PI as VPN router to access tailscale and use exit node

A bit of background. The German ISP Telekom has sometimes bad peering which can lead to degraded performance.
What i currently doing to circumvent this is i have tailscale running on all maschines in my home network, then i have a cloud instance running with tailscale that works as exit node.

Currently i am just using sudo tailscale up --advertise-routes=0.0.0.0/0,::/0 but i intend to switch to use the new exit node feature once 1.6 is available.
For all clients that can run tailscale this works great. I can use tailscale for all its awesome features plus as consumer vpn to and circumvent the routing issues my ISP has.

Now the issue comes with devices where i can not install tailscale on.
I though about the issue and bunch and figured i might be able to use a raspberry pi as vpn router for those devices.
Posts i found include Raspberry Pi WireGuard VPN gateway – mgnk
I also tried a bunch of ideas myself but i could not get it to work. So maybe someone with experience with iptables etc can give me a hand.

What i am trying to achieve:
non-ts-client —lan—> pi —tailscale—> exit-node → internet

Some things i tried:

  • i manually set gateway ip on the non-ts-client to the lan ip of the pi

  • i tried to add snat on the pi to allow traffic flowing via pi to the exit-node (i could not make this work yet)

    sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE
    sudo iptables -A FORWARD -i eth0 -o tailscale0 -j ACCEPT
    sudo iptables -A FORWARD -i tailscale0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

but i got as far as understanding that those rules do not play nice with tailscales iptable rules.

1 Like

As I think you discovered on Selecting an exit node causes local subnet to become unavailable · Issue #1527 · tailscale/tailscale · GitHub, using the exit node feature currently doesn’t work very well combined with setting up a router. It’s close, but our current security policy to block LAN access is what gets in the way.

As a temporary hack while we implement the feature in that bug, you can add some extra policy routing rules to make your LAN more preferred than the Tailscale routes (assuming your LAN is 192.168.0.0/24 on eth0, adjust if not):

ip rule add pref 5260 table 53
ip route add 192.168.0.0/24 dev eth0 table 53

This extra route will be consulted before the main Tailscale routing table, so traffic from the pi to your LAN will match that route instead of the Tailscale default route.

With that extra bit of config, the masquerade + other rules you set up should be enough to make this work.

Thanks for the quick help. Now it is kind of working. I have the following setup right now.

  • sudo ip rule add pref 5260 table 53
  • sudo tailscale up --advertise-routes=192.168.178.0/24 -exit-node=100.75.16.71
  • sudo ip route add 192.168.178.0/24 dev eth0 table 53
  • sudo iptables -t nat -A ts-postrouting -m iprange --src-range 192.168.178.39 -o tailscale0 -j MASQUERADE

On device 192.168.178.39 i can now access ifconf.co and see the ip of my exit node.
Ican also still access tailscale ips! Sow it seems we are almost there.
But for some reason not all websites work. Do you have an idea why this might be?

Small edit: i ran
sudo tailscale up --advertise-routes=192.168.178.0/24

sudo tailscale up --advertise-routes=192.168.178.0/24 -exit-node=100.75.16.71

And now even ifconf.co does not work so i don’t know if it ever worked correctly