Tailscale network

Routes

Advertise routes on node:

tailscale set --advertise-routes=192.168.223.20/32,192.168.223.21/32

This route advertisement must be approved in the Headscale UI!

All other nodes need to accept the routes advertised by other nodes:

sudo tailscale set --accept-routes

Show advertised routes:

tailscale debug prefs

Subnet router

In cases where you can't install Tailscale on every device on your physical network, you can set up a subnet router to access these devices from your tailnet. Subnet routers respect features like access control policies.

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
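
A pre-flight check for the two procedures above (advertising routes and enabling forwarding), added here as an example and not part of the original page or of Tailscale/Headscale. It validates a route list in the format passed to `--advertise-routes`, flags prefixes broader than an assumed local policy, and reads the forwarding state the sysctl lines are meant to set; `MIN_PREFIX` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. MIN_PREFIX and all function
# names are hypothetical; the threshold is an assumed local policy.
MIN_PREFIX=${MIN_PREFIX:-24}   # reject IPv4 routes broader than this

# check_route CIDR: 0 = acceptable, 1 = malformed, 2 = broader than policy
check_route() {
    addr=${1%/*}; len=${1#*/}
    [ "$addr/$len" = "$1" ] || return 1           # exactly one "addr/len" split
    case $len in ''|*[!0-9]*) return 1 ;; esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    [ "$len" -le 32 ] 2>/dev/null || return 1
    save_ifs=$IFS; IFS=.
    set -- $addr                                  # split the address into octets
    IFS=$save_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    [ "$len" -ge "$MIN_PREFIX" ] || return 2      # e.g. 0.0.0.0/0 or a /16
}

# check_route_list "cidr,cidr,...": one verdict per route, non-zero if any fails
check_route_list() {
    [ -n "$1" ] || return 1
    rc=0; list_ifs=$IFS; IFS=,
    for route in $1; do
        IFS=$list_ifs
        st=0; check_route "$route" || st=$?
        case $st in
            0) echo "ok        $route" ;;
            2) echo "too broad $route"; rc=1 ;;
            *) echo "malformed $route"; rc=1 ;;
        esac
    done
    IFS=$list_ifs
    return $rc
}

# forwarding_enabled [ROOT]: 0 only if IPv4 and IPv6 forwarding both read 1
forwarding_enabled() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/net/ipv4/ip_forward" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$root/net/ipv6/conf/all/forwarding" 2>/dev/null)" = 1 ]
}

check_route_list "192.168.223.20/32,192.168.223.21/32"   # routes from this page
forwarding_enabled || echo "IP forwarding is not enabled for IPv4 and IPv6" >&2
```

Running the list check before `tailscale set --advertise-routes=...` gives the person approving the route in Headscale a narrow, already-reviewed prefix list.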

nftables

This commit adds nftable rule injection for tailscaled. If tailscaled is started with envknob TS_DEBUG_USE_NETLINK_NFTABLES = true, the router will use nftables to manage firewall rules.