Tailscale Direct Connections with an OpenWRT router

Hi, I have a bunch of my devices on my tailnet (including my homelab), but I don't have my router in my tailnet.
When I was running the stock firmware of my router (TP-Link), I could successfully make DIRECT connections to all my tailnet devices (both those outside my local network and those inside it). I believe it was doing this via UPnP, as I saw a bunch of Tailscale connections listed under the UPnP section of the WebUI.

I recently switched my router's firmware to OpenWrt, and now I cannot make direct connections to my tailnet devices that are not already in my local network; those Tailscale connections are relayed via DERP. One notable exception is my Android phone: it cannot make any direct connections to any device in my tailnet (even those in my local network), whereas it could before I switched to OpenWrt.

So:

  • How can I configure my OpenWrt router to allow direct connections in my tailnet?
  • (optional) How can I get my phone to use direct connections? (if you believe it's a client-side issue)

FYI, I'm not completely comfortable with directly opening up ports to the internet; however, I believe I am behind a double NAT, and my upstream internet provider is a "reliable Internet and IT solution company for flats".

You need to install UPnP support:
miniupnpd-nftables and luci-app-upnp
Then enable UPnP in the LuCI app or by editing the /etc/config/upnp file.

Thank you :slight_smile: , I will try this. First I need to expand my storage so I can install the package; I will buy a USB storage device and configure it using extroot.

Don't add USB. You can have UPnP even on 8 MB routers.

Please connect to your OpenWrt device using SSH, copy the output of the following commands, and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
df -k

Hi, thanks for the reply.
FYI, this is my router model: https://openwrt.org/toh/tp-link/archer_c2_ac750#tab__hardware_highlights
I seem to have less than 8 MB of usable storage:

df -h:

root@router:~# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 4.0M      4.0M         0 100% /rom
tmpfs                    27.5M      1.4M     26.1M   5% /tmp
tmpfs                    27.5M     56.0K     27.5M   0% /tmp/root
tmpfs                   512.0K         0    512.0K   0% /dev
/dev/mtdblock4            1.3M    572.0K    772.0K  43% /overlay
overlayfs:/overlay        1.3M    572.0K    772.0K  43% /

ubus:

{
        "kernel": "6.6.73",
        "hostname": "router",
        "system": "MediaTek MT7620A ver:2 eco:6",
        "model": "TP-Link Archer C2 v1",
        "board_name": "tplink,archer-c2-v1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "ramips/mt7620",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

/network

root@router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted ipv6 address'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '192.168.1.227'

config device
        option name 'eth0.2'
        option macaddr 'redacted mac addr 1'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        option hostname '*'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config switch
        option name 'switch1'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch1'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch1'
        option vlan '2'
        option ports '0 6t'

firewall

root@router:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

You should not install or upgrade packages on this device.
Install luci-app-attendedsysupgrade and use it to compact the installation back into squashfs with all upgrades included.