Finally I successfully set up Tailscale, but I see that ALL traffic from the OpenWrt router goes via Tailscale.
I am not clear what I should set, and where, to ensure that only the traffic for a specific IP class (192.168.2.1/24) is routed via Tailscale.
I set up PBR, but it does not work. The configuration I would like to have is:
192.168.1.1/24 --> WAN
192.168.2.1/24 --> Tailscale
192.168.3.1/24 --> WireGuard.
I have been able in the past to get the same configuration working with multiple WireGuard tunnels, but the same method does not work anymore.
Where should I change this configuration? Routing? PBR? I am not clear...
I implemented it, but it does not work... It seems that, despite being configured correctly, they are ignored.
I ran Tailscale via "tailscale up --advertise-routes=192.168.1.0/24....". Might that have been the mistake? Should I have used 192.168.2.0/24? I can't re-run it now, so I have this doubt.
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option enabled '1'
list supported_interface 'TsIntDxb'
list supported_interface 'intat'
list supported_interface 'intnl'
list supported_interface 'Wg0NL'
list supported_interface 'lan'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'ISP'
option interface 'wan'
option src_addr '192.168.1.0/24'
config policy
option name 'TsAT'
option src_addr '192.168.2.0/24'
option interface 'TsIntDxb'
config policy
option name 'NL'
option interface 'wg0nl'
option src_addr '192.168.3.0/24'
root@OpenWrt:~#
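In the PBR config above, supported_interface lists 'Wg0NL' while the 'NL' policy points at 'wg0nl'; UCI section names are case-sensitive, so a mismatch like that is worth catching mechanically. The check below is an added example, not code from the thread or from the pbr package; the two sample configs inside it are constructed from excerpts posted above, and the function names are my own.

```shell
# Added example, not code from the thread: check that each PBR policy's
# 'interface' exactly matches a 'config interface' name, since UCI names are
# case-sensitive ('wg0nl' does not select 'Wg0NL'). Configs are constructed
# from excerpts in the thread.
NETWORK_CFG="
config interface 'lan'
	option ipaddr '192.168.1.1'
config interface 'wan'
config interface 'Wg0NL'
config interface 'intnl'
	option ipaddr '192.168.2.1'
"
PBR_CFG="
config policy
	option name 'ISP'
	option src_addr '192.168.1.0/24'
	option interface 'wan'
config policy
	option name 'NL'
	option src_addr '192.168.2.0/24'
	option interface 'wg0nl'
"

# One defined interface name per line (UCI quotes stripped).
uci_interfaces() {
    printf '%s\n' "$1" | tr -d "'" | awk '$1=="config" && $2=="interface" {print $3}'
}

# One "<policy name>|<interface>" line per PBR policy section.
pbr_targets() {
    printf '%s\n' "$1" | tr -d "'" | awk '
        function flush() { if (name != "") print name "|" iface }
        $1=="config" && $2=="policy"    { flush(); name="(unnamed)"; iface="" }
        $1=="option" && $2=="name"      { $1=$2=""; sub(/^ +/, ""); name=$0 }
        $1=="option" && $2=="interface" { iface=$3 }
        END { flush() }'
}

# Print each policy whose interface is undefined, noting case-only near-misses.
check_pbr_interfaces() {
    defined=$(uci_interfaces "$1")
    pbr_targets "$2" | while IFS='|' read -r pname piface; do
        printf '%s\n' "$defined" | grep -qx -- "$piface" && continue
        hint=""
        printf '%s\n' "$defined" | grep -qix -- "$piface" && hint=" (differs only in case)"
        printf "policy '%s': interface '%s' not defined%s\n" "$pname" "$piface" "$hint"
    done
}
check_pbr_interfaces "$NETWORK_CFG" "$PBR_CFG"
```

On a live router the same functions can be fed `cat /etc/config/network` and `cat /etc/config/pbr` instead of the embedded samples.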
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
It was disabled already: option route_allowed_ips '0'
The issue is that I always browse with Tailscale, and if I set metrics, when I reboot they are "forgotten"; even if present in the configuration, they are not applied anymore.
Was it correct to run Tailscale with 192.168.1.1? Or should I have run it with 192.168.2.1?
default via 192.168.70.254 dev wan proto static src 192.168.70.64 metric 10
10.66.60.2 dev wg0nl proto static scope link metric 5
<TAILSCALE_IP_EDITED> dev tailscale0 proto static scope link metric 20
<WG_IP_EDITED> via 192.168.70.254 dev wan proto static metric 10
192.168.1.0/24 dev br-lan proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br-at proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-nl proto kernel scope link src 192.168.3.1
192.168.70.0/24 dev wan proto static scope link metric 10
I have reconfigured everything. It's a little bit better; however, I still see conflicts and not everything is running smoothly, especially the PBR.
Without Tailscale everything works perfectly; when I add it, the problems start.
This is the final config I should end up with:
192.168.1.0/24: ISP
192.168.2.0/24: VPN1 (WG)
192.168.3.0/24: VPN2 (WG)
192.168.4.0/24: VPN3 (WG)
192.168.99.0/24: Tailscale
On the Remote Server (OpenWRT), I run Tailscale with this command (192.168.20.1 is the IP of the router):
tailscale up --accept-routes --advertise-routes=192.168.20.0/24 --netfilter-mode=off --advertise-exit-node
On the Client (OpenWRT), I run Tailscale with this command (192.168.1.1 is the IP of the router):
tailscale up --advertise-routes=192.168.99.0/24 --accept-routes --netfilter-mode=off --exit-node=Public_IP_of_the_exit_node --exit-node-allow-lan-access=true --snat-subnet-routes=false
Is there something missing/wrong? The configuration is below. I also tried to run Tailscale on the client with 192.168.1.0 instead of 192.168.99.0, but I have the same issues.
Network
root@OpenWrt882:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option packet_steering '1'
option ula_prefix 'EDIT'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option metric '10'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option peerdns '0'
list dns '1.1.1.1'
list dns '1.0.0.1'
option metric '10'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
list dns '1.1.1.1'
list dns '1.0.0.1'
option metric '10'
config interface 'Wg0NL'
option proto 'wireguard'
option private_key 'EDIT'
list addresses '10.66.60.2/32'
list addresses 'fd42:41:41::2/128'
list dns '1.1.1.1'
list dns '1.0.0.1'
config wireguard_Wg0NL
option description 'SrvNL'
option public_key 'EDIT'
option preshared_key 'EDIT'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'EDIT'
option endpoint_port '8500'
option persistent_keepalive '25'
option route_allowed_ips '0'
config device
option type 'bridge'
option name 'br-nl'
list ports 'wlan1-1'
config interface 'intnl'
option proto 'static'
option device 'br-nl'
option ipaddr '192.168.2.1'
option netmask '255.255.255.0'
config interface 'Wg0UK'
option proto 'wireguard'
option private_key 'EDIT'
list addresses '10.66.66.3/32'
list addresses 'fd42:42:42::3/128'
list dns '1.1.1.1'
list dns '1.0.0.1'
config wireguard_Wg0UK
option description 'SrvUK'
option public_key 'EDIT'
option preshared_key 'EDIT'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option endpoint_host 'EDIT'
option endpoint_port '51250'
option persistent_keepalive '25'
config device
option type 'bridge'
option name 'br-uk'
list ports 'wlan1-2'
config interface 'intuk'
option proto 'static'
option device 'br-uk'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
config interface 'Wg0CH'
option proto 'wireguard'
list dns '1.1.1.1'
list dns '1.0.0.1'
option private_key 'EDIT'
list addresses '10.66.67.2/32'
list addresses 'fd42:43:43::2/128'
config wireguard_Wg0CH
option description 'SrvCHF'
list allowed_ips '0.0.0.0/0'
list allowed_ips '::/0'
option persistent_keepalive '25'
option public_key 'EDIT'
option preshared_key 'EDIT'
option endpoint_host 'EDIT'
option endpoint_port '7500'
config device
option type 'bridge'
option name 'br-ch'
list ports 'wlan1-3'
config interface 'intch'
option proto 'static'
option device 'br-ch'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
config device
option type 'bridge'
option name 'br-at'
list ports 'wlan1-4'
config interface 'intat'
option proto 'static'
option device 'br-at'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
config interface 'Ts0AT'
option proto 'static'
option device 'tailscale0'
option ipaddr '<PUBLIC IP of the client OpenWRT>'
option netmask '255.255.255.255'
list dns '100.100.100.100'
option gateway '<PUBLIC IP of the server OpenWRT>'
option metric '5'
Firewall
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'fwintnl'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'intnl'
option forward 'ACCEPT'
config zone
option name 'fwwg0nl'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'Wg0NL'
config forwarding
option src 'fwintnl'
option dest 'fwwg0nl'
config forwarding
option src 'fwwg0nl'
option dest 'wan'
config zone
option name 'fwintuk'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'intuk'
option forward 'ACCEPT'
config zone
option name 'fwwg0uk'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'Wg0UK'
config forwarding
option src 'fwintuk'
option dest 'fwwg0uk'
config forwarding
option src 'fwwg0uk'
option dest 'wan'
config zone
option name 'fwintch'
option input 'ACCEPT'
option output 'ACCEPT'
list network 'intch'
option forward 'ACCEPT'
config zone
option name 'fwwg0ch'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'REJECT'
list network 'Wg0CH'
option forward 'REJECT'
config forwarding
option src 'fwintch'
option dest 'fwwg0ch'
config forwarding
option src 'fwwg0ch'
option dest 'wan'
config zone
option name 'fwintts'
option input 'ACCEPT'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option forward 'ACCEPT'
list network 'Ts0AT'
list network 'intat'
list network 'lan'
config forwarding
option src 'fwintts'
option dest 'lan'
config forwarding
option src 'fwintts'
option dest 'wan'
PBR
config pbr 'config'
option verbosity '2'
option strict_enforcement '1'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
option enabled '1'
option resolver_set 'none'
list supported_interface 'Wg0NL'
list supported_interface 'intnl'
list supported_interface 'lan'
list supported_interface 'intuk'
list supported_interface 'Wg0UK'
list supported_interface 'intch'
list supported_interface 'Wg0CH'
list supported_interface 'intat'
list supported_interface 'Ts0AT'
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'
config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'
config policy
option name 'WireGuard Server'
option interface 'wan'
option src_port '51820'
option chain 'output'
option proto 'udp'
option enabled '0'
config policy
option name 'ISP'
option src_addr '192.168.1.0/24'
option interface 'wan'
config policy
option name 'Wg0NL'
option src_addr '192.168.2.0/24'
option interface 'Wg0NL'
config policy
option name 'Wg0UK'
option src_addr '192.168.3.0/24'
option interface 'Wg0UK'
config policy
option name 'Wg0CH'
option src_addr '192.168.4.0/24'
option interface 'Wg0CH'
config policy
option name 'Ts0AT'
option src_addr '192.168.99.0/24'
option interface 'Ts0AT'
root@OpenWrt882:~#
ip route
default via 192.168.70.254 dev wan proto static src 192.168.70.64 metric 10
<Public IP of the Client OpenWRT> dev tailscale0 proto static scope link metric 5
192.168.1.0/24 dev br-lan proto static scope link metric 10
192.168.2.0/24 dev br-nl proto kernel scope link src 192.168.2.1
192.168.3.0/24 dev br-uk proto kernel scope link src 192.168.3.1
192.168.4.0/24 dev br-ch proto kernel scope link src 192.168.4.1
192.168.70.0/24 dev wan proto static scope link metric 10
192.168.99.0/24 dev br-at proto kernel scope link src 192.168.99.1