Implement "Trusted Devices"

[Lokowitz]

Hey,

i just want you to show how i added "trusted devices" to my environment.
A trusted device is a device which is connected via wireguard to the vps and can bypass the authentification of specific resources (and you also get DNS blocking).
This is a workaround by using wg-easy and adguard.

Modify Pangoling compose.yml

services:
  pangolin: 
    ...
    networks:
      pangolin:
        ipv4_address: 10.2.0.2
  gerbil:
    ...
    networks:
      pangolin:
        ipv4_address: 10.2.0.3
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome
    restart: unless-stopped
    ports:
      - 8443:80/tcp #use the port you want for the web ui
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 3000:3000
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data/workdir:/opt/adguardhome/work
      - ./data/confdir:/opt/adguardhome/conf
    networks:
      pangolin:
        ipv4_address: 10.2.0.4
  wg-easy:
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./data/etc_wireguard:/etc/wireguard
    environment:
      - LANG=de
      - WG_HOST=your.domain
      - WG_PORT=44401 #change to a port you want
      - WG_DEFAULT_DNS=10.2.0.4
    ports:
      - 44401:44401/udp #must match WG_PORT
      - 44301:51821/tcp  #use the port you want for the web ui
    networks:
      pangolin:
        ipv4_address: 10.2.0.5
networks:
  pangolin:
    driver: bridge
    ipam:
      config:
        - subnet: 10.2.0.0/24

Adguard config in webui

• Add a dns rewrite of your subdomains "*.your.domain" pointing to your gerbil ip "10.2.0.3"

Add rule to resource in Pangolin

• Add a "always allow" role with ip "10.2.0.5" to all your resources you want to bypass with your trusted devices.
• You can add a "always deny" role with ip range of "0.0.0.0/0" if you want to limit the access to only trusted devices.
• Don't add a "always allow" role with ip range "10.2.0.0/0" this would allow everyone to bypass because the requests are coming from gerbil "10.2.0.3"

[Lokowitz]

Short update on my setup.
I am now using a 10.0.4.0/22 network and split pangolin (10.0.4.0/24) and my services (10.0.5.0/24) into different networks to allow the whole network range in the pangolin resource rules.
To bypass authentification for all tailscale devices enable the subnet routes (10.0.4.0/22) for your machine deployed on the pangolin network and add a global nameserver 10.0.5.10 in your tailsacel DNS section. Exit node is not required.

Adguard compose

services:
  adguardhome:
    container_name: adguardhome
    image: adguard/adguardhome:latest
    restart: unless-stopped
    ports:
      - 44302:80/tcp
      - 53:53/tcp
      - 53:53/udp
      - 784:784/udp
      - 853:853/tcp
      - 3000:3000
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - ./data/adguard/workdir:/opt/adguardhome/work
      - ./data/adguard/confdir:/opt/adguardhome/conf
    networks:
      vps-backend:
        ipv4_address: 10.0.5.10
networks:
  vps-backend:
    name: vps-backend
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.4.0/22

Pangolin compose

services:
  crowdsec:
    networks:
      vps-backend:
        ipv4_address: 10.0.4.30
  gerbil:
    networks:
      vps-backend:
        ipv4_address: 10.0.4.20
  pangolin:
    networks:
      vps-backend:
        ipv4_address: 10.0.4.10
networks:
  vps-backend:
    external: true

WG-easy compose

services:
  wg-easy:
    container_name: wg-easy
    image: ghcr.io/wg-easy/wg-easy:14
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./data/wg:/etc/wireguard
    environment:
      - LANG=de
      - WG_HOST=<your.domain>
      - WG_PORT=<WGPORT>
      - WG_DEFAULT_DNS=10.0.5.10
    ports:
      - <WGPORT>:<WGPORT>/udp
      - 44301:51821/tcp
    networks:
      vps-backend:
        ipv4_address: 10.0.5.30
networks:
  vps-backend:
    external: true

Tailscaled compose

services:
  tailscale:
    container_name: tailscaled
    volumes:
      - /var/lib:/var/lib
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TS_AUTHKEY=tskey-auth-
      - TS_EXTRA_ARGS=--advertise-routes=10.0.4.0/22
    image: tailscale/tailscale
    networks:
      vps-backend:
        ipv4_address: 10.0.5.40
networks:
  vps-backend:
    external: true

[DennaGherlyn]

For people using headscale instead of tailscale, this is my setup:

• DNS through dnsmasq
• Tailnet control server with headscale
• Tailnet control server UI with headplane
• Normal pangolin setup

For my Pangolin & Headscale setup I based it on this tutorial: https://forum.hhf.technology/t/integrating-headscale-and-headplane-with-pangolin/930

I'll only list the changes I made.

The final result is, that I can use 10.0.5.40 (tailscaled) as an allow and 0.0.0.0/0 as block rule in Pangolin. Or only 10.0.5.40 if I want to expose the service through pangolin but with authentication.

docker-compose.yml

services:
  pangolin:
    image: fosrl/pangolin:1.5.1
    container_name: pangolin
    # ... Some other config stuff
    networks:
      pangolin:
        ipv4_address: 10.0.4.10

  gerbil:
    image: fosrl/gerbil:1.0.0
    container_name: gerbil
    # ... Some other config stuff
    networks:
      pangolin:
        ipv4_address: 10.0.4.20

  traefik:
    image: traefik:v3.4
    container_name: traefik
    # ... Some other config stuff

  headscale:
    image: headscale/headscale:0.26.1
    container_name: headscale
    # ... Some other config stuff
    networks:
      pangolin:
        ipv4_address: 10.0.5.30

  headplane:
    image: ghcr.io/tale/headplane:0.6.0
    container_name: headplane
    # ... Some other config stuff
    networks:
      pangolin:
        ipv4_address: 10.0.5.31

  tailscale:
    container_name: tailscaled
    image: tailscale/tailscale
    volumes:
      - /var/lib/tailscale:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_EXTRA_ARGS=--authkey="TS_AUTHKEY" --login-server=https://headscale.sub.example.com --advertise-exit-node --advertise-routes=10.0.4.0/22 --accept-dns=true
    networks:
      pangolin:
        ipv4_address: 10.0.5.40

  dnsmasq:
    image: strm/dnsmasq
    container_name: dnsmasq
    restart: unless-stopped
    volumes:
      - ./headscale/dnsmasq.conf:/etc/dnsmasq.conf
    cap_add:
      - NET_ADMIN
    networks:
      pangolin:
        ipv4_address: 10.0.5.50

networks:
  pangolin:
    driver: bridge
    name: pangolin
    ipam:
      config:
        - subnet: 10.0.4.0/22

headscale/config.yml

# ... other config stuff
dns:
  magic_dns: true
  base_domain: ts.sub.example.com
  nameservers:
    global:
      - 1.1.1.1
      - 8.8.8.8
    split:
      sub.example.com:
        - 10.0.5.50
# ... more config stuff

config/config.yml (pangolin config)

# ... other config stuff
gerbil:
  start_port: 51820
  base_endpoint: "pangolin.sub.example.com"
  use_subdomain: false
  block_size: 24
  site_block_size: 30
  subnet_group: 10.0.5.0/24
# ... other config stuff

dnsmasq.conf:

#Define Port
port=53
domain-needed
bogus-priv

#dont use hosts nameservers
no-resolv

strict-order
#Use the default nameservers
server=8.8.8.8
server=1.1.1.1
expand-hosts

#serve all company queries using a specific nameserver
domain=sub.example.com

#explicitly define host-ip mappings
address=/sub.example.com/10.0.4.20

Sadly, I didn't figure out how to use headscales DNS functionality to achieve this. So, if someone knows, do tell.