When running NixOS in ChromeOS, I use Tailscale to access a few remote hosts.

Although Tailscale can run within the VM itself, I prefer to run its Android app in ChromeOS. This way, the VM never sees the raw Tailscale credentials and, if running multiple VMs, they can all share network access.

Under the hood, all VM traffic already flows through the host, enabling Tailscale routing. In addition, the NixOS Baguette image delegates DNS resolution to the host, as follows:

ln -sf /run/resolv.conf /etc/resolv.conf

maitred takes care of populating the /run/resolv.conf file as the host’s network configuration changes:

Mar 17 10:26:43 baguette-nixos maitred[412]: Received request to update VM resolv.conf

Activating and de-activating Tailscale correctly updates the resolv.conf file. With Tailscale enabled, it will look as follows:

nameserver 100.100.100.100
search [redacted].ts.net

The search configuration allows using ping <hostname> or ssh <hostname> from the VM without specifying the Tailnet FQDN (something that wasn’t working in crostini). Queries outside the Tailnet go through the host’s DNS configuration.