Score:0

How to NAT-route network to Tailscale?

cn flag

EDIT: I already spent 3 days going through different possible ways of handling this and settled on iptables. This is like the biggest-kept secret to me. No matter how much I read, I feel like I'm missing some critical information for doing something as simple as pre- and post-routing redirection.


I want to send 100% of the network traffic for PC-A in one location to PC-B in another location using PC-R as a Tailscale router. I will most likely need an iptables configuration.

The setup:

  1. PC-A cannot run Tailscale.
  2. PC-R, the router, will be a Raspberry Pi running Raspbian with a single Ethernet NIC.
  3. The Raspberry Pi is connected to a Tailscale network which creates a tailscale0 virtual interface.
  4. All incoming traffic is sent from the Raspberry Pi to a Tailscale exit node (similar to how other VPNs can securely send all your network traffic).

The gateway on PC-A will be set to PC-R's eth0 (LAN) since tailscale0 is virtual (and therefore not able to be accessed by PC-A).

Because PC-A is sending data to PC-R's eth0, I need to route all of PC-R's incoming traffic to tailscale0 and vice versa.

Knowing this, how do I set up iptables or similar to route incoming traffic on eth0 to tailscale0?

cn flag
You literally ask us to do your job of reading the configuration. Bad news: Requests for product, service, or learning material recommendations are off-topic because they attract low quality, opinionated and spam answers, and the answers become obsolete quickly. Instead, describe the business problem you are working on, the research you have done, and the steps taken so far to solve it.
cn flag
I've spent 3 days on this problem going from TrueNAS running Tailscale to OpenWRT to pfSense, and today, Raspbian w/ iptables. Telling the whole history of how I got to needing iptables won't get answered. That's why I simplified and said "PC-A, PC-B, I have a router in-between, how do I route packets?". Much simpler. I'm expecting someone to say `iptables -t nat PRE something` and `iptables -t nat POST something`. That's all I need to figure out. None of this has to do with Tailscale specifically. If I said OpenVPN, it would be the same issue. I need to NAT route a virtual interface.
cn flag
And the answer would be the same. You babbling around for 3 days because it takes you longer to learn the basics properly is not our problem. You can take 3 years to do what others do in a week (reading documentation and understanding IP routing) - that does not make the question valid.
Score:1
cn flag

After searching more, I found nearly the exact same question answered here without any sus: https://serverfault.com/a/431607/189877.

After testing through everything, this is my solution:

sudo iptables -t nat -A POSTROUTING -o tailscale0 -j MASQUERADE

Not sure exactly what this does. To remove it, do this command:

sudo iptables -t nat -D POSTROUTING -o tailscale0 -j MASQUERADE

Note the -D.

-A appends and -D deletes. It's the same command otherwise.

The rule is only temporary and will be gone after a restart. You may need iptables-persistent to keep it around. Not actually sure how to properly keep iptables rules after a restart though.
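The single MASQUERADE rule above works on a stock Raspbian box because the default FORWARD policy is ACCEPT and IP forwarding is often already on; on a hardened box it silently does nothing. The script below is an added example (not the answer's own code) that spells out the whole forwarding path the rule belongs to: enable ip_forward, permit LAN-to-tailscale0 forwarding and the return traffic, and masquerade only the LAN prefix on the way out of tailscale0. The interface names eth0 and tailscale0 come from the question; the LAN prefix 192.168.1.0/24 is an assumption you should replace. The rules are generated by a function so they can be printed, applied, or deleted with the same text, which is what makes `-A` and `-D` interchangeable as the answer notes.

```shell
#!/bin/sh
# Added example: full iptables rule set for routing a LAN through tailscale0.
# Not from the original answer. Run as root for "up"/"down"; "show" just prints.
# Assumptions: eth0 is the LAN side, tailscale0 the VPN side (per the question),
# and the LAN prefix is 192.168.1.0/24 (assumed; override via LAN_NET=...).
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tailscale0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the rules as iptables commands. $1 is the chain action: -A to add,
# -D to delete. Because the rule text is identical, -D removes exactly what
# -A installed, regardless of what else is in the tables.
nat_rules() {
    action="$1"
    # New connections from the LAN are allowed out through the tunnel...
    printf 'iptables %s FORWARD -i %s -o %s -s %s -j ACCEPT\n' \
        "$action" "$LAN_IF" "$VPN_IF" "$LAN_NET"
    # ...and only replies to those connections are allowed back in.
    printf 'iptables %s FORWARD -i %s -o %s -d %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' \
        "$action" "$VPN_IF" "$LAN_IF" "$LAN_NET"
    # Rewrite the LAN source address to the Pi's tailscale0 address so the
    # exit node can answer; restricted to the LAN prefix, unlike the bare rule.
    printf 'iptables -t nat %s POSTROUTING -s %s -o %s -j MASQUERADE\n' \
        "$action" "$LAN_NET" "$VPN_IF"
}

# Without forwarding enabled the kernel drops transit packets before
# the FORWARD chain is ever consulted.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    nat_rules -A | sh -e
}

remove_rules() {
    nat_rules -D | sh -e
}

case "${1:-}" in
    up)   apply_rules ;;
    down) remove_rules ;;
    show) nat_rules -A ;;
esac
```

To keep the rules across a reboot, the iptables-persistent package provides `netfilter-persistent save`, which writes the live tables to /etc/iptables/rules.v4 and reloads them at boot; put `net.ipv4.ip_forward=1` in a file under /etc/sysctl.d/ for the same reason. Two caveats a practitioner should check before blaming iptables: `tailscale status` must show the exit node selected, and tailscale0 must actually carry a default route (`ip route show table 52`), otherwise masqueraded packets leave via eth0's default gateway instead of the tunnel.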

