I would like to run tailscale as a gateway to a private network.
On some of the machines in the private network, I do not want to install tailscale, but I still want to be able to access some services via the tailnet IP addresses (100.x.y.z).
My question is a variation of the question asked here:
Can I use tailscale interface as gateway? - Linux - Tailscale
I tried the following:
- Set up two machines in AWS in the same subnet
- Machine A, IP: 10.0.28.155, set up tailscale
- On Machine A, ran these:
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
- Machine B, IP: 10.0.23.212, did not set up tailscale
- Verified that I could connect to A from B, and to B from A, using 10.0.x.x addresses.
- Verified that on machine A I could ping 100.99.67.52 (tailscale address)
- Verified that on machine B I could not ping 100.99.67.52
- On machine B, I did: ip route add 100.0.0.0/24 via 10.0.28.155 dev eth0
- On machine B, I could still not ping 100.99.67.52
- On Machine A I did:
ip r
default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.28.155
169.254.169.254 dev eth0
iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ts-input all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ts-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ts-forward (1 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK set 0x40000
ACCEPT all -- anywhere anywhere mark match 0x40000
DROP all -- 100.64.0.0/10 anywhere
ACCEPT all -- anywhere anywhere
Chain ts-input (1 references)
target prot opt source destination
ACCEPT all -- ip-10-0-28-155.xxx.beta.tailscale.net anywhere
RETURN all -- 100.115.92.0/23 anywhere
DROP all -- 100.64.0.0/10 anywhere
- On machine B I did:
ip r
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.23.212
100.0.0.0/24 via 10.0.28.155 dev eth0
169.254.169.254 dev eth0
iptables --list
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Is it possible for me from machine B to access 100.x tailnet addresses via machine A?
I read this article, Subnet routers and traffic relay nodes · Tailscale, but that only seems to cover the case where machine A can access addresses in the local network attached to machine B.
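A check that can be done offline before touching forwarding or firewall rules on either host: does a static route prefix actually contain the destination address, the way the kernel's longest-prefix match decides it? The script below is an added example, not part of the original post or of Tailscale's tooling. It uses only the addresses that appear in the post (the route prefix 100.0.0.0/24 installed on machine B, the destination 100.99.67.52, and the 100.64.0.0/10 block that shows up in the ts-forward and ts-input chains on machine A); the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: decide whether an IPv4 destination is covered by a route
# prefix using the same mask-and-compare the kernel's FIB lookup performs.
# Pure shell arithmetic, so it runs without access to the hosts in the post.

# ip4_to_int <a.b.c.d> : print the address as a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_covers <dest-ip> <prefix/len> : succeed if dest lies inside the prefix
route_covers() {
    local dest=$1 prefix=${2%/*} len=${2#*/}
    local mask
    if [ "$len" -eq 0 ]; then
        mask=0                                   # 0.0.0.0/0 matches everything
    else
        mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip4_to_int "$dest") & mask )) -eq $(( $(ip4_to_int "$prefix") & mask )) ]
}

# covering_routes <dest-ip> <prefix/len>... : print every listed prefix that
# contains the destination (what a routing table would consider candidates)
covering_routes() {
    local dest=$1; shift
    local r
    for r in "$@"; do
        route_covers "$dest" "$r" && printf '%s\n' "$r"
    done
    return 0
}

# Worked check with the values from the post (addresses copied, not constructed):
#   - 100.0.0.0/24 is the prefix machine B was given via 10.0.28.155
#   - 100.64.0.0/10 is the block referenced in machine A's ts-forward/ts-input rules
dest=100.99.67.52
for r in 100.0.0.0/24 100.64.0.0/10; do
    if route_covers "$dest" "$r"; then
        echo "$r covers $dest"
    else
        echo "$r does NOT cover $dest"
    fi
done
```

Running it prints one line per prefix, so a reader can see at a glance whether a candidate route on B would ever be selected for the tailnet destination before moving on to forwarding and firewall state on A.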