Set up a Tailscale Subnet Router

What is a Subnet router?

A subnet router is a device within your tailnet that you use as a gateway that advertises routes for other devices that you want to connect to your tailnet without installing the Tailscale client.

Source: Subnet routers, via Tailscale's documentation

In the context of Railway, the "other devices" are the services within a project.

About this Tutorial

This tutorial will help you connect to your database via the private network without you having to use public endpoints.

Since Railway doesn't currently offer a native way to access the private network from our local environment, we can use a Tailscale Subnet Router to accomplish this.

Deploying Tailscale as a subnet router into our project means that we can access the railway.internal private domains from any device connected to our tailnet.

This tutorial aims to provide a simple step-by-step guide on setting up everything needed so that we can access the private domains of our services.

Objectives

In this tutorial, you'll learn how to do the following:

  • Generate an Auth Key.
  • Set up split DNS.
  • Deploy the Tailscale Subnet Router template.
  • Approve the private network subnet.
  • (Bonus) Connect to Postgres locally via the private domain.

Prerequisites

This guide assumes you are familiar with the concepts of Private Network. For a quick explainer, check out our guide and reference page.

In Railway:

  • Have all the services you plan on connecting to via the tailnet, listening on IPv6.

    This is necessary because the Tailscale tunnel will communicate with your services over Railway's IPv6-only private network.

    All database services already do this, but for information on configuring your service to listen on IPv6, see here.

In Tailscale:

  • Have an account.

    You can sign up here. For what this template achieves, you do not need a paid plan.

  • Have the Tailscale app installed on your computer.

    You can find the downloads for your OS here.

1. Getting an Auth Key

The Auth key will authenticate the Tailscale machine that we'll deploy into our Railway project in a later step.

  • Head over to the Keys page located within the settings menu on the Tailscale dashboard.
screenshot of the tailscale settings page
  • Click Generate auth key.

    Put in a description and leave all other settings as the default.

screenshot of the generate auth key modal in tailscale
  • Click Generate key.

    Tailscale will now show you the newly generated auth key. Be sure to copy it down.

  • Click Done.

2. Configure Split DNS

Properly configuring our nameserver in Tailscale is essential for enabling local DNS lookups for our private domains.

  • Open the DNS page.

  • Under the Nameservers header, click Add Nameserver → Custom.

    This is where we'll tell Tailscale how to route the DNS lookups for our railway.internal domains.

screenshot of the nameservers dropdown in tailscale
  • Enter fd12::10 as the Nameserver.

    This DNS nameserver is used across all private networks in every environment and will handle our DNS queries for private domains.

  • Enable the Restrict to domain option, AKA Split DNS.

  • Enter railway.internal as our domain.

    This makes sure only DNS lookups for our private domain are forwarded to the private DNS resolver.

screenshot of the add nameserver modal in tailscale
  • Click Save.

3. Deploy the Tailscale Subnet Router

This will be the gateway into our environment's private network.

  • Open the project that contains the services you want to access privately.

    For this tutorial, we will deploy the Subnet Router into a project with a Postgres database service.

screenshot of a project canvas on railway showing a single postgres service
  • In the top right of the project canvas, click Create → Choose Template.

  • Search for the Tailscale Subnet Router template.

    Choose the result that is published by Railway Templates.

screenshot of the choose a template modal showing the tailscale template within railway
  • A ghost service will appear. Paste in your auth key from earlier.
screenshot of the tailscale template asking for the auth key
  • Click Deploy Template.

The template will start to deploy and, once deployed, it will register itself as a machine in your tailnet with a name automatically derived from the project's name and environment name.

4. Approve the Subnet

Our subnet router will advertise the private network's CIDR range but we will need to manually approve it.

screenshot of the machine's dashboard in tailscale that is showing a subnet needs approving

You will see your newly deployed machine with its name that was previously derived from the project and environment.

Notice the Subnets info box under the machine name.

  • Click on the machine's 3-dot menu → Edit route settings.
screenshot of the machines page in tailscale with the 3-dot menu open and edit route settings selected
  • Click the radio button on the fd12::/16 to accept it.
screenshot of the edit route settings in tailscale showing our route being accepted

This route covers the entire private networking range, allowing us to access all services within the project.

  • Click Save.

  • Ensure that the Use Tailscale subnets option is enabled in your Tailscale client's Settings or Preferences menu.

That is all the configuration needed. You can now call any service via its private domain and port, just as if you were another service within the private network!

5. Connecting to a service on the private network (Bonus)

During this tutorial we have used Postgres as an example service, so let's finally connect to it via its private domain and port!

You can use any database GUI tool you prefer, or none at all, since our setup allows you to connect to the database over the private network using any software.

Example: Your prisma migrate deploy or python manage.py migrate commands will now work locally without the need to use the public host and port for the database.

screenshot of dbgate showing that we have successfully connected to our database

Note the use of our private domain and port in the database URL.
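
To confirm from a tailnet device that split DNS (step 2) and the approved fd12::/16 route (step 4) are both in effect, the following check resolves a private domain, verifies every returned address sits inside the approved route, and then attempts a TCP connection. This is an added example, not part of the original tutorial or the template; the hostname postgres.railway.internal and port 5432 are assumptions, so substitute your service's private domain and port.

```python
import ipaddress
import socket
import sys

# Values taken from the tutorial: the route approved in step 4 and the
# domain restricted to the fd12::10 resolver in step 2.
PRIVATE_ROUTE = ipaddress.ip_network("fd12::/16")
SPLIT_DNS_SUFFIX = ".railway.internal"

def classify(host, addrs):
    """Return (ok, reason) for a hostname and the addresses it resolved to."""
    if not host.rstrip(".").lower().endswith(SPLIT_DNS_SUFFIX):
        return False, "not a railway.internal name; split DNS does not apply"
    if not addrs:
        return False, "no AAAA answer; check the split DNS entry for fd12::10"
    outside = [a for a in addrs if ipaddress.ip_address(a) not in PRIVATE_ROUTE]
    if outside:
        return False, f"resolved outside {PRIVATE_ROUTE}: {outside}"
    return True, "all addresses are inside the approved subnet route"

def resolve(host, port):
    """IPv6-only lookup, since the private network is IPv6-only."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET6, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def check_service(host, port, timeout=3.0):
    """Resolve, validate the answer, then try a TCP connect."""
    addrs = resolve(host, port)
    ok, reason = classify(host, addrs)
    if not ok:
        return False, reason
    try:
        with socket.create_connection((addrs[0], port), timeout=timeout):
            return True, f"connected to [{addrs[0]}]:{port}"
    except OSError as exc:
        # DNS works but the route does not: approve the subnet and enable
        # "Use Tailscale subnets" on this client.
        return False, f"resolved to {addrs[0]} but TCP connect failed: {exc}"

if __name__ == "__main__":
    # Assumed defaults: hypothetical service name and the usual Postgres port.
    host = sys.argv[1] if len(sys.argv) > 1 else "postgres.railway.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5432
    ok, reason = check_service(host, port)
    print(("OK   " if ok else "FAIL ") + f"{host}:{port} - {reason}")
    sys.exit(0 if ok else 1)
```

A failure at the resolution stage points at the nameserver settings from step 2, while a failure at the connect stage points at route approval or the client's subnet setting from step 4.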

Additional Resources

This tutorial explains how to set up a Tailscale Subnet router on Railway but does not delve into all the terminology and settings related to Tailscale.

We recommend reviewing the following Tailscale documentation:

