It works great.

I might misunderstand, but to me it looks like the solution in this post might be better than my setup because if that single node is down I won't be able to reach the fenced router.

It will also by default route traffic to the already advertised other subnets in the tailnet, but taking that into use requires a bit of manual configuration on the other end of the WireGuard tunnel. Each subnet needs to be routed through the WireGuard tunnel first to make it work.

Just instead of dropping that camellia.conf to the WireGuard MacOS client or Linux wg-quick, spin up the TailGuard container somewhere (pretty much anywhere, but with good ping to fly.io). That way you should have the fly.io private network accessible in your Tailscale tailnet, it runs wg-quick internally alongside Tailscale anyway, just with a bit of scripting to automatically configure the network and the firewall to avoid connections leaking.

If it doesn't work, feel free to raise an issue and I can have a look.

- the router is behind DDNS and changes its IP address on every connect, had to set up reresolve script and cron

- my WireGuard was capturing the default route and I wanted to use the DNS server behind the tunnel when using it as exit node, but that initially broke the DNS reresolve

- one WireGuard tunnel only supported IPv4, but the node I was running on had dual stack, half of the traffic ended up using IPv6 and not going through the tunnel at all

- when routing incoming connections from the other end of the tunnel to the tailnet, I realised Tailscale does SNAT by default for connections from tailnet to the router (this can be disabled), but the WireGuard connections were coming from an unknown subnet and I had to add masquerading rules

- Tailscale doesn't work so nicely with firewalls, it wants to either inject its chains as first or make you configure it after the startup, worked around by modifying a healthcheck to fix the firewall after startup

- I wanted to exclude the WireGuard device from Tailscale monitoring to avoid noise, there's a patch and multiple issues for that on GitHub that haven't been merged, included the patches in my image

I may have forgotten some other edge cases that came up, but here's a few. In addition, I wanted it to automatically parse the advertised subnets from the WG config, which added to the scripts a bit.

In short, it started out as a hack I didn't even think worth sharing, but more things broke than I would've imagined. So wanted to share with anyone who might find it useful.

I myself didn't really have a need to disable the interface during the lifecycle of the container, so I went with the standard containerboot process provided by Tailscale. I also wanted the container to be "invisible" and not respond to any incoming connections, so that it feels like you're running Tailscale on the actual router.

Keeping things a bit more granular and flexible for this use case makes total sense.

https://developer.android.com/reference/android/net/VpnServi...

"There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created."

Note this is not about routing some traffic to the VPN and other traffic to the clear net. This is about running two VPN connections simultaneously.