Good point, it can’t report anything as long as cellular remains turned off.
My phone is always in Flight Mode.
But once it does connect to the intended network via Wi-Fi it would then regain that ability to report.
Yup… & that’s a problem. You know what I’d do? I’d setup your Beryl w/ AdGuard Home but no WAN/Internet uplink, cable, repeater or smoke signals. Then I’d use the phone as much as possible, days even. Gaming, surfing, idling… whatever. AdGuard should do the logging quite nicely. IDK how much effort it’d be pull those logs but that data could be used to build a custom blocklist.
How you deploy that blocklist onto your ‘tailnet’ to ‘zero out’ or ‘null route’ those particular DNS requests is up to you… but you might be surprised how often tracking is a concern.
Eg: I have a custom curated block list that nulls out specific domains I don’t like on my Slate AX & a service that takes care of some claimed 70000 other sites which they update. The capability to run this already ships in f/w 4.2.1-r4. It’s just a matter of collecting the domains to build the list & some manual configuration.
Your goal of using Tailscale is a little more complex setup than mine but the more I think of it, I don’t think there’d be much of a problem replicating a similar blocking setup I have for your goals. I’m already using WireGuard, just not via Tailscale.
IDK; I always set static DHCP. I like to know my devices are where I put them. Whether you choose to assign them to tunnel is up to you but there’s more than just an ‘all or nothing’ option under Global Proxy. How paranoid ya’wanna get? You are properly paranoid, right?
(Side note: I think you’ll want to click that link in this post. I really do.)