I’ve been playing with Tailscale on a GL-AR300M (NAND) and a GL-MT2500.
Standard OpenWrt/LuCI with the packages pulled down from the public repos has been the best result for me. I don’t see the GL.iNet web UI as a useful thing. LuCI and ssh/command line are better options. I configure Tailscale on the command line and the firewall in LuCI.
I have been running the Tailscale 1.36.0 versions on:
shadow: OpenWrt 22.03.3, r20028-43d71ad93e
brume2: OpenWrt 21.02-SNAPSHOT, r15812+873-46b6ee7ffc. (beta2)
Welcome to the forum. I am sure that a lot of users here, including myself, would greatly disagree with your statement of “I don’t see the GL.iNet web UI as a useful thing”. It has been incredibly useful for someone like myself who does not wish to use LuCI or command lines.
I think early iterations of the GLI UX did provide a good bit of value add, especially for less technically inclined users. I don’t necessarily have a problem with many of the “features” that have been added in recent releases, but unfortunately some of the choices that have been made in their implementation break basic functionality for other packages in the OS (including Tailscale, ironically). To me, that is where the GL.iNet UX transitions from a minor value add to a substantial negative. I get that I’m in a minority with that view, but the stock firmware build actually hinders me from using the device as I would like to.
Some feedback from my side: I want the physical switch to be able to toggle the Tailscale exit node tunnel. It’s my primary VPN, so it would be very useful for me if I could flick the switch and then all traffic goes over my selected Tailscale exit node.
(Not related to Tailscale, but turning DNS-over-TLS/HTTPS (NextDNS) on/off with the switch would also be very useful for dealing with captive portals, then re-enabling DNS-over-HTTPS after authentication succeeded.)
Latest snapshot, having the same issue that was reported here: the router is able to ping and connect to devices within the tailnet, but devices connected to the router aren’t able to do so.
Can you go into more detail on what settings you used to get Tailscale working in general? I added a new unmanaged interface in LuCI and assigned it to the tailscale interface, and added firewall rules to allow traffic to/from lan/wan.
I also tried adding static routes to cover the entire 100.x.x.x address space and route it over the tailscale device, but my clients are still not able to get a connection going. It just ends up timing out.
Actually just managed to get it working (like it usually is after posting publicly about being stuck :p)
What I did:
In LuCI, go to Interfaces and add a new unmanaged interface. Name: tailscale. Firewall settings: create a new zone “tailscale”. Interface: tailscale0.
In the firewall settings, add new zone forwardings for tailscale → lan, tailscale → wan, lan → tailscale.
In the firewall settings, go to NAT Rules and add a new NAT rule: Protocol: any, Outbound zone: any, Source/Destination: any, Action: masquerade. Go to “Advanced Settings” and set “Outbound device” to the tailscale0 interface.
Rebooted the router, and now all my clients are able to communicate with devices within the tailnet.
While it’s working now, these steps shouldn’t be necessary at all if Tailscale is considered to be first-party supported. It should set up those firewall routes automatically, similar to how OpenVPN is handled, when these checkboxes are set:
Last one: I managed to get MagicDNS working on my clients as well.
The trick is to set DNS forwarding for your tailscale domain xxx.ts.net to the Tailscale DNS server (100.100.100.100).
In LuCI: Network → DHCP and DNS → add a forwarding record like '/mytsdomain.ts.net/100.100.100.100'.
Honestly, this is pretty great. I can access my entire tailnet just by having the router connected. There are some security implications of using the router as a gateway into the tailnet (ACLs, etc.), but it is still very cool. Makes me wish the UniFi UDM I’m using as my primary router had similar functionality.
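For anyone who would rather script this than click through LuCI, here is the same setup (the unmanaged "tailscale" interface on tailscale0, the "tailscale" zone with its three forwardings, the masquerade rule for traffic leaving via tailscale0, and the dnsmasq forward for the tailnet domain) expressed as UCI commands. This is an added example, not code from the thread or from GL.iNet; the zone's own input/output/forward policies are an assumption (the posts above leave them at whatever LuCI defaults to), and the NAT rule name `masq-out-tailscale0` is made up for the example. The script only executes the commands when `uci` is actually present, so it can be read and dry-run on any POSIX shell.

```shell
#!/bin/sh
# Added example: UCI equivalents of the LuCI steps in the posts above.
# Not GL.iNet's or Tailscale's code. Zone policies and the NAT rule name
# are assumptions chosen for the example.

# Print the uci commands for a given tailscale device and tailnet DNS domain.
# Defaults mirror the thread: device tailscale0, domain mytsdomain.ts.net.
tailscale_uci_commands() {
    dev="${1:-tailscale0}"
    domain="${2:-mytsdomain.ts.net}"
    cat <<EOF
uci set network.tailscale=interface
uci set network.tailscale.proto='none'
uci set network.tailscale.device='${dev}'
uci add firewall zone
uci set firewall.@zone[-1].name='tailscale'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
uci add_list firewall.@zone[-1].network='tailscale'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='tailscale'
uci set firewall.@forwarding[-1].dest='lan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='tailscale'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='tailscale'
uci add firewall nat
uci set firewall.@nat[-1].name='masq-out-${dev}'
uci set firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].src='*'
uci set firewall.@nat[-1].device='${dev}'
uci set firewall.@nat[-1].target='MASQUERADE'
uci add_list dhcp.@dnsmasq[0].server='/${domain}/100.100.100.100'
uci commit network
uci commit firewall
uci commit dhcp
EOF
}

# Sanity check used before applying: the post describes exactly three
# zone forwardings (tailscale->lan, tailscale->wan, lan->tailscale).
count_forwardings() {
    tailscale_uci_commands "$@" | grep -c '^uci add firewall forwarding$'
}

# On an OpenWrt box run the commands and reload the affected services;
# anywhere else just print what would be run (dry run).
apply_tailscale_uci() {
    if command -v uci >/dev/null 2>&1; then
        tailscale_uci_commands "$@" | sh -e
        /etc/init.d/network reload
        /etc/init.d/firewall restart
        /etc/init.d/dnsmasq restart
    else
        tailscale_uci_commands "$@"
    fi
}

# Usage: apply_tailscale_uci tailscale0 mytsdomain.ts.net
```

Two things worth deciding consciously before applying it: the tailscale → lan forwarding is what lets every tailnet peer that your Tailscale ACLs allow to reach the router also reach every host behind it, so the ACLs are doing the real access control, and the masquerade rule means tailnet peers see the router's own tailnet address as the source of LAN-originated traffic rather than the 192.168.8.x client. The zone input policy here is REJECT on the assumption that you do not need to reach the router itself (LuCI, ssh) from the tailnet; set it to ACCEPT if you do.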
What sort of magic is in the included 1.32.2-dev version of Tailscale that is not in the mainline Tailscale repo?
I am able to get the 1.32.2-dev version to work using an exit node on a new Beryl AX, but if I pop in 1.36.x nothing can get out of the router. Tailscale stops connecting and no traffic passes through.
I am familiar with the mwan3 and firewall rule 52 type stuff, but I’m not finding the current issue that makes Tailscale work fine other than when using an exit node.
With the above settings, the client (subnet: 192.168.8.0/24) could not connect to the Tailscale device (subnet: 100.64.0.0/10), and the Tailscale device also could not connect to 100.96.63.18.
But I finally resolved the problem with a CLI command like the one below.
sudo tailscale up --advertise-routes=192.168.8.0/24 --accept-routes
I found that this CLI command is needed if IPv6 is set to NAT.
With IPv6 Native, Passthrough, or IPv6 disabled, the above GUI settings may work properly.
Hi @FountainHospital, thanks for this tutorial. This is exactly what I’m looking to do instead of setting up Tailscale on each client.
I am struggling with your setup though. Do you think you could help me? I followed the interface and firewall setup exactly as you described, but here’s what I get when everything is done:
ping /t 100.77.178.119
Pinging 100.77.178.119 with 32 bytes of data (ping from a client connected to the router running Tailscale):
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
...
Request timed out.
Request timed out.
Request timed out.
Reply from 100.77.178.119: bytes=32 time=210ms TTL=63
Reply from 100.77.178.119: bytes=32 time=38ms TTL=63
Reply from 100.77.178.119: bytes=32 time=40ms TTL=63
Request timed out.
Request timed out.
My Tailscale SSH sessions connect, and on the first keypress they disconnect. Looks like some settings fight with each other. Also, I cannot access advertised routes from other nodes.
I can provide logs/screenshots if necessary.
P.S. I am using Beryl AX MT-3000 FW v4.2.1
Did some more testing. Enabled one of the Tailscale exit nodes. The router itself reports the exit node IP, but a client connected to the router reports the router’s WAN IP. Before setting up these firewall rules, when I enabled an exit node all traffic stopped and clients did not get internet. Not good…
Tried disabling mwan3: no change. Reverting back.
My main goal is not to access the router via WAN or LAN, but to access my tailnet via the router from devices connected to it
Sorry, I’m not fully sure. I just checked my setup and it’s mostly what I wrote in my previous 2 posts, of course with Tailscale turned on in the normal GL.iNet router settings. Then I added DNS forwarding for my tailscale domain.
DNS forwarding is a bit wonky, and sometimes my .ts.net domain works, sometimes it doesn’t. But direct IP so far has been working for me.
I’m not using the exit-node stuff currently, but I’ll see if I have some time later to poke around with it.
@jdub I tried disabling mwan3; this led to no changes…
I read in one of the threads here that the tailscale process keeps restarting, and this is what I experience as well. Even going back to the GL.iNet GUI I can see Tailscale Connecting (yellow) … Connected (green) … Connecting … Connected.
I think when the next firmware arrives I’ll try to wipe all Tailscale leftovers and try again.
When trying to manually add firewall rules via a Tailscale interface, something causes a tailscale down/tailscale up loop.
This is my experience now. I like the idea of not touching the GL.iNet UI (until they work on it) and doing it all in LuCI/SSH. I will try it in the next few days.
From what I’ve gathered so far, --advertise-routes 192.168.8.1 is necessary not only for inbound (from tailnet to router) but also for outbound: clients → router with TS → tailnet.
Disabling mwan3 is critical for the exit node functionality, which I am currently not too concerned about, but it would be nice to have working.
Oh… Yeah, I also edited the service file to delete the line they added that does the service start/restart based on the GUI. Essentially it “works” if you remove all the GL.iNet stuff.