I'm getting enthusiastic about using Tailscale as a VPN under OpenWrt. I've successfully installed the package and even compiled a third-party app, 'luci-app-tailscale', to help configure it. It was easy to set up VPN "servers" (exit nodes) on a RP4 running Raspberry Pi OS and a mini x86 computer running Debian. No port forwarding or special configuration needed for those - they work great and automatically update.
However, configuring it on a router running OpenWrt to be a "client" and route all Internet traffic through the remote exit node (server) has not been so easy. I did find the wiki here:
However, setting it up this way doesn't work. No access to the Internet at all with this method from the router. The router is detected on the Admin/machines page of Tailscale as "connected" and I've done everything you're supposed to on "Edit Route Settings" on the Tailscale admin page.
I'm guessing some kind of firewall setting is wrong somewhere, either in the tailscale0 interface or the Network/Firewall configuration settings. I've tried everything I can think of. Just hoping someone else has a working configuration and can clue me in on what my mistake might be here and share the steps that actually work.
I've also noticed that the latest version of tailscale in the official OpenWrt repository is 1.58.2-1 and after installing it there is a warning on the tailscale admin page: "This machine is running a version with a known security vulnerability. It’s recommended to update to 1.80.0." I have not discovered a way to do that.
Anyone have a link to the source code repository for tailscale 1.80.0? That seems to be the latest in the snapshots, but I want to compile it within a custom build. Where is the repo I can clone that will work with OpenWrt? The main repository has version 1.58.2-1
Thanks so much. When I cloned the main repository the old version was loaded. Twice! Because I thought I’d made some mistake. I still don’t know what my mistake was.
Some time ago I succeeded in doing a cross-compile of a very recent tailscale on Ubuntu, targeting MIPS (the architecture of my OpenWrt device). Also including some size reductions; the build was a stand-alone image, not requiring any external libraries. It ran perfectly on my OpenWrt device. All this is possible because tailscale is written in the Go language. You might check out Tailscale's docs on their site regarding "cross-compile". I simply copied the generated image to OpenWrt, and voila, it worked. No need for all the obsolete OpenWrt tailscale stuff.
The current tailscale is 1.80.2 now and I didn't know about the required tailscaled package either so I've made some errors here. Compiling the packages for kernel 5.15.173 for ipq806x/chromium is so far beyond my skill level.
I'm working on getting the OpenWrt router to be a client and connect to an exit node set up in another country. I have not got it to work this way. I'm sure it's related to configuring the firewall properly in the tailscale0 interface AND the dnsmasq firewall setup. My trial-and-error method has discovered that Tailscale will create a second tailscale0 interface when initiated from the command line. Hard to troubleshoot.
Your statement is a bit confusing because Tailscale has Clients and Exit Nodes/Subnet Routers. However Routers are not Clients as they are configured as Exit Nodes/Subnet Routers.
Local Tailscale Clients (Mac, PC, iPhone, Apple TV, ...) can connect to a remote Router/Exit Node in another country without Tailscale on the local Router.
It would be useful if you can indicate the model number of the Router and I can provide some guidance with installation instructions.
Edit: If you are looking to establish a Site-to-Site connection, then you would need Tailscale installed at both the Local & Remote Router with Tailscale Subnet Router enabled.
The entire purpose of the app on OpenWrt is to act as a client OR an exit node. I wouldn't need it to operate as an exit node to connect it to another exit node.
Just to repeat my original question to clarify. I have Tailscale running as an exit node on a mini computer. It works well. I can connect to it from another computer, a phone, and a pad just fine. Perfectly set up and running and authorized on the admin panel. Done.
Now, I am setting up an OpenWrt router in a DIFFERENT location. I want to use this router to connect to the exit node in the OTHER location. The mini computer is the exit node. I want the OpenWrt router to connect to the internet through the mini computer's exit node so that any machines connected to the OpenWrt router appear to be in the location of the mini computer's exit node. I realize they are not strictly client and server, but I'm using those terms to describe the setup I'm trying to achieve. I'm not setting up either as a subnet router.
The goal of this question is to get the OpenWrt router set up as a "client." So far, I have not by trial and error figured out how the firewall on the OpenWrt router's 'tailscale0' interface needs to be configured to do this and/or how the dnsmasq firewall needs to be configured to do this. They both have to be exactly so. That's my issue.
It appears that tailscale will not be easy to turn off and on from luci. Tailscale has the advantage of working in a double NAT situation and needs no open ports on the exit node. Seems like the future of VPN to me.
My other issue is trying to compile tailscale from source code using the latest version because the OpenWrt repository has an older version with a security flaw.
A "client" is commonly called a "road warrior" in general VPN terms. It is an endpoint device such as a phone, laptop, or tablet. It holds a single IP address on the tunnel. Everything that the client sends through the tunnel has a source of its single tunnel IP. Everything sent through the tunnel to the client has a destination of that IP.
A subnet router is different since it has one or more LANs behind it with possibly multiple endpoint users on the LAN, each with their own LAN IP. The router routes from the LAN to the tunnel, preserving the source device's individual IP. The other end of the tunnel is usually also a router. It needs to be aware of which LAN is at which tunnel so that it can return packets to the proper remote LAN. A centrally administered VPN like Tailscale simplifies this. For the destination-based routing to work, every LAN at every site needs to have a unique IP range in the whole network.
An Exit Node is simply an extension of the Subnet Router, where one of its local subnets is the Internet. Any packet with a destination IP that is not otherwise known in the network is considered by default (thus the concept of Default Route) to be a request for the Internet, and will be routed through the Exit Node.
Note that it is possible to hide a LAN behind a Client by using NAT (masquerade) to convert the LAN device addresses to appear to come from the client's single tunnel IP. This is not an ideal solution compared to having full routing throughout the network that you own. NAT is generally used only at the transition point to the network that you don't own, since the owner of that network is only going to give you one IP address.
To simplify this even more... I want to use Tailscale the way I can now use OpenVPN and WireGuard tunnels. Tailscale adds the feature of not having to open a port on the server side. I have Tailscale working wonderfully and well on absolutely everything except OpenWrt. I understand all the terms and terminology. I know all about servers and clients - all of it and all the little details and technicalities. What I don't know is how to compile the latest source code and incorporate it into a custom firmware build because the OpenWrt repository has an older version with a security flaw. What I don't know is how to set up the numerous firewall settings to make the OpenWrt router act as a VPN client with Tailscale in the same way OpenVPN and WireGuard do.
Note, much of the Wiki is no longer applicable including the iptables-nft issue.
The following command will enable the Exit Node on the Router. This will give you access to the Internet at the OpenWrt Router end, but NO access to the LAN devices of the OpenWrt Router.
tailscale up --advertise-exit-node
However if you also want access to LAN devices at the OpenWrt Router end, the LAN Subnet of the OpenWrt Router needs to be advertised. In the following example 10.0.1.0/24 is the LAN Subnet of the OpenWRT Router.
tailscale up --advertise-routes=10.0.1.0/24 --accept-routes --advertise-exit-node
[Tailscale Clients + Mini Computer as Exit Node]-LAN-[ISP Router]<----> [OpenWrt Router as Exit Node]-LAN-[Tailscale Clients]
This will allow all Tailscale Clients access to both Exit Nodes.
Tailscale is supported on a wide variety of Clients and because Tailscale is a Mesh VPN, no special Road Warrior configuration is needed. All members of the Tailnet have access to each other and the Exit Nodes regardless of location.
However if you are looking to establish a Site-to-Site or "Client/Server" VPN (to use OpenVPN terminology) without installing Tailscale on individual Clients, then you will need to enable the Subnet Route feature at both ends.
[Mini Computer as Exit Node/Subnet Route]-Devices-LAN-[ISP Router] <----> [OpenWrt Router as Exit Node/Subnet Route]-LAN-Devices
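A small diagnostic, added here and not written by either poster, that reads the output of `tailscale status --json` and reports the three things the commands above depend on: whether an advertised LAN route was actually approved in the admin console, whether an exit node is selected, and whether tailscaled is reporting health warnings such as the outdated-version notice. The two status documents are constructed samples; the field names (`BackendState`, `Health`, `Self`, `Peer`, `ExitNode`, `ExitNodeOption`, `PrimaryRoutes`, `AllowedIPs`) are assumed to match Tailscale's status JSON.

```python
import json

# Two constructed samples in the shape of `tailscale status --json` (field names
# assumed from Tailscale's status output; host names and addresses are made up).
def _status(route_approved, exit_in_use):
    return json.dumps({
        "BackendState": "Running",
        "Health": ["update available: 1.58.2 -> 1.80.0"],
        "Self": {"HostName": "openwrt", "Online": True, "ExitNodeOption": True,
                 "AllowedIPs": ["100.64.0.5/32"],
                 "PrimaryRoutes": ["10.0.1.0/24"] if route_approved else []},
        "Peer": {"nodekey:aaaa": {"HostName": "minipc", "Online": True,
                                  "ExitNodeOption": True, "ExitNode": exit_in_use,
                                  "AllowedIPs": ["100.64.0.2/32", "0.0.0.0/0", "::/0"]}},
    })

STATUS_BROKEN = _status(route_approved=False, exit_in_use=False)
STATUS_WORKING = _status(route_approved=True, exit_in_use=True)

def check_status(status_json, lan_subnet):
    """Summarise exit-node and subnet-route state from `tailscale status --json`."""
    st = json.loads(status_json)
    me = st.get("Self") or {}
    peers = (st.get("Peer") or {}).values()
    # A route given to --advertise-routes only appears here once it has been
    # approved under "Edit route settings" in the admin console.
    approved = set(me.get("PrimaryRoutes") or []) | set(me.get("AllowedIPs") or [])
    return {
        "running": st.get("BackendState") == "Running",
        "health_warnings": list(st.get("Health") or []),
        "offers_exit_node": bool(me.get("ExitNodeOption")),
        "lan_route_approved": lan_subnet in approved,
        "exit_node_in_use": next((p.get("HostName") for p in peers if p.get("ExitNode")), None),
        "exit_nodes_available": sorted(p.get("HostName") for p in peers
                                       if p.get("ExitNodeOption") and p.get("Online")),
    }

def explain(findings, lan_subnet):
    """Turn the findings into the next checks a router admin would make."""
    notes = []
    if not findings["running"]:
        notes.append("tailscaled is not Running: log in again with `tailscale up`")
    for w in findings["health_warnings"]:
        notes.append("health warning: " + w)
    if findings["exit_node_in_use"] is None:
        notes.append("no exit node selected on this node; candidates: "
                     + ", ".join(findings["exit_nodes_available"]))
    if not findings["lan_route_approved"]:
        notes.append(f"{lan_subnet} is not an approved route (advertise it, then approve it in the admin console)")
    return notes

if __name__ == "__main__":
    for label, s in (("broken", STATUS_BROKEN), ("working", STATUS_WORKING)):
        f = check_status(s, "10.0.1.0/24")
        print(label, f, explain(f, "10.0.1.0/24"), sep="\n  ")
```

On a real router, pipe `tailscale status --json` into `check_status` instead of the constructed samples; a "not an approved route" note with the route already advertised points at the admin console rather than the OpenWrt firewall.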
Yes. I want everything connected to Site B to appear to be at Site A. I think I have the package working, but I don't know exactly how the firewall settings in the 'tailscale0' interface and in Network > Firewall need to be configured at site B. My Site A exit node is working fine, and when I choose it as the exit node on my computer, phone, etc., it works perfectly.