Tailscale and "accept requests from..."

My config is available at Trying a first pihole test: block google.be - #2 by Bucking_Horn

I'm not using the template here since it's more of a question/recommendation...

I have configured Pi-hole to run with Tailscale. It does not work when Pi-hole is configured with its recommended setting "Allow only local requests".

This makes sense, since it has a local IP (192.168.0.190) and a Tailscale IP (let's say 100.1.2.3), will get requests from clients in "100.x.y.z", and I assume that being outside of 192.168.0.0/24 is indeed not seen as "local".

If I set Pihole to "permit all origins", all works fine, but that probably is not secure...

My NAT has the following ports forwarding settings:

  • 5000 and 5001 to the LAN IP of my Synology (192.168.0.200)

  • 6690 to the LAN IP of my Synology (192.168.0.200) (for Synology Drive)

  • 51820 to the LAN IP of my Raspberry Pi (for SSH) (192.168.0.200)

  • Is it safe to keep the "permit all origins" in my setup?

  • Should I switch back to "local only", but then configure it to consider 100.x.y.z as "local" (and how)? This would respond only to (from the doc) "queries only from hosts whose address is on a local subnet, i.e., a subnet for which an interface exists on the server". An interface exists, "tailscale0", but that does not seem to suffice.

  • Is the "Respond only on interface" setting safer in my case (I do have an interface named "tailscale0")?

Out of scope (my apologies): with Tailscale in place, maybe I can get rid of all my port forwarding rules on my router?

Thanks again, I'm a rusty IT guy and would never have made it work without you.

The reason why Tailscale doesn't work with "Allow only local requests" is that the IP is 100.x.y.z/32; a /32 subnet means no other IP is local to it.

Adding a configuration like:

interface=tailscale0
interface=eth0
interface=vlan1
etc.

compared to "Permit all origins" is only helpful when you want to stop certain interfaces from being able to access Pi-hole. In terms of security it doesn't matter much when you only have the tailscale and eth interfaces.
When you forward port 53 on your router, both are equally insecure.

For the port forwarding of your NAS it's just a matter of preference, but Tailscale would be more secure, since not everyone is in your tailnet (but everyone can access the open Internet).

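To make the reasoning in the reply above concrete, here is an added example (not code from Pi-hole, dnsmasq, Tailscale, or anyone in this thread) that models the three listening modes discussed: "Allow only local requests" (a source is local only if it falls in a subnet for which the server has an interface address), "Respond only on interface" (a query is accepted only if it arrives on a listed interface), and "Permit all origins". The interface table is constructed to match the poster's description (LAN address 192.168.0.190/24 on eth0, Tailscale address 100.1.2.3/32 on tailscale0); the function names, the mode labels and the assumption that a tailnet peer's query arrives on tailscale0 are mine, and the "local" rule is my reading of dnsmasq's local-service behaviour rather than its actual code.

```python
import ipaddress

# Constructed interface table (assumption, modelled on the poster's setup):
# eth0 carries the LAN /24, tailscale0 carries a Tailscale /32 address.
INTERFACES = {
    "eth0": ["192.168.0.190/24"],
    "tailscale0": ["100.1.2.3/32"],
}


def local_subnets(interfaces):
    """Networks for which the server has an interface address.

    A /32 on tailscale0 contributes a network containing exactly one
    address (the server's own), so no tailnet peer can ever be 'local'.
    """
    return [
        ipaddress.ip_interface(addr).network
        for addrs in interfaces.values()
        for addr in addrs
    ]


def is_local(client_ip, interfaces=INTERFACES):
    """'Allow only local requests' rule: source must lie in a local subnet."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in local_subnets(interfaces))


def query_allowed(mode, client_ip, ingress_iface,
                  interfaces=INTERFACES, listen_ifaces=()):
    """Decide whether a DNS query is answered under each listening mode.

    mode: 'local'     -> source-address check (is_local)
          'interface' -> accept only on interfaces named in listen_ifaces
          'all'       -> answer everything
    ingress_iface is the interface the packet arrived on; for a tailnet
    peer that is assumed to be tailscale0, for the LAN or a forwarded
    WAN port it is eth0.
    """
    if mode == "all":
        return True
    if mode == "local":
        return is_local(client_ip, interfaces)
    if mode == "interface":
        return ingress_iface in listen_ifaces
    raise ValueError(f"unknown mode: {mode}")


def main():
    # Constructed sample clients: a LAN host, a tailnet peer, the server's
    # own Tailscale address, and an Internet host hitting a forwarded port 53.
    cases = [
        ("192.168.0.50", "eth0"),
        ("100.4.5.6", "tailscale0"),
        ("100.1.2.3", "tailscale0"),
        ("203.0.113.7", "eth0"),
    ]
    both = ("eth0", "tailscale0")
    print(f"{'client':<14}{'via':<12}{'local':<8}{'iface':<8}{'all'}")
    for ip, via in cases:
        print(f"{ip:<14}{via:<12}"
              f"{str(query_allowed('local', ip, via)):<8}"
              f"{str(query_allowed('interface', ip, via, listen_ifaces=both)):<8}"
              f"{query_allowed('all', ip, via)}")


if __name__ == "__main__":
    main()
```

Running it shows the point of the reply: the tailnet peer 100.4.5.6 is rejected in "local" mode because the only 100.x address that is "local" to a /32 is the server's own, while listing both interfaces in "interface" mode accepts it. It also shows why the interface list is no safer than "permit all origins" once port 53 is forwarded: the Internet host 203.0.113.7 arrives on eth0, which is on the list, so it is answered either way.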
