TBD
Headscale is an open source, self-hosted implementation of the Tailscale control (coordination) server; the Tailscale clients stay unchanged and are simply pointed at it with --login-server.
Install it on your server: https://headscale.net/running-headscale-linux/
Put nginx in front of it as a reverse proxy to terminate TLS (HTTPS); headscale itself listens on plain HTTP (port 8080 by default). Example nginx config:
# Tailscale clients hold long-lived WebSocket connections to the control server;
# this map turns a client's "Upgrade: websocket" into the matching Connection header.
map $http_upgrade $connection_upgrade {
    default      keep-alive;
    'websocket'  upgrade;
    ''           close;
}

# Plain HTTP only redirects to HTTPS; nothing is proxied unencrypted.
server {
    listen 80;
    listen [::]:80;
    server_name <YOUR DOMAIN>;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <YOUR DOMAIN>;

    ssl_certificate     /etc/letsencrypt/live/<YOUR DOMAIN>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<YOUR DOMAIN>/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # headscale speaks plain HTTP on its listen_addr (default port 8080), so the
        # upstream is http://, not https://. If headscale runs on another host, keep
        # this hop on a trusted network (or loopback), because it is unencrypted.
        proxy_pass http://<HEADSCALE SERVER IP>:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        # Responses are streamed; buffering breaks the long-poll/WebSocket control channel.
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Use nginx's own scheme, not the client-supplied $http_x_forwarded_proto,
        # which any client could set to whatever it likes.
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}
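As an added check that is not part of this page or of headscale's own documentation: a small POSIX sh lint that flags the pitfalls a headscale nginx vhost tends to have (upstream proxied over https://, spoofable X-Forwarded-Proto, missing WebSocket upgrade or HTTP/1.1, buffering left on, legacy TLS versions, no HSTS). It only greps the file you pass it; the function name is this example's own.

```shell
# Added example: lint an nginx vhost that fronts headscale. Prints one line per
# finding and returns 1 if anything was found, 0 if the file looks sane.
headscale_proxy_lint() {
    f="$1"
    rc=0
    # headscale listens on plain HTTP; proxy_pass https:// fails the TLS handshake.
    if grep -Eq 'proxy_pass[[:space:]]+https://' "$f"; then
        echo "proxy_pass uses https:// but headscale listens on plain HTTP"; rc=1
    fi
    # Copying the client's own header lets any client claim it arrived over TLS.
    if grep -Eq 'X-Forwarded-Proto[[:space:]]+[$]http_x_forwarded_proto' "$f"; then
        echo "X-Forwarded-Proto copies the client-supplied header; use \$scheme"; rc=1
    fi
    # Long-lived control connections need the WebSocket upgrade passed through on HTTP/1.1.
    if ! grep -Eq 'proxy_set_header[[:space:]]+Upgrade' "$f" ||
       ! grep -Eq 'proxy_http_version[[:space:]]+1\.1' "$f"; then
        echo "missing Upgrade header and/or proxy_http_version 1.1 for WebSockets"; rc=1
    fi
    # Streamed responses must not be buffered.
    if ! grep -Eq 'proxy_buffering[[:space:]]+off' "$f"; then
        echo "proxy_buffering is not off"; rc=1
    fi
    # SSLv3, TLSv1 and TLSv1.1 have no business on a control plane.
    if grep -Eq 'ssl_protocols.*(SSLv3|TLSv1([[:space:];]|$)|TLSv1\.1)' "$f"; then
        echo "ssl_protocols allows a legacy TLS version"; rc=1
    fi
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "no Strict-Transport-Security header"; rc=1
    fi
    return $rc
}
```

Run it as `headscale_proxy_lint /etc/nginx/sites-enabled/headscale.conf` after editing the vhost and before `nginx -t`; it is a cheap regression check, not a substitute for reading the config.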
Client side: install Tailscale: https://tailscale.com/download/linux
Then point the client at your headscale instance instead of Tailscale's hosted control plane:
tailscale up --login-server https://<YOUR DOMAIN>
This prints a registration URL; opening it in a browser shows the command to run on the headscale server to admit the node, of the form headscale nodes register --user <USER> --key <KEY> (older headscale versions used --namespace instead of --user).
Make sure the daemon starts at boot:
systemctl enable --now tailscaled.service
Mission complete :)
Inside an LXC container, the container's config (the VS config) must grant it a TUN device, otherwise tailscaled cannot create its interface:
# Create minimal /dev inside the container
lxc.autodev = 1
# (cgroup v2) Allow access to /dev/null (major:minor 1:3)
lxc.cgroup2.devices.allow = c 1:3 rwm
# TUN for Tailscale (major:minor 10:200)
lxc.cgroup2.devices.allow = c 10:200 rwm
# /dev/net and /dev/net/tun mounts
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
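Added example, not from the page or from LXC/Tailscale: two sh checks for the TUN setup above. The first confirms the container config carries the cgroup2 allow rule and the bind mount; the second, run inside the container, confirms /dev/net/tun really is the 10:200 character device (GNU stat prints major/minor in hex, so 10:200 appears as a:c8). Function names are this example's own; the config check only looks for the two lines the page lists.

```shell
# Added example: does the LXC config grant the TUN device (allow rule + bind mount)?
lxc_conf_allows_tun() {
    conf="$1"
    grep -Eq '^lxc\.cgroup2\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm' "$conf" &&
    grep -Eq '^lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+bind' "$conf"
}

# Is PATH (default /dev/net/tun) a character device with major 10, minor 200?
# A regular file or a char device with other numbers means the mount entry or the
# devices.allow line is missing, and tailscaled will fail to create its interface.
tun_device_ok() {
    dev="${1:-/dev/net/tun}"
    [ -c "$dev" ] || { echo "$dev: not a character device (missing mount entry?)"; return 1; }
    mm=$(stat -c '%t:%T' "$dev") || return 1
    [ "$mm" = "a:c8" ] || { echo "$dev: is $mm, expected a:c8 (10:200)"; return 1; }
}
```

Typical use: `lxc_conf_allows_tun /etc/pve/lxc/<CTID>.conf` on the host, then `tun_device_ok` inside the container after a restart.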
apt install tinc net-tools
Generate keys (8192-bit RSA; this also appends the public key to hosts/<hostname>, where <hostname> is the Name from tinc.conf):
tincd -n <netname> -K8192
Set up /etc/tinc/<netname>/tinc.conf (Name, Interface, ConnectTo), tinc-up (bring the interface up and assign its VPN address) and tinc-down (tear it down again).
Configure the hosts/<hostname> file like:
Address = <myip>
Port = 55555
Subnet = 10.5.0.xxx
Copy the generated hosts/<hostname> file (address, port, subnet and public key) to *all* other servers, and fetch their host files into your own hosts/ directory; every node needs every peer's host file.
Start tinc:
tincd -n <netname>
For debugging, do not detach (stay in the foreground; add -d3 for verbose logging):
tincd -n <netname> -D
Enable at boot via systemd (the instance name is the netname):
systemctl enable --now tinc@<netname>
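The tinc steps above, as one added sh example that is not from the page or the tinc project: it lays down one node's /etc/tinc/<netname>/ tree (tinc.conf, hosts/<name>, tinc-up, tinc-down) and, in a separate function, runs the key generation. The function names, the Interface name, the ROOT parameter (for testing outside /etc/tinc) and the 10.5.0.0/24 prefix used in tinc-up are this example's assumptions; port 55555 and the Subnet form come from the page.

```shell
# Added example: write one tinc node's config tree.
# Usage: tinc_bootstrap NETNAME NODENAME PUBLIC_ADDR VPN_IP [ROOT]   (ROOT defaults to /etc/tinc)
tinc_bootstrap() {
    netname="$1"; node="$2"; addr="$3"; vpnip="$4"; root="${5:-/etc/tinc}"
    dir="$root/$netname"
    mkdir -p "$dir/hosts" || return 1

    # tinc.conf: our Name (must match our hosts/ file name), the interface tinc creates,
    # and the peers we dial. ConnectTo is left commented; fill in a peer's Name.
    cat > "$dir/tinc.conf" <<EOF
Name = $node
Interface = tun_$netname
Mode = router
#ConnectTo = <peer Name>
EOF

    # hosts/<node>: how peers reach us and which VPN address we announce.
    # A Subnet without a mask means a single host; /32 is written explicitly here.
    cat > "$dir/hosts/$node" <<EOF
Address = $addr
Port = 55555
Subnet = $vpnip/32
EOF

    # tinc-up / tinc-down are run by tincd with INTERFACE set; they configure the TUN device.
    # \$INTERFACE is escaped so the scripts contain the literal variable, not its value now.
    cat > "$dir/tinc-up" <<EOF
#!/bin/sh
ip link set "\$INTERFACE" up
ip addr add $vpnip/24 dev "\$INTERFACE"
EOF
    cat > "$dir/tinc-down" <<'EOF'
#!/bin/sh
ip addr flush dev "$INTERFACE"
ip link set "$INTERFACE" down
EOF
    chmod 755 "$dir/tinc-up" "$dir/tinc-down"
}

# Generate the RSA keypair for a tree written by tinc_bootstrap. tincd -K appends the
# public key to hosts/<Name> and writes the private key to rsa_key.priv; -c points it
# at a config directory other than /etc/tinc/<netname>. With stdin not a tty it takes
# the default file names without prompting. (tinc 1.1 also offers `tinc -c DIR generate-keys`.)
tinc_keygen() {
    dir="$1"
    tincd -c "$dir" -K8192 </dev/null || return 1
    chmod 600 "$dir/rsa_key.priv"
}
```

After `tinc_bootstrap vpn node1 203.0.113.10 10.5.0.2` and `tinc_keygen /etc/tinc/vpn`, distribute /etc/tinc/vpn/hosts/node1 to every peer and collect theirs, then start with `tincd -n vpn` as above; rsa_key.priv never leaves the node.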