Thanks Raymond,
that was really helpful. I've successfully managed to get it to work except the combination of internal (split) DNS (active directory domain DNS servers here) and running OPNSense as an exit node.
I have the following setup:
- OPNSense running tailscale, routes to internal network advertised (as you've described)
- Headscale running as coordination server (with magicdns enabled and advertising the internal (active directory) DNS servers)
I have the following findings (using Windows clients, connected over mobile hotspot):
- If the exit node is not enabled on a client, VPN is working (access to internal and external addresses) and DNS is working (resolving internal and external names correctly). The public IP (www.whatismyipaddress.com) on the client is the mobile network IP (as expected).
- If the exit node is enabled on a client, VPN is working (access to internal and external addresses) but DNS is only resolving public IP addresses (internal names don't resolve --> non-existent domain). The public IP (www.whatismyipaddress.com) on the client is the OPNSense WAN provider IP (as expected, so all traffic is actually tunneled through the exit node).
In both cases, nslookup uses by default the magicdns server (100.100.100.100). Without an active exit node, DNS resolves internal names correctly; with an active exit node it does not. If I do "nslookup - <internaldns-server>", internal names do resolve correctly, even with an active exit node - so it is definitely not a firewall issue (internal DNS servers are reachable from the tailnet)...
It seems more like enabling the exit node on the (Windows) client breaks (split) DNS resolving...
I suspect I am missing some small bit - I've been chasing this for a few days now without success.
Any hints would be highly appreciated!
Thanks!
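A way to reason about the symptom above is to separate the two ways a tailnet can hand internal DNS servers to clients: as global nameservers (used for every query) or as split DNS routes (pinned to one domain suffix). The following is an added example, not code from this thread, Headscale or Tailscale; it is a deliberately simplified model of upstream selection (longest suffix match for split routes, global resolvers otherwise, with the assumption that an active exit node's resolvers stand in for the global ones), and every domain and address in it is constructed.

```python
"""Simplified model of how a tailnet DNS config picks an upstream resolver.
Added example; the selection rules are a simplification, not Tailscale's code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TailnetDNS:
    """MagicDNS-style config: global resolvers plus per-domain split routes."""
    global_nameservers: list[str]
    # split routes: domain suffix -> nameservers responsible for that suffix
    split_routes: dict[str, list[str]] = field(default_factory=dict)


def pick_upstream(cfg: TailnetDNS, name: str,
                  exit_node_resolvers: list[str] | None = None) -> list[str]:
    """Return the resolvers a query for `name` is forwarded to.

    Split routes are matched by the longest domain suffix and always win.
    Everything else goes to the global resolvers; when an exit node is active
    we assume (simplification) its resolvers replace the global ones.
    """
    labels = name.rstrip(".").lower().split(".")
    # Most specific suffix first: dc01.ad.corp.example -> ad.corp.example -> ...
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in cfg.split_routes:
            return cfg.split_routes[suffix]
    return exit_node_resolvers if exit_node_resolvers else cfg.global_nameservers


# Constructed values: two AD DNS servers on the LAN, one public resolver
AD_DNS = ["10.0.0.10", "10.0.0.11"]
EXIT_NODE_DNS = ["9.9.9.9"]

# Config A: internal DNS advertised only as *global* nameservers
cfg_global_only = TailnetDNS(global_nameservers=AD_DNS)
# Config B: internal DNS pinned to the AD domain by a split route
cfg_split = TailnetDNS(global_nameservers=["9.9.9.9"],
                       split_routes={"ad.corp.example": AD_DNS})

if __name__ == "__main__":
    for label, cfg in (("global only", cfg_global_only), ("split", cfg_split)):
        for exit_dns in (None, EXIT_NODE_DNS):
            mode = "exit node" if exit_dns else "no exit node"
            print(f"{label:11} {mode:13}",
                  pick_upstream(cfg, "dc01.ad.corp.example", exit_dns))
```

In the model, config A loses the internal zone as soon as the exit node's resolvers take over, while config B keeps sending the AD suffix to the internal servers regardless; comparing the two against the real Headscale DNS settings is a useful first check.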