How can I use tailscale as a gateway?

I would like to run tailscale as a gateway to a private network.
On some of the machines in the private network, I do not want to install tailscale, but I still want to be able to access some services via the tailnet ip addresses (100.x.y.z).

My question is a variation of the question asked here:

Can I use tailscale interface as gateway? - Linux - Tailscale

I tried the following:

  1. Set up two machines in AWS in the same subnet
  2. Machine A, IP: 10.0.28.155, set up tailscale
  3. On Machine A, ran these:
sysctl net.ipv4.ip_forward=1
sysctl net.ipv6.conf.all.forwarding=1
  4. Machine B, IP: 10.0.23.212, did not set up tailscale
  5. Verified that I could connect to A from B, and B from A. Using 10.0.x.x addresses.
  6. Verified on machine A, I could ping 100.99.67.52 (tailscale address)
  7. Verified on machine B, I could not ping 100.99.67.52
  8. On machine B, I did: ip route add 100.0.0.0/24 via 10.0.28.155 dev eth0
  9. On machine B, I could still not ping 100.99.67.52
  10. On Machine A I did:
ip r

default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.28.155
169.254.169.254 dev eth0
iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ts-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x40000
ACCEPT     all  --  anywhere             anywhere             mark match 0x40000
DROP       all  --  100.64.0.0/10        anywhere
ACCEPT     all  --  anywhere             anywhere

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  ip-10-0-28-155.xxx.beta.tailscale.net  anywhere
RETURN     all  --  100.115.92.0/23      anywhere
DROP       all  --  100.64.0.0/10        anywhere
  11. On machine B I did:
ip r

10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.23.212
100.0.0.0/24 via 10.0.28.155 dev eth0
169.254.169.254 dev eth0
iptables --list

target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Is it possible for me from machine B to access 100.x tailnet addresses via machine A?

I read this article, Subnet routers and traffic relay nodes · Tailscale, but that only seems to cover the case where machine A can access addresses in the local network attached to machine B.

Any ideas as to how to get this to work?

Machine A will need to be configured as a subnet router so that tailscale will route traffic for the 10.x network.

Machine C (100.99.67.52) will need to be configured with --accept-routes so that replies at machine C to packets from the 10.x network are routed via the subnet router on machine A.

OK, I tried this:

export MACHINE_A_IP=10.0.28.155
export MACHINE_B_IP=10.0.23.212
  1. On Machine A (running tailscale):
tailscale up --snat-subnet-routes=false --advertise-routes=10.0.0.0/16
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 10.0.28.155  netmask 255.255.240.0  broadcast 10.0.31.255
        inet6 fe80::4a3:e5ff:fedb:bffa  prefixlen 64  scopeid 0x20<link>
        ether 06:a3:e5:db:bf:fa  txqueuelen 1000  (Ethernet)
        RX packets 8920  bytes 2490692 (2.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8015  bytes 868529 (848.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tailscale0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet 100.86.91.83  netmask 255.255.255.255  destination 100.86.91.83
        inet6 fe80::201:40e1:faaa:eeb1  prefixlen 64  scopeid 0x20<link>
        inet6 fd7a:115c:a1e0:ab12:4843:cd96:6256:5b53  prefixlen 128  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 164  bytes 16906 (16.5 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 172  bytes 12365 (12.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
ip r
default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.28.155
169.254.169.254 dev eth0
iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ts-input   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ts-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ts-forward (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK set 0x40000
ACCEPT     all  --  anywhere             anywhere             mark match 0x40000
DROP       all  --  100.64.0.0/10        anywhere
ACCEPT     all  --  anywhere             anywhere

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  ip-10-0-28-155.xxx.beta.tailscale.net  anywhere
RETURN     all  --  100.115.92.0/23      anywhere
DROP       all  --  100.64.0.0/10        anywhere
  2. On Machine B (not running tailscale, but on same LAN as Machine A):
ip route add 100.64.0.0/10 via $MACHINE_A_IP dev eth0
ip r

default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.23.212
100.64.0.0/10 via 10.0.28.155 dev eth0
169.254.169.254 dev eth0
iptables --list

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
  3. On Machine A:
# ping 100.105.242.97
PING 100.105.242.97 (100.105.242.97) 56(84) bytes of data.
64 bytes from 100.105.242.97: icmp_seq=1 ttl=64 time=144 ms
  4. On Machine B:
ping 100.86.91.83
PING 100.86.91.83 (100.86.91.83) 56(84) bytes of data.
^C
--- 100.86.91.83 ping statistics ---
72 packets transmitted, 0 received, 100% packet loss, time 72678ms

Is there anything else I should do to get this to work?

Thanks.

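One check worth running against the two attempts above, as an added example that is not from the thread or from Tailscale: the first attempt's route 100.0.0.0/24 does not contain 100.99.67.52, so machine B would hand those packets to its default gateway rather than to machine A, while the second attempt's 100.64.0.0/10 does cover it. The script parses `ip r` style output (sample tables constructed from the listings posted above, with the default route taken from the second listing) and reports which next hop a tailnet address would actually take.

```shell
# Added example (not from the thread): which next hop does a tailnet address take?
# Sample tables constructed from the `ip r` listings posted above.
# Machine B, first attempt: only 100.0.0.0/24 points at machine A.
B_ROUTES_ATTEMPT1='default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.23.212
100.0.0.0/24 via 10.0.28.155 dev eth0'

# Machine B, second attempt: the whole CGNAT block 100.64.0.0/10 points at machine A.
B_ROUTES_ATTEMPT2='default via 10.0.16.1 dev eth0
10.0.16.0/20 dev eth0 proto kernel scope link src 10.0.23.212
100.64.0.0/10 via 10.0.28.155 dev eth0'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP PREFIX/LEN -> true when IP lies inside the prefix (no /LEN means /32)
in_cidr() {
  case $2 in */*) net=${2%/*}; len=${2#*/} ;; *) net=$2; len=32 ;; esac
  if [ "$len" -eq 0 ]; then mask=0
  else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_for IP, with an `ip r` table on stdin: prints the gateway of the most
# specific matching route that has one (longest prefix wins); empty if none.
route_for() {
  best_len=-1; best_gw=""
  while read -r dst via gw rest; do
    [ "$via" = via ] || continue            # on-link routes carry no gateway
    case $dst in default) dst=0.0.0.0/0 ;; esac
    in_cidr "$1" "$dst" || continue
    len=${dst#*/}
    if [ "$len" -gt "$best_len" ]; then best_len=$len; best_gw=$gw; fi
  done
  echo "$best_gw"
}

# diagnose GATEWAY_IP TARGET_IP, table on stdin: does TARGET really go via GATEWAY?
diagnose() {
  gw=$(route_for "$2")
  if [ -z "$gw" ]; then echo "no route for $2"
  elif [ "$gw" = "$1" ]; then echo "ok: $2 via gateway $1"
  else echo "wrong next hop: $2 via $gw, not gateway $1"; fi
}

printf '%s\n' "$B_ROUTES_ATTEMPT1" | diagnose 10.0.28.155 100.99.67.52
printf '%s\n' "$B_ROUTES_ATTEMPT2" | diagnose 10.0.28.155 100.99.67.52
```

Run it against the live table with `ip r | diagnose 10.0.28.155 100.99.67.52` on machine B to confirm the route before looking at forwarding or firewall rules on machine A.
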
I just checked 100.86.91.83 and the routes still need approval - step 3 has some guidelines:

Thanks, I will do that.

@rodrigc Have you solved your problem yet? I have the same question.

@herotheo No, I never got this to work. On Linux, the way that Tailscale configures firewall rules via ipfw plus use of a tun device to connect to the Tailnet makes things difficult for me to figure out.

What I have been told is:
“if you do networking / iptables changes to hook into it, but even then the Tailscale network interface needs the traffic to come in encrypted via WireGuard, so knowing the IP / mapping it to the correct IP in the cluster doesn’t help with that.”

I have not been able to come up with a concrete proof of concept of this with a working prototype.