
Configuring Tailscale


Tailscale is a zero-trust network provider that gives administrators fine-grained control over the traffic on their network. Combined with NF and an identity provider, you can build a system with fine-grained access control that should satisfy all but the most stringent security requirements.

Tailscale configuration

Before beginning to configure NF, you should first create a Tailscale organization with MagicDNS and HTTPS enabled.

Because most identity providers will not work correctly with non-secure origins, you should plan on using Tailscale HTTPS or another system to provision certificates for your devices.

Logging in and Issuing Certs

After deploying NF with Tailscale, you must authenticate each node with Tailscale. Use Docker to obtain a shell in the Tailscale container, then bring the node up:

$ docker exec -it nf-sdk_tailscale_1 sh
# tailscale up

Tip

If you are going to assign your nodes friendly names in Tailscale, make sure to update those before issuing the certificates, because the certificate is issued for the node's current MagicDNS name.

Then issue your node an SSL certificate. Envoy expects the key and certificate to be named /tailscale-certs/server.key and /tailscale-certs/server.crt, respectively. Use the tailscale cert command to issue a certificate and symbolically link it to the right name.

## in the tailscale pod with a volume mount at /tailscale-certs
# cd /tailscale-certs
# tailscale cert
Usage: tailscale cert [flags] <domain>
For domain, use "txr6.tailnet-e340.ts.net".
# tailscale cert txr6.tailnet-e340.ts.net
# chmod a+r txr6.tailnet-e340.ts.net.key
# ln -s txr6.tailnet-e340.ts.net.crt server.crt
# ln -s txr6.tailnet-e340.ts.net.key server.key

Warning

You should take care to properly secure the Tailscale certificates using separate volumes and appropriate file ownership.

Finally, set the TAILSCALE_HTTPS=1 environment variable on the Envoy service so that it uses these certificates. When in SSL mode, Envoy binds port 4443 inside its container.
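The linking step above is easy to get wrong by hand (a mistyped link name leaves Envoy without a key). The following POSIX shell function is an added example, not part of the NF SDK, that links an issued pair to the names Envoy expects and verifies the result; the function name and arguments are assumptions, and the /tailscale-certs layout and server.crt/server.key names are the ones this page documents.

```shell
#!/bin/sh
# Link the cert/key pair issued by `tailscale cert <domain>` to the names
# Envoy expects and check that the pair is consistent. Constructed example.
set -eu

# link_tailscale_certs CERT_DIR DOMAIN
# Returns 0 on success, 1 if the issued files are missing or the links
# do not resolve to the same domain's files.
link_tailscale_certs() {
    dir="$1"
    domain="$2"
    crt="$domain.crt"
    key="$domain.key"

    # Refuse to link anything that `tailscale cert` did not actually produce.
    [ -s "$dir/$crt" ] || { echo "missing $dir/$crt" >&2; return 1; }
    [ -s "$dir/$key" ] || { echo "missing $dir/$key" >&2; return 1; }

    # Relative link targets, as on this page, so the volume can be mounted at
    # a different path in the Envoy container. -f replaces stale links from a
    # previous issuance; -n keeps ln from descending into an existing link.
    ln -sfn "$crt" "$dir/server.crt"
    ln -sfn "$key" "$dir/server.key"

    # Both links must point at the files for the requested domain.
    [ "$(readlink "$dir/server.crt")" = "$crt" ] || return 1
    [ "$(readlink "$dir/server.key")" = "$key" ] || return 1

    # When openssl is available and the files are real PEM, confirm the
    # private key matches the certificate's public key. Skipped otherwise.
    if command -v openssl >/dev/null 2>&1 \
        && grep -q 'BEGIN CERTIFICATE' "$dir/server.crt"; then
        cpub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
        kpub=$(openssl pkey -in "$dir/server.key" -pubout)
        [ "$cpub" = "$kpub" ] || { echo "key/cert mismatch" >&2; return 1; }
    fi
    return 0
}

# Usage inside the Tailscale container after `tailscale cert <domain>`:
#   link_tailscale_certs /tailscale-certs txr6.tailnet-e340.ts.net
```

Run it again after re-issuing a certificate (for example after renaming the node); the links are replaced rather than duplicated.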