Hello ! @@AwesomeOpenSource I have exactly the same problem, I have absolutely no idea where I should give write or read rights... Can you help us with this?

@AwesomeOpenSource Solution is easy the config file is outdated. You need to manually download the latest release tar an then use that configuration file.

@@alexfields1334 This fixed the problem for me as well

Sorry you had a hard time with Netmaker, but maybe Headscale will give you what you need.

You mean nginx proxy manager? I believe they are admin@example.com and changeme if you mean the defaults.

@@AwesomeOpenSource yes they were !

Awesome. I think you'll love how easy it really is in the end. And honestly, the ease is because people wayyyy smarter than me are creating these amazing open source tools that make everything a lot easier.

Hmmm. I'll have to take a look. This isn't that old of a video. As for Headscale UI it was the best one I found as far as functions. Do you have any others I could look into?

@@AwesomeOpenSource yes, since i finaly succeed in using it, i can even help you if necessary. The best one i found is headscale-admin wich is the best so far with a lot of improvements. the only problem is for nginx proxy manager (be careful, npm latest version is broken with sub domains). I can give you my config files wich will make you gain a few hours of work and avoid trial and errors like i did.

@@AwesomeOpenSource i've tried to answer you a few times but it's deleted each time. try headscale admin. i've all the necessary config if you want them i would be glad to help you and give it

@@Virtualchronos KZbin will delete comments from viewers if it has a URL or link in it. But if you will jump over to discuss.opensourceisaaesome.com, I’d love to see what you have. I’m mickintx

@@AwesomeOpenSource I didn't included any link. i suspect youtube to ban some specific terms I maybe used without noticing. I'll send you msg there, count on it ^.^

I think in the client config you want to set the DNS to a provider you like, then set allowed IPs to be 0.0.0.0/0, and that should do it.

In docker containers, if you are running other containers, common ports are often already in use on the host. The ability to map a different port number is a great feature in docker. It allows you to run multiple services on the same host that may need the same port. So, in order to avoid 8080, I changed it to a less common port.

You should forward port 80 and 443 to the ip ending in .11. Then on NGinX proxy manager create your entry for headscale. Now just enter port 80 in the first tab, then request a new certificate on the SSL tab, and agree to the TOS. Save. This should get you going.

@@AwesomeOpenSource Thanks. Yeah there many details that I had to try it. Because of the magic of ZFS, any changes I made to the nginx server or headscale server, I have reverse it back using snapshot. So I can try different things. I finally manged to get it to work. So now the client will be using https to connect to headscale server. But its frustrating that I do not know many of the details. Let me list these question, you dont have to answer it. I am already grateful for you videos. I learned so much about nginx and not to mention the webserver for nginx and for headscale, which I knew nothing about. Question #1: when creating port forward in the router, there are two ports that I need to specify; I am assuming that one is for the port the router is listening from the internet. The other port is used to talk to the internal server (in this case its the nginx server). Can these two port be different? Question #2: I am right to assume that for nginx requires two ports: one to listen signals from the router (from port forwarding, the port used to talk to internal server) and the other port that will be used to talk to the headscale server. So the talking and liseterning port between the router and the nginx must be the same. IN the same way, the talking and the listening port between the nginx and the headscale must also be the same.

@@AwesomeOpenSource Another question that you don't have to answer, since the SSL cert is in nginx, that means the encryption data transfer is used between teh client and nginx. And since headscale server is listering to port 80 and in your video, you did not specify ssl cert, the communcation between the nginx and the headscale server is not encrypted, which is find becuase they both are behind the firewall. So if I specify the ssl cert in headscale, do I still need to specify ssl cert in nginx? Probably the answer is "up to me". If no ssl between the internet and nginx, there will be no encryption between the internet and nginx server. But there will be encryption between nginx and headscale. So it is a waste of time to specify ssl in heascale. SSL is only used one time during the machine registration between the headscale server and the tailscale client right? Afterward it does not matter anymore. The wireguard connection will be established between the cliient and the headscale directly, bypassing nginx. Or everytime I switched off tails scale and then turning it back on, it will go through the nginx server to re-establies the connection. Once the connection is established, nginx is no longer needed. I guess nginx is used used to pass secure information to build the tunnel between the client and the headscale server. After the tunnel is created, it is the encryption TLS from writeguard that will guard the data exchange between the twos.

True. Depending on what costs more you could potentially setup your server on a VPS for a few bucks a month, or maybe using the Oracle Free Tier. Then use that as your public IP.

You're very welcome!

Sorry you had that trouble. Did you create an issue for the developer of NGinX Proxy Manger?

Setup a subdomain of the DDNS, and make sure the ports are setup properly coming into your network. You can still use NGinX proxy manager to proxy the request for the DDNS subdomain around your network as needed.

Maybe they took down latest for some reason.

are you putting "ladmin"? or "/admin"?

I don't know specifically what specs you need. I am running on docker, as you know. Currently with about 10 connections it's using 28 MB RAM, and goes from 0 to 4% of a single CPU. It's not using much of anything at all really. So I think you could easily run it on a low cost VPS from DO or Linode, etc. I do think there is an RPi version you can run, and seems like I've seen posts from folks who run it on that hardware. I run it on a VM with Docker, and it's running fine so far.

Hmmm. Not sure then.

@AwesomeOpenSource Solution is easy the config file is outdated. You need to manually download the latest release tar an then use that configuration file.

If you are trying to run it on a machine with no desktop interface / browser, then it will hang because it's waiting for the auth-key. If you are trying to make it open your Auth screen on a desktop and it's not opening, then I also saw it hang a few times. Just took persistence for me.

@@AwesomeOpenSource because my android can not popup that window， I test other platform and found Tailscale hangs in Linux terminal. then I found I can fix it by change server_url in config.yml of headscale, from to , but don’t know why.

If you already have port 80 and 443 open, then that's it. The rest is done through that.

Glad it was helpful!

I do, I just like for folks to be able to follow what I'm doing, especially those who may be more new to the command line. But I still appreciate you sharing the tips with me. Keep 'em coming.

@@AwesomeOpenSourcegreat explanation, thanks a lot.

I believe if you look at "Exit Route" or "Exit Node"' on the headscale and tailscale documentation, you'll be able to find how to do this.

@@AwesomeOpenSource That's it, I already did it! Incredible, after searching and analyzing on my own and obviously because of the support in the videos, I managed to do it, I can now pass all the traffic through a node and not only that, many other things, fantastic! :)

I haven't. I'm not an Android user, and don't even have a test device. The Headscale documentation indicates that it and iOS should work, but I also have difficulty getting my iOS app to let me use my own server. I'm still working on it, so I'll update when / if I get it working.

Oddly enough. I just tried it again, and now it's letting me add my phone. It essentially loaded a browser window with the command, and a key I need to use to register my device to my server. I had to reset the tailscale app in my settings, then kill the app, reboot the phone, then start the app again.

@@AwesomeOpenSource I have done the same in Android...and it runs too. Thanks.. greetings from Germany ... Michael ..

My pleasure!

Cert shouldn't matter. I had the tailscale up command get me a couple of times too. It was just a matter of me digging in. On an LXC in Proxmox I found I had to pass through the proxmos setting to the LXC container for this to work, as the LXC couldn't access the tun0 that it needed for Tailscale to work. You might make sure the tailscaled service is active, and if not, check the logs. if it is restart tailscaled, and try again.

Thank you my friend, Glad you enjoyed!

Netmaker is great, and for a newer user, IMO, easier to get certain things setup like exiting into an entire LAN from the Wireguard network. Making an Exit Node so all traffic goes through Wireguard out to the internet, etc. That said, Headscale is not super difficult to use, but going between the headscale docs and Tailscale docs is a bit annoying at times. Overall though, it just takes some experimentation.

I was using GoDaddy at the time, but moved that domain to Hover now.

Glad you liked it!

Just depends on how much you are using it. Should runfine. Essentially Wireguard creates a nice peer-to-peer network. Some devices need the relay server, but desktop and laptops can usually navigate a P2P connection. Mobile devices can as well, it's really the cell network that interferes from what I understand.

I'm already using Authentik, but it's actually quite "simple" once you get your head around what you need to do. It may translate to Zitadel as well. I'll look into it to see what I can figure out.

I'm not 100%, as I didn't setup that part. Here's what's in their documentation thought: "WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our config-example.yaml." Hope that helps.

Yes done that. Acme throws weird certificate errors. Kindly consider a short follow up video on running the embedded derp server as it will truly make the headscale private.

Download the Tailscale client, then change the server you want to authenticate with, or use the terminal to connect using the command I used in the video.

@@AwesomeOpenSource I am trying... just found the CLI there as well but not yet successful ;-)

ok, macbook done, now fighting with the obvious things that were "one clik" step in tailscale - approving exit nodes and routes etc - yeap, tailscale made it easy

If you want to set it up for access over the internet, then it will. You could setup the control server on a VPS with a public IP, and it will coordinate your clients to all find each other as an alternative.

Sometimes, copying yaml, for whatever reason, seems to either include some special hidden character, or not include something needed. I've found I just have to manually type it, or use an online yaml checker to try and figure out what's wrong with it.

Thanks Brian, now that is seemingly working but it freezes when adding a client with an auth key?

@AwesomeOpenSource Solution is easy the config file is outdated. You need to manually download the latest release tar an then use that configuration file.

My pleasure!

Thank you so much 😀

I haven't. I tried to get it all setup a couple of years ago, but it was a bit difficult at the time. I should re-visit it.

@@AwesomeOpenSource thanks. I've been using tailscale for years, and have my own list of next best things to try like Zerotier and Nebula, but never got time

Let me see what I can figure out.

For me, they both have pros and cons. Netmaker, IMO, once up and running is much easier to just start using, and the built on Web Admin panel is really great. Things like the subnet routing (getting onto a LAN from the wireguard VPN) is also quite a bit easier with Netmaker. Alex really has done a ton of work to make everything very easy. Headscale, is a bit more piece-meal, and you need to read a bit to find the right commands to do various things. The tailscale client is good, but again, no GUI from Tailscale for linux...thus Trayscale comes into play as yet another piece you can add on. You can do all the same things, but Netmaker still makes it easier as a fully self hosted solution.

You could probably use the IP only, but https is just for the Web UI that's separate from Headscale itself.

@@AwesomeOpenSource ya. im trying to install headscale UI and it doesnt work with IP only. https is a must for web UI?

Not for the web ui specifically. The https requirement will be to get you mobile device to connect to the headscale server. You need to have a valid cert on an iOS device, but not sure about Android's requirements.

You can run the tailscale client on the same server as your nextcloud, then add the tailscale IP to your nextcloud allowed origins configuration.

It's a pain to get the mobile clients setup for it, but once I got them setup, they just work. Turn them on, turn them off, just works.

@@AwesomeOpenSource Change Server worked. But it is too unsafe for a productivity System...I switched back to the original Service.

I'll check it out and see what I find.

Tailscale has apps for both iOS and Android. They should work with Headscale as well.

@@AwesomeOpenSource yeah but there is no option for choosing custom server, like if you use bitwarden it gives me option to select server (vault waden works) here there are no such options 😕

It's pretty awesome!

That's a shame, docker is really a great way to run your services. You can install any project directly on your system as well. Docker just makes that a bit easier by 1. scripting out the installation, 2. using a very minimal image to install it on, and 3 making it a very lean virtual machine (container) which segregates it from the rest of the system unless you make the in-roads for it.

I speak from experience, eg. 10x ram usage and 5x cpu usage for pi-hole This is not viable for any efficiency minded individual or server admin@@AwesomeOpenSource

yes all the work you save by the scripting is lost by having to forward all kinds of things between systems@@AwesomeOpenSource

Thanks for adding what you did to solve the issue.