Skip to content

Latest commit

 

History

History
432 lines (306 loc) · 16.8 KB

DOCS.md

File metadata and controls

432 lines (306 loc) · 16.8 KB

Home Assistant Community Add-on: Tailscale

Tailscale is a zero config VPN, which installs on any device in minutes, including your Home Assistant instance.

Create a secure network between your servers, computers, and cloud instances. Even when separated by firewalls or subnets, Tailscale just works. Tailscale manages firewall rules for you, and works from anywhere you are.

Prerequisites

In order to use this add-on, you'll need a Tailscale account.

It is free to use for personal & hobby projects, up to 100 clients/devices on a single user account. Sign up using your Google, Microsoft or GitHub account at the following URL:

https://login.tailscale.com/start

You can also create an account during the add-on installation processes, however, it is nice to know where you need to go later on.

Installation

  1. Click the Home Assistant My button below to open the add-on on your Home Assistant instance.

    Open this add-on in your Home Assistant instance.

  2. Click the "Install" button to install the add-on.

  3. Start the "Tailscale" add-on.

  4. Check the logs of the "Tailscale" add-on to see if everything went well.

  5. Open the Web UI of the "Tailscale" add-on to complete authentication and couple your Home Assistant instance with your Tailscale account. Note: Some browsers don't work with this step. It is recommended to complete this step on a desktop or laptop computer using the Chrome browser.

  6. Check the logs of the "Tailscale" add-on again, to see if everything went well.

  7. Done!

Configuration

This add-on has almost no additional configuration options for the add-on itself.

However, when logging in to Tailscale, you can configure your Tailscale network right from their interface.

https://login.tailscale.com/

The add-on exposes "Exit Node" capabilities that you can enable from your Tailscale account. Additionally, if the Supervisor managed your network (which is the default), the add-on will also advertise routes to your subnets on all supported interfaces to Tailscale.

Consider disabling key expiry to avoid losing connection to your Home Assistant device. See Key expiry for more information.

Note: Some of the options below also available on Tailscale's web interface through the Web UI, but they are made read only there. You can't change them through the Web UI, because all the changes made there would be lost when the add-on is restarted.

accept_dns: true
accept_routes: true
advertise_exit_node: true
advertise_connector: true
advertise_routes:
  - 192.168.1.0/24
  - fd12:3456:abcd::/64
funnel: false
log_level: info
login_server: "https://controlplane.tailscale.com"
proxy: false
proxy_and_funnel_port: 443
snat_subnet_routes: true
stateful_filtering: false
tags:
  - tag:example
  - tag:homeassistant
taildrop: true
userspace_networking: true

Option: accept_dns

If you are experiencing trouble with MagicDNS on this device and wish to disable, you can do so using this option.

When not set, this option is enabled by default.

MagicDNS may cause issues if you run things like Pi-hole or AdGuard Home on the same machine as this add-on. In such cases disabling accept_dns will help. You can still leverage MagicDNS on other devices on your network, by adding 100.100.100.100 as a DNS server in your Pi-hole or AdGuard Home.

Option: accept_routes

This option allows you to accept subnet routes advertised by other nodes in your tailnet.

More information: Subnet routers

When not set, this option is enabled by default.

Option: advertise_exit_node

This option allows you to advertise this Tailscale instance as an exit node.

By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like a consumer VPN.

More information: Exit nodes

When not set, this option is enabled by default.

Option: advertise_connector

This option allows you to advertise this Tailscale instance as an app connector.

When you use an app connector, you specify which applications you wish to make accessible over your tailnet, and the domains for those applications. Any traffic for that application is then forced over the tailnet to a node running an app connector before egressing to the target domains. This is useful for cases where the application has an allowlist of IP addresses which can connect to it: the IP address of the node running the app connector can be added to the allowlist, and all nodes on the tailnet will use that IP address for their traffic egress.

More information: App connectors

When not set, this option is enabled by default.

Option: advertise_routes

This option allows you to advertise routes to subnets (accessible on the network your device is connected to) to other clients on your tailnet.

By adding to the list the IP addresses and masks of the subnet routes, you can use it to make your devices on these subnets accessible within your tailnet.

If you want to disable this option, specify an empty list in the configuration ([] in YAML).

More information: Subnet routers

When not set, the add-on by default will advertise routes to your subnets on all supported interfaces.

Option: funnel

This requires Tailscale Proxy to be enabled.

Important: See also the "Option: proxy" section of this documentation for the necessary configuration changes in Home Assistant!

When not set, this option is disabled by default.

With the Tailscale Funnel feature, you can access your Home Assistant instance from the wider internet using your Tailscale domain (like https://homeassistant.tail1234.ts.net) even from devices without installed Tailscale VPN client (for example, on general phones, tablets, and laptops).

ClientInternetTailscale Funnel (TCP proxy) ⇒ VPNTailscale Proxy (HTTPS proxy) → HA (HTTP web-server)

Without the Tailscale Funnel feature, you will be able to access your Home Assistant instance only when your devices (for example, phones, tablets, and laptops) are connected to your Tailscale VPN, there will be no Internet ⇒ VPN TCP proxying for HTTPS communication.

More information: Tailscale Funnel

  1. Navigate to the Access controls page of the admin console:

  2. Restart the add-on.

Note: After initial setup, it can take up to 10 minutes for the domain to be publicly available.

Note: You should not use the port number in the URL that you used previously to access Home Assistant. Tailscale Funnel works on the default HTTPS port 443 (or the port configured in option proxy_and_funnel_port).

Note: If you encounter strange browser behaviour or strange error messages, try to clear all site related cookies, clear all browser cache, restart browser.

Option: log_level

Optionally enable tailscaled debug messages in the add-on's log. Turn it on only in case you are troubleshooting, because Tailscale's daemon is quite chatty. If log_level is set to info or less severe level, the add-on also opts out of client log upload to log.tailscale.io.

The log_level option controls the level of log output by the addon and can be changed to be more or less verbose, which might be useful when you are dealing with an unknown issue. Possible values are:

  • trace: Show every detail, like all called internal functions.
  • debug: Shows detailed debug information.
  • info: Normal (usually) interesting events.
  • notice: Normal but significant events.
  • warning: Exceptional occurrences that are not errors.
  • error: Runtime errors that do not require immediate action.
  • fatal: Something went terribly wrong. Add-on becomes unusable.

Please note that each level automatically includes log messages from a more severe level, e.g., debug also shows info messages. By default, the log_level is set to info, which is the recommended setting unless you are troubleshooting.

Option: login_server

This option lets you to specify a custom control server instead of the default (https://controlplane.tailscale.com). This is useful if you are running your own Tailscale control server, for example, a self-hosted Headscale instance.

Option: proxy

When not set, this option is disabled by default.

Tailscale can provide a TLS certificate for your Home Assistant instance within your tailnet domain.

This can prevent browsers from warning that HTTP URLs to your Home Assistant instance look unencrypted (browsers are not aware of the connections between Tailscale nodes are secured with end-to-end encryption).

More information: Enabling HTTPS

  1. Configure Home Assistant to be accessible through an HTTP connection (this is the default). See HTTP integration documentation for more information. If you still want to use another HTTPS connection to access Home Assistant, please use a reverse proxy add-on.

  2. Home Assistant, by default, blocks requests from reverse proxies, like the Tailscale Proxy. To enable it, add the following lines to your configuration.yaml, without changing anything:

    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 127.0.0.1
  3. Navigate to the DNS page of the admin console:

    • Choose a tailnet name.

    • Enable MagicDNS if not already enabled.

    • Under HTTPS Certificates section, click Enable HTTPS.

  4. Restart the add-on.

Note: You should not use the port number in the URL that you used previously to access Home Assistant. Tailscale Proxy works on the default HTTPS port 443 (or the port configured in option proxy_and_funnel_port).

Option: proxy_and_funnel_port

This option allows you to configure the port the Tailscale Proxy and Funnel features are accessible on the tailnet (in case of Tailscale Proxy is enabled) and optionally on the internet (in case of Tailscale Funnel is also enabled).

Only port number 443, 8443 and 10000 is allowed by Tailscale.

When not set, port number 443 is used by default.

Option: snat_subnet_routes

This option allows subnet devices to see the traffic originating from the subnet router, and this simplifies routing configuration.

When not set, this option is enabled by default.

To support advanced Site-to-site networking (eg. to traverse multiple networks), you can disable this functionality, and follow steps from step 3 on Site-to-site networking. But do it only when you really understand why you need this.

Option: stateful_filtering

This option enables stateful packet filtering on packet-forwarding nodes (exit nodes, subnet routers, and app connectors), to only allow return packets for existing outbound connections. Inbound packets that don't belong to an existing connection are dropped.

When not set, this option is disabled by default.

Option: tags

This option allows you to specify specific ACL tags for this Tailscale instance. They need to start with tag:.

More information: ACL tags

Option: taildrop

This add-on support Tailscale's Taildrop feature, which allows you to send files to your Home Assistant instance from other Tailscale devices.

When not set, this option is enabled by default.

Received files are stored in the /share/taildrop directory.

Option: userspace_networking

The add-on uses userspace networking mode to make your Home Assistant instance (and optionally the local subnets) accessible within your tailnet.

When not set, this option is enabled by default.

If you need to access other clients on your tailnet from your Home Assistant instance, disable userspace networking mode, which will create a tailscale0 network interface on your host.

If you want to access other clients on your tailnet even from your local subnet, follow steps from step 3 on Site-to-site networking.

In case your local subnets collide with subnet routes within your tailnet, your local network access has priority, and these addresses won't be routed toward your tailnet. This will prevent your Home Assistant instance from losing network connection. This also means that using the same subnet on multiple nodes for load balancing and failover is impossible with the current add-on behavior.

Network

Port: 41641/udp

UDP port to listen on for WireGuard and peer-to-peer traffic.

Use this option (and router port forwarding) if you experience that Tailscale can't establish peer-to-peer connections to some of your devices (usually behind CGNAT networks). You can test connections with tailscale ping <hostname-or-ip>.

When not set, an automatically selected port is used by default.

Changelog & Releases

This repository keeps a change log using GitHub's releases functionality.

Releases are based on Semantic Versioning, and use the format of MAJOR.MINOR.PATCH. In a nutshell, the version will be incremented based on the following:

  • MAJOR: Incompatible or major changes.
  • MINOR: Backwards-compatible new features and enhancements.
  • PATCH: Backwards-compatible bugfixes and package updates.

Support

Got questions?

You have several options to get them answered:

You could also open an issue here GitHub.

Authors & contributors

The original setup of this repository is by Franck Nijhof.

For a full list of all authors and contributors, check the contributor's page.

License

MIT License

Copyright (c) 2021-2024 Franck Nijhof

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.