
Mesh VPNs with Tailscale

Published on 2024/12/15

Our laboratory

https://nisk.doshisha.ac.jp/

Advent Calendar, day 14

https://nislab-advent-calendar-2024-12.vercel.app/


Article by エスカーニョ マルケス、ユイス

Hello, everyone!
Today we will practice some English and learn about mesh VPNs!

TL;DR:

We use a mesh VPN to connect all our devices together through the Internet, allowing them to interact with one another in a virtual network, and we use Tailscale as the coordinator service.

My problem

What's the point of this? What can it be used for?
You may be asking yourself these questions... let me introduce my current situation. I have the following devices I want to interconnect:

  • Laptop at the university's laboratory in Kyotanabe, Japan. This is my main computer.
  • Server in London, United Kingdom. This is a publicly facing server to host websites such as kitsune.cat.
  • Mini-PC at my grandmother's house in Menorca, Spain. This PC acts as a backup server and hosts some docker web services like my private Nextcloud instance.
  • Raspberry Pi in Madrid, Spain. This is my proxy to interact with Spanish websites from Spain.

My setup

These computers need to interact in the following way:

  • Laptop → Server, to upload and update files on my websites.
  • Laptop → Mini-PC, to create remote backups of my data.
  • Laptop → Raspberry Pi, to route my web traffic through a Spanish IP.
  • Server → Mini-PC, to allow access to the Nextcloud service from the Internet.
  • Mini-PC → Server, to automatically create backups of the server's database.

By creating the mesh VPN, these devices will be able to communicate with one another regardless of the protections and firewalls in their local network. Moreover, once set up, the process will be automatic and machine to machine communications can run unsupervised, such as the automated backups of the database.

To achieve this, I will use Tailscale to manage my mesh VPN.

What is a VPN

VPN

To start with, let's review what a VPN is. A Virtual Private Network, or VPN, is a connection between two networks. For instance, at home we have a network between the router, our phone and our computer. This network is isolated from the Internet by the router, which has a firewall and other security protections that prevent people on the Internet from connecting to the local devices, while still allowing outgoing traffic for web browsing and other activities. Moreover, at the laboratory at Doshisha we have another network, the NISK50 Wi-Fi, which has all the laptops and phones of the students doing research. But this network is isolated from our home network, so devices on one network can't talk to the other. Here is where the VPN comes into play: it creates a virtual tunnel through the Internet that allows one device to participate in a foreign network.

Mesh VPN

A VPN allows connecting two networks together, however, what if we have more than one device? Like one computer at home, another at the University, and a third one at a friend's house?

We can create multiple VPNs that bridge all these networks together, and that's exactly what a mesh VPN is, a combination of VPNs to allow multiple devices to interact from different networks, not just two. There are two main ways to create a mesh VPN network:

Centralized mesh VPN

A centralized mesh VPN relies on a central server. All the devices open a VPN tunnel to the main server, and all the mesh traffic is routed through the central server. This is the easiest approach, but implies a big load over the central server and presents a single point of failure.

Decentralized/peer-to-peer mesh VPN

On the other hand, a decentralized mesh VPN establishes connections directly between the devices themselves. This removes the burden on the central server and allows for more efficient connections, since traffic can go directly between the peers. The p2p mesh can be fully decentralized, by letting the devices discover and manage their own list of peers and IPs, or it can be a coordinated mesh, in which a central server holds all the information and simply informs the other peers when a device has connected or disconnected.

The most practical approach is the coordinated mesh VPN, since it's easy to set up and maintain, and it can react faster to devices disconnecting or reconnecting.

Tailscale

Tailscale is a mesh VPN coordinator service that will do all the work of coordinating the VPN tunnels. Under the hood it uses WireGuard and NAT-Traversal technologies to create the tunnels between the peers that want to connect. It has a user-friendly web panel to control who can connect to our virtual network, and clients for Linux, Mac, Windows, Android, iOS... that make the setup process very easy.

An important advantage of using Tailscale is that all the communications are encrypted, making it a safe option to transfer personal files, database backups, server keys, and any other private data.

Moreover, Tailscale will create DNS names for each device, so you don't need to remember the IP address assigned to each peer and can use the hostname directly instead. I will show an example of the DNS names further down the road, but let's start from the beginning:

Step 1: create a Tailscale account.

Go to login.tailscale.com/start and create an account. You can create a free account with up to 5 devices, which is more than enough for my use case.

Tailscale account creation

And specify that you want to use the account for personal use:

Tailscale for personal use

Step 2: Install Tailscale on the device you want to connect

In my case, I already have Tailscale on my devices, but the website has easy instructions for any operating system you may have. For instance, if you have a Linux server, you can just run:

curl -fsSL https://tailscale.com/install.sh | sh

Step 3: Add devices

These are the steps to set up a Linux server, but Tailscale's website has detailed instructions for your device of choice. In my case, I run the following command:

sudo tailscale up

And I get a URL to login with my Tailscale user:

Tailscale add device

The machine will get registered and appear at the Tailscale control panel:

Tailscale device list

In Linux you might need to manually enable the Tailscale service at boot, which can be done with this command:

sudo systemctl enable tailscaled

We repeat this step until all the devices are in the pool.

Done!

And that's it. I can already connect to my different devices through the VPN without worrying about firewalls, security, encryption... all that is being handled by the Tailscale client and the coordinator server. Let's test with a simple ping:

lluis@my-favorite-pc:~$ ping minipc
PING minipc(minipc (fd7a:115c:a1e0::2)) 56 data bytes
64 bytes from minipc (fd7a:115c:a1e0::2): icmp_seq=1 ttl=64 time=1654 ms
64 bytes from minipc (fd7a:115c:a1e0::2): icmp_seq=2 ttl=64 time=601 ms
64 bytes from bichito (fd7a:115c:a1e0::2): icmp_seq=3 ttl=64 time=294 ms
64 bytes from bichito (fd7a:115c:a1e0::2): icmp_seq=4 ttl=64 time=283 ms

As you can see, I am able to connect to the Mini-PC, named minipc, despite it being hidden behind a firewall. Furthermore, I can use the name minipc to address the device instead of its IP address, which makes it very convenient to use.

lluis@minipc:~$ ping webserver
PING webserver(webserver (100.64.0.1)) 56(84) bytes of data.
64 bytes from webserver (100.64.0.1): icmp_seq=1 ttl=64 time=43.0 ms
64 bytes from webserver (100.64.0.1): icmp_seq=2 ttl=64 time=42.2 ms
64 bytes from webserver (100.64.0.1): icmp_seq=3 ttl=64 time=42.6 ms
64 bytes from webserver (100.64.0.1): icmp_seq=4 ttl=64 time=42.2 ms

With this we verified that the Mini-PC can communicate with the web server. And this applies to all devices, as they can freely connect to one another.
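Since some of the jobs described earlier (the database backups between the Mini-PC and the server) run unsupervised, it is worth checking before each transfer that the peer address in use really is a tailnet address and not something outside the VPN. The following POSIX sh snippet is an added example, not code from this article or from Tailscale; it assumes the two address ranges visible in the ping output above (100.64.0.0/10 for IPv4 and fd7a:115c:a1e0::/48 for IPv6) and stands in a placeholder echo for the real transfer command.

```shell
#!/bin/sh
# Added example, not from the original article. Returns 0 when $1 lies inside the
# tailnet ranges seen in the ping output: 100.64.0.0/10 or fd7a:115c:a1e0::/48.
is_tailnet_addr() {
    addr=$1
    case $addr in
        fd7a:115c:a1e0:*) return 0 ;;   # IPv6 /48 prefix, compact form as the client prints it
        *:*) return 1 ;;                # any other IPv6 address
        *.*.*.*)
            # IPv4: first octet 100, second octet 64..127 (a /10 block)
            old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
            [ $# -eq 4 ] || return 1
            for octet in "$@"; do
                case $octet in ''|*[!0-9]*) return 1 ;; esac
                [ "$octet" -le 255 ] || return 1
            done
            [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
            ;;
        *) return 1 ;;
    esac
}

# Guard for an unattended job: run the transfer only when the destination address
# (for example what "tailscale ip" reports for the peer) is on the tailnet.
# The real rsync/pg_dump command is replaced by an echo here.
guarded_transfer() {
    if is_tailnet_addr "$1"; then
        echo "ok: $1 is a tailnet address, transfer would proceed"
    else
        echo "refused: $1 is not a tailnet address" >&2
        return 1
    fi
}

# Constructed samples: two addresses from the ping output above, two outside the ranges.
for sample in 100.64.0.1 fd7a:115c:a1e0::2 203.0.113.7 100.128.0.1; do
    guarded_transfer "$sample" || true
done
```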

Conclusion

To sum up, today you learned what a mesh VPN is and how to set up your own virtual network to interconnect your computers throughout the world. You can achieve this with Tailscale's free service, all built on open-source technologies and high standards of security. You could use this knowledge in the future if you have multiple computers physically separated from one another and you wish to let them communicate easily.

More information

WireGuard

WireGuard is an open source network tunneling protocol for creating encrypted communication channels. It’s designed to replace other VPN protocols, such as OpenVPN and IPSec, as a simpler and lighter-weight alternative. The protocol maintains concurrent connections with minimal overhead per session. Independent cryptographers have reviewed the WireGuard protocol, and security auditors have examined the code implementation, identifying and allowing for the correction of minor issues. You can learn more about WireGuard's technical details in their whitepaper.

See: About WireGuard in Tailscale's documentation

NAT-Traversal

Most home routers will create a NAT firewall. This firewall creates a local IP space, called a LAN, where computers can talk to one another, and allows outgoing connections to be forwarded to the Internet. However, it blocks connections from the Internet to the computers inside the LAN, which prevents VPN tunnels from being created from one computer to another if both are hidden behind a NAT.

NAT Firewall

NAT-Traversal is a group of techniques to work around this block, normally using a STUN server, an intermediary that mediates the connection between the two peers so that the NAT lets them communicate.

Learn more about NAT-Traversal and how Tailscale uses it at How NAT traversal works in Tailscale's documentation.

The end


NISLab (Koita Laboratory)
