I’m afraid I come to you this morning with terrible news: I’ve been writing code again.
It involves Lambda and Tailscale and is no doubt an atrocity committed against all of humanity. Before we go any further, let me explain the problem I’m attempting to solve in the worst possible (for my skills) way imaginable.
Corey, what have you done?
Communicating securely between various networks and cloud providers is a challenge. You’ve got to either wrangle a bunch of networking rules, or else set up a VPN at great time and expense.
Tailscale is a next-generation VPN approach that wraps around Wireguard. It offers a useful management interface, uses far less power on mobile devices than options like OpenVPN, and claims to run on almost anything.
What I’ve done is taken Tailscale at its word and built an AWS Lambda extension to provide a SOCKS5 proxy inside of the Lambda runtime environment.
In other words, this extension can be used with any existing Lambda function to provide communication across your Tailscale network — without having to configure a bunch of network rules that, frankly, don’t work very well across different provider boundaries.
So far, I’ve used the extension to have Lambda functions talk to:
- The Raspberry Pi in my video production studio/guest room/sewing closet/screamatorium.
- My massively overpowered instance running in Oracle Cloud’s yes-it’s-actually-free tier.
- My iPhone and iPad.
- Resources living inside of my AWS VPCs, without having to use a NAT instance or Managed NAT Gateway to allow those functions to also speak to external resources.
How does your Lambda extension for Tailscale work?
Lambda extensions allow you to run tooling alongside your Lambda functions, but in typical AWS fashion, they aren’t particularly well-explained or documented. (My thanks to Julian Wood for helping me decipher the mysteries of the offering.)
What I’ve done is tricked Lambda extensions into taking advantage of Tailscale’s ephemeral keys combined with its userspace networking mode to reliably handshake with the rest of the Tailscale network. Once the tunnel is up, the Lambda begins its normal execution. This adds a small amount of latency to each invocation, so I’d not deploy it to functions that don’t need it. Once it’s up, you can expose “localhost:1055” as a proxy variable to your function. Many languages will automatically use the SOCKS5 proxy; others will need specific libraries added to use it. You’ll need to add your ephemeral key to your Lambda environment as a variable named “TS_KEY” or it won’t work. Past that, batteries are included.
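An added example of what that looks like from inside a function (my illustration, not code from the extension or its repository): refuse to run without TS_KEY, export the proxy variables that SOCKS-aware clients pick up, and, for a runtime whose HTTP client does not speak SOCKS, do the RFC 1928 CONNECT handshake by hand. The listener address (localhost:1055) and the TS_KEY name come from the post; the helper names, the “raspberrypi” hostname, and the in-process fake listener are constructed so the example runs offline.

```python
import os
import socket
import struct
import threading

# From the post: the listener is on localhost:1055 and the ephemeral key is read
# from TS_KEY. Every function below is an illustrative helper, not extension code.
PROXY_HOST = "127.0.0.1"
PROXY_PORT = 1055


def proxy_environment(env=None):
    """Proxy variables a function can export so SOCKS-aware clients use the
    listener. Fails early when TS_KEY is missing, since without it the
    extension never joins the tailnet and the proxy never comes up."""
    env = os.environ if env is None else env
    if not env.get("TS_KEY"):
        raise RuntimeError("TS_KEY is not set; the Tailscale extension cannot bring the tunnel up")
    url = f"socks5h://{PROXY_HOST}:{PROXY_PORT}"  # socks5h: the proxy resolves names, so tailnet hostnames work
    return {"ALL_PROXY": url, "HTTPS_PROXY": url, "HTTP_PROXY": url}


def _recv_exact(sock, n):
    # SOCKS5 fields are fixed-size, so read exactly n bytes or fail.
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed during SOCKS5 exchange")
        buf += chunk
    return buf


def socks5_connect(host, port, proxy=(PROXY_HOST, PROXY_PORT), timeout=5.0):
    """Connect to host:port through a SOCKS5 proxy (RFC 1928, no-auth method,
    domain-name address type) and return the socket; this is the work a
    runtime without a SOCKS-aware client library has to do itself."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")  # VER=5, NMETHODS=1, method 0 = no auth
        ver, method = _recv_exact(sock, 2)
        if ver != 5 or method != 0:
            raise OSError("proxy refused the no-auth method")
        name = host.encode("idna")
        sock.sendall(b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port))
        ver, rep, _rsv, atyp = _recv_exact(sock, 4)  # CONNECT reply header
        if ver != 5 or rep != 0:
            raise OSError(f"SOCKS5 CONNECT failed with reply code {rep}")
        bound = {1: 4, 4: 16}.get(atyp)  # IPv4 / IPv6 BND.ADDR lengths
        if bound is None:
            if atyp != 3:
                raise OSError(f"unknown SOCKS5 address type {atyp}")
            bound = _recv_exact(sock, 1)[0]  # domain name: length-prefixed
        _recv_exact(sock, bound + 2)  # skip BND.ADDR plus BND.PORT; payload follows
        return sock
    except Exception:
        sock.close()
        raise


def fake_socks5_server(greeting=b"hello from the tailnet"):
    """Constructed stand-in for the extension's listener so the example runs
    offline: serves one client, records the requested destination, replies
    success and sends a greeting. Returns (port, seen, thread)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        conn, _ = listener.accept()
        listener.close()
        with conn:
            _ver, nmethods = _recv_exact(conn, 2)
            _recv_exact(conn, nmethods)
            conn.sendall(b"\x05\x00")  # select no-auth
            _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
            if atyp != 3:
                raise OSError("fake server only handles the domain-name address type")
            name = _recv_exact(conn, _recv_exact(conn, 1)[0]).decode("idna")
            dest_port = struct.unpack("!H", _recv_exact(conn, 2))[0]
            seen["dest"] = (name, dest_port)
            conn.sendall(b"\x05\x00\x00\x01" + bytes(6))  # success, bound to 0.0.0.0:0
            conn.sendall(greeting)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, seen, thread


def demo(host="raspberrypi", port=80):
    """Round trip through the fake listener; host is a constructed tailnet name."""
    proxy_port, seen, thread = fake_socks5_server()
    with socks5_connect(host, port, proxy=("127.0.0.1", proxy_port)) as sock:
        received = b""
        while chunk := sock.recv(1024):
            received += chunk
    thread.join(timeout=5)
    return seen["dest"], received
```

The socks5h scheme matters: with plain socks5, the function would try to resolve the tailnet hostname through Lambda’s own resolver and fail; with socks5h the name is handed to the proxy, which resolves it on the Tailscale side. The fake listener only exists so the handshake can be exercised without a tailnet; against the real extension you would pass the default proxy of localhost:1055.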
Have you published a public extension people can use so they don’t have to build it themselves?
I was going to do this, but then I thought about it. I don’t really want to get people in the habit of trusting random things I put out there that are incredibly important to their security posture. Hence, I’ve put the code on GitHub, distilled the creation process down to a handful of “make” commands, and left the rest for you folks.
You’ll need a configured AWS CLI and Docker on your build environment. Past that, you should be set. Open a GitHub issue if you discover otherwise.
Where can I find this thing?
On my GitHub. I’d put it on CodeCommit except that this is, for once, not a joke.
Wait, is this a joke?
Not in the least. The code works — you can review it yourself.
What software license does this thing use?
You people are absolutely insufferable, you know that? The MIT license. Please go away.
I don’t understand why I’d use this
Then don’t! This is far from a universal balm that cures all ills. It solved a specific problem that I have, poked yet another stick in the eye of AWS’ Managed NAT Gateway 4.5¢-per-GB data processing fee, and gave me an excuse to inflict my crappy version of code on the world.
Tailscale is a for-profit company. Are you being sponsored by them?
Well, not yet, I’m not!
I’ve been using Wireguard, the VPN technology that Tailscale is based on, for a while and like it. Tailscale provides a much more polished user experience on top of Wireguard. I’m still in Tailscale’s free tier offering and have yet to pay them a dime.
I very much like Tailscale’s approach to solving the problem, and I’ve been using it extensively across all of my devices for a month now. As an example, I have a Raspberry Pi running Pi-hole, an ad-blocking DNS server, that provides DNS to the entire network. That was a colossal pain to get set up before Tailscale.
What’s next for this monstrosity?
Now that I’ve pressed publish on this post, I wait for the criticisms and pull requests to roll in.