TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)

[monorailmedic]

My

My understanding (at least in user mode) is that when you connect to devices on the local lan from the tailnet, it appears to the device to be coming from the router ip, not some new vpn subnet like the other vpn servers do. So if the tailnet process initiates the outbound connection to the tailnet, this whole scheme eliminates any need to touch iptables.

That may well be the case - so then we still end up with the core issue of "why doesn't this work?"

I'm remoted into a box on the network in question and I can't reach anything on the tailnet. Devices connected to Tailscale via any other connection can see each other, admin shows the router in question as connected. The red flag (beyond simply not working) is that --status always shows the router as idle.

 

[Viktor Jaep]

Found this as I have the same setup but Tailscale is not working right.
I run the WAN Failover script via AMTM (which I also used to install Tailmon) on an AX58U running Merlin (a version from prob a year ago? I should update but sometimes that gets fickle). My failover is TMOHI, my main is fiber.

I have essentially three networks - two, in two other locations - are behind glinet routers running Tailscale and have subnet routing turned on. All those device see each other, and if I'm elsewhere, I can connect to Tailscale via the desktop client and it works great. I also have a third network which, until recently, just had Tailscale running on a NAS. This allowed a solid Exit Node, and the subnet routing worked so I could access devices on this third network without a problem.

Recently, I put Tailmon on the AX58U however so that I could, without running a desktop client, have a machine on that third network and directly reach anything on the other networks on my tailnet. I installed Tailmon via the script, enabled subnet routing (and authorized in admin), and it looked okay...but it doesn't work. The connection in --status always shows idle, and the routing table (from CL ip routing) doesn't show 100.* IPs at all. I can't access other device on the tailnet from inside this network. I really can't figure out why.

I've got posts on this thread and on reddit but no dice yet.

• Are you using the native WAN Failover or the WAN Failover script (which is far more reliable). Asking as I'm wondering if the script is impacting the routing table that generates automatically.
• Do you see a 100.* IP on your routing table (from the CLI when using ip route)?
• Any other thoughts?

Very stuck and would appreciate any input.

Yeah, I can confirm... by default, there are no routes listed when tailscale is running.

 

[JGrana]

.

• Are you using the native WAN Failover or the WAN Failover script (which is far more reliable). Asking as I'm wondering if the script is impacting the routing table that generates automatically.
• Do you see a 100.* IP on your routing table (from the CLI when using ip route)?
• Any other thoughts?

Very stuck and would appreciate any input.

Sorry, not using any failover functions provided by the router. My wife’s iPhone will do the failover via a different SSID.
I do see 2 100.* networks in my routing table.

 

[Viktor Jaep]

I do see 2 100.* networks in my routing table.

Are you running it under "kernel" or "userspace" mode? I'm in the "userspace" camp. Wonder if that makes any difference?

 

[jksmurf]

Are you running it under "kernel" or "userspace" mode? I'm in the "userspace" camp. Wonder if that makes any difference?

I’m not sure if this post is 100% related but if it is then I’m in the Kernel mode camp .

 

[JGrana]

Are you running it under "kernel" or "userspace" mode? I'm in the "userspace" camp. Wonder if that makes any difference?

Yes, I’m running in kernel mode.
BTW, apologies for the late reply. I was OOT. When I checked my route table, I was in another state with my iPad which is running Tailscale. I simply ssh’d into my router, running tm. Easy peasy.

 

[Viktor Jaep]

PUBLIC NOTICE! Entware just got a refresh here on August 9/10 (depending where you are in the world)... and so after you update entware, it will overwrite your latest 1.70.0 tailscale binary version with the 1.68.2-1 version that comes packaged with entware... which will require you to reinstall 1.70.0 from the tailmon setup menu... Unfortunately it's another step, but it was quick and easy to get back to normal.

 

[jksmurf]

PUBLIC NOTICE! Entware just got a refresh here on August 9/10 (depending where you are in the world)... and so after you update entware, it will overwrite your latest 1.70.0 tailscale binary version with the 1.68.2-1 version that comes packaged with entware... which will require you to reinstall 1.70.0 from the tailmon setup menu... Unfortunately it's another step, but it was quick and easy to get back to normal.

Thanks for the heads up. Updated entware locally OK (without TS) but when I tried updating entware packages remotely, over a Tailscale (via Tailmon) connection it just got stuck and shut down tailscaled and didn't go any further (entware packages not updated).

Ended up using Wireguard (I have a WG server running on the remote router for emergencies if Tailmon doesn't connect), updating entware, then updated the TS ver 1.68 to 1.70.

 

[jhaf]

Hi newbie were, I have 2 asus rt-ac86u merlin with entware . I will like to use tailscale site2site
one site is 192.168.0.1 the other 192.168.1.1 and 192.168.2.1
My goal is that all computers can comunicate both ways.
Shall I use
tailscale up --advertise-routes=192.168.1.0/24,192.168.2.0/24 --snat-subnet-routes=false --accept-routes and
tailscale up --advertise-routes=192.168.0.0/24 --snat-subnet-routes=false --accept-routes

Thanks

 

[jksmurf]

Hi newbie were, I have 2 asus rt-ac86u merlin with entware . I will like to use tailscale site2site
one site is 192.168.0.1 the other 192.168.1.1 and 192.168.2.1
My goal is that all computers can comunicate both ways.
Shall I use
tailscale up --advertise-routes=192.168.1.0/24,192.168.2.0/24 --snat-subnet-routes=false --accept-routes and
tailscale up --advertise-routes=192.168.0.0/24 --snat-subnet-routes=false --accept-routes

Thanks

Hi,

Viktor's a bit tied up with work stuff atm, but just a wee heads up that Tailmon was set up primarily to put Tailscale on your Router with simple setups and configurations, but not really to delve deeply into the many, many configurations.

Having said that there's a very helpful user on Reddit (julietscause) who wrote up this "how to" on site2site, which I find helpful, perhaps start there, along with Tailscale's own resource on site2site.

https://www.reddit.com/r/Tailscale/comments/158xj52/comment/jteo9ll

The example given (for 2 subnets, but not 3) translates to:

tailscale up --advertise-routes=192.168.10.0/24 --snat-subnet-routes=false --accept-routes
tailscale up --advertise-routes=172.16.100.0/24 ---snat-subnet-routes=false --accept-routes

so it appears you're on the right track,

Once you get it setup, and it is not doing what you expect it to, come back with error messages or issues and I am sure someone might be able to help.

Have a look at "site2site" (only 4 hits), but more at the "site to site" (~19 hits) searches in this thread, a few folks have had good results, others mixed results, but it'll give you a good idea of the parameters used for each use case too.

btw there is a preset Site to Site function to set it up on each router (see pics), but it might not be the more advanced setup you are after.

HTH

 

[jhaf]

Hi,

Viktor's a bit tied up with work stuff atm, but just a wee heads up that Tailmon was set up primarily to put Tailscale on your Router with simple setups and configurations, but not really to delve deeply into the many, many configurations.

Having said that there's a very helpful user on Reddit (julietscause) who wrote this "how to" up on site2site, which I find helpful, perhaps start there, along with Tailscale's own resource on site2site.

https://www.reddit.com/r/Tailscale/comments/158xj52/comment/jteo9ll

The example given (for 2 subnets, but not 3) translates to:

tailscale up --advertise-routes=192.168.10.0/24 --snat-subnet-routes=false --accept-routes
tailscale up --advertise-routes=172.16.100.0/24 ---snat-subnet-routes=false --accept-routes

so it appears you're on the right track,

Once you get it setup, and it is not doing what you expect it to, come back with error messages or issues and I am sure someone might be able to help.

Have a look at "site2site" (only 4 hits), but more at the "site to site" (~19 hits) searches in this thread, a few folks have had good results, others mixed results, but it'll give you a good idea of the parameters used for each use case too.

btw there is a preset Site to Site function to set it up on each router (see pics), but it might not be the more advanced setup you are after.

HTH

Thank you will read all and come back.Thanks

 

[rung]

Thank you will read all and come back.Thanks

Haven't tried site2site but I am pretty sure you need to be in kernel mode for it to work (tailmon default is user space mode). Good luck and let us know if you get it working and how!

 

[jhaf]

@Viktor Jaep , just installed 17b on 2 routers (both on a different WAN). I was using Custom.
Changed to Kernel, added the enable “accept-routes” on both.

Worked like a charm.

Hi JGrana can you please share the cmd you use ? Thanks

 

[JGrana]

Hi JGrana can you please share the cmd you use ? Thanks

Sure @jhaf .

Here is the main router (AX88U Pro using Starlink)

And here is the “other site” an AX58U using TMobile for WAN

The AX58U is in the next room - it’s my backup WAN.

I did have a true remote site working - it’s 2300 miles away.
It used similar settings to the AX58U. Unfortunately - I tried to update it remotely and in the process disconnected it :-(
The good news is that I will be at that place in a few weeks and get it reconnected to my Tailscale network.

I need to do some research on how to update (or not ;-) remote sites.

 

[jhaf]

Sure @jhaf .

Here is the main router (AX88U Pro using Starlink)

View attachment 60920

And here is the “other site” an AX58U using TMobile for WAN

View attachment 60921

The AX58U is in the next room - it’s my backup WAN.

I did have a true remote site working - it’s 2300 miles away.
It used similar settings to the AX58U. Unfortunately - I tried to update it remotely and in the process disconnected it :-(
The good news is that I will be at that place in a few weeks and get it reconnected to my Tailscale network.

I need to do some research on how to update (or not ;-) remote sites.

THANK you will give a go thanks

 

[jksmurf]

I need to do some research on how to update (or not ;-) remote sites.

Mine is 9000kms away. I assume you meant FW update and not TAILMON updates or Tailscale updates?

TAILMON updates work fine over SSH, for FW updates I use MerlinAU, for beta FW updates I use the GUI and hold my breath.

I do have a backup WireGuard Server set up on the remote router for emergencies and I’ve used that once or twice when Tailmon didn't come back up (the recent entware update e.g.)

 

[jksmurf]

Here is the main router (AX88U Pro using Starlink)

Quick Q did you use the TAILMON site to site option I referred to above to set this up or just did it manually? Tx

 

[JGrana]

Quick Q did you use the TAILMON site to site option I referred to above to set this up or just did it manually? Tx

I used TAILMON for both routers. I had originally added that line, before @Viktor Jaep added the site-to-site option. After he did, I re-did the network and just selected the Site-to-Site setting in TAILMON.

I noticed I never did anything with SNAT. The site-to-site seems to be working fine, so I never added that.

 

[jksmurf]

I used TAILMON for both routers. I had originally added that line, before @Viktor Jaep added the site-to-site option. After he did, I re-did the network and just selected the Site-to-Site setting in TAILMON.

Thank you that is very useful and I am sure will be useful for others i.e. that you can just use Tailmon's site to site setup option on both routers and away you go.

I noticed I never did anything with SNAT. The site-to-site seems to be working fine, so I never added that.

Interesting, it seems like others have also left that snat statement off the command line.
That reddit thread goes some way to describe what you gain with it and why you may not need it.

Some other links describing what it does, that it might not always work as you expect:

• Snat off 01
• Snat off 02
• Snat off 03
• Snat off 04

The last link has this nice summary:

2.1) On the 192.168.57.254 device, advertise routes for 192.168.57.0/24:

    tailscale up --advertise-routes=192.168.57.0/24 --snat-subnet-routes=false --accept-routes

Command explained:
--advertise-routes: Exposes the physical subnet routes to your entire Tailscale network.
--snat-subnet-routes=false: Disables source NAT. In normal operations, a subnet device will see the traffic originating from the subnet router. This simplifies routing, but does not allow traversing multiple networks. By disabling source NAT, the end machine sees the LAN IP address of the originating machine as the source.
--accept-routes: Accepts the advertised route of the other subnet router, as well as any other nodes that are subnet routers.

 

[JGrana]

I will add that snat to both ends of the site-2-site and see if it makes any difference.