How to create a Tailscale VPN connection to my Synology NAS

This article discusses how to create a Tailscale VPN connection to my Synology NAS. According to their documentation, Tailscale simplifies secure connections to your Network-Attached Storage (NAS) devices using WireGuard. Please see how to create New Users and Join Synology NAS to Active Directory, DSM Security: How to Protect Synology DS923+ NAS, and how to “Configure VPN on Windows Server: How…

View On WordPress

I decided that today I was going to set up torrenting on my NAS machine. I installed qbittorrent, got into the web UI, then lost contact with it somehow. So I reinstalled it and then tried to set up VPN. It did the thing I stopped using it for on Windows, which is completely failing to make any connections when you set up SOCKS proxy, so I backed up and decided I needed to install a VPN client on the machine.

The guide for setting up Wireguard strongly recommended installing a firewall first, and of course that makes sense, so I did that. And completely failed to allow SSH, therefore killing my access to the machine. The XU4 has no video output, it's completely headless, so I don't believe there was any way to fix that other than doing a clean install on the bootable SD card, which is what I did.

I took the opportunity to switch from OpenMediaVault, which doesn't actually seem to be doing anything for me other than the Samba share since they broke Docker integration, to CasaOS, which... also doesn't seem to be doing much for me but the Samba share since all of its apps are Docker containers and Docker really hasn't been working for me, but at least it's a nicer UI.

I had Jellyfin working before, the curl script just did its thing and I was in, but now it's hitting a dependency issue I had to join the Jellyfin forum to ask for help with. Fortunately I haven't fully migrated to Jellyfin and extra fortunately, I was able to set up the Samba share with exactly the same path so my Kodi library is unaffected.

Tailscale didn't want to start when I installed it, but then I noticed that the machine wanted to reboot for a kernel update and when it came back, Tailscale was working, so I think I have everything I was relying on back to the way it was. I was just really close to jumping to Jellyfin...

Travel Router

Over the last few weeks, I have made posts about different software I have implemented to make my cyber life more secure, efficient, and personal. This week I will cover the most recent piece of hardware I have added to my arsenal. The Beryl AX is a pocket-sized Wifi-6 travel router. Now why would you need a travel router and what does it do?

The Beryl AX provides multiple functions to keep you secure with high-speed internet on the go. It provides enhanced security on public networks, reliable internet performance, multiple device connections, customization with different internet sources, and most importantly it’s portable. On top of all this, it doesn’t break the bank in terms of cost.

(Picture for size reference)

Focusing on its travel application, it allows you to create a secure connection between your devices and any public network you would like to use. It does this by coming with a personal firewall, VPN services, and its ability to isolate your devices away from the public network and keep them on your private network that Beryl establishes. It also can boost weak Wi-Fi signals from a public Wi-Fi source, such as a hotel or café Wi-Fi. This, with its Wi-Fi 6 technology allows for faster and better-performing signals that would generally be pretty poor. Beryl’s UI is also extremely user-friendly and easy to navigate with many built-in features like adding Tor capabilities and even adding Tailscale (I wrote about Tailscale previously if you don’t know what it is). The GL.iNeT is still updating the Beryl and their other devices with new and improved capabilities. My first big experience with Beryl will be coming up soon when I travel to Bangkok for a vacation.

Source:

Hope it's alright if I add on to this - I'm seeing people in the notes who want to make their own FreakTV-style TV channels, and as someone who was inspired to set up something similar after first seeing these bumpers, I wanted to share some of the basics of my methods~ (continued below cut)

If you have a computer connected to the internet and the space to store the content you want to watch, you can use ErsatzTV (a personal IPTV server) and Jellyfin (my preferred personal media server (Plex or Emby are also options)) to set up any number of channels, and set them to play more or less anything you want on any schedule you want, as long as you have the files of the media you want it to play - the setup for both of these server programs is fairly straightforward, and both have a ton of accessible tutorials (like these) available on their respective websites. How you get media files of whatever shows you'd like to include is up to you to figure out.

If you want to share access to the servers (which host your TV channel/s) with friends but don't really know anything about networks, Tailscale is a VPN that assigns you a secondary IP as part of a virtual local network, but you don't really have to know what that means in order to use it. Since there aren't as many accessible tutorials for this specific use of Tailscale, here are the basics of copying my Tailscale setup, where I use Jellyfin's built-in IPTV support to watch my ErsatzTV channels:

1.) After setting up Jellyfin and ErsatzTV, make sure you've followed this tutorial for making your ErsatzTV channels accessible in Jellyfin 2.) Install Tailscale and create a Tailscale account on the computer running ErsatzTV/Jellyfin (you may want to set up 2 Tailscale accounts, one for users and one for admin - though doing this is a little more complicated than you'd expect, and just having 1 account is probably fine if you can't/don't want to figure it out) 3.) Install and log into Tailscale on whatever device you want to watch your TV channel/s on 4.) Go to the Tailscale dashboard in your browser, find the Tailscale IP address of the computer running ErsatzTV/Jellyfin, and copy it 5.) Paste that IP into your browser's address bar, and add ":8096" to the end of it (you can also follow this step in a Jellyfin client app instead of a browser, which I'd recommend at least trying out) 6.) The Jellyfin Web-UI should now be open in your browser, which you should be able to use to watch your ErsatzTV channels

For what it's worth, when I've used Tailscale to stream my TV channels or anything via Jellyfin to my phone, for reasons beyond my understanding, the quality has genuinely been flawless, even over mobile data - I can't recommend it enough.

As a disclaimer, there are probably faster ways of setting this up, but as I have enjoyed investing a lot of extra time into my Jellyfin server, I haven't done the experimenting to come up with any. If you really just want one TV channel and nothing else, setting all this up without also setting up a media server like Jellyfin is possible, but it would introduce a couple of new issues you'd have to find solutions for, one being that ErsatzTV doesn't come with a built-in player to actually watch your channels with. So, whether or not you want to experiment to find different methods is up to you.

Anyway, hope this is useful to some of you, go nuts ✌️

here's a compilation of Every FreakTV Bumper That I've Made, in chronological order of creation, along with titles and reviews of them.

FreakTV is a fake TV channel my friends and i created to be used as a discord bot that streamed randomly selected episodes from our favorite TV shows, 24/7, in a dedicated channel. between each aired episode there was a "coming up next" break, and one of hundreds of bumpers that all of us created over time

Tailscale VPN review | TechRadar

Tailscale VPN review | TechRadar

Many people are familiar with the security benefits of using a virtual private network, or VPN. By connecting to a VPN server, you can access an encrypted connection and mask your IP address from your ISP or bad actors looking to gain access to your accounts. But the best VPN services can also be used to securely connect to devices, whether to enable remote office work or just to share important…

View On WordPress

Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code

Tailscale is a zero config mesh "VPN" that runs atop other networks and effectively "flattens" networks and allows users/services to more easily (and securely) communicate with each other.

For example, I've written extensively on how to SSH into WSL2 on Windows 10 from another machine and you'll note that there is not only a ton of steps but there's more than one way to do it!

I have talked about this for SSH, but if you're an active developer and want to share the services and sites you're working on with your coworkers and collaborators, there's a non-trivial amount of setup, management, and maintenance to deal with.

Phrased differently, "wouldn't it be easier if we were all just on the same network and subnet?"

WSL1 shares its networking stack with Windows 10, so the "machine" is the same. Whatever YourMachineName is, running a service on 5000 is the same if it's a Windows service or an app running in Linux under WSL1. However, in WSL2, your Linux environment is "behind" your Windows host. While WSL2 makes it easy to hit http://localhost:5000 by transparent port-forwarding, your WSL2 Linux machine isn't really a peer on the same network as your other devices.

Using a zero-configuration networking system like Tailscale (and similar services) levels the playing field - and the network. Due to some characteristics of WSL2 there are a few gotchas. Here's how I got it working for me.

Tailscale on WSL2

Get WSL

Install WSL2 - follow the instructions here 

Install a Linux distro - I used Ubuntu 20.04

go through the process, make a user, etc.

Install the Windows Terminal - It's just so much better, and really makes your command line experience better

Get Tailscale

Install Tailscale - I used the Ubuntu 20.04 instructions

Modify WSL2

I can't get Tailscale today to startup on WSL2 with ipv6 install, so I disable it.

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Run Tailscale

Here you startup the daemon. There's no systemd (yet) on WSL2, but if you're on a version over Windows 10 build 21286, there are ways run commands on startup in the Windows Subsystem for Linux. Personally, I just do this in a bash script.

sudo tailscaled

WSL doesn't have a way to do an interactive login process, so you wan tot create a pre-authentication key to authenticate a single machine. Then use that key, as I do here, to bring up Tailscale within WSL:

tailscale up --authkey=tskey-9e85d94f237c54253cf0

I like to keep this open in another Terminal Tab or Window Pane so I can watch the logs. It's interesting and verbose!

Within the Tailscale machines admin panel, you can see all the machines living on your new Tailscale network. Note that I have scottha-proto listed as Windows, and scottha-proto-1 listed as Linux. The first is my Host machine and the second (the -1) is my Linux WSL2 instance! They are now on a flat network! 

I was also able to invite a user from outside my network with the new (coming soon) Tailscale node sharing feature. My friend Glenn is NOT in my organization, but just like I use OneDrive or DropBox to create a link to access ONE entity but not the WHOLE system, I can do the same here.

Now I can have Glenn hit a service running in WSL2 from his house.

Make a Service and Bind it to the Tailscale Network

I've installed .NET 5 in my WSL2 Ubuntu system, made a folder, and run dotnet new web to make a Hello World microservice.

When I run the service - .NET or Node, or whatever - it essential that the service listen on the Tailscale network. Your Linux system in WSL2 is 'multi-homed' and is connected to multiple networks. By default my developer systems listen only on localhost.

For .NET there's several ways to listen on all networks (including Tailscale) but I used this one:

dotnet run --urls http://*:5100;https://*:5101

So here I've got myself connecting to the Tailscale IP that's associated with my WSL2 instance and hitting my Linux service running within:

How far can we take this? Well, since I'm on the Tailscale network and Glenn has connected to it, the whole network is flat, so hitting my service is trivial! Here I am on Teams with my desktop on the bottom and Glenn's desktop on the top.

Cool. How far can we go?

Add Visual Studio Code and the Remote Development SSH Extension

Ok, so flat secure network, no limits! Can I make my WSL2 instance be treated as a remote development system for Glenn? Sure, why not?

To be clear - this is just me talking and experimenting, but there's something here. This can also be cross platform, Mac to Windows to WSL2, etc. You can also certainly use this section to create a VM in any cloud host or hoster, install Tailscale, stop worrying about port forwarding, and use it as a development box. Yes, you can just use WSL local, but this is fun and can be exploited in other cool ways.

On my WSL2 machine, I'll start up the ssh service. I could share public keys and do proper key-based login, but for this I'll do it by username.

I'll edit /etc/ssh/sshd_config and set the port, ListenAddress, and PasswordAuthentication to Yes. Here's an example:

Port 22 #AddressFamily any ListenAddress 0.0.0.0 ListenAddress :: PasswordAuthentication yes

I made glenn a local super user just in my WSL2 instance:

sudo adduser glenn usermoid -aG sudo glenn

Glenn then installs the VS Code Remote Development pack and connects using Remote via SSH to my Tailscale IP. Here you can see VS Code from Glenn's machine is actually installing the VS Code Server and remote developers, and Glenn and code with VS Code architecturally split in half with the client on his Windows machine and the server on my WSL2 instance.

Note in the lower left corner, you can see his VS Code is connected to my WSL2 Linux instance's Tailscale IP!

What do you think?

You may compare Tailscale to things like NGrok which offers a developer-oriented localhost tunneller, but there are some important differences. Do your research! I have no relationship with this company other than I'm a fan.

Sponsor: This week's sponsor is...me! This blog and my podcast has been a labor of love for 19 years. Your sponsorship pays my hosting bills for both AND allows me to buy gadgets to review AND the occasional taco. Join me!

© 2020 Scott Hanselman. All rights reserved.

      Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code published first on http://7elementswd.tumblr.com/

Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code

Tailscale is a zero config mesh "VPN" that runs atop other networks and effectively "flattens" networks and allows users/services to more easily (and securely) communicate with each other.

For example, I've written extensively on how to SSH into WSL2 on Windows 10 from another machine and you'll note that there is not only a ton of steps but there's more than one way to do it!

I have talked about this for SSH, but if you're an active developer and want to share the services and sites you're working on with your coworkers and collaborators, there's a non-trivial amount of setup, management, and maintenance to deal with.

Phrased differently, "wouldn't it be easier if we were all just on the same network and subnet?"

WSL1 shares its networking stack with Windows 10, so the "machine" is the same. Whatever YourMachineName is, running a service on 5000 is the same if it's a Windows service or an app running in Linux under WSL1. However, in WSL2, your Linux environment is "behind" your Windows host. While WSL2 makes it easy to hit http://localhost:5000 by transparent port-forwarding, your WSL2 Linux machine isn't really a peer on the same network as your other devices.

Using a zero-configuration networking system like Tailscale (and similar services) levels the playing field - and the network. Due to some characteristics of WSL2 there are a few gotchas. Here's how I got it working for me.

Tailscale on WSL2

Get WSL

Install WSL2 - follow the instructions here 

Install a Linux distro - I used Ubuntu 20.04

go through the process, make a user, etc.

Install the Windows Terminal - It's just so much better, and really makes your command line experience better

Get Tailscale

Install Tailscale - I used the Ubuntu 20.04 instructions

Modify WSL2

I can't get Tailscale today to startup on WSL2 with ipv6 install, so I disable it.

sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1

Run Tailscale

Here you startup the daemon. There's no systemd (yet) on WSL2, but if you're on a version over Windows 10 build 21286, there are ways run commands on startup in the Windows Subsystem for Linux. Personally, I just do this in a bash script.

sudo tailscaled

WSL doesn't have a way to do an interactive login process, so you wan tot create a pre-authentication key to authenticate a single machine. Then use that key, as I do here, to bring up Tailscale within WSL:

tailscale up --authkey=tskey-9e85d94f237c54253cf0

I like to keep this open in another Terminal Tab or Window Pane so I can watch the logs. It's interesting and verbose!

Within the Tailscale machines admin panel, you can see all the machines living on your new Tailscale network. Note that I have scottha-proto listed as Windows, and scottha-proto-1 listed as Linux. The first is my Host machine and the second (the -1) is my Linux WSL2 instance! They are now on a flat network! 

I was also able to invite a user from outside my network with the new (coming soon) Tailscale node sharing feature. My friend Glenn is NOT in my organization, but just like I use OneDrive or DropBox to create a link to access ONE entity but not the WHOLE system, I can do the same here.

Now I can have Glenn hit a service running in WSL2 from his house.

Make a Service and Bind it to the Tailscale Network

I've installed .NET 5 in my WSL2 Ubuntu system, made a folder, and run dotnet new web to make a Hello World microservice.

When I run the service - .NET or Node, or whatever - it essential that the service listen on the Tailscale network. Your Linux system in WSL2 is 'multi-homed' and is connected to multiple networks. By default my developer systems listen only on localhost.

For .NET there's several ways to listen on all networks (including Tailscale) but I used this one:

dotnet run --urls http://*:5100;https://*:5101

So here I've got myself connecting to the Tailscale IP that's associated with my WSL2 instance and hitting my Linux service running within:

How far can we take this? Well, since I'm on the Tailscale network and Glenn has connected to it, the whole network is flat, so hitting my service is trivial! Here I am on Teams with my desktop on the bottom and Glenn's desktop on the top.

Cool. How far can we go?

Add Visual Studio Code and the Remote Development SSH Extension

Ok, so flat secure network, no limits! Can I make my WSL2 instance be treated as a remote development system for Glenn? Sure, why not?

To be clear - this is just me talking and experimenting, but there's something here. This can also be cross platform, Mac to Windows to WSL2, etc. You can also certainly use this section to create a VM in any cloud host or hoster, install Tailscale, stop worrying about port forwarding, and use it as a development box. Yes, you can just use WSL local, but this is fun and can be exploited in other cool ways.

On my WSL2 machine, I'll start up the ssh service. I could share public keys and do proper key-based login, but for this I'll do it by username.

I'll edit /etc/ssh/sshd_config and set the port, ListenAddress, and PasswordAuthentication to Yes. Here's an example:

Port 22 #AddressFamily any ListenAddress 0.0.0.0 ListenAddress :: PasswordAuthentication yes

I made glenn a local super user just in my WSL2 instance:

sudo adduser glenn usermoid -aG sudo glenn

Glenn then installs the VS Code Remote Development pack and connects using Remote via SSH to my Tailscale IP. Here you can see VS Code from Glenn's machine is actually installing the VS Code Server and remote developers, and Glenn and code with VS Code architecturally split in half with the client on his Windows machine and the server on my WSL2 instance.

Note in the lower left corner, you can see his VS Code is connected to my WSL2 Linux instance's Tailscale IP!

What do you think?

You may compare Tailscale to things like NGrok which offers a developer-oriented localhost tunneller, but there are some important differences. Do your research! I have no relationship with this company other than I'm a fan.

Sponsor: This week's sponsor is...me! This blog and my podcast has been a labor of love for 19 years. Your sponsorship pays my hosting bills for both AND allows me to buy gadgets to review AND the occasional taco. Join me!

© 2020 Scott Hanselman. All rights reserved.

      Using Tailscale on Windows to network more easily with WSL2 and Visual Studio Code published first on https://deskbysnafu.tumblr.com/

How to update Veeam Backup and Replication [VBR]

Veeam Backup and Replication is an advanced data protection and disaster recovery solution designed for virtual, physical, and cloud environments. It enables you to backup, restore your backup when disaster strikes. In this article, we will discuss how to update Veeam Backup and Replication [VBR]. Please see How to update Object First OOTBI Cluster, How to create a Tailscale VPN connection to…

Server misadventure report:

Tailscale will expire your devices' keys every few months by default, and I didn't realize my home server had expired until I couldn't connect to it from outside the house and saw on the admin console that it was offline and expired. I turned off key expiry and it was still offline. Okay, gotta log back in on the server itself. Fine.

When I got home, I TTYed into the server and I believe this is the order of events: I ran "tailscale up" to log back in. I checked my torrent client which is bound to the tailscale tunnel since I've only been able to get Mullvad to work on that device through Tailscale, and it still wasn't active. While I was trying to diagnose that, I ran "tailscale update" to update the version. I believe this is where the harder to solve problem happened.

While TS was updating itself, I realized the issue with the torrent client was that I had only joined the TS VPN but I hadn't connected to the Mullvad exit node. This is where the stupider problem happened, because you have to specify that you want to leave LAN access open when you connect to an exit node every time, and I forgot to do this when I used TTY over LAN to tell my headless server to connect to the exit node. Fortunately I got access back by removing the server from my VPN group and rebooting.

When the server was back up, responding to commands, and reauthorized on my TS VPN, I gave the appropriate command to connect to the Mullvad exit node and it gave an error. I thought I had selected the wrong address and told it to list available exit nodes, and it said no nodes found. This was the harder problem to solve. Rebooting didn't do it, it was already the most recent version. I had to leave it for a few days.

While I was trying to find a post online explaining why I couldn't find Mullvad exit nodes even though the device was authorized in my account to use Mullvad, I remembered that the last time it worked might have been before I updated the version. While I was wondering how to go about it back, I noticed that the update command in TS was flagged as "beta" and had a warning that it might not work correctly. I had Apt uninstall and reinstall Tailscale and everything worked correctly and I was finally back to normal.

VersaBank’s New High-Security VPN Proving Especially Valuable During COVID-19 Pandemic

LONDON, Ontario — VersaBank (TSX:VB) (“VB” or the “Bank”) today announced the implementation of its new high security Virtual Private Network (VPN) remote access software solution, developed in partnership with Tailscale, a leading provider of secure network connectivity solutions. The software enables VersaBank employees to securely and directly connect to all the Bank’s servers across multiple…

View On WordPress

Tailscale

As promised, I will talk about the software Tailscale this week. This do-it-yourself VPN allows you to create a mesh network of all your devices in a simple accessible and user-friendly manner. It’s a modern VPN solution focuses on making secure and private networking as easy as possible. It uses peer to peer, or decentralization, model meaning devices are connected without passing through a central VPN network. It’s like a co-op grocery store but for devices. This means that each device that has Tailscale and is on your tailnet can talk to each other directly no matter where they are in the world. This allows for a wide plethora of different applications.

One common application and one that I use as well is establishing a Network Attached Storage (NAS) on your tailnet. A NAS is a device or system that stores data and allows people to access this data over the network. It’s much like the cloud in a sense, but I have the physical server with me, and in my case, have control over how it works, can upgrade it, and change its configuration. With a NAS onboard the tailnet and the ability to talk between devices on the tailnet, I have just established my cloud. Wherever I am, as long as I’m on my tailnet with the device I’m using and my NAS is up, I can access it.

In addition to its other many customizable features, it also can use devices as exit nodes. In my case this allows me to have my Raspberry Pi on my tailnet use it as an exit node and reap the benefits of the Pi-hole application that’s established on it. If you don’t know what Pi-hole is, I made a post about it previously. So not only can I now access my storage system anywhere, but I can also have DNS blocking anywhere.

There are so many more applications I’m yet to discover with Tailscale and it’s a very much growing software. They are constantly updating it, adding new features, and combining it with different hardware and software. I encourage you to check it and establish it on a few of your devices.

Sources:

So my first month of Mullvad is ending, and honestly the ad blocking that I was mainly using it for on my phone is better than NordVPN, though Google made me prove I'm human more often.

I was never able to get OpenVPN to connect to Mullvad on my home server (and the Mullvad native client doesn't support ARM7 builds...) so I had to go back to using my desktop for torrenting, which is not ideal because I don't have a lot of free hard disk space.

However, Tailscale, which I was already using for remote access to my home server, offers a Mullvad exit node add on to your service. The first downside is that because Mullvad takes their customers' privacy so seriously they don't do recurring subscription, and Tailscale wants to charge you a recurring subscription to use their API access, you can't link an existing Mullvad purchase to Tailscale. The second is that the add-on is just the basic exit node service, none of the extras that you can get directly from Mullvad. So goodbye, ad blocking through VPN. But now that the first month that I paid for is over, I can start with the combination service and get back to torrenting much more comfortably on my home server.