
I've recently built something similar [0], but the complete opposite. I wanted to forward traffic onto my homeserver without a public IPv4. I've tried Tailscale Funnel, but the inability to use custom domains made me look for other solutions. I ended up with a fly.io app acting as a TCP proxy over Tailscale. Considering how crappy the setup is, it's surprisingly reliable. Great job fly.io and Tailscale teams! I haven't had any issues in the month or so I've been using it.

[0]: https://github.com/vakabus/flyio-tailscale-gateway
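The edge-proxy pattern this comment describes (a small app on a public host that forwards TCP onto a tailnet address), as an added example that is not code from the original post or from the linked repository: a minimal Go TCP forwarder. The listen and upstream addresses are assumptions passed on the command line; in the described setup the upstream would be the home server's tailnet IP and port. Because it copies bytes without terminating TLS, the TLS handshake still ends at the home server, so the edge host never sees plaintext. The same forwarder stands in for the HAProxy-on-GCE variant mentioned further down the thread.

```go
package main

// Added example (not code from the original post or the linked repo):
// a minimal TCP forwarder of the kind an edge app would run to expose one
// home-server port over a tailnet. Listen/upstream addresses are assumptions
// supplied on the command line.

import (
	"io"
	"log"
	"net"
	"os"
	"sync"
	"time"
)

const dialTimeout = 5 * time.Second

// StartProxy listens on listenAddr and forwards every accepted connection
// to upstreamAddr (assumed to be the home server's tailnet ip:port).
// It returns the listener so the caller can stop the proxy.
func StartProxy(listenAddr, upstreamAddr string) (net.Listener, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go forward(c, upstreamAddr)
		}
	}()
	return ln, nil
}

// forward pipes bytes in both directions and half-closes each side when the
// other reaches EOF, so protocols that signal end-of-request with FIN still work.
// Bytes are copied verbatim: TLS is neither terminated nor inspected here.
// If the upstream is unreachable the client connection is simply closed.
func forward(client net.Conn, upstreamAddr string) {
	defer client.Close()
	server, err := net.DialTimeout("tcp", upstreamAddr, dialTimeout)
	if err != nil {
		log.Printf("upstream %s unreachable: %v", upstreamAddr, err)
		return
	}
	defer server.Close()

	var wg sync.WaitGroup
	pipe := func(dst, src net.Conn) {
		defer wg.Done()
		_, _ = io.Copy(dst, src)
		if tc, ok := dst.(*net.TCPConn); ok {
			_ = tc.CloseWrite()
		}
	}
	wg.Add(2)
	go pipe(server, client)
	go pipe(client, server)
	wg.Wait()
}

func main() {
	if len(os.Args) != 3 {
		log.Fatalf("usage: %s <listen ip:port> <upstream ip:port>", os.Args[0])
	}
	ln, err := StartProxy(os.Args[1], os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("forwarding %s -> %s", ln.Addr(), os.Args[2])
	select {} // run until killed
}
```

Run it on the edge host as `proxy 0.0.0.0:443 <tailnet-ip>:443` once the host has joined the tailnet; only the single upstream port is reachable through it, and anything the home server expects to see (client certificates, SNI) arrives untouched.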



Have you considered using Wireguard for this? It's relatively straightforward, see: https://www.procustodibus.com/blog/2020/11/wireguard-hub-and...

This way you don't depend on a VPN provider, and can easily host it on any VPS. I suppose it would work on fly.io as well.

I use the hub and spoke setup to access my home network over the internet, and Wireguard works great.

This also doesn't require any special gateways or DNS setup. All connected hosts just use the DNS server on my main router, which resolves all internal domains.


Wireguard to this day does not handle IPv6 correctly. When connecting to a domain with A and AAAA records, it stupidly prefers the A one.

Which works horribly on 464xlat providers, as now you're routing your VPN traffic over an IPv6->IPv4 proxy. While that's fine for outgoing stuff, it breaks all incoming stuff as soon as you put your phone to sleep, as nothing can send stuff your way anymore.


Ah, that's a shame. How does Tailscale work around it?

I don't use IPv6, so this hasn't been an issue for me. It sounds like a relatively simple thing to fix, though.


Tailscale makes outbound connections so it circumvents the need for IPv6 with things like CGNAT.

OP, why not use an open source equivalent to Tailscale Funnel? For example, I work on the OpenZiti project and we created zrok.io, which is a fully open source alternative - https://github.com/openziti/zrok.


I apologize, it's in the DNS handling of Wireguard's iOS app. I've seen it being reported many times but no action.


I do something similar but with HAProxy and a micro GCE VM which acts as my edge which hits a Tailscale subnet router and routes to my MetalLB install. Works _really_ well.


Had seen this one before. Not bad. Not so fond that it was using Debian, as their base is much bigger than necessary.

They also have caddy-tailscale, which directly connects a tailnet IP with Caddy as a proxy. The development seems to have stalled, but it works.


How much does it cost to run on fly.io? I know fly has some free usage but haven't looked into it much


You can have 3 tiny VMs for free and 160GB of outbound traffic, which is more than enough for me. So I am paying only $2 per month for the IPv4.


Why the IP? This isn't really necessary, unless you're also considering inbound traffic to be routed to a node into your tailnet. You are more likely to get GeoIP'd in the US due to the IP you get assigned.

Note: the Asian regions, like HKG and NRT, do not offer the full 160GB, but only 20GB IIRC.



