
Tailscale is a Virtual Private Network (VPN) product for creating simple low-configuration VPNs between Linux, Mac, and Windows computers, as well as iOS devices.

Rather than a “hub and spoke” model, where all devices dial in to the same VPN server, it builds a peer-to-peer network of WireGuard connections between your machines, with Tailscale itself authenticating and arranging those connections.

I have been using its free tier for a few weeks, and below are some of my notes.


Bridging a LAN to the VPN

One nice feature of Tailscale is the ability to bridge existing networks with the VPN. This is very useful for devices in the home that cannot run Tailscale themselves, such as IoT devices.

Here I will show how I have bridged Tailscale with my LAN. This is an adaptation of the guide from Tailscale themselves.

First, some definitions:

This example will be using nftables, but can also be done with iptables.

In abstract

[Diagram: two overlapping clusters. "Tailscale VPN": phone, relay and server, each connected to the other two. "LAN": relay, bulb and router, with the router connected to the internet. The relay node sits in both clusters.]
  1. Set up Tailscale to advertise the LAN subnet from the relay node, so that the VPN routes traffic destined for the LAN to the relay.
  2. Enable packet forwarding inside the Linux kernel on the relay node. This allows the relay node itself to route traffic from the VPN into the LAN. Note that forwarding is a global switch: once it is on, the kernel will forward between any pair of interfaces unless a firewall rule says otherwise.
  3. Enable IP masquerading on the relay node. This is a form of Network Address Translation (NAT) that makes traffic from the VPN to the LAN appear to come from the relay node's LAN address. Without it, LAN devices would see packets from 100.x.y.z Tailscale addresses and have no route back to them.

Setting it up

  1. On the relay node, advertise the LAN subnet (in CIDR notation):

    $ sudo tailscale up --advertise-routes=<LAN subnet, e.g. 192.168.1.0/24>
  2. Go to the Tailscale admin console and authorize the subnet routes for the relay node. Nothing is routed until this is done.

  3. Back on the relay node, enable IP forwarding:

    $ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  4. Enable IP masquerading for the LAN-facing interface (replace enp2s0 with the name of your LAN interface, as shown by ip link):

    $ sudo nft add rule ip nat POSTROUTING oifname "enp2s0" counter masquerade

    This assumes the ip nat table and its POSTROUTING chain already exist, which is the case when iptables-nft is installed; on a system with only nftables, create them first (the persistent configuration further down defines its own table and chain).

    Alternatively, for iptables:

    $ sudo iptables -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
  5. Confirm it works by pinging a machine on your LAN from a machine that is not on it, for example from a phone with the Tailscale VPN enabled on mobile data.
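The steps above, combined into one script as an added example (mine, not from the original notes or from Tailscale's guide). It assumes the Tailscale interface is called tailscale0, uses enp2s0 and 192.168.1.0/24 as placeholder LAN interface and subnet, and writes its ruleset to an assumed path /etc/nftables.d/tailscale-relay.nft; all four can be overridden via the environment. It goes a little further than the manual steps: the masquerade rule only matches traffic arriving from tailscale0, and a forward chain is added so that turning on ip_forward does not make the relay route between arbitrary interfaces.

```shell
#!/bin/sh
# relay-setup.sh: turn this Linux host into a Tailscale subnet router ("relay").
# Added example; not from the original notes or Tailscale's guide.
# Assumed names (override via environment): tailscale0 is the Tailscale
# interface, enp2s0 the LAN-facing interface, 192.168.1.0/24 the LAN subnet,
# and /etc/nftables.d/tailscale-relay.nft the file the ruleset is written to.
set -eu

TS_IF=${TS_IF:-tailscale0}
LAN_IF=${LAN_IF:-enp2s0}
LAN_SUBNET=${LAN_SUBNET:-192.168.1.0/24}
NFT_FILE=${NFT_FILE:-/etc/nftables.d/tailscale-relay.nft}

# Reject anything that is not a.b.c.d/n so that a typo is never advertised.
valid_cidr() {
    local addr plen oldifs o
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

render_sysctl() {
    echo "net.ipv4.ip_forward = 1"
}

# Masquerade only VPN-originated traffic leaving towards the LAN, and add a
# forward chain so the relay does not route between arbitrary interfaces just
# because ip_forward is on. The drop policy applies to ALL forwarded traffic
# on this host (containers included); relax it if the relay routes more.
# The bare "table" + "delete table" lines make reloading the file idempotent.
render_nft_ruleset() {
    ts_if=$1; lan_if=$2; lan_subnet=$3
    cat <<EOF
table ip tailscale_relay
delete table ip tailscale_relay
table ip tailscale_relay {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$ts_if" oifname "$lan_if" ip daddr $lan_subnet accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        iifname "$ts_if" oifname "$lan_if" masquerade
    }
}
EOF
}

apply() {
    tmp=$(mktemp)
    valid_cidr "$LAN_SUBNET" || { echo "invalid LAN_SUBNET: $LAN_SUBNET" >&2; return 1; }
    # 1. Advertise the route (still needs approval in the admin console). If the
    #    node was brought up with other flags, tailscale asks you to repeat them.
    sudo tailscale up --advertise-routes="$LAN_SUBNET"
    # 2. Forwarding, now and on boot.
    render_sysctl | sudo tee /etc/sysctl.d/50-forwarding.conf >/dev/null
    sudo sysctl -p /etc/sysctl.d/50-forwarding.conf
    # 3. nftables: syntax-check with -c before touching the live ruleset.
    render_nft_ruleset "$TS_IF" "$LAN_IF" "$LAN_SUBNET" >"$tmp"
    sudo nft -c -f "$tmp"
    sudo install -D -m 0644 "$tmp" "$NFT_FILE"
    sudo nft -f "$NFT_FILE"
    rm -f "$tmp"
    # 4. Check: forwarding is on and the masquerade rule is loaded.
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || return 1
    sudo nft list table ip tailscale_relay | grep -q masquerade
}

case "${1:-}" in
    render) render_sysctl; render_nft_ruleset "$TS_IF" "$LAN_IF" "$LAN_SUBNET" ;;
    apply)  apply ;;
    *)      ;;   # no argument: only define the functions (handy for sourcing)
esac
```

Run `sh relay-setup.sh render` to see what would be written, then `sh relay-setup.sh apply` on the relay. For the ruleset to survive a reboot, include the written file from /etc/nftables.conf and make sure nftables.service is enabled; the sysctl drop-in is picked up by systemd-sysctl on its own.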

Making it persistent

To enable IP forwarding on boot, create a sysctl drop-in with the same setting as step 3:

$ cat /etc/sysctl.d/50-forwarding.conf
net.ipv4.ip_forward = 1

To enable NAT on boot with nftables, add the following to /etc/nftables.conf (again, enp2s0 is the LAN-facing interface) and make sure nftables.service is enabled so the file is loaded at boot:

table ip tailscale_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "enp2s0" masquerade
    }
}

Reboot the relay node and confirm that it all still works.