drio

Embedding tailscale in go with tsnet

You know I love Tailscale. It lets you regain confidence and trust in your network, which in turn lets you focus on writing the tools and services your users need. Today I want to talk about tsnet. tsnet is a library for embedding Tailscale in a Go program. What does that mean? How does it work? What are you talking about? Let's jump in.

tsnet uses a TCP/IP stack at the userland level. Most operating systems allow you to create virtual network devices so your programs can send and receive packets through them, and tsnet uses that machinery to connect to your tailnet. Once your program is connected, it shows up in the list of "machines" in the tailnet. At that point you can control access to it with ACLs, just as you would if you were running tailscaled on a machine.

This opens up so many possibilities. The golink tool is probably the canonical example. It gives you short URLs for your tailnet. Tailscale extends your OS's DNS resolver so you can reach every machine in your tailnet by name. golink is a tsnet program. When you run a tsnet program you register a name on the tailnet; in this case the name is "go". Now you have a "machine" named go in your network. But it is not a machine, it is a piece of Go code. When you hit go over HTTP, the requests go to the golink program. The program takes the path from the URL and checks whether a mapping exists for it; if one does, it redirects your request to that URL. This is very useful. I use it at work to map things like http://go/dashboard to a Grafana dashboard.

Talking about Grafana: another extremely useful application of tsnet is using your Tailscale identity to log in to services like Grafana automatically. Typically you have to add and remove users via the Grafana UI. This is fine but adds churn. If your users are already authenticated to your tailnet, why not tap into that? That is exactly what you can do with proxy-to-grafana. It is another tsnet program that processes HTTP requests and checks whether you are authenticated on the tailnet; if you are, it adds a few headers to the HTTP request and redirects it to the Grafana instance. You configure Grafana to look for specific headers that contain the username and role to use, and if Grafana finds those, it loads the session with that identity. Brilliant.
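To make the two programs above concrete, here is an added example (my own code, not golink or proxy-to-grafana) with the core of each: a go/&lt;name&gt; redirect handler, and an identity-header proxy that strips whatever identity headers the client sent before filling them from the tailnet lookup. The link table, the peer address 100.64.0.2, the login drio@example.com and the Grafana header names X-WEBAUTH-USER / X-WEBAUTH-ROLE are constructed or assumed; in a real tsnet program WhoIs would be s.LocalClient().WhoIs and the handlers would be served from s.Listen("tcp", ":80") on a tsnet.Server with Hostname "go".

```go
package main

import (
	"context"
	"errors"
	"net"
	"net/http"
	"strings"
)

// Links is a constructed go/<name> -> URL table of the kind a golink-style program serves.
var Links = map[string]string{"dashboard": "https://grafana.example.internal/d/home"}

// GolinkHandler redirects /<name> to its mapped URL and answers 404 for unknown names.
func GolinkHandler(links map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target, ok := links[strings.Trim(r.URL.Path, "/")]; ok {
			http.Redirect(w, r, target, http.StatusFound)
			return
		}
		http.NotFound(w, r)
	})
}
type Identity struct{ Login, Role string } // what the tailnet reports about the peer behind a connection
// WhoIs resolves a peer address to its identity; in a real tsnet program this wraps s.LocalClient().WhoIs.
type WhoIs func(ctx context.Context, remoteAddr string) (Identity, error)
// FakeWhoIs is a constructed stand-in: one hard-coded peer address, everything else rejected.
func FakeWhoIs(_ context.Context, remoteAddr string) (Identity, error) {
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil && host == "100.64.0.2" {
		return Identity{Login: "drio@example.com", Role: "Admin"}, nil
	}
	return Identity{}, errors.New("not a tailnet peer")
}

// IdentityProxy fills Grafana auth-proxy headers from the tailnet identity. The header names assume
// a Grafana [auth.proxy] config of header_name = X-WEBAUTH-USER and headers = Role:X-WEBAUTH-ROLE.
func IdentityProxy(who WhoIs, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Drop identity headers the client sent: only the proxy may assert who the caller is.
		r.Header.Del("X-WEBAUTH-USER")
		r.Header.Del("X-WEBAUTH-ROLE")
		id, err := who(r.Context(), r.RemoteAddr)
		if err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Set("X-WEBAUTH-USER", id.Login)
		r.Header.Set("X-WEBAUTH-ROLE", id.Role)
		backend.ServeHTTP(w, r)
	})
}
```

Grafana must be reachable only through this proxy (for example bound to localhost), otherwise the header check it performs is meaningless.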

That is an example of how tailscale gives you better networking.

drio out.