Headscale

https://github.com/juanfont/headscale/
https://headscale.net

Пример headscale для docker swarm stack c доступом через traefik и ограничением по IP:

docker-compose.yaml

services:
  headscale:
    image: headscale/headscale:latest
    entrypoint: headscale serve
    volumes:
      - /data/docker/headscale/config:/etc/headscale
      - /data/docker/headscale/data:/var/lib/headscale
    networks:
      - traefik-public
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale.rule=Host(`DOMAIN.COM`)
        - traefik.http.routers.headscale.entrypoints=https
        - traefik.http.routers.headscale.tls=true
        - traefik.http.routers.headscale.tls.certresolver=le
        - traefik.http.routers.headscale.middlewares=headscale-cors,headscale-ipallowlist
        - traefik.http.routers.headscale.service=headscale
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowMethods="GET,POST,PUT,PATCH,DELETE,OPTIONS"
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowHeaders="Authorization,Content-Type"
        - traefik.http.middlewares.headscale-cors.headers.accessControlAllowOriginList="https://DOMAIN.COM"
        - traefik.http.middlewares.headscale-cors.headers.accessControlMaxAge=100
        - traefik.http.middlewares.headscale-cors.headers.addVaryHeader=true
        - traefik.http.middlewares.headscale-ipallowlist.ipallowlist.sourcerange=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
        - traefik.http.services.headscale.loadbalancer.server.port=8080

networks:
  traefik-public:
    external: true

Команды

Сервер

Создать API ключ для ступа к headscale, например через UI:

headscale apikeys create

Создать пользователя:

headscale users create user1

Создать многоразовый ключ пользователю истекающий через 24ч (для подключения нод):

headscale preauthkeys --user user1 create --reusable --expiration 24h

Зарегистрировать ноду на сервере, после получения ключа ноды:

headscale nodes register --user user1 --key W4D7f0Um2pJl2r0TX0FrFJ09

DERP

https://headscale.net/development/ref/derp/

Включить свой сервер DERP:

config.yaml:

derp:
  server:
    enabled: true
    ipv4: IP.V4.ADDR.SERVER

Клиент

Запросить ключ ноды для регистрации на сервере:

tailscale up --login-server=https://DOMAIN.COM --accept-dns=false --accept-routes

или сразу зарегистрировать клиента с указанем ключа пользователя:

tailscale up --login-server=https://DOMAIN.COM --auth-key=dc0018d10c5ec398a972cf060603be276fc602c9861850de --accept-dns=false --accept-routes

Показать маршруты:

ip route show table all oif tailscale0
#или
ip route show table 52

Отключить SNAT на клиенте предоставляющего подсети (только для linux):

tailscale up --snat-subnet-routes=false

https://tailscale.com/kb/1019/subnets#disable-snat

ACL

https://headscale.net/stable/ref/acls/

Для работы с ACL добавить в config.yaml:

policy

policy:
  mode: database

UI

https://headscale.net/stable/ref/integration/web-ui/

https://github.com/GoodiesHQ/headscale-admin

docker-compose.headscale-admin.yaml

services:
  headscale-admin:
    image: goodieshq/headscale-admin:latest
    container_name: headscale-admin
    networks:
      - traefik-public
    restart: unless-stopped
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale-admin.rule=Host(`DOMAIN.COM`) && PathPrefix(`/admin`)
        - traefik.http.routers.headscale-admin.entrypoints=https
        - traefik.http.routers.headscale-admin.tls=true
        - traefik.http.routers.headscale-admin.tls.certresolver=le
        - traefik.http.routers.headscale-admin.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-admin.loadbalancer.server.port=80

networks:
  traefik-public:
    external: true

https://github.com/gurucomputing/headscale-ui

docker-compose.headscale-ui.yaml

services:
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    networks:
      - traefik-public
    restart: unless-stopped
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale-ui.rule=Host(`DOMAIN.COM`) && PathPrefix(`/web`)
        - traefik.http.routers.headscale-ui.entrypoints=https
        - traefik.http.routers.headscale-ui.tls=true
        - traefik.http.routers.headscale-ui.tls.certresolver=le
        - traefik.http.routers.headscale-ui.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-ui.loadbalancer.server.port=8080

networks:
  traefik-public:
    external: true

https://github.com/tale/headplane

docker-compose.headplane.yaml

services:
  headplane:
    image: ghcr.io/tale/headplane:latest
    container_name: headplane
    networks:
      - traefik-public
    restart: unless-stopped
    volumes:
      - /data/docker/headscale/headplane:/etc/headplane
      - /data/docker/headscale/config:/etc/headscale
    deploy:
      labels:
        - traefik.enable=true
        - traefik.swarm.network=traefik-public
        - traefik.http.routers.headscale-headplane.rule=Host(`DOMAIN.COM`) && PathPrefix(`/admin`)
        - traefik.http.routers.headscale-headplane.entrypoints=https
        - traefik.http.routers.headscale-headplane.tls=true
        - traefik.http.routers.headscale-headplane.tls.certresolver=le
        - traefik.http.routers.headscale-headplane.middlewares=headscale-ipallowlist
        - traefik.http.services.headscale-headplane.loadbalancer.server.port=3000

networks:
  traefik-public:
    external: true

Ссылки

https://tailscale.com/download - загрузить ноду (клиент)
https://lanrat.github.io/openwrt-tailscale-repo/ - клиент для OpenWrt 19.07