---
myst:
  html_meta:
    "description lang=en": "Running Kasm Workspaces with access to Tailscale virtual private networks. "
    "keywords": "Kasm, How to, How-to, Tailscale, VPN, Networking, Firewall"
    "property=og:locale": "en_US"
---

```{title} Running Kasm with Tailscale
```

# Running Kasm with Tailscale

This guide will cover setting up a single server Kasm instance with a basic Tailscale configuration. If you are looking to run Tailscale as a sidecar container to access other Tailscale devices only from stock Workspaces containers please see {doc}`VPN Sidecar Containers `.

```{contents} Table of Contents
```

## Network architecture overview

For our setup we had three nodes.

- An Ubuntu 20.04 LTS graphical desktop running Chromium to access the Kasm UI.
- An Ubuntu 20.04 LTS server that we will perform a single server install of Kasm on.
- An Ubuntu 20.04 LTS server that we configured as a Tailscale exit node. (This is only used in [Configuring Kasm with a Tailscale exit node](#configuring-kasm-with-a-tailscale-exit-node).)

### Tailscale

This guide uses Tailscale version 1.18.2. This guide assumes you already have a Tailscale account and are familiar with using Tailscale.

#### Kasm with Tailscale without an exit node

```{figure} /images/tailscale/Tailscale_no_exit_node.png
:align: center

**Tailscale Without an Exit Node**
```

Set up a single server Kasm instance as described in the {doc}`single server installation guide <../install/single_server_install>`.

Verify that you can access the Kasm web app running on port 443 at **https://\**

Install Tailscale on the Kasm node following the instructions at [Tailscale Ubuntu 20.04 LTS install](https://tailscale.com/kb/1039/install-ubuntu-2004/).

Take note of the Tailscale IP address for the Kasm server.

```bash
sudo tailscale ip --4
```

Verify you can access the Kasm web app at the Tailscale IP address from a Tailscale client.

In order for clients to properly make connections to Kasm sessions when using a reverse proxy, the **Upstream Auth Address** setting for each {term}`Deployment Zone` must be updated. Update the **Upstream Auth Address** with the public (non-Tailscale) IP or FQDN of the Kasm Workspaces server. See [Update Zones](reverse_proxy.md#update-zones) for more information.

Kasm Workspaces is now working with Tailscale. Outbound Kasm session traffic will go out the normal public IP. If you want to route traffic from Kasm sessions through a Tailscale exit node, continue with [Configuring Kasm with a Tailscale exit node](#configuring-kasm-with-a-tailscale-exit-node).

#### Configuring Kasm with a Tailscale exit node

```{figure} /images/tailscale/Tailscale_with_exit_node.png
:align: center

**Tailscale With an Exit Node**
```

Perform the setup in [Kasm with Tailscale without an exit node](#kasm-with-tailscale-without-an-exit-node).

Once that setup is complete, ensure that you have a Tailscale exit node configured. Instructions are available at: [Exit Nodes (route all traffic)](https://tailscale.com/kb/1103/exit-nodes/)

Update the Tailscale configuration for the Kasm server with the new exit node.

```bash
# Replace <exit-node-ip> with the Tailscale IP address of your exit node.
sudo tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access
```

```{note}
Adding the `--exit-node-allow-lan-access` parameter is required to be able to access the Kasm web app.
```

Next we will need the IP address of the Kasm proxy server to update the **Upstream Auth Address** in the zone configuration.

```bash
sudo docker exec -it kasm_proxy ip a
```

Use the non-loopback address and update each {term}`Deployment Zone` with the new **Upstream Auth Address**. See [Update Zones](reverse_proxy.md#update-zones) for more information.

```{note}
Uploading files to the Kasm session does not work with a Tailscale exit node configured.
```

#### Troubleshooting

During our configuration of Tailscale we ran into issues with DNS.
We were able to solve our issue by adding a public DNS server to the Tailscale administration page under [DNS](https://login.tailscale.com/admin/dns). (This step may not apply to all configurations of Tailscale.)
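
The exit-node setup above asks for the non-loopback address of the `kasm_proxy` container, and picking it out of the `ip a` output by eye is easy to get wrong. The following is an added example, not part of the Kasm documentation: the function name `non_loopback_ipv4` and the sample `ip a` output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: extract the non-loopback IPv4 address(es) from `ip a` output
# so the value entered as Upstream Auth Address is not misread.

# Reads `ip a` output on stdin, prints one IPv4 address per line.
non_loopback_ipv4() {
  awk '
    # Interface header, e.g. "42: eth0@if43: <BROADCAST,...> mtu 1500 ..."
    /^[0-9]+:/ {
      iface = $2
      sub(/:$/, "", iface)      # drop the trailing colon
      sub(/@.*/, "", iface)     # drop the veth peer suffix ("eth0@if43" -> "eth0")
      next
    }
    # IPv4 line, e.g. "    inet 172.18.0.7/16 brd ... scope global eth0"
    $1 == "inet" && iface != "lo" {
      split($2, parts, "/")     # strip the CIDR prefix length
      if (parts[1] !~ /^127\./) print parts[1]
    }
  '
}

# Constructed sample of `ip a` output from inside a container (not real data).
SAMPLE_IP_A='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
42: eth0@if43: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
    link/ether 02:42:ac:12:00:07 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.7/16 brd 172.18.255.255 scope global eth0
       valid_lft forever preferred_lft forever'

# Live use on the Kasm server (no -t, so the output can be piped):
#   sudo docker exec kasm_proxy ip a | non_loopback_ipv4
if [ "${1:-}" = "--sample" ]; then
  printf '%s\n' "$SAMPLE_IP_A" | non_loopback_ipv4
fi
```

If the function prints more than one address, the container is attached to more than one network; confirm which one clients reach before updating the zone.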