I've been using headscale with local DERP on a VPS for a couple of years to provide homelab access to Android phones, with decent results aside from it poorly handling changes between cellular and wifi. I have to open the Android Tailscale app and disconnect/reconnect manually often when connecting to my work or home wifi after being in the car on mobile data, so I thought I'd explore alternatives, starting with Netbird.
I followed the guide and info at https://netbird.io/knowledge-hub/rethinking-zero-trust-security-with-netbird-and-pfsense
Spinning up a fresh VPS and installing the netbird controller was straightforward, as was manually installing the pfSense package and plugin. I have the pfSense box and an Android phone (Pixel 9 Pro, Android 16) connected as peers. I added a network route for the LAN CIDR using the pfSense peer, and a DNS nameserver entry using the IP of the pfSense peer in that CIDR, with a match domain of "lan" as the private domain the pfSense DNS server uses (my local DNS names are <hostname>.lan).
Connectivity by IP works fine: the phone can talk to non-peer devices on the LAN by IP but not by name, and DNS doesn't resolve any *.lan names. The netbird DNS names of the peers do resolve, but my goal is for netbird to match *.lan domain queries and forward them to the pfSense DNS server to resolve them. Googling turned up several issues over the years of Android clients having similar symptoms, so I'm curious if I have misunderstood some configuration or if this may just be broken on Android.
I'm partly just thinking out loud here as I decide whether to move on to looking at other tailscale alternatives and hoping something about this rings a bell with somebody and perhaps there's a likely fix.