How to announce routes with Tailscale add-on in Home Assistant

Hi, I’m running Tailscale as an addon of Home Assistant (HA) on a Raspberry Pi. I don’t have access (to my knowledge) to the ssh console in the addon container and cannot run commands easily.

At first I was running HA and the other devices in a simple common VLAN (192.168.68.x). Tailscale was advertising this vlan and I could access other devices on the vlan from other tailscale machines.

I then purchased a Unifi dream machine pro as a router and created 2 separate vlans:

  • common vlan: 192.168.1.x (running the router interface and HA)
  • previous vlan 192.168.68.x

Tailscale advertised both vlans and I could still access the iot devices on the “legacy” vlan although tailscale was in another vlan.

When I added wifi access points from the same brand, the common vlan was forced by the router as a management vlan and HA was not responding anymore. I had to move it to another vlan. So I created 5 vlans overall:

  • management vlan 192.168.1.x (router console, access points, protected by the router)
  • common vlan 192.168.2.x (HA, NAS, printer)
  • new IoT vlan 192.168.3.x (50% of the IoT devices here)
  • guest vlan 192.168.5.x (for users)
  • legacy IoT vlan 192.168.68.x (50% of the devices still there, being migrated to the other iot vlan)

All vlans are at the moment fully interconnected; there is no restriction, and multicast, igmp snooping, etc. are enabled. HA sees and talks to all IoT devices on the different vlans, no issue except for discovery protocols, if they cannot work across vlans.

Now Tailscale only advertises vlan 192.168.2.x (which I don’t want to advertise), and the previously announced vlans, i.e. 192.168.1.x and 192.168.68.x, are still there but greyed out and proposed with a “remove” button as they are not advertised anymore.

I have no way to advertise the new vlans manually as I do not have access to the ssh console of the Tailscale addon, and the option is not visible in the tailscale console.

I would like to know if anyone has been through the same issue and has found any workaround please?

Many thanks!
B

Hi again,

For info I found out that the official Tailscale addon was deprecated, although not specified as such, while there’s another one that does the job instead, including a configuration option to announce routes from the add-on.

Alternate add-on is here:

For devices on the announced routes to be reachable from the container running Tailscale, the following configuration needs to be set in the addon (in addition to auth_key and hostname):

  • advertise_routes: the routes to be announced
  • userspace_networking: needs to be enabled (important, or the route will be announced but routing will not exit the container!)

Hi BenZoFly!

It seems I have had similar problems with my HA & Tailscale, or at least so I have understood. I do have a generic understanding of the network, HA configuration and such, but after I read your post I must admit I may have lost my path 🙂

Could you please elaborate what I may need to do in my case, based on your findings.

The case:

My local network (192.168.1.0/24), HAOS installed with tsujamin’s Tailscale addon. Remote network (192.168.2.0/24) and lots of IoT devices. Between is fully working Tailscale network.

The HAOS does not seem to “see” the remote subnet; at the remote side there is a Tailscale node with published subnets, and all other clients in the same Tailscale network can see all the devices from all the available networks (192.168.1.0/24, 192.168.2.0/24, Tailnet).

As I read your post I realised that the problem indeed must be in the way networking has been handled inside HAOS containers, and if I have now understood correctly the “Internal routing” between HAOS containers needs to be activated.

From this point I need some help to understand how the configuration of tsujamin’s Tailscale add-on needs to be for such routing to happen.

The ultimate goal would be that the HAOS core and all add-ons (containers) are able to see, ping and communicate to all networks locally and all the published sub networks Tailscale is advertising from the remote side.

The needed extra configuration should then include “advertise_routes” and “userspace_networking”. The actual format of these configurations in the add-on’s YAML is something I am not that familiar with, nor understand the correct format of the parameters.

I read the Tailscale documentation about these, but as there were options not used in the YAML configuration format I got totally lost about how to do this.

I tried the following but was not able to get the routes to work as planned:

advertise_routes: 192.168.2.0/24
userspace_networking: true <— I think that is fundamentally wrong!?

Any chance to have a few thoughts from you on this? Much appreciated!

Br: Mac (OH1MAC)
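As an added illustration (not from either poster, and not the add-on's own code), a small Python check of a planned advertise_routes value against the subnets discussed in this thread: it accepts either the list form or the bare string used above, rejects prefixes with host bits set, flags routes that would expose a subnet you do not want reachable, and flags routes for subnets that are not behind this node. The subnet values are constructed from the posts; nothing is assumed about the add-on's exact option schema.

```python
import ipaddress


def normalize_routes(value):
    """Return ip_network objects from a list of CIDRs or a single bare string.

    strict=True rejects prefixes with host bits set (e.g. 192.168.2.1/24),
    a typo that would otherwise make the advertised route unusable.
    """
    items = [value] if isinstance(value, str) else list(value or [])
    return [ipaddress.ip_network(str(i).strip(), strict=True) for i in items]


def check_route_plan(advertise_routes, local_subnets, do_not_expose=()):
    """Compare routes a node would advertise against what it can actually serve.

    local_subnets: subnets behind this node's site (a node can only serve
    routes for networks it can reach locally, as the reply below explains).
    do_not_expose: subnets that must not become reachable via the tailnet.
    Returns served routes, local subnets left unadvertised, and problems;
    an empty 'problems' list means the plan is consistent.
    """
    routes = normalize_routes(advertise_routes)
    local = normalize_routes(local_subnets)
    deny = normalize_routes(do_not_expose)
    served, problems = [], []
    for r in routes:
        if any(r.overlaps(d) for d in deny):
            problems.append(f"{r} exposes a subnet marked do-not-expose")
        if any(r.version == l.version and r.subnet_of(l) for l in local):
            served.append(str(r))
        else:
            problems.append(f"{r} is not behind this node; it needs a routing node at its own site")
    unadvertised = [
        str(l) for l in local
        if not any(l.version == r.version and l.subnet_of(r) for r in routes)
        and not any(l.version == d.version and l.subnet_of(d) for d in deny)
    ]
    return {"served": served, "unadvertised": unadvertised, "problems": problems}


# Constructed sample: the five VLANs from the first post, with the IoT VLANs
# advertised and the management and common VLANs kept off the tailnet.
SITE_A_VLANS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24",
                "192.168.5.0/24", "192.168.68.0/24"]
SITE_A_PLAN = check_route_plan(["192.168.3.0/24", "192.168.68.0/24"],
                               SITE_A_VLANS, ["192.168.1.0/24", "192.168.2.0/24"])

# Constructed sample: the second poster's attempt, a bare string naming the
# remote site's subnet from a node that only sits on the local 192.168.1.0/24.
SITE_B_PLAN = check_route_plan("192.168.2.0/24", ["192.168.1.0/24"])
```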

Hi,

I think I was trying to solve another problem.

In my case I am using a client (e.g. my mobile) to access remotely Home Assistant, which is located in a vlan 192.168.2.x and itself talks to IoT devices in the vlans 192.168.3.x and 192.168.68.x.

I wanted to lock the IoT networks from the internet but still access the devices remotely via their local ip. So I am using HA as a jump server to the local network, after having crossed the Tailscale network so to say.

But I understand that you’re trying to do something different, the two vlans are at different exit points of the Tailscale network, right?

If that’s the case, then you need 2 routing nodes, one locally for routing 192.168.1.x and another one in the other location to announce the route 192.168.2.x. A Tailscale node only announces local vlans.

But I may have not grasped what you try to achieve?

Regards,
B

Edit: re-reading your post, if HA is the only node on the one side, then HA is a single client, not a routing node. No need to announce routes if the devices on the “other side” only look for HA. You need a routing node on the other side to bridge Tailscale with your local LAN though. This one will announce the 2.x network. Then HA will know where to bounce to access the other nodes on the other side.

My addon configuration to reach other vlans locally to the HA instance