A Mesh VPN For Everyone

How to use the Tailscale (WireGuard-based) mesh VPN to connect everything

What is Tailscale? It’s a mesh VPN based on the WireGuard open source project. It’s a secure network that connects your own devices no matter where they are.

Tailscale is free to use with one account and up to 100 devices, which is enough to see how well it can work to connect servers, storage and desktops. They have paid plans for teams and enterprises.

Tailscale macOS app icon

macOS and iOS

To start, download Tailscale on your Mac or iPhone, sign in, and find your Tailscale IP address. Once you are signed in and have your IP address you can connect easily between devices. For example, on your iPhone open the Tailscale app and see your installed devices. Tap your Mac and its IP will be copied to the clipboard. Use this to connect with an app such as Secure ShellFish for SSH or VNC Viewer for remote login. When you’re on the same network it’s impressive, but when you’re on a different network, separated far away, it’s magic.

The real test for me was to install Tailscale on some backup servers I manage to make them more secure and more convenient to access. I had used a variety of remote-control-for-business services and, well, Tailscale is easier, quicker and much more awesome. All the other software I tried was much less awesome.

After using Tailscale mainly for remote control, I tested Tailscale to securely connect my remote Macs to my own MunkiReport server. I use Munki and MunkiReport to manage Macs, and having Tailscale allows me to securely connect endpoints to the server without opening up ports on my router. MunkiReport allows me to detect malware (with the DetectX plugin), check on backup jobs with Archiware P5 backup software (using a module I wrote), or run a multitude of other diagnostics such as free disk space, installed apps, and all kinds of great hardware and software metrics. So much reporting. And MunkiReport doesn’t need Munki specifically, so if Tailscale is installed for remote control, why not report on everything else?

DSM Package Center: Tailscale (and Archiware P5) app on Synology NAS

Synology DSM

Having Tailscale installed on all the Synology NAS units I manage in various physical locations allows me to securely connect to all of these NAS from anywhere. With remote work, using a NAS is a great way to sync data between locations. Synology has a lot of great built-in tools to make this happen, and a very robust QuickConnect feature combined with DDNS and Let’s Encrypt certificates to support it. After setting up a few to sync one location to another I was constantly getting notifications of IPs being blocked on my firewall. I had to open a port on my firewall to let the SSH / rsync traffic through, and despite a strong set of firewall rules with a geo block there were still connection failures and password attempts. Using Tailscale I can now have a P5 server set up on one Synology NAS connecting to the Tailscale IP of other remote units, and it can easily back up, sync or archive the data from the various locations.
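The password attempts described above are exactly what shows up in an sshd auth log on an exposed NAS. Once SSH / rsync only listens on the tailnet, any failed login from an address outside Tailscale’s CGNAT range (100.64.0.0/10, and fd7a:115c:a1e0::/48 for IPv6) is a sign that the port is still reachable from the internet. The script below is an added example of my own, not code from the post or from Tailscale or Synology; the log lines are constructed for the example and the threshold of 3 attempts is an arbitrary choice.

```python
import ipaddress
import re
from collections import Counter

# Every Tailscale node gets an address from these ranges, so a login attempt
# from anywhere else did not arrive over the tailnet.
TAILNET_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Constructed sample in the shape of an sshd auth log (not captured from a real NAS).
SAMPLE_AUTH_LOG = """\
Mar  3 02:11:07 nas01 sshd[4121]: Failed password for root from 203.0.113.44 port 51022 ssh2
Mar  3 02:11:09 nas01 sshd[4121]: Failed password for root from 203.0.113.44 port 51022 ssh2
Mar  3 02:11:12 nas01 sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 02:11:15 nas01 sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 02:11:16 nas01 sshd[4130]: Failed password for invalid user admin from 198.51.100.7 port 40011 ssh2
Mar  3 02:12:40 nas01 sshd[4150]: Accepted publickey for backup from 100.101.102.103 port 55120 ssh2: ED25519 SHA256:constructed
Mar  3 02:13:02 nas01 sshd[4160]: Failed password for backup from 100.101.102.103 port 55130 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def failed_attempts_by_source(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_tailnet_address(ip):
    """True if the address falls inside one of Tailscale's address ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TAILNET_RANGES)


def classify(log_text, threshold=3):
    """Split failed-login sources into tailnet vs. public and flag repeat offenders.

    A single failed password from a tailnet peer is usually a typo by someone who
    already holds a valid node; repeated failures from a public address mean the
    SSH port is still exposed and should be closed at the router.
    """
    counts = failed_attempts_by_source(log_text)
    report = {"tailnet": {}, "public": {}, "flagged": []}
    for ip, n in counts.items():
        bucket = "tailnet" if is_tailnet_address(ip) else "public"
        report[bucket][ip] = n
        if bucket == "public" and n >= threshold:
            report["flagged"].append(ip)
    report["flagged"].sort()
    return report


if __name__ == "__main__":
    result = classify(SAMPLE_AUTH_LOG)
    for ip, n in sorted(result["public"].items()):
        print(f"public  {ip:<16} {n} failed")
    for ip, n in sorted(result["tailnet"].items()):
        print(f"tailnet {ip:<16} {n} failed")
    if result["flagged"]:
        print("SSH still reachable from the internet; flagged:", ", ".join(result["flagged"]))
```

On a real system feed it the relevant log (for example the output of `journalctl -u sshd` on Linux, or the auth log a Synology exports) instead of the constructed sample.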

To install the Synology Tailscale package check out this GitHub page. Download the package, then sideload it (Manual Install in Package Center). To enable it you will need SSH turned on, a user with permission to use it, and one command to type.

sudo tailscale up

In one case I didn’t have SSH enabled on the remote unit, so I remoted into a Mac on the same network, enabled an admin user, turned on SSH with a time limit on the account, and then logged in. Once the above command is run you will get a link to a website to authenticate the device with your account.

Linux (CentOS)

I have also installed and tested Tailscale on a Linux (CentOS) storage server. In my case a Jellyfish, which has a ZFS volume shared over direct 10GbE for Final Cut Pro video editors using NFS or SMB. The Jellyfish works well on premises, but wouldn’t it be nice to capture camera cards to the remote storage server via Tailscale? Oh yes it would. And what about playing back some of the video files via VLC on your iPhone! Or Files.app! Yes, to all the above. All made possible with Tailscale. And a huge shout out for their great documentation. Installing Tailscale on CentOS was super simple. Add a yum repo, install tailscale, and then bring the service up. Couldn’t be easier.

sudo yum-config-manager --add-repo https://pkgs.tailscale.com/stable/centos/7/tailscale.repo

sudo yum install tailscale
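On both the Synology and the CentOS box the last step is the same: start the daemon (on CentOS that is `sudo systemctl enable --now tailscaled`, from the Tailscale install docs) and run `sudo tailscale up`, which prints the authentication link. After clicking through that link it is worth confirming the node really joined rather than sitting in the “needs login” state. This is an added example of mine, not from the post or from Tailscale: it reads the output of `tailscale status --json` (the `BackendState`, `Self` and `Peer` fields as I understand the CLI’s output) and reports whether the node is authenticated, which tailnet IPv4 it got, and which peers are online. The two JSON samples are constructed for the example.

```python
import ipaddress
import json
import subprocess

TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed `tailscale status --json` output, trimmed to the fields read below.
SAMPLE_STATUS_RUNNING = json.dumps({
    "BackendState": "Running",
    "Self": {"HostName": "nas01",
             "TailscaleIPs": ["100.101.102.103", "fd7a:115c:a1e0::1"],
             "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "macbook", "TailscaleIPs": ["100.101.102.104"], "Online": True},
        "nodekey:bbbb": {"HostName": "jellyfish", "TailscaleIPs": ["100.101.102.105"], "Online": False},
    },
})

# What a freshly installed node looks like before the auth link has been visited.
SAMPLE_STATUS_NEEDS_LOGIN = json.dumps({
    "BackendState": "NeedsLogin",
    "Self": {"HostName": "nas02", "TailscaleIPs": [], "Online": False},
    "Peer": {},
})


def is_v4_tailnet(ip):
    """True for an IPv4 address inside Tailscale's CGNAT range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and addr in TAILNET_V4


def summarize_status(status_json):
    """Reduce a status document to the few facts you check right after `tailscale up`."""
    data = json.loads(status_json)
    state = data.get("BackendState")
    self_node = data.get("Self") or {}
    v4 = [ip for ip in self_node.get("TailscaleIPs", []) if is_v4_tailnet(ip)]

    online, offline = [], []
    for peer in (data.get("Peer") or {}).values():
        (online if peer.get("Online") else offline).append(peer.get("HostName", "?"))

    return {
        "hostname": self_node.get("HostName"),
        "state": state,
        # Only a node that is both Running and holding a tailnet address is usable.
        "joined": state == "Running" and bool(v4),
        "ipv4": v4[0] if v4 else None,
        "online_peers": sorted(online),
        "offline_peers": sorted(offline),
    }


def read_live_status():
    """Run the real CLI (requires Tailscale to be installed on this machine)."""
    out = subprocess.run(["tailscale", "status", "--json"],
                         capture_output=True, text=True, check=True).stdout
    return summarize_status(out)


if __name__ == "__main__":
    for sample in (SAMPLE_STATUS_RUNNING, SAMPLE_STATUS_NEEDS_LOGIN):
        s = summarize_status(sample)
        if s["joined"]:
            print(f"{s['hostname']}: joined as {s['ipv4']}; online peers: {s['online_peers']}")
        else:
            print(f"{s['hostname']}: not joined (state {s['state']}); run `sudo tailscale up` and open the link")
```

Swap the sample loop for `read_live_status()` on the actual NAS or CentOS server; on a Synology the `tailscale` binary may not be on the default PATH, so call it by its full path if the subprocess cannot find it.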

Shared Devices

A small, but very exciting, feature was added part way through my testing of Tailscale which made it infinitely more awesome: shared devices. The concept is that you are authenticated to your devices and can see in the Tailscale app all the IPs to connect to, but what if you could share one device (computer, server, NAS) with another person? Well, now you can. In the Tailscale admin console choose a device and send a share link to someone; they will then see this device in their device list as shared. Home users can set up Tailscale to access all their own devices, but now can also choose to share access to a particular device. For example, if you create an account, open a service (file sharing) and send a share link, then the other person will log in with the account you created and access the one thing you want them to. Maybe it’s an SMB share to drop files. Works great for video collaboration and other kinds of teams.

There’s a whole lot more you can do with the Tailscale (and WireGuard) mesh VPN, but I hope this gives you all some ideas to start with.

2021: Thunderbolt Shared Storage Report

It’s 2021 and what is the state of Thunderbolt Shared Storage?

Thunderbolt Shared Storage is a RAID which you connect to with Thunderbolt (and Ethernet) and which can be shared with other workstations. It’s a Thunderbolt SAN. Shared by Thunderbolt.

I’ve long been a fan of Apple’s Xsan and other SAN products that use Fibre Channel (or iSCSI) to connect clients to super fast block storage. It acts like a fast direct attached RAID but you can share it with others. The sharing part is crucial to collaborative workflows. We used Xsan when I was in VFX and I now use Xsan for post production workflows. Editors like to edit, have large video files, and often work in teams. All those camera files aren’t getting any smaller. So you need a lot of storage that can be shared by a team of editors, colourists, motion graphic artists, producers, etc.

What you don’t often want is a complicated network infrastructure or a server room with Fibre Channel switches, Fibre Channel RAIDs and assorted other equipment. You don’t want that. You’d have to call me and pay me to set up your storage, backup and archive workflow. While it is always recommended to work with a trusted contractor, it can be expensive. For small teams a shared Thunderbolt storage SAN can be quick to set up, doesn’t take much room and can easily connect 4-8 editors. Thunderbolt 3 passive copper cables extend up to 2m, but optical Thunderbolt cables are available up to 60m.

I want to review one such example of shared Thunderbolt storage that stands out, the Symply Workspace. It’s a RAID, but it’s a SAN too. It is storage you plug into with Thunderbolt, but with an extra Ethernet cable you make it a SAN. Inside the storage it has Quantum StorNext, which runs most of the world’s expensive enterprise SANs, but here it’s in the Symply Workspace and it works with Apple’s Xsan client software (included free with macOS since macOS Lion 10.7!). So basically, it is enterprise storage in a Thunderbolt box. One more thing: add a 5-seat license to a simple but powerful media asset management (MAM) tool, axle.ai, to organize your assets, add keywords and access them from anywhere. Almost too good to be true, so I had to test it and see.

I received a Symply Workspace to test with. I like testing storage. My clients always need more storage. I keep telling them to not fill it up, but they do. That’s why we have LTO, nearline and cloud archive with Archiware P5 but that’s another story. For now, let’s test this storage: how easy is it to setup, how awesome is it to edit with, and what is a MAM good for anyway? Let’s find out.

It starts with a box. You open the box. You take the drives out of the box. Two trays of drives. Then there’s the RAID itself. Put the drives in the RAID. No screwdriver or tools necessary, just slide and click. Next step, read all the documentation online. Ha ha, just kidding, don’t read anything, keep going. Ok, kidding a bit. There’s an info card in the box with a website link to help explain the setup. But I didn’t read it all. Uh, I know Xsan, I can do this. Ok, what’s the link? Now back to building.

The tricky part is plugging in a few cables, which will be improved in the shipping production version with stenciled labels of where to plug in what. There are three cables after the power cable. One Thunderbolt to a Mac, that’s easy. One Ethernet to your local network, no problem. And lastly one more Ethernet to your new SAN production network (aka metadata). Ok, what’s that? Add a 5-port switch and plug all clients and the storage into this network for SAN private metadata. It really is a SAN. Like Apple’s Xsan or Quantum StorNext, you need a data pipe (40GbE Thunderbolt 3 in this case) to transfer the data, and a metadata network to talk about the data (1GbE Ethernet to our extra switch). The public network will be used to talk to the Axle MAM or for re-sharing the volume to Macs that are not connected over Thunderbolt.

Once the Symply Workspace is wired up and powered on you’ll be able to reach the unit via a local Bonjour name in your web browser (http://symplyworkspace.local:8088), and from there a simple web interface allows you to monitor the status of the unit, download drivers to configure a Mac or Windows client, restart or shut down, contact support, or start troubleshooting if needed. It’s a great tool to do the few things you need to.

So with everyone working remotely, how do we connect to our shared storage? I’m glad you asked. There are a lot of good options. My favourite is Tailscale, a mesh VPN (based on the open source WireGuard project), which you would install on a locally connected Mac; then you can remote in and share a screen or the storage. There’s also the Axle 5-seat license included with the Symply Workspace, which can scan your storage, make proxies and serve it all via a website which can also be accessed from anywhere.

To be continued…

Update: Added a clarification that there is an included 5-seat license to Axle media asset management in the Symply Workspace.