Follow up from https://lemmy.world/post/37310527
We did it gang, and we went even further to be able to enter the LUKS password from anywhere via Tailscale.
The general Dropbear info from the Debian wiki seems accurate, though it included dropbearconvert usage that wasn’t mentioned elsewhere. Unsure if that was needed or not, but I did it anyway.
I also referenced this guide. I especially enjoyed the -c cryptroot-unlock param to Dropbear so it automatically prompts me for the password on login.
I’ve been getting familiar with Tailscale over the past few weeks and also just replaced my home router (immediately flashed with OpenWrt). Turns out you can run Tailscale on OpenWrt and cajigger it in a way that you can use the router as an exit node while allowing LAN access. So, I did that. Now, with Dropbear, the static IP in my initramfs, and Tailscale, if the server reboots while I’m away from home I can SSH via my phone and enter the LUKS password to allow it to boot.
… mostly it’s just going to be when I don’t want to dig behind my desk to plug in a keyboard, but the truly remote option is nice too.
Thanks for all the input.
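
An added example, not part of the original post: a small audit of the option string given to Dropbear in the initramfs (the DROPBEAR_OPTIONS variable in the dropbear-initramfs config), checking that the pre-boot SSH service only does the -c cryptroot-unlock job mentioned above. The sample strings and port 2222 are constructed, and the check assumes every flag is written as its own word.

```shell
#!/bin/sh
# Audit a Dropbear option string for an initramfs LUKS-unlock setup.
# Prints the findings (empty when hardened) and returns 0 only if none.
# Assumption: flags are separate words ("-j -k"), not clustered ("-jk").

audit_dropbear_opts() {
    has_s=0 has_j=0 has_k=0 forced=""
    set -f                      # no globbing while we split the string
    set -- $1                   # intentional word splitting
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            -s) has_s=1 ;;                          # password logins disabled
            -j) has_j=1 ;;                          # local forwarding disabled
            -k) has_k=1 ;;                          # remote forwarding disabled
            -c) forced=${2:-}; [ $# -gt 1 ] && shift ;;   # forced command
            -p|-I) [ $# -gt 1 ] && shift ;;         # skip port / idle timeout value
        esac
        shift
    done

    findings=""
    [ "$has_s" -eq 1 ] || findings="$findings password-logins-enabled"
    [ "$has_j" -eq 1 ] || findings="$findings local-forwarding-enabled"
    [ "$has_k" -eq 1 ] || findings="$findings remote-forwarding-enabled"
    [ "$forced" = "cryptroot-unlock" ] || findings="$findings no-forced-unlock-command"

    printf '%s\n' "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample option strings.
HARDENED="-I 180 -j -k -p 2222 -s -c cryptroot-unlock"
WEAK="-p 2222 -c cryptroot-unlock"

for sample in "$HARDENED" "$WEAK"; do
    if result=$(audit_dropbear_opts "$sample"); then
        echo "OK:   $sample"
    else
        echo "WEAK: $sample -> $result"
    fi
done
```

With the forced command in place and forwarding disabled, a key that reaches the initramfs SSH port can submit a passphrase to cryptroot-unlock but cannot get a shell or tunnel into the LAN through the half-booted server.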


That’s mostly correct. If we want to be super technical, I’m not “logging in” to my router, just using it as a Tailscale network bridge to gain LAN access so I can SSH from my phone to my server. But, in general, yeah.
I currently don’t allow any direct access to my server from the internet. The only way to access it is Tailscale. I have Tailscale installed on both my desktop (always on) and my router (also, always on). The reason I installed it on the router is because my desktop is also full disk encrypted. So, if there’s a power outage then both the server and desktop will reboot and both will be waiting for LUKS unlock, rendering my desktop useless as a Tailscale jump point.
Since the router boots automatically, it will always start back up and allow Tailscale access after an outage, and therefore I can use it to access my LAN and SSH to the server to enter the password.
Basically the same setup you’ve got with the RPi - having a node that comes online automatically after a power outage, automatically starts Tailscale, and allows LAN access. You use an RPi, I use my router. (I briefly did the exact same thing as you, with an RPi, until I found I could install it on the router : )