I've got a NAS/Server at home. I've all but severed all external access to my network now with the adoption of Tailscale. One thing remained elusive with regards to security. My router. I used the tailscale subnet router to expose my home network subnet range within my Tailscale VPN, and now I can access my router!
I use subnet routers to remotely manage a couple synchronized holiday light displays. Works great to be able to access all the lighting controllers that you can’t install Tailscale on!
I really love this tool! Now I’m able to connect to my server from anywhere using the local ip address! It’s awesome because I don’t have to use a different one and I can program it to auto mount the volumes using the same ip.
This is excellent. I am a student of networking who just started. This is a bit confusing still. But I gather that is possible to use tailscale in the router to send a WOL command to wake up my pc as if the request came from inside the LAN. Which is precisely what I want to do
Hi Thank you for the clear explanation of subnet routers. I have been battling for a long time to share files or folders over the internet and using your example i managed to get it working. Thanks once again for your video
Thanks Alex, as always great videos. I’m using TS to bring in a VPS public IP to my self hosted mail server. The mail server is a Synology box that can reside on any connection anywhere as a result - it just needs to be able to get its Tailscale instance connected. The Synology is also setup to use the VPS as an exit node so it appears with the correct IP for sending emails. The VPS is running Debian and simply port forwards the required ports to the Synology. Slick, reliable and fast.
I have multiple devices configured as a subnet router for the same subnet. Can I prioritize which devices are attempted first? I have a nas with a wired connection which I want to be the primary router, but I also have a backup router configured on a device with more limited bandwidth because its WiFi.
A very detailed tutorial. However, I like to know if the devices behind subnet routers (like TVs, printers, cameras...) can access the node outside of the local network via subnet router?
Not sure how this is different than designating my server running Tailscale as an Exit Node. Can you explain the scenarios that would recommend running as an Exit Node vs running as a plain subrouter?
Before all, thank you all Tailscale team for this awesome tool, it's magic. I am trying to connect to my printer through a subnet from my Android phone outside my home network, but my phone can't "see" the printer. Is it a Android app issue, or am I doing something wrong? Thank you.
Yeah, I have the same question. There is no "translation" possible, right? For example, if you have location A with 192.168.0.0/24 and location B with 192.168.0.0/24 as well, but you want to include location b into your tailnet, it would be nice if the whole network gets mapped to a free ip range on your tailnet (for example 100.64.20.0/24) so that local devices in location A are still accessible. Is this possible?
is there a way to not allow all the subnet to be accessible for remote users but allow specific ip and port, for example i want to allow users from accounting to access only account server.
claro que terá impacto no desempenho. Você está trabalhando com dados que trafegam pela internet, mesmo simulando uma lan ou sub-rede. Então, haverá sim, perdas de pacotes e atrasos de envio e recebimento. Quanto maior a velocidade up/down e melhor os dispositivos, menor será a perda de desempenho.
Would be really great to get an advanced video about using subnet routers to talk the opposite way too, i got it working at some point by configuring the subnet router as gateway for the ts ip range in my network. also how does tailscale auth play into this topic? can i use the external ip range now in rules? another question how to solve conflicting ip ranges from multiple subnet routers.
Coloque em cada roteador uma faixa de ip de distribuição diferente. Por exemplo, no rorteador 1: 192.168.1/24, roteador 2: 192.168.2/24. Assim, voce nem precisa libear o compartilhamento de rede local e não haverá conflito de ip.
Hi Alex, thank you for all the details setup for tailscale. Can you please do a video on how to Auto start tailscale when out of range of home wifi and auto turn off tailscale when back in the house wifi? Or is it even possible? I'm using android phone. Thanks in advance!
something that would be cool would be to put a docker container with tailscale with subnetroute but i guess that would only work if the docker container had macvlan that rests on the subnet itself.
Very useful video, I have one question though, I have succesfully enabled 2 subnet routes (debian server both), one local and one remote. The problem is that when both are enabled I cannot reach my local containers with local IPs like 192.168.0.xx. As soon as I disable the local subnet I can reach my containers and my remote network but obviously not the other way around. Any ideas? thanks
You might need to add a route like this. Though you mention containers so I’m not 100% sure what your layout is. ip rule add to 10.42.0.0/20 priority 2500 lookup main
@@Tailscale Thank you for your reply, in my local network I have this server running tailscale and also running docker containers, if I enable subnet routes on the remote site I can reach remote network just fine but if I enable subnets on my local server also then I cannot reach my local ips not my local containers with local ips 192.168.0.xx but I still can reach the remote network with their local ip 192.168.178.xx. I think both subnets are conflickting to each other somehow. Thank you
Hi Alex, I’m trying to configure IP forwarding on a MikroTik router running in a Docker container. My goal is to redirect traffic from outside to an embedded web server behind a subnet router. I've come across references like Tailscale's subnet guide, but it primarily focuses on Linux setups rather than Docker-based MikroTik environments. Could someone provide a clear example or a step-by-step guide to achieve this? Specific details about NAT rules, firewall settings, and any Docker-specific configurations would be very helpful. Thanks in advance for your help!
I'm using sublet router so i can use local ip address because then i don't have to change the ip address on the app and website when accessed when in local network and not using tailscale. But using tailscale subnet router, https is not available, for example on synology. Maybe you can explain how to enable https in subnet router or can we use synology certificate?
Followed this tutorial but I was not able to find my printer on the network, I was trying to use my devices that were on the network away from my network.
Can I then logically setup a subnet router inside my local network and route all devices inside my network through another node as an exit node for example a node in another country as makeshift IP masker for my entire local network? - Is that possible? I do not have the option to use my actual router.
I am trying to add printers to my tailnet via subnet routers. I had no problem setting up subnet routers and it works fine, but I would like to be able to send documents to my printer when I’m not home. I understand this is an issue with AirPrint due to multicast and I’m currently working on a fix with ZeroTier, but would like to know if anyone was able to find a cleaner solution.
Why tailscale website is not working ? When ever I am trying to visit and download tailscale setup file it is showing "this site can't be reached" ?? Why ?
Thanks Alex. Such a great explanations you're doing. I've got a couple of questions though: 1. Given two environments: A machine XXX running Tailsacle in site S01 on a local network 192.168.1.0/24, and a remote machine YYY acting as a subnet-router running in another site S02 in which the network is also 192.168.1.0/24. The question: Would this work? I guess this would cause a conflict. Knowing that you don't have access to the router configuration on both sites to change the network configuration, how do you suggest setting the subnet-router to access devices in S02 that you can't install Tailscale on? 2. (much simpler question 😅): Is there a Discord server for the Tailscale commnity to chat/exchange on? Thanks in advance.
I put in all the IP Forwarding prompts and I still get the message in the Tailscale settings: "Unable to relay traffic This machine has IP forwarding disabled and cannot relay traffic. Please enable IP forwarding on this machine to use relay features like subnets or exit nodes."
If you've done the sysctl commands, did you reboot? If you've tried the basics I'd encourage you to open a support ticket with us at support@tailscale.com and we'll get you straightened out. - Alex
First thing is thank you for taking the time to make these videos. I'm not trying to be negative here i'm just offering some constructive criticism. You make these videos and explain alot of things but then skip over the other stuff like we're super computer programmers or something. Those kinda people dont need these videos, the people watching your videos are just normal people trying to make something work more than likely, for me its a plex server. For the others who knows but im pretty sure im right. Im technology inclined but i still struggle with the more advanced stuff that you like to not talk about lol. So Ive setup my subnet routers by following along but how are people supposed to connect to my plex server now? What IP address do i use the tailscale one or the one provided by my router 192.168? It would be helpful if you could explain the rest of it like how to connect a printer and how to connect a tv or how to connect whatever really. Youve got to tailor your content more toward your audience (dumb it down a little and slow it down a little more lol). Other than that great videos lol. I hope you dont take this the wrong way lol
Explaining how to set it up and use it doesn't help us understand how it's working. I opened this video hoping to understand exactly what it's actually doing, but what I got was a sales pitch. "Look how easy it is!" Oh, fine... But, "easy" usually isn't secure, and so why should I trust this? How do I know my network remains secure, even from the people at Tailscale? Forget "policy". How do I know that it's protected by enough "technological" barriers to prevent someone with top level access to Tailscale's control servers to grant themself permision to add themselves to my network? Explain THAT to me, and then I'd be sold. And, don't bother telling me that nothing is ever perfectly secure, or that a malicious patch could be pushed. No, thank you, Captain Obvious! You really think I don't already know that?
@@Diastolicflame That usually just means that YOU are the product, because nothing is ever really free. I wouldn't care if they paid me to use it, if it's going to provide somebody with a backdoor into my network.
@@Tailscale Uhh... This does not fully explain how Tailscale prevents an unauthorized party from gaining access to the coordination server and adding themself to the network. You describe how you outsource the authentication to third-parties. However, what's to prevent that third-party from, suffering a breach, or themselves resetting my password, and using the new credentials to access Tailscale? Actually, there are probably ways they could simply generate a valid access credential, even without resetting the password in a way completely tranparent to the user. Also, how is the user's database kept secure? Is it encrypted end-to-end with an independant key, with that credential never being shared with either Tailcale, or tied to the third-party authentication? For example, by using an independant key held exclusively client-side? Proton Mail offers an option to use a two-password scheme, with one never leaving the client. I'd like to have assurance that no outside party can either, suffer a breach, or be compelled to provide access to the account, as happened in the Lavabit case. Considering the level of potential exposure, I'd need some assurance that even with unfettered access to the account, an outside party would be unable to aquire anything other than what minimal PII and logs are necessary to provide the service, and the end-to-end encrypted blobs, of course. I'm already aware that we're able to self-host our own instance. However, I'm not asking about that.
I love how clear and concise you are with all the complicated network variables. Thank you for publishing these wonderful videos!
Tailscale = black magic. Thanks, Alex.
Dear Alex - i bloody started programming just watching your videos :D
I've got a NAS/Server at home. I've all but severed all external access to my network now with the adoption of Tailscale. One thing remained elusive with regards to security. My router. I used the tailscale subnet router to expose my home network subnet range within my Tailscale VPN, and now I can access my router!
Really like this Tailscale Explained series. Any plans to create deeper-dive videos around Tailscale Access Control?
I use subnet routers to remotely manage a couple synchronized holiday light displays. Works great to be able to access all the lighting controllers that you can’t install Tailscale on!
I really love this tool! Now I’m able to connect to my server from anywhere using the local ip address! It’s awesome because I don’t have to use a different one and I can program it to auto mount the volumes using the same ip.
i feel, it's just a Magic when i use Tailscale all time man :) thank you for this video
This is excellent. I am a student of networking who just started. This is a bit confusing still.
But I gather that is possible to use tailscale in the router to send a WOL command to wake up my pc as if the request came from inside the LAN. Which is precisely what I want to do
Hi
Thank you for the clear explanation of subnet routers. I have been battling for a long time to share files or folders over the internet and using your example i managed to get it working.
Thanks once again for your video
Thanks Alex, as always great videos. I’m using TS to bring in a VPS public IP to my self hosted mail server. The mail server is a Synology box that can reside on any connection anywhere as a result - it just needs to be able to get its Tailscale instance connected. The Synology is also setup to use the VPS as an exit node so it appears with the correct IP for sending emails. The VPS is running Debian and simply port forwards the required ports to the Synology. Slick, reliable and fast.
Can you please make a video on how to set up tailscale on a openwrt router? Thanks!
I have multiple devices configured as a subnet router for the same subnet. Can I prioritize which devices are attempted first? I have a nas with a wired connection which I want to be the primary router, but I also have a backup router configured on a device with more limited bandwidth because its WiFi.
A very detailed tutorial. However, I like to know if the devices behind subnet routers (like TVs, printers, cameras...) can access the node outside of the local network via subnet router?
That was an incredibly well explained and overall well done video. Thanks!
It's work like a magic. Thank you Alex.
So beautiful, I cant contain my joy
Not sure how this is different than designating my server running Tailscale as an Exit Node. Can you explain the scenarios that would recommend running as an Exit Node vs running as a plain subrouter?
Can Tailscale be installed directly in my home wifi router? Maybe as a service? or with OpenWRT? I would love to see a video about that!
Can't believe. So magical tool. Thanks!!
Do you have mikrotik and/or ubiquiti on the waiting list?
wouldn't it be nice to add tailscale to esp32 devices
Before all, thank you all Tailscale team for this awesome tool, it's magic. I am trying to connect to my printer through a subnet from my Android phone outside my home network, but my phone can't "see" the printer. Is it a Android app issue, or am I doing something wrong? Thank you.
What if the network ranges are the same on both sides? I guess this can't be done, right?
Yeah, I have the same question. There is no "translation" possible, right? For example, if you have location A with 192.168.0.0/24 and location B with 192.168.0.0/24 as well, but you want to include location b into your tailnet, it would be nice if the whole network gets mapped to a free ip range on your tailnet (for example 100.64.20.0/24) so that local devices in location A are still accessible. Is this possible?
Awesome video 📹 as always
is there a way to not allow all the subnet to be accessible for remote users but allow specific ip and port, for example i want to allow users from accounting to access only account server.
Will there be any performance impact using the subnet router method versus a native installation on the devices I am routing this traffic to?
claro que terá impacto no desempenho. Você está trabalhando com dados que trafegam pela internet, mesmo simulando uma lan ou sub-rede. Então, haverá sim, perdas de pacotes e atrasos de envio e recebimento. Quanto maior a velocidade up/down e melhor os dispositivos, menor será a perda de desempenho.
Would be really great to get an advanced video about using subnet routers to talk the opposite way too, i got it working at some point by configuring the subnet router as gateway for the ts ip range in my network.
also how does tailscale auth play into this topic? can i use the external ip range now in rules?
another question how to solve conflicting ip ranges from multiple subnet routers.
Coloque em cada roteador uma faixa de ip de distribuição diferente. Por exemplo, no rorteador 1: 192.168.1/24, roteador 2: 192.168.2/24. Assim, voce nem precisa libear o compartilhamento de rede local e não haverá conflito de ip.
Hi Alex, thank you for all the details setup for tailscale. Can you please do a video on how to Auto start tailscale when out of range of home wifi and auto turn off tailscale when back in the house wifi? Or is it even possible? I'm using android phone. Thanks in advance!
Thanks again Alex
Such a crispy video.
How I can use my Iphone or Ipad as exit node. is there a video for this ?
I love y'all so much!
something that would be cool would be to put a docker container with tailscale with subnetroute but i guess that would only work if the docker container had macvlan that rests on the subnet itself.
my bother and i have our own tailscale accounts is this how we link the 2
Very useful video, I have one question though, I have succesfully enabled 2 subnet routes (debian server both), one local and one remote. The problem is that when both are enabled I cannot reach my local containers with local IPs like 192.168.0.xx. As soon as I disable the local subnet I can reach my containers and my remote network but obviously not the other way around. Any ideas? thanks
You might need to add a route like this. Though you mention containers so I’m not 100% sure what your layout is.
ip rule add to 10.42.0.0/20 priority 2500 lookup main
@@Tailscale Thank you for your reply, in my local network I have this server running tailscale and also running docker containers, if I enable subnet routes on the remote site I can reach remote network just fine but if I enable subnets on my local server also then I cannot reach my local ips not my local containers with local ips 192.168.0.xx but I still can reach the remote network with their local ip 192.168.178.xx. I think both subnets are conflickting to each other somehow. Thank you
Hi! Which is the cheapest device that is capable of acting as a subnet router?
Can you do Derp server next please? My host and clients are behind cgnat. I would like to know how we could solve this issue
Thank you Alex 🎉
Hi Alex,
I’m trying to configure IP forwarding on a MikroTik router running in a Docker container. My goal is to redirect traffic from outside to an embedded web server behind a subnet router. I've come across references like Tailscale's subnet guide, but it primarily focuses on Linux setups rather than Docker-based MikroTik environments.
Could someone provide a clear example or a step-by-step guide to achieve this? Specific details about NAT rules, firewall settings, and any Docker-specific configurations would be very helpful.
Thanks in advance for your help!
I'm using sublet router so i can use local ip address because then i don't have to change the ip address on the app and website when accessed when in local network and not using tailscale. But using tailscale subnet router, https is not available, for example on synology. Maybe you can explain how to enable https in subnet router or can we use synology certificate?
Followed this tutorial but I was not able to find my printer on the network, I was trying to use my devices that were on the network away from my network.
Thanks Alex.
Or Android?
and how about exit nodes?
Can a invited user also have access to my subnet router?
Can I then logically setup a subnet router inside my local network and route all devices inside my network through another node as an exit node for example a node in another country as makeshift IP masker for my entire local network? - Is that possible? I do not have the option to use my actual router.
I am trying to add printers to my tailnet via subnet routers. I had no problem setting up subnet routers and it works fine, but I would like to be able to send documents to my printer when I’m not home. I understand this is an issue with AirPrint due to multicast and I’m currently working on a fix with ZeroTier, but would like to know if anyone was able to find a cleaner solution.
Why tailscale website is not working ? When ever I am trying to visit and download tailscale setup file it is showing "this site can't be reached" ?? Why ?
We want start on boot for the android client
Sudo:
It's Soo-dough, in your super user dojo, but if you want to do something as a su, then you can su-doo.
How to run subnet router on android phone?
no MacOS instructions?
Thanks Alex. Such a great explanations you're doing. I've got a couple of questions though:
1. Given two environments: A machine XXX running Tailsacle in site S01 on a local network 192.168.1.0/24, and a remote machine YYY acting as a subnet-router running in another site S02 in which the network is also 192.168.1.0/24.
The question: Would this work? I guess this would cause a conflict.
Knowing that you don't have access to the router configuration on both sites to change the network configuration, how do you suggest setting the subnet-router to access devices in S02 that you can't install Tailscale on?
2. (much simpler question 😅): Is there a Discord server for the Tailscale commnity to chat/exchange on?
Thanks in advance.
You're looking for our 4via6 subnet routing to solve for overlapping subnet ranges. - Alex
tailscale.com/kb/1201/4via6-subnets
I put in all the IP Forwarding prompts and I still get the message in the Tailscale settings: "Unable to relay traffic
This machine has IP forwarding disabled and cannot relay traffic. Please enable IP forwarding on this machine to use relay features like subnets or exit nodes."
If you've done the sysctl commands, did you reboot? If you've tried the basics I'd encourage you to open a support ticket with us at support@tailscale.com and we'll get you straightened out.
- Alex
all good, but I cannot access my router which will send the packets to an exit node!!
My first thought was "this guy sounds exactly like Alex from Self-hosted"
He’s a great guy
First thing is thank you for taking the time to make these videos. I'm not trying to be negative here i'm just offering some constructive criticism. You make these videos and explain alot of things but then skip over the other stuff like we're super computer programmers or something. Those kinda people dont need these videos, the people watching your videos are just normal people trying to make something work more than likely, for me its a plex server. For the others who knows but im pretty sure im right. Im technology inclined but i still struggle with the more advanced stuff that you like to not talk about lol. So Ive setup my subnet routers by following along but how are people supposed to connect to my plex server now? What IP address do i use the tailscale one or the one provided by my router 192.168? It would be helpful if you could explain the rest of it like how to connect a printer and how to connect a tv or how to connect whatever really. Youve got to tailor your content more toward your audience (dumb it down a little and slow it down a little more lol). Other than that great videos lol. I hope you dont take this the wrong way lol
Wow!
You mean this IP code behaves like all other proper IP code!?
Hi Alex,can you make a video in German?
Nein. Mein Deutsch ist schlecht.
For now you’ll just have to enjoy an Americanized Alex!
What about IOS
Explaining how to set it up and use it doesn't help us understand how it's working. I opened this video hoping to understand exactly what it's actually doing, but what I got was a sales pitch. "Look how easy it is!" Oh, fine... But, "easy" usually isn't secure, and so why should I trust this? How do I know my network remains secure, even from the people at Tailscale? Forget "policy". How do I know that it's protected by enough "technological" barriers to prevent someone with top level access to Tailscale's control servers to grant themself permision to add themselves to my network? Explain THAT to me, and then I'd be sold. And, don't bother telling me that nothing is ever perfectly secure, or that a malicious patch could be pushed. No, thank you, Captain Obvious! You really think I don't already know that?
Its free though
@@Diastolicflame That usually just means that YOU are the product, because nothing is ever really free. I wouldn't care if they paid me to use it, if it's going to provide somebody with a backdoor into my network.
Hi Chad,
We have a comprehensive explanation over on our blog. Hope this helps! tailscale.com/blog/how-tailscale-works
- Alex
@@Tailscale Uhh... This does not fully explain how Tailscale prevents an unauthorized party from gaining access to the coordination server and adding themself to the network. You describe how you outsource the authentication to third-parties. However, what's to prevent that third-party from, suffering a breach, or themselves resetting my password, and using the new credentials to access Tailscale? Actually, there are probably ways they could simply generate a valid access credential, even without resetting the password in a way completely tranparent to the user.
Also, how is the user's database kept secure? Is it encrypted end-to-end with an independant key, with that credential never being shared with either Tailcale, or tied to the third-party authentication? For example, by using an independant key held exclusively client-side? Proton Mail offers an option to use a two-password scheme, with one never leaving the client.
I'd like to have assurance that no outside party can either, suffer a breach, or be compelled to provide access to the account, as happened in the Lavabit case. Considering the level of potential exposure, I'd need some assurance that even with unfettered access to the account, an outside party would be unable to aquire anything other than what minimal PII and logs are necessary to provide the service, and the end-to-end encrypted blobs, of course.
I'm already aware that we're able to self-host our own instance. However, I'm not asking about that.
Get used to that. If they don't like a technical question you ask them, they just blacklist you