Tailscale Subnet Routing and Orange Pi
Still really impressed with Tailscale, I started investigating subnet routing and enabled it on one of the Le Potatos. By default a subnet router does source NAT, which is really slick: your connection comes through the WireGuard tunnel to the router, which then NATs your traffic out its own LAN interface. The device you are ultimately connecting to therefore only needs to talk to another device on the same subnet. It does not need to be aware of the Tailscale routes; in fact, it wouldn't even need a default gateway set, so you could use this functionality to do an initial device config remotely.
For example, at work we have various devices like Nokia transport gear and security panels that are configured by setting a static IP on your laptop, opening a web browser and logging into a web GUI. This will similarly provide out-of-band IP access to the 2nd and 3rd generation console servers, which currently rely on in-band connections via management networks. Because I wanted the Tailscale clients used in this capacity to remain entirely out of band, I needed a Raspberry Pi-like device with two Ethernet interfaces.
The WAN port connects to direct internet access (cellular, DSL, etc.) and the LAN port connects to whatever needs OOB IP access. At about the same price point as the Le Potato (plus case and power supply), the Orange Pi trades the extra USB ports and HDMI output (among other features) for dual Gigabit Ethernet interfaces, newer hardware and a very nice, sturdy, heavy aluminum case. With only one USB port it can directly serve only 4 console connections (via the 4-port USB-to-serial adapter), but that is enough for small offices, and large ones will have dedicated console servers that it can provide OOB access to via the LAN port.
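Here is what the subnet-router setup described above looks like on a dual-NIC board, as an added example that is not from the original post or from Tailscale's own docs. The interface names (eth1), addresses, subnet, group and ports are assumptions; the only Tailscale specifics relied on are the `--advertise-routes` and `--snat-subnet-routes` flags (SNAT is already the default, it is spelled out to make the point explicit) and the HuJSON ACL format. Because the default ACL is accept-all, a subnet router would otherwise expose the whole OOB subnet to every node in the tailnet, so the example also shows a narrowing policy.

```shell
#!/bin/sh
# Added example (not from the original post): turn a dual-NIC board into a Tailscale
# subnet router for an out-of-band management LAN. Interface names, addresses, the
# subnet, the ACL group and the ports are assumptions; adjust for your hardware.
set -eu

LAN_IF="${LAN_IF:-eth1}"                         # assumed: NIC facing the OOB devices
LAN_ADDR="${LAN_ADDR:-192.168.100.1/24}"          # assumed: router's own address on that NIC
LAN_SUBNET="${LAN_SUBNET:-192.168.100.0/24}"     # assumed: subnet advertised to the tailnet

# Minimal sanity check for a.b.c.d/nn before it is handed to tailscale.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# The 'tailscale up' invocation. --snat-subnet-routes=true is already the default; it is
# written out because it is what makes the target device see the router's LAN address as
# the source, so the target needs neither a route to the tailnet nor a default gateway.
subnet_router_cmd() {
  valid_cidr "$1" || return 1
  printf 'tailscale up --advertise-routes=%s --snat-subnet-routes=true\n' "$1"
}

# Without forwarding the kernel drops the packets tailscaled hands it; persist the setting.
forwarding_sysctl() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n'
}

# Tailscale's default policy is accept-all, which would expose the whole OOB subnet to
# every node in the tailnet. This HuJSON fragment (assumed group and ports) narrows it to
# one group and the SSH / web GUI ports the devices actually serve.
oob_acl() {
  cat <<EOF
{
  "groups": { "group:netops": ["alice@example.com"] },
  "acls": [
    { "action": "accept", "src": ["group:netops"], "dst": ["$1:22,443"] }
  ]
}
EOF
}

apply() {
  ip addr replace "$LAN_ADDR" dev "$LAN_IF"
  ip link set "$LAN_IF" up
  forwarding_sysctl > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
  cmd=$(subnet_router_cmd "$LAN_SUBNET") || { echo "bad subnet: $LAN_SUBNET" >&2; exit 1; }
  $cmd   # the route still has to be approved in the admin console (or via ACL autoApprovers)
}

# Only touch the system when explicitly asked; sourcing the file just defines the functions.
if [ "${TS_APPLY:-0}" = 1 ]; then apply; fi
```

Run it as root with `TS_APPLY=1` on the router; `oob_acl 192.168.100.0/24` prints the policy fragment to paste into the tailnet's access controls. One consequence of SNAT worth remembering: the OOB device's own logs will show the router's LAN address, not the tailnet identity of whoever connected, so the Tailscale ACL (and the admin console's node logs) are where that attribution lives.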
Compare them here:
Original: Le Potato Console Server
Current: OrangePi Console Server
Unfortunately, the Tailscale plan I was using for the proof of concept was limited to one subnet router, and to continue by deploying a couple at work I'd need to switch to a paid plan, which gets fairly expensive if you want to leverage subnet routers. There may be a business case for it, but there is also a legitimately free option that puts you in control of both the control plane and the relay traffic.
The next post will be about implementing Headscale.