Tailscale exit node + Adguard Home questions

About a month ago, YouTube suddenly started feeding me Level1 and Craft Computing videos. What got me interested in homelabbing again was actually Tailscale :canada:, because I’d played with DuckDNS in the past but it always made me uncomfortable.

Anyway, I pulled an ancient Zotac ZBOX ID-86 (Atom D2550) out of my closet, slapped in a (terrible point of sale system-quality) Silicon Power SSD, and installed Debian Bullseye (to see what could be done with the GT-610, i.e., transcoding), and nvidia legacy 390xx is only available up to bullseye (no Sid backports for me, thanks!). Not impressing anyone here with this hardware - the moral of the story is that it’s possible to run a few services on a potato.

I installed Tailscale directly (I don’t understand installing core networking services in Docker - what if Docker has a problem?) on the host, alongside Cockpit for administration (might be useful for situations where TrueNas, OMV, etc, are overkill, quite nice and some 45 Drives plugins exist). Then, into Docker containers I installed Portainer (for fun), AdGuard Home and Syncthing.

I was able to configure everything to be available via Tailscale exit node, which is kind of cool. I’ve tested and can log in to my Tailnet on mobile data, which allows my phone to see all its Syncthing peers and obviously routes DNS traffic to AdGuard. Sadly, perhaps because of the way Tailscale/WireGuard work, these DNS requests show up as 127.0.0.1 rather than my Tailnet IP. I was wondering if anyone had encountered this in their own setup and had a workaround? Or if this is just the expected behaviour… (edit for clarity after some testing: regular Tailnet connections show the correct IP in AdGuard, but when connecting with --accept-routes --exit-node=xxx flags, the queries all appear to come from 127.0.0.1). Is this “masquerading”?

Another question I had was regarding AdGuard Home encryption. I live alone and am the only tenant on my local network (according to nmap anyway). Since the only two times I will contact this DNS server are: (1) when I am on my home network, and (2) when I am connected to my Tailnet, is encryption really necessary? I am using DNS-over-HTTPS (with malware filtering) for the upstreams, so traffic egress from my box to the upstream should be encrypted, but should I also be encrypting traffic between the DNS server and clients? It seems like this is overkill to me - nothing should really be exposed to the internet here. Plus, in the most dangerous case (Tailscale) it seems like the communication between exit node and client is occurring over the lo interface, so encryption seems unnecessary unless I want to protect from a hacker who has already rooted my box (to the extent he can see local loopback traffic).

If anyone wants to chime in I would love to hear your thoughts. I’m very much still an amateur, though I have been playing with Linux for close to two decades now. Not afraid to dig into the conf files :wink:

Thank you for reading my rambling message
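The 127.0.0.1 observation above has a practical side effect: any per-client rules or statistics in AdGuard Home cannot tell exit-node devices apart, because they all share the loopback address. The following is an added example (not from the post or from AdGuard Home itself) that reads AdGuard's query log and reports how many queries are attributed to loopback, to a Tailscale address, or to the LAN. It assumes the querylog.json layout of one JSON object per line with an "IP" field; the log lines embedded below are constructed samples.

```python
"""Classify AdGuard Home query-log client addresses by where they came from.
Assumes one JSON object per line with an "IP" field (constructed sample below)."""
import ipaddress
import json
from collections import Counter

# Tailscale hands out node addresses from 100.64.0.0/10 (CGNAT range) and
# fd7a:115c:a1e0::/48 for IPv6.
TAILSCALE_NETS = [ipaddress.ip_network("100.64.0.0/10"),
                  ipaddress.ip_network("fd7a:115c:a1e0::/48")]
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log: one LAN client, one direct Tailnet client, and two
# queries that arrived via the exit node and therefore show the loopback address.
SAMPLE_LOG = """\
{"T":"2024-01-01T10:00:00Z","IP":"192.168.1.20","QH":"example.com","QT":"A"}
{"T":"2024-01-01T10:00:05Z","IP":"100.101.102.103","QH":"sync.example.net","QT":"A"}
{"T":"2024-01-01T10:00:09Z","IP":"127.0.0.1","QH":"example.org","QT":"AAAA"}
{"T":"2024-01-01T10:00:12Z","IP":"127.0.0.1","QH":"cdn.example.org","QT":"A"}
"""


def classify(ip_str: str) -> str:
    """Return 'loopback', 'tailnet', 'lan' or 'other' for a client address."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:          # query reached AdGuard over lo, client identity lost
        return "loopback"
    if any(ip in net for net in TAILSCALE_NETS):
        return "tailnet"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "other"


def summarize(log_text: str) -> dict:
    """Count queries per source class over a querylog.json-style text."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(json.loads(line)["IP"])] += 1
    return dict(counts)


def loopback_share(log_text: str) -> float:
    """Fraction of queries whose real client cannot be identified."""
    counts = summarize(log_text)
    total = sum(counts.values())
    return counts.get("loopback", 0) / total if total else 0.0
```

Point `summarize` at the contents of AdGuard's real `querylog.json` to see what share of your queries lose client attribution when the exit node is in use.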