TAILMON TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)

Deleted all those directories and reinstalled fresh from amtm. Also repaired binaries to entware. After installation -
1. no files in /var/run/tailscale
2. var/lib/tailscale - 3 files
3. opt/var/run/tailscale - does not exist
4. /opt/var/lib/tailscale - does not exist

exactly same errors as previously
Hmmm. I’m going to have to defer to Viktor (on leave) or Colin for what might be happening here. Did you have a look at the wiki uninstall approach btw?


btw the reason I suggested also deleting the other dirs is that a fresh Tailmon install (1.58 is installed via entware first) creates the /opt/var/run/tailscale and opt/var/lib/tailscale dirs but when you update tailscale via Tailmon it puts the tailscale files into /var/run/tailscale and /var/lib/tailscale, including future versions.

I believe the --statedir switch in ARGS (in /opt/etc/init.d/S06tailscaled) is a mechanism used to facilitate the swap between them i.e.

Code:
ARGS="--state=/opt/var/tailscaled.state --statedir=/opt/var/lib/tailscale"

FYI see Colin’s request in entware GitHub regarding the same.
 
Yeah, I would take the approach of trying to uninstall using the opkg method (opkg remove tailscale), and manually delete as many folders as you can that it could be leaving behind. Then manually try to install using opkg... ie. opkg install tailscale ... and seeing if you get any strange error messages during this simple install process.

Does that continue to give you issues? If so... then you probably have bigger problems to fry... like dealing with a possibly corrupt entware environment. Also, see if there's any interesting syslog messages displaying during this time?
 
I did that, no errors. Then initiated tm through amtm - same errors as before.
On a working tailmon install on my remote AX86U, opt/var/lib/tailscale is there with a json file, a conf file, 2 txt files, and files and certs directory. No such directory exists in the new install on the local AC86U.
 
Reaching here, but have you tried a complete entware uninstall removal and then entware reinstall, followed by the Tailmon install? i.e. not an entware repair, but a full on entware uninstall, removal?
 
I think I might have found a bug. Below are example steps to reproduce the issue, and for sure this can be triggered by other things in our routers, but that's what I found when I was randomly saving something in the GUI and then the CLI.

Preconditions:
- tailmon installed (keepalive + start on boot = enabled)
- tailscaled started (connected/working)

Steps: (change 1 with 2 if your --eee initial status is different <pwr show>)
0) iptables-save > before.txt
1) pwr config --eee on
2) pwr config --eee off
3) iptables-save > after.txt
3a) optionally wait 2 minutes
4a) diff before.txt after.txt
OR
4b) iptables-save | grep ts

Expected: iptables configuration for Tailscale is lost (ts-input, ts-forward etc. chains are lost); TAILMON is not able to recover
Actual: TAILMON healthcheck restarts tailscaled service if iptables chains related to tailscale were lost.

Related:
- https://github.com/ViktorJp/TAILMON/blob/main/tailmon.sh#L2801
- https://github.com/tailscale/tailscale/issues/5002
- https://github.com/tailscale/tailscale/issues/5424#issuecomment-1297122549

My understanding is we need a bit of additional logic which we don't have (see last link related to systemd service) which will check additionally for something like iptables xyz is present if not = FAIL -> restart tailscaled.

Currently I'm thinking of having a temporary workaround in maybe /jffs/firewall-start which would, for example, always restart/kill the tailscaled process.
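
The check this post asks for (are the Tailscale iptables chains still present, and if not, restart tailscaled), sketched as an added example that is not part of the original post or of TAILMON's code. The two dumps are constructed stand-ins for before.txt and after.txt; the function names and the `undeclared`/`unreferenced` labels are illustrative.

```sh
# Chains named in the post above (ts-input, ts-forward).
TS_CHAINS="ts-input ts-forward"

# Print each chain from TS_CHAINS that FILE (iptables-save output) either
# does not declare (":ts-input - [0:0]") or never jumps to ("-j ts-input").
missing_ts_chains() {
    missing=""
    for chain in $TS_CHAINS; do
        if ! grep -q "^:$chain " "$1"; then
            missing="$missing $chain:undeclared"
        elif ! grep -Eq -- "-j $chain( |\$)" "$1"; then
            missing="$missing $chain:unreferenced"
        fi
    done
    echo "${missing# }"
}

# Exit status 0 when every chain is intact, 1 when a restart is warranted.
ts_rules_ok() {
    [ -z "$(missing_ts_chains "$1")" ]
}

# Constructed sample dumps standing in for before.txt / after.txt.
WORK=$(mktemp -d)
cat > "$WORK/before.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:ts-forward - [0:0]
:ts-input - [0:0]
-A INPUT -j ts-input
-A FORWARD -j ts-forward
COMMIT
EOF
cat > "$WORK/after.txt" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:ts-forward - [0:0]
-A INPUT -i br0 -j ACCEPT
COMMIT
EOF

for f in before after; do
    if ts_rules_ok "$WORK/$f.txt"; then
        echo "$f: Tailscale chains intact"
    else
        echo "$f: missing -> $(missing_ts_chains "$WORK/$f.txt")"
    fi
done
```

On the router, the same functions can be pointed at a live dump (`iptables-save > /tmp/ipt.txt`), with a tailscaled restart triggered when `ts_rules_ok` fails.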
 
I installed this last night on my AX58U and added to my existing tailnet. In admin I can see the router, I can even use it as an exit node (though I have a NAS running Tailscale for that purpose). For whatever reason, however, I can't access machines on the tailnet from behind that router. In other words, if I try to get the web UI for a device on another network (but on my tailnet), I can't do it from a laptop connected to the router - but if I use the Tailscale client on the laptop, or if I connect via another router that goes to the tailnet, it works fine. I've tried Tailscale IP for the device to no avail.

Routers advertised and approved, site-to-site enabled. Not sure what else to check.
 
I use these command line options:
Code:
--advertise-exit-node --advertise-routes=192.168.1.0/24
 
My operators are below. As you see, the only difference is my subnet range (appropriate for this network) and --accept-routes (which I believe should be set, but to be clear, I've tested without it).
Code:
--advertise-exit-node --advertise-routes=192.168.29.0/24 --accept-routes

I keep wondering about the config on the remote routers where I'm trying to access stuff, but again, if I connect my laptop to my tailnet using the desktop client, or even a different router I have that connects to the tailnet, it works fine - the variable is this router using Tailmon. Not sure what else to try or check.
 
I also had to override dns:

[Screenshot: SmartSelect_20240806_105550_Samsung Internet.jpg]

Not sure why but it works with this setting for me.
 
Not sure how/why this would work (since IPs don't use name resolution) but set it to my gateway IP to check and still no dice.
Still just guessing here, but I have tailscale service version "v1.70.0" and the following default options:
Code:
ARGS: --tun=userspace-networking --state=/opt/var/tailscaled.state --statedir=/opt/var/lib/tailscale
PREARGS: nohup
 
Same here. This is really odd.
 
I think I misunderstood your problem. Now that I read it, it's opposite from what I first thought. I can access the devices behind router from outside via the tailnet. I now see you are trying to connect the other way around to devices outside the router. I haven't tried that. Sorry.
 
Reaching here but I think (based on your additional arguments) you used Custom mode which uses Kernel mode, could you try a simple userspace mode to see if it makes any difference?
I used the standard userspace mode from the beginning.
Interestingly, if I look at the route table I don't see any 100.* IPs, which would seem odd to me.

Code:
default via 192.168.88.1 dev eth4
127.0.0.0/8 dev lo scope link
192.168.12.0/24 dev eth3 proto kernel scope link src 192.168.12.221
192.168.12.1 dev eth3 proto kernel scope link
192.168.29.0/24 dev br0 proto kernel scope link src 192.168.29.1
192.168.88.0/24 dev eth4 proto kernel scope link src 192.168.88.254
192.168.101.0/24 dev br1 proto kernel scope link src 192.168.101.1
239.0.0.0/8 dev br0 scope link

I'm wondering if the WAN Failover script is in some way in conflict here? That's purely a guess. I'm really stumped.
 
The way I read this description, you could only achieve what you are trying to do in kernel mode and not user space mode:
https://tailscale.com/kb/1112/userspace-networking

Without a network interface how would your local devices tunnel out of your network?
 
Interesting. What's peculiar is that I did try to swap this to the kernel last night (which locked up my router for a bit...that was fun), and it still didn't work. Confirmed it was running in the kernel, but no 100* on the routing table and no accessing non-local clients in my tailnet.
 
Interesting (but very good) experience with Tailscale/TAILMON.

I am running “kind of a” dual wan in my house. I have a T-Mobile Sagemcom modem plugged into an old AX58U with a unique SSID and IP network address range. It came as part of a deal with moving over to T-Mobile phones. It’s pretty low cost - and I have used it in the past when my main WAN (Starlink) gets flaky.
My primary WAN is Starlink plugged into an AX88U Pro. Again, unique SSID and a different (luckily) network address.

I installed TAILMON on both. Enabled advertise routes and also accept routes.

In the past I would change SSID to whichever router I wanted to check/work on.

Now I can be on either but easily access the other. i.e I can have both WebUI windows open at the same time on my laptop. I can now mount my NAS on both routers, etc., if after updating the main router and my wife’s iPhone switches over to T-Mobile she can still print on a printer on the main network.

What is interesting is that I really did nothing to route tables, ip tables etc. Just installed TAILMON and let it run.
Easier than I thought.

Hmm, wonder if I could do some kind of Dual WAN Failover with tailscale as the core.
Found this as I have the same setup but Tailscale is not working right.
I run the WAN Failover script via AMTM (which I also used to install Tailmon) on an AX58U running Merlin (a version from prob a year ago? I should update but sometimes that gets fickle). My failover is TMOHI, my main is fiber.

I have essentially three networks - two, in two other locations - are behind glinet routers running Tailscale and have subnet routing turned on. All those devices see each other, and if I'm elsewhere, I can connect to Tailscale via the desktop client and it works great. I also have a third network which, until recently, just had Tailscale running on a NAS. This allowed a solid Exit Node, and the subnet routing worked so I could access devices on this third network without a problem.

Recently, I put Tailmon on the AX58U however so that I could, without running a desktop client, have a machine on that third network and directly reach anything on the other networks on my tailnet. I installed Tailmon via the script, enabled subnet routing (and authorized in admin), and it looked okay...but it doesn't work. The connection in --status always shows idle, and the routing table (from CL ip routing) doesn't show 100.* IPs at all. I can't access other devices on the tailnet from inside this network. I really can't figure out why.

I've got posts on this thread and on reddit but no dice yet.

  • Are you using the native WAN Failover or the WAN Failover script (which is far more reliable)? Asking as I'm wondering if the script is impacting the routing table that generates automatically.
  • Do you see a 100.* IP on your routing table (from the CLI when using ip route)?
  • Any other thoughts?
Very stuck and would appreciate any input.
 
I will need to see if Tailscale actually adds entries to iptables or not... I have a feeling it doesn't, and uses its own method of routing.
 
My understanding (at least in user mode) is that when you connect to devices on the local lan from the tailnet, it appears to the device to be coming from the router ip, not some new vpn subnet like the other vpn servers do. So if the tailnet process initiates the outbound connection to the tailnet, this whole scheme eliminates any need to touch iptables.
 
