# Setting up Tailscale as a VPN Subnet Router and Exit Node on Debian

Tailscale is a versatile VPN solution that allows you to securely connect your devices and networks. In this guide, we will walk you through setting up Tailscale as both a subnet router and an exit node on a Debian-based system using a Shell script.

## Prerequisites

Before you begin, ensure you have the following:

  • A Debian-based Linux system.
  • A valid Tailscale authentication key. Replace tskey-auth-............ in the script with your actual key.
  • The desired subnet CIDR, which you should replace with your own if it differs.

## Step 1: Creating and Running the Script

  1. Create a new Shell script or copy the following script to a file, e.g., tailscale-setup.sh. This script automates the installation and configuration of Tailscale.

    #!/bin/bash
    
    # Tailscale authentication key (replace with your key; never publish or commit a real key)
    AUTH_KEY="tskey-auth-............"
    
    # Subnet CIDR (replace with your subnet if different)
    SUBNET_CIDR="192.168.0.0/24"
    
    # Update and install prerequisites (curl)
    sudo apt update
    sudo apt upgrade
    sudo apt install curl
    
    # Install Tailscale
    curl -fsSL https://tailscale.com/install.sh | sh
    
    # Enable IP forwarding and IPv6 forwarding
    # (accepting source-routed packets is not needed for this, so it is not enabled)
    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p /etc/sysctl.conf
    
    # Configure iptables for subnet routing
    sudo iptables -t nat -A POSTROUTING -s "$SUBNET_CIDR" ! -d "$SUBNET_CIDR" -o tailscale0 -j MASQUERADE
    
    # Start Tailscale as an exit node and subnet router
    # (run in the foreground so the status check below sees the finished login)
    sudo tailscale up --auth-key="$AUTH_KEY" --accept-routes --advertise-exit-node --advertise-routes="$SUBNET_CIDR"
    
    # Display Tailscale status
    sudo tailscale status
    
    # Keep the script running to maintain the Tailscale connection
    read -r -d '' _ </dev/tty
    

Replace the AUTH_KEY and SUBNET_CIDR variables with your actual authentication key and subnet CIDR.

  2. Make the script executable:

    chmod +x tailscale-setup.sh

  3. Run the script to set up Tailscale as a subnet router and exit node:

    ./tailscale-setup.sh

## Step 2: Understanding the Script

Let's break down what each part of the script does:

Update and Install Prerequisites: The script starts by updating the package repository and installing curl, which is required to download Tailscale.

Install Tailscale: It uses curl to download and install Tailscale on your system.

Enable IP Forwarding: The script enables IP forwarding and IPv6 forwarding in your system's configuration to allow routing of network traffic.

Configure iptables: It configures iptables to perform Network Address Translation (NAT) for the specified subnet CIDR on the tailscale0 interface, allowing devices in the subnet to access the internet through the Tailscale exit node.

Start Tailscale: Tailscale is started with the provided authentication key, and the --accept-routes, --advertise-exit-node, and --advertise-routes options are used to configure Tailscale to act as a subnet router and exit node while advertising the specified routes.

Display Tailscale Status: It displays the status of the Tailscale connection to verify that it is active and functioning correctly.

Keep the Script Running: To maintain the Tailscale connection, the script keeps running, waiting for user input. Leave the script open so that the VPN connection remains active.
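The script keeps the auth key in its own source and hands its variables to `tailscale up` without checking them. As an added example (not part of the original script), the following validates the subnet CIDR and reads the key from an owner-only file through the `file:` prefix of `--auth-key`; the function names, the `--apply` switch and the key-file argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the original script. Function names, the --apply
# switch and the key-file argument are assumptions for illustration.

# Succeed only for a well-formed IPv4 CIDR such as 192.168.0.0/24.
valid_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only if the key file is a regular file with mode 600 or 400
# (GNU stat, as shipped on Debian) and starts with the tskey-auth- prefix.
key_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in 600|400) ;; *) return 1 ;; esac
    IFS= read -r first_line < "$1" || [ -n "$first_line" ] || return 1
    case "$first_line" in tskey-auth-?*) ;; *) return 1 ;; esac
}

# $1 = key file, $2 = subnet CIDR. Refuses to call tailscale on bad input.
apply_config() {
    valid_ipv4_cidr "$2" || { echo "invalid subnet CIDR: $2" >&2; return 1; }
    key_file_ok "$1" || { echo "unusable key file: $1" >&2; return 1; }
    # The file: prefix lets tailscale read the key itself, so the secret
    # never appears in the script or on the command line.
    sudo tailscale up --auth-key="file:$1" --accept-routes \
        --advertise-exit-node --advertise-routes="$2"
}

# Run only when invoked as: ./script.sh --apply KEY_FILE SUBNET_CIDR
if [ "${1:-}" = "--apply" ]; then
    apply_config "$2" "$3"
fi
```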

## Conclusion

You've successfully set up Tailscale as a VPN subnet router and exit node on your Debian-based system. This configuration allows you to securely connect devices and networks using Tailscale while maintaining control over your routing and subnet access.

Remember to keep the script running to maintain the Tailscale connection. You can customize the subnet CIDR and other settings as needed for your specific network requirements.