diff --git a/config-example.yaml b/config-example.yaml index 940fe57f..4fc06c97 100644 --- a/config-example.yaml +++ b/config-example.yaml @@ -16,6 +16,13 @@ server_url: http://127.0.0.1:8080 # listen_addr: 0.0.0.0:8080 +# Address to listen for gRPC. +# gRPC is used for controlling a headscale server +# remotely with the CLI +# Note: Remote access _only_ works if you have +# valid certificates. +grpc_listen_addr: 0.0.0.0:50443 + # Private key used encrypt the traffic between headscale # and Tailscale clients. # The private key file which will be diff --git a/docs/remote-cli.md b/docs/remote-cli.md index 3d4bbafb..1a1dc1de 100644 --- a/docs/remote-cli.md +++ b/docs/remote-cli.md @@ -7,6 +7,7 @@ - Access to create API keys (local access to the `headscale` server) - `headscale` _must_ be served over TLS/HTTPS - Remote access does _not_ support unencrypted traffic. +- Port `50443` must be open in the firewall (or port overriden by `grpc_listen_addr` option) ## Goal @@ -53,10 +54,17 @@ chmod +x /usr/local/bin/headscale 4. Configure the CLI through Environment Variables ```shell -export HEADSCALE_CLI_ADDRESS="" +export HEADSCALE_CLI_ADDRESS=":" export HEADSCALE_CLI_API_KEY="" ``` +for example: + +```shell +export HEADSCALE_CLI_ADDRESS="headscale.example.com:50443" +export HEADSCALE_CLI_API_KEY="abcde12345" +``` + This will tell the `headscale` binary to connect to a remote instance, instead of looking for a local instance (which is what it does on the server).