Experience from a Tailscale install on a Raspberry Pi as a subnet router

Hi,

I just wanted to record my experience so far with a Tailscale install on an RPi 4B, prior to doing the same on a Pi 3.

Hopefully it will help the less network-savvy folks that want to try it, like me. I am good at following instructions but I really don’t know what is happening underneath (and if all you want is the end result that is all that really matters). So this is a pretty low-tech explanation, but hopefully all in one place (for primarily Windows users). It assumes you know how to use SSH (Putty) and WinSCP.

Feel free to correct any misunderstandings I might have, that will help others too.

My main purpose for this install is to configure a headless RPi to act as a subnet router to an ASUS RT-AX86U Router I want to access some 9000 km away. I have been using Wireguard and a (bought) static IP (set up on that Asus Router) to get past CGNAT limitations (ISP) for VPNs. The RT-AX86U does not have a Tailscale option (even in Merlin FW which I use), but some folks have installed it using a somewhat complicated method, at least one which is beyond me.

My understanding is that by installing Tailscale on the Pi and configuring it as a subnet router, the subnet Router (the Pi) can join my “tailnet” and I can then essentially access that remote router, whose network the Pi is physically attached to (via Ethernet cable; or even Wifi).

1. INSTALL THE IMAGE TO THE SD CARD:

In the install instructions, Tailscale talk about installing ‘raspbian’ but when you look for that OS for the Pi, this site Raspberry Pi OS – Raspberry Pi says it is now called “Raspberry Pi OS” so I installed the Imager from that site on to my Windows PC.

This site Operating system images – Raspberry Pi (which has the images for a manual install to the SD Card) describes 32 bit images, 64 bit images, images with Desktop and Lite images. As my device is to be headless, I just went for Lite, 64bit (Bullseye).

This site Mesh VPN with Raspberry Pi 64-bit and Tailscale. | by Dickson Chow | Medium says “The latency remains the same but the throughput increased by about 44 percent when compared against Raspberry Pi OS 32-bit. What an improvement going to 64-bit!” hence the choice. No idea if it is really that much better or not, not too fussed for now.

The imager SW installs the OS (that you select) to the SD Card. There are also a number of advanced options which you “should” enable (especially your Wifi if using that to connect the Pi to your Wifi network and enabling SSH), which are well described here https://hotkey404.com/advanced-options-of-raspberry-pi-imager/

2. SSH TO THE PI AND INSTALL TAILSCALE:

I had the Pi connected up via HDMI to a monitor but you don’t really need it, as long as you can SSH into the Pi to issue instructions from your Windows machine (I use Putty; see advanced options above). Once connected to the Pi, from the instructions here Download · Tailscale, I ran the “install with one command” line. If you want to manually install it, select the Raspberry Pi OS from the drop down and follow those instructions.

The one line command is this:

curl -fsSL https://tailscale.com/install.sh | sh

If you already have a Raspberry Pi OS on your Pi you can issue these instructions first, to update it according to this site Installing Tailscale to the Raspberry Pi - Pi My Life Up

sudo apt update
sudo apt upgrade

Then issue that one-line instruction above.

3. START TAILSCALE:

As per this page, you then need to ‘start’ Tailscale Download · Tailscale, see step 3

sudo tailscale up

I also got this message, "To authenticate, visit:

https://login.tailscale.com/a/xxxxxxxxxxxxxxx "

Before trying that authenticating line I issued (as per step 4)

tailscale ip -4 

which gives you the IP address for information.

Before running that authenticate line (which is easiest to do from Windows, or even an iOS device), it is probably best to do step 4 below first.

I say this as when I got the “To authenticate” message above, I tried to run https://login.tailscale.com/a/xxxxxxxxxxxxxxx on the Pi (via SSH) but it just threw an error message.

4. SET UP THE PI AS A SUBNET

So, as you are actually trying to set up the Pi as a subnet you need to follow these instructions here Subnet routers and traffic relay nodes · Tailscale
Due to using another website for instructions, it seems I tried to “advertise” the routes first (Step 2), but that was a non-starter. This is what I did that caused the error (FYI):

tailscale up --advertise-routes=192.168.9.0/24
Warning: IP forwarding is disabled, subnet routing/exit nodes will not work.
See https://tailscale.com/s/ip-forwarding
Access denied: prefs write access denied

So there’s a good reason why there is a step 1 and THEN a step 2 :-).

So STEP 1 is “Enable IP Forwarding”; this is dependent on whether you have a specific file in your system. To find this out, I used WinSCP, which for me (a non-Linux person) is like a little file manager for Linux systems. Once installed (and assuming you know the IP address, username and password, all the same as SSH via Putty), you can “navigate” to see if you have the /etc/sysctl.d directory it refers to, then issue the first set of commands in Subnet routers and traffic relay nodes · Tailscale; otherwise issue the second set.

I have no idea about whether the node uses firewalld or not, but I do not need it for my install.
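The “Enable IP Forwarding” step above, written as a small script so it can be re-run safely. This is an added example, not code from the original post or from Tailscale; it follows the two cases the Tailscale docs describe (a drop-in under /etc/sysctl.d if that directory exists, otherwise /etc/sysctl.conf) and assumes it is run as root. The ROOT prefix argument is only there so you can try it against a scratch directory before touching the real system.

```shell
#!/bin/sh
# Added example (not from the original post or Tailscale's own scripts).
# Assumption: run as root on the Pi, e.g.  sudo sh enable-forwarding.sh --apply

# Return the sysctl file to edit: the /etc/sysctl.d drop-in if that directory
# exists, otherwise the single /etc/sysctl.conf (the two cases in the docs).
sysctl_target() {
    root="${1:-}"
    if [ -d "$root/etc/sysctl.d" ]; then
        printf '%s\n' "$root/etc/sysctl.d/99-tailscale.conf"
    else
        printf '%s\n' "$root/etc/sysctl.conf"
    fi
}

# Append "key = 1" unless the key is already set in the file, so running the
# script twice does not pile up duplicate lines the way a bare "tee -a" would.
ensure_sysctl_line() {
    file="$1"; key="$2"
    if [ -f "$file" ] && grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        return 0
    fi
    printf '%s = 1\n' "$key" >> "$file"
}

# Write both forwarding keys and, on a real system, load them immediately.
# Prints the path of the file that was written.
enable_forwarding() {
    root="${1:-}"
    target="$(sysctl_target "$root")"
    ensure_sysctl_line "$target" net.ipv4.ip_forward
    ensure_sysctl_line "$target" net.ipv6.conf.all.forwarding
    if [ -z "$root" ] && command -v sysctl >/dev/null 2>&1; then
        sysctl -p "$target"
    fi
    printf '%s\n' "$target"
}

# Live check of what the kernel is doing right now (0 = off, 1 = on); this is
# what the "IP forwarding is disabled" warning from tailscale is reporting.
forwarding_state() {
    cat "${1:-}/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo unknown
}

if [ "${1:-}" = "--apply" ]; then
    enable_forwarding ""
    echo "ip_forward is now: $(forwarding_state)"
fi
```

After it reports ip_forward is 1, run the advertise command with sudo; both the sysctl write and tailscale up need root, which is what the “prefs write access denied” line in the failed attempt above was saying.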

5. LOGIN TO AUTHENTICATE:

Once I had issued those commands, I then issued https://login.tailscale.com/a/xxxxxxxxxxxxxxx from Windows.

I am not sure if this was out of sequence or not but it works OK.

6. DISABLE KEY EXPIRY:

Assuming you have Tailscale installed on either Windows, iOS or some other device, you should see the various nodes that are part of the tailnet, including the Pi, which should now show up with a blue “subnets” tag below the Machine. As I do not want this key to expire (being headless 9000 km away, and they do so every 6 months), if you select the 3 dots next to the subnet machine you can simply disable key expiry; simple.

Tailscale have very good instructions here: Key Expiry · Tailscale

7. CHECK ROUTE SETTINGS:

Select the 3 dots next to the subnet machine and check (enable if not enabled) that it says “Subnet Routes” and has the devices you cannot install Tailscale on selected. In my case I chose the network 192.168.9.0/24, but I could have chosen just the Router that I cannot put Tailscale on (192.168.9.1) by issuing this in step 4 above (the Windows machine is included independently in my tailnet as I already put Tailscale on it):

sudo tailscale up --advertise-routes=192.168.9.1

8. TURN OFF LEDs.

My next job is to turn off the LED lights on the RPi, which is well covered here:

9. REDUCE LOG VERBOSITY

Next, my aim is to reduce the verbosity of logs thrashing the SD Card (many say use an SSD but that looks like another mission!). Reducing log verbosity is covered here for Linux Disabling Tailscale Logs on Linux | puddle.town but that site does not have clear instructions for the RPi.

However there is a parameter called “TS_NO_LOGS_NO_SUPPORT” for Tailscale where you:

add the tailscaled --no-logs-no-support (or TS_NO_LOGS_NO_SUPPORT=true) env variable

You add it to the end of the file /etc/default/tailscaled using Putty.
I could not use WinSCP here, as it did not allow root rw permission.

# Environment variable added by SmurfsHK
TS_NO_LOGS_NO_SUPPORT=true

======================================================
To write ANY file (as root i.e. sudo) from Putty, use this syntax:

sudo nano /etc/default/tailscaled

where (here):

  • ‘tailscaled’ = the file you want to edit;
  • ‘sudo’ allows you to amend that file as the root user, with rw permissions (where the files are rw).
  • ‘nano’ starts up and allows you to navigate a crude “text editor” and add the above lines and save the file.

See:
Logging, auditing, and streaming · Tailscale and 1.32.0 · tailscale/tailscale Wiki · GitHub

[EDIT1]

10. SECURITY:

Despite the note on this blog, Tailscale doesn't want your password · Tailscale, I am still a wee bit concerned that on my devices with saved gmail account passwords, I can just choose login straightaway with google and it goes straight in, no password or other authentication method requested.

If anyone leaves a PC open, or an iOS device momentarily unlocked, anyone can get straight in (admittedly Wireguard on iOS did this too, but not OpenVPN). I am looking for ways to have the default where it forces you to log in to the gmail account, i.e. no saved password.

[EDIT2]

11. SUBNET ROUTER NOT SHOWING IN MAIN ROUTER WEBADMIN

Refer my separate post Tailscale subnet router is connected but not showing up in Routers webadmin?

I hope that helps someone else; if you have constructive suggestions (or corrections, order of steps etc.), please do add them, but I’d like to keep them simple please. There are so many high level instructions out there by well-meaning folks who know exactly what they are doing (and why), but ultimately if it is too high level, folks like me just struggle.

cheers

k.

[EDIT]

The line in Step 7

sudo tailscale up --advertise-routes=192.168.9.1

should read

sudo tailscale up --advertise-routes=192.168.9.0/24