Build Your Own VPN with Headscale & Tailscale

Views: 40,080

Jim's Garage

A day ago

Comments: 117
@CyanureNeko 5 months ago
"Not going to explain this in detail again" - * Proceeds to explain in detail* 💜
@basdfgwe 5 months ago
Jim - not going to lie. This looks super complicated, and I sometimes watch your videos because of your calming voice.
@hyperprotagonist 5 months ago
I feel like I could fall asleep if he narrated cosmology videos.
@Jims-Garage 5 months ago
I wish it would work on my kids! WireGuard is probably the right choice for most people. I'm experimenting with headscale but I'll see how it works out.
@LtdJorge 5 months ago
@@Jims-Garage Narrate how to create your own VPN to them 😂
@omerta3393 5 months ago
Currently I use headscale on all my devices, I did it based on your old video, thanks for update
@Jims-Garage 5 months ago
@@omerta3393 hey, that's awesome.
@rodrimora 5 months ago
Are you comfortable using a deployment with alpha versions and spotty web UI? Provided you are going abroad and would want to have the most stability possible, as in case it goes down you're out of luck :/ Are you planning redundant access like WireGuard or the cloud Tailscale just in case? I really prefer self-hosted but I don't know how polished this is.
@Jims-Garage 5 months ago
Typically no, but it's very close to tailscale and semi supported. I do have fallback to WireGuard if needed. It's not me going on vacation, it's my mini server. That's why I'm setting this up so I can remote manage/use it.
@rodrimora 5 months ago
@@Jims-Garage sorry I misunderstood what is going on vacation hahahah! Thanks for the response. I'm in a similar situation but it's me who is going on vacation and got really paranoid about remote access to my homelab. And thought about the most robust solution considering I have a dynamic IP. A couple of docker DDNS containers updating a DuckDNS and a Cloudflare DNS to work with WireGuard as it requires an IP/domain to work. A WireGuard docker + WireGuard VM in another bare metal server just in case (I found the docker WireGuard to have less performance, ok for SSH but lackluster for remote gaming). But what has never failed me was Tailscale: the Home Assistant Raspberry with an addon, a docker Tailscale, a VM running Tailscale... no need to worry about dynamic IP or ports, and works every time, maybe not as performant as a direct connection to WireGuard but good enough for SSH/webserver/troubleshooting.
@OM-rnd 5 months ago
Hi Jim. Thank you for your channel. It was one of the things why I decided to start my home server journey. It's absolutely fantastic to have comprehensive information on how to set up things. My setup is going great and growing every day. One thing I'm struggling with now is how to structure my network given that I'm behind CGNAT. Your videos about NetBird and Headscale helped a lot. Could you consider making a video for newbies with a general overview of how to structure a setup for those poor things stuck without port forwarding? E.g. you have your docker containers, their networks, the network of Proxmox VMs, your OPNsense/pfSense and a VPS for self-hosting NetBird/Headscale and maybe a few more things in docker. How to configure the flow of data, do you need to have a reverse proxy at home and/or at the VPS in this setup, do you need a DMZ and so on. Just traffic flow and general structure, considering that all VMs and basic networks are already set up. It sounds like a lot but such a video would be a lifesaver for those who are just starting out and don't understand why one needs certain things.
@Jims-Garage 5 months ago
@@OM-rnd thanks, that's a good topic, I'll consider that (it's a little more difficult as I don't have that problem so I need to replicate). In my head I'd still be using a reverse proxy (DNS challenge) to make sure all services are SSL etc and play nicely within the browser.
@substandard649 5 months ago
Excellent demo Jim. I'm planning to try all of the self-hosted SDN options before I commit. Bit concerning that it's been 12 months since the last production release, I wonder if Netbird is more active.
@Jims-Garage 5 months ago
@@substandard649 I was also surprised by the distance between releases. I will be checking out netbird soon.
@d1wepn 5 months ago
@@Jims-Garage +1 for a netbird video plz 😁
@BenThatOneGuy 5 months ago
I went with Netbird, and love it. Headscale was just not streamlined or robust enough for my tastes.
@kafadek825 2 months ago
The reason why the Nodes and Routes do not work in headscale-admin is because you have Legacy API (Headscale < 0.23) ticked in settings. Thanks so much for this
@Jims-Garage 2 months ago
@@kafadek825 thanks, I did test both on and off and it didn't seem to make a difference. Perhaps a quirk of my setup, or it's been fixed now.
@alex.prodigy 5 months ago
SQLite is actually quite fast even with heavy usage; the problem is that you usually want to run your DB and your app separately, and that's a non-starter for SQLite. So if you are fine with running your app and DB on the same system, SQLite is a good choice in my opinion.
@HunterGeophysicsAustralia 5 months ago
Hi Jim. Love all your videos. Just wondering if you could please make a tutorial for installing OpenProject (as a Docker container) using Traefik as the load balancer? The official documentation only provides instructions for Nginx or Apache, and I'd rather use Traefik as I have no other need for those two and have plenty of other needs for Traefik, so would rather just use that if it's possible. Thanks for considering.
@Jims-Garage 5 months ago
@@HunterGeophysicsAustralia thanks, I'll take a look at it
@HunterGeophysicsAustralia 5 months ago
@@Jims-Garage thank you heaps for considering it. I've been wracking my brain trying to get it to work for the last few weeks. 🤦‍♂
@demanuDJ 5 months ago
Hey Jim, great video. Any chance for self hosted netbird demo?
@Jims-Garage 5 months ago
Yes, I'm going to netbird in the near future.
@espressomatic 2 months ago
Here's a fall 2024 update. As of October 2024, Headscale-admin is unable to set/activate the API key and doesn't seem to work with the stable 0.23.0 Headscale release. Issue on github as-yet unaddressed.
@Jims-Garage 2 months ago
Thanks for the feedback. I've since moved over to Netbird, works well and having the UI built in is wonderful.
@moeinio 15 days ago
Thank you for the great video. I see that Traefik is not included in this docker-compose file. Assuming it is already installed and running, would you mind sharing the file or the video for that too?
@Jims-Garage 15 days ago
@@moeinio it's on my channel, search for Traefik
@pksrbx292 5 months ago
I thought you would do a net bird one
@Jims-Garage 5 months ago
@@pksrbx292 it'll be in the near future. I mention it at the end of the video.
@PW-72648 5 months ago
@@Jims-Garage Is netbird better in your opinion?
@Jims-Garage 5 months ago
@@PW-72648 I haven't used it enough, but from a technical perspective they're basically the same.
@departuring 5 months ago
@@Jims-Garage self hosted netbird was unstable
@Justin-cy8de 5 months ago
@@Jims-Garage in my experience netbird is a lot more refined than headscale. Requires more resources to run, but gives you a great UI for management.
@yifeiren8004 A month ago
You can set up authentik with headscale, create a pipeline for self registration. Then you can manage users through authentik.
@espressomatic 2 months ago
It'd be cool to rip out the Traefik stuff and maybe give an example of using other reverse proxies. Good overview nonetheless.
@Jims-Garage 2 months ago
I've considered it a few times but it would be hard work doing it for the other big 2 as well. If I don't use a proxy then people will ask for it...
@jonathandoe7490 2 months ago
@@Jims-Garage I think people who are familiar with traefik will know exactly how to make this work with it, versus someone who uses the other 2 won't know what to take out, which would likely break the container and make it not work.
@espressomatic 2 months ago
@@jonathandoe7490 That's what I was thinking.
@HunterGeophysicsAustralia 5 months ago
At 22:17, it shows the IP address and MAC address of your phone. The IP and MAC are identical on my screen for my phone. I assume this is a bug...?
@Jims-Garage 5 months ago
@@HunterGeophysicsAustralia the IP is likely the first in the default range, the MAC is probably a similar thing (not sure why it's random though). Good spot!
@AlexandroSanchez A month ago
That's not a MAC address, but an IPv6 address. It's the same on your phone because that's the first (IPv4, IPv6) address pair allocated.
@userou-ig1ze A month ago
Some thoughts on why I wouldn't use it: a) it feels unsafe to have a docker container take care of your secure connections (what if the container is too far out of date, or the compose content changes without users noticing...) b) it would be great if it offered some onion routing between nodes (and interchangeable exit nodes) c) what happens if the server goes down? Doesn't it create another single point of failure for the entire network?
@urzaaaaa 5 months ago
I noticed you are creating a user per device. Is that the recommended way? Would there be some disadvantage to having one user for multiple devices?
@Jims-Garage 5 months ago
@@urzaaaaa you could do either, I was simply using a user per device.
@mankala8 5 months ago
If you delete a user, I think it deletes your devices. My plan is to have users tied to people and devices to their devices. I'm the admin, so the infrastructure is probably going to be tied to my user. Though maybe I'll make a user for myself and a user for admin separately? It's probably more important once you start adding ACLs.
@Ogk10 3 months ago
On the exit nodes do you have to turn the feature on/off if you don't want to route all of the traffic between clients? For example if I watch youtube on client A does it go through client B? Basically can it do split tunneling to route only the home lab services and not the whole internet? Still waiting for that offsite NAS video btw ;)
@Jims-Garage 3 months ago
@@Ogk10 thanks for the reminder, it's in the works! Whichever exit node you select, that is where traffic is routed through. You can split tunnel so that only local goes over the mesh VPN and internet is routed out locally.
@Ogk10 3 months ago
@@Jims-Garage Awesome, thanks!
@JoeRoux-vm2wh 2 months ago
Don't you have a writeup on this? I have now tried 3 different explanations but get to a point where I can't seem to get an iPhone to register. It keeps opening port 8080 and I have a reverse proxy.
@Jims-Garage 2 months ago
@@JoeRoux-vm2wh no, sorry, it's the docker compose and video. Sounds like you need to loadbalance 8080 to something like 443.
@IgnoreMyChan 5 months ago
Hi Jim, is there a backup of your plex video that got taken down? Maybe on peertube or Odysee?
@Jims-Garage 5 months ago
It's on X
@IgnoreMyChan 5 months ago
@@Jims-Garage Do you have a direct link? Without account I can not see your posts.
@Jims-Garage 5 months ago
@@IgnoreMyChan x.com/jimsgarage_/status/1808231260583530826?t=lNv6MA-VnGeRuC--G8VIrw&s=19
@IgnoreMyChan 5 months ago
@@Jims-Garage Awesome! Thank you so much! ❤
@Jims-Garage 5 months ago
@@IgnoreMyChan you're welcome
@ggsap 5 months ago
8:26 "because it was created elsewhere, when I setup traefik" huh? what am I supposed to do?
@Jims-Garage 5 months ago
You simply need to change the proxy network to whatever network your proxy is on. If you don't have one check out the video I discussed (I use Traefik).
@ggsap 5 months ago
@@Jims-Garage That makes sense. I am using caddy bare metal though.
@b3lt3r-t8q 4 days ago
Hmmm. About to try and set up Headscale with a GUI called Headplane which seems to be the closest thing to the official Tailscale one. This is still somewhat opaque to me: if user and device are 1:1 then what is the difference between them? If Headscale uses WG under the covers then does an LXC host need to be configured to allow net device config? Some tutorials do and others ignore it (or maybe run in a VM, not LXC). I guess the major gap is the network/route allocation. In my head I would want all my devices configured in the system but then (e.g.) set up a network (route?) so that devices A, B and D can see each other but C cannot, and maybe A and C have their own network which B and D know nothing about. Every tutorial I've watched so far follows this video's approach and does all-to-all, which surely is not what you'd want, especially if you allow access from other people. Like I said, I'm going to try and use it as that's how I learn best, but I think some network pictures would really help people get a grip on this.
@javisartdesign 5 months ago
Thanks for the video, very detailed. Is there a way to share some IP ranges of your internal network from headscale without installing tailscale or adding routes?
@Jims-Garage 5 months ago
@@javisartdesign there's an option to allow LAN access per client. This will use NAT to enable it.
@javisartdesign 5 months ago
@@Jims-Garage thanks, I will take a look
@GundamExia88 5 months ago
Great video! How would you compare Twingate vs Headscale/Tailscale?
@Jims-Garage 5 months ago
Thank you. I'm yet to test out Twingate, I'll be doing it in the near future (hopefully!).
@jonathandoe7490 2 months ago
Does anyone have a docker compose of the headscale admin UI without the traefik stuff? Wish I knew how to remove it and have the container work myself.
@Jims-Garage 2 months ago
@@jonathandoe7490 delete the labels, the proxy network and add the ports. That's all that's needed.
@TheXalloumi 5 months ago
Hello! Thanks for your explanatory videos. I am unfortunately unable to access my internal services which are behind a reverse proxy (traefik) through the headscale network using the https address (this address works locally, i.e. without the tailscale network). If I use the IP address it works without any problems. Any solution?
@Jims-Garage 5 months ago
@@TheXalloumi it's probably the DNS setting for the client. Change it to use your internal DNS and ensure it can reach it.
@TheXalloumi 5 months ago
@@Jims-Garage thanks for your reply. Unfortunately that is not working. I have changed the DNS settings in the application to not use the tailscale DNS, I also changed the DNS settings of the config.yaml file, but without success. Is that working for anybody?
@ashoktvm 4 months ago
How to get headscale URL if running on selfhost?
@Jims-Garage 4 months ago
You need to register a domain. Check my Traefik video. You'll also need to port forward if possible.
@john__johnson 5 months ago
Another great tutorial. I had better performance with wireguard in my testing but good to have options.
@Jims-Garage 5 months ago
Yes, I suspect WireGuard will be faster. I'm going to do some testing though.
@john__johnson 5 months ago
@@Jims-Garage it's very close speed wise but I had much more artifacts when streaming games with moonlight/sunshine when using tailscale vs WG.
@Jims-Garage 5 months ago
@@john__johnson interesting, I'll be sure to check that out
@WillHung 5 months ago
I'm curious about why the ugreen is on permanent vacation. A little hint?
@Jims-Garage 5 months ago
I'll be using it as a remote server
@kiloy1006 5 months ago
As always, high quality content, and I was able to spin up headscale and register Android and Windows devices. I have one question though: what would be an advantage of running self-hosted headscale instead of using the official one? I know the free tier limits users and devices, but I wonder if there's any other good reason to run headscale on my home server? Again, thank you for the video!
@Jims-Garage 5 months ago
@@kiloy1006 the real answer is not really, but it does help with privacy as tailscale won't know your node IPs. There is a case when traffic can be routed through tailscale servers but even then it's end to end encrypted.
@mankala8 5 months ago
Does headscale-admin work better if you uncheck "legacy api (headscale < 0.23)"? Because you're running the 0.23 alpha. I'd imagine the checkbox is for people who don't want to run the alpha.
@Jims-Garage 5 months ago
Good spot, forgot to discuss that. It made no difference in my testing.
@mankala8 5 months ago
@@Jims-Garage The api node access stuff _looks_ correct in the headscale-admin code at a cursory glance. Headscale docs say you need to be running headscale over TLS/https for remote access to work with 50443 open to allow in the rpc traffic. You're running behind traefik, but headscale itself is running through http, so that could possibly be a problem? If that was the problem, though, I don't know why headscale-ui would work but -admin wouldn't. I've just been looking into it for a very short period of time, though, so I don't know whether rpc is what they're using for the api. I don't run my headscale behind a reverse proxy, and it only works with https, and the api seems to be what headscale-admin is looking for, but I'm running v0.22.3, so unfortunately it's annoying for me to dig into it more without a big chunk of time.
@liduke2970 3 months ago
Hey, I'm worried that anyone who has your headscale-ui IP and port can add their own user; wouldn't that be dangerous?
@AndrewHargreave 5 months ago
Perfect timing.....almost. I'm in the middle of doing what you're planning. I have a Synology NAS that I've been backing up to iDrive E2 block storage. I've maxed out the tier I'm on....and tired of paying $300US/yr. I bought a 16TB external USB drive and connected a Raspberry Pi4 to it and using is as an ssh remote target for Synology HyperBackups. I have a little vacation trailer on a lake and finally got a decent internet connection there so I'm going to use this as my offsite backups. Been looking for a solution better then a simple OpenVPN link. I like that this solution would give me access into the network there as well. I await your followup video on how you get that working...hope it's not too far in the future :)
@Jims-Garage 5 months ago
@@AndrewHargreave it'll be the next video, but I'm also going to check out netbird as an alternative. I'd be careful with a USB, I'd certainly recommend a HDD over it (2 if budget permits).
@DominikSchmid 5 months ago
Thank you for this comprehensive tutorial. I love your curated videos! Could you also make a video about the Nebula overlay network? This would be great! There are only very few tutorials to be found about it.
@Jims-Garage 5 months ago
Thanks, I'll take a look at it.
@mastermoarman 3 months ago
Will these work on the VPS you set up?
@Jims-Garage 3 months ago
Should do
@jomijohn7068 4 months ago
Does it work without a public static IP?
@Jims-Garage 4 months ago
@@jomijohn7068 yes, I have a dynamic IP. Checkout DDNS
@UniversScience 4 months ago
"Has more features, but the features are broken" 😂
@Jims-Garage 4 months ago
Haha, yes. I hope it's updated soon and they work again!
@Snoekverslaafde 5 months ago
How to do this on a NAS, let's say Synology? Can't use ports like 80 there etc. And what if we don't use proxy as the network? EDIT: Tried lots of things. But it won't work for me.
@wh1t3lotus19 5 months ago
Not recommended to newbie there head and tail will spin all day try it on simple but really easy to understand and you can tell the video is heavily edited most people like to see you do it on screen so they can follow your video.
@Jims-Garage 5 months ago
Not sure I follow, I did do it on screen and referenced previous videos for more details where necessary.
@antoniomax3163 5 months ago
Please add info about defguard.
@brksnunes 5 months ago
Hi Jim, greetings from Brazil! I've been loving your content and rebuilding my homelab following your videos! I'm eagerly waiting for the video about Netbird, as I found the service very interesting. Keep up the good work!
@Jims-Garage 5 months ago
@@brksnunes thanks, I almost have it working. Video as soon as I do
@BenjaminBenStein 5 months ago
@bluesquadron593 5 months ago
first
@johannesnguyen1090 5 months ago
4
@HarishPillay 5 months ago
first++
@emanuelpersson3168 3 months ago
Change Hostname:
sudo sqlite3 /var/lib/headscale/db.sqlite
UPDATE nodes SET hostname = "new_hostname" WHERE given_name = "current_name_NOT_hostname";

Change ID:
sudo headscale nodes rename -i ID NEW_NAME    # ID is the ID number of the device as shown in "headscale nodes list"; NEW_NAME is the new given name