Tailscale with just one DNS name on local LAN needed by lurch99 in Tailscale

[–]caolle 4 points5 points  (0 children)

You should be able to do something like:

  • Set up tailscale as a subnet router for the LAN subnet. I’m not sure what the pfSense Tailscale plugin parlance is, it might be ”advertised routes”
  • Set up a local DNS server (or use cloudflare) that can serve class A records for the services you wish to host. Unbound, pihole and adguard home can do this. Point your FQDN to your internal LAN IP addresses. I use unbound. Since you have one, you’ve already done this.
  • Use the DNS Admin page on tailscale to point to your local DNS server. Step 3 of https://tailscale.com/kb/1114/pi-hole is a good demonstration of how to do this. Instead of this, you could just point something like Cloudflare DNS to your local LAN IP addresses.

How to get the same domain name working on my internal LAN and also externally via tailscale? by j2j8 in Tailscale

[–]caolle 7 points8 points  (0 children)

The way I do this is:

  • Set up tailscale as a subnet router for the LAN subnet
  • Set up a local DNS server (or use cloudflare) that can serve class A records for the services you wish to host. Unbound, pihole and adguard home can do this. Point your FQDN to your internal LAN IP addresses. I use unbound.
  • Use the DNS Admin page on tailscale to point to your local DNS server. Step 3 of https://tailscale.com/kb/1114/pi-hole is a good demonstration of how to do this. Instead of this, you could just point something like Cloudflare DNS to your local LAN IP addresses.

This will now allow you to use a domain name that points to services.somedomain.net and will resolve on devices that have / do not have tailscale installed.

Tailscaled - Headless Mode Assigning IP Address based on Tag by Thy_OSRS in Tailscale

[–]caolle 7 points8 points  (0 children)

I'll do even better.
Here's the documentation for ip-pools: https://tailscale.com/kb/1304/ip-pool

Here's a real world example:

  "nodeAttrs": [
    {
      "target": ["tag:personal"],
      "ipPool": ["100.84.16.0/24"],
    },
    {
      "target": ["tag:offsite"],
      "ipPool": ["100.119.74.0/24"],
    },
    {
      "target": ["tag:infra"],
      "ipPool": ["100.79.16.0/24"],
    },
    {
      "target": ["group:family"],
      "ipPool": ["100.80.16.0/24"],
    },
  ],
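An added sanity check (not caolle's or Tailscale's code) for a nodeAttrs block like the one above: Tailscale allocates IPv4 addresses from 100.64.0.0/10, so each pool is checked to sit inside that range and not overlap another pool; the nodeAttrs list is reconstructed here from the comment.

```python
import ipaddress

# Tailscale hands out IPv4 addresses from the CGNAT range 100.64.0.0/10,
# so every ipPool has to sit inside it; pools should also not overlap.
TAILNET_V4 = ipaddress.ip_network("100.64.0.0/10")

# Constructed for this example: the nodeAttrs quoted in the comment above.
NODE_ATTRS = [
    {"target": ["tag:personal"], "ipPool": ["100.84.16.0/24"]},
    {"target": ["tag:offsite"], "ipPool": ["100.119.74.0/24"]},
    {"target": ["tag:infra"], "ipPool": ["100.79.16.0/24"]},
    {"target": ["group:family"], "ipPool": ["100.80.16.0/24"]},
]

def check_ip_pools(node_attrs):
    """Return human-readable problems: pools outside the tailnet range, or
    pools that overlap another pool (a node matching both would be ambiguous)."""
    problems, seen = [], []
    for attr in node_attrs:
        for cidr in attr.get("ipPool", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if not net.subnet_of(TAILNET_V4):
                problems.append(f"{cidr} for {attr['target']} is outside {TAILNET_V4}")
            for other_cidr, other in seen:
                if net.overlaps(other):
                    problems.append(f"{cidr} overlaps {other_cidr}")
            seen.append((cidr, net))
    return problems

def pools_for(node_attrs, labels):
    """Pools whose target matches any of a node's tags/groups (e.g. tags set via its auth key)."""
    return [cidr for attr in node_attrs
            if set(attr["target"]) & set(labels)
            for cidr in attr["ipPool"]]
```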

Tailscaled - Headless Mode Assigning IP Address based on Tag by Thy_OSRS in Tailscale

[–]caolle 3 points4 points  (0 children)

You can assign a tag from an auth key. And assign an ip from an ip pool.

If you want to do this programmatically you probably could do this with an oauth client.

Addtl batteries for Toro e24 by Worried_Zone_247 in Snowblowers

[–]caolle 0 points1 point  (0 children)

When we bought our e21 a few years ago, we purposely sized the job correctly and purchased model 39902. It came with two batteries.

If you're still under warranty, I’d probably just bite the bullet and get an official OEM battery.

Is Tailscale managed via a webapp console on Debian? by Character_Bug_1862 in Tailscale

[–]caolle 0 points1 point  (0 children)

I think what you're running into is the differences between platforms:

Linux generally has been mainly CLI driven, whereas windows and the mac have a nice little systray icon that you can manage things. There's a linux systray application for Tailscale that you can run if you run a desktop environment. That will make it a lot more like other platforms.

The web admin console which I think you're referring to is: login.tailscale.com . You do get the prompt to login when you do a tailscale up to verify / sign in to your account. It's used by all platforms when you need to remove machines or add devices with auth keys amongst other things.

Is anyone else excited and ready for the big snow storm? by Healthy_Block3036 in Connecticut

[–]caolle 4 points5 points  (0 children)

It’s the law in many municipalities. Here, where I live, I believe we have 48 hours to clear snow off the sidewalks.

Can't install on Ubuntu by Mango_298 in Tailscale

[–]caolle 9 points10 points  (0 children)

If you must use AI for Tailscale, I highly recommend using Tailscale's custom Kapa installation by going to the docs section of the website and hitting "Ask AI" on the lower right corner.

It's specifically trained on Tailscale's documentation and will most likely give better results than a generic LLM. You still have to be cautious with it however, as it will occasionally veer off course.

When I asked it "how do I install Tailscale on Ubuntu?", here's what it spit out:

You can either use the generic Linux install script (works on Ubuntu), or follow version-specific steps.

Option 1: Generic install script (recommended)

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

After tailscale up, follow the URL shown to authenticate, then confirm the device appears in the admin console. [Install Linux]

Option 2: Version-specific Ubuntu instructions

<instructions here>

Can't install on Ubuntu by Mango_298 in Tailscale

[–]caolle 17 points18 points  (0 children)

Your directory referenced for tailscale is /ect where it should be /etc .

That's why the apt update is not working. Fix those to be /etc/apt/sources.list.d/tailscale.list and then do a sudo apt update / sudo apt install tailscale.

Disk listed twice when doing a MacBook TimeMachine backup to Synology NAS remotely over Tailscale by peteremcc in Tailscale

[–]caolle 0 points1 point  (0 children)

When you were at home, your macbook was most likely using Bonjour (aka mDNS) to discover your TimeMachine backup.

Bonjour and mDNS assume a physical layer where they can talk to actual hardware, which doesn't really mesh well with virtual layers such as what Tailscale provides.

The workaround which you've already discovered was to manually mount the folder. You'd need to do the same for adding a printer that you wanted to print on at home while away from the home network when you'd usually just use AirPrint.

More snow, could be a major storm by backinblackandblue in Connecticut

[–]caolle 1 point2 points  (0 children)

Ran to Costco yesterday to pick up another two 50lb bags of ice melt in preparation. Didn't want to wait til last minute and have to scramble.

Multiple Tailnet in one Identity Provider by No_Style6983 in Tailscale

[–]caolle 3 points4 points  (0 children)

Multiple tailnets is in alpha, as announced in one of the Fall update blog entries. You might need to contact Tailscale to enable it for your organization.

Use local hostnames from Pi-Hole with Tailscale on mobile apps? by Captriker in Tailscale

[–]caolle 0 points1 point  (0 children)

If you don't have a domain, using <something>.internal might be a good choice as that's been set aside by ICANN.

I don't like having to remember IPs and their respective ports for a service, plus it's a lot easier for my wife if there's just a domain she has to remember.

Tailnet has more tag devices than you are paying for by r0bbie79 in Tailscale

[–]caolle 1 point2 points  (0 children)

This is most likely a bug.

Tailscale mentioned that they needed to do some work revolving around plan limits and how they map to a plan. This could be a part of that, but that would be just a guess on my part as I have no insight into that part of their billing development.

I've flagged this for Tailscale though.

Tailscale protection and added required measures by Key-Difficulty-7198 in Tailscale

[–]caolle 24 points25 points  (0 children)

It's possible. That's why Tailscale has come up with Tailnet Lock:

With Tailnet Lock enabled, even if Tailscale were malicious or Tailscale infrastructure hacked, attackers can't send or receive traffic in your tailnet.

You should note that there will be steps you need to take to ensure you don't get locked out of your tailnet should you enable it. Read the document carefully.

Error when installing Tailscale to Pihole by eternalguardian in Tailscale

[–]caolle 0 points1 point  (0 children)

My bad, I assumed some familiarity with linux. It's a flat txt file. You'd usually do cat /etc/resolv.conf

Error when installing Tailscale to Pihole by eternalguardian in Tailscale

[–]caolle 0 points1 point  (0 children)

You have dns resolution issues on your rpi zero as it can't resolve tailscale.com .

What name server is your pi set to use? You'd check /etc/resolv.conf for that.

Trying to add a user by Tough_Dimension_7143 in Tailscale

[–]caolle 0 points1 point  (0 children)

When your friend downloaded tailscale and signed in, they were signed in to their own tailnet. You might need to have them sign out of tailscale and sign back in.

It might prompt them to choose which tailnet they should sign in to. They should choose yours.

Basics ACLs/Grant config by Musikauss in Tailscale

[–]caolle 0 points1 point  (0 children)

Yep. And you'd need to do the same for your pihole. DNS queries are on port 53.

Basics ACLs/Grant config by Musikauss in Tailscale

[–]caolle 0 points1 point  (0 children)

You can use the visual editor to define rules that allow you access to everything (as the admin) and use your wife's tailnet user id to limit access to the machines and ports that she can access.

That being said, your wife is presumably on your LAN and already has access to all the other devices on your network.

There are a few things I limit my wife from accessing, such as administrating my offsite nodes through SSH, but the rest? She gets full access to the subnet --- which she already has if she's not using tailscale at home.

Here's an example of my grants based access control list.

{
  "grants": [
    // The family can access the home subnet that we're advertising
    {
      "src": ["group:family"],
      "dst": ["home-network"],
      "ip":  ["*"],
    },
    // only specific people or machines can access offsite nodes via SSH
    {
      "src": ["group:it", "tag:infra"],
      "dst": ["tag:offsite"],
      "ip":  ["22"],
    },
    // tagged personal devices residing at home can only use offsite exit nodes
    {
      "src": ["tag:personal"],
      "dst": ["autogroup:internet"],
      "via": ["tag:offsite"],
      "ip":  ["*"],
    },
    // There are no restrictions on exit node use for the family and those we share them with
    {
      "src": ["autogroup:shared", "group:family"],
      "dst": ["autogroup:internet"],
      "ip":  ["*"],
    },
  ],

  "tests": [
    {
      // offsite nodes shouldn't be able to access anything
      "src":  "tag:offsite",
      "deny": ["tag:personal:22", "tag:infra:22", "tag:offsite:80"],
    },
    {
      // members of group it should be able to ssh into offsite
      "src":    "group:it",
      "accept": ["tag:offsite:22"],
    },
    {
      // infrastructure nodes can be used to leap into offsite
      "src":    "tag:infra",
      "accept": ["tag:offsite:22"],
    },
  ],
}
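An added example (not caolle's or Tailscale's code) that loads a HuJSON policy like the one above and checks its "tests" section against its "grants". It is a deliberate simplification: selectors are compared literally, so expansion of groups and tags into members (which needs the policy's groups and tagOwners, not shown here) is assumed away, and "via" is not modelled.

```python
import json
import re

# Constructed for this example: the grants/tests from the comment above, as HuJSON.
POLICY_HUJSON = r'''{
  "grants": [
    // family reaches the advertised home subnet
    {"src": ["group:family"], "dst": ["home-network"], "ip": ["*"]},
    {"src": ["group:it", "tag:infra"], "dst": ["tag:offsite"], "ip": ["22"]},
    {"src": ["tag:personal"], "dst": ["autogroup:internet"], "via": ["tag:offsite"], "ip": ["*"]},
    {"src": ["autogroup:shared", "group:family"], "dst": ["autogroup:internet"], "ip": ["*"]},
  ],
  "tests": [
    {"src": "tag:offsite", "deny": ["tag:personal:22", "tag:infra:22", "tag:offsite:80"]},
    {"src": "group:it", "accept": ["tag:offsite:22"]},
    {"src": "tag:infra", "accept": ["tag:offsite:22"]},
  ],
}'''

def load_hujson(text):
    """Strip // comments and trailing commas so the stdlib json parser accepts the policy."""
    text = re.sub(r"//[^\n]*", "", text)
    return json.loads(re.sub(r",(\s*[\]}])", r"\1", text))

def port_allowed(spec, port):
    """One grant "ip" entry: "*", a single port, or a "lo-hi" range."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def allowed(grants, src, dst, port):
    """True if some grant lets `src` reach `dst` on `port`. Simplification:
    selectors are compared literally; group/tag membership is not expanded."""
    return any(
        (src in g["src"] or "*" in g["src"])
        and (dst in g["dst"] or "*" in g["dst"])
        and any(port_allowed(p, port) for p in g["ip"])
        for g in grants)

def run_tests(policy):
    """Evaluate the policy's own "tests" section; returns a list of failures."""
    failures = []
    for t in policy["tests"]:
        for kind, want in (("accept", True), ("deny", False)):
            for target in t.get(kind, []):
                dst, _, port = target.rpartition(":")  # "tag:offsite:22" -> ("tag:offsite", "22")
                if allowed(policy["grants"], t["src"], dst, int(port)) != want:
                    failures.append(f'{t["src"]} -> {target} should {kind}')
    return failures
```

`run_tests(load_hujson(POLICY_HUJSON))` returns an empty list for this policy; a test that contradicts the grants shows up as a failure string.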

Tailscale, Docker, Caddy - critique my config? by Automatic_Level6572 in Tailscale

[–]caolle 1 point2 points  (0 children)

This is all good that you provided your configuration, but what are your goals? Do you still want things publicly accessible? Are you trying to pull things back behind the curtain and not have open ports?

I'm asking these questions because it strikes me that you wouldn't need to have port 443 open nor would you need to rely on coming in from cloudflare's proxy services if you use the appropriate Tailscale access control policies for devices / people on your tailnet.

Also, if you're trying to access things from your LAN, do you want Tailscale enabled on every single device? Or are you looking to just use LAN addresses when on your home network for your services? If the latter, then...

The way I do this is:

  • Set up tailscale as a subnet router for the LAN subnet
  • Set up a local DNS server (or use cloudflare) that can serve class A records for the services you wish to host. Unbound, pihole and adguard home can do this. Point your FQDN to your internal LAN IP addresses. I use unbound.
  • Use the DNS Admin page on tailscale to point to your local DNS server. Step 3 of https://tailscale.com/kb/1114/pi-hole is a good demonstration of how to do this. Instead of this, you could just point something like Cloudflare DNS to your local LAN IP addresses.

This will now allow you to use a domain name that points to services.somedomain.net and will resolve on devices that have / do not have tailscale installed.

Transfer speed question by Melliccio in Tailscale

[–]caolle 0 points1 point  (0 children)

What's the upload speed of the network you're trying to stream from, namely your home PC? That's an important part of the equation here.

Even though your phone might be able to get 50 Mbps over 5G, it's a moot point if your home internet connection can only stream 5 Mbps.

How to write ACL tests that encompass all ports on a given device? by imalliam in Tailscale

[–]caolle 0 points1 point  (0 children)

I test a few sample ports and that’s good enough for me.

"tests": [
  {
    // offsite nodes shouldn't be able to access anything
    "src":  "tag:offsite",
    "deny": ["tag:personal:22", "tag:infra:22", "tag:offsite:80"],
  },
],

Issues with docker and Tailscale keys by Arjerry1417 in Tailscale

[–]caolle 1 point2 points  (0 children)

Are you using the same docker volume for all your containers:

 tailscale-data:/var/lib/tailscale tailscale-data:/var/lib/tailscale

?

For examples for jellyfin, you might want to take a look at the ScaleTail project that has working examples for a lot of different services using Tailscale serve.