

prologue

recently, i've been using my beefier desktop machine remotely to conserve battery when coding on my laptop while i'm at school.

this works pretty well most of the time (i have another host's sshd port-forwarded to WoL the machine) but trying to swoosh ssh into [reverse-]forwarding the right ports to test stuff gets painful rather quickly when using tooling that runs ssh for you.

Tailscale

Tailscale is a nice overlay VPN backed by WireGuard; basically you log in to tailscale on a bunch of machines and each one gets assigned a private IPv4 address out of the 100.64.0.0/10 range. apparently it's supposed to break through NATs but i haven't had any luck with that.

i have a friend who works at tailscale, which has made me quite aware of its existence. i've been carefully avoiding setting up a VPN for 4 months, but a few weeks of constantly rereading the ssh(1) manpage for the various port forwarding argument syntaxes did it for me.

being a NixOS user, i dropped a quick services.tailscale.enable = true; in my local machine's configuration, rebuilt, ran tailscale up and logged in.

tailscaled was happily churning along in the background, so i proceeded to think about running tailscale up 3 more times for my other hosts, got terrified at the proposition and wrote this instead:

    { config, lib, pkgs, ... }:

    {
      # decrypt the authkey onto the host (cookie.secrets is my own secrets module);
      # the decrypted file is only readable by root
      cookie.secrets.tailscale-authkey = {
        source = "./secrets/tailscale-authkey";
        owner = "root";
        group = "root";
        permissions = "0400";
        wantedBy = "tailscaled-autoconfig.service";
      };

      systemd.services.tailscaled-autoconfig = rec {
        description = "Autoconfigure tailscaled";
        wantedBy = [ "multi-user.target" ];
        # only run once tailscaled is up and the key has been decrypted
        requires = [ "tailscaled.service" "tailscale-authkey-key.service" ];
        after = requires;

        serviceConfig.Type = "oneshot";

        # caveat: the key is passed as an argument, so it is visible in
        # /proc/<pid>/cmdline on this host for the duration of `tailscale up`
        script =
          "${pkgs.tailscale}/bin/tailscale up --reset --force-reauth --authkey $(cat ${
            lib.escapeShellArg config.cookie.secrets.tailscale-authkey.dest
          })";
      };
    }

after encrypting the new tailscale-authkey secret it happily deployed, which meant it was time for my next problem...

    ckie@cookiemonster ~ -> tailscale status
    100.77.146.21   cookiemonster        ckiee@       linux   -
    100.124.234.25  bokkusu              ckiee@       linux   -
    100.80.1.116    drapion              ckiee@       linux   -
    100.94.232.88   galaxy-a51           ckiee@       android active; direct 192.168.0.43:35862, tx 8463276 rx 642228
    100.89.163.81   thonkcookie          ckiee@       linux   -

(sidenote: i'm still not sure how i feel about depending on yet another company, but i can always fall back on other solutions.)

DNS troubles

on my home network, i have a CoreDNS server listening locally, filtering ads and forwarding other traffic to cloudflared which (among other things) sends queries using DNS-over-HTTPS.

this has worked pretty well for a while, but with the addition of non-local devices, keeping a single host serving two different continents seems like a latency disaster (every lookup would cross the tailnet before it even reaches cloudflared), so i refactored a tad and enabled the coredns module on all tailscale-connected hosts so each of them resolves locally.

MagicDNS

tailscaled can also act as a DNS resolver for names like <hostname>.example.com.beta.tailscale.net (MagicDNS); it's supposed to configure this automatically, but that didn't work, feels a bit intrusive, and doesn't really fit the rest of my setup since i want ad-blocking to keep working consistently.
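with MagicDNS off, the tailnet's names have to come out of tailscaled some other way. as an added example (not the post's own script, which follows below), here is a Python take on that: read `tailscale status --json`, keep only the online nodes, and rewrite a marked section of a hosts-format file so that repeated runs are idempotent and never clobber hand-written entries or write a half-finished file. the JSON field names (`Self`, `Peer`, `HostName`, `TailscaleIPs`, `Online`) are assumed from the CLI's JSON output, the sample status is constructed from the addresses in the listing above, and the target path is a placeholder (on NixOS /etc/hosts is generated and read-only, so the realistic target is a separate file that a resolver such as CoreDNS's hosts plugin reads).

```python
import json
import re
import subprocess
from pathlib import Path

# markers delimiting the section we own; everything outside them is left untouched
BEGIN = "# BEGIN tailscale-hosts (managed, do not edit by hand)"
END = "# END tailscale-hosts"

# constructed sample of `tailscale status --json` (field names assumed, trimmed to
# what we use); the addresses are the ones from the status listing above
SAMPLE_STATUS = {
    "Self": {"HostName": "cookiemonster", "TailscaleIPs": ["100.77.146.21"], "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "bokkusu", "TailscaleIPs": ["100.124.234.25"], "Online": True},
        "nodekey:bbbb": {"HostName": "drapion", "TailscaleIPs": ["100.80.1.116"], "Online": False},
        "nodekey:cccc": {"HostName": "bad name!", "TailscaleIPs": ["100.1.2.3"], "Online": True},
    },
}

# a hostname we are willing to put in a hosts file: plain DNS label(s) only
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*")


def tailscale_status():
    """Ask the local tailscaled for its view of the tailnet."""
    out = subprocess.run(
        ["tailscale", "status", "--json"], check=True, capture_output=True, text=True
    ).stdout
    return json.loads(out)


def hosts_entries(status):
    """(ip, hostname) pairs for ourselves and every online peer.

    Hostnames are chosen by the peer, so they are untrusted input for this file:
    anything that is not a plain DNS name is dropped rather than written out.
    """
    nodes = [status["Self"], *status.get("Peer", {}).values()]
    entries = []
    for node in nodes:
        if not node.get("Online", True):
            continue
        name = node.get("HostName", "").lower()
        if not LABEL_RE.fullmatch(name):
            continue
        for ip in node.get("TailscaleIPs") or []:
            entries.append((ip, name))
    return entries


def render_block(entries):
    """The managed section, one `ip<TAB>name` line per entry."""
    lines = [BEGIN, *(f"{ip}\t{name}" for ip, name in entries), END]
    return "\n".join(lines) + "\n"


def update_hosts(existing, block):
    """Replace the managed section in `existing`, or append it if there is none."""
    section = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.DOTALL)
    if section.search(existing):
        # a callable replacement avoids backslash processing of the block text
        return section.sub(lambda _m: block, existing, count=1)
    sep = "" if not existing or existing.endswith("\n") else "\n"
    return existing + sep + block


def regenerate(path):
    """Rewrite `path` in place; returns True if its contents changed."""
    p = Path(path)
    current = p.read_text() if p.exists() else ""
    updated = update_hosts(current, render_block(hosts_entries(tailscale_status())))
    if updated == current:
        return False
    tmp = p.with_suffix(p.suffix + ".tmp")
    tmp.write_text(updated)
    tmp.replace(p)  # atomic rename, so a resolver never reads a half-written file
    return True


if __name__ == "__main__":
    # placeholder path: point this at the file your resolver actually reads
    print("changed" if regenerate("/var/lib/tailscale-hosts/hosts") else "unchanged")
```

run it from a systemd timer (or cron) as the user that owns the target file; because the managed section is bounded by the markers, hosts that drop offline disappear on the next run and anything you add outside the markers survives.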

having too much free time, i sat down and whipped up a little script to occasionally regenerate my hosts file with the currently available tailscale hosts: