I noticed that if the VPN client is stuck on a Beryl AX, it blocks all traffic for locally connected clients as expected, but clients connected via Tailscale with the Beryl AX configured as the exit node are not blocked and instead bypass the VPN.
Hi,
May I know what mean you mentioned did? Enable Tailscale with exit node, as well as enable VPN same time? when the exit node is down, the client is not stuck and (auto) bypass the VPN?
No, I did not say exit node down. Both the exit node and the client VPN are working. The traffic from Tailscale clients goes > exit node > VPN > website. Now if the VPN client goes down, for example because the service subscription has expired or the VPN service provider has switched the server configuration, traffic from Tailscale clients goes > exit node > website (bypassing the VPN). It seems the traffic should be blocked in this case as is the case for locally connected clients when the VPN is stuck.
As stated in a different thread, I am actually more interested in getting Tailscale exit node traffic to always bypass the VPN, but given that it currently all goes through the VPN, I think it should also be blocked like local traffic if the VPN is down.
-
If enable TS with exit node and VPN client (connected) in the GL router, all data actually is PC -> Router -> VPN Client -> VPN Server -> Application Server (like Web server)
-
If enable TS with exit node and disable VPN client in the router, all data is PC -> Router -> TS exit node -> TS running exit node device -> Application Server (like Web server)
-
We are not recommended both enable the TS with exit node and VPN client in the router, as they both work in the same way, to be an VPN Client, and we have not claim they supported and can work ok at the same time.
-
Based on your network road, seems that they are unrealistic.
When the VPN Client is unreachable, GL router have to follow the principle that data encryption does not leak and cannot be automatically transferred to other interfaces. Otherwise, the data will be leaked without user confirmation.
Only when the user switches manually via GL GUI, so it has been confirmed that the operation is from the router owner, not automatic switching.
GL always ensures user data security.
Sorry, I should have made it clear that I am talking about remote Tailscale clients. Everything you wrote seems to be referring to a situation where the client running Tailscale is physically behind the GL router. Again, I was talking about a Tailscale client that is for example a phone on a mobile connection and which is using the GL router as an exit node to open a website. This traffic is additionally going through the VPN running on the GL router if it is running and I would like to bypass the VPN without having to turn off the VPN for this traffic. Unfortunately, VPN policies and the kill switch are not respected by remote clients connected via Tailscale.
I see, the other thread has replied to you about this question.