OpenRelik with Tailscale
This guide outlines the process of integrating your OpenRelik server with Tailscale, allowing secure access to your server from anywhere on your Tailscale network.
Reference: Official Tailscale guide for using Tailscale with Docker: https://tailscale.com/kb/1282/docker
Prerequisites:
- An installed and functioning OpenRelik server.
- A Tailscale account with administrative privileges.
Steps:
1. Install OpenRelik: Follow the standard OpenRelik installation instructions to set up your server.
2. Obtain your Tailscale Name: Identify your Tailscale network name, which usually follows the format `yourname.ts.net`.
3. Generate a Tailscale AuthKey:
   - Log in to your Tailscale admin console at https://tailscale.com.
   - Navigate to Settings -> Personal settings -> Keys
   - Click “Generate auth key…”
   - Provide a descriptive name for your key (e.g., “OpenRelik”)
   - Enable the “Reusable” option to use the same key for both API and UI servers
   - Copy the generated key for later use
4. Create Configuration Directories: In your OpenRelik directory, create the following directories:

   ```
   tailscale-nginx-api/config
   tailscale-nginx-ui/config
   ```
5. Configure Tailscale for OpenRelik API: Create the file `tailscale-nginx-api/config/openrelik-api.json` with the following content:

   ```json
   {
     "TCP": {
       "443": {
         "HTTPS": true
       }
     },
     "Web": {
       "openrelik-api.yourname.ts.net:443": {
         "Handlers": {
           "/": {
             "Proxy": "http://127.0.0.1:8710"
           }
         }
       }
     }
   }
   ```

   Important: Replace `yourname.ts.net` with your actual Tailscale network name.
6. Configure Tailscale for OpenRelik UI: Create the file `tailscale-nginx-ui/config/openrelik-ui.json` with the following content:

   ```json
   {
     "TCP": {
       "443": {
         "HTTPS": true
       }
     },
     "Web": {
       "openrelik.yourname.ts.net:443": {
         "Handlers": {
           "/": {
             "Proxy": "http://127.0.0.1:8711"
           }
         }
       }
     }
   }
   ```

   Important: Replace `yourname.ts.net` with your actual Tailscale network name.
7. Update docker-compose.yml: Add the following services to your `docker-compose.yml` file:

   ```yaml
   tailscale-nginx-ui:
     container_name: openrelik-tailscale-nginx-ui
     image: tailscale/tailscale:latest
     hostname: openrelik
     environment:
       - TS_AUTHKEY=<AUTHKEY>
       - TS_SERVE_CONFIG=/config/openrelik-ui.json
       - TS_STATE_DIR=/var/lib/tailscale
     volumes:
       - ${PWD}/tailscale-nginx-ui/state:/var/lib/tailscale
       - ${PWD}/tailscale-nginx-ui/config:/config
       - /dev/net/tun:/dev/net/tun
     cap_add:
       - net_admin
       - sys_module

   tailscale-nginx-api:
     container_name: openrelik-tailscale-nginx-api
     image: tailscale/tailscale:latest
     hostname: openrelik-api
     environment:
       - TS_AUTHKEY=<AUTHKEY>
       - TS_SERVE_CONFIG=/config/openrelik-api.json
       - TS_STATE_DIR=/var/lib/tailscale
     volumes:
       - ${PWD}/tailscale-nginx-api/state:/var/lib/tailscale
       - ${PWD}/tailscale-nginx-api/config:/config
       - /dev/net/tun:/dev/net/tun
     cap_add:
       - net_admin
       - sys_module
   ```

   Important: Replace `<AUTHKEY>` with the AuthKey that you created in step 3.
8. Modify Existing Services in docker-compose.yml: Adjust the `openrelik-server` and `openrelik-ui` services in your `docker-compose.yml` file as follows:

   ```yaml
   openrelik-server:
     # ... (existing configuration) ...
     depends_on:
       - tailscale-nginx-api
     network_mode: service:tailscale-nginx-api
     command: uvicorn main:app --proxy-headers --forwarded-allow-ips '*' --workers 1 --host 0.0.0.0 --port 8710

   openrelik-ui:
     # ... (existing configuration) ...
     depends_on:
       - tailscale-nginx-ui
     network_mode: service:tailscale-nginx-ui
   ```
9. Update config.env: In your OpenRelik directory, modify the `config.env` file:

   ```
   OPENRELIK_SERVER_URL=https://openrelik-api.yourname.ts.net
   ```

   Important: Replace `yourname.ts.net` with your actual Tailscale network name.
10. Update settings.toml: In your OpenRelik directory, modify the `config/settings.toml` file:

    ```toml
    # ... (existing configuration) ...
    api_server_url = "https://openrelik-api.yourname.ts.net"
    ui_server_url = "https://openrelik.yourname.ts.net"
    allowed_origins = ["https://openrelik.yourname.ts.net"]
    ```

    Important: Replace `yourname.ts.net` with your actual Tailscale network name.
11. Restart OpenRelik: Restart your OpenRelik server using `docker-compose up -d` to apply the changes.
Your OpenRelik server should now be accessible via your Tailscale network at the URLs you configured. You can access the UI by navigating to https://openrelik.yourname.ts.net from any device connected to your Tailscale network.
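
Before restarting, the two serve config files created above can be checked for a leftover placeholder, a hostname that does not match the compose `hostname`, or a proxy target that is not the loopback port the service listens on. The following is an added example, not part of the OpenRelik or Tailscale documentation; the function name `check_serve_config`, the tailnet name `example.ts.net` and the embedded sample config are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

PLACEHOLDER = "yourname.ts.net"  # placeholder tailnet name used in the guide

# Constructed sample: the guide's API serve config with an assumed tailnet name.
SAMPLE_API = """{
  "TCP": {"443": {"HTTPS": true}},
  "Web": {"openrelik-api.example.ts.net:443":
          {"Handlers": {"/": {"Proxy": "http://127.0.0.1:8710"}}}}
}"""

def check_serve_config(text, hostname, tailnet, port):
    """Return a list of problems found in one Tailscale serve config."""
    problems = []
    if PLACEHOLDER in text:
        problems.append(f"placeholder {PLACEHOLDER} was not replaced")
    cfg = json.loads(text)
    if cfg.get("TCP", {}).get("443", {}).get("HTTPS") is not True:
        problems.append("TCP port 443 is not marked HTTPS")
    # The Web key must be <compose hostname>.<tailnet>:443 so that it lines up
    # with the URLs written to config.env and settings.toml.
    want = f"{hostname}.{tailnet}:443"
    web = cfg.get("Web", {})
    if set(web) != {want}:
        problems.append(f"Web entries {sorted(web)} do not match {want}")
    for site in web.values():
        for path, handler in site.get("Handlers", {}).items():
            target = urlsplit(handler.get("Proxy", ""))
            # The app shares the Tailscale container's network namespace
            # (network_mode: service:...), so the proxy target is loopback.
            if (target.scheme, target.hostname, target.port) != ("http", "127.0.0.1", port):
                problems.append(f"handler {path} proxies to {handler.get('Proxy')}, "
                                f"expected http://127.0.0.1:{port}")
    return problems

if __name__ == "__main__":
    for issue in check_serve_config(SAMPLE_API, "openrelik-api", "example.ts.net", 8710):
        print("FAIL:", issue)
```

To check the real files, pass the contents of `openrelik-api.json` with port 8710 and of `openrelik-ui.json` with hostname `openrelik` and port 8711.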