Site-to-Site Communications

I am trying to build a PoC to connect to different environments (Azure and AWS) using subnet routers and site-to-site VPN but I have’t been able to get the non-tailscale clients to be able to see one another and I’m not sure what I’m missing.


Commands on both tailscale machines as per Site-to-site networking · Tailscale:

mangle -A FORWARD -i tailscale0 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

tailscale up --advertise-routes= --snat-subnet-routes=true --accept-routes


echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

tailscale up --advertise-routes= --snat-subnet-routes=true --accept-routes

AWS Windows machines:

route add
route add

Azure Windows machine:

route add
route add

Results with --snat-subnet-routes=true:

Tailscale subnet routers can ping each other on the tailnet and other LAN subnet
Tailscale machines can ping machines on the other LAN subnet.
Windows non-tailscale machines cannot ping machines other on the other LAN subnet or tailnet

Seems like I’m almost there with this but if I’m missing something on the Windows side I can’t figure it out.

Results with --snat-subnet-routes=false:

Tailscale subnet routers can ping each other on tailnet and other LAN subnet
Tailscale subnet routers cannot ping other machines on the other LAN subnet
Windows non-tailscale machines cannot ping tailnet or machines on the other LAN subnet

Windows firewalls of
No ACLs define

1 Like

Have you progressed with this since asking? I am also having Site to Site problems. I am using two Mac Mini’s running Tailscale at different sites and non-tailscale machines at Site 1 can’t access non-tailscale machines at Site 2 and vice versa. I also can’t appear to get the --snat-subnet-routes flag to function on the macOS terminal.

I have two Unifi USG and am hoping to configure the static routes on those rather than on each individual non-tailscale machine.

The information about Site to Site isn’t sufficiently detailed enough for me.

Nope, unfortunately I’ve given up on it for the time being. There doesn’t seem to be any good information out there about solving this issue. I’ve seen a few other posts about similar problems but no solutions.

I’m Having the same issue. I’m running the following command on two ubuntu boxes in my lab. “sudo tailscale up --advertise-routes= -accept-routes=true --snat-subnet-routes=false --reset” on the other box I’m running “sudo tailscale up --advertise-routes= -accept-routes=true --snat-subnet-routes=false --reset”. No errors when I come up on either box. Console shows both routes accepted. Pinging from → I’m getting timeout. When I run a capture on the router interface I clearly see the source address of the pings being 100.114…x.x (the tailscale interface on the 172.16.x.x tailscale router). Clearly the switch isn’t doing anything. Not sure where to bring this up TailScale

Opened a support ticket with TailScale, he didn’t see any configuration issue but he did notice that I was using DERP Relays to communicate between routers. I had noticed the DERP protocol being used when I did a “tailscale ping” between the router’s TailScale addresses but I thought that was the way it worked. I thought I would fix that issue while waiting for a reply on the main issue. I looked at the article that the tech support engineer shared (What firewall ports should I open to use Tailscale? · Tailscale). I wasn’t blocking any ports outbound so I tried to vanilla the configuration as far as possible. In the current configuration the two tailscale routers were being triple natted and coming out with the same public IP. When I reconfigured the network so it was only a single NAT same IP it still didn’t work (still seeing DERP pings). When I reconfigured the network so they were single NAT with unique IP’s it worked (saw direct ping reply’s with “tailscale ping” between routers). Ok, fixed that problem. I decided to check to see if the TailScale natting problem went away since I fixed something…yep it worked now. So if you see DERP pings between your TailScale routers the “–snat-subnet-routes=false” will have no effect. You have to fix the DERP issue before this solution will work. Unfortunately, the solution I was testing for a client requires that the multiple routers come out of the same NATed network…I wont be able to suggest TailScale. Hope this helps with your troubleshooting.

I had the same issue. I ended up using a site to site ipsec tunnel. You could also use wireguard directly. I still use tailscale but not with subnet routers enabled.

I’m a newbie, therefore excuse my question, why do you define the first route on you Windows machines as:

route add

Your tailnet addresses look very different to me.

Read this article. What are these 100.x.y.z addresses? · Tailscale and this one Site-to-site networking · Tailscale