Tailscale version
1.18.2 on Linux (Amazon Linux 2)
1.12.3 on MacOS
I have scanned the forums and found that most people get subnet routing working easily, but I am stuck in a very early stage.
I have an Amazon ec2 tailscale node that I want to advertise the 172.20.10.0/24 space (including itself at 172.20.10.182)
I have done the following steps on the Amazon ec2 instance that I want to be a subnet router:
- `sudo tailscale up --advertise-tags=tag:central-infra --authkey=REDACTED --advertise-routes=172.20.10.0/24`
- ensured that my Amazon instance has net.ipv6.conf.all.forwarding = 1
- ensured that my Amazon instance has sysctl net.ipv4.ip_forward = 1
- ensured that my Amazon instance does not do “Source / destination check”
- accepted the route from the Admin console’s Machine Settings to advertise 172.20.10.0/24
- set up two processes on this node at ports 9000 and 9999 (nginx and a simple `ls -l | nc -l 9999` respectively)
- validated that my Mac can reach the Amazon node via the Tailscale IPs (`curl 100.106.77.78:9000` and `nc 100.106.77.78 9999`) to make sure I don’t have an ACL blocking me
On my Mac, I have tailscale version 1.12.3. I am in an internal IP of 192.168.etc.
The documentation says “Clients on Windows, macOS, iOS, and Android will automatically pick up your new subnet routes”.
On my Mac (as written above) I have been able to curl and netcat the Tailscale IP.
But any `curl 172.20.10.182:9000` or `nc 172.10.182 9999` on the routed IP address just freezes.
I am mostly naive when it comes to networking and have been a bit in the dark with how to debug at this point. Some basic questions:
- Is there any way for me to see from my client tailscale (my Mac laptop) that advertised routes are available to me? Facilely, as this is the limit of my networking knowledge, I have run `traceroute 172.20.10.182`:

  ```
  traceroute to 172.20.10.182 (172.20.10.182), 64 hops max, 52 byte packets
   1  192.168.1.1 (192.168.1.1)  12.473 ms  2.354 ms  5.470 ms
   2  96.120.68.145 (96.120.68.145)  15.111 ms  11.586 ms  12.212 ms
  ```

  which is the limit of my debugging (pinging just gives me request timeouts).
- I have seen some hints at Enable IP forwarding on Linux · Tailscale that I may need to futz around with the firewall (generically, `firewall-cmd --permanent --add-masquerade`). If this is something I should pursue, does anyone have a definitive set of commands I can run, as I consider `iptables` a dark art?
- I have run various permutations of `--snat-subnet-routes=false` but feel this is me just trying things arbitrarily.
- Are there any other common gotchas with AWS VPCs that might be affecting my ability to see anything?
Thanks for your time,
daniel
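One way to answer the first question (whether the client actually knows a peer that routes 172.20.10.0/24) is to read the peers’ `AllowedIPs` from `tailscale status --json`. This is an added example, not code from the post or from Tailscale; the JSON below is a constructed sample with placeholder hostnames and keys, and the check assumes only the `Peer` map with `HostName` and `AllowedIPs` fields.

```python
import ipaddress
import json
import subprocess

# Constructed sample modelled on `tailscale status --json`; only the fields
# this check reads are included. Hostnames and node keys are placeholders.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "my-mac", "TailscaleIPs": ["100.101.102.103"]},
    "Peer": {
        "nodekey:ec2placeholder": {
            "HostName": "ec2-central-infra",
            "TailscaleIPs": ["100.106.77.78"],
            # The /24 appears here only once the route is approved and
            # delivered to this client; its absence is the first thing to check.
            "AllowedIPs": ["100.106.77.78/32", "172.20.10.0/24"],
            "Online": True,
        },
        "nodekey:phoneplaceholder": {
            "HostName": "phone",
            "TailscaleIPs": ["100.64.0.9"],
            "AllowedIPs": ["100.64.0.9/32"],
            "Online": False,
        },
    },
})


def peers_covering(status_json: str, dest: str) -> list[tuple[str, str]]:
    """Return (hostname, prefix) pairs whose AllowedIPs contain dest,
    most specific prefix first; empty if no peer routes dest."""
    addr = ipaddress.ip_address(dest)
    hits = []
    for peer in json.loads(status_json).get("Peer", {}).values():
        for cidr in peer.get("AllowedIPs", []):
            if addr in ipaddress.ip_network(cidr, strict=False):
                hits.append((peer["HostName"], cidr))
    # Longest prefix first, mirroring how the routing table would choose
    hits.sort(key=lambda h: ipaddress.ip_network(h[1], strict=False).prefixlen,
              reverse=True)
    return hits


def live_status() -> str:
    """Read the real status from the local tailscale CLI (needs tailscale installed)."""
    return subprocess.check_output(["tailscale", "status", "--json"], text=True)


if __name__ == "__main__":
    for target in ("172.20.10.182", "100.106.77.78", "192.168.1.10"):
        print(target, peers_covering(SAMPLE_STATUS, target)
              or "no tailscale peer routes this address")
```

If the real output lists no peer with the /24, the client never received the route and the firewall or SNAT flags on the router are not yet the problem; if it does, the next place to look is the router side (forwarding and masquerading).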