Thread #108610563
From what I can tell, this thing is great. However, I am having trouble setting it up. It is because I still don't understand how it works.
Do I have to set up a reverse proxy for every application I want to have available on the network?
How do I force an application to use the tailscale network instead of WAN or LAN?
Can I have a tailscale DNS without it being an exit node? And can it serve only tailscale addresses?
I looked up these questions online. For the DNS, there are only instructions on how to have a DNS if you run an exit node. I want to have a tailscale DNS so I don't need to manually edit host files on every device on the network; I don't want an exit node.
Share your setups and any useful guides you've come across.
>>
I've dug into this, and I have good news: you can absolutely run a Tailscale DNS without an Exit Node, and you don't need a reverse proxy for every single app. Here is the breakdown of how to solve your setup issues.
Understanding the "How It Works" Gap
The confusion usually comes from mixing up two separate ideas:
· Tailscale is a Network: It gives every device a unique IP (like 100.x.x.x). This connects your devices securely.
· DNS is a Phonebook: It translates a name like server into that IP address (100.x.x.x).
· Reverse Proxy is a Traffic Cop: It listens on one address (e.g., server) and looks at the request to decide which internal app to send it to (e.g., "Jellyfin" or "Home Assistant").
You don't need a reverse proxy if you just want to access one service per device (e.g., http://100.x.x.x:8096). But you do need one to access multiple services on the same machine without typing port numbers.
The DNS Solution (No Exit Node Required)
You can run a Tailscale DNS server without an Exit Node. Here is how DNS works inside Tailscale:
· MagicDNS (The Easiest): Enabled by default, it automatically lets you use device-name.tailnet-name.ts.net to reach any device. No setup required.
· Split DNS (Your Custom Option): If you want to use simple names like jellyfin/ or router/, you don't need an Exit Node.
1. Go to the DNS tab in the Tailscale Admin Console.
2. Under Nameservers, add a Restricted Nameserver.
3. Set it to the IP of your internal DNS server (like 100.x.x.x or 192.168.1.x).
4. Tell it to only answer queries for a specific domain (e.g., myhome.internal).
This way, your Tailscale network will send only those specific requests to your private DNS, keeping everything else fast and local.
>>
>>108610563
You're about to kick off a huge argument thread where anons either advocate for TS or call everyone else a moron for using it instead of wireguard.
It works at machine level, not application level, and needs to be installed on every machine and hooked to the tailnet.
Machines do not need to be an exit node.
There is no manually editing host files, though tailscale has a single rulebook it can use to gate traffic.
Sounds to me like you just need to try it out to see how it works. 30 min spent doing that will answer all these Qs. If you don't like it, close the account. TS makes its money from large orgs, not single users.
>>
>>108610601
>either advocate for TS or call everyone else a moron for using it instead of wireguard
Can you build a private network with wireguard as with TS?
>>108610594
I don't talk to machines.
>>
>>108610590
Thanks grok.
>>108610563
I was looking into this and considered it wasn't worth my time.
>>
>>108610801
>>108610775
You obviously used an algorithm to search the materials to make these posts. Use it again.
>>
>>108612562
What? I went to tailscale.com and read their instructions. They're just unclear.
For example, TailscaleSSH.
https://tailscale.com/docs/features/tailscale-ssh
It doesn't explain how it logs me into a computer. How does TailscaleSSH know the root password to a server I want to SSH to?
Then there's App Connectors.
https://tailscale.com/docs/features/app-connectors
And that was my original question: do all apps need a reverse proxy to be available on the network? They all need an App Connector, but people say apps should just see the network automatically.
And what the hell are "Tailscale services"?
https://tailscale.com/docs/features/tailscale-services
>Tailscale Services let you publish internal resources (like databases or web servers) as named services in your tailnet.
How is that different from an app connector?
>App connectors let you route your self-hosted applications and software as a service (SaaS) applications through dedicated devices in your Tailscale network (known as a tailnet).
And don't get me started on the DNS. MagicDNS, custom DNS, advanced DNS, custom advanced DNS...
Their documentation is poorly written and confusing.
>>
>>108613012
>>108613029
How can I have multiple devices on the same wireguard network? I need a router, right? So that it can route packets between wireguard'd devices.
>>
>>108613012
>>108613156
Tailscale (headscale if you want to self-host) is basically a control plane that coordinates a mesh network of wireguard tunnels between peers (clients in the tailnet), which forms the data plane.
It handles all the intricacies of punching through NAT and shit. Makes it easy to create a VPN overlay network and secure it with access control lists that give you fine-grained control over communication between peers. And there's other goodies like tailscale serve, funnel, etc.
Try setting up something that complex with just plain wireguard. Good fucking luck.
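To make the "access control lists" above concrete, here is a constructed tailnet policy file (hujson), added as an example and not taken from the thread or from Tailscale's docs; the tags, users and ports are placeholders. It is the single rulebook that gates traffic between peers, and its `ssh` section is also how Tailscale SSH decides logins: no root password is ever involved, the rule names who may log in as which user.

```hujson
// Constructed example tailnet policy. Everything not listed in "acls" is denied.
{
  // Tags label servers independently of which user enrolled them.
  "tagOwners": {
    "tag:media": ["autogroup:admin"],
    "tag:dns":   ["autogroup:admin"],
  },
  "groups": {
    "group:family": ["alice@example.com", "bob@example.com"],
  },
  "acls": [
    // Family members may reach Jellyfin (8096) on the media box, nothing else on it.
    {"action": "accept", "src": ["group:family"], "dst": ["tag:media:8096"]},
    // Tailnet admins get every port on the media box, including 22 for SSH.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:media:*"]},
    // Every device may query the internal resolver, DNS port only.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:dns:53"]},
    // Port 22 to one's own devices must be allowed here as well as in "ssh".
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:22"]},
  ],
  // Tailscale SSH: login is decided by tailnet identity against these rules, not by a password.
  "ssh": [
    // Anyone may SSH into their own devices as a non-root user without a re-auth prompt.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"]},
    // Admins may become root on the media box but must re-authenticate first ("check").
    {"action": "check", "src": ["autogroup:admin"], "dst": ["tag:media"], "users": ["root"]},
  ],
}
```

Because the policy is default-deny, a peer that is not matched by an `acls` entry cannot even reach the media box's port 22, regardless of the `ssh` section.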
>>
>>108613258
>Try setting up something that complex with just plain wireguard. Good fucking luck.
You can, you just have to manually add each device, its MAC address, public rsa key. Then you have to make an iptables entry to route packets to and fro. Then you have to add an entry for the address in your DHCP server's host file.
>>
>>108613258
>headscale
>Headscale should just work as long as the following requirements are met:
>A server with a public IP address for headscale. A dual-stack setup with a public IPv4 and a public IPv6 address is recommended.
This is another thing. Supposedly both tailscale and headscale require a public IP address to work. But I don't have one, I am CGNAT'd, that is why I want to use tailscale. If I had a public ipv4 address then I wouldn't need tailscale.
>>
>>108610563
>this thing is great
debatable
>Do I have to set up a reverse proxy for every application I want to have available on the network?
tailscale works at the IP level not application level, either every device has to join the tailnet (with the appropriate client installed) or you use one of your devices with tailscale as a subnet router to access your other devices remotely
>How do I force an application to use the tailscale network instead of WAN or LAN?
you use the ip address that tailscale has given to you instead of the local one
>Can I have a tailscale DNS without it being an exit node? And can it serve only tailscale addresses?
yes, no. (unless they changed something in recent times since i don't use tailscale anymore)
>>108613258
>headscale if you want to self-host
defeats the whole purpose of what you want with tailscale and at that point you can make everything simpler by just using wireguard
>>108613417
>Supposedly both tailscale and headscale require a public IP address to work
headscale yes, tailscale no
>>
>>108613462
>tailscale no
It does if you want to set up a DNS for the tailnet.
>no. (unless they changed something in recent times since i don't use tailscale anymore)
If I don't have an exit node and my tailnet cannot access the internet, then why does the tailnet DNS need to serve Internet domains and addresses?
>>
>>108613462
>headscale yes
Can this be satisfied with a €3/mo. VPS? Is all traffic routed through the headscale client with the public IP? Again, the instructions aren't clear and they don't explain what the hell the public IP is used for or why it's necessary.
>>
I've seen Tailscale proposed as an alternative to NPM as a reverse proxy to run a Nextcloud server if you only have one external IP to play with and want a dedicated subdomain for it but that's the only application I've been introduced to.
>>
>>108613543
I think you're reading the docs wrong
https://tailscale.com/docs/reference/dns-in-tailscale
>then why does the tailnet DNS need to serve Internet domains and addresses?
Wat
>>108613550
>Again, the instructions aren't clear and they don't explain what the hell the public IP is used for or why it's necessary.
They kinda do
https://headscale.net/stable/setup/requirements/#ports-in-use
they just assume that if you wanna self host the thing you'd know that you need a STUN server with a public IP to get a peer-to-peer connection between 2 devices that sit behind a NAT/your router
>>
>>108613676
>you'd know that you need a STUN server with a public IP to get a peer-to-peer connection between 2 devices that sit behind a NAT/your router
How does Tailscale avoid this? I mean, why doesn't Tailscale need a public IP to achieve the same thing?
Headscale also relies on external Let's Encrypt, while Tailscale allows for signing certificates within the tailnet.
>>
>>108613708
>I mean, why doesn't Tailscale need a public IP to achieve the same thing?
Because tailscale hosts their own STUN servers and you use them when using tailscale
>Headscale also relies on external Let's Encrypt, while Tailscale allows for signing certificates within the tailnet
That's for providing https for their web-ui, not for internal certs within the network. Cmon they describe all of that in their docs
>>
>>108613768
>>108614044
If I host the STUN server on a VPS, does that mean the VPS company can grab the private keys, MAC addresses and routes/IPs from the server?
>>
>>108614079
>If I host the STUN server on a VPS,
a STUN server alone won't give you anything
>MAC addresses and routes/IPs from the server?
but if you're talking about headscale it probably stores that metadata somewhere in its database so yes your VPS company could grab it
>>
>>108614399
>if you're talking about headscale it probably stores that metadata somewhere in it's database so yes your VPS company could grab it
I was. I guess my other option is to pay my ISP an extra €3/mo for a static IP without CGNAT.
>>
>>108614451
i don't think they'd store private keys on the server (apart from the tls certs you need anyway for serving https traffic for the web-ui) but yes i'm pretty sure some metadata is kept there
>I guess my other option is to pay my ISP an extra €3/mo for a static IP without CGNAT.
at that point you can just run wireguard without needing tailscale/headscale
>>
>>108610563
>Do I have to set up a reverse proxy for every application I want to have available on the network?
Depends: if you want it to have an easy to remember address (pihole.example.local) then yes. If you don't mind using IP:Port then no
>Can I have a tailscale DNS without it being an exit node? And can it serve only tailscale addresses?
Could be wrong but I don't think so. You'll have to open the ports for the DNS specifically (56 and 57 I think?) and use it that way instead.
I personally run everything through Cloudflare. Got a free domain from nic.eu.org (digital plat is easier and faster to get) so I don't have to mess with VPN configs or any of that. I think it's just easier.
Also have Netbird to get a working vpn at school
>>
>>108610563
Tailscale is just a trivialized VPN service. Uses WireGuard as the protocol, has their own central management and proxy servers for NAT traversal.
It's piss easy to set up and use, but it requires some basic networking knowledge, otherwise you'll get frustrated and confused at trivial issues.
>>