beefcake: advertise 192.168.0.0/24 so tailnet clients can reach LAN-only services #542

Closed

lytedev wants to merge 1 commit from beefcake-advertise-lan into main

pull from: beefcake-advertise-lan

merge into: lytedev:main

lytedev:main

lytedev:stalwart-kanidm-oidc

lytedev:stalwart-oauth-callback-fix

lytedev:stalwart-roles-fix

lytedev:stalwart-016-post-cutover-fixes

lytedev:stalwart-016-cutover-docs

lytedev:stalwart-016-module-v2

lytedev:stalwart-016-overlay

lytedev:fix/steamdeck-oobe-update

lytedev:stalwart-016-module

lytedev:stalwart-0.16-upgrade-plan

lytedev:zulip

lytedev:router-guest-vlan-hardened

lytedev:router-guest-vlan

lytedev:pipewire-agc-comment

lytedev:headscale-extra-records

lytedev:beefcake-exit-node-nat

lytedev:push-qrvuuqmxtznv

lytedev:push-smxxyqowrpts

lytedev:push-wlyvykxxoyzl

lytedev:voxtype-per-host-model

lytedev:hearth-k8s

lytedev:cleanup

lytedev:push-kanidm-opt-in

lytedev:push-voxtype-flake-fix

lytedev:push-uvqqknxvqlvy

lytedev:push-qrqsxkmlrevert

lytedev:align-daniel-uid

lytedev:fix-kanidm-uid-attr-map

lytedev:fix-hibernate

lytedev:nix-on-droid

lytedev:agent-runners

lytedev:self-hosted-dns

lytedev:fix-runner-tmpfs-revert

lytedev:github-mirror

lytedev:beefcake-email

lytedev:beefcake-immich

lytedev:firefox-nightly-devedition

lytedev:fix-bun-baseline

lytedev:fix-user-env-manifest-perms

lytedev:cleanup-home-manager

lytedev:stale-symlink-cleanup

lytedev:flab-stuff

lytedev:printer-sftp

lytedev:dragon-vr-monado

lytedev:clever-vr-game-clamshell-mode-detection

lytedev:wireguard-mesh

Conversation 0 Commits 1 Files changed 1 +7

lytedev commented 2026-05-23 20:39:33 -05:00

Owner

Copy link

Summary

Phones on cellular using beefcake as exit node could reach lobste.rs and other internet hosts (after #540 landed the NAT fix), but silently failed to reach internal-only services that DNS resolves to LAN IPs — git.lyte.dev → 192.168.0.9, for example.

Root cause: Tailscale clients exclude RFC1918 destinations from exit-node routing unless the subnet is advertised as a route by some peer. So the phone resolves git.lyte.dev → 192.168.0.9, has no route for that IP, drops the packet. Works on wifi only because the phone is on the LAN directly.

Fix: advertise 192.168.0.0/24 from beefcake. Tailnet clients now have a route for the home subnet via beefcake → LAN-only services reachable from anywhere on the tailnet, exit-node or not.

Test plan

• Deploy beefcake (nixos-rebuild switch).
• Approve the new route in headscale: sudo headscale nodes approve-routes -i 8 -r 0.0.0.0/0,::/0,192.168.0.0/24 (the existing 0.0.0.0/0 + ::/0 routes must be re-listed because approve-routes is a SET operation, not an add).
• Verify beefcake announces the route: tailscale status --json | jq .Self.AllowedIPs should include 192.168.0.0/24.
• Verify a peer received it: from dragon, tailscale status --json | jq '.Peer | to_entries[] | select(.value.HostName=="beefcake") | .value.AllowedIPs' should include 192.168.0.0/24.
• From phone on cellular with beefcake as exit node: open https://git.lyte.dev/ — page loads.
• Spot-check: curl http://lobste.rs/ from phone still works (didn't break general exit-node behavior).

Security

No ACL change. Only tag:admindevice has the *:* rule that grants reachability to arbitrary destinations, so group:family / group:friends still can't reach LAN devices through this advertised route — they remain limited to the explicit beefcake:80,443[,445] rules. Stacks on top of #540 cleanly (different lines of the same file).

## Summary Phones on cellular using beefcake as exit node could reach lobste.rs and other internet hosts (after #540 landed the NAT fix), but silently failed to reach internal-only services that DNS resolves to LAN IPs — git.lyte.dev → 192.168.0.9, for example. Root cause: Tailscale clients **exclude RFC1918 destinations from exit-node routing** unless the subnet is advertised as a route by some peer. So the phone resolves git.lyte.dev → 192.168.0.9, has no route for that IP, drops the packet. Works on wifi only because the phone is on the LAN directly. Fix: advertise 192.168.0.0/24 from beefcake. Tailnet clients now have a route for the home subnet via beefcake → LAN-only services reachable from anywhere on the tailnet, exit-node or not. ## Test plan - [ ] Deploy beefcake (`nixos-rebuild switch`). - [ ] Approve the new route in headscale: `sudo headscale nodes approve-routes -i 8 -r 0.0.0.0/0,::/0,192.168.0.0/24` (the existing 0.0.0.0/0 + ::/0 routes must be re-listed because approve-routes is a SET operation, not an add). - [ ] Verify beefcake announces the route: `tailscale status --json | jq .Self.AllowedIPs` should include `192.168.0.0/24`. - [ ] Verify a peer received it: from dragon, `tailscale status --json | jq '.Peer | to_entries[] | select(.value.HostName=="beefcake") | .value.AllowedIPs'` should include `192.168.0.0/24`. - [ ] From phone on cellular with beefcake as exit node: open `https://git.lyte.dev/` — page loads. - [ ] Spot-check: `curl http://lobste.rs/` from phone still works (didn't break general exit-node behavior). ## Security No ACL change. Only `tag:admindevice` has the `*:*` rule that grants reachability to arbitrary destinations, so `group:family` / `group:friends` still can't reach LAN devices through this advertised route — they remain limited to the explicit `beefcake:80,443[,445]` rules. Stacks on top of #540 cleanly (different lines of the same file).

lytedev added 1 commit 2026-05-23 20:39:33 -05:00

beefcake: advertise 192.168.0.0/24 subnet route for tailnet LAN access ... 7aa82c2d77

Tailscale clients exclude RFC1918 destinations from exit-node routing
unless the subnet is advertised as a route by some peer. Result: phones
on cellular using beefcake as exit node can reach lobste.rs and other
internet hosts, but silently fail to reach LAN-only services that DNS
resolves to 192.168.0.x (git.lyte.dev for example).

Advertising 192.168.0.0/24 from beefcake gives every tailnet client a
route into the home LAN via the exit node, fixing this for all clients
in one shot. Headscale still has to approve the route — run
\`headscale nodes approve-routes -i 8 -r 0.0.0.0/0,::/0,192.168.0.0/24\`
once after deploy.

Security: existing ACL only grants tag:admindevice the \`*:*\` rule
that covers arbitrary IPs, so family/friends groups still can't reach
LAN devices through this route.

lytedev closed this pull request 2026-05-23 20:48:47 -05:00

lytedev referenced this pull request 2026-05-23 20:52:04 -05:00

headscale: derive tailnet DNS records from dns-updater list #544

All checks were successful

Hide all checks

/ check-format (push) Successful in 8s

Required

Details

/ build (push) Successful in 12m23s

Required

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is wrong

  

enhancement

New feature

  

question

Awaiting information

  

scary

Potentially problematic change

  

upstream

Awaiting upstream changes

No labels

bug

enhancement

question

scary

upstream

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lytedev/nix!542

No description provided.