<aside> ℹ️

This guide is largely a matter of copying and pasting commands from this page over SSH. If you hover over the code blocks you’ll find a copy button. It’ll be included by default in future PiFi builds for simple setup.

</aside>

Step 1: Connect to SSH

First, ensure your computer is connected to PiFi, then open Terminal and enter the following:

ssh-keygen -R 192.168.3.14;
ssh [email protected]

<aside> ℹ️

Enter yes to accept the ye

</aside>

<aside> ℹ️

Enter your admin password when prompted (this is the password you set in the PiFi app when setting up)

</aside>

Step 2: Install Dependencies

Update packages

Install packages

opkg update
opkg install tailscale iptables-nft curl 
/etc/init.d/tailscale start
/etc/init.d/tailscale enable

<aside> ℹ️

Compared to the previous guide there’s a new package, curl, so it’s worth running the above again.

</aside>

Step 3: Update Tailscale

wget -O update-tailscale.sh "https://raw.githubusercontent.com/pifi-org/update-tailscale/refs/heads/main/update-tailscale.sh?$(date +%s)" && sh update-tailscale.sh --force

Step 4: Configure Firewall as Exit Node

# Create the Tailscale zone
uci add firewall zone
uci set firewall.@zone[-1].name='Tailscale'
uci set firewall.@zone[-1].input='ACCEPT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='ACCEPT'
uci set firewall.@zone[-1].masq='1'
uci set firewall.@zone[-1].mtu_fix='1'
uci add_list firewall.@zone[-1].device='tailscale0'

# Forwarding: Tailscale -> lan
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='Tailscale'
uci set firewall.@forwarding[-1].dest='lan'

# Forwarding: Tailscale -> wan
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='Tailscale'
uci set firewall.@forwarding[-1].dest='wan'

# Forwarding: lan -> Tailscale
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='Tailscale'

# Forwarding: wan -> Tailscale
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='wan'
uci set firewall.@forwarding[-1].dest='Tailscale'

# NAT masquerade from LAN to tailscale0
uci add firewall nat
uci set firewall.@nat[-1].name='Tailscale'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='MASQUERADE'
uci add_list firewall.@nat[-1].proto='all'
uci set firewall.@nat[-1].device='tailscale0'

# Commit changes and reload firewall
uci commit firewall
/etc/init.d/firewall reload
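
To confirm what Step 4 left in the firewall configuration, this added example (not part of the PiFi guide) lists the Tailscale zone's policies and every forwarding that touches it. The names `audit_zone` and `sample_config` are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not part of the PiFi guide. Reads `uci show firewall` text on
# stdin. On the router: uci show firewall | audit_zone Tailscale

audit_zone() {
    awk -v zone="$1" '
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub("\047", "", val)                   # strip the quotes uci prints
        if (split(key, part, ".") != 3) next    # skip section header lines
        sec = part[2]; opt = part[3]
        if (sec ~ /^@forwarding\[/) {
            if (!(sec in seen)) { seen[sec] = 1; order[++count] = sec }
            if (opt == "src")  src[sec] = val
            if (opt == "dest") dest[sec] = val
        } else if (sec ~ /^@zone\[/) {
            if (opt == "name") zname[sec] = val
            else zopt[sec, opt] = val
        }
    }
    END {
        for (s in zname) if (zname[s] == zone)
            printf "zone %s input=%s forward=%s masq=%s\n", zone,
                zopt[s, "input"], zopt[s, "forward"], zopt[s, "masq"]
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (src[s] != zone && dest[s] != zone) continue
            note = (src[s] == "wan") ? "  # source is wan: confirm intended" : ""
            printf "forwarding %s -> %s%s\n", src[s], dest[s], note
        }
    }'
}

# Constructed, abbreviated sample of `uci show firewall` output for offline runs.
sample_config() {
    cat <<'EOF'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@zone[2].name='Tailscale'
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].forward='ACCEPT'
firewall.@zone[2].masq='1'
firewall.@forwarding[1].src='Tailscale'
firewall.@forwarding[1].dest='lan'
firewall.@forwarding[2].src='wan'
firewall.@forwarding[2].dest='Tailscale'
EOF
}
```

Running `sample_config | audit_zone Tailscale` shows the output shape without a router.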

Step 5: Enable Tailscale (+ Advertise-Exit Node)

tailscale up --netfilter-mode=off \
  --advertise-routes=192.168.3.0/24,10.0.0.0/24,10.0.1.0/24 \
  --advertise-exit-node \
  --accept-routes