Tailscale needs an Internet-bound control plane to aid node discovery and VPN management. When that plane is offline, nodes try to cache each other's endpoints, but this doesn't persist upon reboot. So peer discovery from cold start is impossible without an internet connection, even when that peer is on the same LAN.

To work around this problem, one could self-host a LAN-only Headscale server and it'd probably work. Or just connect via LAN directly if WireGuard encryption and Tailscale features aren't needed. But this means inconveniently switching between and managing multiple VPNs/address spaces.

The problem has been raised on Tailscale's issue tracker. Looking at the relevant issues, it seems like the best bet is on local discovery mechanisms like mDNS/Bonjour, though that'll likely take a while to get supported.

With all that said, does anyone know of a current good way to still use the same mesh VPN to connect to LAN machines, sans Internet? I'm open to hearing about Tailscale alternatives and how they implement it too.

TIA!

  • i_am_not_a_robot@discuss.tchncs.de · 8 points · 6 hours ago

    If you’re self hosting Headscale you can configure your network such that Headscale is reachable on your network with or without internet access and available from the internet.

    • stratself@lemdro.id (OP) · 1 point · 4 hours ago (edited)

      I’ve vaguely thought about this with Split DNS.

      My concern would be the need to set up some non-Tailnet mechanism to expose it to the internet and keep it secure. Either port forwarding, Pangolin, or even using Funnel… all of which would be better off on a separate device (and maybe a separate VLAN).

      It’d be an interesting idea for sure, perhaps for when I can get myself the separate Headscale-dedicated device. Although now I’d have to learn the “normal” zone-based networking ahah

  • theit8514@lemmy.world · 6 points · 9 hours ago

    I know Tailscale prefers being installed on every machine, but not all of my machines are even capable of running custom code. I use a single Tailscale router that publishes my internal network to Tailscale, and if the internet is down everything still works fine internally.

  • Jason2357@lemmy.ca · 9 points · 10 hours ago

    Since WireGuard only acks connections with matching keys, on a private LAN, I bet you could just scan the network for all hosts and try the WireGuard connection. A hack, but might work.

    • stratself@lemdro.id (OP) · 3 points · 9 hours ago

      That's a nice thing with WireGuard, yeah. I'll keep this in mind if ever I can grok Tailscale enough to do such things.