Tailscale, anyone using it?

I installed Tailscale since some of my streaming apps no longer allow watching when outside the country… I have an rpi at home with homeassistant running, so I was thinking I could use Tailscale for this. The homeassistant is defined as ‘exit-node’ and on the iPad I’m using this HA as exit node. It seems I don’t have internet anymore when activating the exit node; without the exit node I still have internet, but then the streaming apps still detect that I’m outside the country…

If you guys want to access homeassistant from anywhere and own a domain name, you can also use Cloudflare and a Cloudflared tunnel to do that. There is no need for any sort of VPN connection on any devices, running apps or anything else. HA creates an encrypted tunnel to cloudflare which you can access via your custom subdomain. You can also add an additional layer of security by putting a login with GitHub or another SSO provider in front of it.
I recently created a new addon to use Cloudflare, so feel free to check it out and let me know what you think:

Included in the following addon repository:

2 Likes

The issue with this is owning a domain name, which itself will be costly.

Interesting, but you might want to document the Cloudflare bits a bit.
I wasn’t aware of this capability, and I still don’t know where to start :wink:

Ah, never mind. I was expecting the explanation in the GitHub README

Well there is. Your addon installs the cloudflare client rather than the tailscale one :wink:

Their way of working is extremely similar, creating a tunnel between your host and a central point acting as a router, although cloudflare seems to be based on a proprietary solution (albeit open-source) rather than the Linux standard wireguard.
Nabu Casa works the same way as well, although limited to HA itself and HA doing the client-side job.

EDIT: Actually, tailscale manages to do p2p connections when possible, so, contrary to what I thought, there is no central router: your connections are peer-to-peer, most of the time, removing a point of failure.

You can use tailscale status to check the connectivity between hosts of your tailscale ring, and see how that connection was made, whether “direct” or through a “relay”/router.

Now, I’d really like to understand how tailscale manages to do an IPv6 connection inside my network without me opening any ports on the firewall :fearful: :wink:
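
The direct-versus-relay check mentioned in the post above, as an added example that is not part of the thread: a Python sketch that classifies each peer from `tailscale status --json` output. The function name and the sample JSON are constructed for illustration; the field names are the ones `tailscale status --json` reports for peers.

```python
import json

# Constructed sample, trimmed to the fields used below.
SAMPLE_STATUS = """
{"Peer": {
  "nodekey:aaaa": {"HostName": "homeassistant", "Online": true, "Active": true,
                   "CurAddr": "192.0.2.10:41641", "Relay": "fra",
                   "ExitNodeOption": true, "ExitNode": true},
  "nodekey:bbbb": {"HostName": "ipad", "Online": true, "Active": true,
                   "CurAddr": "", "Relay": "fra",
                   "ExitNodeOption": false, "ExitNode": false},
  "nodekey:cccc": {"HostName": "old-laptop", "Online": false, "Active": false,
                   "CurAddr": "", "Relay": "ams",
                   "ExitNodeOption": false, "ExitNode": false}
}}
"""

def classify_peers(status_json):
    """Return {hostname: {"path": ..., "exit_node": ...}} for every peer."""
    status = json.loads(status_json)
    result = {}
    for peer in (status.get("Peer") or {}).values():
        if not peer.get("Online"):
            path = "offline"
        elif not peer.get("Active"):
            path = "idle"        # no recent traffic, so no path chosen yet
        elif peer.get("CurAddr"):
            path = "direct"      # peer-to-peer UDP endpoint in use
        elif peer.get("Relay"):
            path = "relay:" + peer["Relay"]   # traffic goes via a relay region
        else:
            path = "unknown"
        if peer.get("ExitNode"):
            role = "in-use"      # this device currently routes through the peer
        elif peer.get("ExitNodeOption"):
            role = "offered"     # peer advertises itself as an exit node
        else:
            role = "no"
        result[peer.get("HostName", "?")] = {"path": path, "exit_node": role}
    return result

if __name__ == "__main__":
    for host, info in sorted(classify_peers(SAMPLE_STATUS).items()):
        print(f"{host:15} {info['path']:12} exit_node={info['exit_node']}")
```

On a real host, feed it the output of `tailscale status --json` instead of the constructed sample.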

I recently posted an article about how to get a domain name for free and utilise the different offerings of Cloudflare with it. If you are interested, you can have a look:

1 Like

Following your excellent guide, I successfully created the domain. Now I need to access home assistant through HTTPS protocol to use home assistant cast. Home Assistant Cast - Home Assistant

1 Like

I would be careful about Freenom.
Nothing is free in this world (besides open-source done by crazy people :smiley: ) and their business model is not clear.

Even if this is paranoia, keep in mind you don’t “own” the free domain you get from them, they just lease it to you and can get it back anytime. You basically have no rights on the domain.

Not much of an issue if this is just for exposing HA, though.

Fronting Home Assistant with Cloudflare Single Sign On won’t work with the mobile apps, right?

Tailscale is nice in that you can still use the mobile apps as usual.

Using Cloudflare SSO does work with the mobile app. I am running it with GitHub as ID provider and have no issues at all.

Hmm I need to give this a try then because that sounds very interesting, my understanding of Cloudflare SSO is it just puts an authenticating reverse proxy in front of the backend, which I wouldn’t have thought the Home Assistant companion app would support as suddenly all requests need to be authenticated with cookies and not all requests from the companion app originate from the webview.

1 Like

Hi @stijnd! Have you managed to get your exit node working?
I’m planning to plug in a privacy zigbee button that would start the exit node for each active node on my tailscale network. But first I have to find a way to make it work…

Ok! I found it!!! :slight_smile:

1 Like