tailnet - DtxdF/AppJail GitHub Wiki

Using Tailscale and Virtual Networks

Tailscale is one of the most popular open-source projects, used by hundreds (if not thousands) of users to communicate securely around the world.

You can use the power of AppJail to deploy jails, and the power of Tailscale to connect to your services no matter where you are.

Port Forwarding

We are going to deploy a jail and expose port 4321, which means our service must listen on that port. We'll use Netcat just for testing purposes, but this works with any other network program.

$ appjail quick netcat \
    virtualnet=":<random> default" \
    nat \
    start \
    overwrite=force \
    ephemeral \
    expose="4321 ext_if:tailscale0 on_if:tailscale0"
...
$ appjail cmd jexec netcat nc -v -l 4321
...

And we can connect to this service on any other machine that is part of our tailnet.

Client:

$ nc -z -v controller.namespace.lan 4321
Connection to controller.namespace.lan 4321 port [tcp/rwhois] succeeded!

Server (the listener started inside the jail above):

$ appjail cmd jexec netcat nc -v -l 4321
Connection from 100.109.177.49 39733 received!

NAT

Jails using Virtual Networks require an additional rule in our pf.conf(5) to communicate with other devices on our tailnet.

First, you need to know the network address. If you are using the default Virtual Network created by AppJail (and have not modified it), the output should look like this:

$ appjail network list
NAME   NETWORK   CIDR  BROADCAST      GATEWAY   MINADDR   MAXADDR        ADDRESSES  DESCRIPTION      MTU
ajnet  10.0.0.0  10    10.63.255.255  10.0.0.1  10.0.0.1  10.63.255.254  4194302    AppJail network  1500

So our pf.conf(5) should contain:

nat on tailscale0 from 10.0.0.0/10 to 100.64.0.0/10 -> (tailscale0:0)