The Uncast Show

The Ultimate Guide to Tailscale on Unraid

Unraid

Dive into the ultimate guide to using Tailscale on Unraid 7! This comprehensive video tells you everything you need to know about integrating Tailscale into your Unraid life. Whether you're just starting or looking to master advanced features like the brand new Docker integration, Tailscale SSH, Exit Nodes, setting up a travel router for seamless remote access, and more, we've got you covered on this episode of the Uncast Show!

Chapters

00:00 Introduction to Unraid 7 and Tailscale Integration

02:45 Understanding Tailscale and Its Benefits with Unraid

06:19 Use Cases for Tailscale in Unraid

12:23 Traveling? Set up Tailscale on a travel router like the Beryl AX 3000 for seamless, safe access to your Unraid server and Tailnet: 

13:52 For podcast listeners, now might be a good time to pause and switch to YouTube as there is much more screen sharing going forward.

14:15 Integrating Tailscale into Docker Containers with real-world examples

18:45 Installing Tailscale on Unraid Server + Subnet routing

31:25 Setting Up Exit Nodes and Tailscale SSH 

38:45 Using Rsync over Tailscale SSH

42:47 Tailscale Lock

45:45 Diving into Docker and Tailscale 

49:30 Tailscale Serve + Easy Remote Sharing

56:40 Setting Up Pihole in Tailscale

01:05:15 Global Nameservers, overriding local DNS and secondary DNS

01:13:08 Utilizing Tailscale for Windows Containers + KVM

01:17:30 Steam Headless Gaming + Tailscale = Gaming from anywhere!

01:25:25 Tailscale + travel router = a great travel hack for RVers, Roadtrippers, Cruisers, mobile banking, and many other use cases by 

Key Links:
Beryl AX 3000 Travel router

Tailscale Docs for Unraid:
https://docs.unraid.net/unraid-os/man...

Adding Tailscale to Docker containers:
https://docs.unraid.net/unraid-os/man...

Don’t miss this opportunity to unlock the full potential of Tailscale on Unraid! Like, subscribe, and share for more tutorials and tips.


Speaker 1:

Hi there, guys, and welcome to another episode of the Uncast Show. Now today, I'm afraid I'm not going to be talking to a guest on today's show. Yeah, I know it's terrible, you're just going to have to be listening to me today. Now I might not have an actual guest on the show, who's an actual person, but you could say my guest is some game-changing features in Unraid that you'll be seeing in Unraid 7, of which the RC1 has just been released. So now you can do everything that we're going to be talking about on today's show yourself at home. Now, in my opinion, this new feature is unlike anything we've ever seen before in any home or small office server OS before. So if you've ever wanted secure, remote access to your server without the headache of port forwarding and that kind of thing, or if you're just curious about how you can actually isolate specific Docker containers with individual networking, well this episode is just for you. So if you watched my last video with Alex Kretzschmar, who's the head of developer relations over at Tailscale, you'll know that Unraid have recently partnered with Tailscale. You didn't know that? Well, I did announce it in the last video. So here's me from the past just to give you a recap: I've got something very exciting for all of the audience listening that I can announce on the show today, and this is the first place that you're going to be hearing it. Tailscale is officially coming to Unraid and is going to be built right into the OS. The team's been working with Derek Kaser, who's the author of the Unraid plugin, to basically make that happen and have it become part of the OS.

Speaker 1:

Now I know some of our listeners, Alex, they might not be familiar with Tailscale or why it's such a game changer. So, Alex, could you start by explaining what Tailscale actually is and why it's so important for us kind of home server enthusiasts and home labbers, etc. Yeah, well, for those of you that are listening that don't know, I cut my teeth on it, right? Anyway, if you haven't seen that video yet, why don't you check it out? Alex is not only involved with Tailscale, but he's also one of the super knowledgeable hosts of the Self-Hosted podcast and, as well as that, a founding member of LinuxServer.io. Oh yeah, and did I say he's a super nice guy to boot as well? Well, of course he is, isn't he? He's a fellow Brit.

Speaker 1:

Anyway, as I was saying before, this is the first time a NAS or home server OS has integrated Tailscale this deeply. It's not just a feature, it's a partnership that puts secure networking at the heart of Unraid. Unraid integrates Tailscale not only into the base OS itself, but now you can also integrate Tailscale into any Docker container you currently have or install in the future, with just a click of a few buttons in the Docker template. Now you can probably tell I'm really excited about this. It's just so super cool. But I've got to remember that some of you watching you may not know exactly what Tailscale is, and if you do know what it is and you use it already, you may wonder if you've got it on the server itself, why would you actually want to install it into individual Docker containers as well?

Speaker 1:

Anyway, let's start with what actually Tailscale is. So Tailscale, it's a modern, secure networking tool that creates a private, encrypted mesh network between your devices. Think of it as a way to connect all of your devices securely, no matter where they are, without complicated setups like VPNs or having to keep track of your IP address and no port forwarding. It just works. So I mentioned a mesh network. So you know what is a mesh network? Well, devices on Tailscale, they form direct connections with each other, no matter where they are at home, at a coffee shop or anywhere across the world. So it's basically like having your own LAN expanded anywhere to a place where you can receive internet. Pretty cool, hey. And as well as that, it uses something called Zero Trust. And what's that? Well, in basic terms, only devices you authorize can connect to it. So it keeps your devices and data secure. And, as I've been mentioning, another really cool thing about Tailscale is just ease of use. You know, forget manual configurations, Tailscale, it handles everything for you. So it's a perfect fit for us Unraiders.

Speaker 1:

Now for those of you who kind of wonder what's under the hood of Tailscale, it's basically WireGuard. So what Tailscale does is it makes the actual introduction connections, you could call it, to the devices, and then those two devices, they make a direct WireGuard connection to each other wherever possible. Now, I'd say probably about 90% of the time these direct connections are possible. But there are certain networking conditions where a direct connection might not be possible, where maybe both sides behind carrier-grade NAT or both sides are double NATed, some unusual situation. Well then, what Tailscale will do is use what's called a DERP server, where it routes the traffic through one of Tailscale's own servers, but all of this is encrypted as it goes through, so even Tailscale can't see it. And in these unusual situations, your traffic will be routed through a DERP server. But what this does is it makes sure that a hundred percent of the time, you will have connections with your devices. So, just to recap, what Tailscale will do is it will try its hardest to make direct connections with all devices. It always wants that as the first priority, and if it can't do that, then it will use a DERP server. So all Tailscale does is initiate the connections between the two devices, and this is just to get around any networking issues, and that's why we don't have to do things like port forwarding or tracking our IP. Okay, so that's what Tailscale is. It's a way for us to securely and easily connect our devices together.

Speaker 1:

So the next question is why do we want to do this? So what's in it for us Unraiders? Well, obviously there's the two use cases: one, the integrated server integration, and one, being able to integrate Tailscale into individual Docker containers. Now let's start with integration into the server itself. So, as soon as we install the official Unraid plugin and configure it on our servers, our server then joins what's called our tailnet. So what is a tailnet? Well, basically, this is our virtual LAN. It's our mesh network that I was talking about earlier, and Tailscale basically call this a tailnet. It's basically a virtual LAN.

Speaker 1:

Okay, so the most obvious use case for this would be to access our server remotely. We can log into the web UI. We can start up Docker containers. We can shut them down. We can install containers, VMs, everything that we could at home. We can even stop the Docker service, stop the array. We can do all of that.

Speaker 1:

Now, you might remember there was a Docker container for Tailscale. Now, this is actually different to the actual Docker integration that I'm going to be talking about in a moment. There used to be, well, there still is, in fact, an actual Docker container for Tailscale that allows us to access our server using Tailscale. Now, it's not as good as the official plugin. I have to be honest. It's not as good because, basically, it's harder to set up, and also what happens if you stop the Docker service? Well, if Tailscale is running in the Docker service, you'll lose access to your server. With the official plugin, you can do everything. You can start the server, stop the server, start the array, stop the array. You can do everything you could as if you're at home. So that's why it's better. Now, if you've previously installed and used the Dockerized version of Tailscale, well, it did its job at the time and I'd like to thank the author who actually made that. But I'd suggest, going forward, you uninstall it and use the official Unraid version, use the plugin version going forward, because the integration is so much more highly integrated and it's just better in 2024.

Speaker 1:

So why else would you want to use Tailscale on your server? What other use cases can we think of? Well, we can actually link two different servers together in different locations. You know why would we want to do that? Well, we can actually do backups. Well, we could use rsync and do an rsync backup across the internet, over Tailscale, securely to another trusted server elsewhere. We could do the same with GFS replication. We could do a backup that way.

Speaker 1:

But let's think of something else we could also. I guess we could actually use a server somewhere as a CCTV kind of backup location. Well, not a backup location. We could actually record directly from some cameras. Say, we had like a business, we had like a small store. We could have CCTV cameras there and then we could actually use Tailscale to actually link back to our Unraid server at home and we could record the footage at home. So I guess then if any bad guys broke into the shop they can't smash the CCTV system and get rid of the footage. Now I haven't tried that myself, so you know I can't tell you how to do it, but it's for sure possible.

Speaker 1:

Anyway, how about things that are a bit easier to do. What else can we do using Tailscale, our server at home? Well, we can do something called subnet routing and in one of my Space Invader 1 videos I showed how to set that up. So what it is is basically, with subnet routing we can, through Tailscale, allow devices to be able to access the whole of our LAN at home, or we can choose certain ranges of the LAN to be able to be accessed. So say, I wanted to be able to access my router at home through Tailscale on the server. If I did subnet routing, I could go to 192.168.1.1 and access my router over Tailscale as well as just the server. So subnet routing, that's another pretty cool thing.

Speaker 1:

And something else we can do is we can use something that's called an exit node. Now I'm sure a lot of you out there have used a kind of commercial VPN service like Private Internet Access, Mullvad, that kind of thing. So what they do is they exit all of the internet out of a node. So you call that an exit node. So what we can do is we can do the same at home. So we can set up an exit node and then when we connect to our tailnet we can say we want to use this exit node. Then all of our internet will go through our house. So on my server behind me there I've got Tailscale running and when I go away I can actually access everything in the house through subnet routing.

Speaker 1:

But using the exit node, I can also basically have my home IP address. So if I want to go abroad and I want to watch, say, iPlayer, which is the BBC, which is like a local TV channel over here. You can't watch it outside of the UK but because I'm routing all of my traffic through my home IP address then I can watch it. So it gets round geo restrictions like that. Also, you know, if I go away and I want to access my bank, say I go across to the USA. If I try and access my banking website or apps, it doesn't like it. It kind of thinks, you know, what am I doing in the USA? Am I trying to kind of hack my bank? And it won't let me. So using the Tailscale exit node, it thinks I'm at home here in the UK and I have no problem accessing my bank. So exit nodes, pretty cool.

Speaker 1:

And talking of exit nodes, we can also use a travel router and we can put Tailscale on that and then connect that back to our Unraid server, to our exit nodes if we're using it, and to subnet routing. So I'm not sure if you've ever seen one of these before. It's an AX3000 and later in this video I'll show you how to set it up, install Tailscale on that and then we can use that to actually connect to our Unraid server at home or anything on our Tailnet. So again with the travel router. What's pretty cool about it is you can connect it to any Wi-Fi. So I'm not sure if you've been to a hotel before and you have these kind of portals that you have to go into and you kind of put in a username and password and you might pay for a certain amount of time for a certain amount of devices. So whilst you're at the hotel, say for a week, you'll pay X amount of dollars and that will give you access for one device. Well, here's your one device, okay, and then you connect all of the other devices that you've got that your family might have, so the kids might have their phones, tablets, and it shares that internet. So you don't have to pay for additional ones for each one of the family. So it's pretty cool. And, as well because the router is connected to Tailscale, we can connect to devices on our tailnet that can be Docker containers or the server itself.

Speaker 1:

So, talking of Docker containers, this is what I think is the really, really, really big deal, the real game changer that has come to Unraid recently. It is just really pretty amazing and, like I keep saying, I don't think there's been anything else like this at all. This really is a world first. Now, for those of you who are listening to the audio version of this podcast, now would be a good time to switch over and continue following along on YouTube, because I'm going to be sharing my screen quite a lot and, without the context of seeing that what I'm saying, it may well not make sense. But anyway, for those of you who are watching on YouTube, let's continue.

Speaker 1:

So let me talk about how Unraid lets us easily install Tailscale directly into individual, specific Docker containers. So you might be thinking, why would you want to do this? We can always access Unraid through its web UI and then access containers that way. But that's only half the story.

Speaker 1:

When we integrate Tailscale directly into a container, we can just do so much more. For example, let's take Jellyfin, for instance. Well, so many people, Jellyfin, you see them just open port 8096 on their router and point it to their Unraid server. It's not really very secure. A lot of people, they don't even use a reverse proxy. But using Tailscale directly into Jellyfin, we can have the Jellyfin container have its own IP address and even its own fully qualified domain name, so it could be jellyfin.mytailnet.ts.net, and that's with a full SSL certificate from Let's Encrypt. So it's totally secure.

Speaker 1:

Now, as well, it's not accessible to anyone who isn't a member of your tailnet. So what you can do for friends and family is you can, from Tailscale, send them a link, send them a message via email and it lets them join your tailnet and then they can access Jellyfin as well. So it's a totally private way of accessing your media server via a direct WireGuard connection using Tailscale between your friends and family. So it's really, really cool. And also because it's directly in the container, they can't access your server at all. They can't access your web UI, they can't access your shares. You are just giving them permission to access just that container. Now, you may have seen my recent video on the Space Invader 1 YouTube channel, where I show you how to install a Steam headless container.

Speaker 1:

Now, for those of you who don't know what that is, that allows you to play video games via Steam on a headless server. So it doesn't have basically the screen showing, but it passes through a GPU to the Docker container and then somewhere else in your LAN, like in your house, you can play the game. I do it on my Nvidia Shield in the bedroom so I can just sit in bed and play my video games. But if you integrate Tailscale into that Docker container, well, we can then play our Steam library on any device from anywhere in the world, so long as it's got a decent internet connection, obviously.

Speaker 1:

Now, something else: a lot of people, they use Pi-hole. Well, Pi-hole's great for blocking ads. But when you leave the house you can't use it anymore because obviously it's running in the house and you wouldn't want to expose it to the internet. But if you install Pi-hole and then you install Tailscale into Pi-hole, you can then give that container on your tailnet to friends and family and then they're going to have no ads as well. It will all be done through your Pi-hole container. But as well, put it on your own laptop and wherever you go you're going to have no ads. Now, another container I really like is one called Forget. Now Forget is a self-hosted search engine. It's really nice for privacy. So if you install Tailscale into that, well, we can actually set that as our default search engine on our browser and, because it's connected to Tailscale, wherever we go in the world, we can have our private browser with our search engine that way.

Speaker 1:

And obviously, another thing: game servers. I know a lot of you guys out there, you like running things like Minecraft servers, Ark survival servers. I don't run any, so I couldn't tell you which ones are good, etc. But it means that you can actually share them with your friends, your own servers, on your tailnet by integrating the actual Tailscale into these Docker containers. Anyway, I'm not going to talk too much about it because there is a section of this video where we're going to go into a lot more depth. This is just basically an overview.

Speaker 1:

So I really think that Unraid 7 and Tailscale integration is a game changer and I think let's just start and have a look at it on the server. First, let's see how to install it on the Unraid server and then we'll go on to looking at Docker containers. Okay, so end of the introduction. I'm going to go across to my other server now and let's install it over here on another server and we'll start with installing the Tailscale integration directly into the server. Okay, so I'm going to go across here onto my backup server, which I call Imperial Walker, and I'm going to log in.

Speaker 1:

Now, the first thing to do is just check that you don't have the Docker container version of Tailscale installed. If you do, then just make sure to remove that, because we won't be needing it anymore. And so, with that removed, I'm going to go to the Apps tab here and, you guessed it, I'm going to search for Tailscale. So what we're looking for here is the Tailscale plugin. Here we can see the official Unraid one, which is also the monthly spotlight. So I'm going to click on to install here and download and install the container.

Speaker 1:

Ok, so with the plugin installed, we just need to go across to settings here, and here now we can see there's a new icon under network services. Here's our Tailscale plugin. So if I click onto this now, that brings us to a page where it says re-authenticate. Now it says re-authenticate, but we are in fact only authenticating for the first time. But let's click onto this. And then now, with Tailscale, we need to sign in with one of these providers. Now I'm going to use Google here and I'm going to use this email address here, specially set up for doing this video. So I'm going to click onto next here and pop in my password, and so now, when I click onto connect, that's going to connect my Unraid server here onto my tailnet. So let's do that and I'm going to click here to visit the console. Okay, so here we can see my server, Imperial Walker, and here we can see the various different ways that we can connect to it. So it's got its own IP address here and also we can see it's got the name here, Imperial Walker, and then my tailnet address here.

Speaker 1:

Now one thing I'd suggest to do is let's change the actual tailnet to something a bit more fun. Now let's go across here to DNS, and here I can rename the tailnet, because really, taylor36d8b.ts.net, well, pretty boring, so let's rename it. So it's always best to do this right at the beginning, because if you rename your tailnet later on, well, it could cause you issues to use things that are already set up. So that's why I suggest you do this first. So I'm going to click I understand here, and then it gives us a few different options that we can choose. Now I don't really like any of those. So I'm going to click re-roll options and again I'm going to click re-roll and, I don't know, I'm going to go for Fox Gary Boldy here. So I'm going to click rename tailnet. And now we can see my tailnet is renamed.

Speaker 1:

Now, if I go back to machines now and I look here we can see here now it's imperialwalker.fox-garyboldy.ts.net. Now I can't actually access any of these things at the moment because I don't have Tailscale installed on my Mac. So we're going to need to do that. So now I want to add my Mac. So at the top here we can see download. So I'm going to click there and here we can choose the OS that we're using. So I'm going to click download Tailscale for Mac. Okay, so it's pretty easy to install. Just install for whatever OS you need. And again you're going to need to do very similar to what we did on the Unraid server, by just signing in with the same credentials as we did before, and you can see here I'm connecting my Mac to the same tailnet. So now we can see both machines are in my tailnet.

Speaker 1:

Now there's one thing you can do. I don't really like the name of this here, so if I click onto it and I go to machine settings, here I can edit the machine name. So instead of having it auto generate from the OS host name, I'm going to uncheck that here and I'm just going to call it MacBook Pro. So now both machines are here and so let's have a look here. Now, if I grab this IP address and I paste that into a browser window, this will bring me across to my Unraid server. Now this would work from anywhere I am in the world with this IP address and it would just be the same username and password that I'd normally use to log into the server. So next, if we go back to machines here and I'm going to grab this name here, the imperialwalker.fox-garyboldy, let's pop this in here so we can see this is a domain name. So if I click enter again, that brings us straight the way through. Now one thing to notice is currently you'll see here that it says not secure. That's because we don't yet have an SSL certificate, but we'll worry about that later.

Speaker 1:

Now let's go back to the settings page here and go back to Tailscale, and here we can see various things about this device on our tailnet. Here we can see it says the Tailscale key will expire here for me in 183 days. I'm logged in with dragontailscale at gmail.com and I'm currently viewing. Here I can see the various different ways I can connect to this server. We can see here it says this is not an exit node. Here if I click view device details, you can see a little bit more information about this device in Tailscale and here under subnet router. If I click here, we can see that there's no actual routes being displayed. So also finally here Tailscale SSH server. We can see that that's not running here.

Speaker 1:

Now the first thing we'll do on this page is it says here the key's going to expire. Now I really recommend that we make it so keys, they don't expire on devices that we permanently have connected to the tailnet. It's good to have keys to expire on things you might give to guests when you share things out, and we'll talk more about sharing things in a moment, but devices that are permanently connected, it's best to have the key to never expire. So to do that we need to go back across to our tailnet on the Tailscale website here and you can see I've actually added another server behind the scenes here. We'll have a look at that in a moment. But here, here's Imperial Walker. So what I want to do is click on the three dots here and I'm going to click on here disable key expiry. And I'm going to do that to this other server here called Andromeda. I'm going to disable the key on that and also my MacBook Pro. So now none of these will actually expire. And if we go back to the page here and I refresh this page, we can see here it doesn't say the key is going to expire.

Speaker 1:

Now, earlier on I mentioned about subnet routing, which basically means we can actually access things on our local LAN here in the house or wherever our server is running on devices that we have connected to our tailnet. Now here, if I click onto this, you can see it says not advertising any routes. So here, where it says viewing, now I can click onto this and then, if I click here, sign in to confirm identity. In fact, because I'm already signed into Tailscale, I didn't have to put in my username and password. If you weren't signed in you would have to. And here now, if I click onto subnet router, here I can advertise a new route.

Speaker 1:

Now I'm never sure whether to say subnet router, which we say here in the UK, or subnet router, because I thought you guys in the States, you call it a router. So I've kind of started saying that. But then a friend of mine over in the States who's a boat builder says when I say router he thinks of a machine in a shop. So I don't know, excuse me if I'm saying it wrong. Anyway, so what we can do here is we can put in a subnet. So for me my subnet is 10.10.20.0, forward slash 24. So I'll explain what that is. My server, its normal IP address is 10.10.20.199. So to kind of write a subnet in what's called a CIDR, yep, like the drink, we just put the last number on the end as a zero, then forward slash 24. That gives us every IP in between 1 and 254. So if I click advertise routes here, we can see here that we're wanting to be able to have Tailscale through my server here, be able to give devices access to anything on this subnet here. Now a lot of people, you might have something like 192.168.0.0, forward slash 24.

Speaker 1:

So there's one kind of caveat here is if you're in a coffee shop and you wanted to access something on your home LAN that's on 192.168.0.1, say you want to access your router at home. So if you're in a coffee shop and their router is also on 192.168.0.1 and you're in the coffee shop, how does it know which one you want to actually access? Because there's going to be two lots of 192.168.0 and whatever number on the end. Yeah, so I always recommend on your home network, have an obscure subnet. That's why I use 10.10.20.0 forward slash 24, because I'm never going to go to a coffee shop, an airport, they're not going to have that same subnet range. So it always just means that I can connect back to my subnet and it won't clash with the subnet I'm connecting from. You know, I hope that makes sense, but it's just something to think about. Now I'm going to click stop advertising on this one here, because that's not a subnet for me at home. But you can see here it says pending approval. So underneath here, to approve route we need to go to the admin console. So I can just click here and here under subnets we can see here it says waiting approval. So I'm going to click here on review. I'm going to check this one and I'm going to click save. And so now, if we go back to the Unraid server, here we can see it says this route's approved. Now, so that's all good. And here we can see, under subnet router it says there's one route that's been approved.

Speaker 1:

Okay, we'll talk about the Tailscale SSH server in a moment, but, as you saw a moment ago, I have added this server here called Andromeda. Now this is a server that I have in a data center over in Finland, so it's a long way away. So anyway, let's connect to this server here. So I'm going to grab its IP address, open a new tab and just paste the address in here and just log in. Now the first thing I'm going to look at is I'm using Unraid Connect on this server here and I've got a little error message here. So here we got what's called a CORS error, and so what I need to do is I need to add the Tailscale IP here. So let's copy that onto the clipboard and click here to go to Connect settings. And here we've got Unraid API extra origins. So I'm going to paste in the Tailscale IP address here and click apply, and now if we go back we can see it's gone. So just a little thing, but yep, worth doing. Now I'm going to go here to settings and I'm going to go to Tailscale. So exactly the same as the other server, except I'm not exposing any subnet routes and we can see the key is not set to expire.

Speaker 1:

Now what I want to show you here is we're going to set up what's called an exit node, so that will allow me at home to actually route my traffic through this server over in Finland. Now I'm going to open up a terminal window here just to show you something, and I'm going to check my IP address. So to do that I can type curl ifconfig.io. Now if I hit enter here it will give my public IP address. I don't really want this online, so I'm going to put forward slash here, then country underscore code and now if I hit enter here, it's going to tell me basically the country code of where the IP address is from. So you can see here FI for Finland. So let's close this now.

Speaker 1:

Okay, to set up an exit node, it's super easy. Now, at the moment here you can see that we can't actually do anything, so that's because we're on viewing mode again. So if I click onto here and then click sign in to confirm identity, it will ask me to sign in and then we'll get some additional options. So you can see here that I'm signed in. And so now you can see here under exit node I can click this little arrow and I can click here run as exit node. So I'm going to do that. And now we can see we're running as an exit node and we've got a button here to disable it if we wanted to cancel this. But we can see here it's pending approval. Just in the same way as earlier when we did subnet routing, we need to actually approve this in the Tailscale actual web UI itself. Let's go to the Tailscale website here and here we can see it says the Andromeda is running as an exit node. So let's click onto it. And here under routing settings, here we can see awaiting approval. So let's just click edit and I'm going to check here use as exit node and I'm going to click on to save. Okay, so that's all done. So now my server here over in Finland, we can see it says it's running as an exit node. So now, whenever I want to, I can route all of my internet traffic through Finland out through this Unraid server. Okay, so now let's test that.

Speaker 1:

Let's go on to my Mac. Now, the first thing I'm going to do is I'm going to open up a terminal window and again here I'm going to type curl ifconfig.io forward slash country underscore code. So this will tell us our country code for where our internet is currently, and we can see here it says GB, which is the UK, Great Britain. Okay, so let's minimize this now. And here at the top, here is my Tailscale icon on the Mac, and here we can see my network devices. The other ones here, Andromeda and Imperial Walker. Well, Andromeda is the server in the data center. So what I can do here is on exit nodes, I can actually choose the exit node to be Andromeda. So I'm going to click onto that and we can see a little arrow here on the Tailscale icon. I'll try and zoom in on that, but it's pretty small. Hopefully you'll be able to see it. So now let's open up the terminal window again and run the same command. And there we are.

Speaker 1:

Our internet is now going through Finland. So now, if I was to open up a browser, well, I'd get a whole load of language that I don't understand and a whole load of adverts that are all from a different region. So basically a really useful feature. Great for getting around geo-locked applications. So you might want to do some online banking while you're abroad. Well, it's going to look like it's coming straight from the IP address of your house, so absolutely perfect. And also, you might want to watch a streaming service that you pay for at home that you can't watch abroad, but obviously, because you're routing it straight through your home IP, it's going to work absolutely fine. Okay, so that's exit nodes.

Speaker 1:

So now let's have a think about Tailscale SSH. Now, on the server Andromeda in the data center, we can see this isn't running. Now let's go back across here to the main server in the UK and I'm going to open up a terminal window. So obviously I can SSH in the normal way to the Unraid server, just using the standard Tailscale IP, and it's going to ask me to put in the password because I'm going to need credentials. Okay, we got a couple of errors there, nothing to worry about, but we can see now we're logged in via SSH into Andromeda. So let's actually exit this now and log out. Now, yes, we could exchange SSH keys with this server in the normal way that we would, but we're not going to do that, we're going to use the Tailscale SSH server.

Speaker 1:

So let's go back across to Andromeda here and we can see it says the Tailscale SSH server is not running. So I'm going to click on viewing here and I'm going to sign in and I need to open up this pop-up window. It's been blocked by Safari. And now if I click on Tailscale SSH Server, now I'm actually authenticated, I can toggle this here and I can click run Tailscale SSH Server. Okay, so let's go back to the main server in the UK and open up a terminal window again. Now let's run the same command, just SSH, then the username, which for Unraid is root, then the Tailscale IP. So now if I hit enter, we can see here it says Tailscale requires an additional check and it gives us a URL to actually go to where we can sort this out. So I'm going to click onto that link and it says that authorization successful. And now here on Andromeda we can see that SSH is enabled.

Speaker 1:

Okay, so now we can see that we're logged in via SSH into Andromeda. So let's exit that and let's run the same command again and we can see we can SSH directly into the server without having to have any SSH keys exchanged or without having to put a password in. So let's try exactly the same from the Mac. Let's copy this command here and open a terminal window on the Mac here. So this is the MacBook, so I'm going to again just SSH in from here and because the Mac is on my tailnet, I'll be able to get in without a password. It's going to ask me if I want to continue. I'm just going to click yes. But we can see here I'm straight in without a password. Now, if I exit and let's clear the screen, now if we run the command again, we're straight in. So that's a really useful feature, in my opinion, to be able to do SSH between two machines, not having to do any SSH key exchange and doing it passwordless.

Speaker 1:

So why would we want to be able to do this? Well, let's have a little example. Let's have a look on my server here in the UK. I've got this share here called test. If we have a look inside, there's a picture of my old lovely dog there before she passed away. If we go across to Andromeda here, you'll see I've got the same share here. That's currently got nothing inside. So if I go across to the UK server here, I'm going to open a terminal window. Now, you'll probably want to script this.

Speaker 1:

We'll just put this in as a command. What we can do is we can easily actually back up that share using rsync over the Tailscale network, using SSH, without any key exchange or without any passwords. So let's hit enter. Okay, so we can see that file's been sent across. So let's go back across to the server in Finland here and we can see here the picture of lovely Mia has been transferred and backed up over onto my server in Finland. So really useful being able to use rsync over the Tailscale SSH, in my opinion.

Speaker 1:

Now I really want to start talking about Docker integration with Tailscale on Unraid. But there's still a few things about the Tailscale integration on the actual server that I want to talk about first. So let's go back across to the UK server here and let's go to settings and back to the Tailscale icon here. So we can see here along the top we've got various tabs. So the first tab here is settings. Now for most people we don't need to touch anything here. Now it's recommended on the Tailscale outbound networking that we leave use subnets and Tailscale DNS, we leave these settings to no. It only affects outbound network traffic, nothing actually coming into the server. Now a couple of things here. We can actually restart the Tailscale service by clicking this button and if we wanted to erase the configuration, say we wanted to join a different tailnet maybe, we can erase the configuration here and reset everything back to defaults.

Speaker 1:

Okay, so let's have a look at the next tab here. I think this is a very interesting tab, the status tab. Here now we can see there's three things I've got here on this tailnet. So I'm currently on the MacBook Pro making this video and obviously we can see it's a direct connection. Now I have another server here. This is just an Ubuntu server in a data center in the UK. Now I can ping this here and doing that we can see that this is also a direct connection, not going through any relay, straight to that server in that data center and here we can see its IP address. So this is the public IP address of that Ubuntu server.

Speaker 1:

But for my Mac, because it's on the same network as what Imperial Walker is, we see the connection is direct over the LAN. So the IP address of the Mac is 10.10.20.186. So we see that IP here. Now if I ping Andromeda, the server in the Hetzner data center in Finland. So here now we can see that a direct connection couldn't be established and we can see the connection type is a relay. Now I've got the firewall very strict over in the Hetzner data center in Finland, so that's why it's going through a relay, so we can see these two are direct. This is a relay. So instead of seeing an IP address here, we actually see the actual relay that's being used to make this connection. And ams, I think that stands for Amsterdam. So basically my traffic is being relayed through the DERP server in Amsterdam across to Finland for me to connect to this server. So I think this is really useful to be able to have a look and analyze your tailnet, see what's going on.

Speaker 1:

So let's move on to the next tab here, this one called lock. Now, Tailscale lock, what actually is this? Well, to explain that, I'm going to go here onto the Tailscale website. Now, before going into this, I just want to explain. For 99% of us, we don't actually need to worry about this. It does make things much more complicated and for most of us we don't need to worry about it. But just to be complete, I wanted to explain what it is. Okay.

Speaker 1:

So normally when we add a device, as you've seen earlier, all we need to do is log into the actual Tailscale website. For me, using my Gmail account here, dragontailscale at gmail.com, with my really strong password, and also I use two-factor authentication. But what would happen if someone actually was able to access this page? Well, they could actually add a rogue node to my tailnet and with that rogue node, they could then probably access various machines on my tailnet. Now, it's pretty unlikely if you have really good security, you use strong passwords and 2FA. But if you wanted the very best security and maybe you're running a business or something, well, you might want to enable the tailnet lock. So to do that, you go across to settings here and you go to device management. Now, here you'd enable tailnet lock.

Speaker 1:

Now what happens with tailnet lock is we add something called signing nodes. Now, these signing nodes, we add them from the existing devices on our tailnet and then when a new device is added, it has to basically be approved via that signing node that's on our tailnet. So it means that things can't actually be added, even if people can access the actual Tailscale website. So it basically locks everything down for adding new nodes. Now, probably for most of us Unraiders this is kind of overly complex and it does have a downside. If you don't have access basically to the signing nodes, then you can't add new devices, and you get given what's called a disablement secret, which is the only way you can actually turn this off after it's been enabled. So if you lose that secret, you can't turn it off and you can pretty much just lock yourself out of the system. So if you want the best security, add it. If you're a business, add it. But me personally, I don't bother with Tailscale lock. I'm just happy with a strong password and 2FA. But that's what Tailscale lock is.

Speaker 1:

Okay, the next tab, let's go on to info here. Basically info just about this node, which is Imperial Walker here, just tells me a bit of info about it. Help, obviously, just a help page, and log, that's the Tailscale logs for this device. Okay, so I think that's everything to do with Tailscale when it's installed and integrated directly into the Unraid server. So let's move on now to my favorite bit. What I've been waiting to tell you guys about is the Unraid Tailscale integration into individual Docker containers. Okay, so, Tailscale and Docker.

Speaker 1:

Now let's go across to the server in the data center in Finland and we can see here that I've got Jellyfin running here. Now, for those of you who have used Tailscale before on Unraid, you'll know that we can actually access Jellyfin through the web UI when using Tailscale. But if I click on this here and I click web UI, it's not actually going to open. Now, the reason being is because it tries to open it using the local IP address and the port number for that container. So what I could do is I could just put the port number at the end onto the end of the Tailscale IP and that will get us in straight away. And there you can see my Jellyfin server with one of my favorite TV shows, Andromeda. Okay, so, as you can see, whilst we can actually access things through Tailscale running on the server, it's not the actual ideal situation.

Speaker 1:

Now I'm going to show you something super cool. So let's shut down Jellyfin now, and this will work with any container. If I click onto it and I go to edit here. Okay, so now you'll notice in the Docker template that we've got this extra part here. We've got a toggle where we can turn Tailscale on and off. So I'm going to select use Tailscale and set that to on, and first I'm just going to set this up very simply. I'm just going to give it a name. So this is the name that it will be on my tailnet. I'm going to call it Jellyfin. Now, for the moment I'm not going to mention what all of these do. We will come back to that. But one thing I'm going to do is, where it says Tailscale serve, I'm just going to, for the moment, put that as no, and you'll see why in a moment.

Speaker 1:

Okay, so if I scroll down to the bottom of the page now and click apply, we can see it says the command has finished successfully. So now I need to click this button here, view container log. And so now we can see at the top here it says to authenticate, visit this address. So all I need to do is to click onto this link and it will open it up in another page. So now what I'm doing is I'm authenticating the Jellyfin container as a separate device on my tailnet. So with that done, I'm just going to visit the console and here we can see Jellyfin is connected. Okay, great. So let's minimize this page here and we can now close the log and we can click done. So what you can see now is we've got a nice little icon here that says Tailscale, giving us information about this node.

Speaker 1:

Okay, so now if I click on Jellyfin here now we can see we've got two different web UIs. So now if I click on Tailscale web UI, I log straight in. So we're straight into the container through Tailscale without having to amend any ports. And if I click on play on any of my videos, you can see it's working absolutely fine, okay.

Speaker 1:

So one thing here is, if we click on here and go to Tailscale web UI, at the moment we can see here it's accessing Tailscale through its own individual Tailscale IP address for this particular container. Now, obviously, this is different to the Tailscale IP address for my server, but you'll notice here it says it's not secure. That's because it doesn't have an SSL certificate. It's totally private. If we wanted to, we could have a fully qualified domain name with an SSL certificate. So let me show you how to do that. So let's go back to the server and click onto the container here and go to edit, and all we need to do is, where it says Tailscale serve, change that from no onto serve. So you can see here it says we need to enable HTTPS on our tailnet account to be able to use either serve or funnel. So let's go across to our Tailscale web UI now and for that we need to go to DNS and if we scroll down here, just two things we should check. We want to make sure that MagicDNS is enabled and also, obviously, HTTPS certificates. So let's click on enable here.

Speaker 1:

Now there's one thing to notice: when Let's Encrypt certificates are created, they basically go on a public ledger. So all certificates created, they are visible to the public. But to see them, obviously you'd need to know the Tailscale domain, or really any domain for that matter, and you go to a website such as crt.sh and paste in the domain and click search and that will tell you currently if any certificates have been created for this domain. And at the moment none have been created. And normally after you've created a certificate, it will take anything between one and four hours to show on this site.

Speaker 1:

Okay, so let's go back now. So you may be wondering why would anyone actually be worried about a certificate being public record? Well, for me, here my host name is called Jellyfin, so that's all someone's going to know. But imagine if I was a company and maybe I had, I don't know, a private name for a certain computer, like maybe a government computer, and I didn't really want anyone to be able to look up that name. So just remember, whatever name that you choose for your devices on your tailnet, if you create a certificate for them, they are actually public record and if someone knew your tailnet name, they could search this name and then see what devices are registered with certificates. But really not much of a big deal, so just something to keep in mind.

Speaker 1:

Okay, so with that done, let's click on Apply and done. And now we can see here, if I click onto Jellyfin and go to Tailscale Web UI, this time we're accessing Jellyfin, we've got our little padlock here, so we've got SSL and through a fully qualified domain name. So for me, jellyfinfox-garyboldytsnet. Now one thing to remember, now this is only accessible to devices that are connected to my tailnet, so only me at present. So if anyone else online actually typed that in, it's not going to go anywhere.

Speaker 1:

But what I can do if I want to invite friends and family is I can go back across to the Tailscale website here and then I can go to Jellyfin and I can click on to share, and here we just need to pop in the email address of anyone we want to share the particular container or really anything on our tailnet and we just click share and that will be emailed through to her. Now that's one way to share things, but you can actually share your whole tailnet. With the personal version of Tailscale, you can actually have three users on your tailnet, so you could actually give a full username to any friends and family that you wanted to. But just remember, if you do that, they will have access unless you set up some ACLs for everything on your tailnet. So my preferred way is make people sign up for their own Tailscale account and then just share any device that you want them to have access to. So the great thing about having Tailscale directly in the Jellyfin container is when I share this out to other people, this container is the only thing that they can access. They have no access to my server, even though I'm running Tailscale on the server as well. So really cool.

Speaker 1:

Okay, so it's some time later now. So now, if I go back to crt.sh, let's do a search now for my Tailscale subdomain. So I'll pop that in and I'm going to click search. So now here we can see all of the certificates that have been created off my subdomain. We've currently got Andromeda and Jellyfin here. So, like I said, if privacy is really important to you, then either don't use Tailscale serve or make sure your names are very non-descript.

Speaker 1:

Okay, so that's our first container with Tailscale installed. Now you can see, now I've installed a second copy of Jellyfin so we can make some comparisons and that way be able to understand what's happening. Okay, so we can see here that with Tailscale installed, that we've got this extra volume mapping here which we're using for Tailscale. But there's something else as well that's important that we know about, which also happens when we install Tailscale into a Docker container. It saves what's called the Tailscale states file, which is basically like its configuration, by default normally into forward slash config, which is in the app data. So let me just bring up a screenshot of when we installed Jellyfin earlier and we can see here it says settings Tailscale state directory is in forward slash config dot tailscale underscore state. So let's close this and have a look in the app data folder for Jellyfin, so there we can see what it's created and here's basically the config for our Tailscale for this particular container.

Speaker 1:

Now, for most containers this works absolutely fine. But let's just go across onto my main server here and we can see all of these Docker containers. So we can see most of them have got the forward slash conf directory, it's pretty standard in most containers. But if we go down here and we look at, say, Steam Headless here, well, this doesn't have a forward slash conf directory and, yep, Steam Headless, I have got this going through Tailscale and I'll show you that a bit later on. It's really, really awesome. Now, although Steam Headless doesn't have a forward slash conf directory, okay, so you might be wondering, if this container, it doesn't have a forward slash conf directory, then where's it going to save its actual Tailscale states? Where's it going to save the Tailscale configuration? Well, various containers that are known to have slightly different environments, well, the team, they've actually built in. So when we install these containers it puts it in a different place.

Speaker 1:

Now for Steam Headless, this has been done and let me bring up a screenshot of when I was installing this. So we can see here that for this container the Tailscale states directory were put into forward slash home default dot tailscale underscore state. So this directory again is in the app data, so we don't have to do anything at all. Now, looking down here, at another container here, this PiHole container, you can see this is also running through Tailscale as well and this one also doesn't have a forward slash conf. And this container, it hasn't been auto-configured to put the states directory inside of the app data. So what I think we're going to do is I'm going to show you exactly how to set up this PiHole container and I tell you, setting up PiHole in Tailscale is really, really cool. Let's go back across to the server over in Finland and set it up there. Okay. So let's get rid of this Jellyfin2 here. Okay then. So let's set up a PiHole container on our Unraid server and have Tailscale integrated into that container.

Speaker 1:

Now, for those of you who don't know what PiHole is, basically, it blocks ads on your network. And you might think, well, why do we need to install Tailscale into it? Well, I'm going to show you a way how we can install Tailscale into this container and then anything on your tailnet, if you want it to, it can actually block ads. So it's going to make PiHole be able to work from anywhere in the world. So you take your laptop on holiday. You don't want ads? Well, you're not going to have them. Now you might be wondering, well, what happens if the PiHole container actually stops? Will you still get internet? Yes, you will. I'm going to show you some special DNS settings we can use in Tailscale and we can make sure that PiHole will work seamlessly, okay?

Speaker 1:

So first let's install the container. So let's do a search for PiHole and we're going to install the official one here, binhex's official PiHole. So let's click on to install. And also, obviously, another reason I'm showing you how to set up this container is because I want to show you, when a container doesn't have a forward slash conf, how we can actually put the states directory where we want it to be. So always with a container, I think, at least for the moment when we're installing Tailscale into the container.

Speaker 1:

Let's have a look down here, look at all the paths and see if you've got a forward slash config on the container side. Now, just to double check, you can just click on to edit and the container path. You should have a container path forward slash conf. Now, if you do, then everything's good and you don't need to do any type of special configuration for your container. Now you can see here I don't have that. But what I can see here is I've got two separate locations that are going into the app data. So what I'm going to do here is I'm going to use this location and choose this location here, this location inside of the container path. I'm going to copy it to my clipboard because I can see that's mapped into the app data for this container. So I'm going to click cancel here.

Speaker 1:

Now let's scroll up and enable Tailscale. So obviously I'm going to call this PiHole and I don't want it to be an exit node. I don't want it to use an exit node and I'm going to keep Tailscale serve enabled. And here now the important bit, I'm going to click on here show advanced settings. Now there's various advanced settings here. Now, like I said, mostly we don't need to use these, but what I'm looking for here is the Tailscale state directory at the bottom here. So what I'm going to do is I'm going to paste in that location that I know is mapped across into my app data and then forward slash dot tailscale underscore state. So, with that done, let's scroll down to the bottom and pull down the container.

Speaker 1:

Okay, so, as always, let's click on to view log and we can see that Tailscale is initiating and it's being downloaded and here we can see the Tailscale state directory has been set to what we just made it. Okay. So let's authenticate this container with Tailscale and connect PiHole into our tailnet. Okay, so that's done and we can see PiHole here. Okay, so let's close this and close these two. And here we can see that PiHole's running. So let's click onto it and go to Tailscale web UI here, and here we are at the login page and we can see the address here is piholefox-garryboldytsnet. So I can access this page from anywhere in the world, so long as I'm connected to my tailnet. Now I don't actually know what the password is. So let's click on the plus here and we need to copy this command and this will allow us to reset the password. So let's go back to the Docker tab here, click onto the container and go to console. So let's just paste that command in and type in a password. Okay, so the password's set, so we can close this and go back to PiHole here and we can now log in. Okay, so this brings us on to the PiHole dashboard.

Speaker 1:

Now a couple of things I'm going to do before actually using this. I'm going to go down here to where it says add lists, and by default we've got the Steven Black ad list here, which is a pretty good list, but we can actually add more lists into here. So what I'm going to do is, up here where it says address, I'm going to paste another list in here. Now, these will be in the show notes. So in a comment I'm going to put AdGuard. Now a good website if you want to read about block lists is Ethan Wren's site here. Again, this will be linked in the description. Have a read through here. And also another good block list here.

Speaker 1:

This block list has 2.7 million domains in and blocks mainly ads and telemetry, and so it's basically the info from a few lists all merged together. So I'm going to copy this one and add this as well. Okay, so I've got three lists in here now. Okay. So with these extra ad lists added, if I go to the dashboard here, we can see that the domains on the ad list are remaining the same. And if I go to ad lists here and I click on here, we can see that it says the list has not been downloaded. So to actually download the list, we need to go to tools here and we need to go on this button here update gravity and then click on to update. So what this will do now is download all of the lists and update everything. Okay, so we can see it was successful. And now, going back to dashboard, we can see we've got over 2 million different domains on our block list.

Speaker 1:

Great, now I'm not going to go into great detail about setting up PiHole, but this will definitely be enough to get you started. Now, if we go to settings here, we can see here we've got DNS, DHCP. Now I'd recommend not to run this as your DHCP server, especially if you're going to be using this over Tailscale, but under DNS here, here we can choose what PiHole uses for its upstream DNS. At the moment it's set for Google. I'm going to uncheck that and I'm going to use OpenDNS, Quad9 and Cloudflare. So those are my preferred DNSs here. Now some of you might want to check use DNSSEC here, but personally I don't bother.

Speaker 1:

Okay, so let's scroll down to the bottom and click on save. Right, so PiHole is now all running and we can see here, if I ever wanted to come into PiHole, say a family member at home, they can't access a website, wherever I am in the world, I can go to piholefox-garyboldytsnet. Well, that's quite a mouthful, but I can go here and I could log in and either temporarily disable the blocking, whatever I need. It'll be really easy for me to fix.

Speaker 1:

Okay, so how do we actually use this for our DNS? So now, before we look at integrating this into our system, I'm going to just go over to this website here. Now, I'm sure you've all heard of this website before, speedtest.net. Now I'm using Safari here to open this, because the browser I was just in actually has built-in ad blocking anyway. But we can see here there's a whole bunch of adverts.

Speaker 1:

So let's minimize this window here and go on to our tailnet, and here we can see the PiHole container, and what I'm going to do here is I'm going to copy its IPv4 address and now let's go across here to DNS. Now if I scroll down we can add global name servers. So I'm going to add a name server and the primary one I want is going to be the IPv4 address of the PiHole container. So I'm going to click on to save. So now the global name server for my tailnet is the PiHole container and if I toggle this button here, override local DNS, what this will do is it will make sure that devices connected to the tailnet won't use their own DNS, but will use the Tailscale DNS instead. So what's going to happen is MagicDNS, this quad 100 here, this will resolve all of my tailnet stuff and then anything it can't find, it will then be sent to this upstream global name server here, which is my PiHole container, and so then PiHole will use these upstream DNS servers to resolve the queries but also block any ads based off my ad list. And also what PiHole does is it does actually cache DNS. So it does resolve things pretty fast.

Speaker 1:

Now let's go back across to the Tailscale web UI here. Now there's one problem with how I've got these things set up. So how this is set up is if my Pi-Hole container goes down, then I will lose internet access. So let's just have a look at that before we go any further forward. Now what I normally do here is I actually disable the MagicDNS and then straight away afterwards just re-enable it. Now I find this kind of resets the DNS. It might just be me, I don't know, but there's no harm in doing it. And also, if we go up to my Tailscale icon up here, and I'll zoom in so you can actually see that, also I recommend we just disconnect from the tailnet and then reconnect again. And if I go down to settings here, we can see here that use Tailscale DNS settings, this is enabled. And if I click manage here, here we can see the resolvers that my computer is going to be using.

Speaker 1:

So there is the PiHole container. Its IPv4 address is there. So I'm going to click onto done and close this, and let's zoom back out. Now I'm just going to open a terminal window and I'm going to just flush the DNS on my Mac and now I'm going to reopen the speedtest.net website. So here we can see it with all of the adverts. So now if I refresh this, theoretically, if all goes well, all of these ads should just disappear. So let's give that a go. Okay, perfect, no ads here at all.

Speaker 1:

Now one thing we need to actually think about is, let's minimize this and go across to Andromeda here. If I stop the actual PiHole container now and now let's just go back to Safari, and now, if I try and go somewhere else, we can see nothing here is working. So let's bring back up our terminal window here and let's just try a simple ping google.com. So, as we can see, it can't resolve it at all because PiHole's down. So this could be a bit of a problem. So what we can do is we can actually go back to the DNS settings in Tailscale and we can add another name server. So I'm going to add Quad9 here and it says it's also adding three more. So now I've added an extra DNS server. If I go back across to our Safari page here, here we are. We can see everything's resolving. If I go back now, we can see because PiHole's down, well, all of our ads are back. Now, so this might seem the perfect solution and I'd say it is 99% the perfect solution.

Speaker 1:

But there are a couple of things we need to keep in mind. Now, if I go across to the Tailscale documentation here, it just gives us some nuance about the order of DNS resolvers. It's not always going to just choose like a top-down list, and start with the one at the top and then, if that doesn't work, go back down to the one underneath, although, like a lot of times, it may well do that. But if the primary Pi-hole container is always really slow giving back its responses, it can just use the secondary one, even though Pi-hole is actually up and running. So that is something to keep in mind. So if you wanted to be a hundred percent sure that it will always use the Pi-hole container, then you're going to have to just put just Pi-hole on its own with nothing else. But I guess there's something else you could do if you've got multiple Unraid servers or an Unraid server in another location. Well, you can have your secondary global name server as the second Pi-hole container. You know, that's something you could do if you wanted to, but I think this works pretty well.

Speaker 1:

If I start back up the Pi-hole container now. And now, with the container back up and running, if we go back across to Safari, if I refresh the page, then probably these ads are still going to be here. So let's try that now. Yep, we can see the ads are still here. So let's go back across to our Tailscale here and I'm going to disconnect from Tailscale, I'm going to open up my terminal window here and I'm going to flush all the DNS. Okay, so let's reconnect back onto Tailscale and whilst we're here, let's go to settings and have a look here at our DNS. So we can see here the Pi-hole's at the top, and then there's Quad9 here and then there's three other DNS servers that got added in automatically by Tailscale. So now we've done that, let's close this and refresh this page. Okay, so we've still got a bit of an issue here. So let's minimize this, go back to the Tailscale website, and here I'm going to disable MagicDNS and then enable it again, okay.

Speaker 1:

So, like I said, I think this sometimes kind of resets the DNS, so hopefully it will consider this one a viable DNS to use again, because it was down a moment ago. It probably thinks that this one's faster and may just be querying this on its own, so let's try again. So there we are. No ads at all. Ad blocking's working, but that's one thing to keep in mind: if you're using a fallback server, well, sometimes you might find you'll get ads. If the Pi-hole container is too slow, it will just use Quad9. But anyway, I think that's a really cool use of Tailscale inside of a Docker container. Being able to block ads worldwide, wherever we are on our tailnet, is pretty cool.

Speaker 1:

But we do need to consider, is our Pi-hole going to always be up and running? If it is and we're 100% sure, we can omit putting in a secondary name server here. But I think just for safety, just so you don't get a load of hassle from family members if it goes down, I'd recommend just putting in a secondary DNS as well. But also remember, if you don't put in a secondary DNS and you just rely on Pi-hole, and Pi-hole does go down, well, you can just go across and you can go onto your Tailscale application here and go to settings and you can just untick "Use Tailscale DNS settings". So of course, with Tailscale DNS disabled, the internet's going to work fine. But one thing we'll have problems with is actually connecting onto our tailnet domain names. That doesn't mean we couldn't still just take the IP address and paste that in along with its port number and be able to access our Tailscale containers that way. So not the end of the world if you wanted to not have a secondary DNS on your tailnet if you're using Pi-hole. But there's just a few different options for you to think about.

Speaker 1:

Anyway, I think let's move on from this now and let's go on and have a quick look at a couple of other containers that I think are quite fun to install Tailscale into. Okay, so now you can see these two containers here, and it's the same container twice, but they are slightly different. Now I'm not sure if you guys may have seen my recent video. I'm not sure if that video is going to be released before this Uncast episode, but I have a video where we install this Windows in Docker container. Now it's really awesome. What this allows us to do is basically install a fully functioning Windows install inside of Docker. Now what it does is it does actually use KVM, but it Dockerizes it and you can actually access it through a web UI, or you can use something like RDP or even something like Splashtop. So let me just show you something here, just while we're here, and you'll notice all of the different versions of Windows that can be installed. Now you still do need to have a Windows license, so all of this is perfectly legal, in case you're wondering. But again, for full details of setting this up, then please see my video about this container. So let's install Tailscale into this now. So I'm going to call this Windows 11. Well, actually Windows 11 container. I think I don't want it to be an exit node and I don't need it to use an exit node, and we're going to keep Tailscale Serve enabled. Then we can access this basically through windows11containerfox-garyboldytsnet.

Speaker 1:

Now, before we go ahead and actually install this container, this container is very similar to Pi-hole in the fact that it doesn't have a forward slash conf directory. So what I'm going to do is I'm going to use this directory here, as this is in the app data, for the Tailscale states directory. So let's go back into the container, toggle our advanced settings for Tailscale and the state directory. I'm going to paste that in here. Okay, so let's scroll down to the bottom of the page. Okay, so let's install Tailscale into this container. Okay. So again we need to click on view container log and here we can see the authentication link here. So obviously, let's authenticate this container. Okay, so now that's connected, we can see it here. So now I'm going to close the log and click onto done, and also I'm going to put Tailscale into this second one here. Great, so let's click view log and authenticate this container, and here we can see both of our new containers. So let's have a look.

Speaker 1:

Okay, so let's start with the first one. So now, if I click Tailscale web UI, there we are, I'm straight in, and so this is basically a fully working Windows instance that I can basically just access over my tailnet, straight over the internet, and we can see here at the top, the name is windows11-containerfoxgaryboldytsnet and I could give access to anyone on my tailnet to this particular VM in a Docker container. So really, really cool, I think. Now let's have a look at the other one here. Again, let's go to Tailscale web UI and here we are with good old Windows XP running in a Docker container using KVM. So pretty cool, I think, and it's totally secure. So you might be thinking, well, we could have actually set up a VM here and then, because we've got Tailscale actually on the server itself, we'd be able to open up the VNC window over Tailscale. Well, that's correct, we can do that, but remember, it's opening up using the IP address here, which is the Tailscale IP, which is the same IP as that of this server. The person with whom I shared this would actually have access to the whole of this server. So that's one of the real advantages with being able to install Tailscale in individual containers: it keeps it all separate, compartmentalized and very secure if we want to share things out, as well as making it super easy for us to be able to access any of these things.

Speaker 1:

Okay, so before we move on and have a look at the travel router, I think let's just have a look at one more container with Tailscale running in it and, again, let's do a fun container for all you people that like gaming out there. Let's go across to one of my servers here where I'm running the Steam Headless container. Now, for those of you who don't know how to install this container, well, there will be a video very shortly on my channel showing you how to do this, but basically what it is: if I go here and click web UI and then connect, we can see here we're logged into a headless Steam where, using this, I can stream my games to another client somewhere on my local network. So what we can actually do is we can install Tailscale into this container and then we can stream games when we're not at home. So long as we've got a good internet connection and a direct connection with our Tailscale, well, we can do gaming over the Tailscale network.

Speaker 1:

So let's close this and shut down the container and let's install Tailscale into Steam Headless. So, as always, we just need to toggle "Use Tailscale" to on, and I'm going to name this Serenity Steam. Now I'm calling it Serenity, as that's the name of this server. Now, everything else we can leave as is, but in fact, we will be coming back here momentarily and we'll be enabling this as a Tailscale exit node. Now, you'll see why later on. I just want to show you why we need to do that, and so I'm going to show you it.

Speaker 1:

Not with that. In order to do that. Now, even though this container doesn't have a forward slash conf, with this container we don't need to specify where the Tailscale states directory is. This one is known to the Tailscale Docker integration and it will put its states directory into the container's app data here. Okay, so let's get that done and click view container log. So I'm going to authenticate this into my tailnet, and here we can see the Steam container in my tailnet. What I'm going to do is I'm now going to connect an NVIDIA Shield to this network, so let's do that now. Okay, so here we are on the NVIDIA Shield. So I'm going to go across to the Google Play Store here and I'm going to install the Tailscale app. Okay, so let's open that up and click on Get Started. Okay, so we're being asked if we want to set up a VPN connection and yes, of course we do so.

Speaker 1:

When installing Tailscale on Android TV devices such as the NVIDIA Shield, we don't actually log into the Tailscale website like we normally do. We just scan a QR code with our cell phone and then log in from the cell phone, and what that will do on your cell phone is bring you into a login page like this, and we just sign in and then connect the device to our tailnet. Okay, so here we can see the NVIDIA Shield TV has joined the tailnet, and we can see the same here on the NVIDIA Shield. Okay, so next we're going to install Steam Link here. Okay, so let's open up Steam Link. Okay, so now let's click on Get Started.

Speaker 1:

Now we can see here that it says it can't find any computers. Now, this is normal, because it's not detecting anything on our local network, and that's because we didn't install Tailscale allowing it to be an exit node. Now you may think, well, yes, we can actually add a PC this way. So, yes, we could click on other computer here and add the PC that way. It will then give us a number to put in our actual Steam. But the problem is it tends to use, I think it uses basically Steam's own remote gaming session where it tries to actually connect our two computers together, and I found that a lot of times that doesn't work very well for me and that's why I prefer Tailscale. Now we could continue here, open up our Tailscale web UI into the Steam container and then follow the instructions here to enter that number into Steam. But, like I said, that's Steam's own remote gaming service and if it doesn't detect the Tailscale network, it's not going to use that to make the connection.

Speaker 1:

So anyway, let's go back now and redo it, but let's add to the container the Tailscale exit node. So what we want to do is make sure that the Steam Link software sees Steam Headless as a local device on the local network. And to do that is really easy. All we need to do is click edit here and if we go down to the Tailscale features, we want to tell this, we want this to be an exit node. But as you can see here, we're not able to allow this to be an exit node because userspace networking is enabled. Now, userspace networking is always enabled when we have the network type set as host.

Speaker 1:

So the difficulty is the Steam Headless container doesn't work in a bridge mode, but what we can do is we can give it a custom IP. So I'm going to run it on this network here, bond zero, and I'm going to give it an IP. Let's give it 10.10.20. and something that I'm probably not using, I don't know, 233. Oops, 233. I'm sure there's nothing on my network using that. So now, when I scroll down to here, I can now allow this to be a Tailscale exit node. So with that done, if we scroll down to the bottom and click on to apply and I'm going to click view container log again here and we can see that Tailscale is being injected again, and if we see here it says the exit node has not yet been approved, and so that's because we need to go back into the Tailscale web UI here and under the Steam container, if we go to the right and click the three dots here, we need to just click Edit route settings and then allow this to be an exit node. So I'm going to click on to Save here.

Speaker 1:

So now let's go back across to the NVIDIA Shield. Now what I'm going to do is I'm going to uninstall Steam Link and just start again from the beginning. So let's reinstall it. And before we do anything, let's just double check that I am still connected to the cell phone and, yep, Galactica 2, I'm still connected. So next I'm going to go back to Tailscale now and then, under exit node, I'm going to choose, I want to use Serenity Steam.

Speaker 1:

So now, hopefully, when we go back and we run the Steam Link software, we can notice this time it can see the Steam Headless container here. So it sees it as if it's running locally. So I'm going to click on the Steam Headless here and it wants us to enter this code. So I'm going to open the Tailscale web UI here. I'm using the Tailscale web UI just because if we were doing this away from home, then we'd still be able to actually access the container. So three, two, double nine. Okay, so I can now exit this here and the network test is complete. So now I can grab my controller and click on to start playing. And so let's play Black Mesa is what I'm thinking. Okay. So I think that's pretty cool. It's one way to do gaming when we're away from home. Now, obviously, you don't need to use Steam Link. You can just have Steam installed on another laptop and stream directly to that.

Speaker 1:

Now, talking about being away from home, I think it's time that we have a look at a travel router. So let's unbox this. I'm going to go over to the other desk here and let's get that done. So let's open and set up this Beryl AX3000 Wi-Fi router from GL.iNet. Okay, so the first thing to do is open up the box and get everything out of the box. Let's put it all onto the desk here. Okay.

Speaker 1:

So, as we can see here, the router, depending on how you say it, is pretty small. Obviously it needs to be, because it's going to go in our suitcase or our bag when we're out and about. You can see the aerials there. They're pretty nice. They just fold down and fold up, and if we take a look at the power brick here, we can see that's USB-C. So that's nice. And also there's different power heads for it. So wherever you go in the world, you should be able to plug it into a power socket, so I can power it up over here where I live in the UK. Obviously, I'm going to be putting on the UK power head and it's really simple. You're just going to twist it around and it goes on nice and easy. And again, it's USB-C, so the power just plugs into the back of the router. Here you can also see there's two LAN ports, or one is a WAN and one is the LAN. I believe it's programmable. Of course, you get a LAN cable and the instruction booklets here.

Speaker 1:

Now, there's not really that much about setting it up in detail, it's just very basic. But because you're watching this video, you're not even going to need to read that. Okay, so I've just pulled up to a diner here where there's going to be public Wi-Fi and we can set up the travel router. Now I thought it's good to set up the travel router here because I want to show how easy it is to set it up from defaults when you're away from home. All we need to do is connect it to some internet and we can set it up and add it to the tailnet from anywhere we are in the world. So if you happen to buy this when you're not home, you can set it up and then use it to connect back to your tailnet. Now, so I don't have to plug it into a power socket whilst I'm here, I've brought a power bank battery, so because it's USB-C, I can easily use this and plug it in.

Speaker 1:

Anyway, I'm going to go and get myself a coffee and I'll see you inside. Okay, so I'm in the coffee shop at the moment, but it's a bit loud in here. Too much music. It will get me a copyright strike. So I'm actually going to go and sit outside and continue setting up the Wi-Fi router there. So it's a bit chilly outside, but still, I'm going to make the video out here so we can see here.

Speaker 1:

Here is the public Wi-Fi, which is Molly's Wi-Fi, and we can see. Now we can see the GL-MT3000, which is the Beryl Wi-Fi router. So I'm going to connect onto that now. Now, obviously, the Wi-Fi password is on the back of the router, so we just need to pop in the IP address, which is 192.168.1.8. And then we're brought up into a setup wizard. So obviously we choose our language, and so now we just need to make an admin password that will allow us to access the Wi-Fi router.

Speaker 1:

Okay, so once we're in here, we're on this setting here, Internet. So there's three different ways we can set this up: as a repeater, tethering or with cellular data. Now I don't have a modem plugged in and I don't want to tether it to my phone, so I'm going to use here the Wi-Fi router as a repeater and connect onto the public Wi-Fi. So let's click on to, and so here we can see the public Wi-Fi that I'm going to connect the router onto now. So here we've got different MAC address modes where we can have a random MAC address. We can click on clone here, which will clone the MAC address of various devices, such as my MacBook Pro, or I could even just put in a random MAC address here. Factory, this is the MAC address of the actual router itself. I'm going to leave it on random here.

Speaker 1:

Now, one thing to remember is we're always going to go through this join network if we move the travel router somewhere else. So with that done, I'm going to click on to apply, and so now here we can see the IP address that the router from the public Wi-Fi has given this and the gateway and the DNS that's being used. So I'm going to see if we can actually connect to something on the internet, and we do have internet because I'm still connected to the router here, okay. So here I am connected to my YouTube channel, so everything's working fine, okay. So now we know we've got internet, the first thing to do is go down to here where it says system and we need to set our time zone. So for me that's the UK, and so next what we want to do is check we're on the latest firmware. So if we go to upgrade here, we can see, for me, the firmware is all up to date.

Speaker 1:

Now you might think, to use Tailscale, we go to VPN here, but we've only got the OpenVPN client and the WireGuard client available here. So what we need to do is we go to applications here and we can see at the bottom here we've got a Tailscale application. So I'm going to click onto that and enable Tailscale. Okay, so Tailscale is all enabled now, and so now we need to link this device onto the tailnet. So to do that we need to click the device bind link here, and so here's the link. I'm going to click onto that and connect the router onto my tailnet, and we can see here the router's added on and here's our IP. Now I'm currently actually connected to my tailnet here, so I'm going to turn Tailscale off on my actual laptop and so with Tailscale off, let's test if I can connect to Andromeda. So I'm going to copy its IP here, open a new tab and paste in the IP of Andromeda. Now we're not actually going to be able to connect, but this is actually expected.

Speaker 1:

Now, before we do anything else, what I'm going to do is I'm going to type "what is my IP" and we can see here the IP address of the public Wi-Fi that I'm connected to here in Bristol, England. So what I'm going to do now is I want to actually connect this router here to an exit node. So I'm going to toggle exit node on here and if I press here, this will look at the exit nodes that I have on my network, and this one here ending in 119 is the data center in Finland. So I'm going to use that one here. So with that done, I'm going to click on to apply. We can see we get this warning saying we need to actually add this subnet here to subnet routing before we actually do this. So I'm going to click cancel here and turn this off for a moment and then, on the bottom here, allow remote access LAN. I'm going to toggle this onto yes and click apply. And so now, if I go back to my tailnet, here we can see that the subnets here are exposed, but we just need to click on these three dots here, go to edit route settings and then just click on here and click save. So, with that done, now we can go back here and we can toggle here the custom exit node, click onto the dropdown and here I'm going to choose my exit node in Finland. So what an exit node will do is it will route all of the traffic from our travel router through whichever exit node that we choose. So if the exit node's running on your home internet, it will exit all of the traffic out of your IP address at home. So wherever you are in the world, it will look like you're actually at home. So I'm going to click on to apply here and it's just warning us that we must enable subnet routing, which we've already done. So let's click on to apply.

Speaker 1:

Now one thing you'll notice is this actually isn't enough to give us internet. If I go across here now and I try and go back to my YouTube channel, we can see that this isn't going to happen. So what we need to do is we go across back to the admin panel, click onto system and go to advanced settings. Now here we need to log into OpenWrt. So this is the underlying system that runs the travel router. So we just click log in here and the password is exactly the same as what we set up earlier for the main admin page when we went through the wizard. Okay, so, once here, we just click onto network and then go to firewall and here we can see three zones. We want to select WAN, and on the right hand side here click onto edit. Then we just go across to advanced settings here and under covered devices, if we select the drop down here, we'll see here Ethernet adapter, tailscale0. So we want to select that, click save and then at the bottom here, save and apply. Okay, so that's done so.

Speaker 1:

Now, if I go back across here and let's check our external IP address, okay, so cool. You can see here we're now connected through Finland's internet. Now, back on the Tailscale admin console, I'm going to copy the IP address of Andromeda and paste it in, and even though my MacBook is not itself directly connected to the tailnet, because it's connected to the travel router, or everything connected to the travel router can access things on the tailnet. Okay, so that's how to set up the travel router, and we did it all from a coffee shop. So now I'm going to take this home, plug it in there and you'll see it works exactly the same. Okay, so I'm back at home and I've connected to the travel router's Wi-Fi. So now I'm just going to log in. And so now I'm going to connect onto my home internet here and we can see I'm connected. So now I don't actually need to do anything with Tailscale. I should be connected straight away. We can see here. It says it's connecting and now we're connected. Now again, I'm not actually connected to my tailnet on the Mac. I'm only connected to the tailnet through the travel router. So let's see if we can connect to Andromeda using the Tailscale IP, and here we are straight in. And now again, let's go to whatismyipaddress.com. And still, our internet is being routed out of my Unraid server in the data center in Finland.

Speaker 1:

Okay, guys, so that brings us to the end of this really long Uncast episode. Now for those of you who managed to actually watch it right from the beginning right to the end, well, congratulations, that was certainly long, and thanks for sticking with me. And for those of you who are watching this in pieces, then please check out all of the other segments of this Uncast Show, as we talk about a whole load of things that are pretty interesting and really fun. Anyway, guys, please all subscribe to the Uncast Show. Let's try and get a few more people and get the subscriptions up. And please, if you like this video, please give it a thumbs up and check back for more great interviews and other content on the Uncast Show. Thanks a lot, guys, and see you again soon.
