Tailscale

Tailscale creates a virtual network between hosts. It can be used as a simple mechanism to allow remote administration without port forwarding or even be configured to allow peers in your virtual network to proxy traffic through connected devices as an ad-hoc vpn.

You can read more about how Tailscale works here.

opkg update
opkg install tailscale

After installing Tailscale, run the command below and finish device registration by pasting the given link into a web browser and authenticating via a supported method:

tailscale up

Once registered, device connectivity can be seen by using the “status” command:

tailscale status

Create a new unmanaged interface via LuCI: Network → Interfaces → Add new interface

• Name: tailscale
• Protocol: Unmanaged
• Device: tailscale0

Create a new firewall zone via LuCI: Network → Firewall → Zones → Add

• Name: tailscale
• Input: ACCEPT (default)
• Output: ACCEPT (default)
• Forward: ACCEPT
• Masquerading: on
• MSS Clamping: on
• Covered networks: tailscale
• Allow forward to destination zones: Select your LAN (and/or other internal zones or WAN if you plan on using this device as an exit node)
• Allow forward from source zones: Select your LAN (and/or other internal zones or leave it blank if you do not want to route LAN traffic to other tailscale hosts)

Click Save & Apply

OpenWrt 22.03 and later, use nftables (superseding iptables) as a backend to firewall4. Tailscale is unable to configure nftables automatically and this prevents the tailscale daemon from initializing properly and forwarding traffic.

A workaround for this issue has been applied to the master branch. If you're unable or unwilling to run an image built from the master branch, the following steps can be used as a manual workaround on 22.03.x Credit: aricade, csrutil, youngt2:

Install iptables-nft

opkg install iptables-nft

Restart the daemon

service tailscale restart

When starting Tailscale, you must prevent iptables rules from being created with the --netfilter-mode=off flag. This setting will be preserved in /etc/tailscale/tailscaled.state for future boots.

tailscale up --netfilter-mode=off

Complete the setup as usual

In order to get tailscale to cooperate well with LuCI, you will need to create a new managed interface and firewall zone for tailscale.

1. Create a new unmanaged interface via LuCI: Network → Interfaces → Add new interface

• Name: tailscale
• Protocol: Unmanaged
• Device: tailscale0

2. Create a new firewall zone via LuCI: Network → Firewall → Zones → Add

• Name: tailscale
• Input: ACCEPT (default)
• Output: ACCEPT (default)
• Forward: ACCEPT
• Masquerading: on
• MSS Clamping: on
• Covered networks: tailscale
• Allow forward to destination zones: Ensure that your WAN zone is selected. (Add LAN here as well if you intend to allow hosts in your tailscale network to connect to hosts on your LAN)
• Allow forward from source zones: Select your LAN and/or other internal zones (Leave this blank if you do not want to route LAN traffic to hosts on your tailscale network, e.g a WAN-only exit node)

3. Click Save & Apply

4. Restart tailscale and add the routes you want to advertise to peers using the --advertise-routes option with a comma separated list of network addresses and CIDRs.

tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24

You can also also use --advertise-exit-node node here to offer both subnet routes and a WAN gateway to your tailscale network:

tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24 --advertise-exit-node

5. Open the Machines page in the Tailscale admin interface. Once you've found the machine from the ellipsis icon menu, open the Edit route settings.. panel, and approve exported routes and or enable the Use as exit node option.

6. Devices on either subnet should be able to route traffic over the VPN. If you've configured this device to be an exit node, it should now be selectable from your tailscale apps as an Exit Node. You can test connectivity with tools like ping or traceroute.

Tailscale cannot be installed on devices with 16MB or less of flash memory because the package and its dependencies consume too much space. Until the day that there is a separate “tailscale-lite” build, your best bet is to compile (or cross-compile) it yourself from upstream sources and use the multicall binary build target. To reduce the filesize further, you can strip debugging symbols and run the resulting binary through a packer, like upx. As of 1.32.3, this will result in nearly a 90% reduction in size (from ~46MB to ~4.8MB).

Instead of running the optimized binaries directly, it is recommend that you repack the tailscale.ipk, and tailscaled.ipk packages with the smaller optimized binaries. This will let you benefit from OpenWrt conventions like init scripts, opkg installation receipts, etc, keeping your installation sane and consistent while still being able to use the smaller binaries.

If your device has only 16MB of flash or less, you will need to share the multicall binary between both of the tailscale and tailscaled packages. To do this, stub out the large /usr/sbin/tailscale{d} binaries contained within these packages, install them, manually copy the optimized binary to the device, and then replace the stubs with symlinks. More detailed instructions on how to do this are below.

The official Tailscale small binary build guide is here:

• https://tailscale.com/kb/1207/small-tailscale/

Tips:

• upx 3.96 produces broken mips binaries, use the latest version. Upx can handle all executable formats, so you don't need to run it under the target architecture.
• You can shave off an additional MB or so with strip --strip-all. This strips even more than when using go build ldflags. Look for the binutils package of your target architecture. For my MIPS target, on Linux that was binutils-mips-linux-gnu, on macOS the same MacPorts package is called mips-elf-binutils.
• You should reset your git checkout of Tailscale to a tagged stable release to ensure compatibility with the OpenWrt package you're repacking. This also makes troubleshooting easier on yourself in the future and is best practice.
• Be very careful when repacking your .ipk not to include leading paths. An absolute path in the root of the package will produce an unusable .ipk.
• Don't forget to symlink /usr/sbin/talescale.combined to /usr/sbin/tailscale and /usr/sbin/tailscaled.
• If installing on 22.03, don't forget to apply the work arounds listed earlier on this page.
• On slow devices, upx packed executables may appear to hang at first when you run them but this is normal; higher startup time for lower storage costs.
• It's a good idea to check that your tailscale.combined actually runs on your target architecture with a simple ./tailscaled --version on the target device before going to the trouble of repacking.

Other useful links:

• https://zyfdegh.github.io/post/202002-go-compile-for-mips/
• https://serverfault.com/questions/163487/how-to-tell-if-a-linux-system-is-big-endian-or-little-endian/749469#749469

Shell history on macOS where I built tailscale from source for a big endian mips target:

sudo port install go mips-elf-binutils upx
git clone https://github.com/tailscale/tailscale.git
cd tailscale
git checkout tags/v1.32.3 -b v1.32.3
env GOOS=linux GOARCH=mips GOMIPS=softfloat go build -o tailscale.combined -tags ts_include_cli -trimpath -ldflags="-s -w" ./cmd/tailscaled
/opt/local/bin/mips-elf-strip --strip-all tailscaled.combined
upx --lzma --best tailscaled.combined # (v3.96 has deadlock bug)

The steps below were performed on Debian Linux. I repacked the OpenWrt .ipk for the tailscale and tailscaled packages and replaced the large binaries with small stub scripts that always return true. I did this so that the pre/post scripts will run successfully and the opkg database at /usr/lib/opkg will be consistent. The packages were installed manually and stub files deleted post installation. The multicall binary was then uploaded and symlinks created.

# convenience variables
package=tailscaled_1.32.3-1_mips_24kc.ipk
release=22.03.3
arch=mips_24kc

# download .ipk
wget https://downloads.openwrt.org/releases/${release}/packages/${arch}/packages/${package}
mkdir ${package%%.ipk}
pushd ${package%%.ipk}
tar -xvf ../${package}

# data
mkdir data
pushd data
tar -xvf ../data.tar.gz
echo -e '#!/bin/sh\ntrue\n' > usr/sbin/${package%%_*}
tar --numeric-owner --group=0 --owner=0 -czf ../data.tar.gz *
popd
size=$(du -sb data | awk '{ print $1 }')
rm -rf data

# control
mkdir control
pushd control
tar -xvf ../control.tar.gz
sed -i "s/^Installed-Size.*/Installed-Size: ${size}/g" control
tar --numeric-owner --group=0 --owner=0 -czf ../control.tar.gz *
popd
rm -rf control

# repack .ipk
tar --numeric-owner --group=0 --owner=0 -cvzf ../${package} debian-binary data.tar.gz control.tar.gz
popd

Repeat this repack process for both tailscaled and tailscale packages. You should now have two repacked packages similar to tailscale_1.32.3-1_mips_24kc.ipk and tailscaled_1.32.3-1_mips_24kc.ipk. Copy these files to /tmp on your device. You'll have to do this from OpenWrt as an sftp server is not included with dropbear/OpenWrt.

# copy files
scp remote:/tmp/tailscale.combined /tmp
scp remote:/tmp/tailscaled_1.32.3-1_mips_24kc.ipk /tmp
scp remote:/tmp/tailscale_1.32.3-1_mips_24kc.ipk /tmp

# install repacked packages
opkg install /tmp/tailscaled_1.32.3-1_mips_24kc.ipk
opkg install /tmp/tailscale_1.32.3-1_mips_24kc.ipk

# remove stubs and link multicall binary
rm /usr/sbin/tailscaled
rm /usr/sbin/tailscale
cd /usr/sbin
cp /tmp/tailscale.combined .
ln -s tailscale.combined tailscaled
ln -s tailscale.combined tailscale

# verify
tailscale --version
tailscaled --version

You're now ready to continue to openwrt_2203_issue.