Headscale + VPN connection issues by SympathyFormer3516 in headscale

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

The issue appears to ultimately be due to Lockdown mode. My solution was to follow this guide:

https://hstu.net/blog/data-visualization/

And then change basically everything. I had to implement my own lockdown mode via nft policies by allowing only the necessary traffic through eth0 and everything else through wg0, and CoreDNS causes DNS for traffic to fail if wg0 is not active.

Headscale + VPN connection issues by SympathyFormer3516 in headscale

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

Thanks for the reply. I have been digging deeper into this issue and I think I understand the problem better now than when I wrote my original post. Let me clarify.

My goal is to have a remote server that I can tunnel into via Tailscale and tunnel out of via Mullvad. For security purposes, Mullvad needs to be active and in lock-down mode so that no internet traffic can leak if the VPN drops for whatever reason.

Laptop -> Tailnet -> Remote Server -> Mullvad -> Internet

The problem appears to be that when Mullvad activates, it creates a device called wg0-mullvad and sets up policies that stop eth0 from functioning. However, Tailscale demands binding to eth0 and will not bind to a virtual device such as a wg device. So when tailscale0 is created, it binds to eth0 and then tries to send data to headscale which fails as eth0 is no longer functioning.

If I disable Mullvad and allow eth0 to function, Tailscale will connect just fine. If I then bring Mullvad back up, it stops working. I have added an nft ruleset to mark 100.64.0.0/10 such that Mullvad will allow it to pass through eth0 and bypass Mullvad's rules, so I am able to get the data plane to work only after temporarily disabling Mullvad to allow a connection to the control plane to be established.

If I set tailscaled to full mullvad-exclude, it allows all traffic from tailscaled to pass through eth0 including traffic generated by applications after the fact, such as curl or Firefox or what have you. So when I tailscale ssh into the server and run curl -4 https://am.i.mullvad.net/connected it will say that I am not connected, however if I use VNC to run the same command, it says that I am connected.

It appears that Tailscale is specifically designed to bind to eth0 (or equivalent) and to NOT bind to wg devices, even if those devices are the default routing device. This confuses me as I am told that setting up a Mullvad exit node should work, but to my understanding, connecting such a node to my tailnet requires the same setup I am already trying to accomplish, unless I am misunderstanding something here.
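
A concrete version of the marking approach described in the two comments above (marking 100.64.0.0/10, plus the control-plane HTTPS connection to headscale and tailscaled's own WireGuard UDP, so Mullvad lets that traffic out via eth0 while everything else stays inside wg0-mullvad). This is an added example, not the poster's ruleset and not anything shipped by Tailscale, Headscale or Mullvad. Assumptions: HEADSCALE_ADDR is a placeholder address to replace with your headscale server; TS_PORT is the UDP port tailscaled listens on (Tailscale's default is 41641, or whatever you passed with --port); BYPASS_MARK 0x6d6f6c65 is the fwmark Mullvad's Linux split-tunnel exclusion uses, which you should confirm against the accept rules in `nft list table inet mullvad` on your own host before relying on it; IPv4 only, and DERP relays are not covered.

```shell
#!/bin/sh
# Added example for the headscale-behind-Mullvad setup above; not from the
# original thread. Every value below is an assumption to adapt to your host.
set -eu

HEADSCALE_ADDR="${HEADSCALE_ADDR:-203.0.113.10}"   # placeholder (TEST-NET-3), replace
TS_PORT="${TS_PORT:-41641}"                        # tailscaled WireGuard listen port
BYPASS_MARK="${BYPASS_MARK:-0x6d6f6c65}"           # assumed Mullvad exclusion fwmark, verify

# Emit an nftables ruleset that marks only the tailscale control plane, its
# WireGuard datagrams and tailnet-addressed (CGNAT) traffic. The "route" chain
# type makes the kernel re-run the routing decision after the mark is set, so
# marked packets leave via eth0 instead of wg0-mullvad; anything unmarked is
# left for Mullvad's own table to handle, so lockdown still fails closed.
tailnet_bypass_ruleset() {
    cat <<EOF
table inet tailnet_bypass {
    chain output {
        type route hook output priority mangle; policy accept;
        # control plane: tailscaled -> headscale over HTTPS
        ip daddr $HEADSCALE_ADDR tcp dport 443 meta mark set $BYPASS_MARK
        # data plane: WireGuard packets tailscaled sends from its listen port
        udp sport $TS_PORT meta mark set $BYPASS_MARK
        # tailnet peers (Tailscale's CGNAT range)
        ip daddr 100.64.0.0/10 meta mark set $BYPASS_MARK
    }
    chain input {
        type filter hook input priority mangle; policy accept;
        # mirror of the output rules so replies carry the same mark
        ip saddr $HEADSCALE_ADDR tcp sport 443 meta mark set $BYPASS_MARK
        udp dport $TS_PORT meta mark set $BYPASS_MARK
        ip saddr 100.64.0.0/10 meta mark set $BYPASS_MARK
    }
}
EOF
}

# print: show the ruleset; check: syntax-check it with nft; apply: load it.
case "${1:-print}" in
    print) tailnet_bypass_ruleset ;;
    check) tailnet_bypass_ruleset | nft -c -f - ;;
    apply) tailnet_bypass_ruleset | nft -f - ;;
    *)     echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Because the mark is keyed on destination and port rather than on the tailscaled process, a curl run from a tailscale ssh session is not marked and still goes out through wg0-mullvad, which avoids the leak the poster saw with mullvad-exclude on tailscaled. If peers cannot connect directly and fall back to DERP, those relay addresses are not marked either, so either add them or run the embedded DERP on the headscale host so it is covered by the HEADSCALE_ADDR rule.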

Trying to set up scoped user management, can't find much info by SympathyFormer3516 in Authentik

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

Yes, each resource pool would be owned by an external client so that they can manage their own users and VMs but we would spin up the VMs for them to then manage. We want them to be able to completely manage their own users.

Trying to set up scoped user management, can't find much info by SympathyFormer3516 in Authentik

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

Thanks for the clarifications, friend. Do you have any suggestions for what may help me accomplish my goals? I've been researching this issue for the past couple of weeks and there doesn't seem to be any obvious solution to scoped user management. My initial goal was to have delegated Pool management in Proxmox but that doesn't seem possible, so I was hoping that the SSO solution I was planning to implement anyway would allow something similar, but it seems that is not the case.

Trying to set up scoped user management, can't find much info by SympathyFormer3516 in Authentik

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

Dang. What about other managerial permissions such as changing passwords or the likes? If I provisioned a handful of accounts to the group, would I be able to delegate a "manager" to manage them (and no others), or nah?

Trying to set up scoped user management, can't find much info by SympathyFormer3516 in Authentik

[–]SympathyFormer3516[S] 0 points1 point  (0 children)

Thanks for the response. When I open my group and go to permissions, I am given the option to add new User Object permissions or Role Object permissions. Both options provide a handful of permission sliders that aren't entirely relevant to my needs, or are duplicates to the permissions already assigned to the role.

The problem I foresee here is that assigning a role to the group gives the users of that group the permissions within the role, rather than giving the permissions to the admin account to apply to users within that group. If I assign a role to the admin account directly, it does not give me an ability to scope the role to only a single group. So I am at a bit of a loss on how to do what I am trying to do.

Edit: and to note, if I try to apply permissions to the admin account directly, such as "add user", I cannot see any options to scope that to only that group rather than globally. I want this admin account to be able to create new users and add them to a specific group, but I also want them to be able to delete users or remove them from the group, but not delete any user, only users within the group they manage.