How to configure Tailscale 18.02 on 24.10 to access remote Exit Node

Hello there,

I have a Xiaomi AX3600 (192.168.11.0/24). I installed Tailscale on it and connected to a remote Exit Node to access the Internet. Recently I upgraded OpenWrt from 23.05.5 to 24.10.0 and upgraded Tailscale from 1.58 to 18.02.
Then the problem came: my subnet members can no longer access the Internet via the remote Exit Node, which used to work pretty well with Tailscale 1.58. I did a fresh install of Tailscale SEVERAL times by using opkg install tailscale on 24.10, but still no luck.

Also, I noted there were warning messages during the installation process about iptables and ip6tables, but the installation completed. The tailscale up and tailscale status commands returned nothing unusual, but ip show address tailscale0 didn't retrieve any IPv4 address of my tailnet nor an IPv6 address. For the interface setup, I tried both unmanaged and static when creating the interface protocol, and a dedicated firewall zone as in this tutorial.

I can ping the Exit Node IP and openwrt.org from both my laptop (192.168.11.218, DHCP) in the router's subnet and the router's Diagnose page. From the trace log of a test to openwrt.org, I can see traffic was routed to the Exit Node first and then finally reached openwrt.org. But the laptop cannot access the Internet at all.

I don't know if something is wrong with the pkg, the configuration or the firewall. Can someone give me a hint? Thanks a lot.

I have best luck using Tailscale Enabler. Script that downloads latest version and runs in temp. Simple, and just works.

I just moved my response to over here.

It looks like you are not able to get a basic Tailscale configuration running on your Router.

I would suggest a clean install of OpenWrt v24.10.0 which automatically gives you access to Tailscale v1.80.2. This way the iptables-nftables issue and the Tailscale v1.58.2 security issue are both resolved without having to perform any special workarounds.

The OpenWrt Tailscale Wiki is very useful, however ignore the section on "iptables-nft issue" and "OpenWrt ssh access".

I would go as far as the "How to setup a Subnet Router/Exit Node" and test your configuration. After you are satisfied everything is working correctly then move to "Force LAN traffic to route through Exit Node" section as this is what allows the Subnet Route on the local OpenWrt Router to connect to a remote Router's Exit Node. At that point I can share my CLI syntax I used to make that possible. I am just doing some more testing at my end.

I have just done a factory reset of my OpenWrt Router in a bid to resolve some Exit Node issues with Tailscale, my EdgeRouter which is also running Tailscale is just fine.

There is definitely a problem with Tailscale v1.80.2-r1 on OpenWrt 24.10.0.

Edit: It was a configuration issue, problem solved.

To connect the local Tailscale Subnet Route (192.168.1.0/24) on the OpenWrt Router to the remote EdgeRouter (ER-4) running a Tailscale Exit node the following CLI commands were entered.

root@usg-3p:~# tailscale up --accept-routes --advertise-routes=192.168.1.0/24

To authenticate, visit:

	https://login.tailscale.com/a/12345678abcdefgh

Success.
root@usg-3p:~# tailscale up --accept-routes --exit-node=ER-4 --exit-node-allow-lan-access --advertise-routes=192.168.1.0/24
root@usg-3p:~#

I used DNS Leak Test to verify the Subnet Route was exiting the remote Exit Node.

How about the firewall configuration? I did a fresh installation of both OpenWrt and Tailscale. ip address show tailscale0 is a problem: no tailnet IP is obtained. I manually set it with the static protocol. I set the firewall to the lan side; other peers in the tailnet can access the router login page, but devices in the lan still cannot access out.
I will do another try with OpenWrt 23.05.05 + Tailscale 1.80.2_r1.

Firewall configuration guidelines are contained in the OpenWrt Tailscale Wiki.

OpenWrt 23.05.5 only gives you access to Tailscale 1.58.2-1, it is unfortunately the way OpenWrt works. I would move to OpenWrt 24.10.0.

P.S. You may want to fix the typo in the Subject field of this thread, as it is Tailscale 1.80.2.

Does it show an IP4 & IP6 address with the following command?

tailscale ip

tailscale0 Protocol should be set to Unmanaged

Are you saying other remote Tailscale Clients can access the Router console, but LAN devices of the Router without a Tailscale Client cannot access the Remote Exit Node?

Yep, I installed Tailscale on my iPhone to test. When connected to my tailnet, Safari can access the router's login page via its subnet IP 192.168.11.1. But my desktop in the router's LAN cannot open google.com.

Ah... it's a bit embarrassing... and more embarrassing is that I didn't figure out how to change the subject.

Remove the Exit Node on the Xiaomi AX3600 (192.168.11.0/24), create and connect the Xiaomi Subnet Route to the Remote Router Exit Node. Replace RR with the name of the Remote Router. The --reset should remove the Exit Node on the Xiaomi. Remember to update the Tailscale Coordination Server to reflect the changes.

tailscale up --accept-routes --advertise-routes=192.168.11.0/24 --reset

tailscale up --accept-routes --exit-node=RR --exit-node-allow-lan-access --advertise-routes=192.168.11.0/24

Note, the Exit Node on the Xiaomi needed to be removed, because it is not possible to connect two Exit Nodes together.
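
One way to narrow down the symptoms discussed in this thread (no tailnet address on tailscale0, LAN clients not leaving through the exit node), as an added example that is not part of any post: a POSIX shell script that classifies the text output of three read-only commands. The function names, verdict strings and sample outputs are constructed for illustration, and the script assumes tailscaled keeps its routes in table 52, as it does on Linux.

```shell
#!/bin/sh
# Added example: classify where the exit-node path breaks, from the text of
#   ip -4 addr show dev tailscale0
#   ip route show table 52   (assumed: tailscaled's routing table on Linux)
#   cat /proc/sys/net/ipv4/ip_forward

# Constructed sample outputs (not captured from the thread's routers).
SAMPLE_ADDR_OK='7: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280
    inet 100.101.102.103/32 scope global tailscale0'
SAMPLE_ADDR_EMPTY='7: tailscale0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280'
SAMPLE_ROUTES_EXIT='default dev tailscale0
100.100.100.100 dev tailscale0'
SAMPLE_ROUTES_PLAIN='100.100.100.100 dev tailscale0'

# Print the tailnet IPv4 address (100.64.0.0/10) found in `ip addr` text, if any.
tailnet_ipv4() {
    printf '%s\n' "$1" | awk '$1 == "inet" {
        split($2, cidr, "/"); split(cidr[1], o, "[.]")
        if (o[1] == 100 && o[2] >= 64 && o[2] <= 127) { print cidr[1]; exit }
    }'
}

# Succeed if the route text sends the default route into tailscale0.
has_exit_route() {
    printf '%s\n' "$1" | grep -Eq '^default( .*)? dev tailscale0( |$)'
}

# Print one verdict for the three captured outputs.
diagnose() {
    if [ -z "$(tailnet_ipv4 "$1")" ]; then
        echo no-tailnet-address    # the symptom reported in the thread
    elif ! has_exit_route "$2"; then
        echo no-exit-route         # --exit-node is not in effect
    elif [ "$3" != 1 ]; then
        echo forwarding-disabled   # kernel will not forward LAN packets
    else
        echo ok
    fi
}

if [ "${1:-}" = live ]; then    # on the router: sh script.sh live
    diagnose "$(ip -4 addr show dev tailscale0 2>/dev/null)" \
             "$(ip route show table 52 2>/dev/null)" \
             "$(cat /proc/sys/net/ipv4/ip_forward)"
else                            # offline: run on a constructed sample
    diagnose "$SAMPLE_ADDR_EMPTY" "$SAMPLE_ROUTES_PLAIN" 1
fi
```

An ok verdict only clears these three checks; forwarding between the lan zone and the Tailscale firewall zone still has to be checked against the wiki.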

Did you ever get this working?