Tailscale

• Tailscale Website
• GitHub
• CLient open source, original control server component not, although there's
  • Headscale
  • ionscale

Docs

• How Tailscale works
• Configuring Linux DNS
• Manage your Tailscale resources with Terraform
  • tailscale terraform provider
• Network access controls (ACLs)
• Tailscale on Kubernetes

Install

Linux client

• Client in Golang, packages in a PPA
• Repology.org
• tailscale snap is outdated
• Download tailscale

Arch:

sudo pacman -S tailscale

Debian:

curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.noarmor.gpg \
  | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/trixie.tailscale-keyring.list \
  | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt-get update
sudo apt-get install tailscale

Raspberry Pi

Install Tailscale on Rasperry Pi

sudo apt-get install apt-transport-https
curl -fsSL https://pkgs.tailscale.com/stable/raspbian/$(lsb_release  -cs).noarmor.gpg \
  | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
curl -fsSL https://pkgs.tailscale.com/stable/raspbian/$(lsb_release  -cs).tailscale-keyring.list \
  | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt-get update
sudo apt-get install tailscale

Android client

• Headscale docs: Connecting an Android client
• Docs
• Play store
• F-Droid
  • Is multiple minor versions behind (as of 2025-10)

Ansible role

see headscale.md

Tailscale on Kubernetes

• Tailscale on Kubernetes
• Helm Charts repository
  • Contains currently only the helm chart for Tailscale K8s operator
• K3s Tailscale integration

Config

• tailscaled config: /etc/default/tailscaled
• state directory: /var/lib/tailscale/

Show _profiles value in /var/lib/tailscale/tailscaled.state:

jq -r "._profiles" /var/lib/tailscale/tailscaled.state | base64 -d | jq .

Show client config (the same as the default profile value in /var/lib/tailscale/tailscaled.state):

tailscale debug prefs

Issues

• How to work around tailscale breaking IPv6 on the host

Recover from TPM failures

❯ tailscale status
# Health check:
#   - State store failed to initialize, Tailscale will not work
#     until this is resolved.
      See https://tailscale.com/s/state-store-init-error.
# Error: failed to unseal state file: failed to unseal encryption key with TPM:
# tpm2.Load: TPM_RC_INTEGRITY (parameter 1): integrity check failed
#     - Tailscale is stopped.

unexpected state: NoState

• Tailscale docs: Recover from TPM failures
• So if you transfer your disk to another device you need to re-add the device to the tailnet again.