Tailscale Setup

Original forum link
https://forum.qubes-os.org/t/19004
Original poster
kenosen
Editors
Captain_Unicorn, deeplow, michael, qubalker, taradiddles
Created at
2023-06-02 05:26:30
Last wiki edit
2024-10-08 13:09:17
Revisions
11 revisions
Posts count
15
Likes count
4
Tags
configuration, networking

Updating this to correct a few things, and also to not encourage a single command for fetching a script and running it without checking it first. I will leave the original authors on here in case it still works for a previous version of qubes. The way I am adding works for 4.2.1

Create template and install Tailscale: Create a new template VM to install tailscale into, I will be using a Fedora-39 template as the base for the new template. Inside that new template, we will follow the directions on the Tailscale website with some modifications, the link is there for if you'd like to verify.

sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/fedora/tailscale.repo
sudo dnf install tailscale
sudo systemctl stop tailscale
It will ask you to verify Tailscale's signing key fingerprint before it installs, which will look like this: 
Importing GPG key 0x957F5868:
 Userid     : "Tailscale Inc. (Package repository signing key) <info@tailscale.com>"
 Fingerprint: 2596 A99E AAB3 3821 893C 0A79 458C A832 957F 5868
 From       : https://pkgs.tailscale.com/stable/fedora/repo.gpg
Is this ok [y/N]:
Confirm that fingerprint is correct and respond y. Frustratingly they don't post that on their website, but web of trust it and search around to make sure it is accurate.

Set up sys-tailscale: Now create an app-vm based on your new tailscale template you just made. Make sure you check the box for provides network to other qubes. I called mine sys-tailscale. Start up a terminal for sys-tailscale and set up your bind-dirs to have the login persist across reboots:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
sudo nano /rw/config/qubes-bind-dirs.d/50_user.conf
Yes, I know, nano, get over it, it works well lol. Within 50_user.conf add the following: 
binds+=( '/var/lib/tailscale' '/var/cache/tailscale' '/var/log/tailscale' '/etc/default/tailscaled' )
Now time to finish setting up your binds. In order to do that we need to create those directories we added to 50_user.conf

sudo mkdir -p /rw/bind-dirs/var/lib/tailscale
sudo mkdir -p /rw/bind-dirs/var/cache/tailscale
sudo mkdir -p /rw/bind-dirs/var/log/tailscale

Now lets check to make sure we got it right: 

[user@tailscale-checker ~]$ tree /rw/bind-dirs/
/rw/bind-dirs/
└── var
    ├── cache
       └── tailscale
    ├── lib
       └── tailscale
    └── log
        └── tailscale

Set up the commands we need in rc.local to have Tailscale set up and running on reboot

sudo nano /rw/config/rc.local
Add the following two lines at the bottom of the file 
systemctl start tailscaled
tailscale up
You do not need to use add sudo on there on the commands in rc.local. I reboot sys-tailscale at this point, probably not necessary I just like to verify everything is there before logging in.

P.S: Instead of modifying rc.local, you can enable the service in the template with sudo systemctl enable tailscaled. In fact, it is enabled by default, so this step is excessive.

Log in to Tailscale 

sudo tailscale up
It will now prompt you to login in to a link it provides. Do that, then once you have logged in make sure to activate the machine in your Tailscale admin console

Check to make sure you are logged in: 

tailscale status
If you are logged in you should see the list of your machines running Tailscale starting with their IPs.

Now time to reboot again and make sure your login persisted. Once rebooted just run tailscale status again, and if all went well you will still be logged in.

You are now done and have a working sys-tailscale that you can use as the net vm for any qube you want to give access to your tailnet.

This document was migrated from the qubes-community project