tailscale/sniproxy

By tailscale

Updated over 1 year ago

Deprecated. Use App Connectors instead (https://tailscale.com/kb/1281/app-connectors)


Deprecated

The sniproxy has been deprecated. Use Tailscale app connectors instead.

sniproxy

The sniproxy carries traffic for one or more domains across the tailnet to the device where an sniproxy is running, and only then sends it out to the public Internet. This is useful when a service restricts access to an allowlist of IP addresses: the public IP address of the device running sniproxy is added to the allowlist, and traffic from every node on the tailnet to that service then egresses from that one address.

sniproxy works by acting as the DNS nameserver for the domain(s) that should transit the tailnet (set up through split DNS below). It answers every query for those names with its own Tailscale IP address, so clients connect to it instead of to the real host. When a TLS connection arrives, it reads the Server Name Indication (SNI) extension from the client's plaintext ClientHello to learn which host on the public Internet the client wants, opens a connection there, and relays bytes in both directions.

Additionally, sniproxy can be configured to forward traffic arriving on specific TCP ports to a fixed domain, such as sending port 22 SSH traffic to github.com. This lets sniproxy carry protocols that do not start with a TLS ClientHello and therefore carry no SNI to steer by; for those, the destination has to be configured per port.

This means:

  • Traffic to https://www.example.com/ will traverse the tailnet and egress to the Internet from the public IP address of the sniproxy device.
  • sniproxy cannot decrypt the contents of the HTTPS session. It sees the host name in the plaintext ClientHello and nothing else; all it can do is steer the session to its destination.
  • Without TS_APPC_FORWARDS, only HTTPS connections are steered automatically (plain HTTP on port 80 is redirected to HTTPS, see the sniproxy_http_promoted counter under Monitoring). Other ports and protocols are carried only if an explicit per-port forward is configured.
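To make concrete what an SNI proxy can and cannot see, here is an added Go example; it is not sniproxy's own code and makes no claim about how sniproxy is implemented internally. ServerName pulls the host name out of the first TLS record of a connection the way any SNI proxy must, and ClientHello builds a minimal hello as constructed test input (all-zero random, one cipher suite). Running it shows the three cases that matter for this page: a ClientHello with SNI yields the destination host, a ClientHello without SNI cannot be steered, and a non-TLS protocol such as SSH (first byte is not 0x16) cannot be steered either, which is why TS_APPC_FORWARDS exists.

```go
package main

import "errors"

// cursor is a bounds-checked reader over TLS bytes; an overrun sets err instead of panicking,
// which matters because these bytes come from an untrusted client.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || len(c.b) < n {
		c.err = errors.New("truncated TLS data")
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// uint reads an n-byte big-endian length field (TLS uses 1-, 2- and 3-byte lengths).
func (c *cursor) uint(n int) (r int) {
	for _, x := range c.take(n) {
		r = r<<8 | int(x)
	}
	return r
}

var ErrNoSNI = errors.New("ClientHello carries no server_name extension")

// ServerName returns the SNI host from the first bytes a client sends. The plaintext
// ClientHello is all an SNI proxy can read; everything after it is encrypted.
func ServerName(first []byte) (string, error) {
	rec := &cursor{b: first}
	if rec.uint(1) != 0x16 { // record content type 22 = handshake
		return "", errors.New("not a TLS handshake record")
	}
	rec.take(2) // record-layer version
	hs := &cursor{b: rec.take(rec.uint(2))}
	if rec.err != nil || hs.uint(1) != 1 { // handshake type 1 = ClientHello
		return "", errors.New("not a complete ClientHello record")
	}
	hs.take(3 + 2 + 32) // handshake length, client_version, random
	hs.take(hs.uint(1)) // legacy_session_id
	hs.take(hs.uint(2)) // cipher_suites
	hs.take(hs.uint(1)) // compression_methods
	if hs.err == nil && len(hs.b) == 0 {
		return "", ErrNoSNI // the extensions block is optional; old clients omit it
	}
	ext := &cursor{b: hs.take(hs.uint(2))}
	for ext.err == nil && len(ext.b) > 0 {
		typ := ext.uint(2)
		data := &cursor{b: ext.take(ext.uint(2))}
		if typ != 0 { // extension type 0 = server_name
			continue
		}
		data.take(2) // server_name_list length
		for data.err == nil && len(data.b) > 0 {
			nameType := data.uint(1)
			name := data.take(data.uint(2))
			if nameType == 0 && data.err == nil { // name_type 0 = host_name
				return string(name), nil
			}
		}
	}
	if hs.err != nil || ext.err != nil {
		return "", errors.New("malformed ClientHello")
	}
	return "", ErrNoSNI
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// ClientHello builds a minimal ClientHello record as constructed test input; sni == "" omits SNI.
func ClientHello(sni string) []byte {
	body := append([]byte{3, 3}, make([]byte, 32)...) // legacy_version TLS 1.2, all-zero random
	body = append(body, 0)                            // empty legacy_session_id
	body = append(body, 0, 2, 0x13, 0x01)             // cipher_suites: TLS_AES_128_GCM_SHA256
	body = append(body, 1, 0)                         // compression_methods: null
	if sni != "" {
		entry := append(append([]byte{0}, u16(len(sni))...), sni...) // host_name entry
		list := append(u16(len(entry)), entry...)
		ext := append(append(u16(0), u16(len(list))...), list...) // type 0 = server_name
		body = append(append(body, u16(len(ext))...), ext...)
	}
	hs := append(append([]byte{1, 0}, u16(len(body))...), body...) // type 1, 24-bit length
	return append(append([]byte{0x16, 3, 1}, u16(len(hs))...), hs...)
}
```

Call ServerName(ClientHello("www.example.com")) to get "www.example.com"; ServerName(ClientHello("")) returns ErrNoSNI and ServerName([]byte("SSH-2.0-OpenSSH_9.6\r\n")) returns an error, so a real proxy needs a per-port rule for those connections. Note that nothing here decrypts anything: the host name is the only application-level fact the proxy learns.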

To use it, please follow these steps.

Step 1: Create an auth key

Create an auth key in the admin console; it is used in the next step to authenticate the sniproxy node to your tailnet. The key is handed to the container as an environment variable, so prefer a key that is not reusable and treat it like any other credential.

Step 2: Run the sniproxy

We recommend running the Docker image inside tmux or screen so it keeps running after you log out (passing -d to docker run is the alternative). The volume mount persists the node's state under /root/.config in the container, so the node keeps its identity and Tailscale IP across restarts; that matters because Step 3 pins that IP as a nameserver. If the shell history on this host is shared, pass the key with --env-file instead of --env so it does not end up in the history.

docker run --env TS_AUTHKEY=tskey-auth-ab12CD3CNTRL-abcdefghijklmnopqrstuvwxyzabcdef -v ${PWD}:/root/.config/ tailscale/sniproxy:unstable

To configure TCP port forwarding to a destination, add --env TS_APPC_FORWARDS=tcp/<port>/<fqdn>,tcp/<port>/<fqdn>.
For example: TS_APPC_FORWARDS=tcp/22/github.com
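Since a mistyped forward entry is easy to miss until the port silently fails to proxy, the following added Go validator (example code, not part of sniproxy; how sniproxy itself reacts to a malformed value is not documented on this page, so the strictness here is a deliberate choice of the example) checks a TS_APPC_FORWARDS value before it is handed to the container. It enforces the tcp/<port>/<fqdn> shape from the text above, a port in 1..65535, a host name with at least one dot and no whitespace or separators, and no port forwarded twice.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Forward is one TS_APPC_FORWARDS entry: TCP connections arriving on Port are sent to Host:Port.
type Forward struct {
	Port uint16
	Host string
}

// ParseForwards validates a TS_APPC_FORWARDS value of the form
// "tcp/<port>/<fqdn>[,tcp/<port>/<fqdn>...]" and returns the parsed entries in order.
// It is deliberately strict (example policy, not sniproxy's own): an entry that is
// silently ignored leaves a port unproxied, so reject anything ambiguous up front.
func ParseForwards(spec string) ([]Forward, error) {
	var out []Forward
	seen := map[uint16]string{}
	for _, item := range strings.Split(spec, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, fmt.Errorf("empty entry in %q (trailing comma?)", spec)
		}
		p := strings.Split(item, "/")
		if len(p) != 3 {
			return nil, fmt.Errorf("%q: want tcp/<port>/<fqdn>", item)
		}
		if p[0] != "tcp" { // the page documents TCP forwards only
			return nil, fmt.Errorf("%q: only tcp forwards are supported, got %q", item, p[0])
		}
		port, err := strconv.ParseUint(p[1], 10, 16) // rejects non-digits and values > 65535
		if err != nil || port == 0 {
			return nil, fmt.Errorf("%q: %q is not a valid TCP port", item, p[1])
		}
		host := p[2]
		if host == "" || !strings.Contains(host, ".") || strings.ContainsAny(host, " \t:/") {
			return nil, fmt.Errorf("%q: %q is not a fully qualified host name", item, host)
		}
		if prev, dup := seen[uint16(port)]; dup {
			return nil, fmt.Errorf("%q: port %d is already forwarded to %s", item, port, prev)
		}
		seen[uint16(port)] = host
		out = append(out, Forward{Port: uint16(port), Host: host})
	}
	return out, nil
}
```

ParseForwards("tcp/22/github.com,tcp/3389/rdp.example.com") returns two entries; "udp/53/example.com", "tcp/70000/example.com", "tcp/22/localhost" and a second "tcp/22/..." entry are all rejected with a message naming the offending item.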

Step 3: Configure split DNS

In the DNS settings of the admin console, add a split DNS nameserver for each domain to be carried.

  • Nameserver: the Tailscale IP address of the node named sniproxy in the Machines list.
  • Domain: example.com, the domain to be carried over the tailnet (its subdomains, such as www.example.com, are included).

The sniproxy is now configured. Accesses to https://www.example.com/ will be carried over the tailnet to the sniproxy before egressing to the Internet, and the source IP address seen by the service will be the public IP address of the device running the sniproxy. Because any tailnet node that can reach the sniproxy node gets to egress from that allowlisted address, restrict which nodes can reach it with tailnet ACLs rather than relying on the remote allowlist alone.

A Software-as-a-Service provider often uses several domains (for assets, APIs, login flows and so on), and each of them needs its own split DNS entry or the corresponding requests will bypass the proxy and arrive from the client's own IP address. A helpful resource for finding them is the v2fly project, which curates a list of known domains used by various services.

Monitoring

The sniproxy exports Prometheus-style counters of its operations on port 8893, reachable from the tailnet (so they are readable by any node that your ACLs allow to reach that port).

Metrics likely to be of interest:

  • sniproxy_tls_sessions: number of TLS sessions proxied by decoding the SNI extension
  • sniproxy_tcp_sessions: if TS_APPC_FORWARDS has been configured, a counter labelled per configured TCP port, for example sniproxy_tcp_sessions{proto="ssh"} 137 and sniproxy_tcp_sessions{proto="rdp"} 12
  • sniproxy_http_promoted: number of HTTP port 80 sessions which were automatically redirected to HTTPS
  • sniproxy_bad_addrport, sniproxy_dns_failed: error counters; a rising sniproxy_dns_failed usually means the sniproxy node itself cannot resolve the public destination

Docker Pull Command

docker pull tailscale/sniproxy