Tailscale needs an Internet-bound control plane to aid node discovery and VPN management. When that plane is offline, nodes try to cache each other's endpoints, but this doesn't persist upon reboot. So peer discovery from a cold start is impossible without an Internet connection, even when that peer is on the same LAN.
To work around this problem, one could self-host a LAN-only Headscale server and it'd probably work. Or just connect via LAN directly if WireGuard encryption and Tailscale features aren't needed. But this means inconveniently switching and managing multiple VPNs/address spaces.
The problem has been raised on Tailscale's issue tracker. Seeing relevant issues, it seems like the best bet is on local discovery mechanisms like mDNS/Bonjour. Though that'll likely take a while to get supported.
With all that said, does anyone know of a current good way to still use the same mesh VPN to connect to LAN machines, sans Internet? I'm open to hearing about Tailscale alternatives and how they implement it too.
TIA!
Since WireGuard only acks connections with matching keys, on a private LAN, I bet you could just scan the network for all hosts and try the WireGuard connection. A hack, but might work.
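The hack described in this comment, written out as an added example (not code from the thread or from Tailscale/WireGuard): for a plain WireGuard interface, point the known peer at each LAN host in turn and watch for a fresh handshake, which only completes when the responder holds the matching key. The interface name `wg0`, the /24 prefix, the port 51820 and the peer key are assumptions to be replaced with your own values.

```bash
#!/usr/bin/env bash
# Added example: locate a known WireGuard peer on the LAN without any
# control plane, by trying each host as the peer's endpoint.
# Assumptions: plain WireGuard (not the Tailscale daemon), root access for
# `wg set`, peer listening on UDP 51820 (placeholder), a /24 LAN.
set -u

# Expand a /24 prefix into candidate host addresses (pure, testable).
lan_hosts() {  # lan_hosts 192.168.1 -> 192.168.1.1 ... 192.168.1.254
    local prefix=$1 i
    for i in $(seq 1 254); do printf '%s.%d\n' "$prefix" "$i"; done
}

# A handshake counts as fresh if its epoch timestamp is not older than
# the moment we pointed the peer at the candidate endpoint.
handshake_is_fresh() {  # handshake_is_fresh <latest_handshake_epoch> <probe_start_epoch>
    [ "$1" -ge "$2" ]
}

# probe_peer <iface> <peer_pubkey> <prefix> [port]; prints the host that
# answered with a valid handshake and returns 0, or returns 1 if none did.
probe_peer() {
    local iface=$1 key=$2 prefix=$3 port=${4:-51820} host start ts
    for host in $(lan_hosts "$prefix"); do
        start=$(date +%s)
        # Re-point the peer; an unrelated host silently drops the initiation
        # because it cannot decrypt it with the expected static key.
        wg set "$iface" peer "$key" endpoint "$host:$port" \
            persistent-keepalive 5 || return 2
        sleep 2  # give the handshake a moment to complete
        ts=$(wg show "$iface" latest-handshakes | awk -v k="$key" '$1==k {print $2}')
        if handshake_is_fresh "${ts:-0}" "$start"; then
            echo "$host"
            return 0
        fi
    done
    return 1
}

# Usage (placeholders): probe_peer wg0 '<peer-public-key>' 192.168.1
```

Sweeping a /24 with a 2-second wait per host takes around eight minutes; the peer still needs to know your key and accept your source address, so this finds only peers already configured for you.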
That's a nice thing with WireGuard, yeah. I'll keep this in mind if ever I can grok Tailscale to do such things.
I know Tailscale prefers being installed on every machine, but not all of my machines are even capable of running custom code. I use a single Tailscale router that publishes my internal network to Tailscale, and if the Internet is down everything still works fine internally.
If you're self-hosting Headscale, you can configure your network such that Headscale is reachable on your network with or without Internet access, and available from the Internet.
Something like Yggdrasil would work, or a daemon that publishes mDNS and connects to known peers.