Is it possible to create a custom entry point?

Hi all,
I have a multi-WAN network where WAN1 is primary and WAN2 as backup and also serves as a port forward to the VPN but the tailscale don’t know about that wan2 public ip.
Is there a way to set manually entrypoint?

Is Tailscale running on WAN2 ?

Tailscale running on LNA with udp port forward from WAN2.
By default all traffic go out through WAN1

1 Like

Hi evergreen,

It sounds like you want to have tailscale run on a node inside your network, but automatically failover to using WAN2 to route tailscale traffic if WAN1 doesn’t work, right?

Tailscale doesn’t really have to handle multiple WANs - that’s the job of your local router, to set up failover and/or load balancing between them. Tailscale just uses whatever is your current “primary” WAN link to route its traffic. But if one of those WANs goes down, and your router automatically switches traffic to the other one, Tailscale should notice this in <60 seconds and fix up all its connections to use the newly-selected link. You shouldn’t need to set up any port forwarding or change any tailscale settings to make this work.

If that’s not working for you, please let us know some more specifics about your setup and symptoms.

1 Like

Everything you said is correct.
The thing is that Tailscale does not know about WAN2. I as a network administrator know that WAN2 is the best way to connect inside so it is a good idea allow the owner to append entrypoint manually.
Tailscale can take this to the next level and monitor the connection speed and choose if the entrypoint I added is most efficient and etc…

Basically Tailscale is subject to the routing set up in your kernel.

Are WAN1 and WAN2 separate routers on different internal LAN IP
addresses? Or are they two WANs on the same local IP? If it’s the
former, you can configure your local kernel to route to one or the
other. If it’s the latter, the only thing you can do is configure
failover correctly on your router.

Generally speaking, I don’t know of a reason why you’d want to route
tailscale over one interface and your regular internet traffic over a
different interface (since Tailscale nodes could be anywhere on the
Internet). Thus, routing at that layer is up to your OS.

Thanks for this discussion.

It’s simpler than it sounds, It’s been working like this for several years with openvpn and recently also with wiregurd.

The reason is bandwidth.
WAN1 is an asymmetrical connection, high download speed and limited upload 500/5, so it is excellent for normal uses.
WAN2 has 20/20 symmetrical bandwidth and is excellent for RDP and uploading files to the local network smoothly even when WAN1 is busy

1 Like

Okay, so I assume tailscaled is running on “multi WAN router” in your diagram. It sounds like what you want is to have two routing tables, something like this:

For almost all traffic:
ip route add default via

For tailscale traffic:
ip route add default via

You should be able to split your routing tables using Linux’s policy routing (“ip rule”). Luckily, tailscaled already configures its own traffic to use fwmark rule 0x80000, so something like this should work (untested by me):

ip rule add pref 100 fwmark 0x80000 lookup 100
ip route add default table 100 via

Please let us know if it works.

1 Like