Workaround for problem with Tailscale using Relay

This is not criticism of Tailscale (TS). Without Tailscale this story would not have a happy ending.

I use TS extensively for inter-machine and inter-network communication. But I have a use case where I run a daily job to copy all my backup files from my “home” site to an “away” site. Both ends are using Raspberry Pi 4. This is about 900GB of data a month. When I set this up it ran perfectly using TS. I could copy all data with no open ports and tight security. But occasionally I’d encounter a situation where TS would only set up a Relay (DERP) connection. This connection, in my case, is significantly slower than a TS direct connection. Once, a day’s copying took 44 hours!

My solution is to use my public IP address and open a port for my ssh/rsync connection. I was not happy as my systems currently run out of public view and I have no open ports on my router.

Here’s what I did:

  • Changed my home Pi to only accept authentication key-pair login, so a password attack will fail
  • Set up port forwarding to use an obscure port number, such as 12345, to prevent accidental attacks
  • Added UFW (Uncomplicated Firewall) to restrict outside access to the Pi to only the IP address of the away network.

This worked and reliable speed was restored. But… there were a few remaining problems:

  • Both home and away are residential ISP plans, so the IP changes at irregular times.
  • I really wanted to keep that port closed as much as possible.

The solution I devised was to enhance my backup script, which runs on the away machine, to use TS to send the away IP address, using an ssh inline command, to the home machine. The home machine then uses UFW to allow access for only that IP address and returns the home machine’s IP address to the away machine. The sync then runs. After the sync finishes, again using TS, the away machine sends a command to the home machine to delete the UFW rule. This resolved both my changing-IP problem and keeping the port blocked whenever possible.

This is working flawlessly.

If there is any interest, I’ll publish the specifics of the batch files, etc., that I use.
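The open-rule, sync, close-rule sequence described above, as an added example script for the away Pi; this is not the poster's own script (whose files are not published here). It assumes a Tailscale hostname `home-pi`, the forwarded port 12345, a public-IP echo service, and passwordless `sudo ufw` for the ssh user on the home Pi; it also checks the IP string before it reaches a ufw command line and removes the rule on exit even if rsync fails.

```bash
#!/usr/bin/env bash
# Runs on the "away" Pi. Assumed names (not from the original post):
#   HOME_TS   - the home Pi's Tailscale hostname (reachable with no open port)
#   SYNC_PORT - the obscure forwarded sshd port the post mentions (12345)
#   IP_ECHO   - any "what is my IP" web service
#   the ssh user on the home Pi may run "sudo ufw" without a password
set -eu
HOME_TS="${HOME_TS:-home-pi}"
SYNC_PORT="${SYNC_PORT:-12345}"
IP_ECHO="${IP_ECHO:-https://api.ipify.org}"

# The away IP travels over ssh into a ufw command line, so accept nothing
# but exactly four decimal octets in the range 0-255.
valid_ipv4() {
  local old_ifs o
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Narrowest rule that lets the sync through: one source IP, one port, TCP only.
ufw_allow_rule()  { printf 'ufw allow from %s to any port %s proto tcp' "$1" "$2"; }
ufw_delete_rule() { printf 'ufw delete allow from %s to any port %s proto tcp' "$1" "$2"; }

run_sync() {
  local away_ip home_ip
  away_ip=$(curl -fsS "$IP_ECHO")
  valid_ipv4 "$away_ip" || { echo "refusing odd away IP: $away_ip" >&2; return 1; }
  # Step 1 (over Tailscale): open the hole for our IP only, learn the home public IP.
  home_ip=$(ssh "$HOME_TS" "sudo $(ufw_allow_rule "$away_ip" "$SYNC_PORT") >/dev/null && curl -fsS $IP_ECHO")
  # Step 3 must run even if rsync dies, or the port stays open until the next run.
  trap "ssh $HOME_TS 'sudo $(ufw_delete_rule "$away_ip" "$SYNC_PORT")'" EXIT
  valid_ipv4 "$home_ip" || { echo "refusing odd home IP: $home_ip" >&2; return 1; }
  # Step 2: the bulk copy over the public path, key auth only, non-standard port.
  rsync -a -e "ssh -p $SYNC_PORT" /srv/backups/ "backup@$home_ip:/srv/backups/"
}

# Only run the real job when asked; sourcing the file just defines the functions.
if [ "${RUN_SYNC:-0}" = 1 ]; then run_sync; fi
```

Run it with `RUN_SYNC=1 ./sync.sh` from cron on the away Pi; the home Pi never has to trust anything but a well-formed dotted-quad address.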