README.md.gotmpl
{{ template "chart.header" . }}
{{ template "chart.deprecationWarning" . }}
{{ template "chart.badgesSection" . }}
{{ template "chart.description" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.maintainersSection" . }}
{{ template "chart.sourcesSection" . }}
{{ template "chart.requirementsSection" . }}
A Tailscale exit node lets you route traffic from your Tailscale network to the internet through Kubernetes nodes that sit outside your own network. This can be useful for a variety of reasons, such as reaching geographically restricted content or improving network performance.
## Prepare the nodes
Add the following to the kubelet configuration of each node that will run the Tailscale client, so that the pod is allowed to set the IPv6 forwarding sysctl:
```yaml
allowed-unsafe-sysctls: net.ipv6.conf.all.forwarding
```
## Deploy
Install the Tailscale client on each Kubernetes node that carries the `vpn` node role.
```shell
helm upgrade -i -n vpn -f vars/tailscale.yaml tailscale oci://ghcr.io/sergelogvinov/charts/tailscale
```
Helm values (`vars/tailscale.yaml`):
```yaml
# helm values
tailscale:
  # Tailscale authentication key
  TS_AUTH_KEY: tskey-auth-XXX
  TS_TAGS: tag:vpn

useDaemonSet: true
nodeSelector:
  node-role.kubernetes.io/vpn: ""

podSecurityContext:
  sysctls:
    - name: net.ipv6.conf.all.forwarding
      value: "1"
```
Result: a secret holding the Tailscale state is created for each node.
You can rename the client in the Tailscale admin portal.
By default the nodes are named `$REGION-$NODE`.
```shell
# kubectl -n vpn get pods
NAME              READY   STATUS    RESTARTS   AGE
tailscale-2bqk4   1/1     Running   0          46d
tailscale-484sl   1/1     Running   0          46d
...
# kubectl -n vpn get secrets
tailscale-node-1   Opaque   5   46d
tailscale-node-2   Opaque   6   46d
```
## Tailscale Access Controls
Tailscale ACLs (https://login.tailscale.com/admin/acls):
```json
{
  "tagOwners": {
    "tag:vpn": ["email-who-created-token"],
  },
  "autoApprovers": {
    // Devices tagged tag:vpn may advertise exit nodes that are auto-approved
    "exitNode": ["tag:vpn"],
  },
  // Access control lists.
  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:members"],
      "dst": ["autogroup:internet:*"],
    },
  ],
}
```
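The values file and the ACL policy above have to agree on the tag, the auto-approval rule and the forwarding sysctl, or the exit node silently never becomes usable (or, worse, the pods land on every node). The following pre-deploy check is an added example and not part of the chart: it parses the HuJSON policy (comments and trailing commas are not valid JSON), reads a constructed Python view of `vars/tailscale.yaml` (a real run would load the file with a YAML parser), and reports mismatches plus who the ACL lets route through the exit node. The `ACL_HUJSON` and `VALUES` inputs are constructed copies of the README snippets.

```python
"""Pre-deploy consistency check between the chart values and the tailnet ACL policy.
Added example; ACL_HUJSON and VALUES are constructed to mirror the README snippets."""
import json

# Constructed copy of the README's ACL policy (HuJSON: comments, trailing commas).
ACL_HUJSON = """
{
  "tagOwners": {
    "tag:vpn": ["email-who-created-token"],
  },
  "autoApprovers": {
    // Devices tagged tag:vpn may advertise exit nodes that are auto-approved
    "exitNode": ["tag:vpn"],
  },
  "acls": [
    { "action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:internet:*"], },
  ],
}
"""

# Constructed Python view of vars/tailscale.yaml (hypothetical; load the real file with YAML).
VALUES = {
    "tailscale": {"TS_AUTH_KEY": "tskey-auth-XXX", "TS_TAGS": "tag:vpn"},
    "useDaemonSet": True,
    "nodeSelector": {"node-role.kubernetes.io/vpn": ""},
    "podSecurityContext": {
        "sysctls": [{"name": "net.ipv6.conf.all.forwarding", "value": "1"}],
    },
}


def hujson_loads(text):
    """Convert HuJSON to JSON: drop // and /* */ comments and trailing commas that sit
    outside string literals, then parse with the standard json module."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\":                      # keep escaped char verbatim
                out.append(text[i + 1]); i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True; out.append(c)
        elif text.startswith("//", i):         # line comment
            nl = text.find("\n", i); i = len(text) if nl == -1 else nl; continue
        elif text.startswith("/*", i):         # block comment
            i = text.find("*/", i) + 2; continue
        elif c == ",":                         # trailing comma before } or ]
            j = i + 1
            while j < len(text) and text[j].isspace():
                j += 1
            if j < len(text) and text[j] in "}]":
                i += 1; continue
            out.append(c)
        else:
            out.append(c)
        i += 1
    return json.loads("".join(out))


def exit_node_users(policy):
    """Sources of every accept rule whose destination covers autogroup:internet,
    i.e. the identities allowed to send traffic through an exit node."""
    return [src for rule in policy.get("acls", []) if rule.get("action") == "accept"
            for dst in rule.get("dst", []) if dst.startswith("autogroup:internet")
            for src in rule.get("src", [])]


def check_exit_node_setup(values, policy_text):
    """Return a list of findings; an empty list means values and policy are consistent."""
    findings = []
    policy = hujson_loads(policy_text)
    ts = values.get("tailscale", {})
    tag, key = ts.get("TS_TAGS", ""), ts.get("TS_AUTH_KEY", "")
    if not key or key.endswith("XXX"):   # the README placeholder was never replaced
        findings.append("TS_AUTH_KEY still holds the placeholder value")
    if not tag.startswith("tag:"):
        findings.append("TS_TAGS must name a tag (tag:...)")
    if tag not in policy.get("tagOwners", {}):
        findings.append(f"{tag} has no tagOwners entry, so devices cannot be tagged with it")
    if tag not in policy.get("autoApprovers", {}).get("exitNode", []):
        findings.append(f"{tag} is not in autoApprovers.exitNode, exit nodes will need manual approval")
    sysctls = {s["name"]: s["value"] for s in values.get("podSecurityContext", {}).get("sysctls", [])}
    if sysctls.get("net.ipv6.conf.all.forwarding") != "1":
        findings.append('net.ipv6.conf.all.forwarding is not set to "1" in podSecurityContext')
    if not values.get("nodeSelector"):
        findings.append("no nodeSelector: the DaemonSet would run the client on every node")
    if not exit_node_users(policy):
        findings.append("no ACL grants autogroup:internet, so nobody can use the exit node")
    return findings


if __name__ == "__main__":
    for f in check_exit_node_setup(VALUES, ACL_HUJSON) or ["ok"]:
        print(f)
    print("exit node users:", exit_node_users(hujson_loads(ACL_HUJSON)))
```

Run against the README snippets it reports exactly one finding, the `tskey-auth-XXX` placeholder, and lists `autogroup:members` as the identities that may use the exit node; if that list should be narrower than every member of the tailnet, the `src` of the `autogroup:internet:*` rule is the place to tighten it.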
It's important to note that Tailscale exit nodes are intended for personal use only, and should not be used for commercial purposes or to violate the terms of service of any websites or services you are accessing through the exit node.
{{ template "chart.valuesSection" . }}