
Tailscale Configuration

Last Updated: 2025-12-26
Status: Production
Source: Converted from RTF documentation + network-infrastructure.md


Overview

Tailscale provides secure, private access to the BlueFly Agent Platform network through a zero-trust mesh VPN. All devices are connected via WireGuard encryption with identity-based access control.

Key Principle: Tailscale = Private Access ONLY. Cloudflare Tunnel = Public Ingress ONLY. These planes must NEVER be mixed.


Tailnet Information

  • Tailnet: tailcf98b3.ts.net
  • MagicDNS: Enabled
  • Funnel: Available (but should be OFF on production devices)
  • Zero Trust: WireGuard encryption
  • Account: flux423@mac.com
  • Subnet Routing: 192.168.8.0/24 advertised

@bluefly/agent-tailscale Package

Location: common_npm/agent_tailscale/

TypeScript package for Tailscale operations with distributed computing support.

Repository: https://gitlab.com/blueflyio/agent-platform/agent_tailscale

Key Features

  • Simple API for Tailscale CLI operations
  • Peer discovery and filtering based on OS, tags, and online status
  • Network topology mapping
  • Distributed computing resource discovery
  • Latency-based node selection
  • Integration with exo for distributed LLM inference

Key Components

  • TailscaleClient: Wrapper around the Tailscale CLI exposing the status, ip, up, down and ping operations
  • TailscaleDiscovery: Peer discovery with filtering based on OS, tags, and online status
  • TypeScript types: Full type safety
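The discovery flow the two components above describe, as an added example that is not code from @bluefly/agent-tailscale: it parses the JSON that `tailscale status --json` prints, filters peers by OS, tags and online state, and then picks the lowest-latency candidate. The field names (`Peer`, `HostName`, `OS`, `TailscaleIPs`, `Online`, `Tags`) follow the real status output as far as they are used here; the sample status document, the latency table and the `probe` function standing in for `tailscale ping` are constructed for this example.

```typescript
// Added example, not code from @bluefly/agent-tailscale: peer discovery over the JSON
// that `tailscale status --json` prints, plus latency-based node selection.

export interface TailscalePeer {
  HostName: string;
  DNSName: string;
  OS: string;
  TailscaleIPs: string[];
  Online: boolean;
  Tags?: string[]; // present only on tagged nodes, e.g. ["tag:ci-runner"]
}

export interface TailscaleStatus {
  Self: TailscalePeer;
  Peer: Record<string, TailscalePeer>; // keyed by the peer's node public key
}

export interface PeerFilter {
  os?: string;          // e.g. "linux"
  tags?: string[];      // every listed tag must be present on the peer
  onlineOnly?: boolean;
}

// Constructed sample in the shape of `tailscale status --json`, trimmed to the fields used.
export const SAMPLE_STATUS: string = JSON.stringify({
  Self: { HostName: "dev-mac", DNSName: "dev-mac.tailcf98b3.ts.net.", OS: "macOS",
          TailscaleIPs: ["100.64.0.1"], Online: true },
  Peer: {
    "nodekey:aaaa": { HostName: "gpu-box-1", DNSName: "gpu-box-1.tailcf98b3.ts.net.", OS: "linux",
                      TailscaleIPs: ["100.64.0.10"], Online: true, Tags: ["tag:gpu", "tag:inference"] },
    "nodekey:bbbb": { HostName: "gpu-box-2", DNSName: "gpu-box-2.tailcf98b3.ts.net.", OS: "linux",
                      TailscaleIPs: ["100.64.0.11"], Online: false, Tags: ["tag:gpu", "tag:inference"] },
    "nodekey:cccc": { HostName: "ci-runner-42", DNSName: "ci-runner-42.tailcf98b3.ts.net.", OS: "linux",
                      TailscaleIPs: ["100.64.0.20"], Online: true, Tags: ["tag:ci-runner"] },
    "nodekey:dddd": { HostName: "laptop", DNSName: "laptop.tailcf98b3.ts.net.", OS: "windows",
                      TailscaleIPs: ["100.64.0.30"], Online: true },
  },
});

// Parse and sanity-check the status document before trusting its shape.
export function parseStatus(json: string): TailscaleStatus {
  const parsed: unknown = JSON.parse(json);
  if (typeof parsed !== "object" || parsed === null || typeof (parsed as any).Peer !== "object") {
    throw new Error("unexpected tailscale status shape");
  }
  return parsed as TailscaleStatus;
}

// Discovery: filter peers by OS, required tags and online state.
export function discoverPeers(status: TailscaleStatus, filter: PeerFilter = {}): TailscalePeer[] {
  const peers = Object.keys(status.Peer).map((key) => status.Peer[key]);
  return peers.filter((p) => {
    if (filter.onlineOnly && !p.Online) return false;
    if (filter.os && p.OS.toLowerCase() !== filter.os.toLowerCase()) return false;
    if (filter.tags && filter.tags.length > 0) {
      const have = p.Tags ?? [];
      if (!filter.tags.every((t) => have.indexOf(t) >= 0)) return false;
    }
    return true;
  });
}

// Latency-based selection. `probe` stands in for `tailscale ping`: it returns the
// round-trip time in milliseconds, or null when the peer cannot be reached.
export function selectLowestLatency(
  peers: TailscalePeer[],
  probe: (ip: string) => number | null,
): TailscalePeer | null {
  let best: TailscalePeer | null = null;
  let bestMs = Infinity;
  for (const p of peers) {
    const ip = p.TailscaleIPs[0];
    if (!ip) continue;
    const ms = probe(ip);
    if (ms !== null && ms < bestMs) {
      best = p;
      bestMs = ms;
    }
  }
  return best;
}

// Constructed latency table standing in for real ping results.
export const SAMPLE_LATENCY_MS: Record<string, number> = {
  "100.64.0.10": 12.4,
  "100.64.0.11": 3.1, // lowest latency, but that node is offline and gets filtered out first
  "100.64.0.20": 40.0,
};
export const sampleProbe = (ip: string): number | null => SAMPLE_LATENCY_MS[ip] ?? null;

// End to end: the nearest online Linux node that carries both inference tags.
export function pickInferenceNode(statusJson: string, probe = sampleProbe): string | null {
  const status = parseStatus(statusJson);
  const candidates = discoverPeers(status, { os: "linux", tags: ["tag:gpu", "tag:inference"], onlineOnly: true });
  return selectLowestLatency(candidates, probe)?.HostName ?? null;
}
```

Filtering on tags is only as trustworthy as the tailnet's ACL policy: a node can carry a tag only if its auth key or the authenticating user is listed under that tag's `tagOwners`, so tags reported here are control-plane assertions rather than self-declared labels. Online state and latency, by contrast, are observations from this node's point of view and should be re-probed rather than cached.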

GitLab CI/CD Integration

Location: gitlab_components/templates/infrastructure/

GitLab CI component for secure runner access via Tailscale.

Features

  • Identity-based access with tags
  • Works with managed runners
  • Zero Trust security (WireGuard encryption)
  • Ephemeral runner support
  • Granular access control per repo/job

Usage

  include:
    - component: gitlab.com/llm/gitlab_components/infrastructure/tailscale-runner@<version>
      variables:
        TAILSCALE_HOSTNAME: "gitlab-runner-${CI_PIPELINE_ID}"
        TAILSCALE_TAGS: "tag:ci-runner,tag:repo-${CI_PROJECT_NAME}"

Configuration Options

  • tailscale_authkey - Auth key for ephemeral runner
  • tailscale_hostname - Hostname in Tailscale network
  • tailscale_tags - Comma-separated tags for access control
  • tailscale_advertise_exit_node - Advertise as exit node
  • tailscale_advertise_routes - Routes to advertise
  • tailscale_timeout - Connection timeout (default: 30 seconds)
  • tailscale_verify_connection - Verify connection before proceeding
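What a job does with these options, as an added example that is not the tailscale-runner component's own code: validate the option values, build the `tailscale up` argument list, redact the auth key before anything reaches the job log, and honour `tailscale_verify_connection` by waiting for the node to report the `Running` backend state within `tailscale_timeout`. The option names mirror the component inputs listed above; `--authkey`, `--hostname`, `--advertise-tags`, `--advertise-exit-node`, `--advertise-routes` and `--timeout` are real `tailscale up` flags. The `probe` callback (modelled on the `BackendState` field of `tailscale status --json`) and the injected `clock` are assumptions so the block runs offline; spawning the `tailscale` process itself is left out.

```typescript
// Added example, not the component's own code: option validation, `tailscale up`
// argument building, log redaction and connection verification for an ephemeral runner.

export interface RunnerOptions {
  tailscale_authkey: string;
  tailscale_hostname: string;
  tailscale_tags?: string;              // comma-separated, e.g. "tag:ci-runner,tag:repo-agent-platform"
  tailscale_advertise_exit_node?: boolean;
  tailscale_advertise_routes?: string;  // comma-separated CIDRs
  tailscale_timeout?: number;           // seconds, default 30
  tailscale_verify_connection?: boolean;
}

const HOSTNAME_RE = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;
const TAG_RE = /^tag:[a-z0-9-]+$/;   // Tailscale tags: lowercase letters, digits, hyphens
const CIDR_RE = /^\d{1,3}(\.\d{1,3}){3}\/\d{1,2}$/;

function splitList(value?: string): string[] {
  return (value ?? "").split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// Returns a list of problems; empty means the options are usable.
export function validate(opts: RunnerOptions): string[] {
  const errors: string[] = [];
  if (!opts.tailscale_authkey) errors.push("tailscale_authkey is required");
  if (!HOSTNAME_RE.test(opts.tailscale_hostname)) errors.push("invalid hostname: " + opts.tailscale_hostname);
  for (const t of splitList(opts.tailscale_tags)) {
    // A tag derived from CI_PROJECT_NAME fails here if the project name has uppercase or underscores.
    if (!TAG_RE.test(t)) errors.push("invalid tag: " + t);
  }
  for (const r of splitList(opts.tailscale_advertise_routes)) {
    if (!CIDR_RE.test(r)) errors.push("invalid route: " + r);
  }
  return errors;
}

// Translate the options into the argument list for `tailscale up`.
export function buildUpArgs(opts: RunnerOptions): string[] {
  const errors = validate(opts);
  if (errors.length > 0) throw new Error(errors.join("; "));
  const args = ["up", "--authkey=" + opts.tailscale_authkey, "--hostname=" + opts.tailscale_hostname];
  const tags = splitList(opts.tailscale_tags);
  if (tags.length > 0) args.push("--advertise-tags=" + tags.join(","));
  if (opts.tailscale_advertise_exit_node) args.push("--advertise-exit-node");
  const routes = splitList(opts.tailscale_advertise_routes);
  if (routes.length > 0) args.push("--advertise-routes=" + routes.join(","));
  args.push("--timeout=" + (opts.tailscale_timeout ?? 30) + "s");
  return args;
}

// Never echo the auth key into the job log.
export function redactForLog(args: string[]): string[] {
  return args.map((a) => (a.indexOf("--authkey=") === 0 ? "--authkey=***" : a));
}

// Poll a BackendState probe until it reports "Running" or the deadline passes.
// `clock` is injected so the wait can be tested without sleeping; a real job would
// sleep between probes, which is omitted here so the injected clock drives the loop.
export function waitForConnection(probe: () => string, timeoutSec: number, clock: () => number = Date.now): boolean {
  const deadline = clock() + timeoutSec * 1000;
  while (clock() <= deadline) {
    if (probe() === "Running") return true;
  }
  return false;
}

// Job wiring: the redacted command line to log, and whether verification passed.
// Executing `tailscale` with the unredacted args is the caller's job and is not done here.
export function joinRunner(
  opts: RunnerOptions,
  probe: () => string,
  clock: () => number = Date.now,
): { command: string; connected: boolean } {
  const args = buildUpArgs(opts);
  const connected =
    opts.tailscale_verify_connection === false
      ? true
      : waitForConnection(probe, opts.tailscale_timeout ?? 30, clock);
  return { command: "tailscale " + redactForLog(args).join(" "), connected };
}
```

Two points a reviewer of such a job would check: the auth key should be an ephemeral, pre-authorized key scoped to the tags the job advertises, so the node disappears when the job ends and cannot take a tag it was not issued for; and `tailscale_advertise_exit_node` or `tailscale_advertise_routes` on a short-lived CI runner widens what the rest of the tailnet can reach through it, so they should stay unset unless the job specifically needs them.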

Agent-BuildKit Services

Location: agent-buildkit/src/services/tailscale/

25+ Tailscale-related services:

  • tailscale-acl.service.ts - ACL management
  • tailscale-api.service.ts - API integration
  • tailscale-app-connector.service.ts - App connector
  • tailscale-auth-keys.service.ts - Auth key management
  • tailscale-backup.service.ts - Backup operations
  • tailscale-certificates.service.ts - Certificate management
  • tailscale-cloudflare.service.ts - Cloudflare integration
  • tailscale-ddev.service.ts - DDEV integration
  • tailscale-dns.service.ts - DNS management
  • tailscale-docker.service.ts - Docker integration
  • tailscale-drupal.service.ts - Drupal integration
  • tailscale-ephemeral.service.ts - Ephemeral devices
  • tailscale-exitnode.service.ts - Exit node management
  • tailscale-funnel.service.ts - Funnel service
  • tailscale-ha.service.ts - High availability
  • tailscale-hardening.service.ts - Security hardening
  • tailscale-jit.service.ts - Just-in-time access
  • tailscale-kubernetes.service.ts - Kubernetes integration
  • tailscale-lock.service.ts - Device locking
  • tailscale-monitoring.service.ts - Monitoring capabilities
  • tailscale-serve.service.ts - Serve service
  • tailscale-service-discovery.service.ts - Service discovery
  • tailscale-split-dns.service.ts - Split DNS
  • tailscale-ssh.service.ts - SSH access
  • tailscale-subnet.service.ts - Subnet routing
  • tailscale-webhooks.service.ts - Webhook integration
  • tailscale.service.ts - Core service

Innovation: Distributed LLM Inference

The vision for this integration is zero-configuration distributed LLM inference that runs natively on the Tailscale mesh network.

Key Innovations

  1. Mesh-native Inference

    • Eliminates need for VPNs and port forwarding
    • Efficient and secure data transmission across network
    • Native inference experience
  2. Smart Shard Placement Algorithm

    • Optimizes shard placement
    • 30-50% faster inference speed
    • Intelligent workload distribution
  3. Elastic Clusters

    • Nodes can join or leave dynamically
    • Optimal resource utilization
    • Automatic scaling
  4. Latency-optimized Routing

    • 3x faster response times
    • Minimizes latency
    • Efficient routing system
  5. Hybrid CPU/GPU Inference with Automatic Fallback

    • Combines CPU and GPU power
    • Automatic fallback to GPU when necessary
    • Consistent performance

Use Cases

  • Home lab + cloud hybrid
  • Multi-office deployment
  • Research collaboration across institutions

Integration Points

Knowledge Services

  • TailscaleNeo4jService: Distributed knowledge graphs
  • TailscaleQdrantService: Distributed vector databases

Agent Mesh

  • Tailscale-based distributed agent communication: Secure and efficient agent coordination

Service Registry

  • Tailscale integration in service discovery: Efficient service discovery and management

Examples & Documentation

  • gitlab_components/examples/tailscale-runner-example.yml: Complete CI/CD examples
  • Router setup guide with OpenWrt configuration: Detailed router setup instructions
  • ACL configuration examples: Access control list examples
  • Security best practices: Security guidelines