Noob: Installed TS on iPhone and Synology - active in dashboard but no connection

UPDATE
Synology’s TS app was saying an update was needed. No built-in updates, so I deleted the app and went to reinstall… never updated the app, but after the reinstall everything started working?!

NEXT STEPS
• Close all the open ports on Synology
• Iron out glitches w/ TS, internet and 3rd-party VPNs (maybe via passthrough)
• Get domain name connected to IP

Great outcome! Well done for solving it.

And yep, your third bullet point is the way: just update your NAS’ DNS entry to point to its Tailscale IP, and put your DNS service’s IP address in the Tailscale DNS settings as a global name server. Then whenever you are roaming on your iPhone you can access your NAS at your custom domain, no port forwarding required.

Keeps getting better… using a public DNS atm.
I have an actual domain which is hosted elsewhere and need to connect so I could essentially use a personal subdomain <servername.hostname.cXm>. The host itself appears to discourage DDNS (says it is not supported etc.)… wondering if it is possible to set up a URL forwarder from servername.hostname.com to point to hostname.publicddnsservername.cXm and have that work?

I’m sure it’s possible, but my understanding of that is not great, probably depends a lot on the providers involved. Don’t forget you can use Synology’s built-in DDNS service with a number of DDNS providers.

Also I guess the key advantage of Tailscale is to avoid the need to open ports in your firewall. So normal domain forwarding etc is probably not the way to go unless you want to configure this to forward to your NAS’ Tailscale IP all the time.

I found the guides to MagicDNS really helpful; I use this setup and find it works really well. Worth turning on and experimenting with now that your connections are working fine.

If you add your domain to Tailscale’s DNS settings, and if you add the same domain to your home router, you should be able to access nas.homedomain.com seamlessly.

Synology’s built-in DDNS service is how the third-party DDNS host is connected and working.
Also have a Synology name as backup here in this panel.

What I am trying now (not yet successful) is exactly that, to have the forwarder always point to the TS IP.
(Super simple, right? Not yet working.) In theory, even a simple redirect to the TS IP should work.

Mind elaborating on that last statement? Add domain to TS DNS settings (got it) … why add it again to home router?

I add my domain to my home router as well so that if my devices aren’t connected to Tailscale, they can still find my devices at device.homedomain.com.

If your forwarder’s not working, you might be able to just create an A record for your nas.domain.com that points to your Tailscale IP. This will vary depending on which provider you use, but instructions will be something like these: https://godaddy.com/help/create-a-subdomain-4080
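A sanity check for the A-record approach in the reply above, added here as an example and not code from the thread or from Tailscale: the whole point of pointing nas.domain.com at a Tailscale address is that the NAS never has to be reachable from the public internet, so it is worth auditing the zone to confirm every A/AAAA record for the NAS lands inside the Tailscale address ranges rather than on a public or LAN address. The code assumes Tailscale assigns node addresses from 100.64.0.0/10 (IPv4) and fd7a:115c:a1e0::/48 (IPv6); the zone below, the domain names and the addresses are constructed sample data.

```python
import ipaddress

# Assumption (see lead-in): Tailscale assigns node addresses from the CGNAT block
# 100.64.0.0/10 and the ULA prefix fd7a:115c:a1e0::/48.
TAILSCALE_RANGES = [ipaddress.ip_network(n) for n in ("100.64.0.0/10", "fd7a:115c:a1e0::/48")]
# RFC 1918 / RFC 4193 ranges: a record here only resolves to something usable on the home LAN.
LAN_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_tailscale_ip(addr: str) -> bool:
    """True if addr lies inside one of the Tailscale address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILSCALE_RANGES)


def classify_target(addr: str) -> str:
    """'tailscale': reachable only over the tailnet, no port forwarding needed.
    'lan':       an RFC 1918 / ULA address, only useful while at home.
    'public':    anything else, i.e. the host would have to be exposed on the internet.
    Tailscale ranges are tested first because fd7a:... is also inside fc00::/7."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in TAILSCALE_RANGES):
        return "tailscale"
    if any(ip in net for net in LAN_RANGES):
        return "lan"
    return "public"


def audit_zone(records):
    """records: iterable of (name, rtype, value) tuples as they appear in the zone.
    Returns {name: [(value, classification), ...]}. A and AAAA records are classified;
    CNAMEs are reported as 'cname' because their target can only be judged once it resolves."""
    report = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            report.setdefault(name, []).append((value, classify_target(value)))
        elif rtype == "CNAME":
            report.setdefault(name, []).append((value, "cname"))
    return report


def exposed_names(report):
    """Names with at least one A/AAAA record pointing at a public address."""
    return sorted(name for name, entries in report.items()
                  if any(cls == "public" for _, cls in entries))


# Constructed sample zone: example.com / example.net and the addresses are placeholders.
SAMPLE_ZONE = [
    ("nas.example.com", "A", "100.101.102.103"),           # Tailscale IPv4 of the NAS
    ("nas.example.com", "AAAA", "fd7a:115c:a1e0::1234"),   # Tailscale IPv6 of the NAS
    ("media.example.com", "A", "203.0.113.7"),             # public address: needs port forwarding
    ("desk.example.com", "A", "192.168.1.20"),             # LAN-only address
    ("www.example.com", "CNAME", "hostname.ddns.example.net."),
]

if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    for name, entries in report.items():
        print(name, entries)
    print("exposed to the internet:", exposed_names(report))
```

Run against a real zone export, any name that comes back as `public` is one that only works with an open port on the router, which is exactly what the Tailscale setup is meant to avoid; a `cname` entry has to be resolved and re-checked, since a DDNS target will normally point at the router's public address.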

Update:

• TS is working on all devices.
• Subdomain forwarder is working, pointing to TS IP.
• Milestone by far, happy to have gotten to this point.

Main issue: Internet
Internet and VPNs. Tailscale requires quitting any 3rd-party VPN to activate the TS VPN and connect. That is a problem on the desktop because the desktop is configured not to have ANY internet unless it is successfully connected to an anonymized 3rd-party VPN. Switching to the TS VPN disables online access.
On iOS it is asking way too much to keep having to switch between VPNs depending on the task at hand.

Presume there is a way to achieve a TS connection while still concurrently maintaining day-to-day access to the preferred VPN… maybe it takes some creative thinking. Would there be a solution through a proxy? Split-running I’d imagine would work… wanting all TS activity going through the TS IP, everything else business as usual on the other VPN.

Expect the exit location will not help, as all devices are to be on unique VPN instances, and if the exit device has to be on the same network then we have the same problem of needing to split traffic in two directions.
—splitting this into a separate post—

Hmm so it sounds like you want two VPNs to coexist. One is your Tailscale private mesh network, the other is your 3rd party VPN provider. And you want selected devices to use only your 3rd party VPN for general internet access, but your Tailscale mesh network for access to devices you own.

I don’t have enough networking experience to know how best to do this. It can be done at a container level using Docker networks: just create a virtual Docker network with internet access via your VPN provider, and only grant access to the internet via that network to containers that are required to go through your VPN provider. Not sure how to do this at the physical device level, if you have already ruled out Tailscale’s existing features that assist with this.

Another solution is just to set up a third device on your home network that is logged into Tailscale and uses the advertise routes feature to advertise your home network subrange. That way any external devices connected to Tailscale will be able to access your desktop at its local LAN IP. Your desktop is not signed into Tailscale at all, and remains connected to the 3rd party VPN provider.
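To make the subnet-router suggestion above concrete, here is an added illustration, not code from the thread or from Tailscale, of why the two tunnels can coexist on a host that is allowed to hold both: the kernel picks a route by longest prefix match, so the third-party VPN's default route carries general traffic while the more specific Tailscale routes (the 100.64.0.0/10 tailnet range and the home subnet advertised by the subnet router) carry only tailnet traffic. The interface names (tun0, tailscale0, wlan0), the home subnet 192.168.1.0/24 and the VPN endpoint 198.51.100.10 are assumptions for illustration; the split-default-route trick (0.0.0.0/1 plus 128.0.0.0/1) that some commercial VPN clients use is modelled to show it still loses to the more specific Tailscale routes.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match routing table (illustration only, not Tailscale code)."""

    def __init__(self):
        self.routes = []  # list of (network, interface)

    def add(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def lookup(self, dst):
        """Return the interface for dst, choosing the most specific matching prefix.
        Returns None when no route covers the destination."""
        ip = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return None if best is None else best[1]


def build_roaming_client_table(home_subnet="192.168.1.0/24",
                               vpn_endpoint="198.51.100.10/32",
                               split_default=False):
    """Routes as they might look on a roaming laptop running a commercial VPN client
    (tun0) and Tailscale (tailscale0), with a subnet router at home advertising
    home_subnet. All names and addresses are assumptions for illustration."""
    rt = RoutingTable()
    if split_default:
        # Some VPN clients install two /1 routes instead of replacing the default route.
        rt.add("0.0.0.0/1", "tun0")
        rt.add("128.0.0.0/1", "tun0")
    else:
        rt.add("0.0.0.0/0", "tun0")        # general internet: third-party VPN
    rt.add(vpn_endpoint, "wlan0")          # the VPN server itself is reached directly
    rt.add("100.64.0.0/10", "tailscale0")  # tailnet peers (Tailscale IPv4 range)
    rt.add(home_subnet, "tailscale0")      # learned from the home subnet router
    return rt


def split_traffic(rt, destinations):
    """Map each destination to the interface that would carry it."""
    return {dst: rt.lookup(dst) for dst in destinations}


# Constructed destinations: the desktop at home, the NAS's Tailscale IP, a public site, the VPN server.
SAMPLE_DESTINATIONS = ["192.168.1.20", "100.101.102.103", "203.0.113.7", "198.51.100.10"]

if __name__ == "__main__":
    for split in (False, True):
        table = build_roaming_client_table(split_default=split)
        print("split default route:", split, split_traffic(table, SAMPLE_DESTINATIONS))
```

The desktop at home stays off Tailscale entirely, as the reply above describes; its LAN address 192.168.1.20 is reached through the subnet router because the advertised /24 is more specific than anything the VPN client installs. If the VPN client instead uses a firewall "kill switch" that drops packets not leaving via tun0, that is a filtering rule rather than a routing one, and the table above does not model it.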

Right - this is getting more complicated. Since I am able to get the laptop working with both TS and 3rd party VPN, I was thinking to use it as an exit port…didn’t yet give that a try. That would defeat some of the purpose of moving the server from the Mac to Synology for an always on device.

I can see how Docker might work for the media center instance which might be the most, if not only, important need from the synology side. When at home there are a lot of options that work to meet both needs (and am not on the iOS devices so that removes the hardest piece of the equation.) When traveling, everything is iOS and I’m away from home often.

So to further focus the use case, how to split traffic from the iPhone between TS & a second VPN service.

As far as I know you can’t have two simultaneously active VPNs running on an iPhone. Thus the need to rely on other devices to handle the other VPN connection. As a general strategy you might find it easier to only have the services that need the VPN running through the VPN, rather than having your entire device run all its internet activity through the 3rd-party VPN.

How is that accomplished from an iOS device?

Your iPhone is just the client, but on your servers try to compartmentalise and segregate services into those that need 3rd party VPN access and those that don’t. This might be easier to configure than having all services on your server running through the 3rd party VPN.

Not following how that resolves the issue from the iOS client.

Let’s say I only have a few services on the server configured for the internet (and to your point, that could be narrowed down). Regardless of the server internet settings, I would still need to switch between Tailscale’s VPN and the 3rd-party VPN depending on the task. What am I missing?

If you access services running on your server via Tailscale, and those services have their internet access configured to use your 3rd party VPN, then you don’t need your 3rd party VPN on your iPhone.

Yes, I am in the process of getting Exit mode enabled (hitting an error, in a separate post).

I didn’t get the segregation of services into those that need the 3rd-party VPN and those that don’t. I’d essentially have the VPN running for all internet on the Synology? Something in that idea isn’t yet clicking.