Tailscale version - latest
Your operating system & version - ubuntu 20.04
We’re currently using two sites, one Azure and one in OVH (in VMware). I was looking to use a s2s connection to get both sites talking to each other, but wondered if tailscale could be an option using a subnet router in each site. Tell me so far if this is madness!
I’m using opnsense in OVH and have tried to create an ubuntu box with accept-routes enabled alongside advertising subnets, and then a route to this as a gateway configured in opnsense.
While tailscale all seems to work (the tailscale box is accessible, and advertises the routes successfully), I can’t get any other box to successfully use the ubuntu box as a router. It’s set up as a gateway in opnsense, it has the route assigned to it, and checking the traffic it goes to the ubuntu box with tailscale, but it doesn’t appear to go anywhere.
e.g. the command line I have on the tailscale box is this:
sudo tailscale up --accept-routes --advertise-routes=192.168.100.0/24
As described, my guess would be with routing in Azure. For example if the OVH workstation sits on a 192.168.100.0/24 LAN, and the Azure servers are on a VPC using 10.128.0.0/24, we would expect to see the two Tailscale subnet routers as:
OVH tailscale: sudo tailscale up --accept-routes --advertise-routes=192.168.100.0/24
Azure tailscale: sudo tailscale up --accept-routes --advertise-routes=10.128.0.0/24
Let’s further assume that the Azure tailscale node has a VPC address of 10.128.0.7.
The Azure servers need to have a route stating that 192.168.100.0 is reached via gateway 10.128.0.7. Tailscale can’t help with this; the VPC within Azure needs to have a route installed.
I will make one other observation though: this is using Tailscale like an IPsec tunnel, and doesn’t benefit from most of Tailscale’s feature set.
The Azure routing side is fine. Any tailscale client, alongside using the tailscale host in OVH, can ping/connect to all the azure machines. It just appears that using this ubuntu box as a subnet router doesn’t work.
You mention using this as an IPsec tunnel, which I had thought tailscale would be helpful for. But would you advise against this? For this setup, we cannot install tailscale clients on all boxes as they are created manually as a testing area and cloned, so we can’t guarantee that every box would have the client.
Ubuntu is widely used as a subnet router. Though there may be something unique about deploying in this way or this environment, Ubuntu itself does work as a subnet router.
I guess the thing that jumps out is the presence of a firewall between the subnet router and the nodes it is trying to connect. I’m sure you’ve configured the OPNsense firewall to allow the traffic in, but that is where I’d be focussing for debugging.
If OVH supports adding routes within the VPC, you could consider swapping the order so the Ubuntu subnet relay sits behind the OPNsense firewall along with all of the rest of the nodes. OVH would need a route pointing the IP address range of the Azure VPC to the Ubuntu subnet router.
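The replies above point at the firewall and at cloud-side routes; the other place a subnet router can silently drop forwarded traffic is the Linux host itself. The script below is an added example, not code from the thread or from Tailscale: it bundles the host-side checks a practitioner would run on the Ubuntu box before blaming OPNsense or Azure. It assumes Tailscale's documented Linux requirements (kernel IP forwarding enabled via sysctl, and accepted routes installed in routing table 52 by tailscaled); the sample route listing embedded in it is constructed for illustration and mirrors the 10.128.0.0/24 subnet used earlier in the thread.

```shell
#!/bin/sh
# Added diagnostic helper for a Linux Tailscale subnet router (example code,
# not Tailscale's own). Functions take their inputs as arguments so the same
# logic can be exercised against constructed data as well as the live host.

# check_forwarding FILE
#   Returns 0 when the sysctl file (e.g. /proc/sys/net/ipv4/ip_forward)
#   contains "1". Without forwarding, packets reach the box and stop there,
#   which matches the symptom of traffic "not going anywhere".
check_forwarding() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# subnet_in_routes ROUTES_TEXT PREFIX
#   Returns 0 when PREFIX appears as a destination in ROUTES_TEXT, which is
#   expected to be the output of `ip route show table 52` (the table where
#   tailscaled installs routes it has accepted from other subnet routers).
subnet_in_routes() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Constructed sample of `ip route show table 52` output on the OVH router:
# it has accepted the Azure subnet but (deliberately) not its own LAN.
SAMPLE_ROUTES='10.128.0.0/24 dev tailscale0
100.64.0.0/10 dev tailscale0'

# diagnose REMOTE_PREFIX
#   Runs the checks against the live host and prints a verdict per item.
diagnose() {
    remote="$1"
    if check_forwarding /proc/sys/net/ipv4/ip_forward; then
        echo "ok:   net.ipv4.ip_forward = 1"
    else
        echo "FAIL: net.ipv4.ip_forward is not 1 (set it in /etc/sysctl.d and reload)"
    fi
    if check_forwarding /proc/sys/net/ipv6/conf/all/forwarding; then
        echo "ok:   net.ipv6.conf.all.forwarding = 1"
    else
        echo "warn: IPv6 forwarding is off (only matters if you route IPv6 subnets)"
    fi
    routes="$(ip route show table 52 2>/dev/null)"
    if subnet_in_routes "$routes" "$remote"; then
        echo "ok:   $remote present in routing table 52 (--accept-routes took effect)"
    else
        echo "FAIL: $remote missing from table 52; check --accept-routes and the admin console approval"
    fi
    # Forwarded packets also traverse the FORWARD chain; a default DROP policy
    # here produces the same symptom as a firewall in front of the box.
    echo "info: FORWARD policy: $(iptables -S FORWARD 2>/dev/null | head -n 1)"
}

# Usage on the OVH router:  sh subnet-router-check.sh --live 10.128.0.0/24
if [ "${1:-}" = "--live" ]; then
    diagnose "${2:-10.128.0.0/24}"
fi
```

The two pure functions are what make this worth keeping around: `check_forwarding` and `subnet_in_routes` can be pointed at any sysctl file or any captured route dump, so the same script documents what "working" looks like on a known-good router and can be diffed against the one that fails.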
Thanks for the reply (and sorry for my slow reply). The routing seems fine, I can use tailscale from any other network and it connects to azure no problem via the tailscale nodes there. I can also connect fine from the tailscale node in OVH without issue to Azure via the tailscale mesh. Just seems to be other hosts when using the tailscale as a subnet router that fail.