OpenVPN over Tailscale

I am currently using a hotel wifi and it’s blocking some outbound ports I need. I have a Tailscale setup with an exit node on my Apple TV on my home connection. This is all working beautifully. However, for work, I have a basic OpenVPN tunnel that just makes me appear as a certain IP so I can connect to various services that are IP whitelisted.

If I try to connect OpenVPN (using Tunnelblick, macOS) on the wifi (with Tailscale disconnected) it does not connect because the port is blocked. However, if I connect to Tailscale first, then connect the OpenVPN, it connects! The problem is my IP address remains as my Tailscale exit node IP and not the IP of the OpenVPN server.

I’m not a networking expert and I can’t figure out exactly what I need to do to make this all work. Any ideas from the Tailscale side of things?

I find that it’s usually DNS; make sure you have one added to your tailnet. Sometimes the splash portals use a different DNS server that won’t resolve over Tailscale, so adding a split DNS to use that DNS server or 8.8.8.8 might work.

For example my commuter train has wifi but it blocks VPN, adding a split DNS server for that particular address made it work again.

I don’t think you can make this work. Will be interested to see if anyone thinks of something, but for now you may just have to use another network.

Depending on the OS of the exit node, you can use policy-based routing to route Tailscale packets through the OpenVPN connection, but that comes with the downside of all Tailscale traffic, like DNS and control, going over OpenVPN.

This might be a matter of routing on the client side. Make sure your OpenVPN interface has a higher priority, and/or make sure you’re not trying to route traffic over Tailscale that should be destined for OpenVPN.

It’s working because the hotel is blocking the OpenVPN ports, but when you connect over Tailscale you are tunneling your traffic over Tailscale first, which IS allowed through the hotel’s wifi. Are you by any chance in China?

What about adding the OpenVPN server IP address as a subnet route and disabling Tailscale as an exit node. That way OpenVPN should connect via Tailscale, but Tailscale won’t capture other traffic (and hopefully OpenVPN will get it instead).
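A client-side check for the split proposed above (the OpenVPN server reached through Tailscale, all other traffic leaving through the OpenVPN tunnel), added here as an example and not taken from the thread: it applies the kernel's longest-prefix match to a constructed macOS `netstat -rn` dump. The interface names (utun3 for Tailscale, utun4 for OpenVPN) and all addresses are assumptions.

```python
import ipaddress

# Constructed sample of `netstat -rn` output (macOS), not a real capture.
# Assumed: utun3 = Tailscale, utun4 = OpenVPN (Tunnelblick). The OpenVPN
# server 203.0.113.10 is reachable via a Tailscale subnet route, while
# OpenVPN's redirect-gateway installs the 0/1 and 128.0/1 halves on utun4.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags           Netif
default            100.100.100.100    UGScg           utun3
0/1                10.8.0.1           UGSc            utun4
10.8/24            10.8.0.1           UGSc            utun4
100.64/10          link#20            UCS             utun3
128.0/1            10.8.0.1           UGSc            utun4
192.168.1/24       link#5             UCS             en0
203.0.113.10/32    link#20            UCS             utun3
"""

def _to_network(dest):
    """Expand macOS's abbreviated destinations (e.g. '10.8/24') to a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))   # macOS drops trailing zero octets
    plen = plen or "32"                    # no mask shown => host route
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_routes(text):
    """Return [(network, interface), ...] from netstat -rn text (header skipped)."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4:
            routes.append((_to_network(parts[0]), parts[3]))
    return routes

def egress_interface(routes, ip):
    """Interface the kernel would pick: the matching route with the longest prefix."""
    addr = ipaddress.ip_address(ip)
    best = max(((net, ifname) for net, ifname in routes if addr in net),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def check_split(routes, ovpn_server, ts_if, ovpn_if, probe="198.51.100.5"):
    """(server reached via Tailscale?, a random public IP leaves via OpenVPN?)"""
    return (egress_interface(routes, ovpn_server) == ts_if,
            egress_interface(routes, probe) == ovpn_if)

if __name__ == "__main__":
    print(check_split(parse_routes(SAMPLE_ROUTES), "203.0.113.10", "utun3", "utun4"))
```

On a real machine, feed it the output of `netstat -rn` instead of the constructed sample; a False in the second position means the exit node is still capturing the default route.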

I’d be ok with that, I just need to connect to a service that’s IP-whitelisted for a few minutes a day…

I thought of that, but only Tailscale shows up in the VPN settings of macOS and not Tunnelblick, so I’m unsure of how to set the priority. I could have been barking up the wrong tree completely when thinking it could be done in the macOS VPN settings, though.

Nope, at a hotel in Andorra! The wifi is blocking all outgoing ports (afaik) except 80/443/8080. I was surprised Tailscale worked to be honest!

Interesting. I wonder if they hosted a security conference in the past and were pwned by their lack of security. :wink:

It’s probably to stop guests using up the upstream bandwidth from games/torrents.