Setting up Tailscale on OpenWrt for Internal Network Penetration
{% notel default fa-info 💡 %}
😀 Recently, I configured a bypass gateway using the Octopus Planet S912, and the experience was decent. Later, I thought about setting up internal network penetration to interact with devices on the internal network when away from home. A friend previously recommended Tailscale as a convenient tool, which inspired this blog post.
{% endnotel %}
Installing Tailscale
I used the following project; readers may consider other deployment methods:
https://github.com/adyanth/openwrt-tailscale-enabler
Specific commands:
- Connect to OpenWrt via ssh:
ssh root@<IP>
- Download the project (you can choose the version yourself):
wget https://github.com/adyanth/openwrt-tailscale-enabler/releases/download/v1.60.0-e428948-autoupdate/openwrt-tailscale-enabler-v1.60.0-e428948-autoupdate.tgz
- Extract the downloaded archive:
tar x -zvC / -f <File Name>

- Update and install dependencies:
opkg update
opkg install libustream-openssl ca-bundle kmod-tun

- Enable auto-start on boot:
/etc/init.d/tailscale enable
ls /etc/rc.d/S*tailscale*

- Start Tailscale:
/etc/init.d/tailscale start
tailscale up

- Enable subnet routing:
tailscale up --accept-routes --advertise-routes=192.168.1.0/24 --accept-dns=false
Note: The value of the advertise-routes parameter depends on your network. Simply put, take the first three parts of your current OpenWrt IP address, set the last part to 0, and use subnet mask 255.255.255.0. That is <original>.<original>.<original>.0/24. For example, if my OpenWrt IP is 192.168.1.254, then I need 192.168.1.0/24.

- In the Tailscale admin console, go to routing settings, check the box, and save.
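
The note on advertise-routes above covers the 255.255.255.0 case. The following script is an added example, not part of the original post or of the openwrt-tailscale-enabler project; it goes beyond that case and derives the value from the router's LAN IP and any contiguous netmask. The function names `mask_to_prefix` and `lan_cidr` are hypothetical helpers, and the sample address is the one used in the post.

```sh
#!/bin/sh
# Added example: compute the --advertise-routes CIDR from the LAN IP and netmask.

# mask_to_prefix NETMASK -> prefix length; fails on a non-contiguous mask
mask_to_prefix() {
    mp_ifs=$IFS; IFS=.
    set -- $1
    IFS=$mp_ifs
    [ $# -eq 4 ] || return 1
    mp_prefix=0 mp_tail=0
    for mp_octet in "$@"; do
        case $mp_octet in
            255) mp_bits=8 ;; 254) mp_bits=7 ;; 252) mp_bits=6 ;;
            248) mp_bits=5 ;; 240) mp_bits=4 ;; 224) mp_bits=3 ;;
            192) mp_bits=2 ;; 128) mp_bits=1 ;; 0) mp_bits=0 ;;
            *) return 1 ;;
        esac
        # After the first octet below 255, every later octet must be 0.
        if [ "$mp_tail" -eq 1 ] && [ "$mp_bits" -ne 0 ]; then return 1; fi
        if [ "$mp_bits" -lt 8 ]; then mp_tail=1; fi
        mp_prefix=$((mp_prefix + mp_bits))
    done
    echo "$mp_prefix"
}

# lan_cidr IP NETMASK -> NETWORK/PREFIX, e.g. 192.168.1.254 255.255.255.0
lan_cidr() {
    lc_prefix=$(mask_to_prefix "$2") || return 1
    lc_ifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$lc_ifs
    [ $# -eq 8 ] || return 1
    for lc_octet in "$1" "$2" "$3" "$4"; do
        case $lc_octet in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$lc_octet" -le 255 ] || return 1
    done
    # Network address = IP AND netmask, octet by octet.
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$lc_prefix"
}

# Constructed sample values: the router address used in the post, mask /24.
route=$(lan_cidr 192.168.1.254 255.255.255.0) &&
    echo "tailscale up --accept-routes --advertise-routes=$route --accept-dns=false"
```

The script only prints the resulting command; compare the printed route with the one shown for approval in the Tailscale admin console.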

Configuring OpenWrt
Configuring Network Interface
In the LuCI interface:
- Add Interface
  - Go to Network > Interfaces > Add New Interface.
  - Name: tailscale
  - Protocol: Static address
  - Device: Select tailscale0
  - IPv4 address: Enter the IP assigned by Tailscale to the router (e.g., 100.x.x.x).
  - Subnet mask: 255.0.0.0
  - Firewall zone: Select lan.
- Save and apply changes.


Adding Firewall Rules
In the LuCI interface:
- Go to Network > Firewall > Custom Rules.
- Add the following to allow Tailscale traffic. The first two rules accept all traffic forwarded from and to tailscale0, and the third masquerades traffic leaving through it:
iptables -I FORWARD -i tailscale0 -j ACCEPT
iptables -I FORWARD -o tailscale0 -j ACCEPT
iptables -t nat -I POSTROUTING -o tailscale0 -j MASQUERADE
- Save and restart the firewall.

That’s it.