Tailscale Site to Site VPN Using Exit Node Server and OpenWrt Client IPv6 Not Working

Use case: I have a work computer that I can't install Tailscale directly on but want to use Tailscale at the OpenWrt router level to route all traffic of non-Tailscale devices on this router on the client side to a Linux exit node server that I have located at another location.

The problem: When I use the exit node using a device that has Tailscale installed directly, it works flawlessly. The real problem that I'm running into is on the client side trying to get the IP of devices that are not running Tailscale but connected to the OpenWrt router to work properly. I have Tailscale installed on my OpenWrt router and have it configured as a subnet router. I am running this command:
tailscale up --advertise-routes= --netfilter-mode=off --exit-node=100.xxx.xxx.xxx --exit-node-allow-lan-access=true

For context for the Netfilter, according to this OpenWrt documentation you have to do this with Tailscale and OpenWrt.

When I check my IP of a non-Tailscale device that is connected to the OpenWrt router, when I check the what is my IP address site on the exit node vs. on the client non-Tailscale device, it seems to show the IPv4 as matching the IPv4 of the exit node, but the IPv6 is different and it shows the client side ISP and location and not the exit node ISP and location. I enabled IPv4 and IPv6. What is it that I'm doing wrong here? I have a feeling that it's something OpenWrt firewall related that I'm not doing correctly. I am a novice and am trying to teach myself this stuff as I go. I added the interface and the firewall zone in Luci as mentioned here: https://openwrt.org/docs/guide-user/services/vpn/tailscale/start?s[]=link
I don't know if I have to add any exit node IP here or not, I haven't added any IPs to these.

For context of documentation I've used, I have used:
https://openwrt.org/docs/guide-user/services/vpn/tailscale/start?s[]=link for the OpenWrt install and
https://tailscale.com/kb/1103/exit-nodes/ +
https://tailscale.com/kb/1019/subnets/ from Tailscale.

I just recently found https://tailscale.com/kb/1214/site-to-site/ but have not followed anything here, if I'm being stupid and missed a step let me know.

Update: It looks like I am able to SSH into the exit node server fine with Tailscale running on the OpenWrt router only. When I ran --curl ifconfig.me it looks like the public IPv4 is still matching the IPv4 on the client machine listed on what is my ip website, but it is still showing my location as the current location and not the exit node location. I think it may have something to do with what mk24 said below with the IPv6 issue somehow.

I was just looking, I think I may have found the issue? When I run --ip route on my exit node, the default route at that location is the same as my OpenWrt default route on the client side. I noticed on the site to site link (it will only let me post so many links) this note: "This scenario will not work on subnets with overlapping CIDR ranges, nor with 4via6 subnet routing." Could this be what my issue is? Do I just need to change my default route in OpenWrt on the client side?

The issue is definitely IPv6, changing the title.

When I connect to the what is my IP site it will successfully show my location as the location of my exit node, but only sees an IPv4 IP address but not an IPv6. When I do this on a non-Tailscale device connected to the subnet router, it will show my IPv4 address as matching my exit node IPv4, but it will show my location as my actual client side location which I assume it gets from my IPv6, and it does show an IPv6 and the IPv6 is different from that of the exit node.

I found this post on the Tailscale forum, "Ipv6 does not work with exit node", but this didn't seem to answer the question, but I am a newbie to this stuff so maybe I'm just not getting it. I have run --sysctl -n net.ipv4.ip_forward net.ipv6.conf.all.forwarding over SSH on the exit node and got 1 and 1, so it looks like I do have both IPv4 and IPv6 enabled.

Has anyone else had a similar problem? What do I need to do to fix this?

It sounds like v4 goes through the tunnel but v6 does not. This seems understandable since it doesn't look like you've configured anything to route IPv6.

1 Like
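The diagnosis in the reply above (IPv4 follows the tunnel, IPv6 does not) can be confirmed on the router by asking the kernel which interface it would pick for a forwarded LAN packet in each address family. The script below is an added example, not part of the thread or of Tailscale's or OpenWrt's own tooling; the interface names `br-lan` and `eth1`, the documentation-range addresses and both sample lines are constructed assumptions, and `tailscale0` is Tailscale's default Linux interface name.

```shell
#!/bin/sh
# Added example: classify `ip route get` output as "through the tunnel" or
# "leaking out another interface" for one address family.

TUNNEL_IF="tailscale0"   # Tailscale's default interface name on Linux

# Print the interface that follows the "dev" token in `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# classify <label> <route-get-output>
# Prints "<label> tunnel", "<label> leak:<dev>" or "<label> unroutable".
classify() {
    dev=$(egress_dev "$2")
    if [ -z "$dev" ]; then
        echo "$1 unroutable"          # no route at all: traffic is dropped
    elif [ "$dev" = "$TUNNEL_IF" ]; then
        echo "$1 tunnel"              # forwarded traffic enters the exit-node path
    else
        echo "$1 leak:$dev"           # forwarded traffic bypasses the tunnel
    fi
}

# Constructed samples of what the router might print for a LAN client whose
# IPv4 follows the exit node while IPv6 still uses the ISP uplink (eth1).
SAMPLE_V4='192.0.2.1 from 192.168.1.50 dev tailscale0 table 52
    cache iif br-lan'
SAMPLE_V6='2001:db8:ffff::1 from 2001:db8:1::50 via fe80::1 dev eth1 proto static metric 512 pref medium'

classify ipv4 "$SAMPLE_V4"
classify ipv6 "$SAMPLE_V6"

# On the router itself, replace the samples with live lookups, for example:
#   classify ipv6 "$(ip -6 route get <dest> from <lan-client-addr> iif br-lan 2>/dev/null)"
```

A `leak:` result for IPv6 alongside `tunnel` for IPv4 matches the symptom described in the question: the IP-check site sees the exit node's IPv4 address but the client-side ISP's IPv6 address.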

What do I need to do to configure this? I'm curious too because it does work when I use a device that has Tailscale on it directly but not when I try to use a non-Tailscale device using the OpenWrt router.

Go to LAN/Ethernet Properties on the non-Tailscale client and disable IPv6.

Are you suggesting to do this on the client machine, or all IPv6 in OpenWrt? I kind of want to get it to work with IPv6 if I'm able, but if not I will just disable the IPv6.

You can try disabling IPv6 on the client side first and check whether it is working as you expected or not.
Then try disabling it on the router.

Same problem. I followed the official OpenWrt setup instructions (https://openwrt.org/docs/guide-user/services/vpn/tailscale/start).
If I use my Android phone as the exit node, everything works well. But when I use my OpenWrt router as the exit node, both site to site and exit node have something wrong with the IPv6 address.
ping6 failed and all hops of the traceroute6 output are my router; it seemed to be getting stuck in some loop.