
Hi everyone!
I wanted to write today about a tool that happily surprised me and has now made my life easier, related to VPN and connectivity: it's called Tailscale.

The main slogan says:

Secure remote access to shared resources

Tailscale connects your team's devices and development environments for easy access to remote resources.

I’ll try to put it in my own words. In my use case, I used it at the beginning to connect to my Home Lab remotely from my house to my “Jump Station” over RDP; then I started to use some advanced features:

  • VPN Access to a single client
  • VPN to Remote Site, to access other devices not capable of installing the Client
  • Proxy / Traffic router when I'm out of the house or on an untrusted network
  • Web central console for configurations, user creation and management.
  • Easy to use client for Linux, Windows, Android, OSX, iOS, etc.

The client is very neat, clean and easy to use, and the documentation is great!
I'm going to post a few screenshots and will make a future entry with an example setup.

The “Free” version comes with great features to start using it, as I said, in my case, at my home lab,

https://tailscale.com/pricing/

One of the positive things for me is that I don't need to set up a firewall + open ports for connecting from / to my house / homelab. The iPhone / iPad client works “like a champ” and I can access all I need, and secure my traffic by navigating from my home when needed.

Web Main Console
OSX Client
iPhone Client

 

Hopefully you like it, and if you give it a try, let's comment on the use cases and features you like the most.

I will try to post in a few days a “demo” or test with different machines.

 

thanks

 

Luis.

Looks like a nice, clean, simple, yet powerful tool. Thanks for sharing Luis!


Looks like an interesting tool Luis.  Thanks for sharing.


Awesome @HunterLAFR! The free version looks great. I will test and blog about it https://tailscale.com/pricing/


Can confirm this is an excellent product!

 


Tailscale is a service with great features. I use it to access my homelab; for that I have a Raspberry Pi connected to Tailscale where I propagate the internal subnets of my homelab. Best of all, you don't need to have dedicated public IPs and everything is securely connected.


I’m sold. I was looking into this for work already but will move to the homelab next. Great writeup


Hello, Thanks,

I am thinking about switching my existing/working homelab VBR from local ip to tailscale.
Right now, there is one VBR and one VAgent running on my laptop.

Currently, if I am traveling, from my laptop, I start an openvpn connection to my home
and run VAgent. That works fine.


The VBR and VAgent both use hostnames/ipaddresses on a 192.168.62.x subnet.

Now, how can I convert existing VBR from using local ipaddress to tailscale without a full uninstall/reinstall/setup?
 


 



Would you not just install Tailscale on the VBR server then in the Agent configure the repository if you are using one on VBR to point to it?

You should be able to install it on your laptop as well to connect to the server.  It is a VPN client so should work similar to openvpn.


Would you not just install Tailscale on the VBR server
I have had tailscale on that server and laptop for over a year now.

then in the Agent configure the repository if you are using one on VBR to point to it?
Sorry, not understanding?

The VBR and client are setup to use local hostnames/ipaddress.
Need to convert that to use tailscale hostnames/ipaddresses?
How do I convert that setup to use tailscale without uninstalling anything?

The VBR seems to be able to use local and tailscale sometimes?

but here VBR entry is using only DNS name

 

See that my laptop, EN10, uses only 192.168.62.235.
How do I switch that to tailscale ip without having to delete and re-create it?

 

Another way to look at it, forget about tailscale, for a moment.
Let’s say that my local lan changes from 192.168.62.x to 192.168.22.x
What are the minimal changes in VBR and VAgent that are required?

 



You would need to change IPs and ensure DNS gets updated with the new IP addresses.  That would be the minimal changes and then ensure the Veeam Console launches and all the Managed Servers show without errors and you can rescan them.

It seems that you need a new Reverse IP Zone in DNS with the IP for the VBR server and the Agent.  Then adding the records for the VBR server and Agent so they have two each - 1 to the normal IP and 1 for the Tailscale IP.  It all comes down to the configuration of DNS to enable name resolution if you are going to use that but if you use IP then it should work with the IP for tailscale on each device.


Please ignore,


Please ignore,

Did you fix the issue?


Did you fix the issue?
I believe so, so far, I have tested the following.

Triggered backups of my laptop using:

  • VBR console running on VBR server
  • VBR console running on laptop
  • VAgent GUI
  • VAgent command line.
    "C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe" /backup "7409d307-9c4a-4983-84c6-dffff4c5cc5f"


Great! Glad to hear you addressed the issue.


For anybody else wanting to convert VAgent from local ip to tailscale ip.
Very easy to do, no need to uninstall/reinstall, no need to change DNS.

1. from VBR, find the agent machine and ‘Remove from configuration’.
2. from VBR, add the machine using tailscale ipaddress



Thanks for posting the solution as I am sure it will help others.


Hi All, Now a new issue.

I am on the road, not at homelab.

I tried to do a backup and VAgent is stuck for over 20 minutes, trying to connect to VBR in my home lab using local lan ip of 192.168.62.233, but it should be using the tailscale ip, which is 100.122.213.46.
So why is VAgent using local lan instead of tailscale?

See that VAgent is using my laptop has correct tailscale ip 100.109.123.23

Here is the full error message

Error: Connection problems. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.62.233:10005

FWIW, ping works fine
Reply from 100.109.123.23: bytes=32 time<1ms TTL=128

Just now, using my python backup script, no problem backing up to home server over tailscale.
And I am RDP to my homeserver over tailscale

and with tailscale

and see inside VBR, see that my laptop EN10 is connected to VBR over correct tailscale ip and is Online

So I cannot figure out why VAgent is not using tailscale and is using home private lan ip?
Thanks, David


So based on the message it is a connection problem to the required ports for Veeam.  I know ping works but that is a basic test to ensure response.  Check the log files on VBR to see if there is any more details there that might lead you to why - C:\ProgramData\Veeam\Backup\AgentJob

Also is VBR controlling the Agent backup or is the Agent controlling itself?  Maybe check the configuration of the Agent for the repository being used on the VBR server and how it was added.
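
Added example (not part of the original thread, and not Veeam or Tailscale code): since ping only proves ICMP reachability, this sketch resolves each name or address it is given, labels the result as a Tailscale address (100.64.0.0/10) or a private LAN address, and attempts a TCP connection to port 10005 from the error message above. The function names are hypothetical.

```python
import ipaddress
import socket
import sys

TAILSCALE_NET = ipaddress.ip_network("100.64.0.0/10")  # CGNAT block Tailscale assigns IPv4 from
VEEAM_PORT = 10005  # port shown in the thread's error message


def classify(addr):
    """Label an IPv4 address by the path traffic to it would take."""
    ip = ipaddress.ip_address(addr)
    if ip in TAILSCALE_NET:
        return "tailscale"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "lan"
    return "other"


def resolve_ipv4(name):
    """Return the IPv4 addresses a name (or literal IP) resolves to."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(addr, port, timeout=3.0):
    """True only if a full TCP handshake to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check(target, port=VEEAM_PORT, timeout=3.0):
    """Resolve target and test the port on every address it maps to."""
    return [{"address": a, "path": classify(a), "open": tcp_reachable(a, port, timeout)}
            for a in resolve_ipv4(target)]


if __name__ == "__main__":
    for target in sys.argv[1:]:
        for row in check(target):
            print(target, row)
```

Passing both the hostname the job is configured with and the server's Tailscale IP shows whether the name resolves to the LAN path while away from home, and whether the port answers on either path.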


I figured it out.

Up above, I listed two steps required to switch VBR/VAgent from local ip to tailscale ip,
tho, should apply to changing network subnets, for example, from 192.168.1.0 to 192.168.2.0

So here are the updated steps. so far ;wink

From VBR:
1. Find the agent machine and ‘Remove from configuration’.
2. Re-add that agent machine using tailscale ip address.
3. For each backup, change the backup server to use the VBR tailscale ip.

 


 



Great to hear you were able to fix this piece too.  It is also great to learn how to use Tailscale for backups.  😎


Hey, this is a great “troubleshooting”.

one thing, I’ve been using Tailscale, but with the magic DNS, so no IP addresses involved here,

just using the hostname, if is local, local DNS will take care of resolution, if is Tailscale routing will use the Magic DNS from Tailscale.

hope this little trick works for you as well.

cheers.


hope this little trick works for you as well
Good point, I am aware of that, but I ran into a problem using magicdns on local.
Maybe you know a workaround.

Warning: Off topic

To fully use magicdns, I need to `net use` on local machine using tailscale dns
That works using tailscale ip, but not tailscale dns

Below, the first three commands work, but not the fourth command.
I need the fourth command to work
and I just found out, that tailscale forum is read-only now ;woof

 

On my laptop,

:: works → mount using local ip
net use \\127.0.0.1\sharename /user:username "password"
The command completed successfully.

:: works → mount using local hostname
net use \\localhost\sharename /user:username "password"
The command completed successfully.

:: works → mount using tailscale ip
net use \\111.111.111.111\sharename /user:username "password"
The command completed successfully.

:: NOT work → mount using tailscale dns
net use \\ts-en10.tail00000.ts.net\sharename /user:username "password"
System error 86 has occurred.
The specified network password is not correct.



Ok. I see the example, thanks for the info.
have you tried to use in the 4th command the magic DNS name WITHOUT the FQDN?
only the ts-en10, Tailscale should complete the rest on the fly if the client is up and running.

The error message that says that the password is incorrect, I had an issue in the past and I solved it like this.

please test it and let us know.

cheers.


I see the example, thanks for the info
Thank you for taking the time to understand the issue.

The error message that says that the password is incorrect
For sure, that is not the issue. I test using a script and the password is set as a variable used for all commands.

have you tried to use in the 4th command the magic DNS name WITHOUT the FQDN?
only the ts-en10, Tailscale should complete the rest on the fly if the client is up and running.

Yes, initially, I did try that. I did not post it as the four examples were enough to reproduce the issue. That fails the same exact way

net use \\ts-en10\sharename /user:username "password"
System error 86 has occurred.

 

The same issue on my home server, windowz server 2022 datacenter.

net use \\127.0.0.1\sharename /user:username "password"
The command completed successfully.

net use \\localhost\sharename /user:username "password"
The command completed successfully.

net use \\100.122.213.46\sharename /user:username "password"
The command completed successfully.

net use \\ts-vserver03.tail03374.ts.net\sharename /user:username "password"
System error 86 has occurred.
The specified network password is not correct.

net use \\ts-vserver03\sharename /user:username "password"
System error 86 has occurred.
The specified network password is not correct.


OK, I get it, what is the Windows Server Version you are using?

you should continue troubleshooting, it can be a character (special) that the connection does not like.

Also, checking around the internet, it should be the case that the NTLM negotiation is not working properly, should be v2. You can give that a shot.

just easy question, have you tried the script without the variable, writing the password manually in that step? or written directly? just to ensure that is not other thing, like previous login attempts or so.

hope it helps.
cheers.

