Tailscale on EdgeRouter

https://tky.io/2020/11/running-tailscale-on-a-ubiquiti-edgerouter/

https://github.com/jamesog/tailscale-edgeos

The GitHub link shows how to configure the repository and set up a script to reinstall Tailscale after a firmware upgrade (normally, firmware upgrades wipe out any third-party software you’ve installed).

Running the “tailscale up” command is similar to any other Linux system, except you’ll use at least the advertise-routes option so that remote Tailscale devices can reach your router’s LAN. I advertise 192.168.20.0/23 even though the LAN is a /24: the /23 is less specific than the directly connected /24, so under longest-prefix matching a Tailscale device that is also plugged into the LAN keeps preferring its local route. The advertise-exit-node option lets you use your router as a proxy for internet traffic when you’re on a device in a remote location.

tailscale up --advertise-routes 192.168.20.0/23 --advertise-exit-node

Authenticate the device using the link provided (or pass --authkey tskey-XXX with a key generated at https://login.tailscale.com/admin/authkeys). The advertised route and the exit node also have to be approved on the Tailscale machines page before they take effect.
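To make the route-preference point concrete, here is an added Python example (not from the original post) that applies ordinary longest-prefix matching to a constructed routing table for a device that is plugged into the 192.168.20.0/24 LAN and also runs Tailscale with the EdgeRouter’s advertised route installed. Interface names and the REMOTE table are assumptions.

```python
"""Why advertising 192.168.20.0/23 does not hijack a device's own LAN route.

Added example, not from the original post. Applies longest-prefix matching
to constructed routing tables; interface names are assumptions.
"""
import ipaddress

# Device at home: on the LAN and on the tailnet at the same time.
ON_LAN = [
    ("192.168.20.0/24", "eth0"),        # directly connected LAN
    ("192.168.20.0/23", "tailscale0"),  # subnet route advertised by the EdgeRouter
    ("100.64.0.0/10", "tailscale0"),    # Tailscale's own address range
    ("0.0.0.0/0", "eth0"),              # default route
]

# Same device away from home: no directly connected LAN route.
REMOTE = [
    ("192.168.20.0/23", "tailscale0"),
    ("100.64.0.0/10", "tailscale0"),
    ("0.0.0.0/0", "wlan0"),             # e.g. hotel wifi
]


def matching_routes(dest, routes):
    """All (network, iface) entries whose prefix contains dest, most specific first."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(p), i) for p, i in routes]
    hits = [(n, i) for n, i in hits if addr in n]
    return sorted(hits, key=lambda ni: ni[0].prefixlen, reverse=True)


def select_route(dest, routes):
    """Longest-prefix match: the most specific containing prefix wins."""
    hits = matching_routes(dest, routes)
    return hits[0][1] if hits else None


def is_ambiguous(dest, routes):
    """True when the two best routes tie on prefix length.

    Then specificity no longer decides and the outcome depends on route
    priority/metric; advertising a /23 instead of the LAN's /24 avoids this.
    """
    hits = matching_routes(dest, routes)
    return len(hits) > 1 and hits[0][0].prefixlen == hits[1][0].prefixlen


if __name__ == "__main__":
    print(select_route("192.168.20.50", ON_LAN))   # eth0: the local /24 wins
    print(select_route("192.168.20.50", REMOTE))   # tailscale0: only the /23 matches
    # If the router advertised the LAN's exact /24 instead, the routes would tie:
    exact = [(p, i) if p != "192.168.20.0/23" else ("192.168.20.0/24", i) for p, i in ON_LAN]
    print(is_ambiguous("192.168.20.50", exact))    # True
```

Note the side effect of the wider prefix: an address in the other half of the /23 (192.168.21.x) is routed over Tailscale even while the device sits on the LAN, which is harmless as long as nothing lives there.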

Now, to let LAN devices that don’t have the client installed reach Tailscale devices, NAT rules need to be set up. SSH into the router, enter configure mode, run these commands, then commit and save.

router# set service nat rule 5012 description Tailscale
router# set service nat rule 5012 outbound-interface tailscale0
router# set service nat rule 5012 protocol all
router# set service nat rule 5012 type masquerade

Communication should now be possible between a LAN-connected device (without Tailscale installed) and another device running Tailscale.

Aside from Tailscale’s built-in DNS, I have the EdgeRouter performing DNS for LAN and remote devices. I first updated my remote devices’ static-host-mappings to their new Tailscale IPs:

set system static-host-mapping host-name [device.domain.com.] inet [100.x.y.z]

Then, to allow remote Tailscale devices to use the EdgeRouter’s DNS server, tell the router to listen for DNS requests on the Tailscale interface:

set service dns forwarding listen-on tailscale0

In the Tailscale settings (https://login.tailscale.com/admin/dns), add a custom nameserver, set the IP to the EdgeRouter’s Tailscale IP, then enable the Override local DNS option.

Alternatively, set the EdgeRouter to do split DNS for the internal domain only and add NextDNS (with your account ID) as the global nameserver. This should make regular internet DNS queries faster, and the logs in NextDNS show the device name (queries are also sent over DNS over HTTPS).

If you’re using dnsmasq, LAN clients can also resolve MagicDNS names by adding this option to the router’s config (replace the ts.net domain with the one specific to your Tailscale network):

set service dns forwarding options server=/tail***.ts.net/100.100.100.100
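How dnsmasq picks an upstream from server= lines like the one above (and from the split-DNS setup mentioned earlier), as an added Python example that is not from the post or from dnsmasq itself: it mirrors the documented rule that the most specific matching domain wins and that a plain server=addr is the default upstream. The option list is constructed and the tailnet domain is a placeholder.

```python
"""Which upstream a set of dnsmasq `server=` options sends a query to.

Added example, not from the original post or from dnsmasq. Mirrors the
documented selection rule: among `server=/domain/addr` entries whose domain
equals the query name or is a parent of it, the longest domain wins; a plain
`server=addr` is the default; `server=/domain/` with no address means the
query is answered locally and never forwarded. Options below are constructed.
"""
import re

OPTIONS = [
    "server=/tail0000.ts.net/100.100.100.100",  # MagicDNS names -> Tailscale resolver (placeholder tailnet)
    "server=/ts.net/10.0.0.53",                 # hypothetical, less specific than the line above
    "server=/lan.example/",                     # no address: never forwarded
    "server=1.1.1.1",                           # default upstream for everything else
]

_SERVER_RE = re.compile(r"^server=((?:/[^/]*)*/)?([^/]*)$")


def parse_server_options(options):
    """Return (domain_rules, default_upstreams).

    domain_rules maps a lower-case domain to an upstream address, or to None
    when the option carries no address (dnsmasq's --local behaviour).
    """
    rules, defaults = {}, []
    for opt in options:
        m = _SERVER_RE.match(opt.strip())
        if not m:
            raise ValueError(f"not a server option: {opt!r}")
        domains, addr = m.group(1), m.group(2) or None
        if domains is None:
            if addr:
                defaults.append(addr)
            continue
        for dom in filter(None, domains.split("/")):
            rules[dom.lower().rstrip(".")] = addr
    return rules, defaults


def upstream_for(qname, rules, defaults):
    """Upstream addresses dnsmasq would try for qname ([] = not forwarded)."""
    name = qname.lower().rstrip(".")
    best = None
    for dom in rules:
        # A rule matches the domain itself or any sub-domain (label boundary).
        if name == dom or name.endswith("." + dom):
            if best is None or len(dom) > len(best):
                best = dom
    if best is not None:
        return [rules[best]] if rules[best] else []
    return list(defaults)


def dnsmasq_upstream(qname, options=OPTIONS):
    rules, defaults = parse_server_options(options)
    return upstream_for(qname, rules, defaults)


if __name__ == "__main__":
    for q in ("pc1.tail0000.ts.net", "other.ts.net", "nas.lan.example", "www.example.com"):
        print(q, "->", dnsmasq_upstream(q))
```

The label-boundary check matters: a name such as fakets.net ends with the characters ts.net but is not a sub-domain of it, so it goes to the default upstream, exactly as dnsmasq does.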

So far, Tailscale has been very slick, powerful, and easy to use. The remote Linux servers are also pulling the DNS config so they can access my LAN devices by name. The only downside I see is that the client uses a ton of RAM, at least compared to ZeroTier, which is a problem on the EdgeRouter X with 256MB RAM and other apps like NextDNS (which leaks memory and brings the router to a crawl until the service is restarted).

Tasks:  94 total,   1 running,  63 sleeping,   0 stopped,   1 zombie
%Cpu(s):  9.6 us, 24.6 sy,  0.0 ni, 59.0 id,  6.2 wa,  0.0 hi,  0.6 si,  0.0 st
KiB Mem :   253192 total,     7660 free,   167764 used,    77768 buff/cache
KiB Swap:        0 total,        0 free,        0 used.    36416 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
27776 www-data  20   0   92296  10344   1840 S  43.3  4.1   0:24.21 python
   71 root       0 -20       0      0      0 S  26.4  0.0 150:56.71 loop8
 3829 www-data  20   0   21488  12700   1536 S   9.1  5.0  28:10.23 lighttpd
   36 root      20   0       0      0      0 S   4.9  0.0  34:25.55 kswapd0
29382 root      20   0  171272   9736   1396 S   4.9  3.8  16:05.43 ubnt-util
27783 root      20   0  619928  24124   2556 S   4.2  9.5   0:22.05 tailscaled
28086 chris     20   0    6996   1472    924 R   2.6  0.6   0:01.85 top
  169 root      20   0    4012    236      0 S   1.3  0.1   2:08.33 cron
 3446 Debian-+  20   0   22848  11884    428 S   1.3  4.7 282:05.23 snmpd
  572 root      20   0   21408    788    372 S   0.7  0.3   7:59.13 ubnt-cfgd
  822 chris     20   0   10288    656      0 S   0.7  0.3   0:23.94 systemd
22441 root      20   0  670192  17976   1500 S   0.7  7.1  12:19.77 nextdns
    7 root      20   0       0      0      0 S   0.3  0.0  43:25.87 ksoftirqd/0
    8 root      20   0       0      0      0 I   0.3  0.0  82:49.20 rcu_sched
   14 root      20   0       0      0      0 S   0.3  0.0 473:08.40 ksoftirqd/1
  868 zerotie+  20   0   20444   6388      0 S   0.3  2.5   2673:43 zerotier-one
 2157 chris     20   0   12712    832     84 S   0.3  0.3   0:10.60 sshd
23928 dnsmasq   20   0    8304    992    532 S   0.3  0.4   0:22.87 dnsmasq
24889 root      20   0       0      0      0 I   0.3  0.0   0:04.46 kworker/2:2

Issues installing updates

The EdgeRouter’s root certificate store hasn’t been updated, which means that you’ll get an error when trying to install updates to the Tailscale package using apt:

chris@R1# sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages will be upgraded:
tailscale
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.7 MB of archives.
After this operation, 13.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Err:1 https://pkgs.tailscale.com/stable/debian stretch/main mipsel tailscale mipsel 1.56.1
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Failed to fetch https://dl.tailscale.com/stable/tailscale_1.56.1_mipsel.deb server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?

The right way to fix this is to update the certificates: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d#answer/729d58df-f538-4d46-8432-2d90a45820b2

chris@R1:~$ sudo -i
root@R1:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@R1:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@R1:~# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
125 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
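Two checks around the fix above, as an added Python example (standard library only; not from the post or from the forum answer). The first reproduces the ca-certificates.conf edit and lists what update-ca-certificates will still install. The second computes a PEM certificate’s SHA-256 fingerprint so that the root fetched with curl -sk (which skips certificate verification) can be compared with the fingerprint Let’s Encrypt publishes before it becomes a trust anchor, and check_tls confirms that the rebuilt bundle validates pkgs.tailscale.com. The conf excerpt is constructed and the expected fingerprint is a placeholder to be filled in from the CA’s site.

```python
"""Added example, not from the original post or the Ubiquiti forum answer.

Standard-library helpers around the root-store fix:
  * disable_cert / enabled_certs mirror the ca-certificates.conf edit
    (a leading '!' tells update-ca-certificates to skip that certificate);
  * pem_sha256_fingerprint / fingerprint_matches hash a PEM certificate's
    DER encoding so a root fetched with `curl -k` can be checked against the
    CA's published fingerprint before it is trusted;
  * check_tls confirms a rebuilt bundle validates a real host (needs network).
"""
import base64
import hashlib
import re
import socket
import ssl

# Constructed excerpt of /etc/ca-certificates.conf for the demo.
SAMPLE_CONF = """\
# Lines starting with '!' are deselected; '#' lines are comments.
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Global_Root_CA.crt
mozilla/ISRG_Root_X1.crt
"""

# Placeholder: copy the published SHA-256 fingerprint from https://letsencrypt.org/certificates/
EXPECTED_ISRG_ROOT_X1_SHA256 = "PASTE-PUBLISHED-FINGERPRINT-HERE"


def disable_cert(conf_text, cert_path):
    """Prefix the line equal to cert_path with '!'; idempotent like the sed above."""
    lines = [("!" + l if l == cert_path else l) for l in conf_text.splitlines()]
    return "\n".join(lines) + "\n"


def enabled_certs(conf_text):
    """Certificate paths update-ca-certificates would still install."""
    return [l for l in conf_text.splitlines() if l and not l.startswith(("#", "!"))]


def pem_to_der(pem_text):
    """Decode the first PEM certificate block to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def pem_sha256_fingerprint(pem_text):
    """SHA-256 fingerprint in openssl's AA:BB:... form (hash of the DER bytes)."""
    hexdigest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 64, 2))


def fingerprint_matches(pem_text, expected):
    """Compare fingerprints ignoring case and colons (copy-paste friendly)."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(pem_sha256_fingerprint(pem_text)) == norm(expected)


def check_tls(host, cafile, port=443, timeout=5.0):
    """Live check: does the bundle at cafile validate the chain served by host?"""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


if __name__ == "__main__":
    fixed = disable_cert(SAMPLE_CONF, "mozilla/DST_Root_CA_X3.crt")
    print(enabled_certs(fixed))
    # Before running update-ca-certificates, verify the downloaded root:
    #   with open("/usr/local/share/ca-certificates/ISRG_Root_X1.crt") as f:
    #       assert fingerprint_matches(f.read(), EXPECTED_ISRG_ROOT_X1_SHA256)
    # Afterwards: check_tls("pkgs.tailscale.com", "/etc/ssl/certs/ca-certificates.crt")
```

Running check_tls against the bundle before and after update-ca-certificates --fresh gives a direct confirmation that apt’s failure was the stale root store and that the fix took.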

Then run the update:

chris@R1:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages will be upgraded:
tailscale
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 27.7 MB of archives.
After this operation, 13.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 https://pkgs.tailscale.com/stable/debian stretch/main mipsel tailscale mipsel 1.56.1 [27.7 MB]
Fetched 27.7 MB in 14s (1944 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 37103 files and directories currently installed.)
Preparing to unpack .../tailscale_1.56.1_mipsel.deb ...
Unpacking tailscale (1.56.1) over (1.54.0) ...
Setting up tailscale (1.56.1) ...
chris@R1:~$