Tailscale VPN install: why must I stop and remove the mwan3 package? GL-MT1300

Is there a way I can configure the network or firewall settings on my Gl.inet device (GL-MT1300) so that Tailscale will work gracefully with mwan3?

I’ve successfully enabled Tailscale (1.18.2) on my gl.inet device by installing the Tailscale package on an SD card (loosely following the guide here: Running Tailscale on a Mango* Router - 🄱🄸🅃🅂🄽🄱🄾🄱🅂 Blog).

One thing bugs me, however. I’ve had to stop and remove the mwan3 package in order to be able to ping other Tailscale hosts or to route to remote subnets via the Tailscale interface.

Why must I remove mwan3? I would prefer to keep that package (if possible) so the gl.inet device can gracefully failover from one WAN connection to another (e.g. from WAN to tethering to wifi, etc).

Besides the details in the guide (linked above) I’ve added the following lines to /etc/config/network:

config interface ‘tailscale’
option proto ‘none’
option ifname ‘tailscale0’

I’ve added the following lines to /etc/config/firewall:

config zone ‘vpn_zone’
option name ‘tailscale’
option input ‘ACCEPT’
option forward ‘REJECT’
option output ‘ACCEPT’
option device ‘tailscale0’
option masq ‘1’
option mtu_fix ‘1’

config forwarding
option dest ‘tailscale’
option src ‘lan’

config forwarding
option dest ‘lan’
option src ‘tailscale’

And finally I had to remove mwan3: mwan3 stop && opkg remove mwan3 --force-depends
To re-iterate: Is there a way I can configure the network or firewall settings on my Gl.inet device (GL-MT1300) so that Tailscale will work gracefully with mwan3? Any ideas are appreciated.

If you do not remove mwan3, Tailscale cannot connect or you do not have Internet?

Can you give more details?

Internet always works.
Setup tailscale without disabling and removing mwan3: no ping to tailscale host or network.
Remove mwan3: can ping tailscale host and network.
See the following:

root@GL-MT1300:~# ping google
PING google.com (142.250.113.139): 56 data bytes
64 bytes from 142.250.113.139: seq=0 ttl=105 time=42.625 ms
64 bytes from 142.250.113.139: seq=1 ttl=105 time=41.989 ms
64 bytes from 142.250.113.139: seq=2 ttl=105 time=27.670 ms
^C
google.com ping statistics —
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 27.670/37.428/42.625 ms

root@GL-MT1300:~# tailscale version
1.18.2
tailscale commit: cc23fba40ac7ec4b60fe2210999a2f20101e0c7c
other commit: e21a681f4a9ffdef994234e4c3d857e8dc3bbb19
go version: go1.17.2-ts7037d3ea51

root@GL-MT1300:~# tailscale ping 100.125.5.11
pong from (100.125.5.11) via :41641 in 169ms

root@GL-MT1300:~# ping 100.125.5.11
PING 100.125.5.11 (100.125.5.11): 56 data bytes
^C
— 100.125.5.11 ping statistics —
24 packets transmitted, 0 packets received, 100% packet loss

root@GL-MT1300:~# ping 192.168.10.200
PING 192.168.10.200 (192.168.10.200): 56 data bytes
^C
— 192.168.10.200 ping statistics —
29 packets transmitted, 0 packets received, 100% packet loss

root@GL-MT1300:~# mwan3 stop && opkg remove mwan3 --force-depends
Removing package mwan3 from root…

reboot here

root@GL-MT1300:~# ping 100.125.5.11
PING 100.125.5.11 (100.125.5.11): 56 data bytes
64 bytes from 100.125.5.11: seq=0 ttl=128 time=761.909 ms
64 bytes from 100.125.5.11: seq=1 ttl=128 time=81.799 ms
64 bytes from 100.125.5.11: seq=2 ttl=128 time=90.931 ms
64 bytes from 100.125.5.11: seq=3 ttl=128 time=81.920 ms
^C
— 100.125.5.11 ping statistics —
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 81.799/254.139/761.909 ms

root@GL-MT1300:~# ping 192.168.10.200
PING 192.168.10.200 (192.168.10.200): 56 data bytes
64 bytes from 192.168.10.200: seq=0 ttl=63 time=224.051 ms
64 bytes from 192.168.10.200: seq=1 ttl=63 time=288.800 ms
64 bytes from 192.168.10.200: seq=2 ttl=63 time=258.725 ms
64 bytes from 192.168.10.200: seq=3 ttl=63 time=308.566 ms
64 bytes from 192.168.10.200: seq=4 ttl=63 time=251.003 ms
^C
— 192.168.10.200 ping statistics —
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 224.051/266.229/308.566 ms

There’s a conflict in the policy routing rules.

Here’s a script to build the latest version on Linux (requires git and go to be installed):

#!/bin/bash
set -uo pipefail
trap 's=$?; echo ": Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
IFS=$'\n\t'


function build_dist {
    echo Build: tailscale-${VERSION}_$1
    env GOOS=linux GOARCH=$1 ./build_dist.sh tailscale.com/cmd/tailscale  && mv tailscale{,-${VERSION}_$1}
    echo Build: tailscaled-${VERSION}_$1
    env GOOS=linux GOARCH=$1 ./build_dist.sh tailscale.com/cmd/tailscaled && mv tailscaled{,-${VERSION}_$1}
}

cd ~/code/tailscale
CURRENT_TAG="$(git describe --tags)"
git fetch --tags || true
REV="$(git rev-list --tags --max-count=1)"
LATEST_TAG="$(git describe --tags $REV)"
if [ "$CURRENT_TAG" != "$LATEST_TAG" ]; then
    git reset --hard
    git checkout "$LATEST_TAG"
    # patch policy routing rule priorities
    grep -lrP '\b52[1357]0\b' . \
        | xargs -n1 sed -Ei 's/\b52([1357])0\b/13\10/g'
fi
export VERSION=$(cat VERSION.txt)
build_dist amd64
build_dist arm
build_dist arm64
export GOMIPS=softfloat
build_dist mips

For the GL-MT1300, I believe you’ll want the mips version.

Here’s a patched one I compiled:

Hmmmmm ask and you shall receive - h/t ryanc!
My architecture is mipsle but it was an easy edit.
Here’s my compiled version for DL for mipsle architecture: tailscale-1.18.2_mipsle_gl.inet.zip - Google Drive
Ping is high (300ms compared to 80ms) but it now works with mwan3 enabled.
Can you share what the specific issue was? Have you submitted an issue to the Tailscale project?

For those who wish to compile themselves:
apt install git
snap install go --classic
mkdir /root/code
cd /root/code
git clone GitHub - tailscale/tailscale: The easiest, most secure way to use WireGuard and 2FA.
./mipsle.sh (script as follows):

#!/bin/bash
set -uo pipefail
trap 's=$?; echo ": Error on line "$LINENO": $BASH_COMMAND"; exit $s' ERR
IFS=$'\n\t'

function build_dist {
    echo Build: tailscale-${VERSION}_$1
    env GOOS=linux GOARCH=$1 ./build_dist.sh tailscale.com/cmd/tailscale  && mv tailscale{,-${VERSION}_$1}
    echo Build: tailscaled-${VERSION}_$1
    env GOOS=linux GOARCH=$1 ./build_dist.sh tailscale.com/cmd/tailscaled && mv tailscaled{,-${VERSION}_$1}
}

cd ~/code/tailscale
CURRENT_TAG="$(git describe --tags)"
git fetch --tags || true
REV="$(git rev-list --tags --max-count=1)"
LATEST_TAG="$(git describe --tags $REV)"
if [ "$CURRENT_TAG" != "$LATEST_TAG" ]; then
    git reset --hard
    git checkout "$LATEST_TAG"
    # patch policy routing rule priorities
    grep -lrP '\b52[1357]0\b' . \
        | xargs -n1 sed -Ei 's/\b52([1357])0\b/13\10/g'
fi
export VERSION=$(cat VERSION.txt)
build_dist amd64
build_dist arm
build_dist arm64
export GOMIPS=softfloat
build_dist mipsle
1 Like

2021.01.04 update: Ping is back down to normal and things work perfectly with above patched binaries.
@ryanc submitted a github issue with the tailscale project here: Compat issue: GL.iNet/mwan3 · Issue #3659 · tailscale/tailscale · GitHub

1 Like

Hi Strider
Is it possible for you to explain the steps you took to install Tailscale on the Mango router. Do you just replace the 2 directories, but follow BitsnBobs guide elsewhere?

I’m happy to report that as of Tailscale version 1.32.0 this issue is now solved and we no longer need patched binaries.

Here are my complete notes:

Install SD card

cat /etc/openwrt_release

opkg update
opkg install gdisk e2fsprogs kmod-fs-ext4 curl ca-bundle kmod-tun kmod-usb-storage kmod-usb-storage-uas usbutils block-mount

blkid
block detect | uci import fstab
uci set fstab.@mount[-1].enabled=‘1’
uci commit fstab
uci show fstab
reboot

Note, the storage will sometimes be mmcblk0 or sda1

#mkdir -p /mnt/mmcblk0/opt/tailscale/state
mkdir -p /mnt/sda1/opt/tailscale/state
#ln -s /mnt/mmcblk0/opt/ /opt
ln -s /mnt/sda1/opt/ /opt

copy binaries and folders from package downloaded off tailscale to /opt/tailscale

chmod +x /opt/tailscale/tailscale and tailscaled

ln -s /opt/tailscale/tailscale /usr/sbin/tailscale
ln -s /opt/tailscale/tailscaled /usr/sbin/tailscaled
vim /etc/init.d/tailscale

paste the following script:

#!/bin/sh /etc/rc.common

Copyright 2020 Google LLC.

SPDX-License-Identifier: Apache-2.0

/bin/sleep 30
USE_PROCD=1
START=80

start_service() {
local state_file
local port
local std_err std_out

config_load tailscale
config_get_bool std_out “settings” log_stdout 1
config_get_bool std_err “settings” log_stderr 1
config_get port “settings” port 41641
config_get state_file “settings” state_file /opt/tailscale/state/tailscaled.state

/usr/sbin/tailscaled --cleanup

procd_open_instance
procd_set_param command /usr/sbin/tailscaled

Set the port to listen on for incoming VPN packets.

Remote nodes will automatically be informed about the new port number,

but you might want to configure this in order to set external firewall

settings.

procd_append_param command --port “$port”

OpenWRT /var is a symlink to /tmp, so write persistent state elsewhere.

procd_append_param command --state “$state_file”

procd_set_param respawn
procd_set_param stdout “$std_out”
procd_set_param stderr “$std_err”

procd_close_instance
}

stop_service() {
/usr/sbin/tailscaled --cleanup
}

end paste

chmod +x /etc/init.d/tailscale

vim /etc/config/tailscale

paste the following:

config settings ‘settings’
option log_stderr ‘1’
option log_stdout ‘1’
option port ‘41641’
option state_file ‘/opt/tailscale/state/tailscaled.state’

end paste

vi /etc/config/network

config interface ‘tailscale’
option proto ‘none’
option ifname ‘tailscale0’

vi /etc/config/firewall

config zone ‘vpn_zone’
option name ‘tailscale’
option input ‘ACCEPT’
option forward ‘REJECT’
option output ‘ACCEPT’
option device ‘tailscale0’
option masq ‘1’
option mtu_fix ‘1’

config forwarding
option dest ‘tailscale’
option src ‘lan’

config forwarding
option dest ‘lan’
option src ‘tailscale’

cd /etc/init.d
service tailscale start
tailscale up --advertise-routes=192.168.8.0/24 --accept-routes

check things work

service tailscale enable
/etc/init.d/firewall restart
reboot

Also for WAN access to SSH and HTTP:

/etc/config/firewall:

config rule
option dest_port ‘22’
option src ‘wan’
option name ‘AllowSSH’
option target ‘ACCEPT’
list proto ‘tcp’

config rule
option dest_port ‘80’
option src ‘wan’
option name ‘AllowHTTP’
option target ‘ACCEPT’
list proto ‘tcp’

Upgrade tailscale binaries:

backup old state folders and binaries

upload new ones

chmod +x

reboot

If this is done after a system upgrade, then you need to rebuild scripts and services

2 Likes

Thanks
I have got tailscale installed on my MT300N router and it appears on my tailscale admin panel
Another question…if I attempt to route all my router traffic using an exit node, I use the command
tailscale up --exit-node=
However, the router hangs when I enter this command and I have to factory reset it.
Any idea why?
I would like to use the router/tailscale combination as a full tunnel VPN. So any device I connect the router has all the traffic directed to an exit node.