This is awesome. I'm going to try this out right now, hopefully this can get some more attention!
Rationale: when away from home, be able to access all services on the home server, plus all other machines on the home network, while at the same time, without changing any settings, browsing the internet privately through a VPN. Previously, with both the mobile VPN client and the Tailscale mobile client installed, switching between the two was inconvenient, and after a certain number of switches it broke networking, requiring a reboot.
Tailscale allows the use of Mullvad servers as exit nodes, but the subscription must be purchased through Tailscale. When the feature was first offered, they were enabling Mullvad customers who had already paid in advance. Tailscale is awesome for being able to access the home network from anywhere without exposing the network to the internet, but with their default exit node feature, all traffic outside the home network is not private.
So, I was looking for a way to use Mullvad via Gluetun as a Tailscale exit node. After some trial and error, I have it working. At least, when I load mullvad.net/en/check with Tailscale enabled on my mobile device, I appear to be using Mullvad and it passes all the security checks.
Here is my setup...
gluetun docker compose (relevant parts only, indentation broken on paste)
tailscale docker compose (relevant parts only)
tailscale dashboard settings -- machines (https://login.tailscale.com/admin/machines):
click on your server (hostname set as above)
subnet routes 192.168.1.0/24 (same as TS_ROUTES above) --> check box
use as exit node --> check box
tailscale dashboard -- dns (https://login.tailscale.com/admin/dns)
nameservers > global nameservers --> enter IP of your server
override local DNS --> (enable slider)
MagicDNS --> disable
tailscale mobile client settings
open app > 3 dots in upper right > use exit node... > click on server hostname
AdGuard Home (or Pi-hole) settings (Docker container on same server as Gluetun and Tailscale)
filters > DNS rewrites --> domain: *.lan (any custom local suffix) answer: 192.168.1.87 (server LAN IP)
Not necessary but makes it easy to browse to jellyfin.lan or jf.lan rather than 192.168.1.87:8096, for example.
caddy-docker-proxy settings (https://github.com/lucaslorentz/caddy-docker-proxy)
e.g. jellyfin docker compose (partial)
This auto-generates the following snippet in the Caddyfile when the jellyfin container starts. It can also be written manually and mounted into the Caddy container.
Install the root certificate on devices that will access resources through Caddy, so that security warnings are not generated:
get the root certificate from the caddy container at /data/caddy/pki/authorities/local/root.crt
google how to install it on your OS and/or browsers
Honestly, I'm not sure exactly how everything works together here, so this may be a spaghetti mess that could be simplified or improved. But for me at least, it works. Happy to receive any feedback.
There is one open issue, #1854, that links to a post I also found helpful: https://lemmy.world/post/7281194. However, their setup doesn't allow for remote access to the entire home network, nor does it allow for custom DNS settings.
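Below is an added example of what the whole setup described in the post could look like as a single compose file. It is not the poster's own compose files (those are not reproduced above) and it is not code from the Gluetun, Tailscale or caddy-docker-proxy projects. The LAN range 192.168.1.0/24, the server address 192.168.1.87, the Mullvad provider, the `*.lan` names and the `tls internal` root certificate path follow the post; the image tags, the `.env` variable names, the volume paths, the `homeserver` hostname, the Mullvad city, and the choice to leave Tailscale in its image-default userspace networking mode are my assumptions.

```yaml
# Added example (not the poster's files). Secrets come from a .env file:
#   MULLVAD_WG_PRIVATE_KEY=...   (WireGuard key generated on the Mullvad account page)
#   TS_AUTHKEY=tskey-auth-...    (auth key generated in the Tailscale admin console)
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: mullvad
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: "${MULLVAD_WG_PRIVATE_KEY}"
      WIREGUARD_ADDRESSES: "10.64.0.2/32"      # placeholder: the address Mullvad assigned to that key
      SERVER_CITIES: "Amsterdam"               # assumption: pick any Mullvad city
      # Gluetun's firewall blocks everything outside the tunnel by default.
      # Allow the LAN so that Tailscale peers using the subnet route below can
      # reach 192.168.1.x (and the DNS server at 192.168.1.87) directly.
      FIREWALL_OUTBOUND_SUBNETS: "192.168.1.0/24"
    restart: unless-stopped

  tailscale:
    image: tailscale/tailscale
    container_name: tailscale
    # Share Gluetun's network namespace: control plane, DERP and exit-node
    # traffic all leave through the Mullvad tunnel, so a phone using this exit
    # node shows Mullvad's address on mullvad.net/en/check.
    network_mode: "service:gluetun"
    depends_on:
      - gluetun
    environment:
      TS_AUTHKEY: "${TS_AUTHKEY}"
      TS_HOSTNAME: homeserver                  # assumption: the name shown under "machines"
      TS_STATE_DIR: /var/lib/tailscale
      TS_ROUTES: "192.168.1.0/24"              # approve as a subnet route in the admin console
      TS_EXTRA_ARGS: "--advertise-exit-node"   # then tick "use as exit node" in the admin console
      # Assumption: the image default (userspace networking) is enough here,
      # so no extra tun device or ip_forward sysctl in the shared namespace.
      TS_USERSPACE: "true"
    volumes:
      - ./tailscale-state:/var/lib/tailscale   # keeps the node identity across restarts
    restart: unless-stopped

  adguardhome:
    image: adguard/adguardhome
    container_name: adguardhome
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "3000:3000"                            # first-run setup UI
    volumes:
      - ./adguard-work:/opt/adguardhome/work
      - ./adguard-conf:/opt/adguardhome/conf
    # The "*.lan -> 192.168.1.87" rewrite from the post is configured in the
    # AdGuard Home UI (Filters > DNS rewrites); in the Tailscale admin console
    # set 192.168.1.87 as the global nameserver with "override local DNS".
    restart: unless-stopped

  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
    environment:
      CADDY_INGRESS_NETWORKS: caddy
    networks:
      - caddy
    volumes:
      # Caveat: the Docker socket is root-equivalent on the host; caddy-docker-proxy
      # needs it to read container labels, so keep this container minimal.
      - /var/run/docker.sock:/var/run/docker.sock
      - ./caddy-data:/data                     # root.crt lands in /data/caddy/pki/authorities/local/
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    networks:
      - caddy
    labels:
      caddy: jellyfin.lan, jf.lan
      caddy.reverse_proxy: "{{upstreams 8096}}"
      caddy.tls: internal                      # Caddy's own CA signs the cert; install root.crt on clients
    volumes:
      - ./jellyfin-config:/config
    restart: unless-stopped

networks:
  caddy:
    name: caddy
```

After `docker compose up -d`, the node appears in the admin console and both the subnet route and the exit node still have to be approved there; nothing is routed until that is done. The Gluetun firewall rule is the piece to check first if LAN hosts are unreachable over Tailscale while the exit node itself works, and the auth key should be a single-use or expiring key rather than a long-lived reusable one, since anyone who obtains it can join the tailnet as this machine.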