TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)

[Rajjco]

Running into a few kinks and I can’t quite figure out why.

Prior to having Tailscale on my AX86U via TAILMON, I ran subnet routes through one of my Tailscale-enabled Raspberry Pis, primarily for the purpose of accessing my router and a few RPi-based servers when outside my home. Everything seemed to work great.

But now that I’m running the subnet routes directly from the Tailscale-enabled AX86U, I can’t seem to access the RPis at their local IP addresses when outside the home. I’m using the same flags I’ve always used on the Raspberry Pi (--accept-dns=false --advertise-routes=192.168.50.0/24), and the subnet routes have been approved in the Tailscale console.

Not sure what the issue is.

try adding --advertise-exit-node

 

[darkj2k]

Not really my field, but have you tried adding the --snat-subnet-routes=false option to both your subnet routers; although it did not seem to help the OP in that thread, sorry.

https://www.reddit.com/r/Tailscale/comments/1cabhj4/update_has_broken_working_sitetosite_networking

Thanks for info but it was not working either.

 

[darkj2k]

Did you approve the routes in the Tailscale console?

I did for both router.

 

[ColinTaylor]

@darkj2k In your first screenshot --accept-routes=true was not set, presumably because you tried to add it after having already installed tailscale. I suggest you set it manually from the command line of each router:

tailscale set --accept-routes=true

Did you read the information I linked to regarding stateful filtering? If you're using version 1.66 or later and want LAN clients to connect to the other network you need to set --stateful-filtering=false.

If it still doesn't work I suggest you uninstall tailscale from both routers and then reinstall it afresh. This time do not update the version of tailscale. See if that makes a difference.

 

[phneeley]

A) Did you approve the subnet routes within the tailscale console web page?

B) How are you trying to access your devices, via IP or hostnames or FQDN?

Yes, subnet routes are approved in the console.

I’m attempting accces via SSH and local IP addresses, which I’ve never had an issue with when using the RPi as the subnet router.

try adding --advertise-exit-node

I first wanted to try to replicate exactly the settings I had with my RPi, per the description in my post.

I’ve since tried adding an exit node flag in the router, but still having the same issue as described.

Interestingly, when I revert to using the RPi advertised routes and turn off the router-advertised routes, I can still connect to the router’s Tailnet IP from inside the home network using a device that is at that moment not connected to the Tailnet.

I cannot do that same thing using the RPis’ Tailnet IP addresses.

 

[Rajjco]

Yes, subnet routes are approved in the console.

I’m attempting accces via SSH and local IP addresses, which I’ve never had an issue with when using the RPi as the subnet router.



I first wanted to try to replicate exactly the settings I had with my RPi, per the description in my post.

I’ve since tried adding an exit node flag in the router, but still having the same issue as described.

Interestingly, when I revert to using the RPi advertised routes and turn off the router-advertised routes, I can still connect to the router’s Tailnet IP from inside the home network using a device that is at that moment not connected to the Tailnet.

I cannot do that same thing using the RPis’ Tailnet IP addresses.

Have you checked your firewall rules on the RPi devices?

sudo ufw status numbered

 

[ColinTaylor]

Interestingly, when I revert to using the RPi advertised routes and turn off the router-advertised routes, I can still connect to the router’s Tailnet IP from inside the home network using a device that is at that moment not connected to the Tailnet.

This is to be expected. Tailscale is still running on the router. Devices on your LAN are using the router as their default gateway therefore they can reach its Tailnet IP address.

I cannot do that same thing using the RPis’ Tailnet IP addresses.

Again, expected behaviour. Your Pi is not acting as a router for your LAN.

 

[phneeley]

I’ve now switched to Userspace Mode using the subnet and exit node options and everything works as expected.

 

[Viktor Jaep]

I’ve now switched to Userspace Mode using the subnet and exit node options and everything works as expected.

For some reason I've always have had better luck with userspace mode myself... glad you got it working!

 

[jksmurf]

I’ve now switched to Userspace Mode using the subnet and exit node options and everything works as expected.

Good pickup. So if you keep everything the same and just switch one thing, Userspace mode to to Kernel mode (only), it fails (and is repeatable) to produce the connectivity you were after? Interesting catch!

 

[evo17paul]

I’ve now switched to Userspace Mode using the subnet and exit node options and everything works as expected.

Good find indeed. Must admit have only configured I. userspace mode and my ask is similar to your own, and therefore I didn't recognise this failure

Good job on finding a solution

 

[ColinTaylor]

So if you keep everything the same and just switch one thing, Userspace mode to to Kernel mode (only), it fails (and is repeatable) to produce the connectivity you were after?

I'd also be interested in the answer to this @phneeley. Are you using QoS or AiProtection?

 

[phneeley]

I don’t have enough technical know-how to explain why things seem to be working fine in Userspace mode vs Custom mode. Apart from advertising routes and the exit node (both used in both modes), the only additional flag I was attempting to run in Custom mode was --accept-dns=false.

I have QoS and AiProtection both enabled.

 

[Viktor Jaep]

Jeez... I feel bad for those who have to manage a large Tailscale network with thousands of devices... wonder if they have any auto update functionality, or ways to push updates. These updates seem to be coming fast one after another... Yeah, me on my little 5 device tailnet is COMPLAINING. LOL

 

[jksmurf]

I don’t have enough technical know-how to explain why things seem to be working fine in Userspace mode vs Custom mode. Apart from advertising routes and the exit node (both used in both modes), the only additional flag I was attempting to run in Custom mode was --accept-dns=false.

I have QoS and AiProtection both enabled.

No problem there with technical nous, was just seeing if you could, with ALL your current settings under userspace mode, make the change to kernel mode and see if it fails, thus confirming it is a mode change that makes it go TU. Thanks

 

[jksmurf]

wonder if they have any auto update functionality, or ways to push updates

Updating Tailscale · Tailscale Docs

Learn how to update the Tailscale client on various platforms.

tailscale.com

Auto updates … recommended …

 

[Viktor Jaep]

Updating Tailscale · Tailscale Docs

Learn how to update the Tailscale client on various platforms.

tailscale.com

Auto updates … recommended …

"Auto-updates are currently not supported on Synology and Linux distributions based on Arch Linux"

Well, that's like more than half of my devices...

 

[ColinTaylor]

Updating Tailscale · Tailscale Docs

Learn how to update the Tailscale client on various platforms.

tailscale.com

Auto updates … recommended …

Read further:

Auto-updates​

Tailscale can automatically apply client updates as they are released. To apply the update, the same mechanism is used during the initial client installation. For example, if the client was installed using a Linux package manager, that package manager will be used to upgrade the installed package.

In other words - Entware package updates. Except in reality using tailscale update bypasses this method. Go figure.

 

[Viktor Jaep]

Read further:

In other words - Entware package updates. Except in reality using tailscale update bypasses this method. Go figure.

Yeah, that's basically what I had to do... Ubuntu went automatically. Windows was automatic. The routers require manual intervention. No biggie. I'm just a big complainer.

 

[jksmurf]

No biggie. I'm just a big complainer.

Haha maybe you or @ColinTaylor can raise a ticket on Tailscales GitHub. Maybe other Arch Linux users (GLiNET, Openwrt?) have a similar issue and it’ll gain traction (unless someone already complained..)