Hi, so I've been working on this for a week but I'm not really happy with the solutions I find, as they seem to be done by individuals who rely heavily on AI. I got WireGuard Easy going and can remotely connect, which is great, but I'd love to be able to route any internet traffic to and from the WireGuard clients through another server while filtering my local onsite services. I felt that if I can crack this I don't need to rely on Tailscale. The end goal is to have no reliance on Tailscale as I am preparing for the eventual enshittification.

  • diminou@lemmy.zip · 7 up, 2 down · 16 hours ago

    You could use Headscale. It's the heart of Tailscale but in an open source format.

    • Jason2357@lemmy.ca · 2 up · 11 hours ago

      Headscale is actually a simpler implementation rather than the heart of what Tailscale uses directly. It is perfectly complete for a single person's homelab application, IMHO. It would be easy for the community to maintain a fork, but it's also good to see other approaches that solve the same problem.

    • LetchLemon@lemmy.blahaj.zone (OP) · 6 up, 1 down · 16 hours ago

      I did consider it. But then I'm still using the Tailscale ecosystem, which, as much as I want to, is still an American company.

      • opi@lemmy.ca · 12 up · 16 hours ago

        Just a bit of a nitpick, but Tailscale is a Canadian company.

        • LetchLemon@lemmy.blahaj.zone (OP) · 5 up, 1 down · 15 hours ago

          Well. That changes everything :D I shall look more seriously into this then. Would still love any thoughts on iptables routing though >.<

          • dan@upvote.au · 7 up · 15 hours ago

            iptables is deprecated… If you really do want to do your own custom thing you should learn nftables.

              • dan@upvote.au · 3 up · 14 hours ago

                iptables should still work, but these days it gets converted to nftables so you may as well just learn nftables.

                Having said that, I find it a pain to manually configure iptables or nftables. There might be a better way to do what you want.

                • LetchLemon@lemmy.blahaj.zone (OP) · 2 up · 14 hours ago

                  Ahh good, so it's not just me, it's actually a bit of a headache. The more I talk to folk the more I feel Headscale's probably going to be the way, and rely on folk smarter than I to implement the nftables. Atm I'm kinda doing a ham-fisted approach, as of the two programs I am using, one uses nftables and the other iptables, so I'm already making it hard for myself. Thanks so much, this is the kind of clarity I was seeking.

                  • Jason2357@lemmy.ca · 2 up · 11 hours ago

                    I run Headscale on a VPS and it has been 100% reliable and provides an exit node for me via that VPS. But you are going to have the exact same issue, I think, with your VPN.

                    You want your default route from the exit node to go over Mullvad's interface, but you need WireGuard or Tailscale to talk to the other clients directly, via their clearnet IP. You can tell the exit node's Tailscale/WireGuard client to bind the clearnet interface, but that may or may not help. Mullvad probably takes the default gateway, which will likely cut off the clients. You could set dedicated routes to the IP addresses of the clients, but they can change if those clients are mobile. You will need to maintain a routing table somehow or keep the pre-existing connection active (fragile).

                    I am sure it's well trodden ground, just be aware that Headscale probably won't solve your problem automatically. It's a routing and/or firewall config issue.
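An added example, not posted by anyone in this thread, of the routing-and-firewall setup the last comment describes: policy routing sends only the traffic that arrived from wg-easy clients out through the upstream tunnel, so the host's main routing table (and therefore the wg-easy endpoint talking to roaming clients) stays on the clearnet, while nftables limits what clients may reach onsite. Assumed names: wg0 is the wg-easy interface serving 10.8.0.0/24, wg-up is the upstream WireGuard tunnel (e.g. a Mullvad peer, brought up with wg-quick's Table = off so it does not install its own default route), 192.168.1.0/24 is the onsite LAN and 192.168.1.10 the one LAN service clients may reach.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: wg0 = wg-easy interface
# serving 10.8.0.0/24, wg-up = upstream WireGuard tunnel (e.g. a Mullvad peer,
# brought up with Table = off so it installs no default route of its own),
# 192.168.1.0/24 = onsite LAN, 192.168.1.10 = the one LAN service clients may reach.
set -eu
WG_CLIENT_IF=wg0
WG_CLIENT_NET=10.8.0.0/24
UPSTREAM_IF=wg-up
LAN_NET=192.168.1.0/24
ALLOWED_LAN_HOST=192.168.1.10
EXIT_TABLE=100   # dedicated routing table holding only the upstream default route

# Policy routing: only packets that arrived on wg0 consult table 100, so the main
# table (and wg0's own encrypted packets to roaming clients) stays on the clearnet NIC.
# rp_filter=2 (loose) on wg-up: replies enter there while the reverse path is clearnet.
routing_cmds() {
    cat <<EOF
sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.$UPSTREAM_IF.rp_filter=2
ip route replace default dev $UPSTREAM_IF table $EXIT_TABLE
ip rule add iif $WG_CLIENT_IF to $LAN_NET lookup main priority 999
ip rule add iif $WG_CLIENT_IF to $WG_CLIENT_NET lookup main priority 999
ip rule add iif $WG_CLIENT_IF lookup $EXIT_TABLE priority 1000
EOF
}

# nftables: clients may reach one LAN host (SMB/NFS ports, assumed) and the internet
# via wg-up; anything else from wg0 toward the LAN is logged and dropped. Forwarded
# traffic not matched here is dropped too: add accepts if this host routes for others.
nft_ruleset() {
    cat <<EOF
table inet wg_exit {
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "$WG_CLIENT_IF" ip saddr $WG_CLIENT_NET ip daddr $ALLOWED_LAN_HOST tcp dport { 445, 2049 } accept
    iifname "$WG_CLIENT_IF" ip daddr $LAN_NET log prefix "wg-lan-blocked " drop
    iifname "$WG_CLIENT_IF" oifname "$UPSTREAM_IF" accept
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    oifname "$UPSTREAM_IF" ip saddr $WG_CLIENT_NET masquerade
  }
}
EOF
}
case "${1:-}" in
  show)  routing_cmds; nft_ruleset ;;                 # print what would be applied
  apply) routing_cmds | sh -e; nft_ruleset | nft -f - ;;   # run once, as root
esac
```

Run with `show` to review the generated commands before `apply`; the `ip rule add` lines are not de-duplicated, so apply once per boot (or delete the rules first when re-running).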