My ISP uses CGNAT, which is stopping me from reaching my internal network, so I'm thinking about using Tailscale to allow me to connect to my server and hence to my internal network.
But I'm not very comfortable giving Tailscale 100% access to my internal network, so I was wondering whether I could limit it to only what it requires: connecting to the internet and to a WireGuard service running in the same container. This would in turn connect to a WireGuard server on the container's host and provide me with full network access.
I know that as long as they have a service running on the server, even inside a container, they will always be able to access the host. But even so, I would feel safer if I at least tried to contain it.
Does anyone know if this is possible? And can it be done through Docker Compose?
There is no need, and you're defeating the point of using Tailscale. Use Headscale if you cannot surmount your anxiety around trusting Tailscale.
Note that using Headscale transfers the anxiety of control from Tailscale as a company to whatever VPS you would be hosting Headscale on.