Basically you can set up one or more nodes in your tailnet as the exit node for traffic to specific domains. So, for example, say I want to watch Netflix but have it think I am visiting from the US, and I have a tailnet node in the US, I can just set all the Netflix domains (netflix.com, *.netflix.com, and whatever else is needed) to route via this node in the US. I don’t have to set it as my exit node and have everything go via that; I can have just the specific traffic go via that from all my nodes. So neat!
Of course, Netflix is just a contrived example, but as an IT person this is super useful in other scenarios. For instance, I have my test Entra ID tenant (previously known as Azure AD). Using Conditional Access policies I want to lock down my admin account to specific IPs – like my home public IP for instance. I can do that, but when I am out in a cafe or something I’d then have to use some node in my home as the exit node so the login traffic appears as if from the home public IP, and I don’t really want to do that. But what I can do now though is assign one or more of my nodes at home as the app connector for login.microsoftonline.com (and other domains too I guess) and then all traffic for logging in to Entra ID goes via that node… for all my nodes. It doesn’t matter if I am at home or outside, since all my machines have Tailscale installed by default the traffic for just these domains will automagically go via my home node. So awesome!
What’s more, I have one node at home which also has WireGuard installed on it and I use it along with Tailscale. WireGuard connects to a VPN provider, and whenever I want to use this VPN provider from any of my tailnet machines I would just use this node as the exit node. I can still do that, but now I can also take things one step more granular. Say there’s a specific site I always want to visit via this VPN. As of now I’d have to always use this WireGuard node as my exit node just to visit that site, forcing all my traffic to go via that exit node, but now I can just create an app connector for these domains on this particular node and any traffic to these domains from any of my tailnet machines will go via this WireGuard-connected node, thus having a sort of VPN connection just for this domain. :)
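As an added illustration (not the post’s own configuration), here is what the tailnet policy file side of the Entra ID setup described above can look like. The `tailscale.com/app-connectors` node attribute, the `autoApprovers` block and the `"target": ["*"]` form follow Tailscale’s documented app connector configuration; the tag name `tag:aad-connector` is taken from the `tailscale up` output later in this post, while `autogroup:admin` as the tag owner, `autogroup:member` as the set of nodes allowed to reach the connector, and the connector name `entra-id-signin` are assumptions for the example.

```jsonc
// Tailnet policy file (HuJSON, so comments and trailing commas are allowed).
// Added example, not the post's own config.
{
  // Who may apply tag:aad-connector to a node (assumption: tailnet admins).
  "tagOwners": {
    "tag:aad-connector": ["autogroup:admin"],
  },

  // Nodes must be allowed to reach the connector node, otherwise the routed
  // traffic is dropped by the ACL (assumption: all members may use it).
  "acls": [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:aad-connector:*"]},
  ],

  // The app connector itself: every node in the tailnet ("target": ["*"])
  // sends traffic for the listed domains through nodes tagged tag:aad-connector.
  // Only the domains listed here are routed; everything else uses the node's
  // normal internet path.
  "nodeAttrs": [
    {
      "target": ["*"],
      "app": {
        "tailscale.com/app-connectors": [
          {
            "name": "entra-id-signin",
            "connectors": ["tag:aad-connector"],
            "domains": ["login.microsoftonline.com"],
          },
        ],
      },
    },
  ],

  // Connector nodes learn the addresses behind the domains and advertise
  // routes for them dynamically; auto-approve those routes for the tag so
  // nobody has to approve each new route by hand in the admin console.
  "autoApprovers": {
    "routes": {
      "0.0.0.0/0": ["tag:aad-connector"],
      "::/0": ["tag:aad-connector"],
    },
  },
}
```

With the policy saved, the home node is brought up with the `tailscale up --advertise-connector --advertise-tags=tag:aad-connector` command shown further down in this post. Two things worth checking from a least-privilege and detection point of view: narrowing `"target"` from `"*"` to the user or group that actually holds the locked-down admin account keeps everyone else’s sign-in traffic off the home node, and after the first sign-in from outside the house the Entra ID sign-in log should show the home public IP as the client address. If it shows the cafe’s IP instead, the login flow touched a domain that is not in `domains`, and the Conditional Access policy will block it until that domain is added.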
Before I end, one really neat thing about Tailscale’s user friendliness. I had noticed this in the past but never got a chance to post about it. One of the steps when doing a lot of Tailscale related activities is to run the tailscale up command again with some switches. Problem is, you might already have run the command in the past with a different set of switches, so you can’t simply run it again with only the new switches. You must specify the previous and new switches. But a lot of times you might have forgotten what switches you used in the past, or not be sure whether you even used any switches. How the Tailscale CLI handles this is beautiful, because when I enter a command like this for instance:
sudo tailscale up --advertise-connector --advertise-tags=tag:connector
It does not just error out or tell me to add the previous switches too, it actually gives a helpful error message and also outputs the whole command so I can just copy paste it and run (the sudo is missing, but that’s a minor point).
Error: changing settings via 'tailscale up' requires mentioning all
non-default flags. To proceed, either re-run your command with --reset or
use the command below to explicitly mention the current value of
all non-default settings:
tailscale up --advertise-connector --advertise-tags=tag:aad-connector --advertise-exit-node
That’s such fine attention to detail! Kudos.