Expose Mailserver Ports through Tailscale with ip/nftables

Hello tailscale community,

I'm trying to realize the following scenario.
I have rented a VPS which has Tailscale installed.
I also have a server at home which has Tailscale installed.

Now I want to use nftables/iptables to forward all mail server ports from the external VPS address through Tailscale to my home server.

From the VPS I'm able to telnet to the mail server through the Tailscale network.

However, I'm not able to route/NAT the traffic through Tailscale to my home server with simple iptables rules:

# allow new inbound SMTP connections from eth0 to be forwarded out via tailscale0
iptables -A FORWARD -i eth0 -o tailscale0 -p tcp --syn --dport 25 -m conntrack --ctstate NEW -j ACCEPT
# rewrite the destination of inbound SMTP to the home server's Tailscale address
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination 100.x.x.x   # home server

Does anyone know where the problem could be?
It seems as if ip/nftables is not able to redirect traffic through Tailscale?

I don’t think that rule is redirecting the packet to the Tailscale interface. It is rewriting the destination address to 100.x.x.x but then sending it out whatever interface it was going to go out.

You might consider using a userspace forwarder like stunnel or using ssh to forward ports. Those will send the packet into the kernel to be routed, which should take it to the tailscale0 interface.
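For comparison, here is a complete kernel-side ruleset for the forwarding the original post describes. It is an added example, not code from the thread or from Tailscale; the interface names, the home server's tailnet address and the port list are placeholders set via environment variables. Beyond the DNAT rule in the post it adds the two pieces that such setups usually need: IPv4 forwarding enabled in sysctl, and a masquerade rule on the tailscale0 side. The masquerade matters because WireGuard (which Tailscale uses) only accepts a packet from a peer if its source address is within that peer's allowed IPs, so a forwarded packet that still carries the Internet client's source address is dropped at the home server, and its replies would not come back through the VPS either.

```shell
#!/bin/sh
# Added example (not from the thread): generate and optionally apply an nftables
# ruleset on the VPS that forwards mail ports arriving on the public interface
# to a home server over tailscale0, masquerading so replies return via the VPS.
# All values below are assumed placeholders; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"                      # public interface of the VPS
TS_IF="${TS_IF:-tailscale0}"                  # Tailscale interface
HOME_IP="${HOME_IP:-100.64.0.2}"              # constructed placeholder tailnet address of the home server
MAIL_PORTS="${MAIL_PORTS:-25,465,587,993}"    # SMTP, SMTPS, submission, IMAPS

# Emit the nftables ruleset to stdout (pure text, no privileges needed).
mailfwd_ruleset() {
  cat <<EOF
table ip mailfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # rewrite the destination of inbound mail traffic to the home server
    iifname "$WAN_IF" tcp dport { $MAIL_PORTS } dnat to $HOME_IP
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # source becomes the VPS's tailnet address so the peer accepts the packet
    # and the home server's replies are routed back through the VPS
    oifname "$TS_IF" ip daddr $HOME_IP tcp dport { $MAIL_PORTS } masquerade
  }
  chain forward {
    # drop everything not listed: only the mail ports are forwarded.
    # Relax this policy if the VPS also acts as a Tailscale subnet router or exit node.
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$WAN_IF" oifname "$TS_IF" ip daddr $HOME_IP tcp dport { $MAIL_PORTS } ct state new accept
  }
}
EOF
}

# Number of port-matching rules in the generated ruleset (dnat, masquerade, forward).
mailfwd_rule_count() {
  mailfwd_ruleset | grep -c 'tcp dport'
}

# Enable forwarding and load the ruleset atomically (run as root on the VPS).
mailfwd_apply() {
  sysctl -q -w net.ipv4.ip_forward=1
  mailfwd_ruleset | nft -f -
}

case "${1:-}" in
  --show)  mailfwd_ruleset ;;
  --check) mailfwd_ruleset | nft -c -f - && echo "ruleset parses" ;;
  --apply) mailfwd_apply ;;
esac
```

Run `sh mailfwd.sh --show` to inspect the ruleset, `--check` to have nft parse it without loading, and `--apply` as root to install it. Note that after masquerading the mail server sees every connection as coming from the VPS's tailnet address, so client-IP based controls and log entries on the home server lose the real source; keep connection logging on the VPS if that information matters to you.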