TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)

[Wheemer1]

@ViktorJaep have you done the 1.68.0-1.68.1 update?

I just tried to update 1.68.0 to 1.68.1 and for the first update ever, it hung on the the tailscale up line.
Manually downgraded to 1.68.0; same
Manually downgraded to 1.66.4; same
Rebooted Router. Same.
Just my system, bad SSD or Tailscale might have broken something ?

# Health check:
#     - not logged in, last login error=fetch control key: Get "https://controlplane.tailscale.com/key?v=97": context canceled

# Health check:
#     - not in map poll
unexpected state: NoState

[EDIT] It seemed to have fixed itself, not sure how, but tailscale up lines seem to take a long time to "take".

Update worked fine for me on two different routers.

 

[XIII]

It's fixed in 1.0.17b1. I believe he's running .14

Indeed. Let’s wait for 1.0.17 and the next Tailscale update.

 

[Old-Timer1]

ive just instaled this script and in the Tailmon UI it shows as being up and running but on the tailscale official dashboard the device shows as offline.

Any ideas where I am gong wrong guys?

Thank you

 

[Viktor Jaep]

ive just instaled this script and in the Tailmon UI it shows as being up and running but on the tailscale official dashboard the device shows as offline.

Any ideas where I am gong wrong guys?

Thank you

While Tailmon is running, from a separate SSH window, can you run "tailscale status", and please post those results?

 

[Old-Timer1]

While Tailmon is running, from a separate SSH window, can you run "tailscale status", and please post those results?

Thank you for your reply, I just had to update the tailscale version and restart and it works great now.

Only issue is when I am connected to the tailscale instance on my router from my phone, the download speed is 1-2mbps

any idea what could be wrong there?

And here is a screenshot of the status

 

[Wheemer1]

Is there any way to get tailscale dns to automatically work? I mean the machine names to resolve to the local ip or at least tailscales machine ip.

I realize I can add my own dns entries, but just wondered if it was possible so that it works more seamlessly.

 

[jksmurf]

Hey all,

I think I managed to get this all installed and working on a new asus router/Merlin thanks to (jksmurf). Dont understand much on how it all works but diggin through docs are easy enough. So thanks again to everyone.

Great that you got it up and running, it’s satisfying when it works.

I’m in the same boat as you TBH, I am not really that clued up on networking or Tailscale and @Viktor Jaep’s intention with TAILMON was to provide the platform for installing it on our little Routers, but to be fair to him, expanding outside that to all things Tailscale is just Pandora’s Box.

Tailscale’s website has a plethora of information on tailscale itself (including use cases) and whilst much of the more technical items are over my head, to their credit they do provide some good resources for more fundamental questions in the first instance.

So what I’m going to do is to attempt to respond briefly here and provide some responses with reference links so you can investigate further, and if I’m wrong, I hope to be corrected.

The reason I have need of this in the first place is due to having a 5g modem providing Internet at my office location. Typical CGNAT. I have about 30 security cameras I need to view, get motion, alarms in real time.

My use-case is also CGNAT and for you a subnet-router attached to tailscale at that end gives you the possibility to access all the devices in that subnet that sit behind (or even alongside) it.

The question I have is how does Tailscale work/handle a vpn connection like this between two locations?
---location 1 is a typical fiber isp.
---location 2 is 5g Tmobile isp, CGNAT situation.

Just need to access both locations as a typical vpn viewing one big network.

Additional question I have as I still havent gotten my head around how Tailscale works...

Do I only need to connect the Routers at both ends in Tailscale in order to see everything behind the routers? Like cameras, servers, etc...??

Yes. I believe you need to set up site to site (TAILMON does this) and you only need one Router at each end configured as a subnet router. You can then access each device behind that remote subnet router “as if” it were local by typing in its IP address. From that link:

“Use site-to-site layer 3 (L3) networking to connect two subnets on your Tailscale network with each other. The two subnets are each required to provide a subnet router but their devices do not need to install Tailscale. This scenario applies to Linux subnet routers only.”

Or

Does every single device assigned an ip behind each router also needs to be added to Tailscale?

No. See above. They will of course have their local IP; they do not need to be added to Tailscale. Once you have established the connection to that remote subnet, then WebGUI, ping, SSH are all conducted using their original subnet IP address “as if” they were local.

Lastly....
Im not a big fan of having to connect to tailscale on the website, set up an account and have my data go through yet another strangers servers so this all works.... I really want my own private point to point vpn servers over public internet using my own static ips. I need a high level overview on how to go about this...

I’m not 100% sure about this side of things, however see here.

“Is my traffic routed through your servers?​

No. Tailscale routes traffic over the shortest path possible. In most cases, this is a direct, peer-to-peer connection. In cases where a direct connection cannot be established, devices will communicate by bouncing traffic off of one or more geographically distributed relay servers, called DERPs. The traffic that bounces through our relay servers is encrypted and no different security-wise than the other dozen hops your Internet packets already make when passing over the network from point A to B.”

You can actually see, in the TAILMON status window, if you have a direct or DERP connection.

Im done with the monthly nickel dime subscriptions for ddns, vpn, etc... services that go on forever.... this bothers me way more than security issues as my data is still going through someone I dont know.

again, thanks for the help jksmurf...

Provided your needs and numbers of devices on your tailnet remains below the free vs paid threshold, then you won’t be subject to those subscriptions. I would comment however (I have no skin in the game here, not trying to sell any service) that if this is really to safeguard your business you might want to seek professional advice.

HTH

k.

 

[Viktor Jaep]

Thank you for your reply, I just had to update the tailscale version and restart and it works great now.

Only issue is when I am connected to the tailscale instance on my router from my phone, the download speed is 1-2mbps

any idea what could be wrong there?

And here is a screenshot of the status

Interesting... how are you measuring this speed? What are you using to test this? What's your setup/bandwidth look like on both ends?

 

[Viktor Jaep]

Is there any way to get tailscale dns to automatically work? I mean the machine names to resolve to the local ip or at least tailscales machine ip.

I realize I can add my own dns entries, but just wondered if it was possible so that it works more seamlessly.

If I remember correctly, I believe that @ColinTaylor may have some good experience with this he may be able to share? You may also be able to go back in time in this thread, as there may be some mention to these methods here...

 

[Viktor Jaep]

BTW... updated both my GT-AX6000 and the RT-AX88U from 1.68.0 to 1.68.1 without issue on TAILMON v1.0.17b1. I think it's time to get this rolled out...

What's new?
v1.0.18 - (June 15, 2024)
- PATCH: Thanks to @Wheemer1, he noticed that when hitting (R)estart, that it would overwrite the custom mode changes that were originally saved with the default custom mode settings. A new function takes care of making sure (R)estarts will now apply any custom mode changes when the service/connection restarts.
- PATCH: Also, thanks to @Wheemer1 for the suggestion to formally add the '--accept-routes' command line argument into TAILMON. A new menu item (6) under then setup/configuration menu has been added that asks whether or not you want to enable this option. Special care needed to be taken when this option gets disabled, as a 'tailscale up --reset' command needs to be issued before it can be completely disabled without having to endure tailscale warnings.
- PATCH: Thanks to @rung, added another email notification coming from TAILMON when the router was rebooted or manually reset, to indicate that TAILMON has restarted after an unexpected router reboot. TAILMON looks at router uptime, and if it's set to automatically start within the first 10 minutes of the router coming back up, it will send you an email.
- PATCH: Updated some of the "site-to-site" wording changes on item #6 in the configuration/setup menu, and associated menu item description per @jksmurf's suggestion. Thanks!

Download link (or update directly within AMTM/TAILMON):

curl --retry 3 "https://raw.githubusercontent.com/ViktorJp/TAILMON/master/tailmon.sh" -o "/jffs/scripts/tailmon.sh" && chmod 755 "/jffs/scripts/tailmon.sh"

Significant Screenshots:

Added the new option (6) to add the site-to-site networking option that adds the "--accept-routes" switch to your tailscale up commandline.

More detail on item (6)

Now showing that "--accept-routes" gets appended by default when the menu item is enabled.

 

[Rajjco]

Updated from 1.66 to 1.68.1 without any issues.

Noticed some odd behavior on Apple device compared to Android Device when Tailscale set to run In Kernel mode.

When using Kernel mode my Apple device cannot connect to lan services example: Jellyfin server on lan network.
However the Android device can connect to all services hosted on my lan network In Kernel mode.

This issue occurred at version 1.66.

 

[jksmurf]

Kernel mode

I’ve no idea about what change from pre to post 1.66 might be causing your specific issue, but have you ever done a —reset (now in TAILMON). Asking due to the change in the stateful filtering defaults introduced in 1.66, which were changed 180deg in the next update after that.

Also wondering if the type of routing shown in the summary table might be worth checking out?

 

[Threska49]

Good job and it may make CGNAT easier to deal with.

CGNAT is the problem nail... Is Tailscale the hammer?

I am currently using pfSense for a home network with 5 web servers for family and friends. I have: 2 WANs, Fiber and Cable, and they are configured for fail-over DDNS to flip the DNS IPs when they fail-over or if the IP is refreshed HAProxy to handle the subdomains I configured for each web...

forum.tailscale.com

 

[jksmurf]

Good job and it may make CGNAT easier to deal with.

@Viktor Jaep is the man !

And there is no “may” as far as I’m concerned, getting past CGNAT by configuring Tailscale with a subnet router got me access to my remote device. Love it!

 

[Rajjco]

I’ve no idea about what change from pre to post 1.66 might be causing your specific issue, but have you ever done a —reset (now in TAILMON). Asking due to the change in the stateful filtering defaults introduced in 1.66, which were changed 180deg in the next update after that.

Also wondering if the type of routing shown in the summary table might be worth checking out?

View attachment 59493

Just tested Kernel mode after updating to 1.68.1 and looks like it fixed the issue both ios and android devices can access lan services normally.

Not sure what has been changed might have to dig deeper in change logs between versions.

 

[phneeley]

Just tested Kernel mode after updating to 1.68.1 and looks like it fixed the issue both ios and android devices can access lan services normally.

Not sure what has been changed might have to dig deeper in change logs between versions.

Also working for me on Custom mode. I had switched to Userspace mode due to this issue alone. Glad it seems to be working now.

 

[jksmurf]

Also working for me on Custom mode. I had switched to Userspace mode due to this issue alone. Glad it seems to be working now.

Custom mode uses Kernel mode as the starting point so that makes sense. Glad it’s working for you both. Everytime Tailscale posts an update @Viktor Jaep lives in fear of them breaking something

Can you confirm that for the purposes of the running of Tailscale, TAILMON’s Custom Mode acts as if it is in Kernel Mode?

That's correct... when selecting custom mode, it basically configures itself into Kernel mode, and gives you the freedom to change the various command lines.

 

[Viktor Jaep]

Custom mode uses Kernel mode as the starting point so that makes sense. Glad it’s working for you both. Everytime Tailscale posts an update @Viktor Jaep lives in fear of them breaking something

I can barely sleep knowing a Tailscale update will just break everything.

 

[joe scian]

Thanks for this brilliant implementation of Tailscale on our routers. It fixed my inability to use OVPN Server and access devices ( camera and ASUS Router ) behind my bridged CGNAT 4G LTE Router from remote sites.

 

[Old-Timer1]

Interesting... how are you measuring this speed? What are you using to test this? What's your setup/bandwidth look like on both ends?

Hi Victor, thank you for your help.

I measured speed with the speedtest.net app from ookla, today was averaging 8-10mb download speed so a little better than yesterdays 1mb
For the test I used my xiaomi 14 android device.
We have a 1gb fibre connection at home
Router is an RTAC86U

Something strange I noticed today:

I have a VPS hosted install of adguard home. I put it's IP into the DNS server 1 field in the LAN section of my router and when i do a dnsleak test, I see QUAD9's nameservers which is fine and I have ad blocking.

But...... When I run your script and connect to my home network remotely via tailscale, and do a dns leaktest , it shows my ISP's nameservers and I dont have ad blocking.

I'm wondering is there a setting i need to change?

Any help appreciated,

Thank you guys