I have a Brume 2 (FW 4.5) and have enabled AdGuard + Tailscale. I’m not using any other VPN (WireGuard is off). I’ve set up subnet routing and I can reach any device in my network when I’m connected to the Tailscale network. This works.
I’m now trying to use the AdGuard DNS when connected to Tailscale, but for some reason this does not work. To keep it simple I disabled MagicDNS in Tailscale, and just added my Brume/AdGuard Tailscale IP as global nameserver like below.
The Brume has a Tailscale IP address of 100.x.x.75.
Whatever I try, after setting custom nameservers in Tailscale, 100.100.100.100 is acting as the main DNS (this could be because it falls back to 100.100.100.100 because my nameserver is not working?):
❯ scutil --dns
DNS configuration
resolver #1
search domain[0] : internal.home.net
nameserver[0] : 100.100.100.100
if_index : 19 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100200
The DNS ports are not blocked:
❯ nc -v -z 100.xx.xx.75 53
Connection to 100.xx.xx.75 port 53 [tcp/domain] succeeded!
❯ nc -v -z 100.xx.xx.75 3053
Connection to 100.xx.xx.75 port 3053 [tcp/dsom-server] succeeded!
But when trying to use the DNS with dig it fails:
❯ dig @100.xx.xx.75 www.google.com
; <<>> DiG 9.10.6 <<>> @100.xx.xx.75 www.google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Is there anything I’m missing? There is some documentation on getting it to work with Pi-hole and Unbound, but I can’t seem to find anything on how to get it working with AdGuard/GL.iNet/OpenWrt.
There’s this guide that suggests adding --accept-dns=false, and I tried this as well by ssh’ing into my Brume and running tailscale up --accept-dns=false + default params, but it doesn’t seem to make a change.
Anyone who could point me in the right direction? It would be great to 1) resolve my internal hostnames and 2) have ad blocking when connected to the Tailscale VPN.
Hey, I have the exact same issue with my Synology NAS running AdGuard well in my local net but being unable to make it work with Tailscale. Everything else Tailscale-wise works perfectly. Did you find a solution?
If you enable the Tailscale custom domain (DNS), the traffic of the router will go through to the Tailscale server from port 53, and never back to the ADG (to port 3053). It seems these two functions conflict.
Testing routers: MT6000 and MT3000, Firmware: v4.7.0 and v4.6.9
It seems it is possible to fulfill your request.
Long story short, you just need to add a port forwarding rule to redirect DNS queries arriving on the tailscale0 interface's port 53 to localhost's port 3053, where AdGuard Home is listening.
Here are the specific steps for reference:
1. Enable Tailscale in the GL interface, and ensure that the router is successfully bound to your Tailscale account.
2. Go to the Tailscale Admin Console --> DNS --> Global nameservers, and choose Custom. Enter the Tailscale virtual IP address of the router running AdGuard Home (it should be 100.X.Y.Z) and enable Override local DNS (optional).
At the moment, you can notice that all DNS queries from devices in your Tailnet are being sent to this router's 53 port. However, AdGuard Home is listening on port 3053. Therefore, we need to configure a rule to redirect these DNS queries to the local host's 3053 port.
3. Go to the LuCI interface and add a new interface.
Set the Protocol to "Unmanaged" and the Device to tailscale0.
Note: You might currently observe that Tailscale is rebooting itself, resulting in a repeated "up" and "down" cycle.
To address this, please click "Stop" when this button is available. This will allow Tailscale to have a break to reconnect and create the tailscale0 device, and then make this interface work again.
Perfect solution! I had some issues with the New Interface Save&Apply confirming (it would timeout). Rebooted the router to start fresh, disabled Tailscale's "Allow Remote Access LAN" setting in GL UI, and tried again to great success, after which I re-enabled the LAN access with that toggle.
Not sure if that was my block for the configuration not applying in LuCI, but works now!
Mon Feb 17 03:27:59 2025 user.notice firewall: Reloading firewall due to ifup of TAILSCALE (tailscale0)
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Network device 'tailscale0' link is down
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity loss
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is disabled
Mon Feb 17 03:27:59 2025 user.notice firewall: Reloading firewall due to ifdown of TAILSCALE ()
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is enabled
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Network device 'tailscale0' link is up
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is setting up now
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:27:59 2025 user.notice firewall: Reloading firewall due to ifup of TAILSCALE (tailscale0)
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Network device 'tailscale0' link is down
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity loss
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is disabled
Mon Feb 17 03:28:00 2025 user.notice firewall: Reloading firewall due to ifdown of TAILSCALE ()
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is enabled
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Network device 'tailscale0' link is up
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is setting up now
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:28:00 2025 user.notice firewall: Reloading firewall due to ifup of TAILSCALE (tailscale0)
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Network device 'tailscale0' link is down
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity loss
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is disabled
Mon Feb 17 03:28:01 2025 user.notice firewall: Reloading firewall due to ifdown of TAILSCALE ()
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is enabled
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Network device 'tailscale0' link is up
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is setting up now
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:28:01 2025 user.notice firewall: Reloading firewall due to ifup of TAILSCALE (tailscale0)
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Network device 'tailscale0' link is down
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity loss
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:28:01 2025 daemon.notice netifd: Interface 'TAILSCALE' is disabled
Mon Feb 17 03:28:02 2025 user.notice firewall: Reloading firewall due to ifdown of TAILSCALE ()
Mon Feb 17 03:28:02 2025 daemon.notice netifd: Interface 'TAILSCALE' is enabled
Mon Feb 17 03:28:02 2025 daemon.notice netifd: Network device 'tailscale0' link is up
Mon Feb 17 03:28:02 2025 daemon.notice netifd: Interface 'TAILSCALE' has link connectivity
Mon Feb 17 03:28:02 2025 daemon.notice netifd: Interface 'TAILSCALE' is setting up now
Mon Feb 17 03:28:02 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
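A quick way to confirm the up/down loop described in the post above from the router's own `logread` output, as an added example that is not from the thread or from GL.iNet. The sample log lines are constructed in the same format as OpenWrt's logread output (they are not the log posted above); the interface name `TAILSCALE` and the threshold of two down events within one second are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: detect a netifd interface flap loop in logread output.
# Run on the router as:  logread | is_flapping TAILSCALE && echo "loop detected"

# Constructed sample in OpenWrt logread format (not the thread's log).
sample_log() {
    cat <<'EOF'
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:27:59 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'TAILSCALE' is now up
Mon Feb 17 03:28:00 2025 daemon.notice netifd: Interface 'wan' is now down
Mon Feb 17 03:28:05 2025 daemon.notice netifd: Interface 'TAILSCALE' is now down
EOF
}

# count_downs IFACE < log : total "is now down" events for one interface.
count_downs() {
    grep -c "netifd: Interface '$1' is now down" || true
}

# max_downs_per_second IFACE < log : highest number of down events that share
# one timestamp (fields 1-5 of a logread line: weekday month day time year).
# A healthy interface goes down at most once per second; a loop shows many.
max_downs_per_second() {
    awk -v ifc="$1" '
        index($0, "netifd: Interface \047" ifc "\047 is now down") {
            key = $1 " " $2 " " $3 " " $4 " " $5
            n[key]++
            if (n[key] > max) max = n[key]
        }
        END { print max + 0 }'
}

# is_flapping IFACE [THRESHOLD] < log : exit 0 when any single second saw at
# least THRESHOLD (assumed default 2) down events for IFACE, else exit 1.
is_flapping() {
    m=$(max_downs_per_second "$1")
    [ "$m" -ge "${2:-2}" ]
}
```

On a router that is looping as in the log above, the worst second typically shows several down events; a single down event in a second is normal after Save & Apply.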
Same thing happened to me.
Not sure why - but it started looping after working fine for quite some time. Tried to flash preview firmware on my Flint 2 hoping maybe it'll be fixed there - for some reason the AdGuard Home page at port 3000 went completely missing and I lost my internet access. Tried reading logs, something about missing iptables preventing it from launching.
Tried a few things, failed, had to reset the router, losing all my settings. Clean setup, reading this guide again, did everything - it went looping when I stopped the Tailscale interface and restarted it afterwards. Updated Tailscale to the latest version - same thing. But if I just stop and don't restart - everything works just fine.
I was restarting it for no reason, managed to bork my router, had to wipe it - just to find out that if that interface starts looping - I just have to stop it and not touch it. Didn't sleep the whole night because I didn't just press "stop"...
Going to comment on this to (hopefully) save someone else the headache…
I have been trying to get a 2 router setup going (Flint 2 home router, Beryl AX travel router) via Tailscale to route all of my travel router traffic through the Flint 2. I had AdGuard running on the home router, as well as my DNS settings. Then I set up Tailscale to use my home router as an exit node for my travel router - but network wasn’t working on the travel router.
I updated my tailscale to the latest version by ssh’ing into the routers, and applied the port forwarding rule on an existing zone, tailscale0, that was there already for me (so I didn’t need to create the new interface etc). Solved the problem. Thank you!!
Hey, I had to sign up to thank you for this. I used johnz's post to set this up a while back, and it worked perfectly fine for ages. I then (stupidly) decided it would be a good idea to update the Flint 2 firmware. Damn. Bad idea. All hell broke loose. Got most things sorted in the end but couldn’t get the DNS via Tailscale routed to AdGuard. Realised Tailscale was constantly trying to connect and failing. Then noticed the interface in LuCI was on a loop as well. After reading your comment, I deleted the interface and used the zone/device that was already there - tailscale0. Finally it all worked! Thank you.
Are either of you two able to provide more guidance on how you got that tailscale0 device to show up directly in the port forwarding rules? I've got a Flint 2 on 4.7.7 and it doesn't show up automatically AND, like you guys, when I manually create that interface and link it to the tailscale0 device, the router goes crazy.
Any advice would be amazing.
Edit: it seems that 4.8.2 is when that tailscale0 option no longer is manually required. I needed to update. All Good!!! Everything is working as expected.
I didn’t create any interfaces - I had a network device (Network → Interfaces → Devices) called tailscale0 by default. I used that for the forwarding rule (Incoming IPv4, From tailscale0, To this device, port 53, Forward to lan port 3053).
And just saw your edit - so looks like you solved it
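The same port-forwarding rule as described in the numbered steps earlier in the thread and in the LuCI form above (Incoming IPv4, from the Tailscale zone, port 53, forward to port 3053 on the router itself), expressed as `uci` commands so it can be applied from an ssh session and kept in version control. This is an added example, not code from the thread or from GL.iNet. Assumptions: the firewall zone that covers the `tailscale0` device is named `tailscale` (check with `uci show firewall | grep tailscale0` and override `TS_ZONE` if yours differs), AdGuard Home listens on port 3053 as the thread reports, and the router runs fw4 (OpenWrt 22.03 or later, which the LuCI version quoted in this thread is). The rule is deliberately scoped to the Tailscale source zone only, so it does not turn the router into an open resolver on the WAN side.

```shell
#!/bin/sh
# Added example: redirect DNS queries arriving on the Tailscale zone's port 53
# to AdGuard Home on port 3053 of the router itself (no dest_ip means fw4
# emits "redirect to :3053", i.e. the router's own address, not a LAN host).
# Usage on the router:  sh dns_redirect.sh apply   then   sh dns_redirect.sh check

TS_ZONE="${TS_ZONE:-tailscale}"   # assumed zone name covering tailscale0
ADG_PORT="${ADG_PORT:-3053}"      # AdGuard Home listen port from the thread

# Print the uci batch that creates the redirect; nothing is changed until
# apply_dns_redirect pipes it into uci and commits.
gen_dns_redirect() {
    cat <<EOF
add firewall redirect
set firewall.@redirect[-1].name='Tailscale DNS to AdGuard Home'
set firewall.@redirect[-1].target='DNAT'
set firewall.@redirect[-1].src='$TS_ZONE'
set firewall.@redirect[-1].proto='tcp udp'
set firewall.@redirect[-1].src_dport='53'
set firewall.@redirect[-1].dest='lan'
set firewall.@redirect[-1].dest_port='$ADG_PORT'
set firewall.@redirect[-1].enabled='1'
EOF
}

# Apply the batch, persist it, and reload the firewall (router only).
apply_dns_redirect() {
    gen_dns_redirect | uci batch && uci commit firewall && /etc/init.d/firewall restart
}

# Confirm fw4 installed a port-53 rule in the zone's dstnat chain (router only).
# From a Tailscale peer, the end-to-end check is:  dig @100.X.Y.Z example.com
check_rule() {
    nft list chain inet fw4 "dstnat_$TS_ZONE" 2>/dev/null | grep -q 'dport 53'
}

case "${1:-}" in
    apply) apply_dns_redirect ;;
    check) check_rule && echo "redirect present in dstnat_$TS_ZONE" ;;
esac
```

If the rule is applied but `dig` from a peer still times out, verify that AdGuard Home is bound to all interfaces (or at least the router's Tailscale address) on port 3053, since the redirect only changes the destination port, not which address the service listens on.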
I also have a network device tailscale0 in (Network > Interfaces > Devices) but couldn’t select tailscale0 in the Firewall > Port Forwards in the source zone field.
Unfortunately, if I add Tailscale as an interface, it goes into a loop of doom and I can’t stop it.
My LuCI firmware is: OpenWrt 23.05-SNAPSHOT / LuCI Master git-25.232.45327-e242d56
Flint 3 firmware is: Version 4.8.1
Thanks for the quick reply and link to the firmware Bruce. I’ll look to try it out when the network is not being used. It was good to read the patch notes of the beta and snapshot - is there also a list of known issues with these versions?
If there are bugs, users will report them on the forum.
Currently no major bugs have been reported or are known; you can try it on your personal router.