tailscale into private network
Hey, I'm trying to get a VPN connection into a railway private network and it seems to work because I can ping the tailscale exit node (inside the private network) but can't seem to ping any other service on the network via their railway private domain name.
Has anyone fiddled with this? Could it be a dns issue?
103 Replies
Project ID:
be9e230a-dc4d-4a06-803b-8fed247ffba6
Is there a way to know the private ip address of a service?
There is a way to get the IP of a service from what I've seen but railway does not like it when you do that
What would that be?
something to do with A records or something, the actual explanation of the method was deleted and like I said, railway does not like it when you do that so best not do that
there's likely an alternative way to do whatever you want to do
Hopefully there is
they are asking about how to get the IP address of an internal service, but still shouldn't do that because those are also dynamic
and internal domains use AAAA records since they are ipv6 only
but purely for testing purposes, you can find the ipv6 address of a service in one of the api responses in the browser's network requests
My service is purely UDP so no luck doing that :/
whats that have to do with it lol?
Browsers are http=TCP?
Railway's internal network uses a private DNS server to resolve. I think what you are trying to do wouldn't work unless you proxied the request to a service inside the private network so that it can resolve to an IPv6 IP provided by our internal server. You could try and grab that IP and use that with tailscale but that would break randomly when our platform load balances or any other reason we might change that.
Why do you want to do this?
In order to connect to a UDP server
Since it's not possible directly as far as I know on railway
Why not set up Tailscale directly in the service that needs udp. That way you don't have to rely on our internal Network which I'm not entirely sure supports UDP anyways. The problem with UDP packets is the very limited header. As I understand it would be possible to reverse proxy a UDP server by running an external server that proxies via HTTP or creates a tunnel that would do the same. The latency added by that would be counter productive to the purpose of udp
Can I ask what your use case is? I only have used udp for gaming server purposes. Web sockets won my heart for real time web applications awhile ago
I don't think what you want is impossible and if we figure it out I can write a guide. I am just not sure even if we could get it to work if railway is the best solution for this.
Thread has been flagged to Railway team by @thomas.
I'm using a ready to use docker image for a game server that only handles UDP
The docs say that private networks support UDP https://docs.railway.app/reference/private-networking#how-it-works
Railway might not be the best solution for this I have to admit, I just wanted to find a way since I'm paying! And I'm sure others might try to figure it out at some point, and if we figure it out, a guide would help them!
I'm looking into tailscale as a subnet router, which looks like it fits my use case
https://tailscale.com/kb/1019/subnets/
Is there a way to have the railway private network subnet CIDR?
Also, is udp public port gonna be a thing at some point?
I see a feature request marked as planned 2 years ago https://feedback.railway.app/feature-requests/p/allow-non-http-port-forwarding
at some point? yes
at some point Railway wants to allow you to expose whatever, however you would like, but right now we can only do 1 exposed http service or 1 exposed tcp service
This would fix my issue, any idea when it is planned?
not anytime soon
I might be wrong but under the hood it is. The issue is that it can't be static. So while you might be able to grab the internal IP from the way Brody described, it might change at any time.
So the way I understand this, you would have a game server service. Which you would tunnel into with Tailscale.
I have to repeat, why not just take our tailscale template and shove the code directly into the game server service?
You could wrap it in a python script:
This also creates an exit node
Please note I didn't test that, I had ChatGPT write that based on this project: https://github.com/Andrew-Bekhiet/railway_tailscale_vpn/blob/master/start.sh
I didn't even read all the lines
I think this would work for you and if it doesn't I want it too now please keep me updated
I'll test this out tomorrow, thanks for the idea
No problem, I kinda want this to be possible for my own reasons
you could use this to ssh into your own service
didn't copper do this exact same thing?
https://railway.app/changelog/2023-10-13-railway-hacks-2023#railway-hacks-2023
Cooper hacked together a way to tunnel via the CLI from local dev into a Railway Private Network over encrypted WireGuard, though I'm pretty sure what he did would be geared towards dev purposes, like accessing a database that is only accessible over the private network
It's not exactly the same but yes. and it is really cool but I haven't tried it yet
the real question is, would it ever make it to GA?
I don't know what I can say or not say about that yet. I'm still learning the lines in the sand.
When you put something in GA you are promising it will work
that is true, it could be available as a branch and the curious people could build their own cli from that branch
I'm trying out twingate to try their dns management, but the lookup fails :/
what dns resolver are you using
It's using the internal one, at least it's supposed to
what is it
The railway private network dns
yes, what is the address for it
Idk, it's provided by the private network dhcp?
Is there a fixed address for it?
uh, can you guide me?
never used twingate before
on what you linked
thats the internal networks dns resolver
Oh cool
that's why I was asking, if you don't know what resolver address you are using, how can you be sure you are using the right resolver address in the first place
It's resolving
it should return a ipv6 address
unless twingate is doing an ipv4 to ipv6 proxy
Not sure, it might be
ping it then
It seems I cannot
It might be because of my connector setup
have you tried thomas's code?
Not yet
Before I do I wanna exhaust the easier options
Is there a way to start a dockerhub service with
--sysctl net.ipv4.ping_group_range
?
the private network is ipv6 only
True, still how can I pass --sysctl arg?
you cant
thomas said it, and I'm going to say it again, I don't think railway is the best solution for this (game server)
I know I know
But I live for this kind of tinkering
I assume "expensive" services like game servers are profitable for railway, so how is public udp not a thing?
I mean I don't think we have many game servers because until recently we had one region, which would be very limiting.
It's been a requested feature for a long time:
That's fair
https://feedback.railway.app/feature-requests/p/allow-non-http-port-forwarding
But now that we have regions
but it's not easy to do, and we probably would just re-do private networking while we are at it
yep upvoted yesterday
that's the best way to tell us what to do, that's all I do a bunch of the time
What server are you trying to run
lol
I wonder what one of our servers could do there
Meaning performance-wise?
at least that game is pretty latency resistant
Yeah it's very well optimized
Yeah, for me routing through my Tailscale VPN on Railway adds about 50ms of latency
But that's just what triggered my little investigation
I think in that game it should be fine
Do you have a github repo
So you embed tailscale with a script like the one you showed?
for?
It's just a template project for a tailscale exit node:
https://railway.app/template/uIBpGp
It's like a really cheap VPN
Yeah but how do you test your latency?
Oh exit node so all your traffic
I see
But you haven't managed to ping internal network
Internet Speed Test - Measure Network Performance | Cloudflare
No because you are not meant to be able to via UDP
not saying you can't get it to work
Have you managed via TCP?
or even ICMP
I think brody could if he wanted to but no
I haven't even managed to ping services in the private network
being brutally honest, hosting games servers on railway doesnt really interest me
It's just my use case, but Thomas' is to ssh for instance
not everything has to interest you haha, no worries man
You just shared a way we leak the internal IP earlier
Find your own use case
and I think you were right
i did?
I think I mis read this
oh yeah thats harmless
oh yeah, for sure
not worried about it
you would just break your code if you tried to use that for long
could a
udp -> tcp -> udp
proxy work?
Probably, but I feel like I'm close to getting it working
What's weird is I can nslookup, but the lookup from the controller fails
no template?
nope
What is this?
a little app I made
make a template!
why tho lol
So people can ping their private networks
It looks very official, nice job
people can do that from their services
I did snag a nice subdomain
People can probably remake every template lol
you weren't the first to try to port check or ping a service in a completely different private network don't worry
haha
wouldn't be very private if you could do that though
looked official as thomas said
Ok options exhausted, I'll look into embedding tailscale in the service