Did I set up bi-directional subnet correctly?

I am very excitedly setting up Tailscale to enable my local security camera system (NVR) to FTP images to an FTP server in the cloud.

I have the network “working”, but since I’m a bit of a networking noob, I am hoping that someone here can confirm that I’ve set this up correctly. Here’s what I did. Is it correct?

  • I followed the Tailscale instructions to set up the Tailscale network, and install the Tailscale client on several Linux servers.
  • I confirmed that I could ping those servers from each other.
  • I then set up a Raspberry Pi running Ubuntu on my local network. I installed the Tailscale client as a subnet router on the Pi. I started the client in subnet router mode, advertising my LAN addresses.
  • I went through the remaining instructions to get the subnet router working, and was able to ping my LAN from the Tailscale VPN.
  • However, I was unable to ping servers on the Tailscale VPN from my LAN. After thinking this through, I realized that my local devices were routing their packets to my cable company gateway, and this gateway knew nothing about the Tailscale VPN!
  • So, I added an explicit route in my cable company router. This rule routes any packets addressed in the range used by Tailscale (i.e., 100.64.0.0/10) to the local IP of my subnet router.
  • It works! I can now ping servers on the Tailscale VPN from any device on my LAN!

As a networking novice, I’m unsure if I did the setup correctly, or if there is a better way. For example, I am thinking that I could have configured my security cam NVR to route to the Tailscale VPN directly rather than modify the cable router route table. This would, I believe, limit the traffic that can find its way from my LAN onto the VPN. I might experiment a bit with my NVR settings to see if I can get this to work.

So…my questions are:

  • Did I set up the subnet router, correctly, in the best way?
  • Are there any security considerations I need to think about? (I realize that I need to think about whether I want any device on my VPN to be able to address all devices on my LAN.)
  • I understand that all traffic on the VPN is encrypted. So, unsecured FTP from my NVR to an FTP server on Digital Ocean or AWS over my VPN will be encrypted once the traffic passes through the subnet gateway. Correct? I understand that the FTP traffic from the NVR to the subnet gateway on my LAN is unprotected.

Thanks in advance for your comments/suggestions!

Hello.

I think you have a good grasp of things. How you have it set up is a good solution, with the caveats that you’ve mentioned.

You can use ACLs to restrict access through a subnet router as well.
If you remove the default “Allow anyone anywhere” ACL, you can specify only the connections you want to have. So if only 100.x.y.z should have only FTP access to your LAN resource at 192.168.1.100 you can add a line:

[{"Action": "accept", "src": ["100.x.y.z"], "dst": ["192.168.1.100:21"],},],

Likewise, you can explicitly allow LAN IPs to access tailnet resources. If it’s not listed in your ACL, then it’s deny by default.

That will help with some of your security concerns.
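A fuller policy in the same style, covering the direction the original question actually needs (the NVR on the LAN pushing images to an FTP server on the tailnet), written here as an added example and not part of Jay's reply. The NVR address 192.168.1.50, the FTP server's tailnet address 100.101.102.103 and the passive-mode port range 50000-50100 are placeholders; Tailscale reads the policy as HuJSON, so the comments and trailing commas are accepted.

```jsonc
{
  // The default "accept from * to *:*" rule has been removed, so anything
  // not listed below is denied. Traffic from 192.168.1.0/24 reaches the
  // tailnet through the subnet router, and the LAN source address is what
  // the ACL matches on.
  "acls": [
    // The NVR (placeholder 192.168.1.50) may open the FTP control
    // connection to the cloud FTP server (placeholder 100.101.102.103).
    {
      "action": "accept",
      "src": ["192.168.1.50"],
      "dst": ["100.101.102.103:21"],
    },
    // Passive-mode FTP opens a second, server-chosen data port per transfer.
    // With only port 21 allowed, logins succeed but uploads stall, so the
    // server's configured passive range (placeholder 50000-50100) is
    // allowed as well. Keep this range as small as the server permits.
    {
      "action": "accept",
      "src": ["192.168.1.50"],
      "dst": ["100.101.102.103:50000-50100"],
    },
    // Tailnet devices you administer from keep SSH access to the LAN;
    // the rest of the LAN is not reachable from the tailnet at all.
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["192.168.1.0/24:22"],
    },
  ],
}
```

Before removing the default rule, confirm from the admin console that the subnet route is approved and that at least one device you administer from is still covered by a rule, otherwise you lock yourself out of the LAN side.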

Thanks, Jay!

I haven’t learned about how to use the ACLs yet, but they are definitely on the “must-do” list. At the moment I only have a couple of test servers on the VPN, but I eventually plan to add my main servers, PCs, laptops, etc. Before I do that, I want to give some thought to who should access what.

So far, I have been very pleased with Tailscale. It has been super-easy to set up, even for this noob. Everything seems to just work which is how it should be. 🙂

That’s what we’re shooting for! If it doesn’t just work, let us know - support@tailscale.com