zaptheimpaler, 7 months ago
I'm trying to set up a personal server with services that may be accessible from the web with a real domain name or only via Tailscale. I got the web part working with Caddy and mapping subdomains to services, but the problem is Tailscale MagicDNS doesn't support subdomains. I could try to host services on paths like "blah.blah.ts.net/svc1" and strip the paths in Caddy, but that causes all sorts of problems that you have to debug per service, like links breaking, websockets breaking, etc. So it seems subdomains are the only clean solution. I don't know much about this stuff, but it seems the best way to circumvent this limitation is to create a private DNS server that can resolve any subdomains I want to the Tailscale IP, so I'm working on getting Pi-hole set up to do that. Is this a limitation of Wireguard? How do people set up this kind of network?
caconym_, 7 months ago
> is this a limitation of Wireguard?

Wireguard and Tailscale aren't the same thing, and "Tailscale MagicDNS" has absolutely nothing to do with Wireguard. This is a great example of why "just use Tailscale" is bad advice. It has some great features, but if you don't need those features then you're needlessly locking yourself into a tightly integrated networking stack which is going to get in your way any time you want to stray from the beaten path. If your application really is personal, my advice is to ditch Tailscale and just use Wireguard. Any halfway decent router software, like OpenWRT or pfSense, will be able to run Wireguard as a virtual network interface and a local DNS server, allowing you to set up static records, delegation, etc. however you want. You'll have to deal with certificates yourself, but that will be true anyway if you try to get some local DNS thing to play nicely with Tailscale.
ggpsv, 7 months ago
That is what I ended up doing; I wrote a blog post about it some months ago [0]. The gist of it is using private DNS and exposing services only on the private network. Implementation details can vary: you decide whether to use Tailscale or bare Wireguard, and any reverse proxy and DNS server will do. In my case, I use Tailscale, NextDNS, and Caddy.

[0]: https://garrido.io/notes/tailscale-nextdns-custom-domains/
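The "private DNS plus reverse proxy on subdomains" setup that the original question and this reply describe, as an added example that is not from the thread or the linked post. It assumes a placeholder domain home.example.com, a constructed Tailscale address 100.64.0.10 for the server, and a Pi-hole (dnsmasq) as the private resolver; the service ports are made up.

```caddyfile
# Added example, not from the thread. Placeholder domain home.example.com,
# constructed Tailscale address 100.64.0.10; substitute your own values.
#
# DNS side (Pi-hole / dnsmasq): one line in /etc/dnsmasq.d/ answers the
# whole zone, including every subdomain, with the Tailscale address:
#   address=/home.example.com/100.64.0.10
# Nothing is published in public DNS, so the names only work on the tailnet.

# Shared snippet for every private service: listen only on the Tailscale
# interface so the vhosts are unreachable from the public side, and issue
# certificates from Caddy's local CA, because a public ACME HTTP-01
# challenge cannot reach names that never resolve publicly.
(private) {
	bind 100.64.0.10
	tls internal
}

# One hostname per service, so cookies, absolute links and websocket
# upgrades keep working with no path stripping.
grafana.home.example.com {
	import private
	reverse_proxy localhost:3000
}

git.home.example.com {
	import private
	reverse_proxy localhost:3001
}

# Catch-all for the wildcard: an explicit 404 rather than a default page,
# so a typo or a stale record does not silently land on another service.
*.home.example.com {
	import private
	respond "unknown service" 404
}
```

In Tailscale's DNS settings add the Pi-hole as a nameserver restricted to home.example.com (split DNS) so only that zone is sent to it, and install Caddy's local CA root on each client, otherwise browsers reject the `tls internal` certificates.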
inapis, 7 months ago
If you don't have a lot of services to access, you can hard-code the Tailscale IP address in /etc/hosts. My personal /etc/hosts is at 10 services, all hard-coded, since the internal IP address of a machine on Tailscale is static. Way cheaper and easier to deal with than setting up a separate DNS resolver. Of course that won't work if you have hundreds or thousands of services to work with.
aborsy, 7 months ago
If you have a domain, you simply add a DNS record for the Tailscale IP. You can also run your own DNS server, like a Pi-hole or AdGuard, on your Tailscale network. There you define any DNS record.