for a long time i have wanted to set up a mesh network. in the meantime i used WireGuard, which gives you great network legos but was not as robust in every situation as i would have liked. i also don’t enjoy debugging routing issues on new clients, so i was looking for something with batteries included.
i’ve now finally settled on tailscale, which is an emerging tool for mesh networks based on WireGuard, and i used their open-source server headscale as my backend!
is this a css post? no!
Tailscale is a cool vpn client software built by Tailscale Labs. they also maintain headscale, which is an open-source backend you can host yourself without signing up anywhere.
or if you want an easy life, they provide a free software service that abstracts the hassle of hosting your coordinating server. the end result is the same and will give you a private subnet of clients in a VPN, using tailscale to effortlessly handle the routing issues. i’ve had great success using it on Linux, iOS, and Android! the deciding factor for me is the support for selfhosting a backend. 😻
if you have a spare machine and time, you’ll find it easy to use their open-source headscale package. there is minimal configuration required, and some extra flags you’ll need to get up and running, but the end result is an extremely robust private mesh network. it’s modern, has wide support, and can be used to trivially link and access a fleet of machines reliably.
headscale node setup
if you’re using Arch Linux, you’ll find headscale in the AUR. you can get the package with a helper or git:
git clone https://aur.archlinux.org/headscale
cd headscale
makepkg -sric
another perk is that even on machines without recent packages built, it’s pretty simple to build through go
# headscale is published under its own module path, not tailscale.com
go install github.com/juanfont/headscale/cmd/headscale@latest
go install tailscale.com/cmd/tailscale@latest
go install tailscale.com/cmd/tailscaled@latest
if you do not plan to self host the backend and prefer to use the official Tailscale service, you can skip to the next section.
if you have headscale installed now, hopefully yours came with a systemd service file. before we start that, there are two defaults we’ll want to change.
server_url: http://192.168.2.2:8080
listen_addr: 0.0.0.0:8080
this is the simplest way to make the server reachable: a listen_addr of 0.0.0.0 binds the port on every interface, and server_url is the address your clients will use to connect. there is more you can configure, but this is the minimum you need to start the service and connect clients!
sudo systemctl enable --now headscale
note: your headscale server is not inside the mesh by default. you can follow the Tailscale client setup steps on the same machine to add it!
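an added example (not from the original post and not part of headscale): a small shell check for the two settings changed above, flagging a plain-http server_url and a listen_addr bound to every interface. the sample configs are constructed, and the hostname and loopback port in the second one are placeholders that assume a TLS reverse proxy in front of headscale.

```shell
#!/bin/sh
# Added example: audit the server_url and listen_addr keys shown on this page.
# Only these two top-level keys are read; nothing else in the file is parsed.

# Value of a top-level "key: value" line, without comment, padding or quotes.
cfg_get() {
    sed -n "s/^$1:[[:space:]]*//p" "$2" | head -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print one finding per line; return 1 if anything was flagged, 0 otherwise.
audit_headscale_cfg() {
    url=$(cfg_get server_url "$1")
    addr=$(cfg_get listen_addr "$1")
    rc=0
    case $url in
        https://*) ;;
        http://*)  echo "server_url: plain http, clients log in without TLS"; rc=1 ;;
        *)         echo "server_url: missing or not an http(s) URL"; rc=1 ;;
    esac
    case $addr in
        "")                     echo "listen_addr: not set"; rc=1 ;;
        0.0.0.0:*|"[::]":*|:*)  echo "listen_addr: bound to every interface"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: the values from this page, then a proxied variant
# (headscale.example.com and the loopback bind are assumed placeholders).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'server_url: http://192.168.2.2:8080\nlisten_addr: 0.0.0.0:8080\n' > "$tmp/page.yaml"
printf 'server_url: https://headscale.example.com\nlisten_addr: 127.0.0.1:8080\n' > "$tmp/proxied.yaml"

for f in "$tmp/page.yaml" "$tmp/proxied.yaml"; do
    echo "== ${f##*/}"
    if audit_headscale_cfg "$f"; then echo "ok"; fi
done
```

on a real install, point it at /etc/headscale/config.yaml before enabling the service on anything other than a trusted LAN.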
tailscale client on Linux
now, you’re ready to configure the tailscale client and use the preauthkeys to log in. here are the steps you can use to set it up on a Linux client as an example.
# --auth-key: the preauthkey you generated
# --login-server: the server_url in /etc/headscale/config.yaml
tailscale up \
  --auth-key=tskey-abcdef1234567890 \
  --login-server=http://192.168.2.2:8080
tailscale status
after that, you’re all set and can run tailscale for more commands.
checking what works
if you’re running a backend such as Headscale or using the default login servers, you should now be able to access all clients in the mesh from each other!
first you might check your current ip address
ip route get default
tailscale ip
this will show you the subnet and current ip of your active client only! this will help you
if you decided to run the headscale service, you can use this command to get an overview of all the clients in your mesh:
headscale nodes list
final thoughts
this is just an example of the minimum setup required to test the mesh network. looking forward, consider deploying a reverse proxy, setting up https, integrating other plugins, and exploring alternative auth methods. it’ll be fun!
i use this to connect a GPU with the miraj.cloud frontend for example! another use case is having a static address to access my local media center. it’s also great for hosting your own DNS and NTP servers.