upvote

points

by notadeveloper9 hours ago |
comments
upvoteby salviati9 hours ago|
next
[-]
I had a very similar problem to the one OP was facing, and I solved it by connecting my fenced router (a router with no fixed public IP) via Wireguard to one machine in my tailscale network, and set up subnet routers so I can access it from any machine in my tailscale.

It works great.

I might misunderstand, but to me it looks like the solution in this post might be better than my setup because if that single node is down I won't be able to reach the fenced router.

reply
upvoteby juhovh9 hours ago|
parent|
[-]
Cool, this sounds like a very similar setup actually!

Even in this case, you still need to have a node somewhere to run the container and store the WireGuard keys, to be able to link the tailnet and the WireGuard endpoint. So that single point of failure still unfortunately remains.

The benefit of having it all configured in a single container means it's pretty easy to spin up anywhere (where the fenced router is accessible), all you need is the tunnel config file.

I also wanted to make sure it works for both IPv4 and IPv6 connections, because many ISPs in my area are starting to only give public IPv6 addresses. That way as long as the WireGuard router has IPv6 and the node running the container has IPv4/IPv6 dual stack, one can still access the Wireguard from an IPv4 only device.

reply
upvoteby juhovh9 hours ago|
prev|
[-]
This is using the subnet router functionality of Tailscale. However, instead of advertising subnets of the local physical network, as explained in the Tailscale docs, it's automatically parsing the given WireGuard config and advertising the subnets at the other end of the WireGuard tunnel.

It will also by default route traffic to the already advertised other subnets in the tailnet, but taking that into use requires a bit of manual configuration on the other end of the WireGuard tunnel. Each subnet needs to be routed through the WireGuard tunnel first to make it work.

reply
upvoteby benley8 hours ago|
parent|
[-]
Interesting - this could actually be good functionality to add to tailscale-manager (https://github.com/singlestore-labs/tailscale-manager), which currently just handles AWS prefix lists and DNS lookups.
reply
upvoteby juhovh7 hours ago|
parent|
[-]
Thank you, wasn't aware of this project, but it makes total sense!

Managing the advertised subnets manually is a bit of a pain, while the downsides of accidentally advertising a subnet are negligible, since you still have full control over them in the Tailscale console.

reply