Preserve source IP when forwarding through Tailscale

I have a Linux VPS that forwards all incoming traffic on a certain port to a Tailscale IP using firewalld. This allows me to expose a port on my homeserver using the public IP of the Linux VPS.

This is working fine, but the only problem is that my homeserver sees the Tailscale IP as the source address, instead of the original IP. It would be nice to be able to see the "real" IP addresses of the connections.

According to this article (Mos's blog: Forward Traffic from Public IP to Wireguard client behind NAT and Preserve IP i) it is possible to do this with Wireguard and iptables. So I'm interested in how to do this with Tailscale+Firewalld instead.

This isn't really possible, unless your home server was set up to send all traffic through Tailscale and back out through that VPS. Otherwise, when it received a packet from a non-Tailscale address it would try to reply using its normal route, and the reply would never get back to the source machine.

I was afraid of that already :frowning:

But did you take a look at the article? It seems he was able to do it somehow.

That post shows exactly what I described; the ‘home server’ routes all non-local traffic back over the Wireguard VPN and out through the VPS.
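The two halves of the setup the replies describe, as an added example that is not from the thread or from any Tailscale or firewalld documentation: on the VPS, a firewalld forward-port rule without masquerade (masquerading is what replaces the client address with the VPS's Tailscale IP), and on the home server, routing all non-local traffic back out through the VPS by using it as a Tailscale exit node, so that replies to the real client address reach the client. All addresses and the port are constructed placeholders; the script only prints the commands unless APPLY=1 is set, and the exit node still has to be approved in the tailnet admin console before the home server can select it. Keeping the real source address is what makes per-client logging and rate limiting on the home server meaningful, since with masquerade every connection appears to come from the VPS.

```shell
#!/bin/sh
# Added example (not from the thread). Every address and port below is a
# constructed placeholder; replace them with your own tailnet values.
# By default the functions only print the commands; set APPLY=1 to run them.

VPS_TS_IP="100.64.0.1"        # placeholder: VPS's Tailscale address
HOME_TS_IP="100.64.0.2"       # placeholder: home server's Tailscale address
PUBLIC_PORT="443"             # placeholder: port exposed on the VPS

# Print a command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# On the VPS: DNAT the public port to the home server's Tailscale IP.
# Deliberately no --add-masquerade: masquerading rewrites the source
# address to the VPS's Tailscale IP, which is exactly what hides the
# client address. Without masquerade, firewalld does not turn on IP
# forwarding for you, so the sysctl is set explicitly.
vps_forward() {
    port=$1; target=$2
    run sysctl -w net.ipv4.ip_forward=1
    run firewall-cmd --permanent --zone=public --add-port="${port}/tcp"
    run firewall-cmd --permanent --zone=public \
        --add-forward-port="port=${port}:proto=tcp:toaddr=${target}"
    run firewall-cmd --reload
    # Offer the VPS as an exit node so the home server can route replies
    # back through it (must be approved in the tailnet admin console).
    run tailscale up --advertise-exit-node
}

# On the home server: the forwarded packet now carries the real client IP,
# so a reply would normally leave via the home default route and never
# reach the client. Sending all non-local traffic through the VPS exit node
# makes the reply path match the inbound path.
home_reply_path() {
    vps=$1
    run tailscale up --exit-node="${vps}" --exit-node-allow-lan-access
}

# Usage: ROLE=vps ./forward.sh  or  ROLE=home ./forward.sh
case "${ROLE:-}" in
    vps)  vps_forward "$PUBLIC_PORT" "$HOME_TS_IP" ;;
    home) home_reply_path "$VPS_TS_IP" ;;
esac
```

Note that `tailscale up` applies the full set of flags you pass it, so if the VPS or home server already runs with other flags (for example `--advertise-routes`), repeat them on the same command line. The price of this layout is the one the replies point out: all of the home server's outbound traffic, not just the forwarded service, now exits through the VPS.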