Heroku Tailscale buildpack

Hi folks!

The official docs for Tailscale on Heroku recommend using Docker to be able to connect to your resources on your tailnet. However, using your own Docker images on Heroku significantly reduces the CI/CD benefits of using Heroku. I’ve created a buildpack that will install Tailscale and Proxychains-ng, which allows your web process to access resources on the tailnet.

The problem I specifically ran into was hosting a CrunchBridge database in a tailnet and being unable to access it from a Heroku dyno. Even after switching to Docker, getting the networking to play nicely with Python’s psycopg connector was a pain. This is because it doesn’t respect the ALL_PROXY environment variable and likely never will (see issue 1117 in the psycopg2 repo on GitHub).

Proxychains allows you to pipe the network connection to localhost:1055 where the Tailscale SOCKS5 proxy is running. From there it’s forwarded onto your tailnet.

Integrating the buildpack shouldn’t change anything about your application. If you don’t have the TAILSCALE_AUTH_KEY environment variable set, it won’t do anything. However, if you still don’t configure the auth key and then try to use the proxychains4 wrapper, you will have a bad time.

This was a pretty challenging area for me to work in. If folks have any opinions or feedback, please share it with me. I believe using proxychains-ng in this manner is reasonable, but this is a bit outside my wheelhouse.

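A launcher that handles the case the post warns about (the proxychains4 wrapper invoked with no working tailnet proxy), as an added example that is not part of the original post or the buildpack. The function names, the `SOCKS_HOST`/`SOCKS_PORT` overrides and the choice to refuse to start when the key is set but the proxy is down are assumptions; only `TAILSCALE_AUTH_KEY`, `proxychains4` and localhost:1055 come from the post.

```shell
#!/usr/bin/env bash
# Added example: hypothetical launcher, not the buildpack's own script.
# SOCKS_HOST / SOCKS_PORT are assumed override names; the post only
# states that the Tailscale SOCKS5 proxy listens on localhost:1055.
SOCKS_HOST="${SOCKS_HOST:-127.0.0.1}"   # proxychains needs an IP, not a hostname
SOCKS_PORT="${SOCKS_PORT:-1055}"

# Succeeds only if something accepts TCP connections on the SOCKS5 port.
# Uses bash's /dev/tcp so no extra tool is required on the dyno.
socks_proxy_up() {
  (exec 3<>"/dev/tcp/${SOCKS_HOST}/${SOCKS_PORT}") 2>/dev/null
}

# Prints one of: direct | proxy | unavailable
launch_mode() {
  if [ -z "${TAILSCALE_AUTH_KEY:-}" ]; then
    echo direct          # buildpack is inert without the auth key
  elif socks_proxy_up; then
    echo proxy
  else
    echo unavailable     # key configured, but nothing is listening
  fi
}

# Writes a minimal proxychains-ng config pointing at the local SOCKS5 proxy.
write_proxychains_conf() {
  cat > "$1" <<EOF
strict_chain
proxy_dns
[ProxyList]
socks5 ${SOCKS_HOST} ${SOCKS_PORT}
EOF
}

# Runs "$@" directly, through proxychains4, or not at all.
run_on_tailnet() {
  case "$(launch_mode)" in
    direct) exec "$@" ;;
    proxy)
      conf="$(mktemp)"
      write_proxychains_conf "$conf"
      exec proxychains4 -q -f "$conf" "$@" ;;
    *)
      echo "TAILSCALE_AUTH_KEY is set but no SOCKS5 proxy on ${SOCKS_HOST}:${SOCKS_PORT}; refusing to start" >&2
      return 1 ;;
  esac
}

if [ "$#" -gt 0 ]; then run_on_tailnet "$@"; fi
```

`proxy_dns` sends name lookups through the proxy as well, so tailnet hostnames are resolved on the Tailscale side rather than by the dyno's resolver.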