Setting up Tailscale Subnet Routing: The Complete Guide

When setting up a home lab or managing multiple networks, having secure access to your local network devices while away is crucial. Tailscale offers an elegant solution through subnet routing, but there's a critical step that many guides miss. This post will walk you through the complete setup, including the essential iptables masquerade rule that makes everything work.

Prerequisites

  • A Linux VM or machine that will act as your subnet router
  • Tailscale account (free tier works fine)
  • Basic understanding of networking concepts
  • Root/sudo access on your subnet router

Step 1: Initial Setup

First, install Tailscale on your chosen subnet router machine:

curl -fsSL https://tailscale.com/install.sh | sh

After installation, authenticate your device:

sudo tailscale up

Step 2: Enable IP Forwarding

Your subnet router needs to be able to forward traffic between networks. Enable this by adding these settings to /etc/sysctl.conf:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf

Apply the changes:

sudo sysctl -p

Step 3: Configure Subnet Routes

Now, we'll tell Tailscale about your local network. Replace 192.168.0.0/24 with your actual network CIDR:

sudo tailscale up --advertise-routes=192.168.0.0/24 --accept-routes

Step 4: The Critical Fix - Adding IP Masquerade

This is the step that many guides miss, but it's essential for making subnet routing work. Without it, traffic won't flow properly between your Tailscale and local networks:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Replace eth0 with your actual network interface name (you can find this using ip a).

To make this persistent across reboots:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

Why is this step crucial?

The masquerade rule is vital because:

  1. It enables NAT (Network Address Translation) for traffic passing through your subnet router, so packets arriving from Tailscale leave toward the LAN with the router's own address as their source
  2. It makes responses from local devices route back correctly through Tailscale, because those responses are addressed to the router rather than to a Tailscale address
  3. Without it, your local devices won't know how to respond to Tailscale traffic: they have no route to the Tailscale address range, so replies go to their default gateway and are lost

Step 5: Enable Subnet Routes in Tailscale Admin Console

  1. Go to the Tailscale Admin Console
  2. Find your subnet router machine
  3. Enable subnet routes for this device
  4. Approve the advertised routes

Step 6: Testing the Setup

To test your configuration:

  1. Connect a device (like your phone or laptop) to Tailscale
  2. Disconnect from your local network (use mobile data or a different WiFi)
  3. Try to access a device on your local network through its IP address
  4. If everything is working, you should be able to reach your local network devices

Troubleshooting

If you're having issues:

  1. Verify IP forwarding is enabled:
     sysctl net.ipv4.ip_forward
  2. Check if routes are being advertised:
     tailscale status --json | grep Routes
  3. Verify the iptables masquerade rule is present:
     sudo iptables -t nat -L -n -v
  4. Check Tailscale connectivity:
     tailscale netcheck
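The four troubleshooting checks above, together with the masquerade step from Step 4, can be scripted so the router verifies itself. The following is an added example written for this guide, not code from the original post or from Tailscale. Each check_* function takes the raw output of the corresponding command as its argument and returns success or failure, so the logic can be exercised offline against the constructed sample strings embedded below; run_live_checks gathers the real output, and ensure_masquerade adds the Step 4 rule only if it is absent. It assumes the LAN interface is eth0 and the advertised network is 192.168.0.0/24 (the values used in the post), and that Tailscale's Linux interface is named tailscale0.

```shell
#!/bin/sh
# Added example (not from the original post): offline-testable health checks
# for a Tailscale subnet router. Assumptions: LAN interface eth0 and network
# 192.168.0.0/24 as in the post; edit these to match your router.

LAN_IF="eth0"
LAN_CIDR="192.168.0.0/24"
TS_RANGE="100.64.0.0/10"   # address range Tailscale assigns to nodes

# Step 2 check: `sysctl net.ipv4.ip_forward` prints "net.ipv4.ip_forward = 1"
check_ip_forward() {
    case "$1" in
        *"net.ipv4.ip_forward = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3 check: once approved in the admin console, the advertised CIDR
# appears (quoted) in the router's entry of `tailscale status --json`
check_route_advertised() {
    printf '%s\n' "$1" | grep -q -F -- "\"$LAN_CIDR\""
}

# Step 4 check: `iptables -t nat -S POSTROUTING` prints one rule per line.
# Accepts both the post's broad rule and the source-restricted variant below.
check_masquerade() {
    printf '%s\n' "$1" | grep -q -E -- "-o $LAN_IF .*-j MASQUERADE"
}

# Idempotent version of Step 4: `iptables -C` tests for the rule and only
# appends it when missing. Restricting the source to the Tailscale range means
# other traffic forwarded out of $LAN_IF is not NATed as a side effect.
ensure_masquerade() {
    iptables -t nat -C POSTROUTING -s "$TS_RANGE" -o "$LAN_IF" -j MASQUERADE 2>/dev/null \
        || iptables -t nat -A POSTROUTING -s "$TS_RANGE" -o "$LAN_IF" -j MASQUERADE
}

# report NAME CHECK ARGS... : prints a verdict line, returns the check's status
report() {
    name="$1"; shift
    if "$@"; then echo "PASS  $name"; return 0; fi
    echo "FAIL  $name"; return 1
}

# Live mode (needs root): run the real commands through the checks
run_live_checks() {
    failed=0
    report "IP forwarding enabled" check_ip_forward "$(sysctl net.ipv4.ip_forward)" || failed=1
    report "route $LAN_CIDR approved in tailscale status" check_route_advertised "$(tailscale status --json)" || failed=1
    report "MASQUERADE rule on $LAN_IF" check_masquerade "$(iptables -t nat -S POSTROUTING)" || failed=1
    return $failed
}

# Constructed sample outputs (not captured from a real host) for offline use
SAMPLE_NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE'
SAMPLE_NAT_MISSING='-P POSTROUTING ACCEPT'
SAMPLE_STATUS_OK='{"Self":{"AllowedIPs":["100.101.102.103/32","192.168.0.0/24"]}}'
SAMPLE_STATUS_MISSING='{"Self":{"AllowedIPs":["100.101.102.103/32"]}}'

# self_test: every check must pass on the good sample and fail on the bad one
self_test() {
    check_ip_forward "net.ipv4.ip_forward = 1" || return 1
    check_ip_forward "net.ipv4.ip_forward = 0" && return 1
    check_masquerade "$SAMPLE_NAT_OK" || return 1
    check_masquerade "$SAMPLE_NAT_MISSING" && return 1
    check_route_advertised "$SAMPLE_STATUS_OK" || return 1
    check_route_advertised "$SAMPLE_STATUS_MISSING" && return 1
    return 0
}

case "${1:-}" in
    --live) run_live_checks ;;
    --fix)  ensure_masquerade && run_live_checks ;;
    --test) self_test && echo "self-test passed" ;;
esac
```

Run it with --test on any machine to exercise the check logic, with --live on the router (as root) to grade the real configuration, and with --fix to add the masquerade rule first. Because ensure_masquerade uses `iptables -C`, re-running it never stacks duplicate rules, which is what the plain `-A` in Step 4 would do on each invocation.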

Security Considerations

Remember to:

  • Keep your subnet router updated
  • Monitor access logs
  • Use strong authentication
  • Regularly audit your Tailscale network
  • Consider implementing additional firewall rules

Conclusion

While setting up Tailscale subnet routing might seem straightforward, the often-overlooked iptables masquerade rule is crucial for proper functionality. Without it, you might find that traffic isn't flowing as expected between your Tailscale and local networks.

By following this guide and ensuring you've implemented the masquerade rule, you should have a fully functional subnet router that allows secure access to your local network from anywhere in the world.

Remember to test your setup from outside your local network, as testing from within your network won't give you an accurate picture of remote access functionality.