
Setting up Tailscale as a VPN Subnet Router and Exit Node on Debian

Prerequisites

Before you begin, ensure you have the following:

  • A Debian-based Linux system.
  • A valid Tailscale authentication key. Replace tskey-auth-............ in the script with your actual key.
  • The desired subnet CIDR, which you should replace with your own if it differs.

Step 1: Creating and Running the Script

  1. Create a new Shell script or copy the following script to a file, e.g., tailscale-setup.sh. This script automates the installation and configuration of Tailscale. If you don't require the iptables rules for subnet routing through Tailscale, you can remove them from the script. Here's the updated script without those iptables rules:
#!/bin/bash
# Abort on any failed command, unset variable, or failed pipeline stage
set -euo pipefail

# Install sudo if not already installed (this branch only works when run as root)
if ! command -v sudo &>/dev/null; then
    echo "sudo is not installed. Installing..."
    apt-get update
    apt-get install -y sudo
fi

# Enable IPv4 and IPv6 forwarding so this host can route for the advertised
# subnets and act as an exit node. A dedicated file under /etc/sysctl.d/ keeps
# re-runs from appending duplicate lines. Tailscale does not need
# accept_source_route, so source routing is left at its default (disabled).
cat <<'EOF' | sudo tee /etc/sysctl.d/99-tailscale.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

# Update packages and install curl (needed to fetch the Tailscale installer)
sudo apt update
sudo apt upgrade -y
sudo apt install -y curl

# Install Tailscale with the official installer script
curl -fsSL https://tailscale.com/install.sh | sh

# Prompt for Tailscale authentication key (-s keeps the key off the terminal)
read -r -s -p "Enter Tailscale authentication key: " AUTH_KEY
echo

# Prompt for first subnet CIDR
read -r -p "Enter first subnet CIDR (e.g., 192.168.0.0/24): " SUBNET_CIDR
ROUTES="$SUBNET_CIDR"

# Prompt if user wants to add a second subnet
read -r -p "Do you want to add a second subnet? (y/n): " ADD_SECOND_SUBNET

if [[ $ADD_SECOND_SUBNET == "y" ]]; then
    # Prompt for second subnet CIDR and append it only when given, so
    # --advertise-routes never receives a trailing comma (an empty route)
    read -r -p "Enter second subnet CIDR (e.g., 10.0.0.0/24): " SECOND_SUBNET_CIDR
    ROUTES="$ROUTES,$SECOND_SUBNET_CIDR"
fi

# Start Tailscale as an exit node and subnet router. Run it in the foreground
# so the status below is printed only after authentication has completed.
# Advertised routes and exit-node use must also be approved for this node in
# the Tailscale admin console before other devices can use them.
sudo tailscale up --auth-key="$AUTH_KEY" --accept-routes \
    --advertise-routes="$ROUTES" --advertise-exit-node

# Display Tailscale status
sudo tailscale status

# Keep the script running to maintain the Tailscale connection
read -r -d '' _ </dev/tty || true

When prompted, supply your actual authentication key and subnet CIDR for the AUTH_KEY and SUBNET_CIDR variables.

  2. Make the script executable:
chmod +x tailscale-setup.sh
  3. Run the script to set up Tailscale as a subnet router and exit node:
./tailscale-setup.sh

Step 2: Understanding the Script

Let's break down what each part of the script does:

Update and Install Prerequisites: The script updates the package repository and installs curl, which is required to download the Tailscale installer.

Install Tailscale: It uses curl to download and install Tailscale on your system.

Enable IP Forwarding: The script enables IP forwarding and IPv6 forwarding in your system's configuration to allow routing of network traffic.

Configure iptables (only in the variant of the script that keeps the iptables rules): It configures iptables to perform Network Address Translation (NAT) for the specified subnet CIDR on the tailscale0 interface, allowing devices in the subnet to access the internet through the Tailscale exit node.

Start Tailscale: Tailscale is started with the provided authentication key and the --accept-routes, --advertise-routes, and --advertise-exit-node options, which make the node accept routes advertised by other subnet routers, advertise the specified subnets, and offer itself as an exit node.

Display Tailscale Status: It displays the status of the Tailscale connection to verify that it is active and functioning correctly.

Keep the Script Running: To maintain the Tailscale connection, the script keeps running, waiting for user input. Do not close the script to ensure the VPN connection remains active.
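As an added example (not part of the original post or of Tailscale's own tooling), the following helper validates the subnet CIDRs entered at the prompts and assembles the --advertise-routes value used in the Start Tailscale step, skipping a blank second subnet so no trailing comma is passed to tailscale up; the function names validate_cidr and build_routes are my own.

```shell
#!/bin/sh
# Return 0 if $1 is a well-formed IPv4 CIDR such as 192.168.0.0/24.
validate_cidr() {
    cidr=$1
    case "$cidr" in */*) ;; *) return 1 ;; esac
    addr=${cidr%%/*}
    prefix=${cidr#*/}
    # Prefix length: digits only, 0..32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Address: digits and dots only (also blocks glob characters before set --)
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    # Exactly four octets, each 0..255 (an empty field means "1..2.3")
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in '') return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Join any number of CIDRs into the comma-separated value that
# --advertise-routes expects. Blank arguments (an unanswered second-subnet
# prompt) are skipped so no trailing comma is produced, and any argument
# that is not a valid IPv4 CIDR makes the function fail instead of handing
# a bad route list to tailscale up.
build_routes() {
    routes=
    for cidr in "$@"; do
        [ -n "$cidr" ] || continue
        validate_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
        routes="${routes:+$routes,}$cidr"
    done
    printf '%s' "$routes"
}

# Constructed sample input: first subnet given, second prompt left blank.
if ROUTES=$(build_routes "192.168.0.0/24" ""); then
    echo "tailscale up --advertise-routes=$ROUTES --advertise-exit-node"
fi
```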

Conclusion

You've successfully set up Tailscale as a VPN subnet router and exit node on your Debian-based system. This configuration allows you to securely connect devices and networks using Tailscale while maintaining control over your routing and subnet access.

Remember to keep the script running to maintain the Tailscale connection. You can customize the subnet CIDR and other settings as needed for your specific network requirements.