Tailscale subnet routing with Pihole is homelab perfection

Posted on Sep 18, 2023
tl;dr: After I lost the ability to do port forwarding with my ISP, I set up my Pihole instance on my tailnet and then enabled Tailscale subnet routing. This makes it so I can use my reverse proxy to access my self-hosted services from anywhere.

As a self-hoster, I’ve been trying to find an elegant way to access my services from outside the house. I think I’ve finally found it using Tailscale with Pihole on my tailnet with subnet routing.

For years I didn’t care much about this aspect of self-hosting. I worked from home, so I didn’t care about reverse proxies, CGNAT, or punching a hole for a port. But two things changed. One, I spend a significant amount of time out of the house on jobsites. Two, my self-hosted services are no longer tests or for fun, but the primary way I do most things. Access to my Nextcloud is integral to my daily life and I need access to it from anywhere.

VPN connections

I first tried to solve this with a VPN. I stood up a Wireguard connection using PiVPN in a VM (all my Raspberry Pis are way too old for this kind of work, but PiVPN is so easy). I loved this setup because it put me on my network just like another device. But I started having problems with my ISP about a year ago.

I lost the ability to open ports on my modem. My ISP requires you to use their stupid app to do any port forwarding. One day I needed to make some changes and I deleted the port forward for just a few minutes, and I magically lost the ability to map any ports. I think they started to figure out I was self-hosting things on a residential connection. Luckily both ports 443 and 80 stayed open; however, 51820 was now closed and I still can’t get access to port forwarding. It just continues to say, “something went wrong.”

Network setup

At my house I have a reverse proxy that handles my domain and a Let’s Encrypt certificate. About a year ago I finally figured out how to set it up and it has been glorious. It fixed so many little issues I was having using apps and self-signed certificates. It also meant I could open a few services to the internet and run them through the reverse proxy.

Side note: This is also when I started having more issues with my ISP. After a month of using this setup, my ISP started rotating my IP address faster. I had to start updating my domain IP every 5 minutes. I truly think they figured out I am self-hosting and they are trying to make it as much of a pain in the ass as possible.

When I’m on my LAN I use Pihole for my DNS. Obviously it blocks ads. In addition, I have it set up for local DNS mapping. For example, if I want to go to some_service.example.tld on my LAN it will never resolve. But, in Pihole I can set some_service.example.tld to point to the IP address of my reverse proxy, which will then point to the actual IP:Port of my service.

This is why I want to be just another device on my network when I’m out of home. With my original Wireguard setup I had the DNS configured to be my Pihole instance.

Tailscale

I started playing around with Tailscale about 4 months ago and found it useful. It was nice to have the ability to connect to various devices on my network, but it still wasn’t what I wanted. I want to navigate around my network like I’m physically there.

Yet, I finally got it sorted and have exactly what I want.

First, I set up Pihole on my tailnet. It is the same Pihole instance, just now accessible on my LAN and through my Tailscale account. Now when I’m out of home I can still block ads on my mobile device. This also means that my local DNS records are now available.

Next, I turned on subnet routing with one of my devices at my house. With this turned on I can access machines on my network by going to their IP:Port. For example, I can go to 192.168.1.x:8096 and reach Jellyfin.

The most important part is how subnet routing and Pihole work together. Now that I can navigate around my network, I can also use my custom DNS entries through my reverse proxy. Another example: I’ve been using StirlingPDF for converting, merging, and editing PDFs. But it’s only available on my LAN. Now that Pihole is managing DNS on my tailnet, I can go to pdf.example.tld and it will direct that to my reverse proxy, which will then point to the right place with a valid SSL cert.
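As an added example (not from the original post), here is a small Python check that models the chain just described: Pihole answers with a LAN address, and a tailnet client can only reach that address if a subnet router advertises a route covering it. The hosts-file style records, the route list, and all hostnames and addresses are constructed assumptions, not the author's actual configuration.

```python
import ipaddress

# Constructed sample of Pihole local DNS records, in the hosts-file
# shape "<ip> <hostname>" (assumed to mirror /etc/pihole/custom.list).
PIHOLE_CUSTOM_LIST = """\
192.168.1.10 pdf.example.tld
192.168.1.10 cloud.example.tld
192.168.1.20 jellyfin.example.tld
10.0.5.4 nas.example.tld
"""

# Constructed: the subnet the home node advertises to the tailnet
# (the value given to tailscale's --advertise-routes flag).
ADVERTISED_ROUTES = ["192.168.1.0/24"]


def parse_custom_list(text):
    """Return {hostname: ip} from hosts-style lines, skipping blanks and comments."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, *hosts = line.split()
        for host in hosts:
            records[host] = ipaddress.ip_address(ip)
    return records


def resolve_over_tailnet(hostname, records, routes):
    """Model a tailnet client's lookup: Pihole returns the LAN address, and the
    packet only gets anywhere if an advertised (and approved) route covers it."""
    if hostname not in records:
        return "nxdomain"
    ip = records[hostname]
    if any(ip in ipaddress.ip_network(r) for r in routes):
        return f"reachable via {ip}"
    return f"resolves to {ip} but no advertised route covers it"


def unrouted_records(records, routes):
    """Hostnames that resolve but point outside every advertised subnet."""
    nets = [ipaddress.ip_network(r) for r in routes]
    return sorted(h for h, ip in records.items() if not any(ip in n for n in nets))


if __name__ == "__main__":
    recs = parse_custom_list(PIHOLE_CUSTOM_LIST)
    for host in ("pdf.example.tld", "nas.example.tld", "missing.example.tld"):
        print(host, "->", resolve_over_tailnet(host, recs, ADVERTISED_ROUTES))
    print("unrouted:", unrouted_records(recs, ADVERTISED_ROUTES))
```

Run it against your own records and route list to catch entries that resolve fine on the LAN but silently fail over the tailnet because the subnet was never advertised or approved.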

It’s a life-changing moment.

Not only am I able to navigate to all the self-hosted services on my LAN, but it’s also through the reverse proxy and it’s only available through my tailnet. I can access anything and know that all my data is safe. I know my boxes are safe.

It really is magical.