This is an example of using the Tailscale mesh VPN on a Raspberry Pi 4 powered by Balena.
This repository contains an example for running Tailscale on a Raspberry Pi 4. Tailscale is a system that makes it easy to manage the configuration of many devices in a WireGuard VPN setup. WireGuard is a modern mesh VPN implementation that requires tunnel configurations to be configured on each device. This is what Tailscale makes easy and reliable on a global scale using a centralized control plane.
The Tailscale node is managed by Balena, an IoT platform for managing and deploying applications to IoT devices. Balena is built on top of Docker, the Yocto project and other open source technologies.
The Go clone of the Librespeed speedtest application has been included as a demo application of what is possible when setting up a WireGuard tunnel configured by Tailscale.
The speedtest service can be used to test the performance of your Tailscale (well, WireGuard) VPN connection.
Requirements:
- A Balena account
- A Tailscale account
- A Raspberry Pi (this project has been tested with RPi 3)
- Another device with Tailscale installed
You need to create a new Balena application or use an existing one and prepare an SD Card with balenaOS.
The example has currently been tested successfully with a Raspberry Pi 4 (using balenaOS versions 2.95.8 and balenaOS 2.56.0+rev2.prodTBD) using the current Dockerfile.template file.
In case a different balenaOS version is used, the tailscale Dockerfile.template may have to be updated to use a different version also, otherwise there may be issues when retrieving the kernel headers or compiling the WireGuard kernel module.
Using the Balena CLI you can run this project as follows:
# login to Balena
$ balena login
# push the application to Balena (or to your device in local mode)
$ balena push <application>This can take a while, depending on internet speeds, speed of the Balena builders and whether (some of your) layers were cached before.
After the build process is finished and your device has downloaded the updated images, the tailscale and speedtest services will be started.
The first time the tailscale service will exit early, because the TAILSCALE_KEY environment variable is not set and tailscale will thus not be able to authenticate itself to the Tailscale servers.
You can create a (reusable) key here.
After creating a key, it should be made available as a Service Variable for the tailscale service in your application in Balena.
After adding the variable, the tailscale service will restart and it should show logs similar to the following in the Balena web console:
......
20.11.20 17:06:24 (+0100) tailscale wireguard version: 1.0.20201112
20.11.20 17:06:25 (+0100) tailscale logtail started
20.11.20 17:06:25 (+0100) tailscale Program starting: v1.2.8-tcde3a23b6-g1f7ecb611, Go 1.15.4-tsf9db43b: []string{"tailscaled", "-state=/tailscale/tailscaled.state"}
20.11.20 17:06:25 (+0100) tailscale Starting userspace wireguard engine with tun device "tailscale0"
20.11.20 17:06:25 (+0100) tailscale CreateTUN ok.
20.11.20 17:06:25 (+0100) tailscale Creating wireguard device...
20.11.20 17:06:25 (+0100) tailscale Bringing wireguard device up...
......
After the tunnel is up, you can check your (online) devices in the Tailscale dashboard. You can also find the IP address that Tailscale assigned to the Raspberry Pi in the Tailscale dashboard as well as in the Balena dashboard. You can browse to the IP of the RPi on the other Tailscale connected device to run a speedtest over the WireGuard tunnel.
The code in this repository was inspired by the contents available on the links below:
- How to run Wireguard VPN in balenaOS
- Setting up Tailscale on Raspbian Buster
- klutchell/balena-wireguard
- jaredallard-home/wireguard-balena-rpi
- kazazes/balena-tailscale
- tailscale/tailscale#504
- Tailscale Kubernetes Operator gist
- TBD