Thursday, March 26, 2026
support@conference.yunohost.org

[10:29:07] <cptcurk> hello !

I've installed tailscale; the purpose is to run through a vps. But when I'm using tailscale on my client (computer), I don't have access to internet anymore. Just got access to my intranet. How could I get access to internet also through that vps ? :)

I used this tutorial by titus : https://forum.yunohost.org/t/create-your-intranet-with-a-vpn-and-your-own-dns-with-yunohost-adguard-and-headscale/37393/10

Maybe someone knows ? I don't succeed in finding the way to unlock that..
If someone knows, I'd love a hint !
[11:12:09] *tituspijean titus hides in the bush
[11:14:16] <tituspijean> cptcurk: can you try disabling the DNS from the VPN? I can't recall the option if you only have the CLI, but the tailscale doc is pretty good, you should be able to find it.
[13:43:51] <rodinux> in the admin ui in nextcloud you can add an external storage, but perhaps you also need some permissions to adapt, not sure it's easy to configure... nextcloud have files with owner `nextcloud:nextcloud` and my_webapp with `my_webapp:www-data` ??
[14:21:51] <cptcurk> I'm reading on and on the doc. And I'm not able to find the information. I don't really understand the Adguard part. Is it like Internet <-> adguard <-> tailscale ?
Should I add a DNS like 9.9.9.9 somewhere ? Or is it the whole ipv4 which should be ?

Is that "advertise exit node" https://tailscale.com/docs/features/exit-nodes/how-to/setup ? I don't really understand terms... Sadly ! Sorry for being such a noob. I've found this page a lot of times, but I'm scared to make a mistake !
[18:21:47] <tituspijean> @cptcurk:matrix.org hey, sorry I was at work. I may help you tonight (CET zone, at least).
Can you check the contents of `/etc/resolv.conf` on the VPS? It should say `nameserver 127.0.0.1`
[18:35:59] <tituspijean> @cptcurk:matrix.org hey, sorry I was at work. I may help you tonight (CET zone, at least).
Can you check the contents of `/etc/resolv.conf` on the client? It should say `nameserver 127.0.0.1`
[18:36:03] <tituspijean> @cptcurk:matrix.org hey, sorry I was at work. I may help you tonight (CET zone, at least).
Can you check the contents of `/etc/resolv.conf` on the client?
[18:36:07] <tituspijean> On my client settings, I have "Accept DNS" enabled:
[18:36:09] <tituspijean> https://aria.im/_bifrost/v1/media/download/Acc7Md6-EM6154YZhbwF6m09-F4eW3cbIOpG5rgrUxuD_RgqA8wT9_Qmz_9ztcLbFxxzP8CamjkkPcCp6Jj7ighCedMJUUgwAG1hdHJpeC5vcmcvVlRlekVvZ1JaQ1liY1dFRldaR0VPRE92
[18:36:12] <tituspijean> (though in the scope of the tutorial, I think "Accept Routes" should stay disabled)
[20:56:39] <cptcurk> well thank you for taking some time anyway. I'm not fully available either unfortunately.

The /etc/resolv.conf on the VPS gives the internal nameserver 127.0.0.1

on my macbook, I'm running scutil --dns and got a resolver 1 with my local router ip, and this :

resolver #2
search domain[0] : vpn.internal
nameserver[0] : 100.100.100.100
nameserver[1] : ipv6
if_index : 44 (utun15)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
[20:57:28] <fipaddict> Hi ! Sorry if I'm wrong or not in good place but **ci-apps-dev** is KO ? https://ci-apps-dev.yunohost.org/ci/


(I don't really know how can I take my first PR to the nexp : https://github.com/YunoHost-Apps/isso_ynh/pull/23)


[20:57:37] <cptcurk> I got the "use tailscale dns setting", and it's clearly showing vpn.internal and the 100.64.0.1
[20:57:39] <cptcurk> https://aria.im/_bifrost/v1/media/download/AeFmiU0GpphBS6UqhUPRqP82aW3s3cUd0-sn4cLTQpdwTLg6dp_KJeNvVR-SvlS3Wprmvfo3f_PJki_UNrKqMKdCedMRafzAAG1hdHJpeC5vcmcvU0pZS0xRa1FXbndOcGlyWUhXaENkeHVm
[20:57:41] <cptcurk> I'm wondering if this adguard setup is messing up with the exit node ?
[22:07:40] <tituspijean> @cptcurk:matrix.org these settings look good. Indeed, the next thing to check is your VPS and Adguard.
Can you check that your VPS has `100.64.0.1` as IP address with `ip -br a`?
Can you also check that step 5B of the tutorial has been correctly done, i.e. the VPS' tailscale address is listed in the `dns.bind_hosts` setting in `/var/www/adguardhome/AdGuardHome.yaml`?
[22:08:48] <cptcurk> isn't it that the resolve.conf VPS side should be nameserver 8.8.8.8 or 1.1.1.1 or 9.9.9.9 ? I've done that and it works. But maybe it's a bad decision ?
My VPS has indeed 100.64.0.1/32 using ip -br a. And in headscale panel, and I'm actually connecting to it using ssh and this ip.

All arguments have been checked like 10 times... Really think it's my bad, but I think not, and with your super tutorial with pictures, how could I be mistaken ^^'
[22:09:00] <tituspijean> > isn't it that the resolve.conf VPS side should be nameserver 8.8.8.8 or 1.1.1.1 or 9.9.9.9 ? I've done that and it works. But maybe it's a bad decision ?

Normally on your server you should always have `nameserver 127.0.0.1` in `/etc/resolv.conf`. It effectively ensures it uses Adguard when it's installed (or dnsmasq if there is no adguard).
Using Google's or Cloudflare's DNS is as bad as you want it to be, but since we're all about selfhosting, let's don't. :p
[22:09:10] <tituspijean> > All arguments have been checked like 10 times... Really think it's my bad, but I think not, and with your super tutorial with pictures, how could I be mistaken ^^'

The tutorial is definitely not perfect, 'coz of your current predicament 😇
[22:09:14] <tituspijean> On your macbook, can you run `dig yunohost.org @100.64.0.1` ?
[22:09:17] <tituspijean> (If my search-fu is right, that command should exist on the system)
[22:09:19] <cptcurk>
; <<>> DiG 9.10.6 <<>> yunohost.org @100.64.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57712
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;yunohost.org. IN A

;; ANSWER SECTION:
yunohost.org. 10800 IN A 80.67.164.12

;; Query time: 340 msec
;; SERVER: 100.64.0.1#53(100.64.0.1)
;; WHEN: Fri Mar 27 00:00:53 EET 2026
;; MSG SIZE rcvd: 57


[22:09:22] <cptcurk> I added 9.9.9.9 to get it not that bad !
But as you suggest, I just came back to "not working state" haha

Above is the dig :)
[22:09:23] <cptcurk> So maybe, as I thought, it's about adguard. I'm going to check again !
[22:09:29] <tituspijean> with that successful `dig`, it means the DNS is fine
[22:09:32] <tituspijean> the bing ip?
[22:09:34] <cptcurk> Binding to public IP addresses ?
[22:09:36] <cptcurk> bind IP
[22:09:38] <cptcurk> the first of the two option to tick while installing adguard
[22:09:40] <cptcurk> ahhh
I just remember. The only thing different that I had to do.. Was activating in adguard the bind* ip (because it's not working otherwise, troubleshooting said that to me !)
[22:09:42] <tituspijean> ah yes I see. I don't think it's relevant here, but let me check what the package does when you enable this. (I wrote the tutorial on my home server, not a VPS)
[22:18:24] <tituspijean> OK I see, so basically it tells YunoHost to make sure port 53 is opened, so it's not relevant here (though your DNS might be opened to all the internets, which is not great. Let's go back to that point later)
[22:23:06] <cptcurk> I just saw that. And found out a bit about DDoS
[22:23:08] <tituspijean> I think one solution might be to remove your public address from the bind_hosts setting in Adguard. The port might still be open, but nobody would answer.
[22:23:11] <tituspijean> Back to the VPN: when you did that `dig` command, the VPN is active and you have no internet connection?
To be more precise, you cannot browse? (Since I guess you still have SSH connection, it's only DNS being the issue, not routing)
[22:23:13] <cptcurk> hum... I just did try again (after deleting the lines in the resolve.conf). tailscale down & tailscale up
And now it works.
[22:23:15] <cptcurk> I did while being with internet ! vpn connected, but no exit node.
[22:23:17] <cptcurk> it looks like having that resolv.conf updated.. Made it work
[22:31:08] <cptcurk> it was exactly DNS, not routing !
[22:31:08] <tituspijean> So, by reverting `/etc/resolv.conf` back to `nameserver 127.0.0.1`, you have no issue, exit node disabled or not?
[22:31:09] <cptcurk> yes
[22:31:10] <tituspijean> (insert "it's not DNS" meme here)
[22:31:10] <cptcurk> I did again cat /etc/resolv.conf and it's back to 127.0.0.1
[22:31:11] <tituspijean> It's still unclear to me why it was not working before you tweaked resolv.conf, but eh, victory. :p
[22:31:11] <cptcurk> now I need to look for what you previously said ; remove your public address from the bind_hosts setting in Adguard
SO.. I'll look into it ! :D
[22:31:12] <cptcurk> I've never used in my life AI (mistral here) but that kinda led me to that conf file. And then it's weird... Love Aleks sign sentence : there's always something behind the keyboard. But this one ^^' I changed almost nothing !

For the DNS and binding ip, it says to use white list. Do you know what should I add specifically ?
[22:40:01] <tituspijean> For once the AI might not be telling bullshit. You could add `100.64.0.0/10` in the whitelist range, as well as your home's public address.
[22:40:01] <cptcurk> https://paste.yunohost.org/raw/uwadiyodom

This is the problem if I disable it.
[22:40:01] <tituspijean> Ah I see, I was thinking of manually tweaking the config file of Adguard 😅 , but yeah it's cleaner to use the config panel. In this instance, I think I need to discuss with the packager of the app, it's a tad too tricky to fix right now.
[22:40:02] <tituspijean> let's add headscale's ipv6 range too: `fd7a:115c:a1e0::/48`
[22:53:26] <tituspijean> Anubis would be great, but I think it would require the same level of NGINX wizardry that was pulled to integrate the TLS/SNI passthrough
[22:53:28] *tituspijean is logging off for now, good night!
[22:53:28] <cptcurk> well you made my day !

THANK YOU ! :D
[22:53:28] <cptcurk> have a great night. I call it a night also. :D