How to Set Up Tailscale on OpenWrt

  • Post author:WunderTech
  • Post last modified:May 10, 2024
  • Post category:OpenWrt
  • Reading time:8 mins read

Share what you're reading!

In this tutorial, we will look at how to set up Tailscale on OpenWrt.

Tailscale is a zero-configuration VPN, which means that without any port forwarding, you’ll be able to access all the devices on your local network. Running Tailscale in OpenWrt is a great option as it’ll be running on your router and you won’t have to dedicate a secondary device to it.

Tailscale is a great option for really anyone, though there are some users who have a CGNAT where using Tailscale is necessary for VPN connectivity.

How to Set Up Tailscale on OpenWrt

We will look at how to set up Tailscale on OpenWrt below.

1. In my opinion, the easiest way to get Tailscale working on OpenWrt is by utilizing SSH. SSH into OpenWrt using your favorite SSH client or by running the command below in Windows PowerShell or the MacOS Terminal.

ssh root@[OPENWRT_IP]

2. Run the commands below to update and install Tailscale, as well as start the service.

opkg update
opkg install tailscale
opkg install iptables-nft
/etc/init.d/tailscale start

3. After Tailscale is fully installed (it will take a few minutes), run the commands below to enable, start, and bring up the Tailscale tunnel.

NOTE: If you would like to advertise a local subnet (so that you can access it from outside of your local network), add the advertise routes section below with the subnet that you’d like to use.

If you’d like to advertise an exit node (explained in a later step for a full-tunnel VPN), you must use the exit node section below.

tailscale up --netfilter-mode=off --advertise-routes=[SUBNET] --advertise-exit-node
tailscale up command.

4. After running this command, an authentication URL will be displayed. Copy this URL and paste it into a web browser, then log in to Tailscale.

accessing the webpage to connect tailscale.

5. After navigating to the webpage and logging in, select Connect to connect OpenWrt to your Tailscale account.

connecting openwrt to tailscale. How to Set Up Tailscale on OpenWrt.

6. Tailscale should now be configured! You can move on to the next step to configure the local subnets/exit node.

Exit Node/Subnet Routes

If you set up Tailscale as an Exit Node, the Exit Node can be used as a full-tunnel VPN. The image below shows what a full-tunnel vs split-tunnel VPN is, but the important point is that all traffic will be routed through Tailscale if you use an exit node.

Therefore, if you’re on public Wi-Fi, it’s probably a good idea to use this feature as you’ll be tunneling all traffic through Tailscale (thus, securing the connection).

showing how a split-tunnel vpn routes only local traffic to the network while a full tunnel routes everything.

A few things must be configured to set this an exit node in Tailscale:

1. On the Tailscale website, select Machines, then the three ellipses next to your OpenWrt system, then Edit Route Settings.

tailscale machine page.

3. If you want to use a full-tunnel VPN, enable the subnet route and use as exit node. This will configure a full-tunnel VPN.

If you only want to use a split-tunnel VPN (meaning only being able to access the subnet in the screenshot below), select that option, but do not select the “use as exit node” option.

subnet/exit node settings in tailscale.

Before moving on, there are additional changes that must be made and there’s a great article on Reddit that explains how to do it. MAKE SURE you add this information in OpenWrt if you’d like to utilize an exit node.

4. If you want to use an exit node, select Use Exit Node (on whatever application you’re using) and change the exit node to the Docker machine.

If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you’re able to connect to your local devices.

NOTE: The screenshot below uses pfSense, but it’ll be the same for your OPNsense configuration.

forcing the android tailscale app to use the exit node.

5. Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.

Conclusion & Final Thoughts

This tutorial looked at how to set up Tailscale on OpenWrt. Tailscale is slightly more confusing to set up on OpenWrt than other operating systems, but it’s still one of the easiest and fastest ways of setting up a VPN server on OPNsense.

It is important to note that this isn’t a traditional VPN the way that OpenVPN or WireGuard is, but it’s the fastest way to access your local network and doesn’t require any port forwarding.

Thanks for checking out the tutorial on how to set up Tailscale on OpenWrt. If you have any questions on how to set up Tailscale on OpenWrt, please leave them in the comments!


Frank is an IT professional with 14+ years experience and the creator of WunderTech. He focuses on sharing his experience with others on computer hardware, servers, software, networking, and self-hosted apps. He has a BS in Computer Information Systems and an MBA. Learn more about Frank in his bio.