
Unable to route towards/over tailscale from UDM LAN (UDM Pro v3.0.20) #61

Open
FearNaBoinne opened this issue Jun 8, 2023 · 3 comments

Comments

@FearNaBoinne

FearNaBoinne commented Jun 8, 2023

UDM Pro, running OS v3.0.20 (Kernel 4.19.152 SMP)
Installed Tailscale with install script

Configured with:
#tailscale up --advertise-routes=10.10.0.0/23,10.10.2.0/24 --advertise-exit-node --advertise-tags=tag:udmpro --accept-routes

#tailscale ip -4
100.105.87.25

Issue:
Cannot ping local IP nor any other IPs.

'traceroute -n 100.105.87.25' goes to WAN port and the next hop router, then dies.
'traceroute -n 10.10.9.5' (10.10.9.0/24 is an advertised LAN behind another tailscale router) goes to WAN port and the next hop router, then dies.

Obviously the UDM Pro does NOT see the tailscale network, and thus has no idea how to route across the tailscale connection...

@FearNaBoinne (Author)

Based on Discussion #51, I was able to get the daemon up and running in TUN mode, and now I can:

  • ping remote tailscale IPs and the networks behind them from the UDM Pro shell,
  • ping the local tailscale IP from my hosts,
  • not ping the remote tailscale IPs from my hosts, let alone the networks behind them.

@midzelis

midzelis commented Jul 3, 2023

@FearNaBoinne FWIW, I also had the same problem as you, but I figured it out. Leaving my comments here, as it took me a very long time to figure out, and hopefully it can help others.

First off, you absolutely need ip rule add priority 5225 fwmark 0x80000 lookup 201 but you knew that already. And remove --tun userspace-networking from the tailscaled options.

Then, do tailscale up --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE this is the vital step. Also, using an exit node like this will temporarily knock your UDM off the internet, so it is VITAL that you don't forget --exit-node-allow-lan-access or you'll be in a world of pain trying to recover your UDM, probably via factory reset if you don't have a console cable.

tailscale puts its routes in table 52 (ip route show table 52)
you'll need to remove the default route, and if you are doing any sort of split networking (https://github.com/peacey/split-vpn) then also remove the subnet from the throw route. (if using split-vpn script, be sure to add a route to the exit node before running the updown.sh script.)

All put together

cat /etc/default/tailscaled
# Set the port to listen on for incoming VPN packets.
# Remote nodes will automatically be informed about the new port number,
# but you might want to configure this in order to set external firewall
# settings.
PORT="41641"

# Extra flags you might want to pass to tailscaled.
#FLAGS="--state /data/tailscale/tailscaled.state --tun userspace-networking"
FLAGS="--socket /var/run/tailscale/tailscaled.sock --state /data/tailscale/tailscaled.state"
ip rule add priority 5225 fwmark 0x80000 lookup 201
tailscale up  --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE
root@McDreamy:~# ip route show table 52
default dev tailscale0
throw 10.142.142.0/24
throw 10.200.200.0/24
throw my.private.ip.x/19
100.73.228.78 dev tailscale0
100.74.64.31 dev tailscale0
100.78.144.20 dev tailscale0
100.85.37.93 dev tailscale0
100.85.138.75 dev tailscale0
100.88.44.129 dev tailscale0
100.95.34.38 dev tailscale0
100.97.182.33 dev tailscale0
100.100.100.100 dev tailscale0
100.113.129.93 dev tailscale0
100.115.181.22 dev tailscale0
100.116.76.85 dev tailscale0
100.122.47.9 dev tailscale0
100.125.112.79 dev tailscale0
throw 127.0.0.0/8
throw 192.168.4.0/24
throw 192.168.99.0/24
ip route del default dev tailscale0 table 52
ip route del throw 192.168.3.0/24 table 52

and you're good to go.

Btw, apparently 'exit node' is not just a simple routing rule. It appears that the exit node is saved into a preference file, and uploaded to the control plane. I wasn't able to make this work by NOT running it in --exit-mode.

Note - instead of exit node, you could try to just advertise default routes --advertise-routes=0.0.0.0/0 but I haven't tried this.

Now, after all that work, I might not use tailscale after all because a tailscale node can't act as both an exit node and use an exit node. :-( Probably going to end up using straight wireguard.
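
The steps above (add the fwmark rule, then strip the default route and the LAN throw route from table 52) are easy to get wrong on a box that loses its uplink the moment a route is mistaken. The following script is an added example, not code from either commenter or from the tailscale project: it turns those steps into a dry-run planner that reads a dump of `ip rule show` and `ip route show table 52` and prints the commands that would still need to be run, so they can be reviewed before being applied on the UDM. The sample rule and route dumps are constructed for the example (addresses are made up; the rule priorities 5210/5230/5250/5270 are the ones tailscaled installs on Linux, and 5225/table 201 is the rule from the comment above); the assumed LAN subnet 192.168.3.0/24 is the one in the comment.

```shell
#!/bin/sh
# Dry-run planner for the table-52 fixup described in the issue comment.
# Nothing here touches the live routing table; it only prints commands.

# Constructed sample of `ip rule show` output BEFORE the 5225 rule is added.
# Format approximates iproute2 ("prio: selector action"); values are made up.
SAMPLE_RULES='0: from all lookup local
5210: from all fwmark 0x80000 lookup main
5230: from all fwmark 0x80000 lookup default
5250: from all fwmark 0x80000 unreachable
5270: from all lookup 52
32766: from all lookup main'

# Constructed sample of `ip route show table 52`, shaped like the dump above.
SAMPLE_TABLE52='default dev tailscale0
throw 10.142.142.0/24
throw 192.168.3.0/24
100.73.228.78 dev tailscale0
100.100.100.100 dev tailscale0
throw 127.0.0.0/8'

# has_fwmark_rule RULE_DUMP
# Returns 0 when the rule "fwmark 0x80000 lookup 201" is already present.
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -q 'fwmark 0x80000 lookup 201'
}

# plan_table52_cleanup TABLE52_DUMP LAN_CIDR
# Prints the `ip route del` commands needed to drop the default route and
# the throw route for LAN_CIDR from table 52. Other entries are left alone.
plan_table52_cleanup() {
    dump=$1
    lan=$2
    printf '%s\n' "$dump" | while IFS= read -r line; do
        case $line in
            "default dev tailscale0")
                echo "ip route del default dev tailscale0 table 52" ;;
            "throw $lan")
                echo "ip route del throw $lan table 52" ;;
        esac
    done
}

# plan_fixup RULE_DUMP TABLE52_DUMP LAN_CIDR
# Full plan: add the fwmark rule only if missing, then the route removals.
plan_fixup() {
    if ! has_fwmark_rule "$1"; then
        echo "ip rule add priority 5225 fwmark 0x80000 lookup 201"
    fi
    plan_table52_cleanup "$2" "$3"
}

# Usage on a live UDM (assumed LAN 192.168.3.0/24), review the output first:
#   plan_fixup "$(ip rule show)" "$(ip route show table 52)" 192.168.3.0/24
# Demo against the constructed samples:
plan_fixup "$SAMPLE_RULES" "$SAMPLE_TABLE52" 192.168.3.0/24
```

Running it on the samples prints the three commands from the comment (the rule add, the default-route delete and the throw-route delete). Re-running after those have been applied prints nothing, which is a quick way to confirm the fixup stuck across a tailscaled restart, since tailscaled rewrites table 52 and its rules when it comes up.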

@FearNaBoinne (Author)

FearNaBoinne commented Jul 16, 2023

tailscale up --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE

My UDM Pro is my exit-node, but when I used its name in the --exit-node parameter, it tells me invalid value "YOUR_EXIT_NODE" for --exit-node; must be IP or unique node name
(Using its IP tells me no node found in netmap with IP 1.2.3.4)
