
Networking

tailscale

Two machines; install on each (the script detects the distro and adds Tailscale's package repository; it runs as root, so review it first or use the distro package if piping an installer into sh is a concern):

curl -fsSL https://tailscale.com/install.sh | sh

Connect to the control plane. Flags worth knowing:

  • --accept-dns=false: do not let Tailscale take over the host's DNS configuration (MagicDNS); used here to avoid the conflict with clash.

  • --netfilter-mode: controls whether tailscaled manages its own netfilter (iptables/nftables) rules automatically (on, nodivert or off; Linux only). See https://blog.nipx.cn/pages/17a0b1/#%E8%AE%BE%E7%BD%AEopenwrt

tailscale up --accept-dns=false --accept-routes

Enable subnet routing:

  • --advertise-routes: the internal subnets this node exposes to the tailnet as a subnet router (adjust to your own network). An advertised route does nothing until it is approved in the admin console (Machines > Edit route settings) and the node has IP forwarding enabled.

  • --accept-routes: make this node install the subnet routes advertised by other nodes. It acts on the receiving side, not on the advertising side; on Linux it is off by default.

# Disconnect from the tailnet (this does not stop tailscaled)
sudo tailscale down

# Re-advertise the Docker network subnet (172.18.0.0/16). Every container on that
# bridge becomes reachable from any tailnet node the ACL allows, so keep the range tight.
sudo tailscale up --advertise-routes=172.18.0.0/16 --accept-routes

# Another range. Note that tailscale up refuses changed flags unless every
# previously set non-default flag is repeated (or --reset is passed);
# "tailscale set --advertise-routes=..." changes just this one setting.
sudo tailscale up --advertise-routes=172.21.0.0/24 --accept-routes

Enable subnet forwarding. On the subnet router itself IP forwarding must be on (net.ipv4.ip_forward=1; tailscale up prints a warning otherwise). On the other node, reconnect and accept the routes:

# Reconnect and accept advertised routes
sudo tailscale down
sudo tailscale up --accept-routes

# Check the routing table. On Linux, tailscaled installs accepted subnet routes in
# its own routing table (52) rather than the main table, so query that table
# (it should list 172.18.0.0/16 via tailscale0):
ip route show table 52 | grep 172.18.0.0
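An added example, not from the original page or from Tailscale, that wraps the subnet-router steps above with the checks a practitioner wants: it refuses to advertise anything outside the RFC 1918 ranges (0.0.0.0/0 must go through --advertise-exit-node, and a typo could publish a public range to the whole tailnet), enables IP forwarding before tailscale up, and verifies accepted routes in routing table 52, which is where tailscaled installs them on Linux. The same range check applies to the advertiseRoutes list of the Kubernetes Connector further down. It assumes a Linux host with tailscale installed and root privileges for the advertise step; the sysctl file name follows Tailscale's subnet-router guide, while the advertise/verify subcommands and the script name subnet-router.sh are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: guarded subnet-router setup.
# Assumes Linux, tailscale installed, and root for the "advertise" step.
set -eu

# Dotted quad -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when CIDR $1 lies entirely inside CIDR $2.
cidr_within() {
  inner_ip=${1%/*}; inner_len=${1#*/}
  outer_ip=${2%/*}; outer_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$inner_ip") & mask )) -eq $(( $(ip_to_int "$outer_ip") & mask )) ]
}

# Only RFC 1918 space may be advertised here. 0.0.0.0/0 fails the check on
# purpose: an exit node is declared with --advertise-exit-node, not as a route.
cidr_is_private() {
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    if cidr_within "$1" "$net"; then return 0; fi
  done
  return 1
}

# True when $1 is the destination of a line in routing-table dump $2.
# tailscaled installs accepted subnet routes in table 52, not the main table,
# which is why a plain "ip route show" will not list them.
route_in_dump() {
  printf '%s\n' "$2" | awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

# Join the CIDR arguments with commas, the form --advertise-routes expects.
join_routes() {
  out=""
  for r in "$@"; do out="${out:+$out,}$r"; done
  echo "$out"
}

advertise() {
  for r in "$@"; do
    cidr_is_private "$r" || { echo "refusing to advertise non-private range $r" >&2; return 1; }
  done
  # A subnet router forwards between tailscale0 and the LAN; without this the
  # route can be approved in the console yet every forwarded packet is dropped.
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
  tailscale up --advertise-routes="$(join_routes "$@")" --accept-routes
  echo "approve the routes under Machines > Edit route settings before testing" >&2
}

verify() {
  dump=$(ip route show table 52)
  for r in "$@"; do
    if route_in_dump "$r" "$dump"; then
      echo "ok: $r"
    else
      echo "missing: $r (not approved in the console, or --accept-routes not set here)"
    fi
  done
}

case "${1:-}" in
  advertise) shift; advertise "$@" ;;
  verify)    shift; verify "$@" ;;
esac
```

Run `sudo ./subnet-router.sh advertise 172.18.0.0/16 172.21.0.0/24` on the router, approve the routes in the admin console, then `./subnet-router.sh verify 172.18.0.0/16` on a node that was brought up with --accept-routes.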
Verify network status

On any node, list the peers and their connection state:

tailscale status

Output (the first line is the local node):

100.88.126.125  node1                linux   -
100.108.103.82 ubuntu-78 linux idle, tx 1672 rx 1352

Certificates

See: https://tailscale.com/kb/1153/enabling-https

After enabling HTTPS certificates for the tailnet in the admin console (DNS > HTTPS Certificates; MagicDNS must be on), fetch a Let's Encrypt certificate for this node's MagicDNS name. The command requires that name as its argument (it is a placeholder here) and writes <name>.crt and <name>.key into the current directory:

tailscale cert <node-name>.<tailnet>.ts.net

Connectivity check (NAT traversal result and DERP relay latency; an empty PortMapping line means no UPnP/NAT-PMP/PCP mapping was found):

tailscale netcheck
Report:
* Time: 2025-03-21T10:31:58.816180828Z
* UDP: true
* IPv4: yes, 159.75.231.54:53619
* IPv6: no, but OS has support
* MappingVariesByDestIP: false
* PortMapping:
* CaptivePortal: false
* Nearest DERP: Tokyo
* DERP latency:
- tok: 120.1ms (Tokyo)
- sin: 143.4ms (Singapore)
- sfo: 149.1ms (San Francisco)
- hkg: 152.2ms (Hong Kong)
- lax: 168.3ms (Los Angeles)
- sea: 176.6ms (Seattle)
- den: 187.8ms (Denver)
- nue: 199.3ms (Nuremberg)
- hnl: 203.4ms (Honolulu)
- dfw: 206.4ms (Dallas)
- tor: 222.6ms (Toronto)
- nyc: 228ms (New York City)
- iad: 229.5ms (Ashburn)
- ord: 229.6ms (Chicago)
- mia: 229.6ms (Miami)
- ams: 236.7ms (Amsterdam)
- par: 240.3ms (Paris)
- fra: 240.7ms (Frankfurt)
- hel: 246.2ms (Helsinki)
- mad: 249.1ms (Madrid)
- lhr: 255.2ms (London)
- blr: 259.9ms (Bangalore)
- waw: 265.5ms (Warsaw)
- syd: 324.7ms (Sydney)
- dbi: 345ms (Dubai)
- sao: 371.4ms (São Paulo)
- jnb: 390.6ms (Johannesburg)
- nai: 401.2ms (Nairobi)

K8s

https://agou-ops.cn/post/%E4%BD%BF%E7%94%A8tailsclae-vpn%E8%AE%BF%E9%97%AEk8s%E9%9B%86%E7%BE%A4%E6%9C%8D%E5%8A%A1via-k8s-operator/

https://tailscale.com/kb/1236/kubernetes-operator#cilium-in-kube-proxy-replacement-mode

If you run Cilium in kube-proxy replacement mode, you must enable bypass of the socket load balancer in pod namespaces (socketLB.hostNamespaceOnly=true), otherwise Cilium's socket-level load balancing intercepts the operator proxy's traffic to Services:

cilium upgrade cilium/cilium \
--namespace kube-system \
--reuse-values \
--set socketLB.hostNamespaceOnly=true

Expose a cluster CIDR through a Connector subnet router (here the pod CIDR 10.40.0.0/14; a service CIDR is exposed the same way). Like any advertised route it has to be approved in the admin console unless an ACL autoApprover covers it:

cat > /home/kubernetes/tailscale/ts-pod-cidrs.yml <<EOF
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
  name: ts-pod-cidrs
spec:
  hostname: ts-pod-cidrs
  subnetRouter:
    advertiseRoutes:
      - "10.40.0.0/14"
EOF
kubectl apply -f /home/kubernetes/tailscale/ts-pod-cidrs.yml
kubectl get connector ts-pod-cidrs
kubectl describe connector ts-pod-cidrs

Joining from other nodes (accept the advertised cluster route):

sudo tailscale up --accept-routes

Test:

The key is the annotation tailscale.com/expose: "true" on the Service below. The Tailscale operator reacts to it by creating a proxy StatefulSet in its own namespace and giving the Service an address on the tailnet:

kubectl run kuard -l app=kuard --image 163751/kuard:green
cat > test-kuard.yml <<EOF
apiVersion: v1
kind: Service
metadata:
  name: kuard-tailscale-svc
  annotations:
    tailscale.com/expose: "true"
  labels:
    app: kuard
spec:
  ports:
    - port: 8080
      protocol: TCP
      name: kuard
  selector:
    app: kuard
  type: ClusterIP
EOF
kubectl apply -f test-kuard.yml

cat > kuard-ingress.yml <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kuard-ingress
spec:
  defaultBackend:
    service:
      name: kuard-tailscale-svc
      port:
        number: 8080
  ingressClassName: tailscale
EOF
kubectl apply -f kuard-ingress.yml

Access: open https://login.tailscale.com/admin/machines, look up the tailnet IP assigned to the Service's proxy, and curl it. (The Ingress additionally publishes the Service under a MagicDNS name over HTTPS, which needs HTTPS certificates enabled for the tailnet as described in the certificates section above.)

curl http://100.100.22.103:8080

Cleanup (the kuard pod created with kubectl run is not covered by these two manifests and must be deleted separately):

kubectl delete -f test-kuard.yml
kubectl delete -f kuard-ingress.yml

Drawbacks

May not work directly alongside proxies such as Clash, since both want to manage the host's DNS and routing (hence --accept-dns=false above):

https://blog.ichr.me/post/tailscale-mihomo-quantumult-x/