I understand that if I have a machine running the tailscale client, a device running the tailscale client can access ‘dumb’ devices on my LAN via a subnet router.
What I can’t find is if it’s possible to do the reverse. My specific example is I have a TV away from home that I would like to be able to access my home LAN. I thought I could achieve this using a laptop with tailscale setup as a subnet router and make the tv connect to it and route back that way.
I’ve tried various things and got nowhere (this is all Windows btw)
I thought I’d got close with this scenario:
Laptop A is in home network (Site A), running as an exit node. (home lan is 192.168.68.0/24)
Laptop B is at the remote site (Site B). Network here is 192.168.8.0/24. I tried doing various things with windows hotspot but it doesn’t give any control over dhcp settings. So what I’ve now tried is adding a second wireless adapter to the laptop and then using a travel router setup as 10.11.12.1. The travel router is not connected to the internet - purely being used as an AP.
I’ve set a static IP on Laptop B’s second wifi of 10.11.12.2 and then configured the travel router’s DHCP to set the default gateway to be this (10.11.12.2). Laptop B is running some router software (qBik Wingate).
If I then connect another device to the travel router (Device C) I get a 10.11.12.x IP and also have internet access (and to confirm Wingate is doing its job, if I stop it then Device C loses internet as expected so I’m happy that part of things is working correctly).
I can then tell Laptop B to use Laptop A as an exit node and if I do a whatismyip from laptop B, I get the correct public IP from the home network.
If I do a whatismyip on Device C, I get the public IP from site B, so it’s not using the tunnel.
WinGate just uses the same routes as configured in Windows so I don’t have to (and can’t) change any routing within WinGate
Is what I’m trying to do even possible? Should I just rip it up and setup pfsense at both sites or similar instead?
You didn’t mention what os is running on both laptops. With Linux this is quite straightforward. You need to add a route on the client needing access to the remote site with the tailscale node as the next hop. Of course the tailscale node must be configured to forward traffic.
It’s all Windows (10 and 11).
One thing I fundamentally don’t know and isn’t clear to me from the docs is, am I supposed to be adding router software (Wingate in my case) to the ‘proxy’ laptop or does tailscale do that itself when I configure it as a subnet router?
If Linux can do it, I might try creating a Linux VM on laptop B instead and use that as the subnet router and see if I have any more luck.
Just feels like this is way too complicated and I’m missing something obvious
I just checked what Wingate basic functionalities are and yes it provides what Linux can do natively. Basically, a computer is not supposed to accept traffic from another computer to transfer to a third one. Furthermore, traffic is limited to a subnet in which a computer lies. What you want is both, send traffic for a host on another subnet to computer which is supposed to forward it and keep track of these packets to be able to dispatch the replies to the correct destinations.
In other terms, tou are looking for a router. A want to communicate with X through B and optionally Y. A and B are on the same subnet. B and X are able to communicate directly or through Y. A <—> B <—> Y <—> X.
A without Tailscale
B and Y with Tailscale
X without Tailscale
B and Y must be:
OS Level: configured to accept traffic for another subnet and forward it (nat) . In Linux it is called masquerading.
Application Level: configured (Tailscale) to play the router role.
A and X must know where (to which computer) traffic needs to be sent in order to reach each other. An « ip route » must be configured.
Ah thanks,
So until now I just had Laptop A (home LAN) running as an exit node.
Laptop B (remote site) advertising as a subnet router, running wingate (to make it a router) and then configured it to use exit node of Laptop A. I assumed anything hitting it would then be routed to the exit node automatically but clearly that isn’t the case.
I’ll try switching off exit nodes completely, setting up the subnet router (not sure which end this needs to be so I’ll do it on both laptop A and B), have wingate setup on both of them and then put in a static route of 0.0.0.0/255 on laptop B to laptop A then in theory anything using laptop b as its gateway should get routed automatically to laptop A (I think)