←back to thread

Show HN: TailGuard – Bridge your WireGuard router into Tailscale via a container

(github.com)
149 points juhovh | 2 comments | 10 Sep 25 03:42 UTC | HN request time: 0s | source

My elderly parents are behind a 5G connection in rural areas, and I help them manage their network from overseas. I found a reasonably priced 5G router that can do external antennas required for it to work, but the only reasonable ways to get access to it is either through OpenVPN or WireGuard, the latter of which is much more lightweight and preferred with the memory constraints of the device.

The problem with WireGuard is that it requires handling key management oneself, and configuring the keys to every device you want to access it from. It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.

I was already using Tailscale as an easy way to handle homelab access with SSO, even if some computers are behind ISP CGNAT, and came up with this idea of spinning up a Docker container to connect the two. I found some suggestions for it online, but nothing ready to use. It ended up being more work than I expected to fine tune the routing, IPv6, firewall settings, re-resolving the DNS of the router on IP address changes etc.

I got it very stable eventually though, and wanted to share with everyone else. I think it's cool to have the WireGuard router looking like any other Tailscale node in my tailnet now.

1. Jnr ◴[10 Sep 25 17:22 UTC] No.45200870[source]
I use tailscale and wireguard and I route traffic between them, so I can't understand why are so many lines of code needed? Can't you simply enable subnet routing on the tailscale node (single argument does that) and perhaps add additional subnet to the addresses list of wireguard peer?
replies(1): >>45201112 #
2. juhovh ◴[10 Sep 25 17:39 UTC] No.45201112[source]
You definitely don't need that many lines of code, started with just a couple. After that I started having several small issues:

- the router is behind DDNS and changes its IP address on every connect, had to set up reresolve script and cron

- my WireGuard was capturing the default route and I wanted to use the DNS server behind the tunnel when using it as exit node, but that initially broke the DNS reresolve

- one WireGuard tunnel only supported IPv4, but the node I was running on had dual stack, half of the traffic ended up using IPv6 and not going through the tunnel at all

- when routing incoming connections from the other end of the tunnel to the tailnet, I realised Tailscale does SNAT by default for connections from tailnet to the router (this can be disabled), but the WireGuard connections were coming from an unknown subnet and I had to add masquerading rules

- Tailscale doesn't work so nicely with firewalls, it wants to either inject its chains as first or make you configure it after the startup, worked around by modifying a healthcheck to fix the firewall after startup

- I wanted to exclude the WireGuard device from Tailscale monitoring to avoid noise, there's a patch and multiple issues for that on GitHub that haven't been merged, included the patches in my image

I may have forgotten some other edge cases that came up, but here's a few. In addition, I wanted it to automatically parse the advertised subnets from the WG config, which added to the scripts a bit.

In short, it started out as a hack I didn't even think worth sharing, but more things broke than I would've imagined. So wanted to share with anyone who might find it useful.