Tailscale, a super easy VPN service that is free to use on Raspi.

This article introduces a cloud VPN that can be used from a Raspberry Pi.
The service is called “Tailscale” and offers a free plan for personal use.
The word on the street is that Tailscale is a super easy VPN, and having actually used it, I really feel that way.

A traditional VPN is built around a central VPN gateway. The well-known WireGuard is popular because it routes a little more efficiently than that.
Tailscale is an even more advanced concept. It is unique in that it does not have an authentication server.
There are several explanatory articles on the official website. If you are interested, please visit them.

This time I tried it on the PL-R5m, which uses the industrial Raspberry Pi CM5.
The OS is Raspberry Pi OS bookworm, and the unit is connected with a wired LAN cable instead of Wi-Fi.
You can set it up the same way on a Pi 5. With a Pi 5 or CM5 you get Gigabit Ethernet, perfect performance, low power consumption and quiet operation, so it seems practical to turn one into a dedicated VPN server.

The article presents the settings in the order in which I got them working. If you simply want to connect to your home NAS from outside, sign up, install Tailscale, and then go straight to the settings at the end of the article, which include the subnet router from the beginning.

Register with Tailscale (sign up)

First, you need to register.
Register and log in with an identity provider such as Gmail, a Microsoft account, Office365, or another authentication system.
Tailscale does not have an authentication system of its own, so you will have to register with an account such as Gmail.

Since you are only registering at this point, you can do it either on the desktop of your Raspberry Pi or on your main machine. Open the following URL in a web browser and proceed.

https://login.tailscale.com/start

There are more and more of these registration services that need no further explanation. Please register with the account you have.

Since you registered with a Gmail account, simply select your Gmail account for your Tailscale login.

I chose “Personal Use” for the first question because it is free for personal use. The rest can be left as you wish.
Following the initial device registration, I chose Linux since it is a Raspberry Pi.

Select the OS and you will get the installation script code. Run this on the Raspberry Pi CM5 side.
Once registered & logged in, you will be taken to the registration screen for the second unit, but you can choose to view the console screen.
Once you are on the console screen, leave it as it is and continue with the configuration on the Raspberry Pi side.

To connect from outside, the iPhone will also be registered as a second device later.
At least two devices must be registered to confirm VPN connection from the outside.

The client application runs on multiple platforms (Windows, macOS, Linux, iOS, Android), including the operating systems used on phones. It can be used on a Raspberry Pi and even on an iPhone.

Installing Tailscale (Raspberry Pi OS)

To connect with Tailscale, client software must be installed.
On the Raspberry Pi CM5 side, perform the following.

  • Note: The official website listed the installation instructions for Raspberry Pi OS as bullseye. Since bookworm was not available there, we tried the common Linux installation script instead. The repository that was actually installed was Debian bookworm.

curl -fsSL https://tailscale.com/install.sh | sh

When the installation is finished, the command to start the system is displayed and the process is complete.

Installation complete! Log in to start using Tailscale by running:

sudo tailscale up

Let's start it up right away.

Launch Tailscale

Run with administrator privileges.

sudo tailscale up

When executed, the URL to the screen to be authenticated is displayed on the terminal screen.
You will have to access the site with a web browser and log in.

To authenticate, visit:

    https://login.tailscale.com/a/1774610d018f66

Success.

Login screen

You will be using a web browser; it does not have to be the Raspberry Pi’s web browser.
When you access the URL displayed in the terminal, you will be asked to log in, and if you successfully log in with your Google account, the terminal will display Success.

After this, you will be able to make some settings on the console screen (the management screen opened in the web browser mentioned earlier).

Check on console screen

After login, the CM5 is shown on the machine tab of the console screen (administration screen).
The image also shows two iPhone client apps that were installed from the App Store and authenticated.

The IP address was assigned automatically. In this case, you can use it without needing to be aware of it.

Incidentally, when I checked the billing item from the menu of the console screen, I found that the plan was properly an individual plan.

  • Note: This is because I chose Personal Use when I registered my account and it was a Gmail account. If you have a corporate email address, you may be on a different plan. In that case, the official website says you can choose a trial (opt-out).

We see that the free plan allows up to 3 users and 100 devices. That is sufficient for personal use.


Once confirmed, you may leave the screen as it is. You will operate it again later.

Subnet router configuration

As it stands, each device has simply joined the same Tailscale network.
If you want to reach other devices on the CM5's local network over the VPN, you need to set up a subnet router to connect to them.

There is already a NAS running on the network where the Raspberry Pi CM5 is located.

You could also reach such a device by installing the client app on it, but some devices, such as printers, do not allow the client app to be installed. If you enable the subnet router functionality in the client installed on the CM5, you can access devices that do not have the Tailscale client app installed.

Now, use the tailscale command to configure your home local network as a subnet router from CM5.

  • Note: Read the IP address range used here as the range of your own home network. The default IP address range for a typical router is 192.168.0.0/24 if the router is 192.168.0.1, or 192.168.1.0/24 if the router is 192.168.1.1.

Since it depends on the router and the individual configuration, look up the IP address and subnet mask using, for example, the ip a command.
In this article, 192.168.0.1 is the router and the subnet mask is 255.255.255.0, so the range is specified as shown below.

To route the local network in your home, simply run the command with the --advertise-routes option.

tailscale set --advertise-routes=192.168.0.0/24

You will need sudo to run the command.
If you register an existing user as the operator with the following command, that user can run it without sudo. This only needs to be run once.
This step is optional; you can instead add sudo each time.

sudo tailscale set --operator=$USER
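
The range passed to --advertise-routes above can be derived from the router address and subnet mask rather than guessed. The following is an added example, not part of the original article; the function name network_cidr is hypothetical. It also rejects a non-contiguous mask, so a typo cannot end up advertising an unintended range.

```shell
#!/bin/sh
# Added example: derive the CIDR range for --advertise-routes from a
# dotted-quad address and subnet mask (POSIX sh, no external tools).
network_cidr() {  # usage: network_cidr 192.168.0.1 255.255.255.0
    old_ifs=$IFS; IFS=.
    set -f; set -- $1 $2; set +f   # $1..$4 = address octets, $5..$8 = mask octets
    IFS=$old_ifs
    [ $# -eq 8 ] || { echo "expected dotted-quad address and mask" >&2; return 1; }
    net="" bits=0 host_part=0
    for pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        o=${pair% *} m=${pair#* }
        case "$o:$m" in :*|*:|*[!0-9:]*) return 1 ;; esac
        [ "$o" -le 255 ] && [ "$m" -le 255 ] || return 1
        # Network octet = address octet AND mask octet.
        net="${net}${net:+.}$((o & m))"
        # Walk the mask octet from its top bit; a 1 after a 0 means the
        # mask is non-contiguous and has no valid prefix length.
        b=128
        while [ "$b" -ge 1 ]; do
            if [ $((m & b)) -ne 0 ]; then
                [ "$host_part" -eq 0 ] || { echo "non-contiguous mask" >&2; return 1; }
                bits=$((bits + 1))
            else
                host_part=1
            fi
            b=$((b / 2))
        done
    done
    echo "$net/$bits"
}

# The article's values (router 192.168.0.1, mask 255.255.255.0):
#   sudo tailscale set --advertise-routes="$(network_cidr 192.168.0.1 255.255.255.0)"
```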

Let's check it.

Once you have configured the subnet router, go back to the administration page to check it.
The change is reflected immediately.
Open the route settings from the three-dot menu (…) on the Raspberry Pi CM5 row in the machine list.

The IP address range specified earlier is listed there. Check the box to activate it.

When I saved and returned to the list, it was tagged SUBNET.
However, a “!” mark is attached.

When I check the same screen again, oops, there is some kind of message.

If you see “Unable to relay traffic” above, it is because routing permissions (rules) have not been set.
As it is, even if I can connect via VPN, I cannot access the NAS in my home.

Route settings

The reason you got a warning and could not connect is that routing permission had not been given to the CM5.
On Raspberry Pi OS, create a conf file under /etc/sysctl.d/ that grants this permission, and enable it as follows.

  • Note: The directory differs between operating systems.

Create the rule:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

Now the “!” mark on the subnet tag will disappear, and you will be able to access the NAS in your home when you connect via VPN.

Try it from your iPhone

I’ll use my iPhone to make a VPN connection and take a look at the NAS in my home.

The iPhone must also be allowed to join the Tailscale network, so a client application is installed.
Authentication from the application is the same as before, just log in with your Gmail account.

You can see that the iPhone has also been added to the Tailscale console screen.
At this point, no extra configuration was required for either the iPhone application or the console screen.

All that is left is to bring up the VPN connection.

On the iPhone, go to Settings -> VPN and Device Management -> VPN -> VPN Status and follow the instructions to turn on the connection and select the appropriate VPN.
Or enable the VPN connection from the Tailscale app.

Turn on the VPN from the iPhone’s VPN settings.

The VPN can also be turned on from the Tailscale app.

Now I can VPN to my Raspberry Pi CM5 at home with Tailscale.
Turn off Wi-Fi, or go out of range of your home Wi-Fi (outside the house), and try connecting to the NAS as usual.

Access the NAS from the standard iPhone app or my preferred FileBrowserGO.
Since I had already connected to the NAS from the iPhone at home, the connection destination was registered, so when I selected the IP address of the NAS, the files were displayed without any problem.

As you can see, we were able to access files in the home from the outside, as indicated by 4G and VPN in the top bar.

On the iPhone side, I just installed the Tailscale client app.
The same is true for laptops: simply download the OS-specific client application and register it as a device in Tailscale.

Include subnets in the configuration from the beginning

This time I wanted to make sure it worked, so I set them up in order. It may have seemed a little long.
This level of VPN connection can be set up at once after installing Tailscale.

Earlier in the article, the subnet router was set up with the tailscale set command. You can instead pass the same settings to the tailscale up command and configure it as it starts.

It is the same up to installation.
You can then optionally add the settings to the command to be started.
I also enabled ssh.

sudo tailscale up --advertise-routes=192.168.0.0/24 --ssh 

Routing must also be permitted on the Raspberry Pi side, so run the next three lines.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
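
The three forwarding lines appear both here and in the route settings section, and tee -a appends a new copy each time they are run. The following is an added example, not part of the original article, of an idempotent version that adds each key only when the file does not already set it to 1; the function names and the --apply switch are hypothetical, and CONF can be overridden to try it on a scratch file.

```shell
#!/bin/sh
# Added example: idempotent replacement for the three "tee -a" lines.
# CONF defaults to the article's file; override it to test safely.
CONF="${CONF:-/etc/sysctl.d/99-tailscale.conf}"

# Print the effective value of KEY in a sysctl conf file: the last
# assignment wins, comment lines (# or ;) are skipped, and spaces or
# tabs around "=" are ignored. Prints nothing if the key is absent.
conf_value() {  # usage: conf_value FILE KEY
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == key { val = v }
        END { print val }' "$1" 2>/dev/null
}

# Append "KEY = 1" only when the file does not already resolve KEY to 1.
ensure_key() {  # usage: ensure_key FILE KEY
    [ "$(conf_value "$1" "$2")" = "1" ] && return 0
    printf '%s = 1\n' "$2" >> "$1"
}

# Make sure both forwarding keys from the article are enabled in FILE.
ensure_forwarding() {  # usage: ensure_forwarding FILE
    ensure_key "$1" net.ipv4.ip_forward &&
    ensure_key "$1" net.ipv6.conf.all.forwarding
}

# Run as root with --apply to write the file and load it, as the
# article's third line does.
if [ "${1:-}" = "--apply" ]; then
    ensure_forwarding "$CONF" && sysctl -p "$CONF"
fi
```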

The options for the command can be seen by executing tailscale or tailscale set.
There are many options. Please refer to the official page for details.

VPN service that can only be described as easy

As a result, all I had to do was run a few commands in CM5 with Tailscale installed and check the box on the console screen.
It is significantly easier than building and configuring a VPN server using the same Raspberry Pi.

Best of all, no router port forwarding configuration is required. Moreover, the IP address of the Raspberry Pi does not have to be fixed, so the ease of setup is remarkable.
This is really the only way to connect.

Tailscale Features:

  • No router configuration required
  • No need to fix IP addresses.
  • Install Tailscale and execute only a few lines of command
  • The web browser console screen reflects changes immediately and is easy to understand
  • For personal use, you can start with a free plan (3 users, 100 devices)
  • Runs on many platforms, including the Raspberry Pi series

It was so easy to connect to the service that it made me wonder what the VPN I had previously set up on my Raspberry Pi was for.
Even for commercial use, the fee is low and it can be installed immediately.
Since you don’t have to open ports on your router, it’s easy for beginners to set up. For individuals, there is a free plan, so it is easy to use.

I found the VPN connection with Tailscale + Raspberry Pi to be very practical. Please refer to the article to give it a try.

Tailscale Official: https://tailscale.com


Article contributed by Raspida

raspida.com: a Raspberry Pi information site that even non-engineers can enjoy and handle. He also contributes technical blog articles on the Raspberry Pi for industrial use to the PiLink site.