
149 points juhovh | 3 comments

My elderly parents are behind a 5G connection in rural areas, and I help them manage their network from overseas. I found a reasonably priced 5G router that can do external antennas required for it to work, but the only reasonable ways to get access to it are either through OpenVPN or WireGuard, the latter of which is much more lightweight and preferred with the memory constraints of the device.

The problem with WireGuard is that it requires handling key management oneself, and configuring the keys to every device you want to access it from. It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.

I was already using Tailscale as an easy way to handle homelab access with SSO, even if some computers are behind ISP CGNAT, and came up with this idea of spinning up a Docker container to connect the two. I found some suggestions for it online, but nothing ready to use. It ended up being more work than I expected to fine-tune the routing, IPv6, firewall settings, re-resolving the DNS of the router on IP address changes, etc.

I got it very stable eventually though, and wanted to share with everyone else. I think it's cool to have the WireGuard router looking like any other Tailscale node in my tailnet now.

oe ◴[] No.45200841[source]
Which 5G router do you use?
replies(1): >>45200951 #
1. juhovh ◴[] No.45200951[source]
The one they ended up using was TP-Link Deco X50-5G, but honestly I'm not sure if I can fully recommend that. It has had its own share of problems...
replies(1): >>45201240 #
2. toomuchtodo ◴[] No.45201240[source]
I recommend GL.iNet's mobile routers: https://www.gl-inet.com/products/

I have several of them in a cross-Atlantic WireGuard mesh, and they are bulletproof.

replies(1): >>45201606 #
3. juhovh ◴[] No.45201606[source]
I actually use the non-mobile Flint 2 myself at home, and it's one of the devices in my tailnet. I worked with their engineers on the forums to get better IPv6 support for their WireGuard tunnels. Running both Tailscale and WireGuard on it can mess up the routing at times though, so I prefer to stick to just either or.

It's a bit unfortunate they decided to go with Broadcom for their Flint 3 router, since Broadcom is known to not play well with open source. One of the reasons I got Flint 2 was its MediaTek chip, since stock OpenWrt support for that should get reasonably good eventually. They're all still way more open than TP-Link Decos.