←back to thread

Show HN: TailGuard – Bridge your WireGuard router into Tailscale via a container

(github.com)
149 points juhovh | 2 comments | 10 Sep 25 03:42 UTC | HN request time: 0s | source

My elderly parents are behind a 5G connection in rural areas, and I help them manage their network from overseas. I found a reasonably priced 5G router that can do external antennas required for it to work, but the only reasonable ways to get access to it is either through OpenVPN or WireGuard, the latter of which is much more lightweight and preferred with the memory constraints of the device.

The problem with WireGuard is that it requires handling key management oneself, and configuring the keys to every device you want to access it from. It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.

I was already using Tailscale as an easy way to handle homelab access with SSO, even if some computers are behind ISP CGNAT, and came up with this idea of spinning up a Docker container to connect the two. I found some suggestions for it online, but nothing ready to use. It ended up being more work than I expected to fine tune the routing, IPv6, firewall settings, re-resolving the DNS of the router on IP address changes etc.

I got it very stable eventually though, and wanted to share with everyone else. I think it's cool to have the WireGuard router looking like any other Tailscale node in my tailnet now.

Show context
vladvasiliu ◴[10 Sep 25 18:36 UTC] No.45201883[source]
> It also doesn't play nicely together with other VPNs, meaning I ended up connecting and disconnecting VPNs whenever I wanted to use them. This is especially evident on my phone, which only allows one VPN app at a time.

What do you mean? I've had great luck using specific routes over wireguard with the official app on my phone. It works great with "on-demand" wg, and only routing my home subnet over it.

Now, some "business" vpns suck donkey balls, but these are usually borked beyond belief without any external help. I'm specifically thinking about the dotted red square one.

replies(1): >>45201955 #
EnigmaCurry ◴[10 Sep 25 18:43 UTC] No.45201955[source]
This is at least a limitation in Android itself:

https://developer.android.com/reference/android/net/VpnServi...

"There can be only one VPN connection running at the same time. The existing interface is deactivated when a new one is created."

Note this is not about routing some traffic to the VPN and other traffic to the clear net. This is about running two VPN connections simultaneously.

replies(1): >>45202088 #
vladvasiliu ◴[10 Sep 25 18:54 UTC] No.45202088[source]
Fair enough. I haven't used an Android device since 2017... Do people have these issues on iOS too?

On Linux, I have no problem running either bare wireguard or tailscale alongside Forticlient. On Windows and macOS it's a bit more janky, specifically the DNS resolution, but I don't daily drive these platforms so I may be missing some kind of knowledge to fix this.

replies(2): >>45202142 #>>45222219 #
1. EnigmaCurry ◴[10 Sep 25 18:58 UTC] No.45202142[source]
Yea on Linux I can run 10 different VPNs (or 10 wg peers) no problem, this limitation of Android is super annoying to me. I think OPs solution is quite a good one for Android users.
replies(1): >>45205607 #
2. juhovh ◴[10 Sep 25 23:30 UTC] No.45205607[source]
Yeah you're exactly on point here, and this limitation exists on both iOS and Android alike. I got very frustrated with switching between VPNs and connections breaking every time I did that.