[SOLVED] Tailscale subnet router limited to only some devices?

I had my parents test it on their Roku. Took forever to figure out OpenWRT, but here’s what I did.

I have Tailscale configured with public DNS. That’s important if you want to do this yourself the way I did.

Step 1 - Reconfigure Gateway on their Network

Their router is currently OpenWRT, not yet UniFi, so this is what I did.

Update /etc/config/dhcp:

config host
        option name 'nas'
        option ip '192.168.20.144'
        option mac 'D0:50:99:C2:B7:0E'

config host
        option name 'RokuUltra'
        option ip '192.168.20.142'
        option mac 'AC:AE:19:FC:21:A4'
        option dns '1'
        option tag 'gateway_to_my_network'

config tag 'gateway_to_my_network'
        list dhcp_option '3,192.168.20.144' # Gateway address
        list dhcp_option '6,100.100.100.100' # Tailscale's DNS server

After changing that config, run these commands:

uci commit dhcp
/etc/init.d/dnsmasq restart

After I did that, they had to unplug and plug in the Ethernet cable on the Roku so it could pull the correct IP information.

At this point, all traffic is routed through the NAS, which has IP forwarding enabled.

Step 2 - Set up Exit Node on NAS in their network

I needed to both connect to the exit node in the Docker container, and I needed to route all incoming traffic to Tailscale as well.

This box does not need to be a subnet router. I wasn’t able to test that situation.

Access the Tailscale Docker container’s shell and run:

tailscale set --exit-node=MY_NETWORK_NODE_NAME --exit-node-allow-lan-access

Change MY_NETWORK_NODE_NAME to the name of the exit node.

Then go to TrueNAS’s shell and run this:

sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE

This sets all incoming traffic to pass through to tailscale0 using NAT, so all IPs appear as though they’re the NAS’s Tailscale IP.

Done!

And that’s it! Once those steps are done, you can circumvent Netflix’s one-house policy :stuck_out_tongue:.

This was a fun project.

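As an added example (not code from the post above), the following Python script parses an OpenWRT /etc/config/dhcp file the way Step 1 lays it out and reports, per static host, which gateway (DHCP option 3) and DNS server (DHCP option 6) the client will actually be handed once the `config tag` sections are resolved. It goes slightly beyond the post: it also flags a host whose tag would hand it its own IP as gateway, which is the self-referencing-gateway trap described later in the thread. The sample config is constructed to mirror the post; `ROUTER_DEFAULT` is a placeholder label for untagged hosts, which OpenWRT simply points at the router itself.

```python
"""Resolve which DHCP clients an OpenWRT dnsmasq config steers to an alternate gateway.

Added example, not from the forum post. Parses 'config host' / 'config tag' sections
of /etc/config/dhcp and reports the gateway (option 3) and DNS (option 6) each host gets.
"""
import re
from typing import Dict, List

# Placeholder label for hosts with no tag: they get the OpenWRT router as gateway/DNS.
ROUTER_DEFAULT = "router (OpenWRT default)"

# Constructed sample mirroring the layout of the config in the post.
SAMPLE_DHCP_CONFIG = """\
config host
        option name 'nas'
        option ip '192.168.20.144'
        option mac 'D0:50:99:C2:B7:0E'

config host
        option name 'RokuUltra'
        option ip '192.168.20.142'
        option mac 'AC:AE:19:FC:21:A4'
        option dns '1'
        option tag 'gateway_to_my_network'

config tag 'gateway_to_my_network'
        list dhcp_option '3,192.168.20.144' # Gateway address
        list dhcp_option '6,100.100.100.100' # Tailscale's DNS server
"""

_SECTION = re.compile(r"^config\s+(\w+)(?:\s+'?([\w-]+)'?)?")
_OPTION = re.compile(r"^(option|list)\s+(\w+)\s+'([^']*)'")


def parse_uci(text: str) -> List[dict]:
    """Split a UCI file into sections: {'type', 'name', 'options': {key: [values]}}."""
    sections: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "options": {}})
            continue
        m = _OPTION.match(line)
        if m and sections:
            # 'list' keys may repeat, so every key maps to a list of values
            sections[-1]["options"].setdefault(m.group(2), []).append(m.group(3))
    return sections


def tag_options(sections: List[dict]) -> Dict[str, Dict[int, str]]:
    """Map tag name -> {dhcp option number: value} from 'config tag' sections."""
    tags: Dict[str, Dict[int, str]] = {}
    for s in sections:
        if s["type"] != "tag" or not s["name"]:
            continue
        opts: Dict[int, str] = {}
        for entry in s["options"].get("dhcp_option", []):
            num, _, value = entry.partition(",")  # '3,192.168.20.144' -> (3, gateway)
            opts[int(num)] = value
        tags[s["name"]] = opts
    return tags


def effective_routing(text: str) -> Dict[str, dict]:
    """Return {hostname: {'ip', 'mac', 'tag', 'gateway', 'dns'}} for every static host."""
    sections = parse_uci(text)
    tags = tag_options(sections)
    result: Dict[str, dict] = {}
    for s in sections:
        if s["type"] != "host":
            continue
        o = s["options"]
        tag = o.get("tag", [None])[0]
        opts = tags.get(tag, {}) if tag else {}
        name = o.get("name", o.get("mac", ["?"]))[0]
        result[name] = {
            "ip": o.get("ip", [None])[0],
            "mac": o.get("mac", [None])[0],
            "tag": tag,
            "gateway": opts.get(3, ROUTER_DEFAULT),
            "dns": opts.get(6, ROUTER_DEFAULT),
        }
    return result


def vpn_routed_hosts(text: str, vpn_gateway: str) -> List[str]:
    """Names of hosts whose DHCP gateway is the VPN router at vpn_gateway."""
    return sorted(n for n, r in effective_routing(text).items() if r["gateway"] == vpn_gateway)


def gateway_loops(text: str) -> List[str]:
    """Hosts handed their own IP as gateway: the VPN router must never be tagged with
    the tag that points at itself, or it loses its own way to the Internet."""
    return sorted(n for n, r in effective_routing(text).items()
                  if r["ip"] and r["ip"] == r["gateway"])


if __name__ == "__main__":
    for name, r in effective_routing(SAMPLE_DHCP_CONFIG).items():
        print(f"{name:10} {r['ip'] or '-':16} gateway={r['gateway']} dns={r['dns']}")
    print("loops:", gateway_loops(SAMPLE_DHCP_CONFIG))
```

Run it against a copy of the real /etc/config/dhcp to confirm that only the intended hosts show the VPN router as gateway before committing the change with `uci commit dhcp`.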

Not sure if it helps after the fact, but there is an additional tool to view applied iptables rules

sudo iptables-save

Which prints the current rules to screen.

Then

sudo iptables-save >> Sawsiptables.file

You can edit the file line by line if you wanted to change routing for some IPs or sources or such. (Single arrow clears and saves new, double adds onto any existing, or new.) Then

sudo iptables-restore Sawsiptables.file

But you got it working regardless

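As an added example (not code from either post), here is a small Python checker for the ruleset text that `iptables-save` prints, which is the file you would edit and feed back with `iptables-restore`. It parses the `*nat` table, finds the POSTROUTING MASQUERADE rule for `tailscale0` from Step 2, and reports whether that rule carries a `-s` source match: without one it masquerades whatever is forwarded out `tailscale0` regardless of which LAN host sent it, which is worth knowing before you leave the box running as a gateway. The sample ruleset is constructed, not captured from the poster's NAS.

```python
"""Audit an iptables-save dump for the NAT rule that pushes forwarded traffic into Tailscale.

Added example, not code from the thread. Input is the text `iptables-save` prints
(or the file it was redirected into); the sample below is constructed.
"""
import shlex
from typing import Dict, List

# Constructed sample of iptables-save output after the single MASQUERADE command.
SAMPLE_RULESET = """\
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tailscale0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed (constructed sample)
"""


def parse_iptables_save(text: str) -> Dict[str, List[List[str]]]:
    """Return {table: [argv, ...]} with each '-A ...' rule split into tokens."""
    tables: Dict[str, List[List[str]]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # '*nat' opens a table
            table = line[1:]
            tables.setdefault(table, [])
        elif line.startswith("-A") and table is not None:
            tables[table].append(shlex.split(line))
        # ':CHAIN POLICY [pkts:bytes]' and 'COMMIT' lines carry no rules
    return tables


def rule_options(argv: List[str]) -> Dict[str, str]:
    """Pair each flag with its value; a '!' negation is folded into the flag name."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "!" and i + 1 < len(argv):
            opts["!" + argv[i + 1]] = argv[i + 2] if i + 2 < len(argv) else ""
            i += 3
        elif tok.startswith("-"):
            has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
            opts[tok] = argv[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return opts


def masquerade_rules(text: str, iface: str = "tailscale0") -> List[Dict[str, str]]:
    """Every nat/POSTROUTING MASQUERADE rule whose out-interface is iface."""
    found = []
    for argv in parse_iptables_save(text).get("nat", []):
        o = rule_options(argv)
        if o.get("-A") == "POSTROUTING" and o.get("-j") == "MASQUERADE" and o.get("-o") == iface:
            found.append(o)
    return found


def audit(text: str, iface: str = "tailscale0") -> dict:
    """Is the VPN NAT rule present, and is every instance limited to a source range?
    'sources' lists the -s match of each rule, or 'any' when the rule has none."""
    rules = masquerade_rules(text, iface)
    return {
        "present": bool(rules),
        "source_scoped": bool(rules) and all("-s" in r for r in rules),
        "sources": [r.get("-s", "any") for r in rules],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RULESET))
```

To check a live box, run `sudo iptables-save > rules.txt` and feed that file's contents to `audit()`; a result of `source_scoped: False` means the rule is as broad as the one-liner in the post.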

I did see iptables-save, and I tried doing iptables-restore on it right after, but it errored :frowning:.


This was a “get it working and document it” kinda thing. Now that I’m done, I reverted all my changes since this was a proof-of-concept that isn’t currently needed.

Can’t believe I got this working on the NAS, also can’t believe it all came down to 1 line of iptables. Literally 1 line that took 3 days to figure out because I was scared of iptables.

I built a pfSense box, setup a Raspberry Pi with 2 OSs, and spent hours looking at videos and reading articles until I finally found a single answer on a Linux StackExchange question asking about the exact same issue for OpenVPN’s tun0. Wow…


TrueNAS makes a bad router. If I wanted a permanent solution I’d use the Raspberry Pi.

Another issue with using the NAS is all traffic coming in from LAN, including SMB and Tailscale exit node traffic, gets routed as well. So ideally, I’d have a separate router (the Raspberry Pi) specifically designated to this one task.


UPDATE

I got the iptables-restore thing working :+1:. Worked great with the correct 1-line command.

I finally set this up at my parents’ house full-time; more than my NAS demo, but multiple things changed:

  1. I got a new router and gave them my old UniFi USG.
  2. UniFi’s system is, by far, the worst router software I’ve used when you wanna do something interesting. I wasn’t able to accomplish this task in UniFi even though EdgeOS supports it. I even tried running VLANs with all UniFi managed switches, and it wasn’t able to assign devices to VLANs over DHCP. As far as I understand it, that’s called 802.1Q.
  3. I turned off DHCP in UniFi on their network and configured the old OpenWRT router as a DHCP server. I set up DHCP options 3 (gateway) and 6 (DNS) as the UniFi router.
  4. Then, like before, I changed the DHCP entries on only a few machines to run through a Raspberry Pi 3B acting as a Tailscale VPN router.

Full Configuration

OpenWRT LAN interface

OpenWRT Devices

UniFi Network

Why UniFi sucks for this

When I was doing it with VLANs in UniFi, the Raspberry Pi needed 2 Ethernet adapters. One for the main network and another for the VLAN network.

UniFi lets you set the gateway address, but that means everything on that VLAN, including the Raspberry Pi, points to the Raspberry Pi as a gateway. Unless I statically assigned its gateway as the UniFi router, there was no way for it to access the Internet from inside the VLAN.

My solution was 2 Ethernet adapters, but that took 2 switch ports and was completely unnecessary. And like I said, this only worked on switch ports. I’d have to create a separate WiFi SSID to VLAN 2 other wireless-only devices.

I also tried creating firewall rules to and from the VPN VLAN, but was unable to communicate with devices on that other subnet. It shouldn’t be this hard to figure out.

In the end, I think using OpenWRT as a DHCP server was the simplest route since I already got it working, and they already had it on their own router.

VPNing only specific domains

One thing I’d like to do is route only certain domains through Tailscale, but I’m not versed enough in iptables to figure that out.

No IPv6

I have absolutely no clue how to figure out IPv6 outside of UniFi. I can set it up in OpenWRT, but there’s no UniFi WAN interface to grab IPs with that prefix. I ended up just turning it off in UniFi and OpenWRT.


If the solution is ugly, but it works, it’s a “bodge” in our parlance, or a jerry-rigged solution, or janky.
I love such.

Obviously there should be a way to do it with the proper gear, but if it’s a hot mess of fail, then simply getting it working the way you did is a win!


Thanks! Yeah, it’s super jank, but the functionality is solid. I can easily add new devices to the VPN now. I’m specifically documenting everything on this forum, so I don’t forget what I was thinking when I try to change something in the future.

The final solution is surprisingly less-jank than using UniFi + VLANs or UniFi + JSON :man_shrugging:.

I’m just glad OpenWRT is behind NAT now. One less thing I have to worry about. Although, Tailscale subnets make it easy to target, and I can even install Tailscale on the device itself provided I add more storage.


Hey man, I’m trying to implement a solution similar to what you did but I need some help.

What I have so far:

  1. Raspberry Pi acting as an exit node at my friend’s house.
  2. Raspberry Pi that my Roku Ultra connects to, that is connected to my router (Roku <-----> RPi <-----> router)

To get this to work, do I just need to have Raspberry Pi #2 use Raspberry Pi #1 as an exit node and run the command “sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE” on Raspberry Pi #2?

Were you able to get this working?

I’m not certain what steps you took, so it’s a bit difficult to understand exactly how you have it setup.

There are other ways to set this up in the Raspberry Pi, but I’m not an expert at IP tables or much of Linux networking.

The way my config worked, the DHCP server in the router told the Roku to use the Raspberry Pi as a gateway, and the Raspberry Pi is set up to send all packets that come in through the VPN.