Classification need with Tailscale, remote access, and local access.

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨gazter@aussie.zone⁩ to ⁨selfhosted@lemmy.world⁩

I encountered something I don’t quite understand, and I was hoping someone could enlighten me. I set up Tailscale on my router with subnets, so I could remotely access my home network. This worked great. Then, at home, I was happily browsing the internet on my main PC, and decided to dial into another machine on my network. It couldn’t access it at all. Disconnecting Tailscale on my main PC restored lconnectivity. I don’t understand what is happening here- the only thing I can think of is that my internet traffic was being routed through Tailscale, but I don’t have an exit node. TL,DR: home PC sees Internet but not LAN when connected to Tailscale, why and how fix?

source

Comments

Sort:hotnew top

dieTasse@feddit.org ⁨9⁩ ⁨months⁩ ago
I think you might also make your tailscale on router an exit node. I remember when I was setting things up for me I had issue like yours, but on the phone. Everything was working when I used data, but when I connected to my local wifi it didn’t see the stuff on subnet ip’s. Setting it as exit node helped. Also make sure everything is approved in your tailscale admin.

source
irmadlad@lemmy.world ⁨9⁩ ⁨months⁩ ago
Just throwing this out there: Are you using a separate VPN for your PC? For instance, my PC has a commercial VPN and Tailscale. Talescale connects me to the remote server for ssh/sftp etc, while my VPN connects to everything else. I had to do some tinkering to get them to both work simultaneously. Without the tinkering, Tailscale would not connect to the server.

If you are just using Tailscale with no other VPN then disregard this, and take the advice form others here.

source
- gazter@aussie.zone ⁨9⁩ ⁨months⁩ ago
  I have a commercial VPN, but I am not connected. What tinkering did you have to do?
  
  source
  - irmadlad@lemmy.world ⁨9⁩ ⁨months⁩ ago
    My commercial VPN has a VPN kill switch and an Advanced Kill switch in case the regular kill switch wasn’t enough…lol. Unchecking both of those allowed Tailscale to connect to my remote server for ssh/sftp/administration, while the commercial VPN covers everything else. The only thing I guess you need to keep in mind is to engage the Kill Switch when downloading your Linux ISOs. Do a leak test beforehand.
    
    source
just_another_person@lemmy.world ⁨9⁩ ⁨months⁩ ago
Your default routes are being set incorrectly. If you’re using it as an exit node, then you need to make sure it’s only being used as such for other clients on the Tailnet. You also need to make sure you’re splitting your routes correctly so that the default route on your router isn’t set for something on the Tailnet.

Generally speaking, if you’re not familiar with networking and routing, you don’t need to change the subnet settings if using a Tailscale client on your router. You also shouldn’t be advertising routes from it for your own network, or else you could end up getting issues like you’re seeing because your routing tables will be broken while Tailscale is active.

One more thing: Tailscale on your router doesn’t make it a server, it’s still a Tailscale client. You still need to setup your routing in the Tailscale server to make sure it’s not duplicating routes like this.

source
- gazter@aussie.zone ⁨9⁩ ⁨months⁩ ago
  I kind of follow what you’re putting down.
  
  I am not using an exit node. How do I go about splitting my routes?
  
  What I want to achieve is ‘normal’ access for within the lan, as well as remote access over tailscale for things I cannot run tailscale on.
  
  source
  - just_another_person@lemmy.world ⁨9⁩ ⁨months⁩ ago
    Tailscale is a group of clients on a Tailnet which are all equal, unless you tell it otherwise. That means you need to set the client you installed on your router as a subnet router.
    
    Even then, if you’re not familiar with networking, you’ll probably have duplicate routes if you’re not paying attention. The other option is to just install Tailscale on each server you want access to.
    
    source
    -> View More Comments
rtxn@lemmy.world ⁨9⁩ ⁨months⁩ ago
How did you set up subnet advertisements on the router, and which subnets? Did you touch the ACL in the tailnet’s admin console?

On the home PC, did you accept advertised routes with the Tailscale client?

What happens when you ping a host on the LAN using tailscale ping ADDR? What happens when you try to tracert or tracepath to it?

source
- gazter@aussie.zone ⁨9⁩ ⁨months⁩ ago
  I set up subnet advertisements by doing tailscale set --advertise-routes=192.168.1.0/24. I did not touch ACL.
  
  The home PC is Windows, the context menu for the tray app give the option to ‘use tailscale subnets’ which is enabled- I assume this is the equivalent of accepting advertised routes.
  
  From the home PC, tailscale ping 192.168.1.2 returns a pong, from the tailscale IP. tracert fails.
  
  source
  - rtxn@lemmy.world ⁨9⁩ ⁨months⁩ ago
    That’s unfortunate, I have no idea how Tailscale does routing on Windows. Try running the client without accepting any subnet advertisements.
    
    I’ve also found this: tailscale.com/kb/1023/troubleshooting#lan-traffic… The solution might be to advertise a larger subnet (e.g. 192.168.1.0/23) to make the route advertisements on the tailnet less specific than on the LAN. Advertising a larger subnet won’t cause any additional issues because it’s in a private IP range.
    
    source