I think this is a very common scenario that is, to my knowledge, not well covered in the documentation. Given:
- full control over a fast local home network
- a bunch of domains
- a bunch of servers on the network that are primarily used locally but sometimes remotely, let’s assume we have full control over them for simplicity
- for simplicity, assume that the network is not trusted and all servers authenticate requests
…what’s the best way to ensure transparent perfect access via domain names, utilising full bandwidth locally while allowing remote access?
Some solutions I saw or can think of:
- just using tailscale all the time. I’d love to, but unfortunately it tops out at about 190 Mbit/s, or about 25% of my local network’s bandwidth. This can change if/when Tailscale adopts kernel-native wireguard (“Linux kernel Wireguard data plane · Issue #426 · tailscale/tailscale · GitHub”), but it seems to be unlikely to happen soon
- use a relay node and local IPs in DNS, using the “native” network adapter’s weight to route traffic directly if it’s in the “home” network to avoid the tailscale performance hit. This can work transparently if “When local route is available to a subnet, bypass tailscale subnet relay · Issue #1227 · tailscale/tailscale · GitHub” is ever resolved, but it isn’t for the moment, so the only way to do that is to disable tailscale manually and/or on wifi connection
- split DNS: use local DNS resolving local servers’ domains into local addresses, but pointing “normal” DNS servers to Tailscale. This should work transparently as long as DNS cache doesn’t interfere
Am I missing some other options? What would you use, and is there an officially recommended way of doing this?
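The split-DNS option above can be illustrated with a small split-horizon lookup: a known server name resolves to its LAN address when the querying host has an interface on the home subnet, and to its Tailscale address otherwise, with a short TTL on the LAN answer so a caching resolver does not keep serving it after the host leaves the house. This is an added example and not code from the original post or from Tailscale; the subnet `192.168.10.0/24`, the host names and all addresses are constructed sample values (the only real constant is Tailscale’s `100.64.0.0/10` node range).

```python
# Added example (not from the original post): split-horizon name resolution
# for servers that are reachable both on the home LAN and via Tailscale.
# All subnets, host names and addresses below are constructed sample values.
import ipaddress
from typing import List, Optional, Tuple

# Constructed home LAN, and the CGNAT range Tailscale assigns node addresses from.
HOME_SUBNET = ipaddress.ip_network("192.168.10.0/24")
TAILSCALE_SUBNET = ipaddress.ip_network("100.64.0.0/10")

# Constructed records: each server has a LAN address and a Tailscale address.
HOSTS = {
    "nas.home.example": {"lan": "192.168.10.20", "ts": "100.80.1.20"},
    "media.home.example": {"lan": "192.168.10.21", "ts": "100.80.1.21"},
}

# Short TTL on LAN answers so a laptop that leaves the house re-resolves quickly
# instead of keeping a stale LAN address in its cache; the Tailscale address is
# reachable from anywhere, so it can be cached longer.
LOCAL_TTL = 30
REMOTE_TTL = 300


def on_home_network(local_addrs: List[str]) -> bool:
    """True if any of the host's own interface addresses lies in HOME_SUBNET."""
    for addr in local_addrs:
        try:
            if ipaddress.ip_address(addr) in HOME_SUBNET:
                return True
        except ValueError:
            # Ignore anything that is not a valid IP literal.
            continue
    return False


def resolve(name: str, local_addrs: List[str]) -> Optional[Tuple[str, int]]:
    """Return (address, ttl) for a known server, or None to forward upstream."""
    record = HOSTS.get(name.rstrip(".").lower())
    if record is None:
        return None  # not one of ours: let the normal resolver handle it
    if on_home_network(local_addrs):
        return record["lan"], LOCAL_TTL
    return record["ts"], REMOTE_TTL


def misconfigured_hosts() -> List[str]:
    """Names whose 'ts' address is outside Tailscale's node range (config check)."""
    return [
        name
        for name, record in HOSTS.items()
        if ipaddress.ip_address(record["ts"]) not in TAILSCALE_SUBNET
    ]


if __name__ == "__main__":
    # Constructed interface lists: at home, and on a foreign network.
    at_home = ["127.0.0.1", "192.168.10.55", "100.80.1.55"]
    away = ["127.0.0.1", "10.0.0.7", "100.80.1.55"]
    print(resolve("nas.home.example", at_home))  # LAN address, short TTL
    print(resolve("nas.home.example", away))     # Tailscale address
    print(resolve("other.example", at_home))     # None: forward upstream
    print(misconfigured_hosts())                 # [] when all 'ts' entries are valid
```

The decision is made per query from the host's own addresses rather than from a cached answer, which is the same signal the "bypass when a local route exists" issue asks Tailscale to use; the TTL split is what keeps a resolver cache from undoing it.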