TAILMON v1.0.20 -July 27, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (THREAD #1 CLOSED)

I will add that snat to both ends of the site-2-site and see if it makes any difference.
I have to ask here, if it works doing what you want it to, as is, why?
Just to test :) ?

What do you expect or hope to improve; or change?
 
I have to ask here, if it works doing what you want it to, as is, why?
Just to test :) ?

What do you expect or hope to improve; or change?
Just to test. I did enable it on one router. Really didn’t make any difference, at least in my use cases. Went back to TAILMON’s command line.
 
Pleased to see that Entware's tailscale package has just been updated from 1.68.2-1 to 1.68.2-3 to include the fixes to S06tailscaled I suggested. Note that it also adds Entware's coreutils-nohup as a prerequisite although that's not necessary for asuswrt.
Thank you @ColinTaylor for posting the two requests up on Github, it's been a wee while but they did get on to it in the end, so great result.

Cheers, k.
 
Tailscale binary was updated to 1.72.0 yesterday.
 
Just wanted to say thanks for such an amazing job with this. I have a home network stuck behind a CGNAT system and this was super easy and extremely effective to get around that... 4G CGnatted systems are very common in Europe, so this is a big help. How do I contribute a coffee or beer money though?
 
Now that the Entware team (and @ColinTaylor ) fixed up tailscale, is there any reason for having tailmon update using the direct “tailscale update”? Entware will always be a bit behind, but at least an opkg update/upgrade will be consistent with other applications on the routers.
 
Just wanted to say thanks for such an amazing job with this. I have a home network stuck behind a CGNAT system and this was super easy and extremely effective to get around that... 4G CGnatted systems are very common in Europe, so this is a big help. How do I contribute a coffee or beer money though?


@Viktor Jaep is in the list.

@ColinTaylor , many of us thank you for your wealth of information and many contributions.
Can I add you to the list? PM me. ;-)
 
Pleased to see that Entware's tailscale package has just been updated from 1.68.2-1 to 1.68.2-3 to include the fixes to S06tailscaled I suggested. Note that it also adds Entware's coreutils-nohup as a prerequisite although that's not necessary for asuswrt.
@ColinTaylor did you mean to write updated from 1.58.2-1 to 1.68.2-3?

Asking as the original Tailscale entware install was based on 1.58.2-1, but I wasn’t aware of an interim update?

k.
 
@ColinTaylor did you mean to write updated from 1.58.2-1 to 1.68.2-3?

Asking as the original Tailscale entware install was based on 1.58.2-1, but I wasn’t aware of an interim update?

k.
No I did mean 1.68.2-1 to 1.68.2-3. There was an additional update on 16th August just for tailscale that replaced the version from 9th August.
 
No I did mean 1.68.2-1 to 1.68.2-3. There was an additional update on 16th August just for tailscale that replaced the version from 9th August.
Okey dokey, sorry, I missed that one!
Was just that 1.58.2-1 was one number removed from 1.68.2-1, so I thought surely that can’t be a coincidence.
 
Ok, this probably should be a new thread, but is it possible to set up Tailscale via Wireguard on a remote Asus router using only the Asus remote app? I.e. just adding information to the Wireguard VPN setup in the GUI? I currently only have access to the remote router via the GUI due to a CGNAT. Or is there another way to get remote access to my LAN that's behind CGNAT using just the Asus web GUI?
 
Ok, this probably should be a new thread, but is it possible to set up Tailscale via Wireguard on a remote Asus router using only the Asus remote app? I.e. just adding information to the Wireguard VPN setup in the GUI? I currently only have access to the remote router via the GUI due to a CGNAT. Or is there another way to get remote access to my LAN that's behind CGNAT using just the Asus web GUI?
Only if you can already get a WG connection running, which, if it is behind CGNAT, is not possible as far as I am aware. But neither WG nor OpenVPN nor any (?) other VPNs or remote access mechanisms can get past CGNAT AFAIK.

The beauty of Tailscale (TS) or ZeroTier (ZT) running as a subnet router on your network, is that it will run behind a CGNAT Service and "advertise" the address; but your scenario is a chicken-egg situation. Have a look at a previous discussion here and here.

What you 'could' do is buy a Fixed (Static) IP for 1 month (which removes CGNAT), then assuming you have a VPN set up already or Asus's own Instant Guard, use the WebGUI to get in and enable SSH (if not already) then log on to the CLI using PuTTY and install TS (TAILMON) via amtm.

Once you are happy it is running, drop the static IP and revert to the CGNAT service, knowing you now have TS running, which gets past it.

Or just toss the current ISP and get one without CGNAT, which is what I did after my commitment for 1 year was up.

[EDIT] I forgot to add, if you could send someone to your remote location with a little RPi or Intel NUC or even an AppleTV (iOS17 capable, very simple to setup), pre-prepared with Tailscale configured as a subnet Router, they could just connect that device to your remote router by an ethernet cable (LAN port) and it will "advertise" your network address and allow you to Tailscale in to the network "as if you were there locally", at which point you could install TS (TAILMON) remotely. But the fact that someone went there with your little box of tricks means they could (almost) have as easily installed Tailscale for you...
 
Tailscale binary updated AGAIN to 1.72.1

This one is Linux-only and has something to do with DNS failures over TCP.
So, it might be worth installing.
 
Can someone help me connect to my router's WebUI + SSH from outside the network through my tailnet? Currently using it in "Kernel Mode" with Exit Node & Subnets advertised. I have tried using Tailscale Serve (#166) and read through this discussion (starting at #342). I'm unable to connect using Tailnet address.
 
Can someone help me connect to my router's WebUI + SSH from outside the network through my tailnet? Currently using it in "Kernel Mode" with Exit Node & Subnets advertised. I have tried using Tailscale Serve (#166) and read through this discussion (starting at #342). I'm unable to connect using Tailnet address.
Are you saying this is a problem specifically with accessing the router itself, but accessing other devices on the router's LAN works OK?

How are you accessing the router's GUI, e.g. http://192.168.50.1 ?

Does your router have a public IP address or is it behind NAT?

What does the output of tailscale status show? Is your client shown as "active"?

Are both the router and your client shown as Connected on https://login.tailscale.com/admin/machines ?

What is your client device?
 
Are you saying this is a problem specifically with accessing the router itself, but accessing other devices on the router's LAN works OK?
Yes. The problem is accessing the WebUI and/or SSH through tailscale, outside the network. Accessing other devices on the router's LAN works fine.

How are you accessing the router's GUI, e.g. http://192.168.50.1 ?
Accessing http://192.168.50.1 works fine while on LAN. Accessing hostname.tailfXfXX.ts.net does not work (I am also using tailscale cert for SSL certificate in WebUI). Currently using another node inside network to advertise 192.168.50.1/32 so that I can manage it from outside of network.

Does your router have a public IP address or is it behind NAT?
It has a public IP and is not behind NAT.

What does the output of tailscale status show? Is your client shown as "active"?
It shows the list of online devices with the client being active (device2):
Code:
username@router:/tmp/home/root# tailscale status
100.X.X.X   router        username1    linux   idle; offers exit node
100.X.X.X   device1       username2    iOS     -
100.X.X.X   device2       username2    macOS   active; direct PUBLIC_IP:41641
...

Are both the router and your client shown as Connected on https://login.tailscale.com/admin/machines ?
Yes they are both connected (device2 & router as shown above)

What is your client device?
macOS Safari -> RT-AX88U router
 
Thanks for the info @bearly_an_enthusiast.

Yes. The problem is accessing the WebUI and/or SSH through tailscale, outside the network. Accessing other devices on the router's LAN works fine.


Accessing http://192.168.50.1 works fine while on LAN. Accessing hostname.tailfXfXX.ts.net does not work (I am also using tailscale cert for SSL certificate in WebUI). Currently using another node inside network to advertise 192.168.50.1/32 so that I can manage it from outside of network.
It's not entirely clear whether you've tried this but you need to be accessing the router using its 192.168.50.1 address (rather than hostname.tailfXfXX.ts.net) as this is what httpd(s) and dropbear are listening on. hostname.tailfXfXX.ts.net would resolve to something like 100.66.22.55 which won't work.

You might have more luck using hostname.tailfXfXX.ts.net if tailscale was running in Userspace mode rather than Kernel mode as that replaces the entire network stack and performs various "tricks". But I haven't tested this theory.
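
The point about listen addresses above, as an added example that is not part of the original post: a POSIX shell check that reads `netstat -tln` output and reports whether a port has a listener that accepts connections addressed to a given IP. The sample output is constructed, ports 80 (httpd) and 22 (dropbear) are assumptions, and 100.66.22.55 is the illustrative tailnet address used in the post.

```shell
#!/bin/sh
# Added example (not from the thread): judge from the listening sockets
# which destination addresses can reach a service on the router.

# Constructed `netstat -tln` output, not captured from a real router.
# Assumption: httpd listens on port 80 and dropbear on port 22.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 192.168.50.1:80   0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:80      0.0.0.0:*         LISTEN
tcp        0      0 192.168.50.1:22   0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:53        0.0.0.0:*         LISTEN'

# bound_addrs PORT: read netstat output on stdin and print every local
# address that has a TCP listener on PORT.
bound_addrs() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, p, ":")          # last piece is the port
            if (p[n] == port)
                print substr($4, 1, length($4) - length(p[n]) - 1)
        }'
}

# listener_covers PORT ADDR: succeed if a listener on PORT is bound to
# ADDR itself or to the IPv4 wildcard 0.0.0.0 (which accepts any local
# IPv4 destination, including a tailnet address).
listener_covers() {
    bound_addrs "$1" | grep -q -x -F -e "$2" -e "0.0.0.0"
}

# Compare the LAN address with the tailnet address for both services.
for target in 192.168.50.1 100.66.22.55; do
    for port in 80 22; do
        if printf '%s\n' "$SAMPLE_NETSTAT" | listener_covers "$port" "$target"; then
            echo "$target:$port  a listener accepts this destination"
        else
            echo "$target:$port  no listener bound to this address"
        fi
    done
done
```

On a router, pipe the live output in instead of the sample, for example `netstat -tln | listener_covers 80 192.168.50.1`. A service bound only to the LAN address is not exposed on the router's other interface addresses, which is why the subnet route to 192.168.50.1 works while the tailnet name does not.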
 
At one point, many versions ago, I started using the --advertise-exit-node for this exact reason. Seemed to work, so I left it in there. Not sure if it's still needed.
 
