Skip to content

atomicobject/terraform-aws-tailscale-router

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
examples
examples
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

terraform-aws-tailscale-router

Puts a Tailscale subnet router, running on AWS in an ECS container, into your VPC with minimal configuration.

You can read more about this module in "Get VPN access into your AWS VPC with Tailscale" at Atomic Spin.

Quick start

If you just want to deploy into the default VPC and default security group, data sources can get you everything you need save the auth key:

data "aws_vpc" "default" {
  default = true
}

data "aws_security_group" "default_vpc_default" {
  vpc_id = data.aws_vpc.default.id
  name   = "default"
}

data "aws_subnets" "default_vpc" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

Pick a name (this will be used for many things, including the ECS cluster that will be launched to contain your router), and you can add the router to your Terraform configuration:

module "router" {
  source  = "atomicobject/tailscale-router/aws"
  version = ">= 1.1.4, < 2.0.0"

  name               = "tailscale-subnet-router"
  tailscale_auth_key = var.tailscale_auth_key
  vpc_id             = data.aws_vpc.default.id
  subnet_ids         = data.aws_subnets.default_vpc.ids
  security_group_ids = [data.aws_security_group.default_vpc_default.id]
}

Other configurations are also possible.

Getting an auth key

An auth key is required to authenticate your router to your tailnet. Go to keys in Tailscale admin, and generate a new auth key here.

Once your router is authenticated, the auth key is no longer needed, as the node key will be used.

For more information, see the documentation.

Other configurations

Deploying into other VPCs is also relatively straightforward; you just need the VPC id and the subnet ids you want to launch into.

Depending on your setup, you may also need to launch your router into different security groups. The default security group AWS created allows traffic only from itself, so using it for the router will allow access to anything else in that security group.

If you want to use different security groups, you'll have to make sure there are appropriate ingress rules to support the router.

NEW in v1.1.0: You can ask Tailscale to advertise additional routes beyond the VPC (for example, if you want to route specific Internet hosts though the subnet router). Just use the "additional_routes" variable:

additional_routes = ["8.8.8.8/32", "8.8.4.4/32"]

Q&A

Why are subnet ids required? Can't the module determine the subnet ids automatically?

Yes, but if you are deploying your own VPC as part of the same configuration, depending on the subnet ids there is the cleanest way to make sure the subnets are provisioned before the router.

Thanks

Thanks to David Norton for writing Run a Tailscale VPN relay on ECS/Fargate, which inspired this module. Today, we're able to create containers based on the unmodified official Tailscale image instead of having to create our own images, which simplifies this process quite a bit.

About

deploys a Tailscale subnet router container into an AWS VPC

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

2 stars

Watchers

6 watching

Forks

3 forks
Report repository

Releases

7 tags

Packages

No packages published

Languages