🔐 Administrator Documentation

Complete guide to managing your Tailscale/Headscale VPN network

📑 Table of Contents

🌐 Network Overview

Your Network Configuration:
  • VPN Network: 100.64.0.0/24
  • Exit Node IP: 64.20.46.182
  • Headscale Server: Running on port 8080 (internal)
  • Available Domains: tappedin.fm, raywonderis.me, devine-creations.com, devinecreations.net

Users in System

User Type Domain Purpose
dom Personal raywonderis.me Personal network
tappedin Business tappedin.fm Business network
devinecr Business devine-creations.com Development network

🔑 Authentication Methods

Method 1: Pre-Authentication Keys (Recommended)

Most Secure Easiest Setup

What it is: Generate a one-time or reusable key that allows devices to join automatically.

Via Web UI:

  1. Go to Admin Dashboard → "Generate Access Key"
  2. Select user (dom, tappedin, devinecr)
  3. Set expiration time
  4. Choose: Reusable (multiple devices) or Single-use
  5. Copy the generated key
  6. Share with user securely (Signal, encrypted email, etc.)

Via Command Line:

# Create a key that expires in 7 days
headscale preauthkeys create --user dom --expiration 7d

# Create a reusable key
headscale preauthkeys create --user dom --expiration 30d --reusable

# Create a key that never expires (not recommended)
headscale preauthkeys create --user dom --expiration 90d --reusable
⚠️ Security Note: Always set expiration times. Never share keys in plain text messages or public channels.

Method 2: Manual Registration

Requires Admin Approval

Process:

  1. User connects device without auth key
  2. Device appears as "pending" in admin dashboard
  3. Admin manually approves the device
  4. Device gains network access

Command Line Approval:

# List pending devices
headscale nodes list

# Approve a device
headscale nodes register --user dom --key nodekey:xxxxxx

Method 3: Web Authentication URL

Interactive

When a device connects, Tailscale generates a registration URL:

https://headscale.tappedin.fm/register/DEVICE_KEY

User opens this URL in browser to complete registration.

👥 User Management

Creating New Users

# Create a new user
headscale users create matt-turner

# List all users
headscale users list

# Delete a user (WARNING: removes all their devices)
headscale users destroy matt-turner

User Settings (via Admin Dashboard)

💡 Best Practice: Set device limits based on user needs. Personal users: 5-10 devices. Business users: 15-20 devices.

📱 Device Management

Viewing Connected Devices

Admin Dashboard shows all devices with:

Removing Devices

# List all devices
headscale nodes list

# Remove a specific device
headscale nodes delete --identifier 1

# Force remove offline device
headscale nodes delete --identifier 1 --force

Device Expiration

By default, devices do not expire. To set expiration:

# Expire a device manually
headscale nodes expire --identifier 1
⚠️ Important: Removing a device immediately cuts off network access. Make sure users are aware before removal.

🛡️ Access Control & Security

ACL (Access Control List)

Control which users/devices can communicate with each other.

ACL File: /etc/headscale/acl.yaml

Example: Allow All Traffic

{
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ]
}

Example: Restrict Access

{
  "acls": [
    {
      "action": "accept",
      "src": ["dom"],
      "dst": ["dom:*"]
    },
    {
      "action": "accept",
      "src": ["tappedin"],
      "dst": ["tappedin:*", "dom:80,443"]
    }
  ]
}

Firewall Ports (Already Configured)

Port Protocol Purpose
8080 TCP Headscale API (localhost only)
443 TCP Web UI (HTTPS)
3478 UDP Tailscale STUN
41641 UDP Tailscale DERP

🌍 Exit Node Configuration

✅ Exit Node Status: Configured and Active
Public IP: 64.20.46.182

How Exit Nodes Work

Exit nodes allow devices to route all internet traffic through the VPN server, making it appear as if they're browsing from the server's location.

Approving Exit Node Routes

# List routes that need approval
headscale routes list

# Approve exit node for a device
headscale routes enable --identifier NODE_ID --route 0.0.0.0/0
headscale routes enable --identifier NODE_ID --route ::/0

Use Cases

💡 Tip: Enable "Allow Exit Node Usage" in user settings to grant permission before approving routes.

🔧 Troubleshooting

Dashboard Not Showing Devices

# Check Headscale is running
systemctl status headscale

# Check PHP-FPM
systemctl status ea-php81-php-fpm

# Test API directly
curl -sk "https://tailscale.tappedin.fm/api/nodes"

# Restart services
systemctl restart headscale
systemctl restart ea-php81-php-fpm
systemctl reload nginx

Device Can't Connect

  1. Verify auth key hasn't expired: headscale preauthkeys list --user USERNAME
  2. Check device is using correct login server URL
  3. Verify firewall ports are open
  4. Check Headscale logs: journalctl -u headscale -n 50

Exit Node Not Working

# Verify NAT rules
iptables -t nat -L POSTROUTING -n | grep 100.64.0.0

# Check IP forwarding
sysctl net.ipv4.ip_forward

# Re-apply exit node config
/usr/local/bin/setup-exit-node.sh

Check Service Status

# Monitor all services
/home/devinecr/apps/hubnode/monitoring/universal-service-monitor.sh

# View monitoring logs
tail -f /var/log/universal-service-monitor.log

📞 Support & Resources

⬇️ Download Tailscale Clients

Direct download links for all platforms:

🪟 Windows:
→ Windows Installer (.exe)
→ Windows MSI (x64)
🍎 macOS:
→ macOS Installer (.pkg)
🐧 Linux:
→ Linux x64 (amd64)
→ Linux ARM64
📱 Mobile:
→ iOS (App Store)
→ Android (Google Play)

Last Updated: 2025-10-09 | Headscale v0.23.0