hassio-addons/repository-beta
1
0
Fork 0
mirror of https://github.com/hassio-addons/repository-beta.git synced 2025-05-05 03:21:28 +00:00
Code Issues Projects Releases Packages Wiki Activity
repository-beta/tailscale/DOCS.md
Community Hass.io Add-ons Bot 259aa122c8 🎉 Release of add-on Tailscale 0.25.0
2025-02-20 21:19:11 +00:00

451 lines
18 KiB
Markdown
Raw Blame History

# Home Assistant Community Add-on: Tailscale
Tailscale is a zero config VPN, which installs on any device in minutes,
including your Home Assistant instance.
Create a secure network between your servers, computers, and cloud instances.
Even when separated by firewalls or subnets, Tailscale just works. Tailscale
manages firewall rules for you, and works from anywhere you are.
## Prerequisites
In order to use this add-on, you'll need a Tailscale account.
It is free to use for personal & hobby projects, up to 100 clients/devices on a
single user account. Sign up using your Google, Microsoft or GitHub account at
the following URL:
<https://login.tailscale.com/start>
You can also create an account during the add-on installation processes,
however, it is nice to know where you need to go later on.
## Installation
1. Click the Home Assistant My button below to open the add-on on your Home
Assistant instance.
[![Open this add-on in your Home Assistant instance.][addon-badge]][addon]
1. Click the "Install" button to install the add-on.
1. Start the "Tailscale" add-on.
1. Check the logs of the "Tailscale" add-on to see if everything went well.
1. Open the Web UI of the "Tailscale" add-on to complete authentication and
couple your Home Assistant instance with your Tailscale account.
**Note:** Some browsers don't work with this step. It is recommended to
complete this step on a desktop or laptop computer using the Chrome browser.
1. Check the logs of the "Tailscale" add-on again, to see if everything went
well.
1. Done!
## Configuration
This add-on has almost no additional configuration options for the
add-on itself.
However, when logging in to Tailscale, you can configure your Tailscale
network right from their interface.
<https://login.tailscale.com/>
The add-on exposes "Exit Node" capabilities that you can enable from your
Tailscale account. Additionally, if the Supervisor managed your network (which
is the default), the add-on will also advertise routes to your subnets on all
supported interfaces to Tailscale.
Consider disabling key expiry to avoid losing connection to your Home Assistant
device. See [Key expiry][tailscale_info_key_expiry] for more information.
```yaml
accept_dns: true
accept_routes: true
advertise_exit_node: true
advertise_connector: true
advertise_routes:
- 192.168.1.0/24
- fd12:3456:abcd::/64
funnel: false
log_level: info
login_server: "https://controlplane.tailscale.com"
proxy: false
proxy_and_funnel_port: 443
snat_subnet_routes: true
stateful_filtering: false
tags:
- tag:example
- tag:homeassistant
taildrop: true
userspace_networking: true
```
> [!NOTE]
> Some of the configuration options are also available on Tailscale's web
> interface through the Web UI, but they are made read only there. You can't
> change them through the Web UI, because all the changes made there would be
> lost when the add-on is restarted.
### Option: `accept_dns`
If you are experiencing trouble with MagicDNS on this device and wish to
disable, you can do so using this option.
When not set, this option is enabled by default.
MagicDNS may cause issues if you run things like Pi-hole or AdGuard Home
on the same machine as this add-on. In such cases disabling `accept_dns`
will help. You can still leverage MagicDNS on other devices on your network,
by adding `100.100.100.100` as a DNS server in your Pi-hole or AdGuard Home.
### Option: `accept_routes`
This option allows you to accept subnet routes advertised by other nodes in
your tailnet.
More information: [Subnet routers][tailscale_info_subnets]
When not set, this option is enabled by default.
### Option: `advertise_exit_node`
This option allows you to advertise this Tailscale instance as an exit node.
By setting a device on your network as an exit node, you can use it to
route all your public internet traffic as needed, like a consumer VPN.
More information: [Exit nodes][tailscale_info_exit_nodes]
When not set, this option is enabled by default.
### Option: `advertise_connector`
This option allows you to advertise this Tailscale instance as an app connector.
When you use an app connector, you specify which applications you wish to make
accessible over your tailnet, and the domains for those applications. Any traffic
for that application is then forced over the tailnet to a node running an app
connector before egressing to the target domains. This is useful for cases where
the application has an allowlist of IP addresses which can connect to it: the IP
address of the node running the app connector can be added to the allowlist, and
all nodes on the tailnet will use that IP address for their traffic egress.
More information: [App connectors][tailscale_info_app_connectors]
When not set, this option is enabled by default.
### Option: `advertise_routes`
This option allows you to advertise routes to subnets (accessible on the network
your device is connected to) to other clients on your tailnet.
By adding to the list the IP addresses and masks of the subnet routes, you can
use it to make your devices on these subnets accessible within your tailnet.
If you want to disable this option, specify an empty list in the configuration
(`[]` in YAML).
More information: [Subnet routers][tailscale_info_subnets]
When not set, the add-on by default will advertise routes to your subnets on all
supported interfaces.
### Option: `funnel`
This requires Tailscale Proxy to be enabled.
**Important:** See also the "Option: `proxy`" section of this documentation for the
necessary configuration changes in Home Assistant!
When not set, this option is disabled by default.
With the Tailscale Funnel feature, you can access your Home Assistant instance
from the wider internet using your Tailscale domain (like
`https://homeassistant.tail1234.ts.net`) even from devices **without installed
Tailscale VPN client** (for example, on general phones, tablets, and laptops).
**Client** &#8658; _Internet_ &#8658; **Tailscale Funnel** (TCP proxy) &#8658;
_VPN_ &#8658; **Tailscale Proxy** (HTTPS proxy) &#8594; **HA** (HTTP web-server)
Without the Tailscale Funnel feature, you will be able to access your Home
Assistant instance only when your devices (for example, phones, tablets, and laptops)
are connected to your Tailscale VPN, there will be no Internet &#8658; VPN TCP
proxying for HTTPS communication.
More information: [Tailscale Funnel][tailscale_info_funnel]
1. Navigate to the [Access controls page][tailscale_acls] of the admin console:
- Add the required `funnel` node attribute to the tailnet policy file. See
[Tailnet policy file requirement][tailscale_info_funnel_policy_requirement]
for more information.
1. Restart the add-on.
**Note**: _After initial setup, it can take up to 10 minutes for the domain to
be publicly available._
**Note:** _You should not use the port number in the URL that you used
previously to access Home Assistant. Tailscale Funnel works on the default HTTPS
port 443 (or the port configured in option `proxy_and_funnel_port`)._
**Note:** _If you encounter strange browser behaviour or strange error messages,
try to clear all site related cookies, clear all browser cache, restart browser._
### Option: `log_level`
Optionally enable tailscaled debug messages in the add-on's log. Turn it on only
in case you are troubleshooting, because Tailscale's daemon is quite chatty. If
`log_level` is set to `info` or less severe level, the add-on also opts out of
client log upload to log.tailscale.io.
The `log_level` option controls the level of log output by the addon and can
be changed to be more or less verbose, which might be useful when you are
dealing with an unknown issue. Possible values are:
- `trace`: Show every detail, like all called internal functions.
- `debug`: Shows detailed debug information.
- `info`: Normal (usually) interesting events.
- `notice`: Normal but significant events.
- `warning`: Exceptional occurrences that are not errors.
- `error`: Runtime errors that do not require immediate action.
- `fatal`: Something went terribly wrong. Add-on becomes unusable.
Please note that each level automatically includes log messages from a
more severe level, e.g., `debug` also shows `info` messages. By default,
the `log_level` is set to `info`, which is the recommended setting unless
you are troubleshooting.
### Option: `login_server`
This option lets you to specify a custom control server instead of the default
(`https://controlplane.tailscale.com`). This is useful if you are running your
own Tailscale control server, for example, a self-hosted [Headscale] instance.
### Option: `proxy`
When not set, this option is disabled by default.
Tailscale can provide a TLS certificate for your Home Assistant instance within
your tailnet domain.
This can prevent browsers from warning that HTTP URLs to your Home Assistant instance
look unencrypted (browsers are not aware of the connections between Tailscale
nodes are secured with end-to-end encryption).
More information: [Enabling HTTPS][tailscale_info_https]
1. Configure Home Assistant to be accessible through an HTTP connection (this is
the default). See [HTTP integration documentation][http_integration] for more
information. If you still want to use another HTTPS connection to access Home
Assistant, please use a reverse proxy add-on.
1. Home Assistant, by default, blocks requests from reverse proxies, like the
Tailscale Proxy. To enable it, add the following lines to your
`configuration.yaml`, without changing anything:
```yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
```
1. Navigate to the [DNS page][tailscale_dns] of the admin console:
- Choose a tailnet name.
- Enable MagicDNS if not already enabled.
- Under HTTPS Certificates section, click Enable HTTPS.
1. Restart the add-on.
**Note:** _You should not use the port number in the URL that you used
previously to access Home Assistant. Tailscale Proxy works on the default HTTPS
port 443 (or the port configured in option `proxy_and_funnel_port`)._
### Option: `proxy_and_funnel_port`
This option allows you to configure the port the Tailscale Proxy and Funnel
features are accessible on the tailnet (in case of Tailscale Proxy is enabled)
and optionally on the internet (in case of Tailscale Funnel is also enabled).
Only port number 443, 8443 and 10000 is allowed by Tailscale.
When not set, port number 443 is used by default.
### Option: `snat_subnet_routes`
This option allows subnet devices to see the traffic originating from the subnet
router, and this simplifies routing configuration.
When not set, this option is enabled by default.
To support advanced [Site-to-site networking][tailscale_info_site_to_site] (e.g.
to traverse multiple networks), you can disable this functionality, and follow
steps in the [Site-to-site networking][tailscale_info_site_to_site] guide (Note:
The add-on already handles "IP address forwarding" and "Clamp the MSS to the
MTU" for you).
**Note:** Only disable this option if you fully understand the implications.
Keep it enabled if preserving the real source IP address is not critical for
your use case.
### Option: `stateful_filtering`
This option enables stateful packet filtering on packet-forwarding nodes (exit
nodes, subnet routers, and app connectors), to only allow return packets for
existing outbound connections. Inbound packets that don't belong to an existing
connection are dropped.
When not set, this option is disabled by default.
### Option: `tags`
This option allows you to specify specific tags for this Tailscale instance.
They need to start with `tag:`.
More information: [Tags][tailscale_info_tags]
### Option: `taildrop`
This add-on support [Tailscale's Taildrop][taildrop] feature, which allows
you to send files to your Home Assistant instance from other Tailscale
devices.
When not set, this option is enabled by default.
Received files are stored in the `/share/taildrop` directory.
### Option: `userspace_networking`
The add-on uses [userspace networking mode][tailscale_info_userspace_networking]
to make your Home Assistant instance (and optionally the local subnets)
accessible within your tailnet.
When not set, this option is enabled by default.
If you need to access other clients on your tailnet from your Home Assistant
instance, disable userspace networking mode, which will create a `tailscale0`
network interface on your host. To be able to address those clients not only
with their tailnet IP, but with their tailnet name, you have to configure Home
Assistant's DNS options also.
If you want to access other clients on your tailnet even from your local subnet,
follow steps in the [Site-to-site networking][tailscale_info_site_to_site] guide
(Note: The add-on already handles "IP address forwarding" and "Clamp the MSS to
the MTU" for you).
**Note:** In case your local subnets collide with subnet routes within your
tailnet, your local network access has priority, and these addresses won't be
routed toward your tailnet. This will prevent your Home Assistant instance from
losing network connection. This also means that using the same subnet on
multiple nodes for load balancing and failover is impossible with the current
add-on behavior.
**Note:** The `userspace_networking` option can remain enabled if you only need
one-way access from tailnet clients to your local subnet, without requiring
access from your local subnet to other tailnet clients.
**Note:** If you implement Site-to-site networking, but you are not interested
in the real source IP address, i.e. subnet devices can see the traffic
originating from the subnet router, you don't need to disable the
`snat_subnet_routes` option, this can simplify routing configuration.
## Network
### Port: `41641/udp`
UDP port to listen on for WireGuard and peer-to-peer traffic.
Use this option (and router port forwarding) if you experience that Tailscale
can't establish peer-to-peer connections to some of your devices (usually behind
CGNAT networks). You can test connections with `tailscale ping
<hostname-or-ip>`.
When not set, an automatically selected port is used by default.
## Changelog & Releases
This repository keeps a change log using [GitHub's releases][releases]
functionality.
Releases are based on [Semantic Versioning][semver], and use the format
of `MAJOR.MINOR.PATCH`. In a nutshell, the version will be incremented
based on the following:
- `MAJOR`: Incompatible or major changes.
- `MINOR`: Backwards-compatible new features and enhancements.
- `PATCH`: Backwards-compatible bugfixes and package updates.
## Support
Got questions?
You have several options to get them answered:
- The [Home Assistant Community Add-ons Discord chat server][discord] for add-on
support and feature requests.
- The [Home Assistant Discord chat server][discord-ha] for general Home
Assistant discussions and questions.
- The Home Assistant [Community Forum][forum].
- Join the [Reddit subreddit][reddit] in [/r/homeassistant][reddit]
You could also [open an issue here][issue] GitHub.
## Authors & contributors
The original setup of this repository is by [Franck Nijhof][frenck].
For a full list of all authors and contributors,
check [the contributor's page][contributors].
## License
MIT License
Copyright (c) 2021-2025 Franck Nijhof
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
[addon-badge]: https://my.home-assistant.io/badges/supervisor_addon.svg
[addon]: https://my.home-assistant.io/redirect/supervisor_addon/?addon=a0d7b954_tailscale&repository_url=https%3A%2F%2Fgithub.com%2Fhassio-addons%2Frepository
[contributors]: https://github.com/hassio-addons/addon-tailscale/graphs/contributors
[discord-ha]: https://discord.gg/c5DvZ4e
[discord]: https://discord.me/hassioaddons
[forum]: https://community.home-assistant.io/?u=frenck
[frenck]: https://github.com/frenck
[headscale]: https://github.com/juanfont/headscale
[http_integration]: https://www.home-assistant.io/integrations/http/
[issue]: https://github.com/hassio-addons/addon-tailscale/issues
[reddit]: https://reddit.com/r/homeassistant
[releases]: https://github.com/hassio-addons/addon-tailscale/releases
[semver]: https://semver.org/spec/v2.0.0.html
[taildrop]: https://tailscale.com/taildrop
[tailscale_acls]: https://login.tailscale.com/admin/acls
[tailscale_dns]: https://login.tailscale.com/admin/dns
[tailscale_info_exit_nodes]: https://tailscale.com/kb/1103/exit-nodes
[tailscale_info_app_connectors]: https://tailscale.com/kb/1281/app-connectors
[tailscale_info_funnel]: https://tailscale.com/kb/1223/funnel
[tailscale_info_funnel_policy_requirement]: https://tailscale.com/kb/1223/funnel#requirements-and-limitations
[tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https
[tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry
[tailscale_info_site_to_site]: https://tailscale.com/kb/1214/site-to-site
[tailscale_info_subnets]: https://tailscale.com/kb/1019/subnets
[tailscale_info_tags]: https://tailscale.com/kb/1068/tags
[tailscale_info_userspace_networking]: https://tailscale.com/kb/1112/userspace-networking
Reference in a new issue View git blame Copy permalink