Intro

I just got a Ubiquiti UNAS 2. This is how I got Tailscale running on it, and how I set it up to back up to a Windows SMB share over Tailscale by routing the UNAS's traffic to Tailscale through my UDM, since the UNAS itself can only run Tailscale in usermode networking.

UNAS backup to Tailscale SMB

Do this at your own risk. There is a very good reason that SSHing into a Unifi device warns you: "you acknowledge that the use of CLI to modify device(s) outside of their normal operational scope, or in any manner inconsistent with the ToS or EULA, will permanently and irrevocably void any applicable warranty."

ATP is to blame

That said, the excellent Accidental Tech Podcast is clearly to blame: first Marco got me hooked on Ubiquiti Unifi gear, then Casey had me go all in on Tailscale.

But what happens when you combine the two? I'm sure Ubiquiti will support Tailscale natively one day, on an infinite timescale. Until then, it's a little involved.

For those that don't know: Ubiquiti provides networking gear to small businesses and homes. It works well and it all integrates seamlessly.

Tailscale brings all your devices together into a virtual LAN so that they can always talk to each other, even when they are not on the same physical network (it is essentially free for individuals).

How it started

A few years ago I got the Unifi Dream Machine (UDM Pro) which is the backbone of my home network.

I wanted to install Tailscale on it so that I could reach it via its Tailscale address no matter where I was, and also so that I could create and install certificates via Tailscale, meaning I could access it over https, for example https://home-udm-pro.domain.ts.net/network/default/dashboard

Ubiquiti does also provide a great VPN service, but I want Tailscale everywhere. If you know, you know.

I installed Tailscale on my UDM by enabling SSH access, sshing into it, and using the script at https://github.com/SierraSoftworks/tailscale-udm … That got it up and running very quickly and easily.

How it is going

Once you are in the Ubiquiti ecosystem, it kind of sucks you in … I just got a Ubiquiti UNAS 2, which is a bare-bones Network Attached Storage (NAS) device that supports two disks in RAID 1.

Installing Tailscale on the UNAS 2

On my UNAS 2, I enabled SSH and tried running the same script. It didn't work, since it didn't recognize the device. That was trivial to fix, and my pull request was accepted, so it should work for you now.

Tailscale didn't start though. It seems Ubiquiti ship a stripped-down version of Linux without the prerequisite components.

There is a workaround, which is to run Tailscale using usermode networking (primarily made for Docker), as described here: https://github.com/SierraSoftworks/tailscale-udm/issues/120#issuecomment-3148812300 … this does have unfortunate restrictions though, as we will see later.

Having generated SSL certificates and installed them, I was able to access both my UDM and my UNAS 2 via https:// using their Tailscale names.

UNAS 2 https via Tailscale

Accessing Tailscale devices from the UNAS 2

My next step was to have the UNAS 2 back up to an SMB server running on a Windows machine that is part of my Tailscale network, on the other side of the world.

This is where things got messy. I could not connect to the SMB server, either from the UNAS 2 web interface or simply by pinging it when sshed into the UNAS. Neither the Tailscale name nor the Tailscale IP address worked. This turned out to be a consequence of running Tailscale in usermode networking: the UNAS has no Tailscale network interface of its own for outbound traffic to go through.

The solution was to tell the UDM to forward traffic to Tailscale. I sshed into my Unifi Dream Machine and ran:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o tailscale0 -j MASQUERADE

This masquerades (source-NATs) traffic from my 192.168.1.0/24 LAN onto the tailscale0 interface, so packets from the UNAS to Tailscale addresses leave the UDM as if they came from the UDM's own Tailscale node, and the replies come back through it. Note that as written the rule applies to every host on the LAN subnet, not just the UNAS; if you only want the UNAS to reach your tailnet this way, narrow -s to its address.

Now, on my UNAS 2, I was able to ping my remote Windows machine using its Tailscale IP address (but not its Tailscale name), and that was good enough.

Unable to connect to Windows login SMB share

Next I tried to set up the backup, but I still could not connect. Looking at the Windows Event Log on the remote Windows machine whose share I was trying to mount via SMB, I could see that the Microsoft account I was using was not being accepted (even though I was able to connect with that same account from a Mac). It was treating my Microsoft account as a local workgroup account:

Account For Which Logon Failed:
	Security ID:		NULL SID
	Account Name:		damian@mehers.com
	Account Domain:		WORKGROUP

My solution was to create a second, local Windows account called damiansmb, grant that account access to the Windows SMB share, and connect from the UNAS using it instead.
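As an added example (not from the original post), here is a small parser that pulls the "Account For Which Logon Failed" block out of Security-log text in the layout shown above and names this failure pattern, so it can be spotted in a log dump rather than by eye. The log text is constructed; the second record and the WINBOX hostname are made up.

```python
import re
from dataclasses import dataclass


@dataclass
class FailedLogon:
    sid: str
    account: str
    domain: str


# Constructed sample in the text layout Event Viewer uses for the
# "Account For Which Logon Failed" block. The first record mirrors the post;
# the second (local user on a constructed host "WINBOX") is made up.
SAMPLE_LOG = (
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tdamian@mehers.com\n"
    "\tAccount Domain:\t\tWORKGROUP\n"
    "\n"
    "Account For Which Logon Failed:\n"
    "\tSecurity ID:\t\tNULL SID\n"
    "\tAccount Name:\t\tdamiansmb\n"
    "\tAccount Domain:\t\tWINBOX\n"
)

# One block = header line followed by the three tab-separated fields.
BLOCK_RE = re.compile(
    r"Account For Which Logon Failed:\s*\n"
    r"\s*Security ID:\s*(?P<sid>.+?)\s*\n"
    r"\s*Account Name:\s*(?P<account>.+?)\s*\n"
    r"\s*Account Domain:\s*(?P<domain>.+?)\s*(?:\n|$)"
)


def parse_failed_logons(text: str) -> list[FailedLogon]:
    """Extract every failed-logon block from exported Security-log text."""
    return [FailedLogon(m["sid"], m["account"], m["domain"])
            for m in BLOCK_RE.finditer(text)]


def classify(logon: FailedLogon) -> str:
    """Name the likely cause so the fix is obvious.

    An e-mail-style account name paired with the WORKGROUP domain means the
    client presented a Microsoft-account name and the server looked for a
    local user of that name, which does not exist (hence NULL SID). The fix
    described in the post is a dedicated local account on the SMB server.
    """
    if "@" in logon.account and logon.domain.upper() == "WORKGROUP":
        return "microsoft-account-sent-as-local-workgroup-user"
    return "local-account-logon-failure"
```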

UNAS 2 https via Tailscale

In summary

I can now access my UNAS 2 via Tailscale, and by enabling routing from my LAN to Tailscale on my UDM and setting up a local Windows account, I am able to back up to a Windows SMB share via Tailscale.

If you know better ways of doing this, please let me know. Kind comments and feedback are welcome.