WIKIABOUT

FOR TIPS, gUIDES & TUTORIALS

subscribe to our Youtube

GO TO YOUTUBE

14455 questions

17168 answers

28195 comments

0 members

Most popular tags

rut955 rut240 rut950 rutx11 rms vpn to openvpn wifi not sms trb140 firmware connection - ipsec on rutx12 rutx09 modbus
We are migrating to our new platform at https://community.teltonika.lt. Moving forward, you can continue discussions on this new platform. This current platform will be temporarily maintained for reference purposes.

Tailscale on RUTX11 VPN via Exit-Node

0 votes
1,348 views 3 comments
by anonymous

Hello,
my set-up ist as in the picture.

I am running a Synology device at my home with Tailscale. This device is acting as an exit node.
On another location, there is running the RUTX11 also with Tailscale installed and running. This machine advertises subnet routes (192.168.4.0/24).

RUTX11 Firmware Version: RUTX_R_00.07.04
Tailscale version: 1.24.2-1 (OpenWrt)
OS: OpenWrt 21.02.0


When I start tailscale on the RUTX11 with the command "tailscale up --advertise-routes=192.168.4.0/24", I can ping all my tailsclae machines form the router cli using tailscale IPs and vice versa, from all tailscale clients I am able to ping the RUTX11 IP (100.82.25.31).
However I am not possible to ping the the clients behind the RUTX11, so basically any client on the 192.168.4.0/24 network. (On the picture it would be: ping 192.168.4.113).

My goal is to start tailscaleon the RUTX11 with the command "tailscale up --advertise-routes=192.168.4.0/24 --exit-node=100.93.155.21" so all the clients behind the RUTX11 will use the Synolgy as the Exit Node when going out to internet.
(I can not or dont want to install Tailscale on this clients.)
But when this command is issued, the connection from the Client-NB (IP: 192.168.4.113) to RUTX11 is not possible (it is lost), also I am not able to ping 192.168.4.1 from the Client-NB.
From Mobile or Synolgy (see picture) I am abel to ping the RUTX11 tailscale IP and connect to RUTX11 Web-Interface.

I tried what is described here (https://community.teltonika-networks.com/37810/can-we-please-get-tailscale-added-to-the-os?show=37810#q37810) , but with no success.

I do not know what I could do next. Maybe it is a routing problem, that is why I atatched the routing table a firewall settings.
If more info is needed, I will try to upload it as soon as possible.

Any help would be appreciated.

Current Setup

current setup

In cli interface tailsacle0 is present:

root@Teltonika-RUTX11:~# ifconfig

tailscale0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:100.82.25.31  P-t-P:100.82.25.31  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:15 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:1519 (1.4 KiB)  TX bytes:1592 (1.5 KiB)


However not in GUI:

I did not set any routes manually, this are the IPV4-Routes after issuing the command "tailscale up --advertise-routes=192.168.4.0/24 --exit-node=100.93.155.21"

Network Target IPV4-Gateway Metric Table
(tailscale0) 100.93.155.21 * 0 52
(tailscale0) 100.100.100.100 * 0 52
(tailscale0) 100.112.116.55 * 0 52
(tailscale0) 0.0.0.0/0 * 0 52
(tailscale0) 192.168.1.0/24 * 0 52
(tailscale0) 192.168.4.0/24 * 0 52
wan 0.0.0.0/0 192.168.1.1 0 main
wan 192.168.1.0/24 * 0 main
lan 192.168.4.0/24 * 0 main

Firewall - Zones

1 Answer

0 votes
by anonymous

Hi,

Could you please try to create an interface in Network -> Interfaces?

  • Name: tailscale
  • Select protocol as none.
  • In physical settings, select a custom interface and enter 'tailscale0'
  • (you can also try to set lower metrics in advanced settings).

Save and apply.

Navigate to Network -> Firewall and create a firewall zone (edit your current one or create a new one).

  • Name: tailscale
  • Input, output, forward: set all to ACCEPT
  • Enable masquerading and MSS clamping.
  • Covered networks select tailscale.
  • Allow forward to destination zones: LAN  (WAN if you decide to use it as an exit node).
  • Allow forward from source zones: LAN

Save and apply.

Restart firewall and tailscale:

  • /etc/init.d/firewall restart
  • /etc/init.d/tailscale restart

Please, let me know if this helped.

Kind Regards,

Andzej

Best answer
by anonymous

Hi Andzej,
first of all, thanks for replay.

I am unable to create interface like you described, because there is missing the custom intercae option, respectively it is grayed out and I can not choose it (as in the picture):

But as mentioned before, in the CLI if I execute the commnd "ifconfig" the "tailscale0" interface is present:

I was able to change the firewall as follows (at your advice):


After this changes, when I start tailscale with the command "tailscale up --advertise-routes=192.168.4.0/24" on the RUTX11, I am able to ping or also to connect to the tailscale devices (100.x.x.x)  on the tailscale network from the Client-NB (see the picture in my first post - IP: 192.168.4.113) , however, if I run the command "tailscale up --advertise-routes=192.168.4.0/24 --exit-node=100.93.155.21 --exit-node-allow-lan-access=true" so basicaly use the synology as exit not for the 192.168.4.0/24 subnet, I can not ping any internet site (DNS works), tailscale network and lokal networks are reachable.

I will make some more tests.

Best Regards, Juraj.

by anonymous
Hi,

Have you configured your exit node to allow internet access for your subnet?

You should still be able to enter interface name into '--custom--' even if it is grayed out. Could you please try that?

Kind Regards,

Andzej
by anonymous

Hi Andzej,
it turns out to be true, that it is possible to enter the interface name into  '--custom--' even if it is grayed out.

I have configured my exit node to allow internet access for the subnet. As can be seen here:

I have now realized, why the exit-node is not working on the Synology device - for the devices in the subnet-network:
On Linux devices, you have to start the tailscale with the flag --accept-routes:

sudo tailscale up --accept-routes

Otherwise, on linux devices, the route will not be discovered, es written here.

BUT as written here, Tailscale on Synology currently can do --advertise-routes but not --accept-routes.

After running Tailscale on Raspberry Pi on the 10.0.0.0/24 network (as in picture in my first post) and propagating exit-node and accepting routes with:

tailscale up --advertise-exit-node --accept-routes

Everything works as expected, I am able to use the Raspberry Pi as an exit-node also form the subnet behind the RUTX11.
Running tailscale on RUTX11 with:

tailscale up --advertise-routes=192.168.4.0/24 --exit-node=raspberrypi --exit-node-allow-lan-access=true

I very much appreciate your help.

Best regards,
Juraj.