By Casey Liss
A Tailscale Example

Since we last spoke about Tailscale, my post was linked by Tailscale themselves, and I’m pleased to report Tailscale has sponsored one of my podcasts a couple times.

With that in mind, I want to make it clear that they do not know I’m writing this post, and have not requested anything of me with regard to my website.

I just cleanly solved a weird problem that’s been nagging me for a very long time, and thanks to Tailscale, I was able to do so quite easily. I thought it was a great case study in what makes Tailscale so amazing.

The Issue

My parents have a network-attached storage device that they use for, among other things, recording security cameras locally. They occasionally access it remotely, so an SSL certificate is pretty much required these days.

Thankfully, Synology makes it easy to request a Let’s Encrypt certificate. However, doing so requires the router to forward ports 80 and 443 to the Synology. Generally speaking, I do not want those ports forwarded anywhere, so I only turn on those forwards when renewal time comes around.

Messing about with their in-home router is not easily accomplished from my house, 45 minutes away from theirs. Furthermore, Let’s Encrypt certificates have to be renewed every 90 days, so this dance happens quarterly.

The Complication

My predicament is complicated by my parents’ oddball ISP-issued router refusing to respond to network requests coming from outside the network. Even over a traditional VPN hosted in their house, the router would not respond to requests from my house. This very well could have been user error, but that was what I experienced.

I needed a way to have packets from my computer appear to be originating on my parents’ network.

Solution #1

My first solution to this was to host a Docker container that basically exposed Firefox via the web. Yo dogg, I heard you like web browsers in your web browsers. So, the process was:

  1. Get on the VPN hosted at my folks’
  2. Get on the Firefox Docker image via http://192.168.1.x
  3. Make the port forwarding changes to their router
  4. Request a certificate renewal on their Synology
  5. Undo the port forwarding changes

This worked just fine, but it was… involved.

Enter Tailscale

Tailscale is many different features, all rolled into one product. A core tenet of Tailscale is that you should be able to migrate to Tailscale incrementally; you shouldn’t have to go all-in from the get-go. Tailscale has some features that help facilitate incremental adoption.

One of these features is subnet routers; they are summarized quite well in the Tailscale documentation:

In cases [where you can’t install Tailscale on every device], you can set up a subnet router to access these devices from your Tailscale network (known as a tailnet). Subnet routers act as a gateway, relaying traffic from your tailnet to a physical subnet.

In short, if you have a subnet router, you can route

local network → tailnet → subnet router → remote network

So, in principle, I could enter my parents’ router’s IP address into my browser, and it would load.

A New Complication

The way subnet routers typically work is that they effectively bridge two networks together. My parents’ network is 192.168.1.x; mine is 192.168.17.x. On the surface, this seems fine, but so many networks are 192.168.1.x. I suspect there will come a time when one of my portable devices is on a 192.168.1.x network, and I may want to reach local devices on that network. By default, a basic subnet router will intercept all requests to 192.168.1.x and try to serve them via my parents’ network. That could easily make things wonky, and lead to my devices not being able to reach local peers.

[Diagram of networking conflict]

I’d like my parents’ network to stay… at my parents’ house. I’d just like to be able to peek into it for the purposes of tweaking their router’s settings every now and again.

A New Solution

Tailscale has another trick up its sleeve that I realized would be a perfect fit for this scenario. Tailscale offers “4via6” subnet routers. It occurred to me recently that this is the fix I’ve been looking for.

Tailscale’s problem statement is this:

In a large network, you may have existing subnets with overlapping IPv4 addresses. If there are two entirely separate virtual private clouds (VPCs) using the identical set of IPs […]

That’s the scenario I’m worried about: I’m on a 192.168.1.x network, but my parents have already “claimed” the 192.168.1.x address space.

4via6 routers solve this as follows:

The 4via6 (“4 via 6”) subnet router feature provides an unambiguous, unique IPv6 address for each overlapping subnet, so a Tailscale node’s traffic is routed to the correct device.

In short, I told the subnet router at my parents’ “I’d like you to expose this [otherwise internal] network on the tailnet only as IPv6”. That means all the IPv4 addresses in my parents’ house are exposed using a special IPv6 address:

fd7a:115c:a1e0:b1a:0:XXXX:YYYY:YYYY

Where:

  • fd7a:115c:a1e0:b1a:0 = a special Tailscale prefix to indicate 4via6
  • XXXX = the identifier for the target subnet (the site ID), in hex
  • YYYY:YYYY = the IPv4 address written in hex, two octets per group

So, if I’ve designated my parents’ house as 123 (which is 7b in hex), then 192.168.1.1 would be:

fd7a:115c:a1e0:b1a:0:7b:c0a8:101

Progress! However, an IPv6 address is not particularly memorable, which kinda stinks.

MagicDNS

Tailscale also offers “MagicDNS”, which does many things, but it will also resolve specially formed hostnames into the appropriate IPv6 addresses.

So, if my tailnet name is smiley-tiger.ts.net, then I can open my parents’ router’s configuration page by entering this URL into a browser on my computer:

http://192-168-1-1-via-123.smiley-tiger.ts.net/

That will automatically get resolved by MagicDNS to the 4via6 address, which as a URL (an IPv6 literal has to be wrapped in square brackets) is

http://[fd7a:115c:a1e0:b1a:0:7b:c0a8:101]/
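To make the 4via6 address layout and the MagicDNS naming from the two sections above concrete, here is a small Python model of the mapping. It is an added example, not Tailscale’s code: the prefix, site ID 123, 192.168.1.1 and the tailnet name smiley-tiger.ts.net are taken from this post, and it also derives the IPv6 route a 4via6 router would advertise for a whole IPv4 subnet (a /24 becomes a /120), which the post does not show.

```python
import ipaddress
import re

# Fixed 4via6 prefix described in the post: fd7a:115c:a1e0:b1a:0, followed by
# a 16-bit site id and then the 32-bit IPv4 address, both as hex groups.
VIA6_PREFIX = ipaddress.IPv6Network("fd7a:115c:a1e0:b1a::/80")
_VIA_LABEL = re.compile(r"^(\d{1,3}(?:-\d{1,3}){3})-via-(\d+)$")


def via6_address(site_id: int, ipv4: str) -> ipaddress.IPv6Address:
    """Map an IPv4 address behind site `site_id` to its 4via6 IPv6 address."""
    if not 0 <= site_id <= 0xFFFF:
        raise ValueError("site id must fit in 16 bits")
    low = (site_id << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(VIA6_PREFIX.network_address) | low)


def split_via6(addr: str) -> tuple[int, ipaddress.IPv4Address]:
    """Inverse of via6_address: recover (site_id, IPv4) from a 4via6 address."""
    a = ipaddress.IPv6Address(addr)
    if a not in VIA6_PREFIX:
        raise ValueError(f"{addr} is not a 4via6 address")
    n = int(a)
    return (n >> 32) & 0xFFFF, ipaddress.IPv4Address(n & 0xFFFFFFFF)


def via6_route(site_id: int, cidr: str) -> ipaddress.IPv6Network:
    """IPv6 route a 4via6 subnet router would advertise for an IPv4 subnet:
    96 fixed bits (80-bit prefix + 16-bit site id) plus the IPv4 mask length,
    so 192.168.1.0/24 becomes a /120."""
    net = ipaddress.IPv4Network(cidr)
    base = via6_address(site_id, str(net.network_address))
    return ipaddress.IPv6Network((base, 96 + net.prefixlen))


def magicdns_name(site_id: int, ipv4: str, tailnet: str) -> str:
    """Build the MagicDNS name used in the post: <a-b-c-d>-via-<site>.<tailnet>."""
    ipaddress.IPv4Address(ipv4)  # reject junk before it becomes a hostname
    return f"{ipv4.replace('.', '-')}-via-{site_id}.{tailnet}"


def resolve_magicdns(name: str, tailnet: str) -> ipaddress.IPv6Address:
    """Model what MagicDNS does: parse the -via- label, emit the 4via6 address."""
    label, sep, domain = name.partition(".")
    m = _VIA_LABEL.match(label)
    if not sep or domain != tailnet or not m:
        raise ValueError(f"{name} is not a 4via6 MagicDNS name for {tailnet}")
    return via6_address(int(m.group(2)), m.group(1).replace("-", "."))
```

Because resolve_magicdns only ever produces addresses inside the fixed prefix, a name like 192-168-1-1-via-123 can never collide with a real 192.168.1.x host on whatever network the laptop happens to be on, which is exactly the property the post wants.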

…which in turn lets me log into my parents’ router remotely, anytime, without any fiddling or Docker containers required.

I can do this no matter what network my computer is on, as long as my subnet router at my parents’ is also on. Tailscale connects everything together.

It’s ✨ Magic ✨

This is what makes Tailscale so great — once you can connect your devices together, it opens a world of possibilities. Those possibilities easily extend to the devices on your tailnet, but they can extend to devices beyond your tailnet, with just a little bit of work.

Seriously, Tailscale is so great; you really should try it.

At some point, I should probably look into automating some (all?) of this certificate renewal process, but for right now, I’m happy to bask in the work being far quicker and easier than it’s ever been before.