So, after a bit of tinkering I’ve managed to get tailscale working on Heroku using the Aptfile buildpack.
The problem I’m having is that every time my process restarts, it connects as a new machine. This is obviously not ideal, and kind of ruins the idea of using tailscale to connect to the service.
What I need to be able to do is authenticate as a specific machine, but that doesn’t seem to be an option?
Would I need to do something hacky like persisting the state file somewhere? Has anyone else figured something like this out?
Another issue is that I can’t listen on port 80 on loopback, a Heroku limitation. This obviously impacts the convenience of just being able to use magic DNS… you have to remember the port. Not sure if this is something that can be worked around.
I’m also not sure if starting tailscale in the same process as my webserver is the way to go…
The node’s identity is stored in /var/lib/tailscale/tailscaled.state. Saving and restoring that file would allow it to resume the same identity.
However that usually doesn’t work well in a serverless environment because Heroku can spin up multiple nodes. This can either be due to load of incoming requests, or because Heroku kills nodes at least every 24 hours but sometimes spins up the replacement before killing the original.
If tailscaled.state is restored to multiple Heroku nodes simultaneously, they’ll all fight over that Tailscale IP address and none of them will work well.
Thanks for the reply! I’m starting to think that using the machine IP address (or even magic DNS) is too low level… and actually I want to be using normal DNS so I can have some kind of round robin / automatic routing to the current machine.
A super hacky solution would be to set up a round robin CNAME record pointing at mymachine.foo.tailscale dot com, mymachine-1.foo.tailscale dot com, mymachine-2.foo.tailscale dot com (this is the way tailscale automatically increments machine names)… although looking that up, it’s not actually legal… you can only round robin A records.
Not sure if there are any approaches that would work. Would it maybe require a magic DNS feature to point at multiple IP addresses?