
VPN (Headscale / Tailscale)

The VPN connects all zones and remote machines: Headscale is the coordinator (running on the HCS), and Tailscale is the client on every node. See Network for an overview.

Enabling coordination and declaring the HCS (profile: hcs) is sufficient:

etc/config.yaml
network:
  coordination:
    enable: true
    hostname: "hcs"
    domain: "headscale"

Roles are derived from each host’s profile:

  • HCS: mesh coordination (Headscale).
  • Gateway: subnet router + exit node: publishes its zone’s subnet.
  • Other nodes: Tailscale clients.

  1. On the HCS: create the attachment user and a key

    just enter hcs
    sudo headscale users create nix --display-name "Nix Admin" --email "nix@domain.tld"
    sudo headscale preauthkeys create --reusable --expiration "1d" --user 1
  2. Fill in the key in secrets

    just sops # edits usr/secrets/secrets.yaml → tailscale/authKey key

    The gateway then registers automatically (on the next just apply).

  3. On the gateway: advertise the subnet

    sudo tailscale set --advertise-routes 10.0.0.0/16 --advertise-exit-node \
    --accept-routes --accept-dns=false --ssh --snat-subnet-routes=false
  4. On the HCS: approve the routes

    sudo headscale nodes list # find the gateway ID
    sudo headscale nodes approve-routes --identifier <id> --routes 10.0.0.0/16
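As an added check after step 4 (not part of the original page), this Python script audits which subnet routes each peer actually serves, from the output of `tailscale status --json` on any client: a gateway should expose exactly its approved zone subnet, and no other node should expose any subnet at all. The JSON field names (Peer, HostName, AllowedIPs) follow Tailscale's ipnstate.PeerStatus structure and are an assumption; the sample status below is constructed.

```python
import ipaddress
import json
import subprocess

# Constructed sample in the shape of `tailscale status --json` (not real output).
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "gw-zone1",
            "Online": True,
            "ExitNodeOption": True,
            "AllowedIPs": ["100.64.0.2/32", "fd7a:115c:a1e0::2/128", "10.0.0.0/16"],
        },
        "nodekey:bbbb": {
            "HostName": "laptop",
            "Online": True,
            "ExitNodeOption": False,
            "AllowedIPs": ["100.64.0.3/32"],
        },
    }
})

# Address ranges Tailscale assigns to nodes themselves; anything outside these
# in a peer's AllowedIPs is a subnet route that peer serves for the tailnet.
TAILNET = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]


def audit_routes(status_json, expected):
    """Return {hostname: (ok, unexpected_routes)} for every peer.

    `expected` maps hostname -> list of subnets that node may serve. A peer is
    ok when the subnets it serves equal its expected set; a peer missing from
    `expected` must serve no subnet (unapproved or stray advertisement)."""
    status = json.loads(status_json)
    report = {}
    for peer in status.get("Peer", {}).values():
        host = peer["HostName"]
        served = set()
        for cidr in peer.get("AllowedIPs", []):
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(t) for t in TAILNET if t.version == net.version):
                served.add(net)
        want = {ipaddress.ip_network(c) for c in expected.get(host, [])}
        report[host] = (served == want, sorted(str(n) for n in served - want))
    return report


def live_status():
    """Fetch the real status JSON from the local tailscale client (assumed PATH)."""
    return subprocess.run(["tailscale", "status", "--json"],
                          check=True, capture_output=True, text=True).stdout
```

Run `audit_routes(live_status(), {"gw-zone1": ["10.0.0.0/16"]})` on a node after approval; any peer reported with unexpected routes deserves a look with `sudo headscale nodes list`.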

Useful headscale commands on the HCS (the alias h = sudo headscale is available):

sudo headscale users list # users
sudo headscale nodes list # connected clients
sudo headscale nodes routes # advertised / approved routes

To join the network from outside a zone, see Connecting from outside.