I am very excitedly setting up Tailscale to enable my local security camera system (NVR) to FTP images to an FTP server in the cloud.
I have the network “working”, but since I’m a bit of a networking noob, I am hoping that someone here can confirm that I’ve set this up correctly. Here’s what I did. Is it correct?
- I followed the Tailscale instructions to set up the Tailscale network, and install the Tailscale client on several linux servers.
- I confirmed that I could ping those servers from each other.
- I then set up a Raspberry Pi running Ubuntu on my local network. I installed the Tailscale client as a subnet router on the Pi. I started the client in subnet router mode, advertising my LAN addresses.
- I went through the remaining instructions to get the subnet router working, and was able to ping my LAN from the Tailscale VPN.
- However, I was unable to ping servers on the Tailscale VPN from my LAN. After thinking this through, I realized that my local devices were routing their packets to my cable company gateway, and this gateway knew nothing about the Tailscale VPN!
- So, I added an explicit route in my cable company router. This rule routes any packets addressed in the range used by Tailscale (i.e., 100.64.0.0/10) to the local IP of my subnet router.
- It works! I can now ping servers on the Tailscale VPN from any device on my LAN!
As a networking novice, I’m unsure if I did the setup correctly, or if there is a better way. For example, I am thinking that I could have configured my security cam NVR to route to the Tailscale VPN directly rather than modify the cable router route table. This would, I believe, limit the traffic that can find its way from my LAN onto the VPN. I might experiment a bit with my NVR settings to see if I can get this to work.
So…my questions are:
- Did I set up the subnet router correctly, and in the best way?
- Are there any security considerations I need to think about? (I realize that I need to think about whether I want any device on my VPN to be able to address all devices on my LAN.)
- I understand that all traffic on the VPN is encrypted. So, unsecured FTP from my NVR to an FTP server on Digital Ocean or AWS over my VPN will be encrypted once the traffic passes through the subnet gateway. Correct? I understand that the FTP traffic from the NVR to the subnet gateway on my LAN is unprotected.
Thanks in advance for your comments/suggestions!
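An added example, not part of the original post, putting the two route placements the poster compares side by side: the subnet-router commands from Tailscale's own documentation as run on the Pi, the narrower alternative of adding the 100.64.0.0/10 route on the NVR itself instead of on the cable router, a small check of which destination addresses that route actually captures, and a tailnet ACL that restricts what may cross the subnet router. The LAN range, the Pi's and NVR's LAN addresses, the FTP server's tailnet name and its passive port range are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Tailscale).
# Assumed values, not taken from the post:
LAN_CIDR="192.168.1.0/24"   # LAN range the Pi advertises
PI_LAN_IP="192.168.1.10"    # Pi's LAN address = next hop for the static route
NVR_LAN_IP="192.168.1.20"   # NVR's LAN address (the only LAN host that needs the VPN)
FTP_PASSIVE_PORTS="50000-50100"   # passive range configured on the FTP server
TS_CIDR="100.64.0.0/10"     # Tailscale's address range (CGNAT space)
set -eu

# Return success if the dotted-quad IPv4 address in $1 falls inside
# 100.64.0.0/10, i.e. the static route (on the cable router or on the NVR)
# would send it to the Pi.  /10 means: first octet 100, second octet 64..127.
in_tailscale_range() {
  _ip=$1
  _oldifs=$IFS
  IFS=.
  set -- $_ip            # split into function-local $1..$4
  IFS=$_oldifs
  [ "$#" -eq 4 ] || return 1
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Commands for the Pi (the subnet router), as in the Tailscale docs.  They are
# printed rather than executed so the script can be read without root or
# Tailscale installed; the advertised route must still be approved in the
# Tailscale admin console before traffic flows.
pi_subnet_router_cmds() {
  cat <<EOF
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
sudo tailscale up --advertise-routes=$LAN_CIDR
EOF
}

# The narrower alternative the poster considers: add the route on the NVR
# (assumed to be Linux with iproute2) instead of on the cable router, so only
# that one LAN host knows a path onto the tailnet.
nvr_static_route_cmd() {
  printf 'sudo ip route add %s via %s\n' "$TS_CIDR" "$PI_LAN_IP"
}

# Tailnet ACL (HuJSON policy file) that answers the "can every VPN device reach
# every LAN device" question: once any ACL is present the tailnet is
# default-deny, and this single rule lets only the NVR initiate FTP to the
# server; nothing on the tailnet may initiate connections into the LAN.
tailnet_acl_example() {
  cat <<EOF
{
  "acls": [
    {
      "action": "accept",
      "src": ["$NVR_LAN_IP"],
      "dst": ["ftp-server:21,$FTP_PASSIVE_PORTS"]
    }
  ]
}
EOF
}

# Stand-alone run: show what would be configured where.
if [ "${1:-show}" = "show" ]; then
  echo "# On the Pi:";  pi_subnet_router_cmds
  echo "# On the NVR (instead of the cable router):"; nvr_static_route_cmd
  echo "# Tailnet policy:"; tailnet_acl_example
fi
```

Run with no arguments to print the three pieces; `in_tailscale_range 100.101.102.103` returns success while `in_tailscale_range 192.168.1.5` and `in_tailscale_range 100.128.0.1` do not, which is a quick way to confirm the route covers the tailnet addresses your servers were assigned and nothing else. The ACL's `src` is the NVR's LAN address because subnet-routed traffic keeps its source IP; the FTP server's passive port range has to be pinned in the server's configuration for the `dst` list to be enforceable.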