Tailscale - accept connections? Firewall zone?

Hi, I am running Firmware 7.6 on a RUTX11.

I wanted to have a go with the new Tailscale package so I installed it and have it joined to my Tailnet. From the RUT itself I can ping other hosts on the tailnet. It shows “connected” and has a correctly assigned IP on the tailscale0 interface.

But, I cannot ping, ssh, or access the LuCI interface of the RUTX from any other hosts in the Tailnet. Additionally, I don’t see a way to allow it in the Firewall Zones setup or assign an interface to it in LAN/WAN.

Am I doing something wrong? Any guidance?

Update: I created a Firewall rule like this (dest. address == the RUTX tailnet IP) and it seems to work. But I don’t know if this is “correct”. It should at the very least be mentioned somewhere or perhaps made into a toggle directly on the Tailscale config page in LuCI as this is probably a very common use case (to allow device to be accessed from behind CGNAT)

Anyone else using the Tailscale package who can comment on this? Did I handle this correctly?

Teltonika: are there any docs on this, or please consider some hints in the UI to warn users that no incoming connections are possible until this step is completed?

Have you tried to add a zone in Network->Firewall similar to the one automagically built for wireguard?
In lan zone, add it to “Allow forward to destination zones” and “Allow forward from source zones”, and set tailscale=>lan to Accept/accept/Accept.

@flebourse Yes I did try that but the tailscale / tailnet interface does not show up in the list of networks the way Wireguard does. So I don’t think I am able to create a zone in this way. Maybe some manual config editing… ?

Are you sure you need to set “Covered Networks”? The field stays empty for the zerotier case and the ztxxx interface works fine.
EDIT: older versions had an “Add new” option there.

I have added "option device 'tailscale+'" to the firewall zone in /etc/config/firewall.

Hmm. From [OpenWrt Wiki] Tailscale :

I tried to follow a mix of your guidance and the steps from that page, which don’t really align with the options available in LuCI for 7.6. I added it manually as a “LAN” interface… and created the zone…

Ended up with a bit of an odd config. Pretty sure it’s close but not quite there

This looks good, you have a 100.x.x.x address on the interface!

So I have configured tailscale on an RUTX11 with covered networks empty and an OpenWRT as described above, both can ping each other.

I undid the manual fw rule I created before and tried to configure everything via the GUI.

Here are screenshots of what I did

After this, I compared the configs, and found that these were the changes.

Added to /etc/config/network

config interface 'ifLan1'
	option area_type 'lan'
	option force_link '1'
	option proto 'none'
	option device 'tailscale0'
	option name 'tailscale'

Added to /etc/config/firewall

config zone '22'
	option name 'tailscale'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'ifLan1'

I’m able to ping/ssh in and out. And, it survives a reboot. Again, not sure if this is “right”, but it works. The only oddball thing is that the IP address isn’t shown on the status pages:

Feels like the tailscale interface/zone should be automatically added when the package is installed and the config is enabled, instead of requiring the manual steps.
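An added example, not from any poster in this thread or from Teltonika: a small sh/awk check that lists each zone's input and forward policy from /etc/config/firewall-style text. It assumes RutOS follows standard OpenWrt zone semantics, where input governs traffic to the router itself (ping, SSH, LuCI) and forward governs traffic routed between networks covered by the zone. The function names and the second zone, ts_local, are constructed for illustration.

```shell
# audit_zones: read UCI firewall config on stdin and print one line per zone:
#   <name> input=<policy> forward=<policy> [REVIEW note]
audit_zones() {
    awk '
    BEGIN { q = "[" sprintf("%c", 39) "\"]" }   # matches a single or double quote
    function unq(s) { gsub("^" q "|" q "$", "", s); return s }
    function emit() {
        if (!inzone) return
        note = ""
        # input=ACCEPT is enough for peers to reach the router itself;
        # forward=ACCEPT also permits routing inside the zone, so flag it.
        if (toupper(fwd) == "ACCEPT") note = " REVIEW: forward=ACCEPT"
        printf "%s input=%s forward=%s%s\n", name, inp, fwd, note
    }
    $1 == "config" {
        emit()
        inzone = ($2 == "zone")
        name = "(unnamed)"; inp = "unset"; fwd = "unset"   # shown when an option is absent
        next
    }
    inzone && $1 == "option" {
        if ($2 == "name")    name = unq($3)
        if ($2 == "input")   inp  = unq($3)
        if ($2 == "forward") fwd  = unq($3)
    }
    END { emit() }
    '
}

# First zone: as posted in this thread. Second zone: constructed for contrast.
sample_config() {
cat <<'EOF'
config zone '22'
	option name 'tailscale'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	option network 'ifLan1'

config zone
	option name 'ts_local'
	option input 'ACCEPT'
	option forward 'REJECT'
	option device 'tailscale+'
EOF
}

sample_config | audit_zones
```

On the router, the same function can be pointed at the live file with `audit_zones < /etc/config/firewall`.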

Yes, the integration appears to be incomplete.


Hello guys, just wanted to share that we are aware of the issue and it will be fixed with the 7.7 FW release; no hotfix planned.

Okay, thank you for that.

I saw this in the release notes for 7.06.5

I haven’t had a chance to test it, yet

How did you get tailscale to install? On my RUT240 it says package not found.
“Unknown package tailscale. Package installation encountered an error, removing previously installed packages.” It is not in the list of packages I can install in the gui either.

RUT240 is too weak for Tailscale.
You need a more beefy machine for that.

Just saw your message. I’d like to try it. Tailscale says almost anything can be a client.
But I need more space. The install aborted needing 1.9m more space. What packages can I remove to get 3 more megabytes? Maybe I should go for 6 because after freeing 3, maybe it will need more.

Don’t do it - it’s not worth it.
Tailscale is also writing log files, uses CPU and memory.
RUT240 is end of life (EOL) anyway.

EOL Products