Point-to-point VPN using tailscale

Nico1320 · May 15, 2023, 6:45pm

Hello,

I wanted to set up a PTP VPN using Tailscale since I cannot use Wireguard because i cant get access to port forwarding in this complex. The purpose is to connect my smart devices to my MQTT server back home. Tail scale works atm but when I try to set it up as a client on "mothership", I lose access to it immediately.

Complex

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd81:6f09:6fc7::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '10.0.1.1'
        list dns '1.1.1.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

config interface 'wwan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'mothership'
        option proto 'wireguard'
        list addresses '10.0.5.4/32'
        option private_key 'redacted'
        option auto '0'

config wireguard_mothership
        option description 'mothership'
        option preshared_key 'redacted'
        option route_allowed_ips '1'
        option persistent_keepalive '25'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host 'redacted'
        option endpoint_port '51820'
        option public_key 'redacted'
        option private_key 'redacted'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option forward 'ACCEPT'
        list device 'tailscale0'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'tailscale'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'tailscale'

config forwarding
        option src 'wan'
        option dest 'tailscale'

config nat
        option name 'Tailscale'
        list proto 'all'
        option src '*'
        option target 'MASQUERADE'
        option device 'tailscale0'

Mothership
I used these commands to setup tailscale
tailscale up --netfilter-mode=off --exit-node-allow-lan-access --exit-node="Complex_ip"

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tailscale_nl'

config interface 'tailscale_nl'
        option proto 'none'
        option device 'tailscale0'