Tailscale - Will It Work With Dual NICs On BI To View UI3 With No Internet?

Alaska Country · Sep 20, 2023

Using Blue Iris with dual NICs. One connected to a 24 port POE switch with the other NIC connected to the LAN. Both cards have no DCHP set and no internet connectivity.

The Blue Iris web server is on 192.168.1.135:81 and UI3 is currently reachable from any Windows's desktop connected to the LAN side of the Asus router for viewing Dahua cameras plus internet.

Goal
To use Tailscale on a phone or tablet to connect to UI3 and nothing else.

Possibilities
Is it possible to use Tailscale, when installed on a Window's desktop, (non BI machine) to only access UI3 for remove camera viewing?

In addition there is the requirement to maintain zero internet connectivity on Blue Iris plus provide security for other files on the Tailscale enable desktop? i.e. no hard drive or file snooping for the technically inclined.

Alaska Country · Sep 20, 2023

Point of Clarification

The Blue Iris Window's NIC is on a subnet at 192.168.55.xxx with no internet. This NIC is connected to a 24 port POE switch that provides power and data connections to the Dahua cameras.

The other Blue Iris NIC is on 192.168.1.xxx with no internet. Neither have DHCP set.

The desktop computers are connected to the LAN side of the router (Asus) and are on 192.168.1.xxx with internet. The second Blue Iris NIC is also connected to the same LAN.

All of the LAN connected computers are able to access and interact with UI3.

The thought is with Tailscale and/or ZeroTier installed on the desktop machine (no Tailscale on the BI machine) that a link could be established to connect the none BI machine to a remote phone or tablet for viewing and interaction of UI3.

bp2008 · Sep 20, 2023

I looked over the Tailscale feature list and it looks like it might be possible to configure something natively using the "Subnet routers" feature and Access Control Lists, but I'm not sure how complex that would be or exactly how it would work.

If I were you I would set up a reverse proxy server on the machine with "Tailscale and/or ZeroTier", configured to know how to talk to Blue Iris. Then your other Tailscale/Zerotier clients can connect to the reverse proxy server through the virtual network, and the reverse proxy server forwards all the requests to Blue Iris's web server on the BI machine. As far as Blue Iris is concerned it would look just like local LAN traffic coming from the machine with the reverse proxy software on it. Does that make sense?

There are a lot of different reverse proxy programs. Most of them require messing around with configuration files, and I hate that, so I created one myself this year called simply "WebProxy" which is fully configured via a graphical interface. Feel free to try it out: WebProxy: GUI-based alternative to stunnel

As I said there are a lot of reverse proxy programs. If for any reason you don't want to use WebProxy, you could use stunnel or nginx or IIS (Internet Information Services) which is Microsoft's own web server built into Windows (but not preinstalled). There is even a built-in low level TCP proxying capability in Windows which can proxy to Blue Iris, but it has to be fully configured and managed via command line.

Alaska Country · Sep 20, 2023

Did try, a year ago, ZT and was successful. However, at that time BI was connected to the internet. Since then, it is a dual NIC machine with no internet which complicates the entire scenario.

Will take a look at your "WebProxy: GUI-based alternative to stunnel". Appreciate the suggestion.

Would assume it is then not possible to use Tailscale or ZT to only access one of the LAN connected computers with internet that can also see UI3?

For my needs there is no need to actually connect to BI to use any of its functions for camera setup. The overall goal is to install a camera or two on a neighbor's house and provide them the ability to view via UI3 with Tailscale or ZT. i.e. they always ask how they can see the camera video. Thus something simple to use on their end is always a plus.

Will provide a system diagram in the next post.

Alaska Country · Sep 20, 2023

The WIFI router is connected to the LAN side of the Asus router for testing Tailscale using a tablet. Normally, it is not part of the system.

The plan is to use separate logins for Tailscale along with the normal IP address at 192.168.1.xxx (Computer1) and with the tablet on WIFI at 192.168.55.xxx.

Perhaps this will work for testing. So far the desk top #1 with Tailscale installed has the ability to send a file to the tablet (Tailscale installed). However, the tablet can not view the desktop.

It may be that the same login credentials are being used for both accounts. Perhaps creating a separate set of credential will be required.

Or their system is detecting that the same network is being using and it is something that Tailscale does not support even though one is on a different subnet (.1 vs .55).

Alaska Country · Sep 21, 2023

Noticed this bit of information on the TS site. Is this something to consider to access UI3 without adding internet to the BI machine?

Subnet routers and traffic relay nodes

Tailscale works best when the client app is installed directly on every client, server, and VM in your organization. That way, traffic is end-to-end encrypted, and no configuration is needed to move machines between physical locations.

However, in some situations, you can’t or don’t want to install Tailscale on each device:

With embedded devices, like printers, which don’t run external software
When connecting large quantities of devices, like an entire AWS VPC
When incrementally deploying Tailscale (eg. on legacy networks)

In these cases, you can set up a “subnet router” (previously called a relay node or relaynode) to access these devices from Tailscale. Subnet routers act as a gateway, relaying traffic from your Tailscale network onto your physical subnet. Subnet routers respect features like access control policies, which make it easy to migrate a large network to Tailscale without installing the app on every device.

Subnet routers and traffic relay nodes · Tailscale Docs

Learn how to relay traffic from your Tailscale network onto your physical subnet.

tailscale.com

and

Experience from a Tailscale install on a Raspberry Pi as a subnet router

Experience from a Tailscale install on a Raspberry Pi as a subnet router

Hi, I just wanted to record my experience so far with a Tailscale install on an RPi 4B, prior to doing the same on a Pi 3. Hopefully it will help the less network-savvy folks that want to try it, like me. I am good at following instructions but I really don’t know what is happening underneath...

forum.tailscale.com

bp2008 · Sep 22, 2023

Alaska Country said:
Would assume it is then not possible to use Tailscale or ZT to only access one of the LAN connected computers with internet that can also see UI3?

The opposite is true.

Alaska Country said:
Noticed this bit of information on the TS site. Is this something to consider to access UI3 without adding internet to the BI machine?

Subnet routers and traffic relay nodes

Yes. This could most likely be configured to provide access to UI3, without the BI machine itself needing internet. I've never used Tailscale before so I don't know how easy that is to set up. That is what I meant in my first sentence in the previous post:

I looked over the Tailscale feature list and it looks like it might be possible to configure something natively using the "Subnet routers" feature and Access Control Lists, but I'm not sure how complex that would be or exactly how it would work.

bp2008 · Sep 22, 2023

Anyway I know for certain that you can achieve your goal using an HTTP reverse proxy server on the machine with internet access and tailscale or zerotier on it. I do similar all the time.

Alaska Country · Sep 22, 2023

Did get TS to work with the desktop and laptop combination (BI computer was not placed on TS). Could ping, using the assigned TS IP address in the 100 range and both showed connectivity. At that point did not locate the next how to in regard to accessing one computer from the other. Did also try a tablet and as TS shows there should be a login screen. But it is a no show on the tablet.

Will have to view some of the You Tube videos on the overall setup procedures.

Appreciate the comments and glad to hear that either TS or ZT will work for my intended purposes. Will also give ZT a try and see what develops.

Let me ask, assume that it is possible to test ZT using two different computers on the same network? i.e. it is not necessary to have different and isolated networks and both can be on the same router?

bp2008 · Sep 22, 2023

Alaska Country said:
Let me ask, assume that it is possible to test ZT using two different computers on the same network? i.e. it is not necessary to have different and isolated networks and both can be on the same router?

Sure, you can do that no problem.

Zerotier clients do not require login. You just enter the network ID on each client, and then in your zerotier portal website (ZeroTier Central -- does require login) you can authorize each client in order to grant it access to the network. A moment later an IP address will be assigned and you can give the client a name and description.

Alaska Country · Sep 23, 2023

Will work more with ZT with the goal to get the laptop, tablet and desktop all communicating with one another. Once that is working then BI can be added to the mix.

In regard to the BI computer, should your reverse proxy server be installed first? Then followed by ZT on the BI computer?

Still not understanding the part of how to install ZT on a non internet connected computer when ZT requires internet for functionality? i.e. at present the only connection to the LAN via BI is through the BI web server for the UI3 connection.

Could take the ZT files off the desktop and port them over to the BI machine with a thumb drive. But it looks like the ZT "ZeroTierOne.msi" install file may require an internet connection to complete it's task.

bp2008 · Sep 24, 2023

Alaska Country said:
In regard to the BI computer, should your reverse proxy server be installed first? Then followed by ZT on the BI computer?

Still not understanding the part of how to install ZT on a non internet connected computer when ZT requires internet for functionality? i.e. at present the only connection to the LAN via BI is through the BI web server for the UI3 connection.

You do not install ZT or the reverse proxy on the BI server. Install those on an internet-connected machine on the same LAN. Install order does not matter.

Alaska Country · Sep 27, 2023

Glad to see that ZT/TS will not be installed on the BI computer. That will simplify the installation process. Appreciate the update.

Search

Tailscale - Will It Work With Dual NICs On BI To View UI3 With No Internet?

Alaska Country

Getting comfortable

Alaska Country

Getting comfortable

bp2008

Alaska Country

Getting comfortable

Alaska Country

Getting comfortable

Alaska Country

Getting comfortable

Subnet routers and traffic relay nodes · Tailscale Docs

Experience from a Tailscale install on a Raspberry Pi as a subnet router

bp2008

bp2008

Alaska Country

Getting comfortable

bp2008

Alaska Country

Getting comfortable

bp2008

Alaska Country

Getting comfortable