In this tutorial, we will look at how to set up Tailscale on OpenWrt.
Tailscale is a zero-configuration VPN, which means that without any port forwarding, you’ll be able to access all the devices on your local network. Running Tailscale in OpenWrt is a great option as it’ll be running on your router and you won’t have to dedicate a secondary device to it.
Tailscale is a great option for really anyone, though there are some users who have a CGNAT where using Tailscale is necessary for VPN connectivity.
How to Set Up Tailscale on OpenWrt
We will look at how to set up Tailscale on OpenWrt below.
1. In my opinion, the easiest way to get Tailscale working on OpenWrt is by utilizing SSH. SSH into OpenWrt using your favorite SSH client or by running the command below in Windows PowerShell or the MacOS Terminal.
ssh root@[OPENWRT_IP]2. Run the commands below to update and install Tailscale, as well as start the service.
opkg update
opkg install tailscale
opkg install iptables-nft
/etc/init.d/tailscale start3. After Tailscale is fully installed (it will take a few minutes), run the commands below to enable, start, and bring up the Tailscale tunnel.
NOTE: If you would like to advertise a local subnet (so that you can access it from outside of your local network), add the advertise routes section below with the subnet that you’d like to use.
If you’d like to advertise an exit node (explained in a later step for a full-tunnel VPN), you must use the exit node section below.
tailscale up --netfilter-mode=off --advertise-routes=[SUBNET] --advertise-exit-node
4. After running this command, an authentication URL will be displayed. Copy this URL and paste it into a web browser, then log in to Tailscale.
5. After navigating to the webpage and logging in, select Connect to connect OpenWrt to your Tailscale account.
6. Tailscale should now be configured! You can move on to the next step to configure the local subnets/exit node.
Exit Node/Subnet Routes
If you set up Tailscale as an Exit Node, the Exit Node can be used as a full-tunnel VPN. The image below shows what a full-tunnel vs split-tunnel VPN is, but the important point is that all traffic will be routed through Tailscale if you use an exit node.
Therefore, if you’re on public Wi-Fi, it’s probably a good idea to use this feature as you’ll be tunneling all traffic through Tailscale (thus, securing the connection).
A few things must be configured to set this an exit node in Tailscale:
1. On the Tailscale website, select Machines, then the three ellipses next to your OpenWrt system, then Edit Route Settings.
3. If you want to use a full-tunnel VPN, enable the subnet route and use as exit node. This will configure a full-tunnel VPN.
If you only want to use a split-tunnel VPN (meaning only being able to access the 192.168.100.0/24 subnet in the screenshot below), select that option, but do not select the “use as exit node” option.
Before moving on, there are additional changes that must be made and there’s a great article on Reddit that explains how to do it. MAKE SURE you add this information in OpenWrt if you’d like to utilize an exit node.
4. If you want to use an exit node, select Use Exit Node (on whatever application you’re using) and change the exit node to the Docker machine.
If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you’re able to connect to your local devices.
NOTE: The screenshot below uses pfSense, but it’ll be the same for your OPNsense configuration.
5. Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.
Conclusion & Final Thoughts
This tutorial looked at how to set up Tailscale on OpenWrt. Tailscale is slightly more confusing to set up on OpenWrt than other operating systems, but it’s still one of the easiest and fastest ways of setting up a VPN server on OPNsense.
It is important to note that this isn’t a traditional VPN the way that OpenVPN or WireGuard is, but it’s the fastest way to access your local network and doesn’t require any port forwarding.
Thanks for checking out the tutorial on how to set up Tailscale on OpenWrt. If you have any questions on how to set up Tailscale on OpenWrt, please leave them in the comments!
