openwrt tailscale overview
some notes for getting tailscale to work on openwrt (assumes openwrt 23.x).
broadly the instructions on the openwrt wiki are accurate. however, there are a few more steps that seem to be required.
of note: the installation of the ip[6]tables-nft packages
opkg install iptables-nft
opkg install ip6tables-nft
after these are installed, i found it useful to restart the tailscale service.
service tailscale restart
then set up the site routes.
# tailscale up --advertise-routes=10.10.0.0/24 --accept-routes=true --netfilter-mode=off
the --netfilter-mode=off flag is an openwrt requirement. don’t forget the --accept-routes=true flag for site-to-site VPN support. after that it’s all standard route setting in the tailscale dashboard.
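as an added helper (not part of the original notes), the openwrt-side steps above can be checked and assembled in a small POSIX sh script. build_tailscale_up composes the tailscale up line with the two flags the notes call out and refuses routes that are malformed or outside RFC1918 space; check_prereqs confirms the ip[6]tables-nft packages are installed and that ip forwarding is on (tailscale's documented subnet-router prerequisite, not something the notes mention). the function and variable names are mine, and the script only prints the command rather than running it.

```shell
#!/bin/sh
# added example, not from the original notes. assumes advertised routes are
# IPv4 CIDRs in RFC1918 space and that the router is an openwrt box with opkg.

# is_rfc1918 CIDR -> exit 0 if the prefix sits in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case "$1" in */*) ;; *) return 1 ;; esac        # must carry a prefix length
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac    # digits only
  [ "$len" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac    # digits and dots only (also blocks globs)
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 10 ] && return 0
  [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
  [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
  return 1
}

# build_tailscale_up ROUTE [ROUTE...] -> prints the command line for an openwrt
# subnet router (netfilter off, accept-routes on), or fails on a bad route
build_tailscale_up() {
  routes=
  for r in "$@"; do
    is_rfc1918 "$r" || { echo "refusing non-private or malformed route: $r" >&2; return 1; }
    routes="${routes:+$routes,}$r"
  done
  [ -n "$routes" ] || { echo "no routes given" >&2; return 1; }
  printf 'tailscale up --advertise-routes=%s --accept-routes=true --netfilter-mode=off\n' "$routes"
}

# check_prereqs: run on the router; reports the nft packages and ip forwarding
check_prereqs() {
  rc=0
  for pkg in iptables-nft ip6tables-nft; do
    opkg list-installed 2>/dev/null | grep -q "^$pkg " || { echo "missing package: $pkg"; rc=1; }
  done
  [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = 1 ] || { echo "net.ipv4.ip_forward is not enabled"; rc=1; }
  return $rc
}

# usage: sh this.sh 10.10.0.0/24
[ $# -gt 0 ] && build_tailscale_up "$@"
```

on the router, run check_prereqs first; if it reports a missing package, install it with opkg as above and restart tailscale before bringing the routes up.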
opnsense userspace operational nit
there’s an issue with the NAT traversal on the opnsense (zenith) that requires an outbound NAT rule to be installed for LAN source traffic. anything coming from the announced routes at an opnsense site needs to be NAT’d to the tailscale interface.
this manifested itself as asymmetry in the traffic handling. the far end (openwrt) saw the correct src-address for an incoming ping, but the icmp reply wasn’t making its way back to the originating opnsense-connected host.
firewall > NAT > outbound
define the following rule:
- interface: tailscale
- src-addr: lan net
- src-port: *
- dst-addr: *
- dst-port: *
- NAT address: tailscale address
this pfsense video had the goods re: the complementary outbound NAT requirements.
meta
- tags: 2024, TIL, vpn, routing, tailscale, opnsense, openwrt
- location: duluth, mn
- weather: nice