Back in July, I wrote a post on how to set up split tunneling between Tailscale and a WireGuard VPN — in my case, Mullvad — on macOS. In general, it worked as desired, with all traffic going through Mullvad, except for Tailscale traffic. However, there were some limitations: I had to disable Tailscale DNS in order to prevent DNS leaks, so I had to access Tailscale hosts via their Tailscale IP addresses; I had to manually clear the DNS settings on all my interfaces after disconnecting from the VPN; and crucially, I never completely trusted that the VPN setup was leak-free. Let’s see if we can do better this time.
I use Tailscale to connect all my devices to each other. In general, this is great. I can access all my machines from anywhere, through NAT, without messing with my firewall, by hostname. And that’s just the base level. I’m not here to be a Tailscale ad — go check out their website if you want to know more. Sometimes I want to use a VPN to anonymize my internet traffic, though, and Tailscale does not (currently) support that.