Tailscale network
Routes
Show details including routes:
tailscale status --json
Advertise
Show advertised routes by current node:
tailscale debug prefs | jq .AdvertiseRoutes
Advertise routes on node:
tailscale set --advertise-routes=192.168.223.20/32,192.168.223.21/32
This route advertisement must be approved in the Headscale UI! In addition, all other nodes need to accept routes advertised by other nodes (see below).
Accept
Show whether the client is accepting routes advertised by other nodes:
tailscale debug prefs | jq .RouteAll
Accept all routes advertised by other nodes:
sudo tailscale set --accept-routes
Show advertised routes by peers:
tailscale status --json \
| jq '.Peer[] | "\(.HostName) \((.PrimaryRoutes // ["-"])[])"' | sort
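Because --accept-routes accepts every route peers advertise, it helps to check the peer routes against the subnets this client is actually expected to reach. The following is an added example, not part of the original notes: it reads the same .Peer[].HostName and .PrimaryRoutes fields as the jq command above. The sample JSON, the peer names and the EXPECTED list are constructed assumptions.

```python
import ipaddress
import json
import sys

# Constructed sample shaped like `tailscale status --json`
# (only the fields used by the jq command above are included).
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop"},
    "Peer": {
        "nodekey:aaaa": {"HostName": "gw1",
                         "PrimaryRoutes": ["192.168.223.20/32", "192.168.223.21/32"]},
        "nodekey:bbbb": {"HostName": "lab", "PrimaryRoutes": ["10.0.0.0/8"]},
        "nodekey:cccc": {"HostName": "phone"},  # peer without subnet routes
    },
})

# Assumption: subnets this client is expected to reach via subnet routers.
EXPECTED = ["192.168.223.0/24"]


def peer_routes(status_json):
    """Return sorted (hostname, network) pairs from .Peer[].PrimaryRoutes."""
    status = json.loads(status_json)
    pairs = []
    for peer in (status.get("Peer") or {}).values():
        for route in peer.get("PrimaryRoutes") or []:
            net = ipaddress.ip_network(route, strict=False)
            pairs.append((peer.get("HostName", "?"), net))
    return sorted(pairs, key=lambda p: (p[0], str(p[1])))


def unexpected_routes(status_json, expected=EXPECTED):
    """Return (hostname, route) pairs not contained in any expected subnet."""
    allowed = [ipaddress.ip_network(n) for n in expected]
    flagged = []
    for host, net in peer_routes(status_json):
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            flagged.append((host, str(net)))
    return flagged


if __name__ == "__main__":
    # Optional argument: a file holding saved `tailscale status --json` output.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    for host, route in unexpected_routes(raw):
        print(f"review before accepting: {host} advertises {route}")
```

With the constructed sample, only the 10.0.0.0/8 route from "lab" is reported; the two /32 routes fall inside the expected /24.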
Subnet router
In cases where you can't install Tailscale on every device on your physical network, you can set up a subnet router to access these devices from your tailnet. Subnet routers respect features like access control policies.
Enable IP forwarding on the subnet router node:
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
nftables
This commit adds nftable rule injection for tailscaled. If tailscaled is started with envknob
TS_DEBUG_USE_NETLINK_NFTABLES = true, the router will use nftables to manage firewall rules.