Using Tailscale with an OrbStack VM on macOS (opens in new tab)

(github.com)

80 pointshighpost28d ago19 comments

Here's an example of how to build an Ubuntu VM using OrbStack on macOS and then connect to the VM through Tailscale SSH using an auth key stored in Apple Keychain.

For example, I can create a VM on my Mac mini at home that hosts a git repo or even a Forgejo server. A colleague in my Tailnet can then connect to this VM to clone, push or pull source code changes from a coffeeshop or airliner while not exposing the rest of my Mac mini.

Using Tailscale with an OrbStack VM on macOS

(github.com)

80 pointshighpost28d ago19 comments

Here's an example of how to build an Ubuntu VM using OrbStack on macOS and then connect to the VM through Tailscale SSH using an auth key stored in Apple Keychain.

19 comments

18 comments · 6 top-level

philips25d ago· 4 in thread

I recently learned of OrbStack and it feels like the only product that actually makes an effort to integrate VMs and Containers correctly and consistently into macOS.

Docker Desktop and Podman Desktop are both a treadmill made of Lego bricks.

jzelinskie25d ago

Hi Brandon!

Have you tried Apple's container CLI[0]? I'm still mostly using OrbStack, but container gives me some hope for the future that Apple cares about this experience.

[0]: https://github.com/apple/container

highpostOP25d ago

I also have a similar example repo for the Apple Containerization Framework.

https://news.ycombinator.com/item?id=48002958

dj0k3r25d ago

Curious if either of those support USBIP yet ? Last i checked there isn't a stable solution for it except maybe docker ?

1 more reply

philips25d ago

Woah, that is cool! I will check it out.

sudosteph25d ago· 3 in thread

I use tailscale with Orbstack so that my agents on the vm can use tailscale serve to share dashboards I can view on my phone. Works out nicely.

One thing I noticed though, is that even if I set up the VM as a tagged device with limited access rules, if my host machine (the laptop) is connected as my user (which has less limited permissions), the vm uses my host's user permissions, which isn't really what I want. If I disconnect tailscale on the mac and leave the vm tailscale connected it works as intended though - so that's something to look out for.

Also, if you're using orbstack as an agent sandbox, just be aware that they only recently added an option for true filesystem isolation, the default setup doesn't really sandbox effectively.

mikeocool25d ago

It sounds like you have tailscale setup in the container with userspace networking — which works smoothly for incoming traffic, but for outgoing traffic to use the container’s tailscale device it has to be routed through a proxy that tailscaled runs, otherwise it goes over the host’s network.

I haven’t tried with orbstack, but it is possible to setup containers to use tailscale with kernel networking by mounting /dev/net/tun into the container. With that setup outgoing traffic will automatically route to the tailnet as the container’s device (and you don’t need tailscale on the host at all).

chris_st25d ago

I have this setup, roughly, with UTM rather than orbstack. I think I have it set up safely, curious how you see it has the wrong permissions?

kenanfyi25d ago

Good to hear they added true isolation. I had immediately moved to Colima when I was considering options because of this.

robgough25d ago· 2 in thread

I do all my dev inside docker/orbstack environments. I've been using a Tailscale sidecar for each, which has let me easily spin up second (and third!) copy of each repo without having to worry about them interfering with each other (the same open ports etc.). I've not extended to using worktrees, as right now I prefer entirely separate clone's of a repo, but that may well change and I suspect this would work well for that too.

https://robgough.net/multiple-app-instances-with-tailscale

Also has the handy effect of making it super easy to share my dev environment with anyone else on my tailnet, though this could be locked down if needed.

threecheese25d ago

Looks like you provision a fresh tailnet host for each clone? You mention multi-tenancy via subdomain routing and I wonder if this is unrelated.

robgough25d ago

I do yeah, Tailscale is generous with the "device" counts so I'm not worried about using them up -- especially as I spin them up as ephemeral, so as soon as I shutdown the stack they're gone, but the "random" name persists across shutdowns as I store it in a file that stays out of git.

The subdomain routing then works by pointing to that ephemeral machines ip, and my site in dev mode populates the sidebar with active links for this so it's not like I have to keep updating bookmarks etc. Super convenient. It's probably the weakest part of the setup (no https) but works fine for my needs.

threecheese25d ago· 2 in thread

OrbStack is great, it makes everything so easy - like networking: VMs and containers can talk to the host and to each other using hostnames; and file sharing: there are automatic mounts between host and guest; and sshing around just works.

Part of that though requires adopting a security model where thats OK. As I’ve started sprinkling MacOS hosts and guests throughout my network, I’ve needed to adopt other vz tactics.

OPs use of Tailscale mirrors my own, but given the security model of OrbStack it’s mostly a convenience rather than a hard security partition within the lan or even the host.

kdrag0n24d ago

We have isolated machines in OrbStack now! Isolated machines have options for network isolation and mounting only specific paths (or none).

threecheese16d ago

You guys are rockstars; thanks!

CalChris25d ago· 1 in thread

Interesting. Can you do this with Forgejo?

skinfaxi25d ago

What do you mean?

Bnjoroge24d ago

I use Tailscale with orbstack machines which allows me to run two tailnets at once($dayjob and homelab). Both great products. https://bnjoroge.com/posts/connecting-to-multiple-tailscale-...

j / k navigate · click thread line to collapse