
TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)


@Dr.Rom Remove the static routes. They should not be necessary (and the interface is wrong anyway) as the tailmon daemon creates its own routing rules.

In the first instance try testing with --snat-subnet-routes=true and --stateful-filtering=false. If that works then change --snat-subnet-routes to false.

P.S. Although unrelated to your question you probably want to set --accept-dns=false on each router as well to prevent tailscale interfering with your local DNS configuration.

EDIT: I forgot to mention, --stateful-filtering is a new parameter introduced in tailscale v1.66.
 
Hello

I’ve been asked to move my question here even though I don’t think it was Tailmon related per se but rather in setting up Tailscale for site to site. But maybe someone here will be able to guide me.

I need help to set up a site-to-site connection using Tailscale (1.66.4) with two RT-AX86U_Pros running on the latest Merlin firmware

Both routers have Tailmon installed. First one has 192.168.1.0/24 advertised. The other has 192.168.2.0/24. I have set both to --accept-routes --snat-subnet-routes=false. All settings are allowed through Tailscale admin page. I have also set routing in:

LAN—>Route—>Static routes to yes

In router A with ip 192.168.1.1: Network 192.168.2.0 Mask: 255.255.255.0 Gateway: 192.168.1.1 interface: LAN

In router B with ip 192.168.2.1: Network 192.168.1.0 Mask: 255.255.255.0 Gateway: 192.168.2.1 interface: LAN

Tailscale is connected but still non-Tailscale devices can’t reach or ping the devices in the other network

Only Tailscale devices can reach the whole network.

Can anyone please point me to what I am missing?

Thank you
First... can you post what you have configured for your Tailscale Service switches/options, as well as your Tailscale Connection switches? Like drop the actual commandlines into this thread here.

Have you had a look at:

EDIT... no worries - @ColinTaylor's got this! :)
 
Thanks for your reply. I lost remote connection to one router as I was switching static routes off and it dropped from Tailscale. It seems I’m stuck now until I would be physically there in front of that router to do a restart which I can do in 10 hours.

@ColinTaylor : thanks I’ll try your suggestion as soon as I get the said router back online.

@Viktor Jaep : Thanks. That website is where I started.

Router A has tailscale up --advertise-routes=192.168.1.0/24 --accept-routes --snat-subnet-routes=false (now offline, static ip)

Router B has/had: tailscale up --advertise-exit-node --advertise-routes=192.168.2.0/24 --accept-routes --snat-subnet-routes=false (*, behind CGNAT)

* Now I have “set” --snat-subnet-routes=true --stateful-filtering=false
And waiting to see the effect when I set it to the other router when I get it back online

MagicDNS is disabled. I’ll test the effect of --accept-dns=false later as I’m currently mainly using IP addresses to ping/ssh to other devices

I hope that answers your question. If not please tell me what have I missed and I would be happy to provide it.
 
EDIT: I forgot to mention, --stateful-filtering is a new parameter introduced in tailscale v1.66.
I believe the default for this parameter is now off, so as long as you didn’t enable it (if you did, you need to reset it), then you don’t even need to add it.
 
So on my to-do list...

1.) Determine if I can figure out what entware version is installed, and if it's below a certain threshold, put a stop to running the script until that version has been updated.
2.) Do more error/status checking on the install of tailscale entware packages, and during the startup of the service/connection... and if it errors out, present better messaging around that, and potentially stopping the script in order to do more troubleshooting.
Was hoping @ColinTaylor could help us with the troubleshooting of the “illegal instruction” error message and whether it is amtm, TAILMON or the entware folks that should download the _nohf versions for a particular architecture (tailscale armv7sf-k2.6 package or armv7sf-k3.2 package); assuming that is actually the correct solution and I am unsure whether it is or not.

I’m wondering why @ohnggni didn’t experience this but @vorski did, both having similar router architectures.
 
I believe @vorski's problem is the same as I experienced on my RT-AC68U which has the same architecture.

I haven't had a chance to go back and double-check it but I believe part of his problem is that which you linked to on the Entware github. Namely, he needs to remove the tailscale package and install the tailscale_nohf package instead.

EDIT: I have confirmed that installing the tailscale_nohf package fixes the Illegal instruction error on my RT-AC68U. From there you could probably use the update option to download the current static build for generic arm platforms.

The other issue he has is that his Entware installation is out of date. Entware has dropped support for armv7sf-k2.6. @vorski should update amtm and then choose the option to "repair" the Entware installation. This should point Entware at a more recent repository that is at least partially up to date.

The third, unrelated issue is that his firmware is also out of date.
 
I've been looking into what can be done to limit usage based on Entware version... I'm not seeing a straightforward way yet. @ColinTaylor ... seeking your advice here, please. What method would you propose that would halt usage of TAILMON depending on a certain router/architecture/firmware/entware version? Just so that we're not running into problems with people trying to hit update, or trying to start an old not-updated version, and getting all kinds of errors because of it?
 
EDIT: I have confirmed that installing the tailscale_nohf package fixes the Illegal instruction error on my RT-AC68U. From there you could probably use the update option to download the current static build for generic arm platforms.
That’s great @ColinTaylor, thanks so much for hauling out your old armv7 based device and testing it 🙏. I think he might have already updated entware at some stage, as in the last few posts he did say he got Tailscale v1.58.2-1, just not the nohf version of it.

@Viktor Jaep now has a way forward for a TAILMON update either by:

(a) adding messaging with instructions or
(b) by having TAILMON detect the older architecture and automatically installing the tailscale_nohf version.

Option (b) would be cool if it worked, but I wonder if amtm could recognize this in the first instance, maybe a question for @thelonelycoder?

For @vorski for completeness and because I asked you to hold off (and maybe also for @ohnggni), a summary for you, (until TAILMON is updated) is to:
  1. Uninstall TAILMON, uninstall entware, which you already did.
  2. Update your firmware (highly recommended, but not a must).
  3. Update amtm from within amtm.
  4. Install entware from within amtm; or repair current install.
  5. Manually install tailscale via the CLI using step 1 in the wiki but replace opkg install tailscale with opkg install tailscale_nohf. The installation of the normal tailscale and not the tailscale_nohf version on this router architecture is the underlying reason for the "illegal instruction" error.
  6. Install TAILMON, set up your Tailnet, configure settings, check you have a running connection.
  7. Then update Tailscale from within TAILMON. I ‘think’ this update method should work. If not then manually update it following the wiki i.e. from the CLI root issue tailscale update.
Let us know how you get on!

k.
 
Install entware from within amtm; or repair current install. Please check the armv7sf-k3.2 version is installed during this process.
I don't think this is correct for his RT-AC5300 router. I believe his router's architecture is armv7l 2.6.36.4brcmarm, the same as my RT-AC68U.
 
Oh 😮. TBH I’m lost on this one, will need to leave it to you. Will remove the references for clarity.

I just assumed there were only two for armv7 devices, i.e. the older (v1.46.1-1) entware packages and newer packages (v1.58.2-1), based on the repository pic below for https://bin.entware.net/.
 

[Attachment: IMG_1277.jpeg]
You're confusing architecture with repository. The k2.6 repository on bin.entware.net is no longer updated. There is an alternative k2.6 repository being somewhat supported at maurerr.github.io.
 
Ok 😀, all good. I’m definitely not going to argue the toss on this one!

Just wrote that initially as in my test with my RT-AX3000 (yup, different architecture) I watched the messages during the entware install (see pics bit unclear) described above, which downloaded from the k3.2 repository.

I thought this was correct as you referred (above) to the k2.6 repository being out of date. I’ve got no idea if or how repository relates to architecture. Anyway as I said I just removed it completely to avoid confusion. All 👍 good!
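
Added example (not from any poster, and not TAILMON's own code): one way a script could do the detection discussed above, keeping the router's CPU and kernel (from `uname`) separate from the Entware feed it is pointed at. The armv7l plus 2.6 kernel rule comes only from the two routers named in this thread; the `src/gz` line layout of `/opt/etc/opkg.conf`, the 4.1.52 kernel string and all function names are assumptions.

```sh
#!/bin/sh
# tailscale_pkg MACHINE KERNEL: Entware package to install. Rule from this
# thread only: armv7l on a 2.6 kernel (RT-AC68U, RT-AC5300) needs tailscale_nohf.
tailscale_pkg() {
    case "$1:$2" in
        armv7l:2.6.*) echo tailscale_nohf ;;
        *)            echo tailscale ;;
    esac
}

# entware_repo CONF: print the feed URL from the first "src/gz NAME URL" line
# (assumed opkg.conf layout).
entware_repo() {
    awk '$1 == "src/gz" { print $3; exit }' "$1"
}

# repo_status URL: "stale" for the k2.6 feed on bin.entware.net, which the
# thread reports as no longer updated; "ok" for anything else.
repo_status() {
    case "$1" in
        *bin.entware.net/armv7sf-k2.6*) echo stale ;;
        *)                              echo ok ;;
    esac
}

# preflight MACHINE KERNEL CONF: print a verdict; a non-zero return means stop.
preflight() {
    pkg=$(tailscale_pkg "$1" "$2")
    repo=$(entware_repo "$3")
    if [ -z "$repo" ]; then
        echo "stop: no Entware feed found in $3"
        return 2
    fi
    if [ "$(repo_status "$repo")" = stale ]; then
        echo "stop: $repo is no longer updated; repair Entware in amtm, then install $pkg"
        return 1
    fi
    echo "ok: opkg install $pkg"
}

# sample_opkg_conf FEED: constructed opkg.conf pointing at bin.entware.net/FEED.
sample_opkg_conf() {
    printf 'src/gz entware http://bin.entware.net/%s\ndest root /\n' "$1"
}

# Demo on constructed input. On a router the call would be:
#   preflight "$(uname -m)" "$(uname -r)" /opt/etc/opkg.conf
conf=$(mktemp)
sample_opkg_conf armv7sf-k2.6 > "$conf"
preflight armv7l 2.6.36.4brcmarm "$conf" || echo "halted with status $?"
sample_opkg_conf armv7sf-k3.2 > "$conf"
preflight armv7l 4.1.52 "$conf"
rm -f "$conf"
```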
 
Hi everyone,

I was hoping to gain some clarity.

  • Have an ASUS RT-AC5300 with Merlin installed.
  • Have a working (Customizable, Aftermarket)5g Modem with IP Passthrough working.
  • Need to setup a VPN so I can access my network, workstations(RDP), cameras, etc...

Apologies, this doesn't appear easy or very clear and I'm struggling to grasp any ordered instructions, steps, etc...

---Prior to installing Tailmon on Asus Router/Merlin, Entware needs to be installed. But Asus vrrsion of Optware which is DownloadMaster needs to be unistalled first???$#%%

---- Then several links and more confusion, and months of wasted time later.....

Again, my sincerest apologies for complaining. I know a ton of work went into this but it appears there is no detailed procedure for Asus router setup? I would gladly pay someone to simply walk me through this or actually do this... I figured a monthly paid service to Tailmon would have some sort of customer support? But appears to be non existent....

Is there a reasonable step by step procedure for installing on an Asus/Merlin Router? Or Tailmon paid support options?

Thanks
 
Hi,

OK, I will try my best, based on the information you have supplied and assuming you are comfortable with SSH and the CLI; and WinSCP; and are familiar with amtm; and have the latest Asuswrt-Merlin firmware installed:
  1. Please note that we have only recently discovered variances with entware tailscale version based on older (your) Router architecture, that was not available at the time of testing of TAILMON, which to be fair is a pretty new Addon, literally 1 month old.
  2. It seems OPTWARE is old, outdated and not recommended as a package manager. It was installed via the GUI DownloadMaster as you noted.
  3. It is recommended you first Uninstall Download Master via the GUI. If you run into issues have a look here for files to remove and where to remove them (you can use WinSCP to do this).
  4. To delete the remnants of Optware, you need to (i) format the USB drive on which it was installed and (ii) tidy up the /jffs/scripts folder (on the router). I believe on your Router you can still use the GUI (Administration, System) to do (ii) i.e. format jffs partition at next boot; but suggest you reboot again just to be sure. Note that doing so you will lose any scripts you have installed.
  5. TBH, reading items 2-4 above, if you have the patience to take screenshots of all your Router's settings, I would update it (if not already) to the latest version of Asuswrt-Merlin and then do some hard resets, then start from a nice clean version without Optware or any legacy settings. You will however have to type in all the normal router settings you saved on the screenshots. You will need to set up your Modem again too.
  6. So assuming 4 (or 5) above leaves you with a clean (no Optware, no legacy scripts) Router, the next steps are relatively simple.
  7. Put in a USB, via SSH, go to the CLI, run amtm, set the theme (t), run (u) update, select (i) to show available scripts, install (fd) the format disk script and proceed to format the USB as EXT4, journaled, USB. Make sure you name it.
  8. From within amtm again, run (i), then looking at the list you should see an option (ep), to install Entware. Run this, allow it to install to your USB. NOTE: I have not stated go and repair entware (amtm, (ep), (4)) nor to update entware (amtm, (ep), (1)) as it is a new install. Had you elected to continue from a previous entware install I would recommend this.
  9. Exit (e) amtm to the CLI.
  10. Next, for your RT-AC5300 (only) from the CLI, type opkg install tailscale_nohf. For info, in case others try this, the CLI approach and the command stated here is not needed and should not be used for more recent routers.
  11. Next, from amtm, go to (i) again, then select (tm) to install TAILMON, set up your Tailnet, try express install first, configure settings per instructions, approve the routes in the Tailscale Webadmin and check you have a running connection.
  12. Then update Tailscale from within TAILMON itself. I ‘think’ this update method should work. If not then manually update it following the wiki i.e. from the CLI root issue tailscale update.
Let us know how you get on!

And whilst you're clearly frustrated, take a deep breath, I am sure if you walk through the steps, you will get there. You might get unexpected results, it is not an issue, just come back and state clearly what you have done and what you are seeing. We will try our best to help.

k.
 
Hi Jksmurf,

Thank you very much, I think I can muddle through this.

I have a couple questions.

  • I have latest version of Merlin installed.
  • Router is reset to factory defaults. Literally defaults, no changes, nothing other than using the gui wizard to setup the wifi security.. that's it.
  • I have no usb plugged in or in use at all in Router.
  • What is Optware? Does Optware reside internally on the Router? OR Is Optware used on usb drives to deploy scripts? Where does Optware reside in order to be removed from? If I have never used a usb drive then Optware wouldn't exist in the first place? Then I wouldn't have to uninstall Optware to begin with?
From what I'm reading Optware/Entware resides on the USB Drive NOT the internal drive on the Router?
 
Hi Jksmurf,

Thank you very much, I think I can muddle through this.

I have a couple questions.
  • I have latest version of Merlin installed.
Great, good start :).
  • Router is reset to factory defaults. Literally defaults, no changes, nothing other than using the gui wizard to setup the wifi security.. that's it.
Also good.
  • I have no usb plugged in or in use at all in Router.
Plug one in please, you need it for entware, which is in turn needed for Tailscale/TAILMON. You can format it from amtm's (fd) script.
  • What is Optware? Does Optware reside internally on the Router? OR Is Optware used on usb drives to deploy scripts? Where does Optware reside in order to be removed from? If I have never used a usb drive then Optware wouldn't exist in the first place? Then I wouldn't have to uninstall Optware to begin with?
From what I'm reading Optware/Entware resides on the USB Drive NOT the internal drive on the Router?
Optware is just a package manager, like Entware. I believe Optware is also installed to a USB, but I do not know for sure, as I have never used Optware TBH.

However as you wrote (above), this line (that follows), I assumed you had both the DownloadMaster and Optware installed...

"But Asus vrrsion of Optware which is DownloadMaster needs to be unistalled first???$#%%"; typos left in for authenticity... :)

No biggy; if you have reset your Router, jffs will be clear and amtm's (fd) will format the Disk "as new" so any Optware that might have been on it will be gone now. I believe (not 100% sure) that that Optware package manager is normally installed to a USB disk (not the Router), but if you never installed it, it won't be there and really it doesn't matter as you're about to format it.

Yes; Entware does reside on the USB (is needed by the Tailscale Install), which is why you need one and need to format it as above.

k.
 
@Dr.Rom Remove the static routes. They should not be necessary (and the interface is wrong anyway) as the tailmon daemon creates its own routing rules.

In the first instance try testing with --snat-subnet-routes=true and --stateful-filtering=false. If that works then change --snat-subnet-routes to false.

P.S. Although unrelated to your question you probably want to set --accept-dns=false on each router as well to prevent tailscale interfering with your local DNS configuration.

EDIT: I forgot to mention, --stateful-filtering is a new parameter introduced in tailscale v1.66.

I did

tailscale down
tailscale up --reset && tailscale up --accept-routes --advertise-routes=192.168.1.0/24 --snat-subnet-routes=false --stateful-filtering=false --accept-dns=false

That gave me “Some peers are advertising routes but --accept-routes is false”

So I did

tailscale set --accept-routes=true

tailscale up --accept-routes --advertise-routes=192.168.1.0/24 --snat-subnet-routes=false --stateful-filtering=false --accept-dns=false

This ran with no error/hint

But still no effect

It seems Tailscale runs in accept-routes=false as default

I’m running Tailscale in userspace

Router A has
{
"ControlURL": "https://controlplane.tailscale.com",
"RouteAll": true,
"AllowSingleHosts": true,
"ExitNodeID": "",
"ExitNodeIP": "",
"InternalExitNodePrior": "",
"ExitNodeAllowLANAccess": false,
"CorpDNS": false,
"RunSSH": false,
"RunWebClient": false,
"WantRunning": true,
"LoggedOut": false,
"ShieldsUp": false,
"AdvertiseTags": null,
"Hostname": "",
"NotepadURLs": false,
"AdvertiseRoutes": [
"192.168.1.0/24"
],
"NoSNAT": true,
"NoStatefulFiltering": true,
"NetfilterMode": 2,
"AutoUpdate": {
"Check": true,
"Apply": true
},
"AppConnector": {
"Advertise": false
},
"PostureChecking": false,
"NetfilterKind": "",
"DriveShares": null,
"Config": {
"PrivateMachineKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"PrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"OldPrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"UserProfile": {
"ID": …,
"LoginName": "dr",
"DisplayName": "Dr",
"ProfilePicURL": "https://l…",
"Roles": []
},
"NetworkLockKey": "nlpriv:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"NodeID": "…"
}
}


Router B has

{
"ControlURL": "https://controlplane.tailscale.com",
"RouteAll": true,
"AllowSingleHosts": true,
"ExitNodeID": "",
"ExitNodeIP": "",
"InternalExitNodePrior": "",
"ExitNodeAllowLANAccess": false,
"CorpDNS": false,
"RunSSH": false,
"RunWebClient": false,
"WantRunning": true,
"LoggedOut": false,
"ShieldsUp": false,
"AdvertiseTags": null,
"Hostname": "",
"NotepadURLs": false,
"AdvertiseRoutes": [
"0.0.0.0/0",
"::/0",
"192.168.2.0/24"
],
"NoSNAT": true,
"NoStatefulFiltering": true,
"NetfilterMode": 2,
"AutoUpdate": {
"Check": true,
"Apply": true
},
"AppConnector": {
"Advertise": false
},
"PostureChecking": false,
"NetfilterKind": "",
"DriveShares": null,
"Config": {
"PrivateMachineKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"PrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"OldPrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
"UserProfile": {
"ID":,
"LoginName": "dr",
"DisplayName": "Dr.",
"ProfilePicURL": "https://…",
"Roles": []
},
"NetworkLockKey": "nlpriv:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"NodeID": "…"
}
}
 
Yes I tried both values. Now I changed them to true.

I came across this link and was optimistic that your suggestion regarding --stateful-filtering would be the answer to my issue but that was not the case
 
It's too bad such a simple scenario of bridging 2 networks together like this could be this difficult. I think once we have this all figured out, we need to add this to the OP or @ColinTaylor's Tailscale wiki!
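
Added example (not part of any post above, and not TAILMON's code): a check of a prefs dump like the two posted above against the settings suggested in this thread, plus a redaction step for sharing such a dump. It assumes the JSON was saved from `tailscale debug prefs` with one key per line; the function names and the sample key value are made up.

```sh
#!/bin/sh
# pref_value FILE KEY: print the scalar after "KEY": (true, false, 2, ...).
pref_value() {
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\([^,]*\),\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# advertised_routes FILE: print each CIDR in the AdvertiseRoutes array.
advertised_routes() {
    sed -n '/"AdvertiseRoutes":[[:space:]]*\[/,/]/s/^[[:space:]]*"\([^"]*\/[0-9]*\)",\{0,1\}[[:space:]]*$/\1/p' "$1"
}

# redact_prefs FILE: replace key material so the dump can be posted.
redact_prefs() {
    sed -e 's/\(privkey:\)[0-9a-fA-F]*/\1REDACTED/' \
        -e 's/\(nlpriv:\)[0-9a-fA-F]*/\1REDACTED/' "$1"
}

# check_site_to_site FILE LAN_CIDR: print findings, return the number of FAILs.
check_site_to_site() {
    fails=0
    if [ "$(pref_value "$1" RouteAll)" != "true" ]; then
        echo "FAIL: RouteAll is not true; peer subnets are ignored (--accept-routes)"
        fails=$((fails + 1))
    fi
    if ! advertised_routes "$1" | grep -qxF "$2"; then
        echo "FAIL: $2 is missing from AdvertiseRoutes (--advertise-routes)"
        fails=$((fails + 1))
    fi
    if [ "$(pref_value "$1" NoStatefulFiltering)" != "true" ]; then
        echo "WARN: stateful filtering is on; the thread tests with --stateful-filtering=false"
    fi
    if [ "$(pref_value "$1" CorpDNS)" != "false" ]; then
        echo "WARN: CorpDNS is not false; the thread suggests --accept-dns=false"
    fi
    if [ "$(pref_value "$1" NoSNAT)" = "true" ]; then
        echo "INFO: SNAT is off (--snat-subnet-routes=false); source addresses are preserved"
    else
        echo "INFO: SNAT is on (--snat-subnet-routes=true), the suggested first test"
    fi
    if advertised_routes "$1" | grep -qxF "0.0.0.0/0"; then
        echo "INFO: this node also advertises itself as an exit node"
    fi
    return "$fails"
}

# sample_prefs ACCEPT: constructed prefs using Router A's routing keys from the
# post, a made-up key value, and RouteAll set to ACCEPT.
sample_prefs() {
    cat <<EOF
{
"RouteAll": $1,
"CorpDNS": false,
"AdvertiseRoutes": [
"192.168.1.0/24"
],
"NoSNAT": true,
"NoStatefulFiltering": true,
"Config": {
"PrivateNodeKey": "privkey:00aa11bb22cc33dd"
}
}
EOF
}

tmp=$(mktemp)
sample_prefs false > "$tmp"
check_site_to_site "$tmp" 192.168.1.0/24 || echo "FAIL count: $?"
redact_prefs "$tmp" | grep PrivateNodeKey
rm -f "$tmp"
```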
 
