DEV Community

Matthew Scharley

Installing Tailscale on immutable Linux distros

Recently I've been testing OpenSUSE Kalpa, one of the recent batch of immutable operating systems. One of the first things I wanted to set up was Tailscale so that the laptop could connect back into my home network. For anyone unfamiliar, Tailscale is a really cool product for doing mesh VPNs.

The following instructions should work on any system with distrobox available, but they're especially useful for Kalpa and other immutable operating systems.

There are no official instructions for getting things going with distrobox, but thankfully it takes basically no extra effort.

Installing Tailscale

First, you need to create a new root distrobox with init system support:

sudo mkdir /var/run/tailscale
distrobox create --root --name tailscale --image registry.opensuse.org/opensuse/tumbleweed:latest --volume /var/run/tailscale:/var/run/tailscale:rw --init --additional-packages "systemd"
distrobox enter --root tailscale

Since this is a root distrobox, you'll be asked for a password for access to the distrobox. Once you're fully inside the distrobox, follow the normal installation instructions.

sudo rpm --import https://pkgs.tailscale.com/stable/opensuse/tumbleweed/repo.gpg
sudo zypper ar -g -r https://pkgs.tailscale.com/stable/opensuse/tumbleweed/tailscale.repo
sudo zypper ref
sudo zypper in tailscale
sudo systemctl enable --now tailscaled
# Allow using tailscale without two passwords
sudo tailscale set --operator $USER
# Expose the binaries to the host system
distrobox-export --bin /bin/tailscale

Now you can drop back out of the distrobox container and use tailscale as normal, e.g. tailscale up to log in and get set up.

Start on boot

This setup will not start on boot, but will start when the distrobox starts. If you want it to start automatically on boot then you can start distrobox at login using a systemd service.

First, create a small shell script which will start the container. I use /root/bin/start-tailscale.sh for this.

#!/usr/bin/env bash

# Precreate the volume that distrobox expects
mkdir -p /run/tailscale
# Start the container manually
podman start tailscale

Make sure to set this as executable with chmod a+x /root/bin/start-tailscale.sh. After this, create a new systemd service file in /etc/systemd/system/tailscale.service:

[Unit]
Description=Tailscale VPN
After=network.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/root/bin/start-tailscale.sh

[Install]
WantedBy=multi-user.target

Once this file is created, you can use the following commands to test the new service:

# Tell systemd to load the new service file
systemctl daemon-reload
# Do a test start
systemctl start tailscale
# Enable on next boot
systemctl enable tailscale
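
Because the unit above runs the start script as root on every boot, the script, its directory and the unit file should be writable by root alone. The check below is an added example, not part of the original post; the function names are hypothetical and it relies only on POSIX find and sed.

```shell
#!/bin/sh
# Added example, not from the original post: check that everything the
# unit runs as root can only be modified by root.

# Print the program path from the first ExecStart= line of a unit file,
# skipping systemd's optional prefix characters (-, @, :, +, !).
exec_start_path() {
    sed -n 's/^ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if $1 is owned by user $2 and not writable by group or others.
owner_only_writable() {
    [ -n "$(find "$1" -prune -user "$2")" ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# audit_unit UNIT [OWNER]: check the unit file, the script it starts and
# the script's directory. OWNER defaults to root. The body is a subshell,
# so "exit" only ends the function and its variables stay local.
audit_unit() (
    unit=$1 owner=${2:-root} rc=0
    target=$(exec_start_path "$unit")
    if [ -z "$target" ] || [ ! -f "$target" ]; then
        echo "FAIL: ExecStart target missing: ${target:-none}"
        exit 1
    fi
    for path in "$unit" "$target" "$(dirname "$target")"; do
        if owner_only_writable "$path" "$owner"; then
            echo "ok:   $path"
        else
            echo "FAIL: $path: wrong owner or group/world-writable"
            rc=1
        fi
    done
    exit "$rc"
)

# Usage on the host, as root:
#   audit_unit /etc/systemd/system/tailscale.service
```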

Caveats

sudo tailscale

Anywhere you see sudo tailscale in the documentation, you can just use tailscale instead. Distrobox will install the binary stub into your local user account and deal with sudo for you. If you try to use sudo yourself, then it's likely that it won't be able to find the tailscale stub since it's installed into your home folder and won't be on the sudo $PATH.

The client socket

The setup above will map the client socket to the host machine correctly, but in my testing, unless you also set up the on-boot startup, flatpaks will not be able to access the socket correctly. I haven't managed to fully identify why this happens, but it's working for me properly now. Without the systemd service, Trayscale would simply time out while trying to connect to the unix socket.

MagicDNS

I haven't fully tested MagicDNS yet, but I suspect it doesn't work properly with this setup as tailscale status will complain about not being able to manage resolv.conf.
