Install & Upgrade Tailscale on your Ubiquiti EdgeRouter X
networking tailscale Linux

Lucas Raymond Laprad

Introduction

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

A friend of mine uses an EdgeRouter X as their primary home router (behind CGNAT) and wanted a simple home VPN solution. I've used Tailscale before and thought it would be a great fit for them.

They'd install Tailscale on their laptop and the EdgeRouter, and that's it. Afterwards, they should be able to easily access their entire home network no matter where they go and play games over Steam Link, one of their main use cases for this.

A Few Considerations

  • Upgrading the router's firmware will remove Tailscale and its configs, so be sure to fully upgrade your EdgeRouter before doing this.
  • While the unstable tailscale packages do work, try to stick with the stable releases.
  • You will need an account with Tailscale to get this going. Go here to get that set up before continuing.

Installation

Ideally, make sure your EdgeRouter X is up to date before continuing.

Open a terminal or command prompt window, and SSH into your router:

ssh youradminuser@your.router.ip.address


Log in as the admin user, and change directory to root's home:

ubnt@EdgeRouter-X-5-Port:~$ sudo su
root@EdgeRouter-X-5-Port:/home/ubnt# cd
root@EdgeRouter-X-5-Port:~# 

Go here to find the latest Tailscale binary for the EdgeRouter; you will want to copy the link for the "mipsle" binary. At the time of this post, the current stable version is 1.54.0.


Download the package with curl, extract it, then change into the newly extracted directory for the version you downloaded.

root@EdgeRouter-X-5-Port:~# curl https://pkgs.tailscale.com/stable/tailscale_1.54.0_mipsle.tgz -o tailscale.tgz
root@EdgeRouter-X-5-Port:~# tar xzvf tailscale.tgz

tailscale_1.54.0_mipsle/
tailscale_1.54.0_mipsle/tailscaled
tailscale_1.54.0_mipsle/tailscale
tailscale_1.54.0_mipsle/systemd/
tailscale_1.54.0_mipsle/systemd/tailscaled.service
tailscale_1.54.0_mipsle/systemd/tailscaled.defaults

root@EdgeRouter-X-5-Port:~# cd tailscale_1.54.0_mipsle/
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# 


Now, move the binaries to the proper locations on the router and create the needed directories for data and the runtime socket.

root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# mv tailscale* /usr/sbin
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# mv systemd/tailscaled.service /etc/systemd/system
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# mv systemd/tailscaled.defaults /etc/default/tailscaled
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# mkdir /var/lib/tailscale 
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# mkdir /run/tailscale
root@EdgeRouter-X-5-Port:~/tailscale_1.54.0_mipsle# cd
root@EdgeRouter-X-5-Port:~#


At this point, Tailscale has been installed.

NAT Configuration

We need to create a few rules so devices on the EdgeRouter's LANs can access Tailscale clients (say, your single laptop) outside the local network.

root@EdgeRouter-X-5-Port:~# configure
root@EdgeRouter-X-5-Port# set service nat rule 5012 description Tailscale
root@EdgeRouter-X-5-Port# set service nat rule 5012 outbound-interface tailscale0
root@EdgeRouter-X-5-Port# set service nat rule 5012 protocol all
root@EdgeRouter-X-5-Port# set service nat rule 5012 type masquerade
root@EdgeRouter-X-5-Port# commit
root@EdgeRouter-X-5-Port# save
root@EdgeRouter-X-5-Port# exit
root@EdgeRouter-X-5-Port:~#


Start Tailscale

Time to both join the EdgeRouter to your Tailnet and expose the local subnet to it. Change the subnet according to your setup. Once you bring the Tailscale service online, open the URL displayed in the terminal in a web browser and follow the instructions to join the EdgeRouter to your Tailnet.

root@EdgeRouter-X-5-Port:~# systemctl enable --now tailscaled
root@EdgeRouter-X-5-Port:~# tailscale up --advertise-routes=192.168.0.0/24

To authenticate, visit:

        https://login.tailscale.com/a/xxxxxxxxxxxx

Success.


If everything worked as expected, the EdgeRouter should now be joined and online. The second step for enabling your home network is to go into your Tailscale admin console and approve the subnet. Below is an excerpt from the Tailscale documentation, located here.

Optional: Upgrading Versions

The command "tailscale update" will fail for an installation like this, as the EdgeRouter will not be able to reach out to any repo for a new version. To upgrade to a new version, follow these steps. While not recommended, I will be using a newer, unstable build for the example, upgrading from 1.54.0 to 1.55.58.

Remove the EdgeRouter from your admin console:

Log in as root, and remove any previously downloaded Tailscale version folder or archive:

ubnt@EdgeRouter-X-5-Port:~$ sudo su
root@EdgeRouter-X-5-Port:/home/ubnt# cd
root@EdgeRouter-X-5-Port:~# ls
tailscale.tgz       tailscale_1.54.0_mipsle
root@EdgeRouter-X-5-Port:~# rm tailscale.tgz
root@EdgeRouter-X-5-Port:~# rm -R tailscale_1.54.0_mipsle/


Download the latest binary and extract it, then change into that new directory.

root@EdgeRouter-X-5-Port:~# curl https://pkgs.tailscale.com/unstable/tailscale_1.55.58_mipsle.tgz -o tailscale.tgz
root@EdgeRouter-X-5-Port:~# tar xzvf tailscale.tgz

tailscale_1.55.58_mipsle/
tailscale_1.55.58_mipsle/tailscaled
tailscale_1.55.58_mipsle/tailscale
tailscale_1.55.58_mipsle/systemd/
tailscale_1.55.58_mipsle/systemd/tailscaled.service
tailscale_1.55.58_mipsle/systemd/tailscaled.defaults

root@EdgeRouter-X-5-Port:~# cd tailscale_1.55.58_mipsle/
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# 
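
Both the installation download earlier and this upgrade download unpack an archive as root without checking it first. The following is an added example, not part of the original post, that verifies the archive's SHA-256 digest and its member paths before extracting. The function names are hypothetical, and it assumes the expected digest is obtained separately over HTTPS, for example from a checksum file published beside the archive (confirm on the download page that one exists).

```shell
#!/bin/sh
# Added example: check a downloaded Tailscale archive before unpacking it as root.
# verify_sha256, safe_members and check_and_extract are hypothetical helper names.

# verify_sha256 FILE EXPECTED_HEX: succeeds only if FILE's SHA-256 equals EXPECTED_HEX.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \r\n')
    # A digest is exactly 64 hex characters; this rejects an empty value
    # or an HTML error page saved in place of the checksum.
    case $expected in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# safe_members FILE PREFIX: succeeds only if every archive member sits under
# PREFIX/ and no name is absolute or contains "..", so tar cannot write elsewhere.
safe_members() {
    members=$(tar tzf "$1") || return 1
    [ -n "$members" ] || return 1
    printf '%s\n' "$members" | while IFS= read -r m; do
        case $m in
            /*|*..*) exit 1 ;;   # exits the pipeline subshell with failure
            "$2"/*) ;;           # expected location
            *) exit 1 ;;
        esac
    done
}

# check_and_extract FILE EXPECTED_HEX PREFIX: extract only after both checks pass.
check_and_extract() {
    verify_sha256 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    safe_members "$1" "$3" || { echo "unexpected paths in: $1" >&2; return 1; }
    tar xzf "$1"
}

# Usage on the router (the digest is a placeholder you obtain separately):
#   check_and_extract tailscale.tgz "<expected-sha256>" tailscale_<version>_mipsle
```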


Bring Tailscale down, stop the system service, then remove the data directory created during installation.

root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# tailscale down
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# systemctl stop tailscaled.service
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# rm -R /var/lib/tailscale


Install the new binaries; the mv command will overwrite the old ones.

root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# mv tailscale* /usr/sbin
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# mv systemd/tailscaled.service /etc/systemd/system
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# mv systemd/tailscaled.defaults /etc/default/tailscaled
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# mkdir /var/lib/tailscale 
root@EdgeRouter-X-5-Port:~/tailscale_1.55.58_mipsle# cd
root@EdgeRouter-X-5-Port:~#


Reload the systemd daemons, start the Tailscale service, and re-authenticate like you did during the initial installation.

root@EdgeRouter-X-5-Port:~# systemctl daemon-reload
root@EdgeRouter-X-5-Port:~# systemctl start tailscaled
root@EdgeRouter-X-5-Port:~# tailscale up --advertise-routes=192.168.0.0/24

To authenticate, visit:

        https://login.tailscale.com/a/xxxxxxxxxxxx

Success.


Your EdgeRouter should now be running the new version!

Optional: Exit Node

Tailscale also allows any Tailnet device to act as an exit node. This means you can direct your Tailscale client to route all public traffic through a specific device, which will then send your traffic out to the Internet. This can be useful if you are somewhere like a hotel, coffee shop, or any other untrusted network.

We can enable this with a few steps. When you are bringing Tailscale up, append the "--advertise-exit-node" flag.

root@EdgeRouter-X-5-Port:~# tailscale up --advertise-routes=192.168.0.0/24 --advertise-exit-node

Next, log into the admin console and allow the exit node. Here are a few steps from the Tailscale knowledge base.

Have your device (Say, laptop) use the exit node:

Re-run tailscale up with the '--exit-node=' flag, passing the Tailscale 100.x.y.z IP address of the exit node.

root@EdgeRouter-X-5-Port:~# tailscale up --exit-node=<exit-node-ip>

You can find the IP address for the device from the admin console, or by running 'tailscale status'.

Alternatively, set '--exit-node-allow-lan-access' to true to allow direct access to your local network when traffic is routed via an exit node.

root@EdgeRouter-X-5-Port:~# tailscale up --exit-node=<exit-node-ip> --exit-node-allow-lan-access=true

Final Thoughts

Any more involved configurations can be researched at the main Tailscale knowledge base, located here. It's a very useful resource when I've run into troubles configuring tailscale.

At this point, the laptop should have few to zero issues connecting to the home network. Tailscale updates fairly regularly, adding new features and increasing performance with each push. I have yet to run into any long-term issues using Tailscale where I do, and I am very happy to continue recommending it.