Firefox supports per-container (and as such per-tab) SOCKS proxies, which I find really useful.
So useful, in fact, that I've come full circle and I am now running a userspace WireGuard-to-SOCKS proxy [1] in order to have that convenience for a VPN which does not have any host I could SSH to.
Tailscale is great, but by itself is the wrong tool for the task of routing traffic over some host only for a single browser tab (but to all destinations for that browser tab), as it seems to be "all or nothing" when it comes to using a remote exit node.
It's probably possible to set up a local SOCKS proxy that knows to use some Tailscale non-exit-node for egress, and to manually allow that traffic within Tailscale and on the remote node, but not out of the box as far as I can tell.
Installing a SOCKS proxy on the remote node, reachable only over Tailscale, would be an alternative, but that doesn't work on an Apple TV.
[1] https://github.com/whyvl/wireproxy