I’ve had a VPN running on my server via Wireguard for ages with no issues. A couple of weeks ago I finally got round to setting up Tailscale so I could access it remotely and again it worked fine without any issues. I rebooted my server this morning and while I was out I realised I could no longer access it, once I got home I discovered everything else was working fine it was just inaccessible over Tailscale.

After some troubleshooting I’ve come to the conclusion that if Tailscale starts first the other VPN’s routing entries take priority and Tailscale doesn’t work. If Tailscale starts second then it seems to work fine. As far as I can tell I have a few options for fixing this but I’m not sure what would be the most recommended. The simplest solution is probably just to disable Tailscale from autostarting and start it manually, however I’m likely to forget that at some point and will probably only notice when I’m out and can’t access the server to start it.

If I add the following to the Wireguard config file this solves the issue: PostUp = ip route add 100.64.0.0/10 dev tailscale0
PostDown = ip route del 100.64.0.0/10 dev tailscale0 However in that case if the other VPN tries to start first it just fails as the tailscale0 interface doesn’t exist yet, so all I’ve done is reverse the order I need them to start.

I could also edit the wireguard or tailscale service files with before or after targets, that would be fairly simple to do but I think its not recommended to manually edit package provided service files? The tailscale one specifically says its meant to be read only.

The final option I can think of is to disable the tailscale service on startup and then create a systemd timer to start the tailscale service with a slight delay after boot. I think this may be the best method as I can’t see any downsides, but maybe I’m overlooking something?