Preserve source IP when forwarding through Tailscale

Muis · June 13, 2022, 7:28pm

I have a Linux VPS that forwards all incoming traffic on a certain port to a Tailscale IP using firewalld. This allows me to expose a port on my homeserver using the public IP of the Linux VPS.

This is working fine, but the only problem is that my homeserver sees the Tailscale IP as the source address, instead of the original IP. It would be nice to be able to see the “real” ip addresses of the connections.

According to this article ( Mos's blog: Forward Traffic from Public IP to Wireguard client behind NAT and Preserve IP i) it is possible to do this with Wireguard and IPtables. So im interested how to do this with Tailscale+Firewalld instead.

kpfleming · June 13, 2022, 8:11pm

This isn’t really possible, unless your home server was setup to send all traffic through Tailscale and back out through that VPS. Otherwise when it received a packet from a non-Tailscale address it would try to reply using its normal route, and the reply would never get back to the source machine.

Muis · June 13, 2022, 8:35pm

I was afraid of that already

But did you take a look at the article? It seems he was able to do it somehow.

kpfleming · June 13, 2022, 10:43pm

That post shows exactly what I described; the ‘home server’ routes all non-local traffic back over the Wireguard VPN and out through the VPS.

Topic		Replies	Views
Use tailscale to provide public IP to node in tailnet	0	2350	September 18, 2022
Wireguard through tailscale	1	936	August 18, 2022
Expose Mailserver Ports though Tailscale with ip/nftables Linux	1	1198	November 11, 2021
VPN on exit node Linux	0	1166	May 14, 2022
How can I route a port from my Home Server to a VPS which can host it publicly?	1	1053	January 30, 2023

Preserve source IP when forwarding through Tailscale

Related Topics