I just recently upgraded my router's firmware to the latest version, 4.5.0.
I am using both Tailscale and the VPN (WG Client) feature of my router.
I would use the VPN feature of my router with a Proton VPN WireGuard configuration, and this would route all my traffic going out to the internet via that VPN.
And then I would use Tailscale on the router itself and configure it as the exit node via the CLI. I have 2 phones which will then have the Tailscale client and use my router as an exit node.
At first, before I upgraded to 4.5, Tailscale would use the router's public WAN IP (not the VPN IP) for the clients to connect to.
root@OpenWrt:/usr/bin# tailscale netcheck
Report:
* UDP: true
* IPv4: yes, 112.224.252.34:58740 <<<<< PUBLIC NON VPN IP
* IPv6: no, but OS has support
* MappingVariesByDestIP: false
* HairPinning: false
* PortMapping:
* CaptivePortal: false
* Nearest DERP: Hong Kong
* DERP latency:
And the router will then egress the traffic out via the VPN. Basically, with this configuration the latency is lower.
But now at version 4.5, Tailscale always uses my VPN IP for the other devices to connect to.
root@OpenWrt:~# tailscale netcheck
Report:
* UDP: true
* IPv4: yes, 103.195.255.23:58882 <<<<< VPN IP
* IPv6: no, but OS has support
* MappingVariesByDestIP: true
* HairPinning: false
* PortMapping:
* CaptivePortal: false
* Nearest DERP: Tokyo
* DERP latency:
The traffic is going IN and OUT through the VPN, causing very high latency.
Also I have noticed that when I turn off the VPN feature and turn on Tailscale by itself, my client devices cannot use the exit node via the non-VPN public WAN IP.
My client devices will have broken internet, as if they cannot find the router as the exit node.
I might be wrong, but I guess this is because of trying to solve the IP leak problem. Since local services on the router could cause an IP leak, all of them are included in using the VPN since firmware version 4.5.
It would be possible to modify the scripts so tailscaled would be run as a user within the group nonevpn, but OpenWrt does not natively support running services as different users, so here someone must modify the existing scripts to build a wrapper for it.
Tailscale using the router's public WAN IP (not the VPN IP) will be more reasonable.
We accidentally introduced this issue.
I've seen a case where the s2s network overlays on an OpenVPN client.
That's a similar situation to what we're facing.
The workaround to make Tailscale traffic (port 41641 etc.) go through the non-VPN interface is to insert an IP rule; use the following commands:
uci set network.policy_default_rt_vpn_ts=rule
uci set network.policy_default_rt_vpn_ts.lookup='main'
uci set network.policy_default_rt_vpn_ts.priority='1099'
uci set network.policy_default_rt_vpn_ts.mark='0x80000/0xc0000'
uci set network.policy_default_rt_vpn_ts.invert='0'
uci commit network
/etc/init.d/network reload
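Two offline checks for the workaround above, written as an added example (not the thread's or GL.iNet's code): one confirms that the policy rule with the parameters from the post (priority 1099, fwmark 0x80000/0xc0000, lookup main) is present in an `ip rule show` listing, the other classifies which public address a `tailscale netcheck` report advertises, using the WAN and VPN addresses shown in the reports earlier in the thread. The rule listings and the netcheck report embedded below are constructed samples, not captured from a router.

```shell
#!/bin/sh
# Added example. Assumes the rule from the post: priority 1099,
# fwmark 0x80000/0xc0000, table main. Inputs are read from stdin.

# Succeed if the listing contains the Tailscale bypass rule.
has_ts_bypass_rule() {
    grep -E '^1099:[[:space:]]+from all fwmark 0x80000/0xc0000 lookup main' >/dev/null
}

# Print "wan", "vpn" or "unknown" for the IPv4 endpoint in a netcheck report.
# $1 = router WAN IP, $2 = VPN IP.
netcheck_path() {
    ep=$(sed -n 's/^\* IPv4: yes, \([0-9.]*\):[0-9]*.*/\1/p')
    case "$ep" in
        "$1") echo wan ;;
        "$2") echo vpn ;;
        *)    echo unknown ;;
    esac
}

# Constructed sample inputs (plausible OpenWrt listings, not real captures).
RULES_OK='0:	from all lookup local
1099:	from all fwmark 0x80000/0xc0000 lookup main
32766:	from all lookup main
32767:	from all lookup default'
RULES_MISSING='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'
NETCHECK_REPORT='Report:
* UDP: true
* IPv4: yes, 112.224.252.34:58740
* IPv6: no, but OS has support'

check_rules()    { printf '%s\n' "$1" | has_ts_bypass_rule; }
check_netcheck() { printf '%s\n' "$1" | netcheck_path 112.224.252.34 103.195.255.23; }

# On a router, replace the samples with: ip rule show | has_ts_bypass_rule
# and: tailscale netcheck | netcheck_path <WAN IP> <VPN IP>
if check_rules "$RULES_OK" && [ "$(check_netcheck "$NETCHECK_REPORT")" = wan ]; then
    echo "bypass rule present; Tailscale endpoint is on the WAN path"
fi
```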
Everything seems to be working fine now when both Tailscale and ProtonVPN (WG Client) are turned on.
My router is set up as a Tailscale exit node, and client devices (PC and phones) use my router's non-VPN IP to connect to the router and egress the traffic via the ProtonVPN (WG) VPN IP. I am using this kind of setup when my client devices are on insecure networks like cafes or at the office.
However, I still found some bugs, listed below.
When using the above setup ("Tailscale (exit node turned on) and ProtonVPN (as internet breakout)"), while browsing YouTube and YouTube Music on client devices, streaming would heavily buffer. However, videos on Facebook and any other streaming site buffer fine, and downloading and casual browsing also work great. Somehow YouTube services are the only ones affected. But when I'm connected directly to the router with ProtonVPN still on, it buffers perfectly fine. I also tested the internet speed and it's all good; ping from router to client via Tailscale is just around <40ms and from router to internet via Proton is about <50ms.
Now when I turn OFF ProtonVPN (WG Client) and still use Tailscale (exit node), client devices are still connected to the router using Tailscale, but this time they have problems connecting to the internet. Basically, with this kind of setup, client devices will now use the router's non-VPN WAN IP for both Tailscale connectivity and egress for internet traffic.
The bugs above are experienced on version 4.5 firmware. As far as I can remember, I did not experience either of these on the latter version of the firmware. I also tried upgrading Tailscale to the latest version on the router and tried turning off "Block Non-VPN Traffic" and "Services from GL.iNet Use VPN" when using WG Client, but the issue still persists. Also a note: I am using Secure DNS with a NextDNS profile.
There's a 3rd one I almost forgot.
When I issue nslookup google.com on the router while Tailscale is ON, the output is below:
I believe the normal behavior should be that when Tailscale is ON the router should use 100.100.100.100 as the name server, as shown in the logs below (this is when I updated Tailscale to the latest version).
@hansome it should be fixed in v4.6.2? I checked all the network policies with uci get; however, even if all of them were set to these values, with Tailscale enabled and MullvadVPN on Client, I can't reach any website.