Tailscale Setup

Just a couple notes I’d like to add:

Tailscale SSH

For those using Tailscale SSH, a connection can be initiated from within an AppVM using sys-tailscale as its Net qube. However, when using Fedora as a template for sys-tailscale this functionality is blocked when SELinux is set to enforce – which it is by default.

Since Tailscale does not come with an appropriate SELinux policy (see issue 4908), users wishing to take advantage of Tailscale SSH need to either disable SELinux in the underlying template or attempt to use a user-generated SELinux policy (again see issue 4908).

DNS Resolution

@kalbasit’s guide on configuring DNS is my preferred solution since it eliminates the need to explicitly configure DNS on AppVMs which use sys-tailscale as Net qube and allows for seamless swapping of Net qubes.

Make sure to make /usr/bin/qubes-tailscaled-dns.sh executable with chmod +x /usr/bin/qubes-tailscaled-dns.sh. Reboot, then verify that the script executes correctly at startup with systemctl status qubes-tailscaled-dns.sh.

DNS Short Name Resolution

As is, @kalbasit’s script does not work with a search domain. Therefore, short names like server must be accompanied by their FQDN (i.e. server.example.com) in order to resolve from the AppVM. While this can be solved by binding /etc/resolv.conf in a given AppVM and appending search example.com, this runs contrary to the approach of having all configuration reside in sys-tailscale – thinking about a solution, perhaps rewriting with dnsmasq?

Exit nodes

As @apparatus points out (thread linked above in the original post – as a new user I am limited to 2 links per post), the command ip rule add from all lookup main suppress_prefixlength 0 must be run on sys-tailscale in order for AppVM traffic to pass through to a Tailscale exit node. My solution is to create a service /etc/systemd/system/ip-rule.service in the TemplateVM with the following content:

[Unit]
Description=Add custom IP rule
# Wants= actually pulls network-online.target in; After= alone only orders against it
Wants=network-online.target
After=network-online.target
After=nftables.service

[Service]
Type=oneshot
# Give tailscaled time to install its own policy rules before adding ours
ExecStartPre=/bin/sleep 10
ExecStart=/usr/sbin/ip rule add from all lookup main suppress_prefixlength 0
RemainAfterExit=true

[Install]
WantedBy=multi-user.target
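As an added example (not part of the post above, and not Tailscale's or Qubes' own tooling), the following POSIX sh script makes the exit-node rule idempotent: it inspects the output of `ip rule show` and only runs `ip rule add` when the `suppress_prefixlength 0` rule is missing, so a restart of the unit or a manual re-run does not fail on an already-present rule. The sample rule table embedded below is constructed for offline testing; the `--apply` flag and the function names are this script's own choices.

```shell
#!/bin/sh
# Added example: idempotently ensure the policy rule needed for Tailscale
# exit-node pass-through is present on sys-tailscale. Not from the post.
set -e

# The exact rule the post installs via ip-rule.service.
EXIT_NODE_RULE='from all lookup main suppress_prefixlength 0'

# Constructed sample of `ip rule show` output on a sys-tailscale where the
# rule is already installed (priority 0) alongside Tailscale's own rules.
SAMPLE_RULES='0:	from all lookup main suppress_prefixlength 0
5210:	from all fwmark 0x80000/0xff0000 lookup main
5230:	from all fwmark 0x80000/0xff0000 lookup default
5250:	from all fwmark 0x80000/0xff0000 unreachable
5270:	from all lookup 52
32766:	from all lookup main
32767:	from all lookup default'

# rule_present RULE_TABLE_TEXT
# Prints "yes" if the exit-node rule appears in the given text, else "no".
# Pure shell pattern match, so it works without grep and on any rule dump.
rule_present() {
    case "$1" in
        *"$EXIT_NODE_RULE"*) echo yes ;;
        *)                   echo no ;;
    esac
}

# ensure_rule
# Reads the live rule table and adds the rule only when it is absent,
# so repeated invocations (unit restarts, manual runs) stay harmless.
ensure_rule() {
    if [ "$(rule_present "$(ip rule show)")" = no ]; then
        ip rule add $EXIT_NODE_RULE
        echo "added: ip rule $EXIT_NODE_RULE"
    else
        echo "already present: ip rule $EXIT_NODE_RULE"
    fi
}

# Only touch the live system when explicitly asked (requires root).
# Without --apply the script just evaluates the constructed sample.
case "${1:-}" in
    --apply) ensure_rule ;;
    *)       echo "sample table has rule: $(rule_present "$SAMPLE_RULES")" ;;
esac
```

Used as `ExecStart=/usr/local/bin/ensure-exit-node-rule.sh --apply` (a path chosen here, not one from the post), the script replaces the bare `ip rule add` in the unit while keeping the same `After=`/`Wants=` ordering; `ip rule show` before and after confirms the rule sits at priority 0, ahead of Tailscale's own 52xx rules.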