How to access WAN IP of VPS connected to Tailscale

Tailscale version: 1.34.2
Your operating system & version: Ubuntu Server 22.04

I’ve currently got a tailscale network setup between my VPS and my other devices in order to expose services without having to open local ports, and I’ve been using the site-to-site networking to expose subnet routes on both the VPS and a local Raspberry Pi. This currently has a reverse proxy (traefik) as well as a proxy/router for game servers on it that point to a local machine. From a different machine on the local network, without tailscale, and without adding the subnet routes via the RPi, I’m unable to access the public IP address of the VPS. How do I go about solving this?

Edit: I should clarify, I can access the public IP from outside the LAN, just want to be able to access it from within without NAT reflection or any kind of shenanigans.

Why did you enable subnet routes? you dont need it if tailscale is installed on your raspi (for this scenario where you want to expose services withouth opening ports)

i have a similar setup.

Internet → VPS → Tailscale → RasPi(with caddy)

VPS can access my RasPi over tailscale with its tailscale IP.
VPS has an external accessible IP
VPS redirects port 80/443 to my RasPi over tailscale-network (im using rinetd for this)

so when i access (resolv to e.g. im going to my vps. the vps redirects this traffic than to my raspi over tailscale. my raspi is than doing its reverseproxy thing.

btw. rinetd is as simple as that:

# bindadress    bindport  connectaddress  connectport	          80	80	          443	443

Alright, I’ve tried using rinetd, but I’ve had absolutely no luck. How were you able to use rinetd? There have been no logs, I’ve edited the config file, nothing. I’ve tried building it from the source on github, also tried installing it from the apt package manager, what were your setup steps?

i’ve installed it with sudo apt-get install rinetd

the configuration file is located at /etc/rinetd.conf

you can check the status with systemctl status rinetd

After configuration change do systemctl restart rinetd

You can also check if rinetd is listening on the ports with netstat -tuplen

Alright, I’ve gotten it to partially work now, although it was only my http and https forwarding. For whatever reason it started working when I removed the ones for my gameservers (25565/tcp and 11000/udp). Any clue as to why that happened in particular?

Okay, I’ve mostly gotten it working, although the ones to my minecraft server reverse proxy don’t work, 25565 both tcp and udp, tried using just tcp, no luck. I’ve been checking through the logs that finally generated (not entirely sure why it wasn’t working before, I’ve gone back to my previous config and it’s working now), and whenever I try to connect via 25565, it says it opens, and almost immediately again it says “done-local-closed.” Do you have any idea as to why that would have happened?

Is your Minecraft server listening on any connection or only on your LAN address?
For example it’s listening on than tailscale would not be able to connect to it. You need to bind the Minecraft server to if this is possible.

Can you test to connect to the Minecraft server from your laptop etc. over tailscale?
If your Minecraft game is able to connect to it, than the server is already listening on the tailscale interface. If not, than it’s not bound to the ‘any’ interface.

On the MC Server host, you can also check with netstat -tuplen how the port 25565 is bound

Oh one important thing:

In the rinetd config, if you define the port as a simple number, it is always TCP. If you want to tunnel UDP, u need to add /udp to BOTH the incoming and outgoing port. 1100/udp 1100/udp