Tailscale Mesh Topology
Full mesh map of Tailscale nodes, subnet routes, and cross-site connectivity between Milky Way and Andromeda
Two physical sites are connected by a Tailscale mesh VPN, forming a single logical network across residential internet links. The Milky Way (local, primary site) operates on 10.42.0.0/24, and Andromeda (the remote site) operates on 192.168.20.0/24. Tailscale assigns each enrolled node a stable 100.x.x.x address and establishes direct WireGuard tunnels between peers.
No inbound ports are opened on either gateway. All inter-site traffic is encrypted end-to-end via Tailscale’s WireGuard mesh.
Node Inventory
All nodes enrolled in the tailnet, by physical site.
Milky Way (Local — 10.42.0.0/24)
| Node | Alias | LAN IP | Tailscale IP | Role |
|---|---|---|---|---|
| Altair-Link | Altair-Link | 10.42.0.199 | 100.64.0.234.88 | Services gateway, tunnel host, subnet router |
| Proxmox Izar-Host | Izar-Host | 10.42.0.2 | 100.64.0.18 | Primary hypervisor |
| Bare Metal Tau-Host | Tau-Host | 10.42.0.194 | N/A | Bare metal host (no Tailscale agent) |
| Capella-Outpost | Capella-Outpost | 10.42.0.100 | Enrolled | Desktop workstation |
Andromeda (Remote — 192.168.20.0/24)
| Node | Alias | LAN IP | Tailscale IP | Role |
|---|---|---|---|---|
| Proxmox Tarn-Host | Tarn-Host | 192.168.20.100 | 100.64.0.118 | Secondary hypervisor, subnet router |
| Meridian-Host | Meridian-Host | 192.168.20.50 | 100.64.0.15.30 | Unraid NAS + compute |
Build Swarm Nodes (Tailscale-Only Access)
VMs and containers on the hosts above. Remote drones are accessed exclusively over Tailscale.
| Node | Tailscale IP | Host | Role |
|---|---|---|---|
| orch-Izar-Host | 100.64.0.18 | Izar-Host (port 8091) | Primary orchestrator |
| orch-Tarn-Host | 100.64.0.118 | Tarn-Host | Backup orchestrator |
| drone-Izar-Host | 100.64.0.126 | Izar-Host | Build drone |
| drone-Tarn | 100.64.0.91 | Tarn-Host | Build drone |
| drone-Meridian-Host | 100.64.0.110 | Meridian-Host | Build drone |
| gateway-Altair | 100.64.0.88 | Altair-Link | Swarm gateway |
Orchestrators and the gateway share their host’s Tailscale IP, differentiated by port. Drones run in separate LXC containers or VMs and have their own Tailscale identities.
Subnet Routing
Two nodes advertise their entire local LAN into the mesh as Tailscale subnet routers:
- Altair-Link (Altair-Link) at 10.42.0.199 advertises 10.42.0.0/24. Any Tailscale peer can reach Milky Way LAN devices, even those without Tailscale (OPNsense gateway, Synology NAS, NVIDIA Shield).
- Proxmox Tarn-Host (Tarn-Host) at 192.168.20.100 advertises 192.168.20.0/24. Same for Andromeda LAN devices, including the ASUS router.
The result: any enrolled node on either site can reach any device on either LAN as if it were local.
Cross-Site Communication
Subnet routing enables several critical traffic patterns across both sites.
Build swarm coordination. Drones on Andromeda (drone-Tarn at 100.64.0.91, drone-Meridian-Host at 100.64.0.110) reach the primary orchestrator on Milky Way (orch-Izar-Host at 100.64.0.18:8091) directly through the mesh. The gateway on Altair-Link routes build requests to whichever orchestrator is healthy.
Cloudflare Tunnel reach-through. The cloudflared daemon on Altair-Link proxies public traffic to services on both sites. Andromeda services are reached via Tailscale IPs — for example, the Meridian-Host admin panel (mm-admin) points to 100.64.0.15.30:8888. From Cloudflare’s perspective it is a local connection; Tailscale handles the cross-site hop transparently.
Inter-site latency. Typical round-trip between Milky Way and Andromeda is approximately 38ms, adequate for SSH, web UIs, API calls, and build swarm coordination. Large file transfers work but are bounded by upstream bandwidth at each site.
MagicDNS
Tailscale MagicDNS is enabled on the tailnet, providing hostname-based resolution for all enrolled nodes. Any peer can reach another by name (e.g., Altair-Link, Tarn-Host, Meridian-Host) without manual DNS configuration.
Combined with subnet routing, this provides transparent cross-site access. A user on the Milky Way can SSH to Tarn-Host by name and land on 192.168.20.100 via the mesh, without knowing or caring that the host sits on a different physical network. The two-site topology collapses into a single addressable namespace.
Quick Reference
| Property | Milky Way (Local) | Andromeda (Remote) |
|---|---|---|
| LAN subnet | 10.42.0.0/24 | 192.168.20.0/24 |
| Gateway | 10.42.0.1 (OPNsense) | 192.168.20.1 (ASUS GT-AXE16000) |
| Subnet router | Altair-Link (100.64.0.234.88) | Proxmox Tarn-Host (100.64.0.118) |
| Inter-site latency | ~38ms | ~38ms |
| Tailscale IP range | 100.x.x.x | 100.x.x.x |
| ACL policy | Permissive (all-to-all) | Permissive (all-to-all) |
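The ACL policy row above, combined with the two subnet routers, means every enrolled node can reach every address on both LANs. As an added example (not part of the original page or the site's configuration), the Python below evaluates a few flows from this inventory against the all-to-all policy and against a hypothetical narrowed rule set; the evaluator covers only IP/CIDR sources and ip:port destinations, and the narrowed rules, the sample ports and the backup orchestrator's port are assumptions.

```python
import ipaddress

# Permissive policy, as the Quick Reference describes it (all-to-all).
PERMISSIVE = [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]

# Hypothetical narrowed policy (an assumption, not this tailnet's config):
# drones and the swarm gateway may reach only the two orchestrators. Port
# 8091 on the backup orchestrator is assumed (the page gives it for Izar-Host).
NARROWED = [{
    "action": "accept",
    "src": ["100.64.0.126", "100.64.0.91", "100.64.0.110", "100.64.0.88"],
    "dst": ["100.64.0.18:8091", "100.64.0.118:8091"],
}]

# Constructed sample flows; the LAN-side ports (443, 22) are illustrative.
FLOWS = [
    ("drone-Tarn -> orch-Izar-Host:8091", "100.64.0.91", "100.64.0.18", 8091),
    ("drone-Tarn -> 10.42.0.1:443", "100.64.0.91", "10.42.0.1", 443),
    ("drone-Meridian-Host -> 192.168.20.1:22", "100.64.0.110", "192.168.20.1", 22),
    ("drone-Izar-Host -> Tarn-Host:22", "100.64.0.126", "100.64.0.118", 22),
]

def _addr_ok(spec, ip):
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    # spec is "*", a list such as "22,443", or a range such as "8000-8100"
    ranges = (p.partition("-") for p in spec.split(","))
    return spec == "*" or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def allowed(policy, src, dst, port):
    """Default deny: a flow passes only if an accept rule matches it."""
    for rule in policy:
        if rule["action"] != "accept" or not any(_addr_ok(s, src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")
            if _addr_ok(host, dst) and _port_ok(ports, port):
                return True
    return False

def compare():
    """Map each sample flow to (allowed by all-to-all, allowed by narrowed)."""
    return {name: (allowed(PERMISSIVE, s, d, p), allowed(NARROWED, s, d, p))
            for name, s, d, p in FLOWS}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:40} all-to-all={verdicts[0]!s:5} narrowed={verdicts[1]}")
```

In a real policy file the same rules would normally name tags rather than raw addresses.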