Tailscale: No internet after enabling custom exit node

I’m able to enable tailscale on my travel (AXT1800, fw: 4.5.16) router and on my home Linux server (tailscale up --advertise-exit-node).

Router settings: (screenshot)

Tailscale settings: (screenshot)

I’ve tried enabling routes for both 192.168.8.0/24 and 172.20.0.0/16.

In both cases after enabling custom exit node and enabling subnet routing, wifi is still connected but internet is made unavailable.

root@GL-AXT1800:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr   
          inet addr:192.168.8.1  Bcast:192.168.8.255  Mask:255.255.255.0
          inet6 addr: /60 Scope:Global
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:178508 errors:0 dropped:0 overruns:0 frame:0
          TX packets:221331 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:197236131 (188.0 MiB)  TX bytes:2676058898 (2.4 GiB)

br-lan-ifb Link encap:Ethernet  HWaddr   
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:177548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:177548 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32 
          RX bytes:199652428 (190.4 MiB)  TX bytes:199652428 (190.4 MiB)

eth0      Link encap:Ethernet  HWaddr 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0x1000 

eth0-ifb  Link encap:Ethernet  HWaddr 
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr 
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0x1200 

eth2      Link encap:Ethernet  HWaddr  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0x1400 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2303 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2303 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:230848 (225.4 KiB)  TX bytes:230848 (225.4 KiB)

tailscale0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:100.100.1.2  P-t-P:100.100.1.2  Mask:255.255.255.255
          inet6 addr:/128 Scope:Global
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:0 (0.0 B)  TX bytes:3500 (3.4 KiB)

wlan-sta0 Link encap:Ethernet  HWaddr  
          inet addr:172.20.6.150  Bcast:172.20.255.255  Mask:255.255.0.0
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:95099 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142322 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:4096 
          RX bytes:87672777 (83.6 MiB)  TX bytes:181889459 (173.4 MiB)

wlan0-1   Link encap:Ethernet  HWaddr   
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:140197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90660 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:4096 
          RX bytes:181599753 (173.1 MiB)  TX bytes:88921932 (84.8 MiB)

wlan1     Link encap:Ethernet  HWaddr   
          inet6 addr: /64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2658 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:4096 
          RX bytes:0 (0.0 B)  TX bytes:320730 (313.2 KiB)

Sans hardware addr/inet6 except for tailscale which uses 00-00-00…

root@GL-AXT1800:~# tailscale status
100.100.1.2     gl-ax1800            tailscale@      linux   -
100.100.1.1     ts-exitnode          tailscale@      linux   active; exit node; direct 172.20.6.203:41641, tx 402804 rx 415308
root@GL-AXT1800:~# ip rule
0:      from all lookup local
48:     from all to 172.20.0.0/16 lookup main
49:     from all to 192.168.8.0/24 lookup main
50:     from all to 100.100.100.100 lookup 52
1099:   from all fwmark 0x80000/0xc0000 lookup main
1100:   from all lookup main suppress_prefixlength 0
1101:   not from all fwmark 0x8000/0xc000 lookup 8000
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5269:   from all fwmark 0x80000/0x80000 lookup main
5270:   from all lookup 52
32766:  from all lookup main
32767:  from all lookup default
root@GL-AXT1800:~# ip route show table 55
root@GL-AXT1800:~# ip route
default via 172.20.1.1 dev wlan-sta0 proto static src 172.20.6.150 metric 20 
100.64.0.0/10 dev tailscale0 scope link 
172.20.0.0/16 dev wlan-sta0 proto static scope link metric 20 
192.168.8.0/24 dev br-lan proto kernel scope link src 192.168.8.1 
root@GL-AXT1800:~# 

This output is after enabling custom exit node and enabling both subnets on tailscale admin, 172… and 192…
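The `ip rule` listing above is what decides whether a packet leaves directly via wlan-sta0 or is handed to table 52, the policy-routing table Tailscale populates on Linux (which is why the `ip route show table 55` query came back empty). The script below is an added example, not code from the thread, GL.iNet or Tailscale: it replays those rules and the posted main table the way the kernel walks them; the local table and the contents of table 52 are assumed, since the thread never printed them.

```python
# Added example, not code from the thread, GL.iNet or Tailscale: replay the router's posted ip rule / ip route output.
import ipaddress
import re
IP_RULE = """\
0:      from all lookup local
48:     from all to 172.20.0.0/16 lookup main
49:     from all to 192.168.8.0/24 lookup main
50:     from all to 100.100.100.100 lookup 52
1099:   from all fwmark 0x80000/0xc0000 lookup main
1100:   from all lookup main suppress_prefixlength 0
1101:   not from all fwmark 0x8000/0xc000 lookup 8000
5210:   from all fwmark 0x80000/0xff0000 lookup main
5230:   from all fwmark 0x80000/0xff0000 lookup default
5250:   from all fwmark 0x80000/0xff0000 unreachable
5269:   from all fwmark 0x80000/0x80000 lookup main
5270:   from all lookup 52
32766:  from all lookup main
32767:  from all lookup default"""
# Tables as "prefix rest". main is the thread's `ip route`; local and 52 (Tailscale's own table,
# never printed in the thread) are ASSUMED, with 52 holding the exit node's default route.
TABLES = {"local": ["127.0.0.0/8", "192.168.8.1/32", "172.20.6.150/32", "100.100.1.2/32"],
          "main": ["0.0.0.0/0 via 172.20.1.1 dev wlan-sta0", "100.64.0.0/10 dev tailscale0",
                   "172.20.0.0/16 dev wlan-sta0", "192.168.8.0/24 dev br-lan"],
          "52": ["0.0.0.0/0 dev tailscale0"]}
RULE_RE = re.compile(r"(?P<prio>\d+):\s+(?P<neg>not )?from \S+(?: to (?P<dst>\S+))?"
                     r"(?: fwmark (?P<mark>0x[0-9a-f]+)(?:/(?P<mask>0x[0-9a-f]+))?)?\s+"
                     r"(?:lookup (?P<table>\S+)|(?P<action>unreachable))(?: suppress_prefixlength (?P<supp>\d+))?")

def parse_rules(text):
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]
def rule_matches(rule, dst, mark):
    ok = not rule["dst"] or dst in ipaddress.ip_network(rule["dst"])
    if rule["mark"]:  # an omitted mask means every bit of the mark must match
        ok = ok and (mark & int(rule["mask"] or "0xffffffff", 16)) == int(rule["mark"], 16)
    return not ok if rule["neg"] else ok  # "not" inverts the whole selector
def lookup(table, dst):  # longest-prefix match inside one table -> (prefixlen, route) or None
    nets = [(ipaddress.ip_network(r.split()[0]), r) for r in TABLES.get(table, [])]
    hits = [(n.prefixlen, r) for n, r in nets if dst in n]
    return max(hits) if hits else None
def route_for(dst, mark=0):  # walk the rules by priority -> (rule prio, table or action, route)
    dst = ipaddress.ip_address(dst)
    for rule in parse_rules(IP_RULE):
        if rule_matches(rule, dst, mark):
            if rule["action"]:
                return int(rule["prio"]), rule["action"], None
            hit = lookup(rule["table"], dst)
            # suppress_prefixlength N ignores a hit no more specific than /N (here: the default route)
            if hit and (rule["supp"] is None or hit[0] > int(rule["supp"])):
                return int(rule["prio"]), rule["table"], hit[1]
    return None
```

With mark 0 an Internet-bound packet falls through rule 1100 (its only main-table match is the suppressed default route) down to rule 5270 and table 52, while Tailscale's own WireGuard packets, marked 0x80000, are caught by rule 1099 and leave via wlan-sta0.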

hi,
Please try to add the “--accept-routes” option to the command.
tailscale up --advertise-exit-node --accept-routes

Sorry, yes I had tried this.

I ended up reinstalling Ubuntu 22.04 and reinstalling Tailscale on that server w/ IPv4 forwarding and IPv6 forwarding enabled.
I was finally able to get the AXT1800 router to use the server as the exit node.

The issue I’m having now is, when I set the router to use the custom exit node, I’m unable to access some websites.

Google.com works, netflix.com doesn’t, twitter works, ubuntu.com doesn’t.
I don’t know if it’s okay to assume I’m having DNS issues or not.
I think not since I’m able to resolve the domains, but I just can’t load the sites.

raz@Ubuntu-WSL2:~$ dig google.com

; <<>> DiG 9.16.48-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59844
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             183     IN      A       142.250.189.142

;; Query time: 20 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 15 22:06:11 EDT 2024
;; MSG SIZE  rcvd: 55

raz@Ubuntu-WSL2:~$ dig netflix.com

; <<>> DiG 9.16.48-Ubuntu <<>> netflix.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39332
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;netflix.com.                   IN      A

;; ANSWER SECTION:
netflix.com.            60      IN      A       3.230.129.93
netflix.com.            60      IN      A       52.3.144.142
netflix.com.            60      IN      A       54.237.226.164

;; Query time: 40 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 15 22:06:17 EDT 2024
;; MSG SIZE  rcvd: 88

raz@Ubuntu-WSL2:~$ ping google.com
PING google.com (172.217.2.206) 56(84) bytes of data.
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=1 ttl=55 time=32.0 ms
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=2 ttl=55 time=105 ms
^[[A64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=3 ttl=55 time=23.2 ms
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=4 ttl=55 time=42.6 ms
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=5 ttl=55 time=24.5 ms
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=6 ttl=55 time=51.3 ms
64 bytes from iad23s23-in-f206.1e100.net (172.217.2.206): icmp_seq=7 ttl=55 time=23.5 ms
^C
--- google.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6010ms
rtt min/avg/max/mdev = 23.182/43.130/104.790/27.053 ms
  • I’ve tried flushing my DNS cache.
  • Disabling and re-enabling the exit node.
  • Overriding local DNS with 1.1.1.1.
  • Disabling MagicDNS.

It looks like there is something wrong with the network of the device that is running as exit node. Could you load netflix and ubuntu on exit node?

Yeah I ended up pasting the wrong info, only showing you that I’m able to ping google 😅😅… here’s the whole ordeal…

My setup:
Exit Node (Exit1): Linux machine set up as the exit node for my Tailscale VPN.
WSL2 on Windows Laptop: Configured to use Tailscale with Exit1 as its custom exit node, connecting through the AXT1800 travel router.

Issue: When connected via Tailscale to the exit node (Exit1), accessing Netflix results in SSL/TLS handshake failures from my WSL2 environment, while other connections, like Google, are successful.

Observations:

  • Direct from Exit1: SSL/TLS connections to both Google and Netflix are successful, completing without issue.
  • From WSL2 via Exit1: SSL/TLS connections to Google complete successfully; however, connections to Netflix hang at the SSL handshake phase.

With custom exit node enabled this command hangs on my machine.
From WSL2 w/ exit1 custom exit node enabled.

openssl s_client -connect netflix.com:443 -servername netflix.com
CONNECTED(00000003)
^C
raz@Ubuntu-WSL2:~$ openssl s_client -connect google.com:443 -servername google.com
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1

This curl command hangs right at SSL / TLS handshake, also from wsl2 (behind router w/ exit1 exit node enabled)

curl -vL --http1.1 https://netflix.com
*   Trying 54.160.93.182:443...
* TCP_NODELAY set
* Connected to netflix.com (54.160.93.182) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

Now if we run the commands directly on exit1, it’s able to complete the handshake.

raz@exit1:~$ openssl s_client -connect google.com:443 -servername google.com
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1

raz@exit1:~$ openssl s_client -connect netflix.com:443 -servername netflix.com
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Secure Site ECC CA-1
verify return:1
depth=0 C = US, ST = California, L = Los Gatos, O = "Netflix, Inc.", CN = www.netflix.com
verify return:1

So really this causes issues w/ accessing some sites and also my bandwidth and jitter/latency is bad when I enable the custom exit node on the router.

Yes, so directly on the exit node - I’m able to access Netflix etc.
Directly from AXT1800 - I’m also able to access netflix.com directly…

But when the exit node is active and I’m on my laptop connected to the travel router, no can do.


(screenshot)

Curl works on router.
(screenshot)

Then we have the side-by-side WSL vs exit node (screenshot).

I’m not sure what commands to run, but if you could please let me know what target, direct from exit1, from wsl2 (behind tailscale travel router) or directly from the router I can do that.

And yeah curl also works directly from router.

Thanks for looking into this!

Did you enable Tailscale on WSL2, too? Could you turn off and try again? And have you enabled any other features like AdGuard Home or parental control or VPN policy on AXT1800?