Hi there,
As a summary, this is how I have Tailscale configured on my home network:
- Tailscale installed on my Raspberry Pi
- Tailscale started with --accept-dns=false --advertise-exit-node --snat-subnet-routes=false
- DNS server (AdGuard Home) installed on the Raspberry Pi
- Tailscale global nameserver pointing to the Pi's 100.x address (with "Override local DNS" enabled)
- DNS server upstream servers go to Cloudflare 1.1.1.1 by default, but if the query matches my own custom domain (example.com) it goes to my router's DNS server instead (e.g., machine.domain.example → 10.0.10.123)
So far, everything is working as expected, but it’s now time to share my DNS server with my family and friends.
For testing purposes, I'm using my wife's Google account. I created her own Tailscale account and shared the Pi machine with her. I then proceeded to configure her account's DNS to point the global nameserver to the Pi's 100.x address (with "Override local DNS" enabled). Now, with her laptop and Tailscale account connected, I can ping machine.domain.example and I get 10.0.10.123. So far, so good. If I ping anything else (like tailscale.com), it also works, and I get whatever Cloudflare returns. In conclusion, her account goes through my DNS server installed on the Pi successfully.
The problem is that she can't access 10.0.10.123; Tailscale does not work like that. She could, however, access the 100.x address pointing to the same machine. So, in a nutshell, this is what I aim to achieve:
- Inside our home network
  - Not connected to Tailscale, pinging machine.domain.example returns 10.0.10.123
  - Connected to Tailscale, pinging machine.domain.example returns 100.x
  - Not connected to Tailscale, pinging
- Outside our home network
  - Connected to Tailscale, pinging machine.domain.example returns 100.x
  - Connected to Tailscale, pinging
I’m thinking that we’d need to have some kind of override functionality in the Tailscale DNS interface, so that we could tell Tailscale DNS to return a Tailscale machine IP for a specific hostname, otherwise fallback to the global nameserver. But I don’t think this functionality exists yet.
So far, the only workaround I found to achieve this is to forget about sharing and use my own account on my wife's laptop, while advertising my home's subnet. But "my wife's laptop" was just an example; ideally I would want to share specific machines with multiple friends and family, and sharing my account credentials is not feasible.
Is this not possible to achieve in some other way? What are my alternatives?
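For readers trying to reproduce the upstream split described in the post, here is an AdGuard Home configuration excerpt written as an added illustration (it is not the poster's own file). It assumes the router's resolver listens on 10.0.10.1 and that example.com is the custom domain, both placeholders; everything else mirrors what the post describes.

```yaml
# AdGuardHome.yaml (excerpt) - added example, not the poster's configuration.
# Assumed placeholder: the router's DNS resolver is at 10.0.10.1.
dns:
  bind_hosts:
    - 0.0.0.0              # answer on every interface, including the Tailscale 100.x address
  port: 53
  upstream_dns:
    - 1.1.1.1              # default upstream: Cloudflare, as in the post
    # Domain-specific upstream: anything under example.com is forwarded to the
    # router's resolver, which hands back the LAN address (e.g. 10.0.10.123).
    - '[/example.com/]10.0.10.1'
```

With this in place a query for a name under example.com never reaches Cloudflare, which is the behaviour the post reports for machine.domain.example; a Tailscale-only client still receives the LAN address, which is the limitation the post describes.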