Comment on Friendly reminder that Tailscale is VC-funded and driving towards IPO
Croquette@sh.itjust.works 2 weeks agoI am a newbie so I am not sure I understand correctly. Tell me if my understanding is good.
Your Pi-Hole act as your DNS, so the VPS use the pi-hole through the tunnel to check for the translation IP, as set through the DNS directive in the wg file. For example, my pi-hole is at 10.0.20.5, so the DNS will be that address.
On the local side, the pi-hole is the DNS for all the services on that subnet and each service automatically populate their host name on pi-hole. I can configure the DNS server in my router/firewall (OPNSense in my case)
So when I ping service.example.com, it goes through the VPS, which queries the pi-hole through the tunnel and translates the address to the local subnet IP if applicable.
So when I have the wg connection active and my pi-hole is the DNS, every web request will go through the pi-hole. If the IP address is inside the range of AllowedIPs, the connection will go through the tunnel to the service, otherwise, the connection will go through outside the wg tunnel.
Does that make sense?
Vanilla_PuddinFudge@infosec.pub 2 weeks ago
The VPS is Pihole, the dns for the server side is 127.0.0.1. 127.0.0.1 is also 10.x.x.1 for the clients, so they connect to that as the dns address.
server dns - itself
client dns - the server’s wg address
Only if your router/firewall can directly connect to wg tunnels, but I went for every machine individually. My router isn’t aware I host anything at all.
Pihole (in my case) can’t see 192.x.x.x hosts. Use 10.x.x.x across every system for continuity.
Allowed ips = 10.x.x.0/24 - only connects the clients and servers together
Allowed ips = 0.0.0.0/0 - sends everything through the VPN.
Do the top one, that’s how TS works.
Croquette@sh.itjust.works 2 weeks ago
Thanks for the info, I appreciate it.