SierraSoftworks / tailscale-udm

Run Tailscale on your Unifi Dream Machine
MIT License

Unable to route towards/over tailscale from UDM LAN (UDM Pro v3.0.20) #61

Open FearNaBoinne opened 1 year ago

FearNaBoinne commented 1 year ago

UDM Pro, running OS v3.0.20 (Kernel 4.19.152 SMP). Installed Tailscale with the install script.

Configured with:

tailscale up --advertise-routes=10.10.0.0/23,10.10.2.0/24 --advertise-exit-node --advertise-tags=tag:udmpro --accept-routes

tailscale ip -4

100.105.87.25

Issue: Cannot ping local IP nor any other IPs.

'traceroute -n 100.105.87.25' goes to the WAN port and the next hop router, then dies. 'traceroute -n 10.10.9.5' (10.10.9.0/24 is an advertised LAN behind another tailscale router) goes to the WAN port and the next hop router, then dies.

Obviously the UDM Pro does NOT see the tailscale network, and thus has no idea how to route across the tailscale connection...

FearNaBoinne commented 1 year ago

Based on Discussion #51, I was able to get the daemon up and running in TUN mode, and now I can:

midzelis commented 1 year ago

@FearNaBoinne FWIW, I also had the same problem as you, but I figured it out. Leaving my comments here, as it took me a very long time to figure out, and hopefully it can help others.

First off, you absolutely need ip rule add priority 5225 fwmark 0x80000 lookup 201 but you knew that already. And remove --tun userspace-networking from the tailscaled options.

Then, do tailscale up --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE; this is the vital step. Also, using an exit node like this will temporarily knock your UDM off the internet, so it is VITAL that you don't forget --exit-node-allow-lan-access or you'll be in a world of pain trying to recover your UDM, probably via factory reset if you don't have a console cable.

tailscale puts its routes in table 52 (ip route show table 52). You'll need to remove the default route, and if you are doing any sort of split networking (https://github.com/peacey/split-vpn) then also remove the subnet from the throw route. (If using the split-vpn script, be sure to add a route to the exit node before running the updown.sh script.)

All put together

cat /etc/default/tailscaled
# Set the port to listen on for incoming VPN packets.
# Remote nodes will automatically be informed about the new port number,
# but you might want to configure this in order to set external firewall
# settings.
PORT="41641"

# Extra flags you might want to pass to tailscaled.
#FLAGS="--state /data/tailscale/tailscaled.state --tun userspace-networking"
FLAGS="--socket /var/run/tailscale/tailscaled.sock --state /data/tailscale/tailscaled.state"
ip rule add priority 5225 fwmark 0x80000 lookup 201
tailscale up  --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE
root@McDreamy:~# ip route show table 52
default dev tailscale0
throw 10.142.142.0/24
throw 10.200.200.0/24
throw my.private.ip.x/19
100.73.228.78 dev tailscale0
100.74.64.31 dev tailscale0
100.78.144.20 dev tailscale0
100.85.37.93 dev tailscale0
100.85.138.75 dev tailscale0
100.88.44.129 dev tailscale0
100.95.34.38 dev tailscale0
100.97.182.33 dev tailscale0
100.100.100.100 dev tailscale0
100.113.129.93 dev tailscale0
100.115.181.22 dev tailscale0
100.116.76.85 dev tailscale0
100.122.47.9 dev tailscale0
100.125.112.79 dev tailscale0
throw 127.0.0.0/8
throw 192.168.4.0/24
throw 192.168.99.0/24
ip route del default dev tailscale0 table 52
ip route del throw 192.168.3.0/24 table 52

and you're good to go.

Btw, apparently 'exit node' is not just a simple routing rule. It appears that the exit node is saved into a preference file, and uploaded to the control plane. I wasn't able to make this work by NOT running it in --exit-mode.

Note - instead of exit node, you could try to just advertise default routes --advertise-routes=0.0.0.0/0 but I haven't tried this.

Now, after all that work, I might not use tailscale after all because a tailscale node act as both an exit node and use an exit node. :-( Probably going to end up using straight wireguard.
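An added helper, not part of the tailscale-udm project or of anyone's comment in this thread, that turns the manual steps above into a reviewable dry-run plan: it prints the `ip` commands instead of running them, and refuses to plan a `tailscale up --exit-node=...` that lacks `--exit-node-allow-lan-access`, since that is the step that can cut the UDM off its uplink. Table 52, priority 5225, fwmark 0x80000 and table 201 are taken from the comment; the subnet list and the sample `ip` output are constructed placeholders.

```shell
#!/bin/sh
# Added example: plan the table-52 / fwmark fix-up without touching the device.
# Values below are assumed from the thread; adjust to your own setup.
TS_TABLE=52
RULE_PRIO=5225
RULE_MARK=0x80000
RULE_TABLE=201

# Reads `ip route show table 52` output on stdin and prints the `ip route del`
# commands needed: drop the default route, and drop the throw entry for each
# subnet in $1 (space-separated) that should be reachable via tailscale0.
plan_route_cleanup() {
    subnets="$1"
    while read -r line; do
        case "$line" in
            "default dev tailscale0"*)
                echo "ip route del default dev tailscale0 table $TS_TABLE" ;;
            throw\ *)
                set -- $line            # $2 is the prefix after "throw"
                for s in $subnets; do
                    [ "$2" = "$s" ] && echo "ip route del throw $s table $TS_TABLE"
                done ;;
        esac
    done
}

# Reads `ip rule` output on stdin; prints the add command only if the
# fwmark rule is missing, so re-running the plan never duplicates it.
plan_fwmark_rule() {
    grep -q "fwmark $RULE_MARK lookup $RULE_TABLE" && return 0
    echo "ip rule add priority $RULE_PRIO fwmark $RULE_MARK lookup $RULE_TABLE"
}

# Guard for the dangerous step: an exit node without LAN access allowed
# leaves the UDM with no way to reach its own LAN. Returns 1 to refuse.
check_up_args() {
    case "$*" in
        *--exit-node=*)
            case "$*" in
                *--exit-node-allow-lan-access*) return 0 ;;
                *) echo "refusing: --exit-node set without --exit-node-allow-lan-access" >&2
                   return 1 ;;
            esac ;;
    esac
    return 0
}
```

Pipe the real `ip route show table 52` and `ip rule` output into the two plan functions, read the printed commands, and only then run them by hand.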

FearNaBoinne commented 12 months ago

tailscale up --exit-node-allow-lan-access --exit-node=YOUR_EXIT_NODE

My UDM Pro is my exit-node, but when I used its name in the --exit-node parameter, it tells me invalid value "YOUR_EXIT_NODE" for --exit-node; must be IP or unique node name (Using its IP tells me no node found in netmap with IP 1.2.3.4)