Issue using a subnet route with Tailscale

User Q: Is it possible that I can get in touch with someone to go through some issues I am facing specifically about subnet route with Tailscale?

I am trying to test using a pair of Linux servers (Ubuntu) running the tailscale client to function as encrypted gateways, per the diagram below.

Goal - encrypting traffic between two subnets (192.168.101.0/24 and 192.168.102.0/24) behind the tailscale servers (Tailscale-1 and Tailscale-2)

So far:

  1. pinging between the two tailscale interfaces is OK.
  2. ip_forward enabled on both Tailscale-1 and Tailscale-2
  3. subnet route enabled on both Tailscale-1 and Tailscale-2
  4. accept routes enabled on both Tailscale-1 and Tailscale-2
  5. unable to ping from 192.168.101.0/24 to 192.168.102.0/24

Support: I looked at your CLI logs, thanks.
Do all PCs on 192.168.101/24 and 192.168.102/24 have routes to the other subnets via Tailscale-1 and Tailscale-2?

Are you using “tailscale up --snat-subnet-routes=false?”

It looks like your two Ubuntu machines are no longer advertising 192.168.102.0/24 and 192.168.101.0/24. You had run “tailscale up --advertise-routes=…” with those values once and accepted them in the admin panel, but then you ran “tailscale up” again later without those values, and that made the machines stop accepting those routes, even though other clients are sending traffic that way.

User: I re-issued the commands on both sides:

Linux tailscale-1
tailscale up --advertise-routes=192.168.101.0/24

Linux tailscale-2
tailscale up --advertise-routes=192.168.102.0/24

Same issue remains. It seems like tailscale dropped the packet somewhere along the way.

I performed a couple of tests:

  1. ping from the Linux tailscale-1, to the tailscale-2 (client IP), successful.
  2. ping from PC-1 to tailscale-2, failed. (the snat didn’t happen)

My questions are:

  1. Is the SNAT a must, which means the tailscale interface will only encrypt/forward packets from its own client address (as source)?

  2. Is it the responsibility of “tailscale up --snat-subnet-routes=true” to install the NAT rule into iptables? There is no PREROUTING nat rule.

Support: The issue is that tailscale-2 is not configured to accept subnet routes from remote machines, so it’s refusing packets that come from the remote subnet route. We don’t make this obvious in the UI, so it’s easy to miss. Add --accept-routes=true to both tailscale-1 and tailscale-2, in addition to the --advertise-routes flag.

Unlike the more client-oriented OSes, Linux doesn’t accept remote routes by default, because it can lead to confusing behavior if a machine is both a subnet router and also accepting subnet routes from elsewhere. In your case though, that’s exactly what you want for a site-to-site VPN.

Wow, it was not clear to me that the options needed to be passed together like this. That could have been a lot clearer on the quick start page.

Site A
tailscale up --advertise-routes=10.201.150.0/24,10.201.200.0/24 --accept-routes=true --snat-subnet-routes=true

Site B
tailscale up --advertise-routes=192.168.86.0/24 --accept-routes=true --snat-subnet-routes=true
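As an added illustration (not code from the thread or from Tailscale), a small Python model of what the support replies state: a route counts only when it is both advertised and approved in the admin panel, a later plain "tailscale up" replaces the earlier flags, and both Linux gateways need --accept-routes for a site-to-site setup. The host address 192.168.102.10, the Gateway fields and the order of the checks are assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Gateway:
    """A Linux tailscale subnet router and the flags its last 'tailscale up' set."""
    name: str
    ip_forward: bool = True                       # sysctl, set outside tailscale
    advertise_routes: set = field(default_factory=set)
    accept_routes: bool = False                   # Linux default per the support reply

def tailscale_up(gw, advertise_routes=(), accept_routes=False):
    """Model the behaviour the thread describes: each 'tailscale up' replaces the
    earlier flags, so omitting --advertise-routes stops advertising the subnet
    and omitting --accept-routes switches route acceptance off again."""
    gw.advertise_routes = {ip_network(r) for r in advertise_routes}
    gw.accept_routes = accept_routes

def can_reach(dst_ip, src_gw, dst_gw, approved):
    """Can a LAN host behind src_gw reach dst_ip behind dst_gw?  'approved' is the
    set of routes enabled in the admin panel; a route only counts when it is both
    advertised by the gateway and approved there.  Returns (ok, reason)."""
    dst = ip_address(dst_ip)
    dst_net = next((n for n in dst_gw.advertise_routes & approved if dst in n), None)
    if dst_net is None:
        return False, f"{dst_gw.name}: no advertised and approved route covers {dst}"
    if not src_gw.accept_routes:
        return False, f"{src_gw.name}: --accept-routes is off, so it has no route to {dst_net}"
    if not dst_gw.accept_routes:
        return False, f"{dst_gw.name}: --accept-routes is off, so it refuses the remote subnet"
    if not (src_gw.ip_forward and dst_gw.ip_forward):
        return False, "ip_forward is disabled on one of the gateways"
    return True, "ok"

def thread_scenario():
    """Replay the three states from the thread for PC-1 pinging a host behind tailscale-2."""
    approved = {ip_network("192.168.101.0/24"), ip_network("192.168.102.0/24")}
    t1, t2 = Gateway("tailscale-1"), Gateway("tailscale-2")
    tailscale_up(t1, ["192.168.101.0/24"]); tailscale_up(t2, ["192.168.102.0/24"])
    tailscale_up(t1); tailscale_up(t2)           # later plain 'tailscale up': routes gone
    rerun = can_reach("192.168.102.10", t1, t2, approved)
    tailscale_up(t1, ["192.168.101.0/24"]); tailscale_up(t2, ["192.168.102.0/24"])
    readvertised = can_reach("192.168.102.10", t1, t2, approved)
    tailscale_up(t1, ["192.168.101.0/24"], accept_routes=True)
    tailscale_up(t2, ["192.168.102.0/24"], accept_routes=True)
    fixed = can_reach("192.168.102.10", t1, t2, approved)
    return rerun, readvertised, fixed
```

Running thread_scenario() shows the first two states failing for the two reasons support gave and the third succeeding.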