Tailscale on Asus RT-AX86U router

Aerandir14

Hello,

I've been trying to make Tailscale work on my Asus router for the last few days.

I actually made it run successfully by installing the tailscale package on Entware.

However, I noticed that if I configure Tailscale to override local DNS with my router's Tailscale IP, my Tailscale devices won't get any answer from the DNS anymore.
I noticed that if I disable the IPv4 firewall on the Asus webpage, my Tailscale devices succeed in resolving their DNS requests, but it looks like the firewall activates again a few seconds later and I lose DNS resolution again.
It seems like the router won't answer any DNS requests that don't come from a routed IP address. By using Tailscale, the DNS requests come from 100.100.100.100 and I can't find how to configure my router for it to accept requests from Tailscale devices.

The only way for my Tailscale requests to be answered is to set a Subnet Route to my local IP range on another Tailscale device, and set the Tailscale DNS to my router's local IP address.
I found a tutorial explaining how to install Tailscale on a pi-hole where they explain how to solve this issue (DNS working with local network IP address but not with Tailscale IP address), but it's recommended to enable "listen on all interface, permit all origins" but I can't find anything similar on my router.

I added "interface=tailscale0" to dnsmasq.conf.add, with no success.

If you have any idea about how to configure the router to accept DNS requests outside of the local IP address, I'd be very grateful!
Thanks!
 
Being able to easily run Tailscale (or Zerotier) is one feature that I am really missing just now and would love it if it could be one day added to Asus (or indeed the incredible Merlin's) firmware UI.
 
Being able to easily run Tailscale (or Zerotier) is one feature that I am really missing just now and would love it if it could be one day added to Asus (or indeed the incredible Merlin's) firmware UI.
Does anyone know if there’s been any development on this, I’d love to see it too.

I’ve just got a new ISP in a holiday home and they use CG-NAT, so apparently that is the reason my home setup using OVPN and Wireguard accesses don’t work.

Someone mentioned I should use Tailscale but it seems quite techy to install whereas OVPN and Wireguard install and run beautifully and reliably on Merlin.
 
Does anyone know if there’s been any development on this, I’d love to see it too.

I’ve just got a new ISP in a holiday home and they use CG-NAT, so apparently that is the reason my home setup using OVPN and Wireguard accesses don’t work.

Someone mentioned I should use Tailscale but it seems quite techy to install whereas OVPN and Wireguard install and run beautifully and reliably on Merlin.
I have been unable to find any movement on this at all which is an absolute shame and why I have unfortunately had to abandon my beloved Asus in favour of GL.iNet router for now.
 
I don't use Tailscale myself, but from your description, you probably need to add some firewall rules to both accept traffic and forward traffic from and to the Tailscale interfaces.
 
I have been unable to find any movement on this at all which is an absolute shame and why I have unfortunately had to abandon my beloved Asus in favour of GL.iNet router for now.
Oh, that's interesting. I have a GLiNET Beryl AX (MT3000) as a Travel Router and I know GLiNET implemented Tailscale in their OpenWRT-based FW, so that's an option, but like you, I love the Merlin F/W. To move to another Router just for that would be a shame.

My use case is a Holiday House where I recently installed Fibre Access and the ISP apparently operates using "CG-NAT", which does not allow VPN through as it is not a Static or Public IP Address.
 
I have been able to install and run Tailscale on my RT-AX86u_Pro, but after a few minutes the router crashed and reboots.

The VSZ% (virtual memory size) jumps right to ~70% - basically utilizing the balance of all other jobs. If I do not terminate the process within a couple minutes, the router crashes. But for that short period, the router connects properly, and I am able to access it via all other clients, and the router is also able to provide local subnet access.

If anyone could fix the crashing problem, this would be awesome.
 
You downloaded a tailscale-armv*.spk package from their website?

Can't say I'd be inclined to register for such, but be that as it may, our routers are Linux boxes indeed, though not really "general purpose" Linux boxes. If it /does/ run well on our routers then perhaps you're trying to do too much with yours as a "general" Linux device otherwise.

Does nothing "native" re VPN (something I've never yet felt the need to employ) "fill the bill" for you? Got no other GNU/Linux "device" on your network which would be better able (more suitable) for the task? (Another thing I've never yet felt either the need, or desire, to do - since the time Windows 95 was fixin' to be released - was have /anything/ other than GNU/Linux controlling any of my computing hardware. : )
 
You downloaded a tailscale-armv*.spk package from their website?

Can't say I'd be inclined to register for such, but be that as it may, our routers are Linux boxes indeed, though not really "general purpose" Linux boxes. If it /does/ run well on our routers then perhaps you're trying to do too much with yours as a "general" Linux device otherwise.

Does nothing "native" re VPN (something I've never yet felt the need to employ) "fill the bill" for you? Got no other GNU/Linux "device" on your network which would be better able (more suitable) for the task? (Another thing I've never yet felt either the need, or desire, to do - since the time Windows 95 was fixin' to be released - was have /anything/ other than GNU/Linux controlling any of my computing hardware. : )
All good questions, sorry I didn’t catch this earlier.

Actually whilst my GLiNET MT3000 device runs Tailscale (and it seems from the GLiNET forum this is not without its challenges), I am coming to the conclusion that the ASUS Routers that I have, whilst potentially able to run Tailscale, are probably not powerful enough to run it properly without affecting their main function as a Router.

Add to that the complexity of implementation by ASUS and/or Merlin, I think I am best served by an independent device, for a subnet router, which is all I need to access an RT-AX86U Pro 9000km away.

I have experimented with a RPI3 and RPI4, per my write up here and I have also repurposed a fanless Thin Client ( a DELL WYSE5070) with DietPi running Tailscale only, but I also put Windows on it with Tailscale, out of curiosity.

That along with Tailscale now adding Subnet Router capabilities to their AppleTV range running iOS 17 (4K v1 and above devices and the AppleTV HD, although beware the latter only has 10/100 Ethernet), a device which is low power, silent and has a decent CPU and is always on, makes (along with various options above, not an RPI3 though) it possible for “everyday” folks like me to relatively easily add a subnet router.

Would a “Tailscale Toggle” in the ASUS Router Admin Page itself have been nice, an implementation that didn’t need a script that needed to be tweaked, and was all in the one box? Yes absolutely. It might still come (to ASUS Routers) with more powerful processors, it might even be possible now, but I am ok with where the other options have landed.

Tailscale isn’t quite as quick as WG natively and Merlin has made WG relatively easy to implement, so there are alternatives. I went for Tailscale as the remote router is behind a CGNAT connection. I could pay extra for a static IP if I really wanted to.

k.
 
I have been able to successfully install tailscale on my RT-AX86U-Pro after several different methods and (unfortunately) without much help from the forum.

So, I want to share what worked for me:

- install Entware from AMTM

- install tailscale & tailscaled from CLI with the following three commands

1- "opkg install ca-bundle"
2- "opkg install tailscale"
3- "opkg install tailscaled"

download updated binaries from tailscale's website (I used "tailscale_1.54.0_arm64.tgz")

extract, copy and overwrite them to /opt/bin/ (I used WinSCP). Make sure they have the same permissions as the originals (executable, etc)

edit /opt/etc/init.d/S06tailscaled to point to correct files (make sure your /mnt paths exist/are correct for your setup):

#!/bin/sh
ENABLED=yes
PROCS=tailscaled
ARGS="-tun=userspace-networking -statedir /mnt/entware/tailscale/"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func




***Reboot ROUTER****
SSH to CLI
run "tailscale update"
run "tailscale login"

insert this code into firewall-start (make sure your subnet is correct):

tailscale up --accept-routes --advertise-routes=192.168.50.0/24
***Reboot ROUTER****

ETA: Also, I forgot to make sure to mention that these entries are also in my services-start script:
-------
/opt/etc/init.d/S06tailscaled start
tailscale up --accept-routes --advertise-routes=192.168.50.0/24
-------


Everything should be up and running. It has been flawless for me for weeks now.
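
One way to script the "download, extract, overwrite /opt/bin" step from the post above so that the tarball's SHA-256 is checked before any binary is replaced. This is an added example, not part of the original post or of Tailscale's tooling; the function names are hypothetical, and it assumes `sha256sum`, `tar` and `mktemp` are available on the router and that you obtained the expected hash from a source you trust.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Router usage (version, hash and paths are yours to fill in):
#   install_tailscale /tmp/tailscale_<ver>_arm64.tgz <sha256> /opt/bin /mnt/entware/tailscale

# Print the lowercase SHA-256 of a file (assumes a sha256sum applet is present).
sha256_of() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# verify_tarball TARBALL EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on unusable input.
verify_tarball() {
    vt_file=$1
    vt_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vt_file" ] || { echo "no such file: $vt_file" >&2; return 2; }
    case $vt_want in
        ''|*[!0-9a-f]*) echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#vt_want}" -eq 64 ] || { echo "expected hash is not 64 hex digits" >&2; return 2; }
    vt_have=$(sha256_of "$vt_file")
    if [ "$vt_have" != "$vt_want" ]; then
        echo "SHA-256 mismatch for $vt_file" >&2
        return 1
    fi
    return 0
}

# install_tailscale TARBALL EXPECTED_SHA256 BINDIR STATEDIR
# Verifies first, then replaces tailscale and tailscaled in BINDIR.
install_tailscale() {
    it_tar=$1; it_sha=$2; it_bin=$3; it_state=$4
    # Nothing is unpacked or overwritten unless the hash matches.
    verify_tarball "$it_tar" "$it_sha" || return 1
    it_work=$(mktemp -d) || return 1
    tar -xzf "$it_tar" -C "$it_work" || { rm -rf "$it_work"; return 1; }
    for it_name in tailscale tailscaled; do
        # The static tarball keeps both binaries in one versioned directory;
        # -name matches exactly, so the systemd/ unit files are not picked up.
        it_src=$(find "$it_work" -type f -name "$it_name" | head -n 1)
        [ -n "$it_src" ] || { echo "no $it_name in archive" >&2; rm -rf "$it_work"; return 1; }
        # Keep the opkg-installed binary as *.org once, as the post does.
        if [ -f "$it_bin/$it_name" ] && [ ! -e "$it_bin/$it_name.org" ]; then
            cp -p "$it_bin/$it_name" "$it_bin/$it_name.org" || { rm -rf "$it_work"; return 1; }
        fi
        # Copy beside the target, set 755, then rename into place so a
        # half-written file is never left under the real name.
        cp "$it_src" "$it_bin/$it_name.new" &&
            chmod 755 "$it_bin/$it_name.new" &&
            mv -f "$it_bin/$it_name.new" "$it_bin/$it_name" ||
            { rm -rf "$it_work"; return 1; }
    done
    rm -rf "$it_work"
    # The state directory holds the node's keys and tokens: owner-only access.
    mkdir -p "$it_state" && chmod 700 "$it_state"
}
```
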
 
I have been able to successfully install tailscale on my RT-AX86U-Pro after several different methods and (unfortunately) without much help from the forum.

So, I want to share what worked for me:

- install Entware from AMTM

- install tailscale & tailscaled from CLI with the following three commands

1- "opkg install ca-bundle"
2- "opkg install tailscale"
3- "opkg install tailscaled"

download updated binaries from tailscale's website (I used "tailscale_1.54.0_arm64.tgz")

extract, copy and overwrite them to /opt/bin/ (I used WinSCP). Make sure they have the same permissions as the originals (executable, etc)

edit /opt/etc/init.d/S06tailscaled to point to correct files (make sure your /mnt paths exist/are correct for your setup):

#!/bin/sh
ENABLED=yes
PROCS=tailscaled
#ARGS="--state=/opt/var/tailscaled.state --tun=userspace-networking -statedir /mnt/routerusb1/tailscale/"
ARGS="-tun=userspace-networking -statedir /mnt/entware/tailscale/"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func




***Reboot ROUTER****
SSH to CLI
run "tailscale update"
run "tailscale login"

insert this code into firewall-start (make sure your subnet is correct):

tailscale up --accept-routes --advertise-routes=192.168.50.0/24
***Reboot ROUTER****

Everything should be up and running. It has been flawless for me for weeks now.
Congrats on getting it to work and very well done. Despite your great instruction this still sounds way above my paygrade and I have moved to the GL-MT6000 (Flint 2) mostly to have this feature built-in to router's GUI. I hope that one day @RMerlin or someone might incorporate this fantastic feature into the main firmware or at least produce an easy to install and run script.
 
extract, copy and overwrite them to /opt/bin/ (I used WinSCP). Make sure they have the same permissions as the originals (executable, etc)
Thanks for this, in case I feel bold or rather pluck up the courage to give it a try, can you please elaborate on this part (I use WinSCP a reasonable amount) but by originals do you mean the same file permissions as the file you downloaded or the ones in that directory already?

Could you show a WinSCP screenshot of these files please, if you get time?

edit /opt/etc/init.d/S06tailscaled to point to correct files (make sure your /mnt paths exist/are correct for your setup):
by this statement can I assume you mean only this path, i.e. to one of the Router's USB ports? I have Diversion running on a USB Port already
/mnt/routerusb1/tailscale/

Have you implemented Tailscale‘s autoupdate feature via the CLI? And does it work automagically?

tailscale set --auto-update

My last question is how much (if any) does this take away from the Router acting in its primary capacity as a Router? Let’s say I have 20 Wi-Fi clients, among them several kids watching Netflix or Disney or some other streaming show, and 10 IoT devices, and I Tailscale into the Router to do something, will they (or I) see an impact from this (due to the Router not being able to keep up, not due to the drain on bandwidth).

Thanks !

k.
 
Thanks for this, in case I feel bold or rather pluck up the courage to give it a try, can you please elaborate on this part (I use WinSCP a reasonable amount) but by originals do you mean the same file permissions as the file you downloaded or the ones in that directory already?

Yes, make sure the permissions are the same as the original binaries installed with opkg (chmod 755).


You will see that I backed up the original binaries (*.org).

Could you show a WinSCP screenshot of these files please, if you get time?


by this statement can I assume you mean only this path, i.e. to one of the Router's USB ports? I have Diversion running on a USB Port already

You need to set a path on your USB/SSD for tailscale to store settings and tokens.

I chose to create this folder at /mnt/entware/tailscale

I cleaned up the /opt/etc/init.d/S06tailscaled edits from my testing. Just make sure the italicized path exists in the location you want it:
----------------
#!/bin/sh

ENABLED=yes
PROCS=tailscaled
ARGS="-tun=userspace-networking -statedir /mnt/entware/tailscale/"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

------------

Also, I forgot to make sure to mention that these entries are also in my services-start script:
-------
/opt/etc/init.d/S06tailscaled start
tailscale up --accept-routes --advertise-routes=192.168.50.0/24
-------




Have you implemented Tailscale‘s autoupdate feature via the CLI? And does it work automagically?
tailscale set --auto-update

I did not. I have issued the update command from CLI successfully, but I am usually of the mindset that updates will happen when I want them to, not when someone else does :)

My last question is how much (if any) does this take away from the Router acting in its primary capacity as a Router? Let’s say I have 20 Wi-Fi clients, among them several kids watching Netflix or Disney or some other streaming show, and 10 IoT devices, and I Tailscale into the Router to do something, will they (or I) see an impact from this (due to the Router not being able to keep up, not due to the drain on bandwidth).

Thanks !

k.
I have ~25 wireless clients (kids on youtube, prime, spotify, virtual learning, etc. Multiple security cameras with BlueIris. Some IoT devices. Plus 3 AiMesh nodes) and a few wired clients active simultaneously. Also running an OVPN server and client on the router, alongside tailscale. Router has not even flinched.

If you get a chance to try this, please let me know if you are successful. I did this a few times between firmware resets just to make sure it wasn't a fluke, and it has been working perfectly for weeks.
 
Yes, make sure the permissions are the same as the original binaries installed with opkg (chmod 755).


You will see that I backed up the original binaries (*.org).



You need to set a path on your USB/SSD for tailscale to store settings and tokens.

I chose to create this folder at /mnt/entware/tailscale

I cleaned up the /opt/etc/init.d/S06tailscaled edits from my testing. Just make sure the italicized path exists in the location you want it:
----------------
#!/bin/sh

ENABLED=yes
PROCS=tailscaled
ARGS="-tun=userspace-networking -statedir /mnt/entware/tailscale/"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

------------

Also, I forgot to make sure to mention that these entries are also in my services-start script:
-------
/opt/etc/init.d/S06tailscaled start
tailscale up --accept-routes --advertise-routes=192.168.50.0/24
-------







I did not. I have issued the update command from CLI successfully, but I am usually of the mindset that updates will happen when I want them to, not when someone else does :)


I have ~25 wireless clients (kids on youtube, prime, spotify, virtual learning, etc. Multiple security cameras with BlueIris. Some IoT devices. Plus 3 AiMesh nodes) and a few wired clients active simultaneously. Also running an OVPN server and client on the router, alongside tailscale. Router has not even flinched.

If you get a chance to try this, please let me know if you are successful. I did this a few times between firmware resets just to make sure it wasn't a fluke, and it has been working perfectly for weeks.
Thank you for all that, really appreciate you taking the time. I might take some deep breaths and give it a whirl in the next week or so.

k.
 
I chose to create this folder at /mnt/entware/tailscale
Assume that /entware/ is the new name of your USB ?

EDIT: ok for me I guess it will be my DIVEXT4 dir (Diversion on a USB formatted as EXT4, hence the name) currently on a USB stick. Might consider to change that to an SSD first, for reliability.
 

Assume that /entware/ is the new name of your USB ?

EDIT: ok for me I guess it will be my DIVEXT4 dir (Diversion on a USB formatted as EXT4, hence the name) currently on a USB stick. Might consider to change that to an SSD first, for reliability.
Yes, that is the USB partition/disk name.
 
If you get a chance to try this, please let me know if you are successful. I did this a few times between firmware resets just to make sure it wasn't a fluke, and it has been working perfectly for weeks.
Recording my (successful) trial so I can work backwards to delete/undo if needed:

1. I backed up my current Router config and jffs from the WebAdmin GUI. Also (using WinSCP) my list of DHCPs in jffs/nvram/ (custom_clientlist, dhcp_staticlist). Also asus_device_list and cfg_device_list for good measure.

2. I have Diversion installed (on USB in the Router, called DIVEXT4) so I am assuming that installation installed Entware already. In any case when I typed amtm into the CLI (SSH into Router using Putty), then selected i, then ep, it showed "This router runs Entware aarch64-k3.10 Server in use: bin.entware.net" so I am assuming that it is already running.

3. I then pressed 1 to check for any updated Entware packages (as I noticed one of your commands 'opkg' was on the list and wanted the latest). I was a bit surprised it updated them all when I hit enter again (not exit) but that was OK.

4. I had to add the firewall-start file (I used WinSCP to do this, selecting 'File, New' while in the /jffs/scripts/ dir). I gave it the same permissions as the services-start file that was already in that /jffs/scripts/ dir. I am not sure if this is correct or not, all rwxr-xr-x.

The reason I checked for and added this file at this point was in case any of the steps taken or commands issued prior to editing these files looked for and added anything to them. I did not edit them at this point, see below for when I did so.

5. When I extracted (d/l from here https://pkgs.tailscale.com/stable/tailscale_1.58.2_arm64.tgz ) the .tgz file to my windows desktop (generic path is https://pkgs.tailscale.com/stable/#static choose arm64, for future ref), I got the tailscale and tailscaled files as shown in your screencap, but also a systemd dir. I am not sure if I should have copied that dir across too (after step 6 below). I did not do so and that seems OK.

6. I then ran these commands via the CLI (SSH into Router using Putty):

opkg install ca-bundle
opkg install tailscale
opkg install tailscaled


The output was as follows:
XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install ca-bundle
Installing ca-bundle (20230311-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/ca-bundle_20230311-1_all.ipk
Configuring ca-bundle.
XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install tailscale
Installing tailscale (1.46.1-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/tailscale_1.46.1-1_aarch64-3.10.ipk
Configuring tailscale.
XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install tailscaled
Unknown package 'tailscaled'.
Collected errors:

* opkg_install_cmd: Cannot install package tailscaled.
XXXXX@RT-AX86U-0E30:/tmp/home/root#
The first two went OK, the last one threw an error as above in bold, but checking the contents of the /opt/bin/ dir via WinSCP, it seemed to have put the tailscaled file in there anyway?

7. I then copied the tailscale and tailscaled files I had extracted above (on my Windows Desktop) across to /opt/bin/ using WinSCP.

8. When I edited /opt/etc/init.d/S06tailscaled I found most of these lines were already in that file; IIRC I only had to change the mounted USB device name (to DIVEXT4) and delete some text off one line.
#!/bin/sh

ENABLED=yes
PROCS=tailscaled
ARGS="-tun=userspace-networking -statedir /mnt/DIVEXT4/tailscale/"
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func

I then rebooted the router by issuing reboot at the CLI.

9. firewall-start mods

When I edited the firewall-start file, I added #!/bin/sh to the top as it was empty, having been newly created by me, as described above. I do not know if it was needed, but other files seemed to have it, so it ended up like this:
#!/bin/sh
tailscale up --accept-routes --advertise-routes=192.168.XX.0/24
EDIT: I also added this line as recommended below.
tailscale set --auto-update

10. services-start mods (XX being my subnet).

IIRC this file already had “Diversion # added by amtm” and some other lines in it.
I added:
/opt/etc/init.d/S06tailscaled start
tailscale up --accept-routes --advertise-routes=192.168.XX.0/24
EDIT: I also added this line as recommended below.
tailscale set --auto-update

11. Update and Login

Running "tailscale update" from the CLI, it said it was already the latest (which I expected as I downloaded the latest in an above step)
running "tailscale login" gave me a specific URL (which I copied to a Browser, Chrome) which allowed me to add the Device to my existing Tailnet. All good.

12. I would like to eventually set this behind a CGNAT ISP, so I needed it to be set up as a Subnet Router.

ref. https://tailscale.com/kb/1019/subnets

I did this from the Tailscale Admin (https://login.tailscale.com/admin/machines). It works from my Phone (LTE) to my Router, so far so good. However I also checked if it worked WITHOUT being designated a Subnet Router; it did not. Maybe there are other Tailscale admin selections I am missing?

13. I then checked the "tailscale status" by issuing that command from the CLI which said (as well as listing all of my Tailscale Devices):
# Health check:
# - dns-os: getting OS base config is not supported
# - dns: getting OS base config is not supported
I have no idea what this means but presumably it is because ASUS Merlin FW is not supported by Tailscale or something like that?

ref. https://pkg.go.dev/tailscale.com/net/dns#pkg-variables

14. I then ran tailscale set --auto-update manually from the CLI, which seemed to work (no errors) but does it need to go into firewall-start or services-start? If not, then I am not sure where to put it to make it check automatically?

EDIT: response below suggests both.

15. Files to Delete if Undoing

The install seems to also have installed two other files locale.new and localedef.new (I think, sorry did not screencap early enough) are these new?. If so, they are files I can delete later if undoing this, along with deleting tailscale and tailscaled, and editing the firewall-start file and service-start files to stock. What else would I need to do to go back to scratch, can I just reset jffs in the WebGUI (Format JFFS partition at next boot from Advanced/System Tab) then restore the Config files I saved above?

I will try this setup for a while. I really have no idea what I am doing here or what these CLI commands all mean, but I am pretty good at following directions.

Thank you once again for your patience and clear directions, nice to have one device doing it all!

k.
 

Recording my (successful) trial so I can work backwards to delete/undo if needed:

1. I backed up my current Router config and jffs from the WebAdmin GUI. Also (using WinSCP) my list of DHCPs in jffs/nvram/ (custom_clientlist, dhcp_staticlist). Also asus_device_list and cfg_device_list for good measure.

2. I have Diversion installed (on USB in the Router, called DIVEXT4) so I am assuming that installation installed Entware already. In any case when I typed amtm into the CLI (SSH into Router using Putty), then selected i, then ep, it showed "This router runs Entware aarch64-k3.10 Server in use: bin.entware.net" so I am assuming that it is already running.

3. I then pressed 1 to check for any updated Entware packages (as I noticed one of your commands 'opkg' was on the list and wanted the latest). I was a bit surprised it updated them all when I hit enter again (not exit) but that was OK.

4. I had to add the firewall-start file (I used WinSCP to do this, selecting 'File, New' while in the /jffs/scripts/ dir). I gave it the same permissions as the services-start file that was already in that /jffs/scripts/ dir. I am not sure if this is correct or not, all rwxr-xr-x.

I already had some custom firewall scripting, so the file was already generated, sorry I didn't think of mentioning that.

5. When I extracted (d/l from here https://pkgs.tailscale.com/stable/tailscale_1.58.2_arm64.tgz ) the .tgz file to my windows desktop (generic path is https://pkgs.tailscale.com/stable/#static choose arm64, for future ref), I got the tailscale and tailscaled files as shown in your screencap, but also a systemd dir. I am not sure if I should have copied that dir across too (after step 6 below). I did not do so and that seems OK.
I didn't move the systemd contents either, intending only to update the binary and keeping all other configs just as entware/opkg set them up.

6. I then ran these commands via the CLI (SSH into Router using Putty):

opkg install ca-bundle
opkg install tailscale
opkg install tailscaled


The output was as follows:

XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install ca-bundle
Installing ca-bundle (20230311-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/ca-bundle_20230311-1_all.ipk
Configuring ca-bundle.
XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install tailscale
Installing tailscale (1.46.1-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/tailscale_1.46.1-1_aarch64-3.10.ipk
Configuring tailscale.
XXXXX@RT-AX86U-0E30:/tmp/home/root# opkg install tailscaled
Unknown package 'tailscaled'.
Collected errors:

* opkg_install_cmd: Cannot install package tailscaled.
XXXXX@RT-AX86U-0E30:/tmp/home/root#

The first two went OK, the last one threw an error as above in bold, but checking the contents of the /opt/bin/ dir via WinSCP, it seemed to have put the tailscaled file in there anyway?

I noticed that as well, and just ignored the errors.

7. I then copied the tailscale and tailscaled files I had extracted above (on my Windows Desktop) across to /opt/bin/ using WinSCP.

8. Update and Login

running "tailscale update" from the CLI, it said it was already the latest (which I expected as I downloaded the latest in an above step)
running "tailscale login" gave me a specific URL (which I copied to a Browser, Chrome) which allowed me to add the Device to my existing Tailnet. All good.

Thumbs up!

9. I would like to eventually set this behind a CGNAT ISP, so I needed it to be set up as a Subnet Router.

ref. https://tailscale.com/kb/1019/subnets

I did this from the Tailscale Admin (https://login.tailscale.com/admin/machines). It works from my Phone (LTE) to my Router, so far so good. However I also checked if it worked WITHOUT being designated a Subnet Router; it did not. Maybe there are other Tailscale admin selections I am missing?

That's part of the same use case as me - traversing CGNAT. I have subnet routing enabled.

10. I then checked the "tailscale status" by issuing that command from the CLI which said (as well as listing all of my Tailscale Devices):

# Health check:
# - dns-os: getting OS base config is not supported
# - dns: getting OS base config is not supported

I have no idea what this means but presumably it is because ASUS Merlin FW is not supported by Tailscale or something like that?

That is my assumption also.

ref. https://pkg.go.dev/tailscale.com/net/dns#pkg-variables

11. I then ran tailscale set --auto-update from the CLI, which seemed to work (no errors) but does it need to go into firewall-start or services-start? If not, then I am not sure where to put it to make it check automatically?
I would put those in both files, actually. Not sure if necessary, but won't hurt.
12. The install seems to also have installed two other files locale.new and localedef.new (I think, sorry did not screencap early enough) are these new?. If so, they are files I can delete later if undoing this, along with deleting tailscale and tailscaled, and editing the firewall-start file and service-start files to stock. What else would I need to do to go back to scratch, can I just reset jffs in the WebGUI (Format JFFS partition at next boot from Advanced/System Tab) then restore the Config files I saved above?
To undo, just delete the tailscale files/folder and the lines added to firewall- and service-start. No need to zap all of JFFS (it's a bad idea to do so anyway unless you are factory resetting)
I will try this setup for a while. I really have no idea what I am doing here or what these CLI commands all mean, but I am pretty good at following directions.

Thank you once again for your patience and clear directions, nice to have one device doing it all!

k.
My pleasure. Glad you could replicate and even add a few more details.
 
That is my assumption also.

# Health check:
# - dns-os: getting OS base config is not supported
# - dns: getting OS base config is not supported

I have no idea what this means but presumably it is because ASUS Merlin FW is not supported by Tailscale or something like that?

I wonder if one of the more experienced or qualified folks on here might clarify this particular point.

Apart from that, it’s great so far !
 
