Tailscale Cheatsheet
Tailscale ist eine moderne VPN-Lösung auf WireGuard, die sichere, verschlüsselte Netzwerke zwischen Geräten ohne die Komplexität traditioneller VPN-Setups schafft. Es bietet Null-Konfigurations-Netzwerke mit automatischer Schlüsselverwaltung, NAT-Traversal und nahtlose Verbindungen über verschiedene Netzwerke und Plattformen.
Überblick
Architektur und Design Philosophie
Tailscale arbeitet an einem Netznetzwerkmodell, bei dem jedes Gerät direkt mit anderen verbindet, wenn es möglich ist, zurück zu Relaisservern (DERP) fallen, wenn direkte Verbindungen nicht möglich sind. Der Service behandelt alle komplexen Netzwerke automatisch, einschließlich NAT-Traversal, Firewall-Konfiguration und Schlüsseldrehung.
Der Tailscale Koordinationsserver verwaltet Geräteauthentifizierung, Schlüsselverteilung und Netzwerktopologie, während der tatsächliche Datenverkehr direkt zwischen Geräten mit WireGuard-Verschlüsselung fließt. Dieser Ansatz bietet sowohl Sicherheit als auch Leistung bei gleichzeitiger einfacher Nutzung.
Schlüsselmerkmale
```bash
Core Tailscale Capabilities
- WireGuard-based encryption and performance
- Zero-configuration mesh networking
- Automatic NAT traversal and firewall handling
- Cross-platform support (Windows, macOS, Linux, iOS, Android)
- Magic DNS for easy device discovery
- Subnet routing and exit nodes
- Access control lists (ACLs) for fine-grained permissions
- SSO integration with major identity providers
- Audit logging and network monitoring ```_
Installation und Inbetriebnahme
Linux Installation
```bash
Install on Ubuntu/Debian
curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg|sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list|sudo tee /etc/apt/sources.list.d/tailscale.list sudo apt update sudo apt install tailscale
Install on CentOS/RHEL/Fedora
sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/centos/8/tailscale.repo sudo dnf install tailscale
Install on Arch Linux
sudo pacman -S tailscale
Start and enable Tailscale service
sudo systemctl enable --now tailscaled
Authenticate and connect to your network
sudo tailscale up
Check status
tailscale status
Get your device's Tailscale IP
tailscale ip -4 tailscale ip -6
View network map
tailscale netmap
Check connection quality
tailscale ping
Enable SSH access through Tailscale
sudo tailscale up --ssh
Set up as exit node
sudo tailscale up --advertise-exit-node
Accept routes from other devices
sudo tailscale up --accept-routes
Set custom hostname
sudo tailscale up --hostname=my-server ```_
Windows Installation
```powershell
Download and install Tailscale for Windows
$TailscaleUrl = "https://pkgs.tailscale.com/stable/tailscale-setup-latest.exe" $TailscaleInstaller = "$env:TEMP\tailscale-setup.exe"
Invoke-WebRequest -Uri $TailscaleUrl -OutFile $TailscaleInstaller Start-Process -FilePath $TailscaleInstaller -Wait
Connect to network (run as administrator)
tailscale up
Check status
tailscale status
Enable as exit node
tailscale up --advertise-exit-node
Configure Windows firewall for Tailscale
New-NetFirewallRule -DisplayName "Tailscale" -Direction Inbound -Protocol UDP -LocalPort 41641 -Action Allow New-NetFirewallRule -DisplayName "Tailscale" -Direction Outbound -Protocol UDP -LocalPort 41641 -Action Allow
Set up automatic startup
$TailscaleService = Get-Service -Name "Tailscale" Set-Service -Name "Tailscale" -StartupType Automatic
PowerShell script for automated deployment
$TailscaleConfig = @" \\{ "AuthKey": "$env:TAILSCALE_AUTHKEY", "Hostname": "$env:COMPUTERNAME-tailscale", "AdvertiseExitNode": false, "AcceptRoutes": true \\} "@
$TailscaleConfig|Out-File -FilePath "$env:ProgramData\Tailscale\config.json" ```_
macOS Installation
```bash
Install via Homebrew
brew install tailscale
Or download from Mac App Store
https://apps.apple.com/us/app/tailscale/id1475387142
Start Tailscale
sudo tailscale up
Check status
tailscale status
Configure as exit node
sudo tailscale up --advertise-exit-node
Enable SSH access
sudo tailscale up --ssh
macOS-specific network configuration
Allow Tailscale through macOS firewall
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Tailscale.app/Contents/MacOS/Tailscale sudo /usr/libexec/ApplicationFirewall/socketfilterfw --unblockapp /Applications/Tailscale.app/Contents/MacOS/Tailscale
Configure launch daemon for automatic startup
sudo launchctl load /Library/LaunchDaemons/com.tailscale.tailscaled.plist ```_
Mobile Device Setup
```bash
iOS Setup
1. Download Tailscale from App Store
2. Sign in with your account
3. Device automatically appears in admin console
Android Setup
1. Download from Google Play Store
2. Sign in with your account
3. Grant VPN permissions when prompted
Generate auth keys for automated mobile deployment
tailscale up --authkey=tskey-auth-xxxxxx-xxxxxx
Create reusable auth key (admin console or API)
curl -X POST \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ -H "Content-Type: application/json" \ -d '\\{"capabilities": \\{"devices": \\{"create": \\{"reusable": true, "ephemeral": false\\}\\}\\}\\}' \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/keys
Mobile device management via MDM
Example configuration for iOS/Android MDM systems
\\{ "authKey": "tskey-auth-xxxxxx-xxxxxx", "hostname": "mobile-device-001", "acceptRoutes": true, "exitNode": "exit-node-hostname" \\} ```_
Netzwerkkonfiguration
Subnet Routing
```bash
Advertise subnet routes
sudo tailscale up --advertise-routes=192.168.1.0/24,10.0.0.0/8
Accept subnet routes from other devices
sudo tailscale up --accept-routes
View available routes
tailscale status --peers
Enable IP forwarding (Linux)
echo 'net.ipv4.ip_forward = 1'|sudo tee -a /etc/sysctl.conf echo 'net.ipv6.conf.all.forwarding = 1'|sudo tee -a /etc/sysctl.conf sudo sysctl -p
Configure iptables for subnet routing
sudo iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE sudo iptables -A FORWARD -i tailscale0 -j ACCEPT sudo iptables -A FORWARD -o tailscale0 -j ACCEPT
Persistent iptables rules (Ubuntu/Debian)
sudo iptables-save|sudo tee /etc/iptables/rules.v4
Advanced routing configuration
Route specific traffic through Tailscale
sudo ip route add 192.168.100.0/24 dev tailscale0
Set up policy-based routing
sudo ip rule add from 100.64.0.0/10 table 100 sudo ip route add default dev tailscale0 table 100
Configure multiple subnet advertisements
cat > /etc/tailscale/subnet-config.sh << 'EOF'
!/bin/bash
SUBNETS="192.168.1.0/24,10.0.0.0/16,172.16.0.0/12" tailscale up --advertise-routes=$SUBNETS --accept-routes EOF
chmod +x /etc/tailscale/subnet-config.sh ```_
Exit Nodes
```bash
Set up device as exit node
sudo tailscale up --advertise-exit-node
Use another device as exit node
tailscale up --exit-node=exit-node-hostname
Use exit node with specific IP
tailscale up --exit-node=100.64.0.1
Disable exit node usage
tailscale up --exit-node=""
List available exit nodes
tailscale status --peers|grep "exit node"
Configure exit node with specific routes
sudo tailscale up --advertise-exit-node --advertise-routes=0.0.0.0/0,::/0
Exit node health monitoring
cat > /usr/local/bin/tailscale-exit-node-monitor.sh << 'EOF'
!/bin/bash
LOG_FILE="/var/log/tailscale-exit-node.log"
check_exit_node() \\{ if tailscale status|grep -q "exit node"; then echo "$(date): Exit node is active" >> $LOG_FILE return 0 else echo "$(date): Exit node is not active, restarting..." >> $LOG_FILE sudo tailscale up --advertise-exit-node return 1 fi \\}
check_connectivity() \\{ if ping -c 1 8.8.8.8 >/dev/null 2>&1; then echo "$(date): Internet connectivity OK" >> $LOG_FILE return 0 else echo "$(date): Internet connectivity failed" >> $LOG_FILE return 1 fi \\}
main() \\{ check_exit_node check_connectivity \\}
main EOF
chmod +x /usr/local/bin/tailscale-exit-node-monitor.sh
Add to crontab for monitoring
echo "*/5 * * * * /usr/local/bin/tailscale-exit-node-monitor.sh"|crontab - ```_
Magic DNS Konfiguration
```bash
Enable Magic DNS (usually enabled by default)
tailscale up --accept-dns
Disable Magic DNS
tailscale up --accept-dns=false
Configure custom DNS servers
tailscale up --accept-dns --dns=1.1.1.1,8.8.8.8
View DNS configuration
tailscale status --json|jq '.DNSConfig'
Test Magic DNS resolution
nslookup device-name.tailnet-name.ts.net dig device-name.tailnet-name.ts.net
Configure split DNS
Add to /etc/systemd/resolved.conf (Linux)
[Resolve] DNS=100.100.100.100 Domains=~tailnet-name.ts.net
Restart systemd-resolved
sudo systemctl restart systemd-resolved
Custom DNS configuration for specific domains
cat > /etc/tailscale/dns-config.json ``<< 'EOF' \{ "nameservers": ["1.1.1.1", "8.8.8.8"], "domains": ["company.local"], "routes": \{ "company.local": ["192.168.1.1"], "internal.corp": ["10.0.0.1"] \} \} EOF ```_
Zugriffskontrolle und Sicherheit
Zugangskontrolllisten (ACLs)
```json // Example ACL configuration (tailnet policy file) \{ "tagOwners": \{ "tag:server": ["user@company.com"], "tag:client": ["group:employees"], "tag:admin": ["user@company.com"] \},
"groups": \{ "group:employees": ["user1@company.com", "user2@company.com"], "group:admins": ["admin@company.com"], "group:servers": ["tag:server"] \},
"acls": [ \{ "action": "accept", "src": ["group:employees"], "dst": ["tag:server:22", "tag:server:80", "tag:server:443"] \}, \{ "action": "accept", "src": ["group:admins"], "dst": [":"] \}, \{ "action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"] \} ],
"hosts": \{ "database-server": "100.64.0.10", "web-server": "100.64.0.20", "admin-workstation": "100.64.0.30" \},
"autoApprovers": \{ "routes": \{ "192.168.1.0/24": ["tag:server"], "10.0.0.0/8": ["group:admins"] \}, "exitNode": ["tag:server"] \} \} ```_
Authentifizierung und SSO
```bash
Configure SSO with Google Workspace
(Done through Tailscale admin console)
Settings >`` SSO > Add Identity Provider
Configure SAML SSO
Upload SAML metadata or configure manually:
- Entity ID: https://login.tailscale.com/saml/acs
- ACS URL: https://login.tailscale.com/saml/acs
- Attribute mapping: email, displayName
Configure OIDC/OAuth
Provider: Custom OIDC
Client ID: your-client-id
Client Secret: your-client-secret
Issuer URL: https://your-provider.com
Force re-authentication
tailscale logout tailscale up
Configure device authorization
Require approval for new devices
Settings > Device Approval > Require approval
Set up device tags for automated approval
tailscale up --authkey=tskey-auth-xxxxxx --advertise-tags=tag:server
Configure session recording (enterprise feature)
Settings > Session Recording > Enable
Specify recording targets and retention policies
Multi-factor authentication
Configured at identity provider level
Tailscale inherits MFA requirements from SSO provider
```_
Schlüsselverwaltung
```bash
View device keys
tailscale status --json|jq '.Peer[].Key'
Rotate machine key
sudo tailscale up --force-reauth
Generate auth keys via API
curl -X POST \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ -H "Content-Type: application/json" \ -d '\\{ "capabilities": \\{ "devices": \\{ "create": \\{ "reusable": false, "ephemeral": true, "preauthorized": true, "tags": ["tag:server"] \\} \\} \\}, "expirySeconds": 3600 \\}' \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/keys
Revoke auth key
curl -X DELETE \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/keys/$KEY_ID
Configure key expiry
tailscale up --authkey=tskey-auth-xxxxxx --timeout=24h
Backup and restore device configuration
Export device configuration
tailscale status --json > tailscale-backup.json
Key rotation automation script
cat > /usr/local/bin/tailscale-key-rotation.sh << 'EOF'
!/bin/bash
LOG_FILE="/var/log/tailscale-key-rotation.log" ROTATION_INTERVAL_DAYS=30
check_key_age() \\{ LAST_ROTATION=$(tailscale status --json|jq -r '.Self.LastSeen') CURRENT_TIME=$(date +%s) LAST_ROTATION_TIME=$(date -d "$LAST_ROTATION" +%s) AGE_DAYS=$(( (CURRENT_TIME - LAST_ROTATION_TIME) / 86400 ))
if [ $AGE_DAYS -gt $ROTATION_INTERVAL_DAYS ]; then
echo "$(date): Key is $AGE_DAYS days old, rotating..." >> $LOG_FILE
return 0
else
echo "$(date): Key is $AGE_DAYS days old, no rotation needed" >> $LOG_FILE
return 1
fi
\\}
rotate_key() \\{ echo "$(date): Starting key rotation" >> $LOG_FILE sudo tailscale up --force-reauth --authkey=$TAILSCALE_AUTHKEY if [ $? -eq 0 ]; then echo "$(date): Key rotation successful" >> $LOG_FILE else echo "$(date): Key rotation failed" >> $LOG_FILE fi \\}
if check_key_age; then rotate_key fi EOF
chmod +x /usr/local/bin/tailscale-key-rotation.sh ```_
Überwachung und Fehlerbehebung
Netzwerkdiagnose
```bash
Check Tailscale status
tailscale status
Detailed status with JSON output
tailscale status --json
Check connectivity to specific peer
tailscale ping device-name
Network map and topology
tailscale netmap
Debug connection issues
tailscale debug --help
Check DERP (relay) server connectivity
tailscale netcheck
View logs
sudo journalctl -u tailscaled -f
Debug specific peer connection
tailscale debug peer-status
Check NAT traversal
tailscale debug derp-map
Network performance testing
tailscale debug ping
Capture network traffic for debugging
sudo tcpdump -i tailscale0 -w tailscale-debug.pcap
Check firewall rules affecting Tailscale
sudo iptables -L|grep tailscale sudo ufw status|grep tailscale
DNS troubleshooting
tailscale debug dns-config nslookup device-name.tailnet.ts.net 100.100.100.100 ```_
Leistungsüberwachung
```bash
Monitor Tailscale interface statistics
watch -n 1 'cat /proc/net/dev|grep tailscale'
Bandwidth monitoring
iftop -i tailscale0 nethogs tailscale0
Connection quality monitoring
cat > /usr/local/bin/tailscale-monitor.sh << 'EOF'
!/bin/bash
LOG_FILE="/var/log/tailscale-monitor.log" PEERS_FILE="/tmp/tailscale-peers.txt"
Get list of peers
tailscale status --peers > $PEERS_FILE
Monitor each peer
while read -r line; do if [[ $line =~ ^([0-9.]+)[[:space:]]+([^[:space:]]+) ]]; then PEER_IP="$\\{BASH_REMATCH[1]\\}" PEER_NAME="$\\{BASH_REMATCH[2]\\}"
# Ping test
PING_RESULT=$(tailscale ping $PEER_NAME 2>/dev/null|head -1)
# Log result
echo "$(date): $PEER_NAME ($PEER_IP) - $PING_RESULT" >> $LOG_FILE
fi
done < $PEERS_FILE
Check overall network health
NETCHECK_RESULT=$(tailscale netcheck 2>/dev/null) echo "$(date): Network check - $NETCHECK_RESULT" >> $LOG_FILE EOF
chmod +x /usr/local/bin/tailscale-monitor.sh
Add to crontab for regular monitoring
echo "*/5 * * * * /usr/local/bin/tailscale-monitor.sh"|crontab -
Performance metrics collection
cat > /usr/local/bin/tailscale-metrics.sh << 'EOF'
!/bin/bash
METRICS_FILE="/var/log/tailscale-metrics.log"
Get interface statistics
RX_BYTES=$(cat /sys/class/net/tailscale0/statistics/rx_bytes) TX_BYTES=$(cat /sys/class/net/tailscale0/statistics/tx_bytes) RX_PACKETS=$(cat /sys/class/net/tailscale0/statistics/rx_packets) TX_PACKETS=$(cat /sys/class/net/tailscale0/statistics/tx_packets)
Get peer count
PEER_COUNT=$(tailscale status --peers|wc -l)
Log metrics
echo "$(date),$RX_BYTES,$TX_BYTES,$RX_PACKETS,$TX_PACKETS,$PEER_COUNT" >> $METRICS_FILE EOF
chmod +x /usr/local/bin/tailscale-metrics.sh ```_
Probleme bei der Fehlerbehebung
```bash
Connection issues troubleshooting
1. Check if tailscaled is running
sudo systemctl status tailscaled
2. Restart Tailscale service
sudo systemctl restart tailscaled
3. Re-authenticate
tailscale logout tailscale up
4. Check firewall rules
sudo ufw status sudo iptables -L
5. Verify network connectivity
ping 8.8.8.8 tailscale netcheck
DNS resolution issues
1. Check DNS configuration
tailscale status --json|jq '.DNSConfig'
2. Test Magic DNS
nslookup device-name.tailnet.ts.net
3. Reset DNS configuration
sudo tailscale up --accept-dns=false sudo tailscale up --accept-dns
4. Check system DNS settings
cat /etc/resolv.conf systemd-resolve --status
Performance issues
1. Check for direct connections vs DERP relay
tailscale status|grep "relay"
2. Test different DERP regions
tailscale netcheck
3. Check for packet loss
tailscale ping device-name
4. Monitor bandwidth usage
iftop -i tailscale0
Authentication issues
1. Check auth key validity
tailscale up --authkey=tskey-auth-xxxxxx
2. Verify SSO configuration
Check admin console for SSO errors
3. Clear cached credentials
rm -rf ~/.config/tailscale/ sudo rm -rf /var/lib/tailscale/
4. Force re-authentication
tailscale up --force-reauth
Subnet routing issues
1. Verify IP forwarding is enabled
cat /proc/sys/net/ipv4/ip_forward
2. Check iptables rules
sudo iptables -t nat -L
3. Verify route advertisement
tailscale status|grep "subnets"
4. Test connectivity to subnet
ping 192.168.1.1 # Replace with actual subnet IP
Complete reset procedure
sudo systemctl stop tailscaled sudo rm -rf /var/lib/tailscale/ sudo systemctl start tailscaled tailscale up ```_
API und Automatisierung
Tailscale API Verwendung
```bash
Set up API access
export TAILSCALE_API_KEY="tskey-api-xxxxxx" export TAILNET="your-tailnet.ts.net"
List devices
curl -H "Authorization: Bearer $TAILSCALE_API_KEY" \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/devices
Get device details
curl -H "Authorization: Bearer $TAILSCALE_API_KEY" \ https://api.tailscale.com/api/v2/device/$DEVICE_ID
Update device settings
curl -X POST \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ -H "Content-Type: application/json" \ -d '\\{"name": "new-device-name"\\}' \ https://api.tailscale.com/api/v2/device/$DEVICE_ID
Delete device
curl -X DELETE \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ https://api.tailscale.com/api/v2/device/$DEVICE_ID
Create auth key
curl -X POST \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ -H "Content-Type: application/json" \ -d '\\{ "capabilities": \\{ "devices": \\{ "create": \\{ "reusable": true, "ephemeral": false, "preauthorized": true, "tags": ["tag:server"] \\} \\} \\}, "expirySeconds": 86400 \\}' \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/keys
Get ACL policy
curl -H "Authorization: Bearer $TAILSCALE_API_KEY" \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/acl
Update ACL policy
curl -X POST \ -H "Authorization: Bearer $TAILSCALE_API_KEY" \ -H "Content-Type: application/json" \ -d @acl-policy.json \ https://api.tailscale.com/api/v2/tailnet/$TAILNET/acl ```_
Infrastruktur als Code
```yaml
Terraform configuration for Tailscale
terraform \\{ required_providers \\{ tailscale = \\{ source = "tailscale/tailscale" version = "~> 0.13" \\} \\} \\}
provider "tailscale" \\{ api_key = var.tailscale_api_key tailnet = var.tailnet \\}
Create auth key
resource "tailscale_tailnet_key" "server_key" \\{ reusable = true ephemeral = false preauthorized = true expiry = 86400 description = "Server deployment key"
tags = [ "tag: server", "tag: production" ] \\}
ACL policy
resource "tailscale_acl" "main" \\{ acl = jsonencode(\\{ tagOwners = \\{ "tag: server" = ["user@company.com"] "tag: client" = ["group:employees"] \\}
groups = \\\\{
"group: employees" = ["user1@company.com", "user2@company.com"]
"group: admins" = ["admin@company.com"]
\\\\}
acls = [
\\\\{
action = "accept"
src = ["group: employees"]
dst = ["tag: server:22", "tag:server:80", "tag:server:443"]
\\\\},
\\\\{
action = "accept"
src = ["group: admins"]
dst = ["*: *"]
\\\\}
]
\\}) \\}
DNS configuration
resource "tailscale_dns_nameservers" "main" \\{ nameservers = ["1.1.1.1", "8.8.8.8"] \\}
resource "tailscale_dns_search_paths" "main" \\{ search_paths = ["company.local", "internal.corp"] \\} ```_
Ansible Playbook
```yaml
Ansible playbook for Tailscale deployment
- name: Deploy Tailscale hosts: all become: yes vars: tailscale_authkey: "\\{\\{ vault_tailscale_authkey \\}\\}" tailscale_hostname: "\\{\\{ inventory_hostname \\}\\}-tailscale"
tasks: - name: Add Tailscale repository (Ubuntu/Debian) block: - name: Add Tailscale GPG key apt_key: url: https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg state: present
- name: Add Tailscale repository
apt_repository:
repo: "deb https://pkgs.tailscale.com/stable/ubuntu focal main"
state: present
- name: Update package cache
apt:
update_cache: yes
when: ansible_os_family == "Debian"
- name: Add Tailscale repository (CentOS/RHEL)
yum_repository:
name: tailscale
description: Tailscale repository
baseurl: https://pkgs.tailscale.com/stable/centos/8/
gpgcheck: yes
gpgkey: https://pkgs.tailscale.com/stable/centos/8/repo.gpg
when: ansible_os_family == "RedHat"
- name: Install Tailscale
package:
name: tailscale
state: present
- name: Enable and start tailscaled service
systemd:
name: tailscaled
enabled: yes
state: started
- name: Connect to Tailscale network
command: >
tailscale up
--authkey=\\\\{\\\\{ tailscale_authkey \\\\}\\\\}
--hostname=\\\\{\\\\{ tailscale_hostname \\\\}\\\\}
--accept-routes
\\\\{% if tailscale_advertise_routes is defined %\\\\}
--advertise-routes=\\\\{\\\\{ tailscale_advertise_routes \\\\}\\\\}
\\\\{% endif %\\\\}
\\\\{% if tailscale_exit_node is defined %\\\\}
--advertise-exit-node
\\\\{% endif %\\\\}
register: tailscale_up_result
changed_when: "'Success' in tailscale_up_result.stdout"
- name: Enable IP forwarding (if advertising routes)
sysctl:
name: "\\\\{\\\\{ item \\\\}\\\\}"
value: "1"
state: present
reload: yes
loop:
- net.ipv4.ip_forward
- net.ipv6.conf.all.forwarding
when: tailscale_advertise_routes is defined or tailscale_exit_node is defined
- name: Configure iptables for subnet routing
iptables:
table: nat
chain: POSTROUTING
source: 100.64.0.0/10
out_interface: "\\\\{\\\\{ ansible_default_ipv4.interface \\\\}\\\\}"
jump: MASQUERADE
when: tailscale_advertise_routes is defined or tailscale_exit_node is defined
- name: Save iptables rules
shell: iptables-save > /etc/iptables/rules.v4
when: tailscale_advertise_routes is defined or tailscale_exit_node is defined
```_
Docker Integration
```dockerfile
Dockerfile with Tailscale
FROM ubuntu:20.04
Install Tailscale
RUN apt-get update && apt-get install -y curl gnupg && \ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.noarmor.gpg|apt-key add - && \ echo "deb https://pkgs.tailscale.com/stable/ubuntu focal main" > /etc/apt/sources.list.d/tailscale.list && \ apt-get update && apt-get install -y tailscale && \ rm -rf /var/lib/apt/lists/*
Copy startup script
COPY start-tailscale.sh /usr/local/bin/ RUN chmod +x /usr/local/bin/start-tailscale.sh
Expose Tailscale port
EXPOSE 41641/udp
CMD ["/usr/local/bin/start-tailscale.sh"]
_bash
Docker startup script
!/bin/bash
start-tailscale.sh
Start tailscaled in background
tailscaled --state=/var/lib/tailscale/tailscaled.state &
Wait for tailscaled to start
sleep 5
Connect to Tailscale network
tailscale up --authkey=$TAILSCALE_AUTHKEY --hostname=$HOSTNAME
Keep container running
tail -f /dev/null
_yaml
Docker Compose with Tailscale
version: '3.8'
services: app-with-tailscale: build: . environment: - TAILSCALE_AUTHKEY=$\\{TAILSCALE_AUTHKEY\\} - HOSTNAME=docker-app volumes: - tailscale-data:/var/lib/tailscale cap_add: - NET_ADMIN devices: - /dev/net/tun sysctls: - net.ipv4.ip_forward=1 - net.ipv6.conf.all.forwarding=1
volumes: tailscale-data: ```_
Ressourcen
- [Tailscale Offizielle Website](LINK_5 -%20Schriftliche%20Dokumentation
- Tailscale GitHub Repository
- [WireGuard Protocol](LINK_5 -%20Nachhaltige%20API-Dokumentation