- the router is behind DDNS and changes its IP address on every connect, so I had to set up a reresolve script and a cron job
- my WireGuard was capturing the default route and I wanted to use the DNS server behind the tunnel when using it as an exit node, but that initially broke the DNS reresolve
- one WireGuard tunnel only supported IPv4, but the node I was running on had dual stack, so half of the traffic ended up using IPv6 and not going through the tunnel at all
- when routing incoming connections from the other end of the tunnel to the tailnet, I realised Tailscale does SNAT by default for connections from the tailnet to the router (this can be disabled), but the WireGuard connections were coming from an unknown subnet and I had to add masquerading rules
- Tailscale doesn't work so nicely with firewalls: it wants to either inject its chains first or make you configure it after startup; I worked around this by modifying a healthcheck to fix the firewall after startup
- I wanted to exclude the WireGuard device from Tailscale monitoring to avoid noise; there's a patch and multiple issues for that on GitHub that haven't been merged, so I included the patches in my image
I may have forgotten some other edge cases that came up, but here are a few. In addition, I wanted it to automatically parse the advertised subnets from the WG config, which added to the scripts a bit.
In short, it started out as a hack I didn't even think was worth sharing, but more things broke than I would've imagined. So I wanted to share it with anyone who might find it useful.
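The DDNS reresolve, the IPv4-only exit-node leak and the subnet parsing from the first, third and last points above, as an added example that is not the commenter's scripts: it parses a wg-quick style `[Peer]` section, derives the `--advertise-routes` value, flags the IPv6 leak, and builds the `wg set` commands a cron job would run when the router's DDNS name resolves to a new address. The config, key and addresses are constructed; `resolve` is a caller-supplied lookup (for example one wrapping `socket.getaddrinfo`) so the DNS query can be sent outside the tunnel, which is the breakage the second point describes.

```python
import ipaddress
# Constructed sample config (not the commenter's): the DDNS router is the only peer,
# its LAN is 192.168.50.0/24 and it doubles as an IPv4-only exit node.
SAMPLE_CONF = """
[Peer]
PublicKey = EXAMPLEPUBKEY=
Endpoint = router.example.invalid:51820
AllowedIPs = 192.168.50.0/24, 0.0.0.0/0
"""
def parse_peers(conf):
    """One dict per [Peer] section, keyed like the config: PublicKey, Endpoint, AllowedIPs."""
    peers, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.lower() == "[peer]":
            cur = {"PublicKey": None, "Endpoint": None, "AllowedIPs": []}
            peers.append(cur)
        elif line.startswith("["):
            cur = None  # [Interface] or another section: not peer keys
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "AllowedIPs":
                cur[key] += [ipaddress.ip_network(v.strip()) for v in val.split(",")]
            elif key in cur:
                cur[key] = val
    return peers

def advertise_routes(peers):
    """Value for `tailscale up --advertise-routes=`: AllowedIPs minus default routes."""
    nets = {n for p in peers for n in p["AllowedIPs"] if n.prefixlen > 0}
    return ",".join(str(n) for n in sorted(nets, key=lambda n: (n.version, n)))

def ipv6_bypasses_tunnel(peers):
    """True when 0.0.0.0/0 is tunnelled but ::/0 is not: a dual-stack host leaks IPv6."""
    defaults = {n.version for p in peers for n in p["AllowedIPs"] if n.prefixlen == 0}
    return 4 in defaults and 6 not in defaults

def reresolve_commands(iface, peers, wg_endpoints_output, resolve):
    """`wg set` argv for peers whose DDNS name no longer matches `wg show IFACE endpoints`."""
    current = {l.split()[0]: l.split()[1].rsplit(":", 1)[0].strip("[]")
               for l in wg_endpoints_output.splitlines() if l.strip()}
    cmds = []
    for p in peers:
        if p["Endpoint"] and p["PublicKey"] in current:
            host, port = p["Endpoint"].rsplit(":", 1)
            fresh = resolve(host)  # use a resolver that is not routed through the tunnel
            if fresh != current[p["PublicKey"]]:
                ep = f"[{fresh}]:{port}" if ":" in fresh else f"{fresh}:{port}"
                cmds.append(["wg", "set", iface, "peer", p["PublicKey"], "endpoint", ep])
    return cmds
```

From cron, feed it the output of `wg show wg0 endpoints` and run each returned argv; nothing is executed when the resolved address has not changed.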