Show HN: TailGuard – Bridge your WireGuard router into Tailscale via a container
github.com147 points by juhovh 3 days ago
147 points by juhovh 3 days ago
My elderly parents are behind a 5G connection in rural areas, and I help them manage their network from overseas. I found a reasonably priced 5G router that can do external antennas required for it to work, but the only reasonable ways to get access to it is either through OpenVPN or WireGuard, the latter of which is much more lightweight and preferred with the memory constraints of the device.
The problem with WireGuard is that it requires handling key management oneself, and configuring the keys to every device you want to access it from. It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.
I was already using Tailscale as an easy way to handle homelab access with SSO, even if some computers are behind ISP CGNAT, and came up with this idea of spinning up a Docker container to connect the two. I found some suggestions for it online, but nothing ready to use. It ended up being more work than I expected to fine tune the routing, IPv6, firewall settings, re-resolving the DNS of the router on IP address changes etc.
I got it very stable eventually though, and wanted to share with everyone else. I think it's cool to have the WireGuard router looking like any other Tailscale node in my tailnet now.
We have a similar container @juhovh, for a plugin for the router we work on. in case this is helpful for you, feel free to to review https://github.com/spr-networks/spr-tailscale/blob/main/Dock... Looks interesting, I see you've added a light React UI and a simple REST API on the Go service to query for status and control the Tailscale interface. I'll make a note for sure! I myself didn't really have a need to disable the interface during the lifecycle of the container, so I went with the standard containerboot process provided by Tailscale. I also wanted the container to be "invisible" and not respond to any incoming connections, so that it feels like you're running Tailscale on the actual router. Keeping things a bit more granular and flexible for this use case makes total sense. So, it looks like this might work with fly.io? fly.io provides a way to connect to their servers via wireguard (https://fly.io/docs/blueprints/connect-private-network-wireg...), and so tailguard could connect to their wireguard instance? Not super familiar with fly.io, but with a quick look at that page it should work just fine. Just instead of dropping that camellia.conf to the WireGuard MacOS client or Linux wg-quick, spin up the TailGuard container somewhere (pretty much anywhere, but with good ping to fly.io). That way you should have the fly.io private network accessible in your Tailscale tailnet, it runs wg-quick internally alongside Tailscale anyway, just with a bit of scripting to automatically configure the network and the firewall to avoid connections leaking. If it doesn't work, feel free to raise an issue and I can have a look. You can run a Tailscale node providing LAN access on Apple TV. Just grab Tailscale's Apple TV app. Performance is higher than you'd expect, saturates a gigabit link. This is the perfect "get to parent's network" appliance. Pairs nicely with Eero+, which one might pick for remote network mgmt for reasons such as ad/threat blocking, aside from the cloud management with co-mgmt delegation built in. It can also serve as an exit node. This makes it a lovely "use the Internet from my usual location" appliance, for all kinds of reasons. Setup and use is ultra simple. This actually sounds better than I thought, pretty unexpected but valid selling point for Apple TV. :D Will keep in mind, although my use case is resolved for now. It's a great way to get around those pesky "Are you actually at your home" nagware that Disney+ and other apps employ as well. > It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time. What do you mean? I've had great luck using specific routes over wireguard with the official app on my phone. It works great with "on-demand" wg, and only routing my home subnet over it. Now, some "business" vpns suck donkey balls, but these are usually borked beyond belief without any external help. I'm specifically thinking about the dotted red square one. This is at least a limitation in Android itself: https://developer.android.com/reference/android/net/VpnServi... "There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created." Note this is not about routing some traffic to the VPN and other traffic to the clear net. This is about running two VPN connections simultaneously. Fair enough. I haven't used an Android device since 2017... Do people have these issues on iOS too? On Linux, I have no problem running either bare wireguard or tailscale alongside Forticlient. On Windows and macOS it's a bit more janky, specifically the DNS resolution, but I don't daily drive these platforms so I may be missing some kind of knowledge to fix this. On a linux box, is it possible to run tailscale/wireguard as an exit node along with Forti vpn? Aka what I want to achieve is (my-machine + tail/wireguard) --> (server with tailscale/wireguard + forti vpn) --> Corporate network. So wireguard or tailscale to receive traffic and forward it through forti. Or another option (my machine fortivpn over tail/wireguard) --> (server as exit node) --> corporate network Rather than using the official forticlient I am using https://github.com/adrienverge/openfortivpn. It has some options to configure custom pppd/routes/dns etc if necessary, which I have not touched as I don't know enough :P
DNS resolution is not important for my usecase, only traffic. Yea on Linux I can run 10 different VPNs (or 10 wg peers) no problem, this limitation of Android is super annoying to me. I think OPs solution is quite a good one for Android users. Yeah you're exactly on point here, and this limitation exists on both iOS and Android alike. I got very frustrated with switching between VPNs and connections breaking every time I did that. I use tailscale and wireguard and I route traffic between them, so I can't understand why are so many lines of code needed? Can't you simply enable subnet routing on the tailscale node (single argument does that) and perhaps add additional subnet to the addresses list of wireguard peer? You definitely don't need that many lines of code, started with just a couple. After that I started having several small issues: - the router is behind DDNS and changes its IP address on every connect, had to set up reresolve script and cron - my WireGuard was capturing the default route and I wanted to use the DNS server behind the tunnel when using it as exit node, but that initially broke the DNS reresolve - one WireGuard tunnel only supported IPv4, but the node I was running on had dual stack, half of the traffic ended up using IPv6 and not going through the tunnel at all - when routing incoming connections from the other end of the tunnel to the tailnet, I realised Tailscale does SNAT by default for connections from tailnet to the router (this can be disabled), but the WireGuard connections were coming from an unknown subnet and I had to add masquerading rules - Tailscale doesn't work so nicely with firewalls, it wants to either inject its chains as first or make you configure it after the startup, worked around by modifying a healthcheck to fix the firewall after startup - I wanted to exclude the WireGuard device from Tailscale monitoring to avoid noise, there's a patch and multiple issues for that on GitHub that haven't been merged, included the patches in my image I may have forgotten some other edge cases that came up, but here's a few. In addition, I wanted it to automatically parse the advertised subnets from the WG config, which added to the scripts a bit. In short, it started out as a hack I didn't even think worth sharing, but more things broke than I would've imagined. So wanted to share with anyone who might find it useful. What about the Subnet Router functionality that Tailscale has? I had a very similar problem to the one OP was facing, and I solved it by connecting my fenced router (a router with no fixed public IP) via Wireguard to one machine in my tailscale network, and set up subnet routers so I can access it from any machine in my tailscale. It works great. I might misunderstand, but to me it looks like the solution in this post might be better than my setup because if that single node is down I won't be able to reach the fenced router. Cool, this sounds like a very similar setup actually! Even in this case, you still need to have a node somewhere to run the container and store the WireGuard keys, to be able to link the tailnet and the WireGuard endpoint. So that single point of failure still unfortunately remains. The benefit of having it all configured in a single container means it's pretty easy to spin up anywhere (where the fenced router is accessible), all you need is the tunnel config file. I also wanted to make sure it works for both IPv4 and IPv6 connections, because many ISPs in my area are starting to only give public IPv6 addresses. That way as long as the WireGuard router has IPv6 and the node running the container has IPv4/IPv6 dual stack, one can still access the Wireguard from an IPv4 only device. This is using the subnet router functionality of Tailscale. However, instead of advertising subnets of the local physical network, as explained in the Tailscale docs, it's automatically parsing the given WireGuard config and advertising the subnets at the other end of the WireGuard tunnel. It will also by default route traffic to the already advertised other subnets in the tailnet, but taking that into use requires a bit of manual configuration on the other end of the WireGuard tunnel. Each subnet needs to be routed through the WireGuard tunnel first to make it work. Interesting - this could actually be good functionality to add to tailscale-manager (https://github.com/singlestore-labs/tailscale-manager), which currently just handles AWS prefix lists and DNS lookups. Thank you, wasn't aware of this project, but it makes total sense! Managing the advertised subnets manually is a bit of a pain, while the downsides of accidentally advertising a subnet are negligible, since you still have full control over them in the Tailscale console. The overview and benefits sections along with other bits are great examples of what should go in a root level README.md Nice work <3 Neat idea but getting a 5G GL inet router would probably be more robust. Built in tailscale and wireguard so you don’t have to worry about this. Best thing about GL inet routers are the IMEI cloning. It’s pretty popular for wireless ISP like T-Mobile and Verizon 5G home internet. While I have no experience of their 5G routers specifically, based on my experiences with other GL.iNet routers and the TG-Link I have, I don't disagree. The Deco they have has the benefit of easy mesh wifi setup with fast roaming, but the easier access and configurability of GL.iNet are generally nice, and they're fairly affordable. Since you have tailscale, and assuming your parents don’t do anything fancy, you can always double NAT. It especially doesn’t matter since you’re on CGNAT. Use the gl inet router as the primary and attach a mesh router behind it. You’ll be able to configure the secondary router through the primary. I am confused. Why not simply advertizing a route in Tailscale on the host that supports tailscale? It will work as the gataway to the LAN. There’s unfortunately no always-on host supporting Tailscale. The Apple TV suggestion in the other comment is pretty good though, since it’s easy for anyone to use. Naturally requires having one though. I still do not understand. You run tailguard in docker, so the host is surely capable of running tailscale. I must be missing something. Which 5G router do you use? The one they ended up using was TP-Link Deco X50-5G, but honestly I'm not sure if I can fully recommend that. It has had its own share of problems... I recommend Glinet's mobile routers: https://www.gl-inet.com/products/ I have several of them in a cross Atlantic Wireguard mesh, and they are bulletproof. I actually use the non-mobile Flint 2 myself at home, and it's one of the devices in my tailnet. I worked with their engineers on the forums to get better IPv6 support for their WireGuard tunnels. Running both Tailscale and WireGuard on it can mess up the routing at times though, so I prefer to stick to just either or. It's a bit unfortunate they decided to go with Broadcom for their Flint 3 router, since Broadcom is known to not play well with open source. One of the reasons I got Flint 2 was its Mediatek chip, since stock OpenWRT support for that should get reasonably good eventually. They're all still way more open than TP-Link Decos.
supernetworks - 3 days ago
juhovh - 3 days ago
jasonriddle - 3 days ago
juhovh - 3 days ago
Terretta - 2 days ago
juhovh - 2 days ago
RationPhantoms - 2 days ago
vladvasiliu - 3 days ago
EnigmaCurry - 3 days ago
vladvasiliu - 3 days ago
standard_indian - a day ago
EnigmaCurry - 3 days ago
juhovh - 3 days ago
Jnr - 3 days ago
juhovh - 3 days ago
notadeveloper - 3 days ago
salviati - 3 days ago
juhovh - 3 days ago
juhovh - 3 days ago
benley - 3 days ago
juhovh - 3 days ago
avtar - 3 days ago
syntaxing - 3 days ago
juhovh - 3 days ago
syntaxing - 3 days ago
BrandoElFollito - 2 days ago
juhovh - 2 days ago
BrandoElFollito - a day ago
oe - 3 days ago
juhovh - 3 days ago
toomuchtodo - 3 days ago
juhovh - 3 days ago