a year ago
My project has two environments (staging and production). I set up a Tailscale Subnet Router for production following the tutorial step-by-step and it all worked great.
However, my understanding is that private networking does not work across different environments in the same project, so I tried setting up a separate Tailscale Subnet Router for the staging environment, following the same tutorial. I generated a new auth key and approved the subnet.
I did not need to, and in fact I could not, Configure Split DNS again, because the settings were the same.
After all this, while I can still connect to the services on the production subnet, the staging ones are completely unreachable.
Is this a known issue? Is there anywhere I should look for clues as to what might be going wrong? Thanks.
EDIT: I can ping both Subnet Router devices via their IP address, so that seems to be working. It’s the DNS part that looks problematic.
10 Replies
a year ago
Hello, writer of that guide here.
This is a known limitation, for a few reasons.
Across all environments within any project -
The private domains on services can be the same.
The private network's DNS resolver is the same address.
The subnet is the same.
All these factors combined mean you can only run one subnet router at a time in any project, since there is no way for Tailscale to differentiate.
I don't currently know of any workarounds to let you run multiple subnet routers at the same time short of writing my own tunnel built into the CLI.
a year ago
I see. I don’t know if there are plans to change any of the above, but if not then it would be useful if a subnet router could allow access to all the services in the same project, rather than limit them by environment. Thanks!
a year ago
The private network itself is scoped to a given environment, so this would not be achievable unfortunately.
Would you mind sharing your use case? Perhaps there is an alternative solution.
a year ago
I’d rather have all non-user-facing services off the publicly available internet. Web apps would connect to them via the private network only, and I would still need to connect to them somehow, for debugging, backup, etc., so Tailscale seemed like a good solution.
a year ago
I guess a way of achieving what I’m describing would be to let go of Railway’s notion of environments, and instead deploy all of my services in a single env.
a year ago
Does this work if you take a specific subnet router offline? e.g. if you want to access the services within the staging env, take the subnet router in the production env offline.
a year ago
Yeah, that works too.
a year ago
Putting both staging and production on the same “environment” would make the PR Environment feature unusable.
a year ago
Yeah, unfortunately that's the best solution we can offer right now - keeping only one subnet router running across your entire Railway account at any given point.
Status changed to Solved angelo-railway • 11 months ago