How to advertise the router's WAN parent subnet/route to Tailscale?

Dear Users,

The current GL router GUI supports "Allow Remote Access WAN" and "Allow Remote Access LAN". We believe these two options already cater to the needs of the vast majority of our users.

When these options are enabled (and the subnets are approved in the Tailscale cloud console), the GL router advertises its WAN and LAN subnets to the tailnet. Devices bound to the same tailnet then receive these routes, which enables remote access to devices/clients on the WAN and LAN of the GL router.

SCENARIO:

Some users have pointed out that the GL router's WAN connection may be behind multiple layers of NAT. In other words, the WAN's parent network (upstream network) might consist of several network layers (multiple different subnets).

WHY:

In this case, if the GL router only advertises the WAN subnet ("Allow Remote Access WAN"), other devices in the tailnet will be unable to access the router's WAN parent network. This is because the router hasn't advertised the WAN parent subnets, and therefore tailnet devices are unaware of these routes.

In a multi-layered NAT environment, the GL router cannot automatically and accurately determine the WAN parent network/subnets. To have the GL router advertise these parent network routes, manual configuration is required.

PREREQUISITE:

As for how to find the WAN parent network information: if you are the network administrator, you will already know it. If you are not, you can consult the network administrator or maintenance personnel. Alternatively, you can run traceroute 8.8.8.8 in the router's SSH session to see the hops, but this method may not be entirely accurate because of the potential presence of multiple network layers or interface traffic-splitting rules, and it cannot tell you the subnet mask.
Consulting the administrator or maintenance personnel is the most reliable approach.

GUIDE-A:

Once you have obtained the WAN parent subnet information, you can configure Tailscale as follows to make the GL router advertise these routes to the tailnet:

  1. Log in to the GL GUI and toggle off Tailscale.

  2. Log in to the router over SSH (see "SSH log in to the Router" in the GL.iNet Router Docs).

  3. Edit Tailscale’s startup script:
    vi /usr/bin/gl_tailscale

  4. Navigate down to line 226 (the line number may not be exact due to potential firmware updates, but it should be approximately there).
    Move the cursor to the position immediately after $param on this line.
    Press the i key to enter edit mode.
    Manually insert a comma (,) after $param, and then enter the WAN parent subnets.
    For instance: ,192.168.25.0/24,192.168.99.0/24,172.16.2.0/24.
    Be sure to note the space before --timeout 3s.

Example:

timeout 10 /usr/sbin/tailscale up --reset --accept-routes $param,192.168.25.0/24,192.168.99.0/24,172.16.2.0/24 --timeout 3s --accept-dns=false > /dev/null

Save and exit: press Esc on the keyboard, type :wq and press Enter.

  5. Log in to the GL GUI, re-enable Tailscale, and enable the options "Allow Remote Access WAN" and "Allow Remote Access LAN".

  6. Open the Tailscale cloud console, find your GL router, and click "Edit routes settings". You can see that it has reported the WAN parent subnets you manually added.
    After all are approved, the tailnet will announce these routes.


Note:

  • This configuration requires basic knowledge of Linux/OpenWRT and familiarity with SSH operations. It is recommended to back up your current router configuration before performing this modification.
  • The modified Tailscale script persists across router restarts, and is lost only when you upgrade the router firmware or reset the firmware.
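
An added example, not part of GL.iNet's script or of this guide: a small shell check you can run in the router's SSH session to validate the WAN parent subnets before pasting them after $param in step 4. The function names valid_cidr and route_suffix are hypothetical, and refusing /0 is a choice made for this example.

```shell
#!/bin/sh
# Added example; valid_cidr and route_suffix are hypothetical helper names.
# Assumes the shell has 64-bit arithmetic.

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 network address.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    case "$len" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    # Policy choice of this example: /0 (a default route) is refused.
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    IFS=.; set -- $addr; unset IFS      # split the address into octets
    [ $# -eq 4 ] || return 1
    ip=0
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros
        [ "$o" -le 255 ] || return 1
        ip=$(( ip * 256 + o ))
    done
    # Host bits must be zero: 192.168.25.1/24 is a host, not a subnet.
    [ $(( ip & ((1 << (32 - len)) - 1) )) -eq 0 ]
}

# route_suffix CIDR...: print ",cidr1,cidr2" ready to paste after $param.
route_suffix() {
    out=
    for c in "$@"; do
        valid_cidr "$c" || { echo "rejected: $c" >&2; return 1; }
        case "$out," in *",$c,"*) continue ;; esac   # skip duplicates
        out="$out,$c"
    done
    [ -n "$out" ] && printf '%s\n' "$out"
}

# Sample subnets taken from the guide's example line.
route_suffix 192.168.25.0/24 192.168.99.0/24 172.16.2.0/24
```

The suffix is printed only if every entry is a well-formed, network-aligned IPv4 subnet; otherwise the rejected entry is named on stderr and nothing is printed.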

GUIDE-B:

  1. Log in to the GL GUI and toggle off Tailscale.

  2. Connect to the GL router with WinSCP (see "Use WinSCP to modify files" in the GL.iNet Router Docs).

  3. Go to the path /usr/bin and find gl_tailscale.

  4. Right-click gl_tailscale and click "edit"

  5. In the editor window, manually add ,192.168.25.0/24,192.168.99.0/24,172.16.2.0/24 after $param.

  6. Save and close WinSCP.

  7. Log in to the GL GUI, re-enable Tailscale, and enable the options "Allow Remote Access WAN" and "Allow Remote Access LAN".

  8. Open the Tailscale cloud console, find your GL router, and click "Edit routes settings". You can see that it has reported the WAN parent subnets you manually added.
    After all are approved, the tailnet will announce these routes.