prologue
recently, i've been using my beefier desktop machine remotely to conserve battery when coding on my laptop while i'm at school.
this works pretty well most of the time (i have another host's sshd port-forwarded to WoL the machine) but trying to swoosh ssh into [reverse-]forwarding the right ports to test stuff gets painful rather quickly when using tooling that runs ssh for you.
Tailscale
Tailscale is a nice overlay VPN backed by WireGuard; basically you log in to tailscale on a bunch of machines and each one gets assigned a private IPv4. apparently it's supposed to break through NATs but i haven't had any luck with that.
i have a friend who works at tailscale, which has made me quite aware of its existence. i've been carefully avoiding getting a VPN set up for 4 months, but a few weeks of constantly rereading the ssh(1) manpage for the various port forwarding argument syntaxes did it for me.
being a NixOS user, i dropped a quick services.tailscale.enable = true; in my local machine's configuration, rebuilt, ran tailscale up and logged in.
tailscaled was happily churning along in the background, so i proceeded to think about running tailscale up 3 more times for my other hosts, got terrified at the proposition and wrote this instead:
```nix
cookie.secrets.tailscale-authkey = {
  source = "./secrets/tailscale-authkey";
  owner = "root";
  group = "root";
  permissions = "0400";
  wantedBy = "tailscaled-autoconfig.service";
};

systemd.services.tailscaled-autoconfig = rec {
  description = "Autoconfigure tailscaled";
  wantedBy = [ "multi-user.target" ];
  requires = [ "tailscaled.service" "tailscale-authkey-key.service" ];
  after = requires;
  serviceConfig.Type = "oneshot";
  script = "${tailscale}/bin/tailscale up --reset --force-reauth --authkey $(cat ${
    escapeShellArg config.cookie.secrets.tailscale-authkey.dest
  })";
};
```
after encrypting the new tailscale-authkey secret it happily deployed, which meant it was time for my next problem...
```
ckie@cookiemonster ~ -> tailscale status
100.77.146.21   cookiemonster   ckiee@   linux   -
100.124.234.25  bokkusu         ckiee@   linux   -
100.80.1.116    drapion         ckiee@   linux   -
100.94.232.88   galaxy-a51      ckiee@   android active; direct 192.168.0.43:35862, tx 8463276 rx 642228
100.89.163.81   thonkcookie     ckiee@   linux   -
```
(sidenote: i'm still not sure how i feel about depending on yet another company, but i can always fall back on other solutions.)
DNS troubles
on my home network, i have a CoreDNS server listening locally, filtering ads and forwarding other traffic to cloudflared which (among other things) sends queries using DNS-over-HTTPS.
this has worked pretty well for a while but with the addition of non-local devices, keeping a single host serving two different continents seems like a latency disaster, so i refactored a tad and enabled the coredns module on all tailscale-connected hosts.
MagicDNS
tailscaled can also act as a DNS resolver to resolve requests like
having too much free time, i sat down and whipped up a little script to occasionally regenerate my hosts file with the currently available tailscale hosts:
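the script itself didn't survive on this page, so the following is an added example (not the author's script) of how such a regeneration can be done safely. it parses the `tailscale status` output format shown above (the sample below is that output, embedded as constructed input, plus a constructed hosts file with a stale managed block), and it makes three choices a practitioner would want: only rows whose address is in tailscale's own ranges (100.64.0.0/10 for IPv4, fd7a:115c:a1e0::/48 for IPv6) and whose name is a plain hostname are accepted, so a stray line can't map a name onto an arbitrary address; the generated entries live between marker comments so hand-written entries elsewhere in /etc/hosts are preserved; and the file is replaced atomically so a crash mid-write can't leave an empty hosts file. the marker strings, function names and the `regenerate()` wrapper are assumptions of this example.

```python
"""Regenerate a managed block of /etc/hosts from `tailscale status` output (added example)."""
import ipaddress
import os
import re
import subprocess
import tempfile

# marker comments delimiting the block this script owns (names are assumptions)
BEGIN = "# BEGIN tailscale-hosts (managed)"
END = "# END tailscale-hosts (managed)"

# only addresses from tailscale's own ranges are accepted into the hosts file
TAILNET = (ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48"))
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# constructed sample: the `tailscale status` output shown above, prompt included
SAMPLE_STATUS = """\
ckie@cookiemonster ~ -> tailscale status
100.77.146.21   cookiemonster   ckiee@   linux   -
100.124.234.25  bokkusu         ckiee@   linux   -
100.80.1.116    drapion         ckiee@   linux   -
100.94.232.88   galaxy-a51      ckiee@   android active; direct 192.168.0.43:35862, tx 8463276 rx 642228
100.89.163.81   thonkcookie     ckiee@   linux   -
"""

# constructed sample of an existing hosts file with a stale managed block
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# BEGIN tailscale-hosts (managed)
100.1.2.3 oldhost
# END tailscale-hosts (managed)
192.168.0.10 printer
"""


def parse_status(text):
    """Return {hostname: ip} for every peer row in `tailscale status` output."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # shell prompt, header, or anything else that isn't a peer row
        name = fields[1].lower()
        if not any(ip in net for net in TAILNET) or not HOSTNAME_RE.match(name):
            continue  # refuse non-tailnet addresses and names unsafe for /etc/hosts
        peers[name] = str(ip)
    return peers


def render_block(peers, suffix=""):
    """Render the managed block; sorted so reruns are byte-for-byte stable."""
    lines = [BEGIN] + [f"{peers[n]} {n}{suffix}" for n in sorted(peers)] + [END]
    return "\n".join(lines) + "\n"


def merge_hosts(existing, block):
    """Replace the managed block in existing hosts text (or append one); keep everything else."""
    out, skipping, replaced = [], False, False
    for line in existing.splitlines(keepends=True):
        stripped = line.rstrip("\n")
        if stripped == BEGIN:
            skipping = True
            if not replaced:
                out.append(block)
                replaced = True
            continue
        if stripped == END:
            skipping = False
            continue
        if not skipping:
            out.append(line)
    if not replaced:
        if out and not out[-1].endswith("\n"):
            out.append("\n")
        out.append(block)
    return "".join(out)


def write_atomically(path, content):
    """Write via a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".hosts.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
        os.chmod(tmp, 0o644)  # hosts must stay world-readable for resolvers
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def regenerate(hosts_path="/etc/hosts", status_text=None, suffix=""):
    """Fetch status (unless given), merge, and rewrite only when something changed."""
    if status_text is None:
        status_text = subprocess.run(["tailscale", "status"], check=True,
                                     capture_output=True, text=True).stdout
    peers = parse_status(status_text)
    existing = open(hosts_path).read() if os.path.exists(hosts_path) else ""
    merged = merge_hosts(existing, render_block(peers, suffix))
    if merged != existing:
        write_atomically(hosts_path, merged)
    return peers


if __name__ == "__main__":
    # offline demo on the constructed samples; real use: regenerate() as root from a timer
    print(merge_hosts(SAMPLE_HOSTS, render_block(parse_status(SAMPLE_STATUS))), end="")
```

run from a systemd timer (or cron) as root, `regenerate()` is idempotent: unchanged peers produce an identical block and the file is left untouched, so the hosts file is only ever rewritten when a peer appears or disappears.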