# 5. Core Application Services - docker - XRDP

# Tailscale VPN

Tailscale VPN from [https://tailscale.com/](https://tailscale.com/)

- [ ] configures a host interface `tailscale0`
- [ ] installs auto-start for the tailscale daemon: `/etc/systemd/system/multi-user.target.wants/tailscaled.service`
- [ ] starts the service at boot, allocating IP address 100.100.69.2 to the `tailscale0` NIC
- [ ] attaches the `tailscale0` NIC to the shared VPN
- [ ] makes the 100.100.69.X addresses accessible
- [ ] makes the HOST available as an exit node, configured to use the account via the admin console at [https://login.tailscale.com/admin](https://login.tailscale.com/admin)
[![pngtree-banner-with-important-icon-vector-picture-image_7826342-244127159.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/lT9pngtree-banner-with-important-icon-vector-picture-image-7826342-244127159.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/lT9pngtree-banner-with-important-icon-vector-picture-image-7826342-244127159.png)

The server **SSH service** running on port 69 is only exposed on the `tailscale0` interface via the IP 100.100.69.2 once the daemon has started, via `/etc/systemd/system/ssh-after-tailscale.service`, and can only be accessed when connected as a valid VPN client:

```bash
#!/bin/bash
# Wait until tailscale0 has an IPv4 address before starting sshd, so that
# sshd (bound to 100.100.69.2:69) never comes up before the interface exists.
while ! ip addr show tailscale0 | grep -q "inet "; do
    sleep 10
done
systemctl start ssh
```
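The start-ordering script above only delays sshd; it does not by itself prove that sshd ended up bound to the VPN address alone. The following check is an added example (not part of the original page or the host's service files) that parses `ss -ltnp` output and fails if any sshd socket listens anywhere other than the expected `addr:port`. The two listings are constructed samples; the check assumes `sshd_config` pins `ListenAddress 100.100.69.2` and `Port 69`, which the page implies but does not show.

```shell
#!/bin/sh
# Added example: verify that sshd only listens on the Tailscale address.

# Constructed sample of `ss -ltnp` output (not captured from the real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    100.100.69.2:69      0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   172.22.22.1:10000    0.0.0.0:*         users:(("miniserv.pl",pid=990,fd=5))'

# Same listing but with sshd bound to all interfaces: the misconfiguration
# this check exists to catch (constructed).
SAMPLE_SS_BAD='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    0.0.0.0:69           0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:69              [::]:*            users:(("sshd",pid=812,fd=4))'

# check_ssh_listeners "<ss -ltnp output>" <expected addr:port>
# Returns 0 when every sshd listener matches the expected addr:port,
# 1 when any sshd socket binds elsewhere (or no sshd listener exists).
# Column 4 of `ss -ltnp` is "Local Address:Port".
check_ssh_listeners() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /"sshd"/ {
            n++
            if ($4 != want) { bad++; print "unexpected sshd listener: " $4 }
        }
        END {
            if (n == 0) { print "no sshd listener found"; exit 1 }
            exit (bad > 0)
        }'
}

# Live usage on the host once tailscaled and sshd are up:
#   check_ssh_listeners "$(ss -ltnp)" 100.100.69.2:69 && echo "sshd is VPN-only"
```

Run it from a cron job or the same systemd unit after `systemctl start ssh` to catch a later `sshd_config` change that silently re-exposes port 69 on every interface.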
# Webmin

Webmin from [https://webmin.com/](https://webmin.com/)

- [ ] installed onto the host system via a 3rd-party apt repository
- [ ] installs and is auto-configured to start at boot time
- [ ] OOB installation listens on all interfaces: https://<ip>:10000
- [ ] post install, modify `/etc/webmin/miniserv.conf`
- [ ] we will only listen on internally accessible networks
- [ ] we will disable SSL
- [ ] we will reverse proxy via nginx proxy manager, https to http:10000
Notable changes for `/etc/webmin/miniserv.conf`:

```
port=10000
sockets=172.22.20.1:*
ssl=0
no_ssl2=1
bind=172.22.22.1
ipv6=0
no_tls1_1=1
webprefixnoredir=1
no_tls1=1
no_ssl3=1
```
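Because the out-of-box install listens on every interface, it is worth auditing `miniserv.conf` after editing it rather than trusting the edit. The audit below is an added example (not Webmin's own tooling) that reads the key=value file and fails if `bind` is empty or a wildcard, if a `sockets` entry listens on all interfaces, or if `ssl` is not `0` for the proxied setup. Both config texts are constructed fragments built from the keys listed above.

```shell
#!/bin/sh
# Added example: audit /etc/webmin/miniserv.conf for the "internal only,
# TLS terminated at nginx" posture described on this page.

# Constructed fragment using the keys from this page (not a captured file).
SAMPLE_MINISERV='port=10000
sockets=172.22.20.1:*
ssl=0
bind=172.22.22.1
ipv6=0'

# Out-of-box style config: no bind address, Webmin's own SSL on (constructed).
SAMPLE_OOB='port=10000
ssl=1
bind='

# conf_get "<config text>" <key>: print the key's value (empty if absent).
conf_get() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# miniserv_is_proxied_internal "<config text>"
# Returns 0 when: bind is a specific address (not empty, 0.0.0.0 or *),
# no sockets entry listens on all interfaces, and ssl=0 (TLS handled by nginx).
# Prints each finding so the operator sees what to fix; returns 1 on any finding.
miniserv_is_proxied_internal() {
    rc=0
    case "$(conf_get "$1" bind)" in
        ''|0.0.0.0|'*') echo "bind is unset or a wildcard: Webmin listens on all interfaces"; rc=1 ;;
    esac
    case "$(conf_get "$1" sockets)" in
        '*:'*|'0.0.0.0:'*) echo "sockets entry listens on all interfaces"; rc=1 ;;
    esac
    [ "$(conf_get "$1" ssl)" = 0 ] || { echo "ssl is not 0: expected TLS to terminate at nginx"; rc=1; }
    return $rc
}

# Live usage on the host (then restart webmin if anything was changed):
#   miniserv_is_proxied_internal "$(cat /etc/webmin/miniserv.conf)"
```

The `ssl=0` finding is only correct when the Nginx Proxy Manager host in front of Webmin forces HTTPS, as the section below configures; if Webmin is ever reached directly, drop that check and keep SSL on.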
#### Installation Steps

1. ##### install webmin repo
   ```
   wget -O - https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh | sudo bash
   ```
2. ##### update repo
   ```
   sudo apt update
   ```
3. ##### install webmin package
   ```
   sudo apt install -y webmin
   ```
4. ##### start and verify service
   ```
   sudo systemctl status webmin
   sudo netstat -anp | grep 10000 | grep LISTEN | awk '{print $4}' | awk '{print "https://"$1}'
   ```
5. ##### access initial webmin UI and login as root

[![Screenshot 2025-06-23 at 21.07.46.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-07-46.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-07-46.png)
Installation CLI commands (copy & paste):

```
wget -O - https://raw.githubusercontent.com/webmin/webmin/master/webmin-setup-repo.sh | sudo bash
sudo apt update
sudo apt install -yq webmin
sudo systemctl status webmin
sudo netstat -anp | grep 10000 | grep LISTEN | awk '{print $4}' | awk '{print "http://"$1}' | xargs -n1 open
```
#### Update OOB installation

We can update via the Webmin UI to change a minimal set of options so that Webmin sits behind a local IP, which we access via HTTPS proxied through the nginx proxy. For the following configuration to be enabled, follow the setup steps below.

[![image.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/image.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/image.png)

##### Pre-Setup Requirements

- [ ] Docker installed on HOST
- [ ] Docker networks configured on HOST
- [ ] Nginx Proxy Manager container set up as per [The NGINX Proxy Manager Install Guide](https://bookstack.pknw1.co.uk/books/core-system/page/nginx-proxy-manager-000080443 "NGINX Proxy Manager [0.0.0.0:80/443]")
- [ ] Access from your local machine to the server Tailscale IP address via Tailscale VPN

##### NGINX Proxy Host Configuration

Your NGINX Docker compose file should be set up to listen on your VPN (Tailscale) server IP address:

- 100.100.69.2:80:80
- 100.100.69.2:443:443
- 100.100.69.2:81:81

We now set up an inbound host to listen on HTTP and HTTPS, setting the Domain Name and then routing traffic to one of the internal IP addresses that Webmin is listening on.

Next you want to request an SSL certificate or use the wildcard cert that should be available; ensure to **enable Force SSL** so all connections are secure. As a final check, we set up the advanced nginx config to check source IP ranges: if the address is not local or VPN, it is denied.
[![Screenshot 2025-06-23 at 21.57.23.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-57-23.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-57-23.png)

[![Screenshot 2025-06-23 at 21.57.44.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-57-44.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-57-44.png)

[![Screenshot 2025-06-23 at 21.57.51.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-57-51.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-57-51.png)
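The "advanced" source-IP check on the Webmin proxy host is an nginx `allow`/`deny` list, and it is the one control that keeps Webmin off the public side even if the Force SSL or bind settings regress. The block below is an added example (not from the page and not Nginx Proxy Manager's code) that reproduces the same allow-list decision in POSIX shell so the ranges can be sanity-checked offline before they go into the proxy host; the equivalent nginx directives are in the comment. The 100.100.69.0/24 range is inferred from the 100.100.69.X addresses on this page; 172.22.0.0/16 and 127.0.0.0/8 are assumed local ranges and must be adjusted to your networks.

```shell
#!/bin/sh
# Added example: the source-IP allow/deny decision that the NPM "advanced"
# config applies to the Webmin proxy host, as a testable shell function.
# Equivalent nginx directives for the proxy host's custom config:
#   allow 100.100.69.0/24;   # Tailscale VPN range used on this page (assumed /24)
#   allow 172.22.0.0/16;     # assumed internal docker/LAN range
#   allow 127.0.0.0/8;       # loopback
#   deny  all;               # everything else
# Requires a shell with 64-bit arithmetic (dash/bash on 64-bit hosts).

# Print an IPv4 dotted quad as a 32-bit integer; return 1 on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if IPv4 $1 lies inside CIDR $2 (e.g. 100.100.69.0/24),
# 1 if it does not, 2 if either argument is malformed.
ip_in_cidr() {
    case "$2" in */*) ;; *) return 2 ;; esac
    ip=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    prefix=${2#*/}
    case "$prefix" in ''|*[!0-9]*) return 2 ;; esac
    [ "$prefix" -le 32 ] || return 2
    [ "$prefix" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Allow-list mirroring the nginx "allow" lines above; anything else is denied.
ALLOWED_RANGES="100.100.69.0/24 172.22.0.0/16 127.0.0.0/8"

# Return 0 (allow) if client IP $1 matches any allowed range, else 1 (deny).
# Malformed addresses are denied, matching nginx's trailing "deny all".
source_allowed() {
    for r in $ALLOWED_RANGES; do
        ip_in_cidr "$1" "$r" && return 0
    done
    return 1
}
```

Note that nginx evaluates the client address it sees on the socket, so when the Docker compose file publishes 80/443 only on 100.100.69.2 the proxy already receives nothing from public interfaces; the allow list is the second layer for the case where that port mapping is later widened.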
##### Post Install Configuration (WebUI)
- [ ] Open Console
- [ ] Login as root

[![Screenshot 2025-06-23 at 21.07.46.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-07-46.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-07-46.png)
**Post Login Error**

When loading using only the proxied address (https://webmin.admin.tld.com) it may redirect to https://webmin.admin.tld.com:10000, which will cause an error (as we should have blocked external access to 10000). Simply remove the port from the URL and hit enter to load the page.

[![image.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/wryimage.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/wryimage.png)
- [ ] Open the Webmin Config Page

[![Screenshot 2025-06-23 at 21.17.38.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-17-38.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-17-38.png)
- [ ] update IPs
- [ ] leave internal IP
- [ ] remove external
- [ ] modify listen ports as required (only change if there are conflicts)

[![Screenshot 2025-06-23 at 21.10.48.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-10-48.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-10-48.png)
- [ ] disable SSL, as the NGINX proxy will receive the SSL connection and terminate it, using HTTP internally (optional but easier)
- [ ] Setup SSL Certs if you use SSL: use your \*.admin wildcard SSL cert

[![Screenshot 2025-06-23 at 21.10.16.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-10-16.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-10-16.png)
- [ ] Update the approved referer DNS names

[![Screenshot 2025-06-23 at 21.18.04.png](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/scaled-1680-/screenshot-2025-06-23-at-21-18-04.png)](https://bookstack.pknw1.co.uk/uploads/images/gallery/2025-06/screenshot-2025-06-23-at-21-18-04.png)
# Docker