Tailscale - accept connections? Firewall zone?

Hi, I am running firmware 7.6 on a RUTX11.

I wanted to have a go with the new Tailscale package so I installed it and have it joined to my Tailnet. From the RUT itself I can ping other hosts on the tailnet. It shows “connected” and has a correctly assigned IP on the tailscale0 interface.

But, I cannot ping, ssh, or access the LuCI interface of the RUTX from any other hosts in the Tailnet. Additionally, I don’t see a way to allow it in the Firewall Zones setup or assign an interface to it in LAN/WAN.

Am I doing something wrong? Any guidance?

Update: I created a Firewall rule like this (dest. address == the RUTX tailnet IP) and it seems to work. But I don’t know if this is “correct”. It should at the very least be mentioned somewhere, or perhaps made into a toggle directly on the Tailscale config page in LuCI, as this is probably a very common use case (to allow the device to be accessed from behind CGNAT).

Anyone else using the Tailscale package who can comment on this? Did I handle this correctly?

Teltonika: are there any docs on this, or please consider some hints in the UI to warn users that no incoming connections are possible until this step is completed?

Have you tried to add a zone in Network->Firewall similar to the one automagically built for WireGuard?
In the lan zone, add it to “Allow forward to destination zones” and “Allow forward from source zones”, and set tailscale => lan to Accept/accept/Accept.

@flebourse Yes, I did try that, but the tailscale / tailnet interface does not show up in the list of networks the way WireGuard does. So I don’t think I am able to create a zone in this way. Maybe some manual config editing…?

Are you sure you need to set “Covered Networks”? The field stays empty for the ZeroTier case and the ztxxx interface works fine.
EDIT: older versions had an “Add new” option there.

I have added "option device 'tailscale+'" to the firewall zone in /etc/config/firewall.

Hmm. From [OpenWrt Wiki] Tailscale:

I tried to follow a mix of your guidance and the steps from that page, which don’t really align with the options available in LuCI for 7.6. I added it manually as a “LAN” interface… and created the zone…

Ended up with a bit of an odd config. Pretty sure it’s close but not quite there.

This looks good, you have a 100.x.x.x address on the interface!

So I have configured Tailscale on an RUTX11 with covered networks empty and on OpenWrt as described above; both can ping each other.

I undid the manual fw rule I created before and tried to configure everything via the GUI.

Here are screenshots of what I did

After this, I compared the configs, and found that these were the changes.

Added to /etc/config/network

config interface 'ifLan1'
	# RutOS-specific: lists the interface under LAN in the UI
	option area_type 'lan'
	# treat the interface as up even though the TUN device reports no carrier
	option force_link '1'
	# no address from netifd: tailscaled assigns the 100.x.x.x address itself
	option proto 'none'
	# the TUN device tailscaled creates
	option device 'tailscale0'
	option name 'tailscale'

Added to /etc/config/firewall

config zone '22'
	option name 'tailscale'
	option output 'ACCEPT'
	# input ACCEPT is what lets tailnet hosts reach the router itself (ping, ssh, LuCI)
	option input 'ACCEPT'
	# zone 'forward' only governs traffic between networks inside this zone;
	# reaching LAN clients from the tailnet still needs a tailscale -> lan forwarding
	option forward 'ACCEPT'
	option network 'ifLan1'

I’m able to ping/ssh in and out, and it survives a reboot. Again, not sure if this is “right”, but it works. The only oddball thing is that the IP address isn’t shown on the status pages:

Feels like the tailscale interface/zone should be automatically added when the package is installed and the config is enabled, instead of requiring the manual steps.
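The same interface-plus-zone setup that the post above reaches by hand, scripted with uci so it can be printed, reviewed, applied and verified in one place. This is an added example written for this page, not code from the thread or from Teltonika. It assumes section names 'tailscale' for both the network interface and the firewall zone (the post used 'ifLan1' and zone '22'), that tailscaled creates tailscale0, and that the router receives an address from Tailscale's 100.64.0.0/10 range. It deliberately sets the zone's forward policy to REJECT instead of the ACCEPT the post used, and makes tailnet-to-LAN forwarding an explicit opt-in, because zone 'forward' does not grant inter-zone access anyway; the RutOS-only `area_type` option is left out.

```shell
#!/bin/sh
# Added example (not from the thread): create the Tailscale interface and
# firewall zone with uci. Names below are assumptions, override via env.
TS_DEV="${TS_DEV:-tailscale0}"           # TUN device created by tailscaled
TS_IFACE="${TS_IFACE:-tailscale}"        # /etc/config/network section (assumed name)
TS_ZONE="${TS_ZONE:-tailscale}"          # /etc/config/firewall zone (assumed name)
TS_FORWARD_TO_LAN="${TS_FORWARD_TO_LAN:-0}"  # 1 = also let tailnet hosts reach LAN clients

# Emit the uci batch. proto 'none' because tailscaled, not netifd, owns the
# address. input ACCEPT is the line that makes ssh/LuCI reachable from the
# tailnet. The zone's forward policy only covers traffic between networks
# inside this zone, so LAN access is a separate, explicit forwarding section.
tailscale_uci_batch() {
    cat <<EOF
set network.${TS_IFACE}=interface
set network.${TS_IFACE}.proto='none'
set network.${TS_IFACE}.device='${TS_DEV}'
set network.${TS_IFACE}.force_link='1'
set firewall.${TS_ZONE}=zone
set firewall.${TS_ZONE}.name='${TS_ZONE}'
set firewall.${TS_ZONE}.network='${TS_IFACE}'
set firewall.${TS_ZONE}.input='ACCEPT'
set firewall.${TS_ZONE}.output='ACCEPT'
set firewall.${TS_ZONE}.forward='REJECT'
EOF
    if [ "$TS_FORWARD_TO_LAN" = 1 ]; then
        cat <<EOF
set firewall.${TS_ZONE}_to_lan=forwarding
set firewall.${TS_ZONE}_to_lan.src='${TS_ZONE}'
set firewall.${TS_ZONE}_to_lan.dest='lan'
EOF
    fi
    printf 'commit network\ncommit firewall\n'
}

# Extract the IPv4 address from `ip -4 -o addr show dev <dev>` output.
# Takes the text as an argument so it can be checked offline on a captured line.
tailscale_addr_from_ip_output() {
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# Tailscale allocates node addresses from 100.64.0.0/10, i.e.
# 100.64.0.0 to 100.127.255.255. Anything else on tailscale0 means the
# wrong device or a node that has not logged in yet.
in_tailscale_range() {
    case "$1" in 100.*.*.*) ;; *) return 1 ;; esac
    second=$(printf '%s' "$1" | cut -d. -f2)
    case "$second" in ''|*[!0-9]*) return 1 ;; esac
    [ "$second" -ge 64 ] && [ "$second" -le 127 ]
}

# Constructed sample of `ip -4 -o addr show dev tailscale0` output (not captured
# from a real router), so the parser can be exercised without tailscaled.
SAMPLE_IP_OUTPUT='7: tailscale0    inet 100.101.102.103/32 scope global tailscale0\       valid_lft forever preferred_lft forever'

# Live check on the router: device exists, address is in range, zone is committed.
tailscale_verify() {
    out=$(ip -4 -o addr show dev "$TS_DEV" 2>/dev/null) || { echo "$TS_DEV missing: is tailscaled up and logged in?"; return 1; }
    addr=$(tailscale_addr_from_ip_output "$out")
    in_tailscale_range "$addr" || { echo "unexpected address '$addr' on $TS_DEV"; return 1; }
    [ "$(uci -q get "firewall.${TS_ZONE}.input")" = ACCEPT ] || { echo "zone $TS_ZONE not committed"; return 1; }
    echo "ok: $TS_DEV has $addr and zone $TS_ZONE accepts input"
}

# Usage: sh tailscale-zone.sh print | apply | verify
case "${1:-}" in
    print)  tailscale_uci_batch ;;
    apply)  tailscale_uci_batch | uci batch && /etc/init.d/network reload && /etc/init.d/firewall reload ;;
    verify) tailscale_verify ;;
esac
```

Run `print` first and read the batch, then `apply` on the router, then `verify`; `TS_FORWARD_TO_LAN=1 sh tailscale-zone.sh apply` adds the tailscale -> lan forwarding if LAN clients behind the CGNAT'd router should be reachable too. Because the zone's input policy is ACCEPT, every tailnet node can reach every service the router listens on; if that is broader than intended, narrow it with per-port rules in the same zone rather than opening input wholesale.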

Yes, the integration appears to be incomplete.


Hello guys, just wanted to share that we are aware of the issue and it will be fixed with the 7.7 FW release; no hotfix is planned.

Okay, thank you for that.

I saw this in the release notes for 7.06.5:

I haven’t had a chance to test it yet.