NovaScale
NovaScale Menu
Get NovaScale app

FAQ

How does this differ from the official Tailscale client?

NovaScale uses a libtailscale fork and dials tailnet traffic inside the app process, so it does not require iOS VPN permission for this use case.

Reference: https://tailscale.com/kb/1112/userspace-networking

Why can SSH sessions resume after app backgrounding?
NovaScale relies on userspace networking behavior and in-memory app state. If iOS terminates the process due to memory pressure, sessions cannot resume.
Why does NovaScale fail to load hosts when some Chinese users' VPN apps are running?

Some third-party VPN apps in China enable a feature called FakeIP that returns addresses from a reserved IP space for DNS queries. NovaScale can bind to a non-VPN network interface (for example, a 5G or Wi-Fi interface) and send requests from that interface directly.

If a VPN app is started first, system DNS may be replaced by that app, and NovaScale requests for Tailnet domains or your self-hosted Headscale auth domain can be answered with a FakeIP. That traffic then bypasses the VPN path and cannot be rewritten to real addresses.

The fix is to force those names to resolve to real IPs in the VPN app. In Surge, for example, when using the official Tailnet authentication endpoint, add this line under a [General] profile:

[General]
always-real-ip = *.tailscale.com