I installed the Tailscale package on my OWrt router that is configured with VLANs and a segmented network.
Should I create a new VLAN segment to place tailscale on or does that sort of defeat the purpose of some of its utility? (I know tailscale has ACL that can be used to control things from its side.)
The tailscale tunnel is its own L3 network (routed), so as long as it is a unique subnet relative to the networks on each side of the tunnel, nothing more needs to be done. And since it's a tunnel, it's not intended to directly connect to ethernet/wifi... VLANs are a concept that only actually applies to ethernet.
Does that answer your question?
If not, maybe you can state your goals and/or concerns so we can address those.
Yes, I noticed it was an unmanaged interface, yet traffic was still flowing and I was able to connect.
My concern was that tailscale was connected to the router itself and would have access to / from all VLAN'd segments of my network since connecting thru the router itself, but it sounds like that is not exactly the case?
I am just looking to keep each portion of my home network segmented and isolated as best I can and control all the important stuff flowing in / out.
I have AdGuard set up in its own vlan segment by itself with port 53 redirects, but not the other DNS mitigations, and I am also not sure if or how much those may play into messing with a stock tailscale install and / or prevent tailscale from working its "magic".
Ultimately I am hoping to be able to connect to my home network while on my work WiFi and use my OWrt as an exit node to get around work wifi restrictions and avoid having to use my mobile data while at work.
Currently, if I connect to my dedicated privacy VPN app on my phone, it bypasses my work wifi's restrictions (presumably using the VPN's own encrypted DNS?), but connecting via the tailscale app on my phone to my tailscale exit node at home does not achieve the same result... still trying to figure that one out.
Assuming that tailscale is assigned its own firewall zone, if your intent is to only allow it to be an exit node to the internet and to not allow remote access to your local network(s), you would simply allow forwarding from tailscale > wan and nothing else.
Yes, that is one intent. However, I also want to be able to access other local hosts and services such as my 3D printer interface (VLAN20), Proxmox host (VLAN40), PC desktop (VLAN10), etc. as well.
Ok... in that case, you can either allow forwarding to your lan(s), or you can create specific rules to allow the individual resources (if you want all else to be blocked).
If I allow forwarding from tailscale to my LAN vlan, which itself has access to WAN, do I need to also allow tailscale's fw zone to forward directly to WAN or should I only have tailscale's forward set to my LAN zone so it has to traverse through the LAN segment of my network and abide by the LAN rules already set in my firewall?
If you want remote places in the Tailscale tunnel to access the Internet through your local ISP, forwarding from vpn to wan is required. Forwarding vpn to lan only applies when the destination IP is in lan, thus the packet will be output to an interface in the lan zone.
You can make the forwarding conditional by writing specific rules having src vpn and dest wan rather than a general allow forward.
There are two features, the Exit Node and Subnet Router that can be configured on the Router.
The Exit Node is the point at which you can exit the Tailnet and onto the Internet. Thus remote devices will appear to be at your home, but you will not have access to your home network.
tailscale up --advertise-exit-node
If you want Remote Access to specific VLANs/Subnets on your home network then you have to enable the Subnet Router and add those VLANs/Subnets.
tailscale up --advertise-routes=10.0.10.0/24,10.0.20.0/24 --accept-routes
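One way to express both roles (exit node via wan, plus narrow access to individual VLAN hosts instead of a blanket forward to lan, as discussed in the replies above) in OpenWrt's fw4 config. This is an added example, not config from anyone in this thread; the zone names, the interface name tailscale0 and the 10.0.x.y addresses are assumptions you would replace with your own.

```uci
# Fragment of /etc/config/firewall (added example; names and addresses are assumptions)

# Put the tunnel interface in its own zone. Nothing is forwarded out of it
# unless a forwarding or rule section below says so.
config zone
	option name 'tailscale'
	list device 'tailscale0'          # interface created by tailscaled (assumed name)
	option input 'REJECT'             # tailnet peers cannot talk to the router itself
	option output 'ACCEPT'
	option forward 'REJECT'

# Exit-node role: tailnet peers may reach the Internet through this router's WAN.
# This is the only forwarding needed if remote access to the LAN is NOT wanted.
config forwarding
	option src 'tailscale'
	option dest 'wan'

# Subnet-router role, narrowed to specific hosts/ports rather than allowing
# tailscale -> whole VLAN zone. Zone names vlan10/vlan20/vlan40 and the
# 10.0.x.y addresses are placeholders for your real VLAN zones and hosts.
config rule
	option name 'Allow-Tailscale-to-3D-printer-web'
	option src 'tailscale'
	option dest 'vlan20'
	option dest_ip '10.0.20.50'
	option dest_port '80'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Tailscale-to-Proxmox-web'
	option src 'tailscale'
	option dest 'vlan40'
	option dest_ip '10.0.40.10'
	option dest_port '8006'
	option proto 'tcp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Tailscale-to-desktop-RDP'
	option src 'tailscale'
	option dest 'vlan10'
	option dest_ip '10.0.10.20'
	option dest_port '3389'
	option proto 'tcp'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart`; the router still has to advertise the matching subnets with the `tailscale up --advertise-routes=...` command shown above (and the routes must be approved in the Tailscale admin console) before peers can reach those hosts.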