Tailscale exit node only for certain subnet

Tailscale version: 1.32.1
Your operating system & version: Unifi USG-3P v4.4.56 (VyOS) [Debian 7]

Is it possible to selectively use a tailscale client as an exit node? I currently have tailscale deployed on a UDM-Pro and a USG-3P. The UDM-Pro is configured as an exit node. Is it possible to only send traffic from a certain address group on the USG-3P over tailscale0? Previously, with wireguard I used the following config:

{
    "firewall":{
        "group":{
            "address-group":{
                "VIA_VPN_ADDRESSES":{
                    "address":[
                        "10.2.1.0/24"
                    ]
                }
            }
        },
        "modify":{
            "LOAD_BALANCE":{
                "rule":{
                    "2001":{
                        "action":"modify",
                        "modify":{
                            "table":"1"
                        },
                        "protocol":"all",
                        "source":{
                            "group":{
                                "address-group":"VIA_VPN_ADDRESSES"
                            }
                        }
                    }
                }
            }
        }
    },
    "protocols":{
        "static":{
            "interface-route":{
                "10.10.10.0/23":{
                    "next-hop-interface":{
                        "wg1":"''"
                    }
                },
                "10.1.0.0/16":{
                    "next-hop-interface":{
                        "wg1":"''"
                    }
                },
                "10.3.0.0/16":{
                    "next-hop-interface":{
                        "wg1":"''"
                    }
                }
            },
            "table":{
                "1":{
                    "interface-route":{
                        "0.0.0.0/0":{
                            "next-hop-interface":{
                                "wg1":"''"
                            }
                        }
                    }
                }
            }
        }
    },
    "service":{
        "nat":{
            "rule":{
                "5001":{
                    "outbound-interface":"wg1",
                    "protocol":"all",
                    "source":{
                        "group":{
                            "address-group":"VIA_VPN_ADDRESSES"
                        }
                    },
                    "type":"masquerade"
                }
            }
        }
    }
}

Is something similar possible with tailscale? I tried specifying the --exit-node= option, but it completely bricked my security gateway, forcing a factory reset.
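The config posted above is policy-based routing: an address group is pinned to routing table 1, table 1's default route points at the tunnel interface, and the group is masqueraded behind that interface. The following script is an added example, not code from this thread or from Tailscale, that renders that intent as the equivalent iproute2/iptables commands so the pieces can be reviewed side by side. The `iface_map` rename of `wg1` to `tailscale0` is a hypothetical substitution for reading purposes only; the script prints commands and does not run them, and the thread does not establish that tailscaled will forward traffic injected this way to an exit node.

```python
import json

# Constructed sample: the same structure as the VyOS config posted above,
# cut down to the address group, the modify rule, table 1 and the NAT rule.
VYOS_CONFIG = json.loads("""
{ "firewall": {"group": {"address-group": {"VIA_VPN_ADDRESSES": {"address": ["10.2.1.0/24"]}}},
   "modify": {"LOAD_BALANCE": {"rule": {"2001": {"action": "modify", "modify": {"table": "1"},
     "protocol": "all", "source": {"group": {"address-group": "VIA_VPN_ADDRESSES"}}}}}}},
  "protocols": {"static": {"table": {"1": {"interface-route": {"0.0.0.0/0":
     {"next-hop-interface": {"wg1": "''"}}}}}}},
  "service": {"nat": {"rule": {"5001": {"outbound-interface": "wg1", "protocol": "all",
     "source": {"group": {"address-group": "VIA_VPN_ADDRESSES"}}, "type": "masquerade"}}}}
}
""")


def to_linux_commands(cfg, iface_map):
    """Render the policy-routing intent of a VyOS config as iproute2/iptables commands.

    iface_map renames tunnel interfaces, e.g. {"wg1": "tailscale0"} (hypothetical).
    Only the table-scoped routes are translated; the global interface-routes in the
    original config are ordinary static routes and are left out here.
    """
    groups = cfg["firewall"]["group"]["address-group"]
    cmds = []
    # 1. Source selection: each modify rule sends a source group to a routing table.
    #    VyOS does this with an fwmark; a from-prefix rule is equivalent in effect.
    for chain in cfg["firewall"].get("modify", {}).values():
        for rule in chain["rule"].values():
            table = rule["modify"]["table"]
            grp = rule["source"]["group"]["address-group"]
            for cidr in groups[grp]["address"]:
                cmds.append(f"ip rule add from {cidr} lookup {table}")
    # 2. Per-table routes: the table's default route leaves via the tunnel interface.
    for table, tcfg in cfg["protocols"]["static"].get("table", {}).items():
        for dst, route in tcfg["interface-route"].items():
            for iface in route["next-hop-interface"]:
                dev = iface_map.get(iface, iface)
                cmds.append(f"ip route add {dst} dev {dev} table {table}")
    # 3. NAT: masquerade the group behind the tunnel interface's own address.
    for rule in cfg["service"]["nat"]["rule"].values():
        if rule["type"] != "masquerade":
            continue
        dev = iface_map.get(rule["outbound-interface"], rule["outbound-interface"])
        grp = rule["source"]["group"]["address-group"]
        for cidr in groups[grp]["address"]:
            cmds.append(f"iptables -t nat -A POSTROUTING -s {cidr} -o {dev} -j MASQUERADE")
    return cmds


if __name__ == "__main__":
    print("\n".join(to_linux_commands(VYOS_CONFIG, {"wg1": "tailscale0"})))
```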

How did you get this working on the USG? I’ve got the MIPS package downloaded but I’m not sure where to go from there.

I created a GitHub repo for the installation script:

Thanks for the message! I was over halfway done doing the same thing except writing it as a service managed with an init.d script. Might as well save myself the rest of the effort.

Did you have a particular way to make start run on reboot that persists through OS updates? Any reason I shouldn’t wrap your manage.sh in an initscript?

As far as I know, VyOS doesn’t have an init system apart from post-config, which is already implemented.

Did you have a particular way to make tailscale connect on reboot on the USG?

If you run the install script, it should install the post-config script, which runs on reboot for me. Can you check its presence? Otherwise the install script may be broken.

There is a post-config script that it copies, named 10-tailscaled.sh and the contents are empty:

#!/bin/sh

Nothing there. Should I put tailscale up or bash /config/tailscale/manage.sh start in there or what?

And did you ever get the exit node working on your USG?