Deploying TAILSCALE as an Alternative to ZEROTIER on OpenWRT


OpenWRT: Deploying TAILSCALE as an Alternative to ZEROTIER, by Rabbit Dad’s Grocery Store

During the pandemic lockdown, many people need to reach devices at a remote site. In the domestic network environment, the SD-WAN offerings from Dandelion and iKuai either give you a free but narrow pipe or require you to buy bandwidth. The commonly used free ZEROTIER runs over UDP and, in our experience, gets throttled by ISP QoS and does not stay reliable for long. Reverse-proxy tools such as FRP require paying for and maintaining a cloud server. Eventually we found TAILSCALE, a service built on WIREGUARD: it is not hard to deploy, is a drop-in replacement for ZEROTIER, and is free and stable. After a few days of use it has been excellent. (Note that WIREGUARD also runs over UDP, so the transport protocol alone does not explain the difference; what TAILSCALE adds is NAT traversal and, when no direct UDP path can be established, a fallback through its DERP relay servers over HTTPS.) The official TAILSCALE client documentation covers the common platforms but notably lacks OpenWRT. This document records the deployment process and the pitfalls encountered.


1. Installing TAILSCALE on OpenWRT

The OpenWRT package feeds already include TAILSCALE, so it can be selected during firmware compilation (under “Network -> VPN -> tailscale”) or installed afterwards through the LuCI web interface or with opkg; the TAILSCALE and TAILSCALED packages must both be installed. Below only the configuration on the OpenWRT side is recorded.

tailscale up # Bring the node up (the tailscaled daemon must already be running; start it via its init script if the command cannot connect). On success a device login link is printed


Click the HTTPS link or paste it into a browser. If you are already registered and logged in to TAILSCALE, the OpenWRT device then appears as online in the admin console. Next, set TAILSCALE to start automatically on boot.

/etc/init.d/tailscale enable # Enable start on boot
ls /etc/rc.d/S*tailscale* # Verify that the startup symlink was created


The third step is to add a new network interface on OpenWRT and assign it to a firewall zone. The interface name is arbitrary. Under “Basic Settings” choose the “Static address” protocol and enter the IPv4 and IPv6 addresses that the TAILSCALE admin console allocated to this node. TAILSCALE allocates IPv4 addresses from the CGNAT block 100.64.0.0/10, so the accurate netmask is 255.192.0.0; the 255.0.0.0 used in this walkthrough also works, but it claims the whole of 100.0.0.0/8 for the interface. Under “Physical Settings” tick the “tailscale0” adapter, and under “Firewall Settings” add the interface to a zone. We add it to the LAN zone here; bear in mind that this gives every peer in the tailnet the same access to the router (SSH, LuCI) and to the LAN as a wired client has, so on a tailnet shared with other people a dedicated zone with explicit forwarding rules, or TAILSCALE ACLs, is the safer choice.


The fourth step is to add custom firewall rules (the “Custom Rules” tab, which is /etc/firewall.user on firewall3-based releases) and then restart the firewall. On OpenWRT 22.03 and later the firewall is fw4 on nftables, where /etc/firewall.user and iptables rules are no longer applied; there, put equivalent nft rules under /etc/nftables.d/ or, better, express the same policy as zone and forwarding entries in /etc/config/firewall. The iptables version is:

iptables -I FORWARD -i tailscale0 -j ACCEPT # forward traffic arriving from the tailnet (to any interface, WAN included)
iptables -I FORWARD -o tailscale0 -j ACCEPT # forward traffic leaving towards the tailnet
iptables -t nat -I POSTROUTING -o tailscale0 -j MASQUERADE # LAN clients reach peers using the router's TAILSCALE address as source

After completing the above steps, devices behind the OpenWRT router can ping remote TAILSCALE nodes. Note that the first rule also forwards tailnet traffic out of the WAN interface; if the router should not act as an internet gateway for its peers, restrict that rule to the LAN bridge (-o br-lan on a default configuration).

2. Configuring External Access to OpenWRT Internal Devices

TAILSCALE supports subnet routes, so that remote devices can reach the LAN devices behind the OpenWRT node. In the OpenWRT SSH command line, enter:

tailscale up --accept-routes --advertise-routes=X.X.X.X/24 # X.X.X.X/24 is the LAN segment behind the OpenWRT device

The second step is to find the OpenWRT device in the TAILSCALE admin console and approve the advertised subnet route.


Once the route is approved, remote devices can reach every device in the OpenWRT node's LAN by its LAN IP address.

It is important to note that the domestic online tutorials omit the --accept-routes flag in their subnet-routing instructions. Be precise about where the flag is needed: advertised subnet routes are accepted automatically on Windows, macOS, iOS and Android clients, but a Linux client only uses them when it runs tailscale up with --accept-routes; on the OpenWRT node itself the flag only matters if it should also use routes advertised by other nodes. Also, tailscale up refuses to change settings unless every non-default flag is repeated, so later runs must give the full flag set (or use --reset).
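To tie sections 1 and 2 together, here is an added example (not code from the original page or from the Tailscale project) that reproduces the interface, firewall and subnet-router steps as a POSIX shell script for the OpenWRT command line. It assumes OpenWRT 21.02 or newer (the interface uses option device rather than the older ifname), a LAN interface named lan, and the stock tailscale CLI; the zone name tailscale, the rule name, and the choice to admit only TCP 22 and 443 from the tailnet to the router are the example's own. Instead of placing tailscale0 in the LAN zone, it creates a dedicated zone whose masq option plays the role of the MASQUERADE rule and whose forwarding entries only connect the tailnet with the LAN, and it derives the advertised route from the router's own LAN address instead of a hand-typed X.X.X.X/24.

```shell
#!/bin/sh
# Added example (not from the original page): OpenWRT interface + firewall zone
# + subnet-router setup for Tailscale as a UCI batch. Assumes OpenWRT 21.02 or
# newer ('device' rather than 'ifname'), a LAN interface named 'lan' and the
# stock 'tailscale' CLI. Usage on the router: sh tailscale-setup.sh apply

# dotted-quad IPv4 -> 32-bit integer, rejecting malformed input.
# The body is a subshell so the IFS change does not leak out.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # no empties, junk, leading zeros
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Tailscale assigns node IPv4 addresses from the CGNAT block 100.64.0.0/10,
# so the interface netmask is 255.192.0.0 (/10), not 255.0.0.0.
in_cgnat() {
    n=$(ip_to_int "$1") || return 1
    [ $(( n & 4290772992 )) -eq 1681915904 ]   # (n & /10 mask) == 100.64.0.0
}

# dotted netmask -> prefix length; refuses non-contiguous masks such as 255.0.255.0.
mask_to_prefix() {
    m=$(ip_to_int "$1") || return 1
    p=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        p=$(( p + 1 )); m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || return 1
    echo "$p"
}

# Route to advertise, derived from the router's LAN address and mask instead of
# typed by hand: 192.168.1.1 + 255.255.255.0 -> 192.168.1.0/24
lan_cidr() {
    n=$(ip_to_int "$1") || return 1
    m=$(ip_to_int "$2") || return 1
    p=$(mask_to_prefix "$2") || return 1
    a=$(( n & m ))
    echo "$(( a >> 24 )).$(( (a >> 16) & 255 )).$(( (a >> 8) & 255 )).$(( a & 255 ))/$p"
}

# UCI batch for the interface and a dedicated firewall zone. Unlike adding
# tailscale0 to 'lan', this forwards only tailnet<->LAN (never towards 'wan')
# and admits only SSH and LuCI to the router itself from tailnet peers.
# 'masq' on the zone is the POSTROUTING MASQUERADE rule for tailscale0.
gen_uci_batch() {
    in_cgnat "$1" || { echo "not a Tailscale address: $1" >&2; return 1; }
    cat <<EOF
set network.tailscale=interface
set network.tailscale.proto='static'
set network.tailscale.device='tailscale0'
set network.tailscale.ipaddr='$1'
set network.tailscale.netmask='255.192.0.0'
add firewall zone
set firewall.@zone[-1].name='tailscale'
set firewall.@zone[-1].network='tailscale'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='ACCEPT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='1'
add firewall forwarding
set firewall.@forwarding[-1].src='tailscale'
set firewall.@forwarding[-1].dest='lan'
add firewall forwarding
set firewall.@forwarding[-1].src='lan'
set firewall.@forwarding[-1].dest='tailscale'
add firewall rule
set firewall.@rule[-1].name='Allow-SSH-LuCI-from-tailnet'
set firewall.@rule[-1].src='tailscale'
set firewall.@rule[-1].proto='tcp'
set firewall.@rule[-1].dest_port='22 443'
set firewall.@rule[-1].target='ACCEPT'
commit network
commit firewall
EOF
}

apply_config() {
    ip=$(tailscale ip -4) || { echo "log in with 'tailscale up' first" >&2; return 1; }
    gen_uci_batch "$ip" | uci batch
    /etc/init.d/network reload && /etc/init.d/firewall reload
    route=$(lan_cidr "$(uci get network.lan.ipaddr)" "$(uci get network.lan.netmask)") || return 1
    # Section 2: the CLI refuses to change settings unless every non-default
    # flag is repeated, so both flags are given together on every run.
    tailscale up --accept-routes --advertise-routes="$route"
    echo "advertised $route: approve it in the admin console; 'sysctl net.ipv4.ip_forward' must print 1"
}

case "${1-}" in apply) apply_config ;; esac
```

Run it as sh tailscale-setup.sh apply on the router after tailscale up has succeeded once; without the argument it only defines the functions, so the generated batch can be inspected with gen_uci_batch before anything is committed. Because the policy is expressed as zone, forwarding and rule entries in /etc/config/firewall rather than raw iptables, the same configuration works on both firewall3 and fw4 (nftables) releases.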

Finally, here is the speed of reaching the home TAILSCALE node from a Unicom line, across ISPs, during peak hours. The latency is still quite decent, thanks to the WIREGUARD data plane underneath.
