Help to configure tailscale as a proxy service

I have my own TAILSCALE network and on several devices (windows, android, ios) running the client with the USE_EXIT_NODE option I can get all my internet traffic routed through the exit node I selected, it's useful and working fine

Since I need to use the same system also on other devices which don't have TS client I'd like to use a OpenWRT device to do this.
I managed to install OpenWRT 22.03 on a GL-MT300N-V2 portable router and also have tailscale running on it. I can see the router connected into my TS network and I can ping to/from it other devices of my network

My problem is how to configure everything in OpenWRT to route all inbound/outbound traffic of all connected devices (by cable or wifi) to that interface. I guess more or less I need to do the following:

1. Create an Interface with the TS client local IP and DHCP service
2. Connect that interface to the router LAN and WIFI
3. Adjust accordingly the routes/firewall rules

PS: An alternative version to using exit-node is to configure the router to use a proxy server on the tailscale network (10.). In windows for example I can just set up the system proxy to my remote node which is running a proxy server, and I can get all my traffic routed through that node. This is also working fine on windows*

my competence with networking and openwrt is not good enough, please help

Create a new tailscale firewall zone.

image937×479 103 KB

Make the zone forwardings look like this:

image711×290 14.3 KB

Run tailscale advertising the lan subnet, e.g

tailscale up --advertise-routes=192.168.2.0/24 --advertise-exit-node

Go to tailscale Admin console->Machine->Edit route settings

That should do it.

Thank you so much pavelgl,

I made some steps forward following your advices, I was able to ping a remote TS client from my local client and by locally enabling the proxy to that node I was also able to navigate. But then I noticed that wifi wasn't connecting well, something wrong maybe related to my previous attempts so I tried to clear up the configuration and now I cannot reinstall and have tailscale running on openwrt....

I've tried both with and the script <openwrt-tailscale-enabler-v1.32.0-89418f5-autoupdate> but in both cases I end up with problems and errors before being able to authenticate my new TS node and move on....

what is the official/right procedure to install tailscale on latest openwrt 22.03?

thanks again

Using opkg worked for me on 22.03.2.

opkg update; opkg install kmod-tun tailscaled tailscale

Ok pavegl, I also needed to install iptables-nft but now seems to be finally working fine. Thanks again

Another two points please:

1. the installed version of TS is quite old 1.24.2-3 (OpenWrt)
   is it possible (and how) to update it to the most recent 1.32.2 ?

2. about proxy/gateway setting
   now when I connect a windows10 client either by LAN or WIFI and I set the proxy of the system to another remote TS client running as exit node I can have my internet traffic routed through that client (see script below)
   How can I have the same function done in my OpenWRT router natively, I mean without having to do anything on any LAN/WIFI connected client? I suppose I need to assign the default gateway and dns server to my remote TS address or set it as proxy server but I don't know how to do this in OpenWRT

RegLocate = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"
objShell.RegWrite RegLocate,"100.(my address)","REG_SZ"
RegLocate = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride"
objShell.RegWrite RegLocate,"localhost;127.*;10.*;193.*;172.16.*;172.17.*;172.18.*;172.19.*;172.20.*;172.21.*;172.22.*;172.23.*;172.24.*;172.25.*;172.26.*;172.27.*;172.28.*;172.29.*;172.30.*;172.31.*;192.168.*;"
RegLocate = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable"
objShell.RegWrite RegLocate,"1","REG_DWORD"

Sorry, no idea.

I'm not sure what's the use of connecting the router to another "exit node", but you can try the following (no guarantee it will work).

Set up a public upstream DNS provider in /etc/config/dhcp.
Set a metric for the wan interface.
When the tailscale service is up, run:

ip route add default via $exit_node_IP dev tailscale0 onlink

If it works, you could use a hotplug script to dynamically create/delete the default route.

Well, the meaning of all of this project is to be able to connecting some "dumb" devices to a free internet for updates, fixes, etc.
I live in a country where internet is severely restricted so basically I need a router which is able to provide open&unrestricted internet connection to any device connected to it either by cable or wifi.
I'm using a Gli-net M300 Mango router and before I was able to do this by having a server-client wireguard connection set into it but this system has been blocked recently so I need something else. I have different TS remote nodes configured as exit_node and so far this solution is working on all devices I can run TS on but not on dumb/embedded devices

About your instructions my competence level is too low... please explain a bit more in detail what I should do to in Luci/SSH to test your solution pls

uci set network.wan.metric='100'
uci add_list dhcp.@dnsmasq[0].server='8.8.8.8'
uci add_list dhcp.@dnsmasq[0].server='1.1.1.1'
/etc/init.d/network restart; /etc/init.d/dnsmasq restart; /etc/init.d/tailscale restart

ip route add default via $exit_node_IP dev tailscale0 onlink

Replace $exit_node_IP with the IP address of the exit node (note that the route is not persistent).

If it works save the changes - uci commit
Otherwise, just reboot the device.

I tried 3 times,
the first time the router kinda of shutdown after the first 4 commands

restarted
the second time I was able to issue all 4+1 commands, I still had communication with the router but no internet at all

restarted
the third time I didn't get the IP address by DHCP so coudn't even connect to SSH

reboot again
after reboot if I set my windows client to use the TS exit node as a proxy everything's working well. is there a way to have this automatically done by OpenWrt ?

Actually today I found the router was basically reset to initial OpenWRT status.. no more ext4 storage configured to USB no more tailscale or anything else..

So I reinstalled everything and I'm planning to see some tutorial on how routes work in general

Hey, any updates on how this is going? I'd like to do something similar. Thanks!

unfortunately not yet..
I'm stuck in redirecting the traffic from connected clients to my remote TS node providing internet access (acting as an exit-node in TS terminology)

tailscale is running in OpenWRT router, I can ping my TS nodes in all clients so I only need to have the router telling all connected clients to use the right address as Gateway to the internet

Hello, any news? I would also be interested, if there is a solution.
Thanks.

I've recently updated the Tailscale page on the wiki with details on how to use Tailscale as (what their documentation refers to) a "subnet router".

Maybe this is of use to you: @laktibrada, @randomodbuild, @StefanoA70 ?

Feedback welcome:

Hi @joshenders, thanks for the update, I have already found a solution to my problem, which was a problem at synology tailscale, since I wanted to use synology as exit node and not problem of openWRT. As Tailscale on Synology currently can do --advertise-routes but not --accept-routes, the synology as an exit-node did not work with with subnet router, After installing tailscale at raspberryPi everything works as expected.

Thank you for the screen shot. That helped me get my GL-MT3000 tailscale working on exit node right away.