Setup
Consider the following setup:
server: is hosting two services:service_public,service_intern.service_public: should be available from the open internetservice_intern: should only be available to people on the local network and those inside the tailnet.
client_extern: Generic client trying to access one of the service from the outsideclient_tailscale: Client in the tailnetclient_intern: Client on the local network of theserver
Problem
Im struggling to figure out how to organize DNS, caddy, etc. to make this work. Currently only devices on the local network can access service_intern and service_public, i.e. I use Adguard Home to rewrite the DNS queries for service_*.mydomain.com to server-IP address, and on server I run caddy to reroute to the correct port.
I now added server to the tailnet, i.e. it has two IPs: 10.X.Y.Z and 100.X.Y.Z. I think the change in caddy is just to move from
service_internal.mydomain.com {
bind 10.X.Y.Z
tls ...
reverse_proxy 127.0.0.1:SERVICE_INTERNAL_PORT
}
to
service_internal.mydomain.com {
bind 10.X.Y.Z 100.X.Y.Z
tls ...
reverse_proxy 127.0.0.1:SERVICE_INTERNAL_PORT
}
What I am struggling is how to resolve the DNS now… If Im in the local network, the DNS is still rewritten, so that works. But how do I configure device on the tailnet to correctly resolve the DNS? There is the option to add a nameserver and enable “Split DNS”, but Im not sure if this is the right way to go about this…
For adding the external access, currently Im planning to go with Cloudflare Tunnels, which will kind of solve the DNS problem by itself (i.e. there you have to specify anyway for a subdomain the CNAME record).
Notes
- All of this is for a homelab setup, so the number of users will be ~ 10.
- Only I the admin will have access through tailscale to all services. This is just to make sure that I can access the machines and maintain them, even when I am not at home.
- All other users will just access it over cloudflare tunnels.
Questions
- How to configure the tailscale DNS resolution?
- Does the Cloudflare Tunnel setup make sense? When googling, this was quite a bit confusing, i.e. there is lots of terms like Zero Trust, WRAP, etc. and Im still trying to figure out how all of these relate to each other…