Feature Request: Tailscale "VPN Policy"

VPN Policy based on the Client Device is a fantastic feature that allows certain devices to send traffic through either Wireguard or OpenVPN, while keeping all other devices off VPN.

For those who are under CG-NAT, adding Tailscale as an option to the VPN Client dashboard would be great, as an exit node can be chosen to channel all traffic via TS.

Tailscale is already an option. It's underneath its own Tailscale option in the GUI. There is also the option "Allow Remote Access LAN" which will do what you are describing.

Can it discriminate what devices go through Tailscale and what goes through regular WAN? For example, I want two devices filtered by MAC to use the Tailscale exit node only, like what's done using VPN Policy Based on Client Device.

Tailscale is not a standard VPN server; it cannot edit route tables or mark traffic.
This kind of feature is not supported.


Hello, may I ask you the usage scenario of this requirement?
Which devices need this under what circumstances?

Hi Lun, very similar to the current VPN Policy based on the Client Device setting currently available.

Let's say I have an OTT box provided by my Cable TV/internet company which provides IPTV. It will only work at home (within the ISP's IP range). In other words, if I take it out of the house, or abroad, it won't work.

If the ISP provides a public IP, this is easy: set up a "Per Device Policy", filter by MAC, and set up a WireGuard VPN only for a list of devices. This can be done with GL.iNet already, and it works just fine. (Provided, of course, that there's a VPN server at home.)

However, if/when the provider switches their customers to CG-NAT, WireGuard will no longer work.
Enter Tailscale. I can set up a GL.iNet gateway/router as a Tailscale exit node in the GUI, but on the other end, I would need to route all traffic from those devices only to the Tailscale exit node.

This is transparent to the OTT, since it will look as connected to a local ISP, much like how it works now.

This setting can be added as another option on the VPN Dashboard screen, just under WireGuard and OpenVPN, if feasible. Understandably there are challenges routing with ACLs or routing tables since Tailscale is not a standard VPN service. Until every ISP adopts IPv6, CG-NAT is a reality for many.
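The per-device steering asked for above can be built by hand on an OpenWrt-based router today, without waiting for a GUI option. The script below is an added example, not GL.iNet firmware code and not anything the thread participants posted. It assumes (my assumptions, not facts from the thread) that tailscaled is already running with an exit node selected, so its Linux policy-routing table 52 contains the exit node's default route via tailscale0; that the LAN bridge is br-lan; that nft and ip are available (OpenWrt 22.03 or later); and that fwmark 0x100 is not used by any other policy-routing tool on the box. The two MAC addresses at the bottom are made up.

```shell
#!/bin/sh
# Added example (not GL.iNet firmware code): send only the listed LAN MACs through
# a Tailscale exit node on an OpenWrt-style router; every other device stays on WAN.
#
# Assumptions (mine, not from the thread): tailscaled is up with an exit node
# selected, so table 52 holds "default dev tailscale0"; the LAN bridge is br-lan;
# nft and ip exist; fwmark 0x100 is free. IPv4 only; IPv6 would need "ip -6 rule".

MARK=0x100        # our fwmark; does not overlap Tailscale's own 0x80000/0xff0000 mask
TS_TABLE=52       # the routing table tailscaled populates on Linux (assumed)
TS_IF=tailscale0
LAN_IF=br-lan

# nftables ruleset: mark packets from the selected MACs in prerouting (before the
# routing decision), persist the mark in conntrack so the rest of the flow inherits
# it, and SNAT to the tailscale0 address. The SNAT matters: the exit node's peer
# entry for this router only allows the router's own Tailscale IP as a source, so
# packets with a 192.168.x.x source would be dropped by WireGuard's cryptokey check.
render_nft() {
  printf 'table inet tspolicy {\n'
  printf '  chain prerouting {\n'
  printf '    type filter hook prerouting priority mangle; policy accept;\n'
  printf '    meta mark set ct mark\n'
  printf '    meta mark != 0 return\n'
  for mac in "$@"; do
    printf '    iifname "%s" ether saddr %s meta mark set %s ct mark set mark\n' \
      "$LAN_IF" "$mac" "$MARK"
  done
  printf '  }\n'
  printf '  chain postrouting {\n'
  printf '    type nat hook postrouting priority srcnat; policy accept;\n'
  printf '    oifname "%s" masquerade\n' "$TS_IF"
  printf '  }\n'
  printf '}\n'
}

# ip rules. Marked flows consult table 52 first and pick up the exit node's default
# route. Unmarked traffic still needs table 52's routes to Tailscale peers but must
# not see its default route, which "suppress_prefixlength 0" hides; it then falls
# through to main (the WAN default) before tailscaled's own "lookup 52" rule at 5270.
render_ip_rules() {
  printf 'ip rule add fwmark %s lookup %s priority 5100\n' "$MARK" "$TS_TABLE"
  printf 'ip rule add lookup %s suppress_prefixlength 0 priority 5260\n' "$TS_TABLE"
  printf 'ip rule add lookup main priority 5265\n'
}

# Only touch the live system when APPLY=1; the default is a dry run that prints
# what would be installed, so the script can be reviewed before use.
apply_policy() {
  if [ "${APPLY:-0}" = "1" ]; then
    render_nft "$@" | nft -f -
    render_ip_rules | sh
    ip route flush cache
  else
    render_nft "$@"
    render_ip_rules
  fi
}

# Constructed sample input: two OTT boxes identified by made-up MAC addresses.
apply_policy 02:00:5e:00:53:01 02:00:5e:00:53:02
```

Two caveats a practitioner should check before relying on this: the OpenWrt firewall must allow forwarding from the lan zone to the zone containing tailscale0, or the marked packets are dropped before they reach the tunnel; and tailscaled rewrites its own ip rules when it restarts, so the three rules above belong in a hotplug or init script rather than a one-off shell session. The forwarded replies work because a rule whose table has no matching route simply falls through to the next rule, so a reply marked 0x100 finds no LAN route in table 52 and lands in main.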

Thank you for your detailed explanation — I believe I now understand your request.

You’re looking to have GL.iNet’s VPN Policy Routing support routing traffic from specific client devices through a Tailscale Exit Node, allowing an OTT box (or similar device) to appear as if it’s still connected to the home network, even when used remotely. This would provide a seamless “at home” experience and bypass CG-NAT limitations that prevent the use of traditional VPN servers like WireGuard.

Your use case is very clear, and we see the value in such a feature, especially as more ISPs adopt CG-NAT. We’ll discuss this internally to assess the feasibility of per-device routing support for Tailscale Exit Nodes in the future.

Thanks again for your thoughtful feedback!
