Tailscale and "Block Non-VPN Traffic"

From what I’ve gathered, the “Block Non-VPN Traffic” option does not work with Tailscale; is this correct? When I enable the option I lose all connectivity, so I presume this is the case. So, is there currently a way to create a kill switch for Tailscale, either through the shell or LuCI? Or is there an expected upcoming release that will have this feature? I’m running the latest snapshot, 4.3.2, on a Slate Plus and also had the same behavior on stable 4.2.1. Thank you.

Yes, this option is not available for Tailscale.
We have no plans for this feature yet, and Tailscale has many higher-priority issues to resolve.
After those issues are solved, we will consider it.

Thank you. Do you know of any way to manually set this up via LuCI or the shell? It’s absolutely critical for me that the VPN not leak, and having bought this router, which is Tailscale compatible, I assumed it was capable of doing so out of the box.

1 Like

I am not an expert on Tailscale, but isn’t Tailscale designed to transcend things like VPNs and other NAT and security layers to connect your devices together? Why would anyone want to block Tailscale from doing what it was created to do? I am just curious.

For reference only as a temporary solution.
This script checks whether Tailscale is running and disables the internet when it is disconnected.

#!/bin/sh
# Tailscale address of this router (busybox ifconfig prints "inet addr:100.x.y.z")
ip=`ifconfig tailscale0 2>/dev/null | awk '/inet /{print $2}' | awk -F : '{print $2}'`
# Entries in tailscale status for that address that are marked offline
offline=`tailscale status 2>/dev/null | grep "$ip" | grep offline`
# Test the variable, not the literal string "status" (which is always non-empty);
# having no tailscale0 address at all also counts as disconnected
if [ -z "$ip" ] || [ -n "$offline" ]; then
	ubus call network.interface.wan down > /dev/null
fi

After Tailscale is restored, you can bring the network back up by running ubus call network.interface.wan up, or from LuCI.

You can upload this script to your router and call it from LuCI’s crontab page as a scheduled task,
or add a loop to keep it running:

#!/bin/sh
while true
do
	sleep 10
	ip=`ifconfig tailscale0 2>/dev/null | awk '/inet /{print $2}' | awk -F : '{print $2}'`
	offline=`tailscale status 2>/dev/null | grep "$ip" | grep offline`
	# Test the variable, not the literal string "status" (always non-empty)
	if [ -z "$ip" ] || [ -n "$offline" ]; then
		ubus call network.interface.wan down > /dev/null
	fi
done
2 Likes
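A more robust version of the kill switch, added here as an example and not the script from the post above (nor GL.iNet or Tailscale code): it reads tailscale status --json so that "is the exit node online" comes from the ExitNode and Online fields of the peer list instead of grepping the plain-text output for the word "offline", and it fails closed when no exit node is selected or the CLI itself fails. Assumed, and not from the thread: the pretty-printed one-key-per-line layout of that JSON with each peer object starting with an "ID" key, the function names, and the constructed sample status embedded in the script.

```shell
#!/bin/sh
# Added example for this thread, not the script from the post above and not
# GL.iNet or Tailscale code. It polls `tailscale status --json` and fails
# closed: WAN is taken down whenever no exit node is selected, the selected
# exit node is not online, or the tailscale CLI fails.
# Assumptions (labelled): tailscaled emits pretty-printed JSON with one key
# per line and every peer object starts with an "ID" key, and
# `ubus call network.interface.wan down` is the desired kill-switch action.

# exit_node_state: read `tailscale status --json` on stdin, print one of
#   online  - the peer marked "ExitNode": true reports "Online": true
#   offline - a peer is marked as the exit node but is not online
#   none    - no peer is selected as exit node (or input is empty/invalid)
exit_node_state() {
    awk '
        /^[[:space:]]*"ID":/       { online = ""; exit_node = "" }   # new peer object
        /^[[:space:]]*"Online":/   { online = $2;    sub(/,$/, "", online) }
        /^[[:space:]]*"ExitNode":/ { exit_node = $2; sub(/,$/, "", exit_node) }
        {
            # decide as soon as both keys of the current object have been seen
            if (exit_node == "true" && online != "" && result == "")
                result = (online == "true") ? "online" : "offline"
        }
        END { print (result == "" ? "none" : result) }
    '
}

# wan_action: map a state to a decision; printed rather than executed so the
# logic can be checked without touching the network.
wan_action() {
    case "$1" in
        online) echo keep ;;
        *)      echo down ;;   # offline or none: fail closed
    esac
}

# apply_action: only "down" touches the network. Bringing WAN back up once the
# exit node returns is left to the operator (ubus call network.interface.wan up).
apply_action() {
    if [ "$1" = down ]; then
        ubus call network.interface.wan down >/dev/null 2>&1 || true
    fi
}

# watch: poll every N seconds (default 10). A poll loop still leaves a window
# of up to one interval in which traffic can leak; polling cannot close it.
watch() {
    interval=${1:-10}
    while :; do
        state=$({ tailscale status --json 2>/dev/null || echo '{}'; } | exit_node_state)
        apply_action "$(wan_action "$state")"
        sleep "$interval"
    done
}

# Constructed sample (not real tailscaled output): the selected exit node is offline.
SAMPLE_STATUS='{
  "Self": {
    "ID": "1",
    "HostName": "slate-plus",
    "Online": true,
    "ExitNode": false
  },
  "Peer": {
    "nodekey:aaaa": {
      "ID": "2",
      "HostName": "laptop",
      "Online": true,
      "ExitNode": false
    },
    "nodekey:bbbb": {
      "ID": "3",
      "HostName": "home-exit",
      "Online": false,
      "ExitNode": true
    }
  }
}'

# demo: evaluate the constructed sample and print its state.
demo() {
    printf '%s\n' "$SAMPLE_STATUS" | exit_node_state
}

case "${1:-}" in
    --watch) watch "${2:-10}" ;;
    --demo)  echo "state=$(demo) action=$(wan_action "$(demo)")" ;;
esac
```

Run it as killswitch.sh --watch 5 from an init script on the router, or killswitch.sh --demo on any machine to see the decision for the embedded sample (state=offline, action=down). Like the original script it only ever brings WAN down; restoring it stays a manual step.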

Is there anything that we can do in the gl device firewall?

Thank you, but does this not leave room for IP leaks between the point in time the exit node goes down and the next run of this script? As you know, a major use case for GL.iNet routers is working remotely, so this would be problematic.

How is the “Block Non-VPN Traffic” feature currently implemented for WireGuard?

For the OpenVPN and WireGuard clients:

“Block Non-VPN Traffic” is a set of firewall rules:

# disable lan wan forward
config rule 'safe_mode_lan'
	option name 'safe_mode_lan'
	option proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'DROP'
	option enabled '1'

# disable guest wan forward
config rule 'safe_mode_guest'
	option name 'safe_mode_guest'
	option proto 'all'
	option src 'guest'
	option dest 'wan'
	option target 'DROP'
	option enabled '1'

# mark DNS traffic; unlike lan-to-wan forward traffic this is INPUT traffic
config rule 'safe_mode_mark'
	option name 'safe_mode_mark'
	option src '*'
	option device 'br-+'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option target 'MARK'
	option enabled '1'

# save mark to connection 
config rule 'safe_mode_mark_save'
	option name 'safe_mode_mark_save'
	option src '*'
	option device 'br-+'
	option dest_port '53'
	option set_xmark '0x20000/0x20000'
	option extra '-j CONNMARK --save-mark --nfmask 0x20000 --ctmask 0x20000'
	option target 'MARK'
	option enabled '1'

# drop upstream DNS queries generated by the dnsmasq daemon.
config rule 'safe_mode_mark_drop'
	option name 'safe_mode_mark_drop'
	option dest 'wan'
	option dest_port '53'
	option mark '0x20000/0x20000'
	option target 'DROP'
	option enabled '1'

All of these rules cover wan traffic but not the tailscale interface.
The first two rules are for general forward traffic; the following three are for port-53 DNS query traffic.

Now the case for tailscale:

When Tailscale is used as an exit node, the routing rules ensure that tailscale0 is the default route,
which guarantees that general forward traffic is protected even while the exit node is offline.
However, the DNS query traffic is not protected.

We should set dnsmasq’s upstream to 100.100.100.100 to prevent leaks.
The previous script does not help with DNS leak prevention.

The workaround should be to set the custom DNS to 100.100.100.100.

I’m using flint2 firmware 4.5.5.
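An audit for the DNS side of this, added as an example here (not GL.iNet or Tailscale code): it classifies dnsmasq's configured upstream resolvers and reports any that would leave via wan, and can apply the 100.100.100.100 setting from the shell. Assumptions, not stated in the thread: the custom DNS servers are stored in the standard OpenWrt list dhcp.@dnsmasq[0].server; dnsmasq also reads the resolvers handed out on the WAN side unless dhcp.@dnsmasq[0].noresolv is 1; 100.100.100.100 only answers when Tailscale's DNS features are enabled on this node; and other 100.64.0.0/10 addresses are tailnet peers reached only over tailscale0, so a query to them can fail but cannot leak. The server list used by the demo is constructed.

```shell
#!/bin/sh
# Added example, not GL.iNet or Tailscale code: audit dnsmasq's configured
# upstream resolvers for the DNS leak described in the thread.
# Assumptions (labelled): custom DNS servers end up in the OpenWrt list
# dhcp.@dnsmasq[0].server; dnsmasq also uses WAN-supplied resolvers unless
# dhcp.@dnsmasq[0].noresolv is 1; 100.100.100.100 is Tailscale's MagicDNS
# resolver on this node; any other 100.64.0.0/10 address is a tailnet peer
# that is reached only over tailscale0.

# classify_server IP: print magicdns | tailnet | leak
classify_server() {
    ip=$1
    [ "$ip" = 100.100.100.100 ] && { echo magicdns; return 0; }
    o1=${ip%%.*}; rest=${ip#*.}; o2=${rest%%.*}
    case "$o1.$o2" in
        # 100.64.0.0/10 spans 100.64.x.x .. 100.127.x.x
        100.6[4-9]|100.[7-9][0-9]|100.1[01][0-9]|100.12[0-7]) echo tailnet ;;
        *) echo leak ;;
    esac
}

# audit_upstreams NORESOLV: read one server per line on stdin. NORESOLV is
# the value of dhcp.@dnsmasq[0].noresolv; unless it is 1, dnsmasq also uses
# the resolvers the WAN DHCP/PPP session handed out, which bypass the tunnel.
# Prints "ok" or "leak: ..." and returns 1 when anything would leak.
audit_upstreams() {
    noresolv=${1:-0}
    leaks=""
    [ "$noresolv" = 1 ] || leaks=" wan-resolv.conf"
    while read -r s; do
        [ -z "$s" ] && continue
        [ "$(classify_server "$s")" = leak ] && leaks="$leaks $s"
    done
    if [ -n "$leaks" ]; then
        echo "leak:$leaks"
        return 1
    fi
    echo ok
}

# apply_fix: point dnsmasq at MagicDNS only and stop it reading WAN-supplied
# resolvers. This executes uci, so only run it on the router (--apply).
apply_fix() {
    uci -q delete dhcp.@dnsmasq[0].server
    uci add_list dhcp.@dnsmasq[0].server='100.100.100.100'
    uci set dhcp.@dnsmasq[0].noresolv='1'
    uci commit dhcp
    /etc/init.d/dnsmasq restart
}

# Constructed sample (not read from a real router): one safe, one leaking entry.
SAMPLE_SERVERS='100.100.100.100
8.8.8.8'

# demo: audit the constructed sample with noresolv=1.
demo() {
    printf '%s\n' "$SAMPLE_SERVERS" | audit_upstreams 1
}

case "${1:-}" in
    # uci prints list values space-separated; turn them into one per line
    --check) uci -q get dhcp.@dnsmasq[0].server | tr ' ' '\n' \
             | audit_upstreams "$(uci -q get dhcp.@dnsmasq[0].noresolv)" ;;
    --apply) apply_fix ;;
    --demo)  demo ;;
esac
```

dnsaudit.sh --check on the router prints ok or a leak: line naming each offending resolver (and wan-resolv.conf when noresolv is off); --demo shows the same logic on the embedded sample (leak: 8.8.8.8). Note that the audit only covers what dnsmasq is told to use; whether 100.100.100.100 actually answers still depends on Tailscale's DNS being enabled on the node.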

Thank you for that.

So you are saying that using “Block Non-VPN Traffic” will prevent leaks if we also simply set the custom DNS under “DNS Server Settings” to 100.100.100.100? Is this the MagicDNS resolver? If so, then I guess we would need to enable that on the Tailscale side too.

Also, I was wondering whether this is needed if we have “Override local DNS” enabled in Tailscale. In my experience, this setting forces DNS queries to go through the Tailscale tunnel and resolve on the other side using the DNS IP specified.

By default, clients of your network will use their local DNS settings for all queries. To force clients to always use nameservers you define, you can enable the “Override local DNS” toggle.
DNS in Tailscale · Tailscale Docs

There is also a client-side option, so I guess you can do it on a client-by-client basis. I usually have both enabled anyway.

I think for Linux it is this flag:
tailscale up --accept-dns=true

Curious what your thoughts on this is @hansome. Thanks!

100.100.100.100 is reserved for CG-NAT.
So it’s just “invalid” - you could enter 127.0.0.1 as well, I would say.

Here is where I got the info from:

Tailscale’s MagicDNS when enabled sets up 100.100.100.100 as a local DNS server that you can use to do reverse lookups.

OK, then this is some special Tailscale thing.

Yes, in my test, I didn’t touch any settings on tailscale admin console.