---
title: Tailscale
date: 2020-04-08
diagram source: |
  graph {
    rankdir="LR";
    subgraph cluster_0 {
      label = "Tailscale VPN";
      phone [ label="phone" ];
      relay [ label="relay" ];
      server [ label="server" ];
      phone -- relay [ style="dashed" ];
      phone -- server [ style="dashed" ];
      relay -- server [ style="dashed" ];
    }
    subgraph cluster_1 {
      label = "LAN";
      bulb [ label="bulb" ];
      internet [ label="internet" ];
      router [ label="router" ];
      relay -- bulb [ style="dashed" ];
      relay -- router [ style="dashed" ];
      router -- internet;
    }
  }
---
{% extends 'templates/base.html' %}
{% block body %}

{{ title }}

{% markdown %}

[Tailscale](https://tailscale.com) is a Virtual Private Network (VPN) product for creating simple, low-configuration VPNs between Linux, Mac, and Windows computers, as well as iOS devices. Rather than a "hub and spoke" model, where all devices dial in to the same VPN server, it builds a peer-to-peer network of [WireGuard](https://www.wireguard.com/) connections between your machines, with Tailscale itself authenticating and arranging those connections. I have been using its free tier for a few weeks, and below are some of my notes.
contents…
[TOC]
## Bridging a LAN to the VPN

One nice feature of Tailscale is the ability to bridge existing networks with the VPN. This is very useful for devices in the home that cannot run Tailscale themselves, such as IoT devices. Here I will show how I have bridged Tailscale with my LAN. This is an adaptation of the [guide from Tailscale themselves](https://tailscale.com/kb/1019/install-subnets).

First, some definitions:

- The **relay node** is the computer on my LAN doing the bridging.
- The LAN-facing network interface on my relay node is **`enp2s0`**, but yours may differ.
- The subnet for my LAN is **`192.168.16.0/24`**, but yours may differ.

This example will be using [nftables](https://en.wikipedia.org/wiki/Nftables), but can also be done with [iptables](https://en.wikipedia.org/wiki/Iptables).

### In abstract

(Diagram: a Tailscale VPN containing the phone, relay and server, with the relay also attached to a LAN containing the bulb, router and internet.)

1. Set up Tailscale to route traffic from the VPN into the LAN.
2. Enable packet forwarding inside the Linux kernel on the relay node. This allows the relay node itself to route traffic from the VPN into the LAN.
3. Enable _IP masquerading_ on the relay node. This is a form of Network Address Translation (NAT) that makes traffic from the VPN to the LAN appear to come from the relay node.

### Setting it up
1. On the relay node, run:

        $ sudo tailscale up -advertise-routes=192.168.16.0/24

2. Go to the Tailscale admin console and authorize subnet routes for the relay node.

3. Back on the relay node, enable IP forwarding:

        $ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

4. Enable IP masquerading for the _LAN-facing_ interface:

        $ sudo nft add rule ip nat POSTROUTING oifname "enp2s0" counter masquerade

    Alternatively, for iptables:

        $ sudo iptables -t nat -A POSTROUTING -j MASQUERADE -o enp2s0

5. Confirm it works by pinging a machine on your LAN from a machine that's not, for example by pinging 192.168.16.1 from a phone with the Tailscale VPN on mobile data.

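As an added example (my own helper, not code from the post or from Tailscale), a small Python module for the relay-node steps above and the boot-time config below: it validates the subnet given to `-advertise-routes` before the whole LAN is exposed to the tailnet, renders the `/etc/nftables.conf` table narrowed so that only traffic sourced from Tailscale's node range is masqueraded, and checks `nft list ruleset` output so that re-running step 4 does not stack duplicate rules. The 100.64.0.0/10 node range is a Tailscale fact the post does not mention, and the sample ruleset is constructed.

```python
import ipaddress
import re

# Tailscale assigns node addresses from 100.64.0.0/10 (a Tailscale fact, not from the post);
# a LAN subnet that overlaps it cannot be routed sensibly over the tailnet.
TAILSCALE_NODES = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `nft list ruleset` output on a relay already set up as in step 4.
SAMPLE_RULESET = (
    'table ip nat {\n\tchain POSTROUTING {\n\t\ttype nat hook postrouting priority srcnat; policy accept;\n'
    '\t\toifname "enp2s0" counter packets 0 bytes 0 masquerade\n\t}\n}\n'
)

def validate_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Accept only a private IPv4 subnet in CIDR form that does not overlap the node range."""
    net = ipaddress.ip_network(cidr)  # strict by default: rejects host bits like 192.168.16.5/24
    if net.version != 4 or not net.is_private:
        raise ValueError(f"{cidr} is not a private IPv4 subnet")
    if net.overlaps(TAILSCALE_NODES):
        raise ValueError(f"{cidr} overlaps Tailscale's {TAILSCALE_NODES}")
    return net

def is_valid_subnet(cidr: str) -> bool:
    try:
        return validate_subnet(cidr) is not None
    except ValueError:
        return False

def render_nftables(lan_iface: str) -> str:
    """Boot-time config for /etc/nftables.conf, masquerading only VPN-sourced traffic."""
    if not re.fullmatch(r"[A-Za-z0-9_.:-]{1,15}", lan_iface):  # Linux limits names to 15 chars
        raise ValueError(f"bad interface name: {lan_iface!r}")
    return (
        "table ip tailscale_nat {\n"
        "    chain postrouting {\n"
        "        type nat hook postrouting priority 100; policy accept;\n"
        f'        ip saddr {TAILSCALE_NODES} oifname "{lan_iface}" masquerade\n'
        "    }\n}\n"
    )

def has_masquerade_rule(ruleset: str, lan_iface: str) -> bool:
    """True if `nft list ruleset` output already masquerades traffic leaving lan_iface."""
    pattern = rf'oifname "{re.escape(lan_iface)}" (?:.*\s)?masquerade\b'
    return re.search(pattern, ruleset) is not None
```

Run `has_masquerade_rule` against the live `sudo nft list ruleset` output before adding the rule in step 4, and write `render_nftables("enp2s0")` to the file for the persistent setup.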
### Making it persistent

To enable IP forwarding on boot:

```sh
$ cat /etc/sysctl.d/50-forwarding.conf
net.ipv4.ip_forward=1
```

To enable NAT on boot with nftables, add the following to `/etc/nftables.conf`:

```
table ip tailscale_nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "enp2s0" masquerade
    }
}
```

Reboot the relay node and confirm that it all still works.

{% endmarkdown %}
{% endblock %}