{"id":17643,"date":"2023-07-03T23:23:30","date_gmt":"2023-07-03T20:23:30","guid":{"rendered":"https:\/\/kifarunix.com\/?p=17643"},"modified":"2024-03-10T10:34:59","modified_gmt":"2024-03-10T07:34:59","slug":"how-to-install-and-setup-tailscale-vpn-on-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-install-and-setup-tailscale-vpn-on-debian\/","title":{"rendered":"How to Install and Setup Tailscale VPN on Debian 12"},"content":{"rendered":"\n<p>Can I set up Tailscale on Linux systems? Yes, this guide will take you through how to install and set up Tailscale VPN on Debian 12. What is <a href=\"https:\/\/tailscale.com\/kb\/1151\/what-is-tailscale\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tailscale<\/a>? According to the documentation page, &#8220;<em>Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source&nbsp;WireGuard&nbsp;protocol, which means only devices on your private network can communicate with each other.<\/em>&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"installing-tailscale-vpn-on-debian-12\">Installing Tailscale VPN on Debian 12<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"tailscale-plans-and-pricing\">Tailscale Plans and Pricing<\/h3>\n\n\n\n<p>Tailscale is available under various plans and pricing. In this guide, we will be using a free version of Tailscale for demonstration purposes. Read more about <a href=\"https:\/\/tailscale.com\/pricing\/\" target=\"_blank\" rel=\"noreferrer noopener\">Tailscale plans and pricing<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"signup-for-tailscale-account\">Signup for Tailscale Account<\/h3>\n\n\n\n<p>In order to be able to use Tailscale, you need to create an account for it.
It supports <a href=\"https:\/\/tailscale.com\/kb\/1013\/sso-providers\/\" target=\"_blank\" rel=\"noreferrer noopener\">various SSO providers<\/a>, including Gmail, Apple, Microsoft, Okta, OneLogin, etc. So, if you already have an account with one of the supported providers, you can simply navigate to the <a href=\"https:\/\/login.tailscale.com\/start\" target=\"_blank\" rel=\"noreferrer noopener\">login page<\/a> and log in using your preferred SSO provider. We use a Gmail account in this setup.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1436\" height=\"884\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-account-dashboard.png\" alt=\"\" class=\"wp-image-17645\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-account-dashboard.png?v=1688400497 1436w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-account-dashboard-768x473.png?v=1688400497 768w\" sizes=\"(max-width: 1436px) 100vw, 1436px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-tailscale-on-debian-12\">Install Tailscale on Debian 12<\/h3>\n\n\n\n<p>Next, installing Tailscale on Debian 12 is as easy as copying and executing the installation command shown on the Tailscale web dashboard above;<\/p>\n\n\n\n<p>For example, see the command below.
Note that <strong>sh<\/strong> is prefixed with sudo since I am running it as a standard user with sudo rights.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install curl<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -fsSL https:\/\/tailscale.com\/install.sh | sudo sh<\/code><\/pre>\n\n\n\n<p>Sample installation command output;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\nInstalling Tailscale for debian bookworm, using method apt\n+ mkdir -p --mode=0755 \/usr\/share\/keyrings\n+ + tee \/usr\/share\/keyrings\/tailscale-archive-keyring.gpg\ncurl -fsSL https:\/\/pkgs.tailscale.com\/stable\/debian\/bookworm.noarmor.gpg\n+ + tee \/etc\/apt\/sources.list.d\/tailscale.list\ncurl -fsSL https:\/\/pkgs.tailscale.com\/stable\/debian\/bookworm.tailscale-keyring.list\n# Tailscale packages for debian bookworm\ndeb [signed-by=\/usr\/share\/keyrings\/tailscale-archive-keyring.gpg] https:\/\/pkgs.tailscale.com\/stable\/debian bookworm main\n+ apt-get update\nGet:1 https:\/\/dl.google.com\/linux\/chrome\/deb stable InRelease [1,825 B]\nGet:2 https:\/\/linux.teamviewer.com\/deb stable InRelease [11.9 kB]\nGet:3 https:\/\/dl.google.com\/linux\/chrome\/deb stable\/main amd64 Packages [1,078 B]\nHit:4 http:\/\/deb.debian.org\/debian bookworm InRelease\nGet:5 http:\/\/security.debian.org\/debian-security bookworm-security InRelease [48.0 kB]\nGet:6 https:\/\/linux.teamviewer.com\/deb stable\/main amd64 Packages [5,079 B]\nGet:7 http:\/\/deb.debian.org\/debian bookworm-updates InRelease [52.1 kB]\nGet:8 https:\/\/pkgs.tailscale.com\/stable\/debian bookworm InRelease\nGet:9
http:\/\/security.debian.org\/debian-security bookworm-security\/main Sources [17.4 kB]\nGet:10 https:\/\/pkgs.tailscale.com\/stable\/debian bookworm\/main all Packages [354 B]\nGet:11 http:\/\/security.debian.org\/debian-security bookworm-security\/main amd64 Packages [41.3 kB]\nGet:12 http:\/\/security.debian.org\/debian-security bookworm-security\/main Translation-en [17.2 kB]\nGet:13 https:\/\/pkgs.tailscale.com\/stable\/debian bookworm\/main amd64 Packages [8,434 B]\nFetched 211 kB in 2s (129 kB\/s)                                    \nReading package lists... Done\n+ apt-get install -y tailscale tailscale-archive-keyring\nReading package lists... Done\nBuilding dependency tree... Done\nReading state information... Done\nThe following NEW packages will be installed:\n  tailscale tailscale-archive-keyring\n0 upgraded, 2 newly installed, 0 to remove and 29 not upgraded.\nNeed to get 23.7 MB of archives.\nAfter this operation, 44.0 MB of additional disk space will be used.\nGet:1 https:\/\/pkgs.tailscale.com\/stable\/debian bookworm\/main amd64 tailscale amd64 1.44.0 [23.7 MB]\nGet:2 https:\/\/pkgs.tailscale.com\/stable\/debian bookworm\/main all tailscale-archive-keyring all 1.35.181 [3,082 B]                                                          \nFetched 23.7 MB in 17s (1,430 kB\/s)                                                                                                                                        \nSelecting previously unselected package tailscale.\n(Reading database ... 
205670 files and directories currently installed.)\nPreparing to unpack ...\/tailscale_1.44.0_amd64.deb ...\nUnpacking tailscale (1.44.0) ...\nSelecting previously unselected package tailscale-archive-keyring.\nPreparing to unpack ...\/tailscale-archive-keyring_1.35.181_all.deb ...\nUnpacking tailscale-archive-keyring (1.35.181) ...\nSetting up tailscale-archive-keyring (1.35.181) ...\nSetting up tailscale (1.44.0) ...\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/tailscaled.service \u2192 \/lib\/systemd\/system\/tailscaled.service.\n+ [ false = true ]\n+ set +x\nInstallation complete! Log in to start using Tailscale by running:\n\ntailscale up\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"start-using-tailscale-on-debian-12\">Start using Tailscale on Debian 12<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"tailscale-command-line-usage\">Tailscale command line usage<\/h4>\n\n\n\n<p>The above command installs a command-line utility that you can use to control your Tailscale network.<\/p>\n\n\n\n<p>To see the basic usage of the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tailscale --help<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nUSAGE\n  tailscale [flags] &lt;subcommand&gt; [command flags]\n\nFor help on subcommands, add --help after: \"tailscale status --help\".\n\nThis CLI is still under active development.
Commands and flags will\nchange in the future.\n\nSUBCOMMANDS\n  up         Connect to Tailscale, logging in if needed\n  down       Disconnect from Tailscale\n  set        Change specified preferences\n  login      Log in to a Tailscale account\n  logout     Disconnect from Tailscale and expire current node key\n  switch     Switches to a different Tailscale account\n  configure  [ALPHA] Configure the host to enable more Tailscale features\n  netcheck   Print an analysis of local network conditions\n  ip         Show Tailscale IP addresses\n  status     Show state of tailscaled and its connections\n  ping       Ping a host at the Tailscale layer, see how it routed\n  nc         Connect to a port on a host, connected to stdin\/stdout\n  ssh        SSH to a Tailscale machine\n  funnel     Turn on\/off Funnel service\n  serve      Serve content and local servers\n  version    Print Tailscale version\n  web        Run a web server for controlling Tailscale\n  file       Send or receive files\n  bugreport  Print a shareable identifier to help diagnose issues\n  cert       Get TLS certs\n  lock       Manage tailnet lock\n  licenses   Get open source license information\n\nFLAGS\n  --socket string\n    \tpath to tailscaled socket (default \/var\/run\/tailscale\/tailscaled.sock)\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"connect-first-device-debian-12-to-tailscale-network\">Connect First Device (Debian 12) to Tailscale Network<\/h4>\n\n\n\n<p>Once the installation command completes, you are given a command, <strong><code>tailscale up<\/code><\/strong>, that you need to execute to start Tailscale so you can start using it.<\/p>\n\n\n\n<p>Thus, execute the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tailscale up<\/code><\/pre>\n\n\n\n<p>Sample output;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>To authenticate, visit:\n\n\thttps:&#47;&#47;login.tailscale.com\/a\/abe7be8a71B7<\/code><\/pre>\n\n\n\n<p>So, copy the URL above and paste it into your
browser to log in to the Tailscale dashboard. Note that you can copy the URL and log in from any other device. It doesn&#8217;t have to be the same device on which you installed Tailscale and executed the <strong><code>tailscale up<\/code><\/strong> command.<\/p>\n\n\n\n<p>Confirm that you want to connect the device to the Tailscale network!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1144\" height=\"572\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-device-to-tailscale.png\" alt=\"\" class=\"wp-image-17647\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-device-to-tailscale.png?v=1688401490 1144w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-device-to-tailscale-768x384.png?v=1688401490 768w\" sizes=\"(max-width: 1144px) 100vw, 1144px\" \/><\/figure>\n\n\n\n<p>Once you have successfully logged in using the URL above, you should see Success both in the browser and on the command line where you executed the tailscale up command.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"372\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/device-login-sucessful.png\" alt=\"\" class=\"wp-image-17650\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/device-login-sucessful.png?v=1688402583 997w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/device-login-sucessful-768x287.png?v=1688402583 768w\" sizes=\"(max-width: 997px) 100vw, 997px\" \/><\/figure>\n\n\n\n<p>On the command line;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\nTo authenticate, visit:\n\n\thttps:&#47;&#47;login.tailscale.com\/a\/abe7be8a71d7\n\nSuccess.<\/code><\/pre>\n\n\n\n<p>On the dashboard, you should see your device;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1194\" height=\"703\"
src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-first-device-added.png\" alt=\"Install and Setup Tailscale VPN on Debian 12\" class=\"wp-image-17651\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-first-device-added.png?v=1688403603 1194w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-first-device-added-768x452.png?v=1688403603 768w\" sizes=\"(max-width: 1194px) 100vw, 1194px\" \/><\/figure>\n\n\n\n<p>This will also create a tailscale interface on your server and assign it a Tailscale IP address;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip a<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n6: tailscale0: &lt;POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP&gt; mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 500\n    link\/none \n    inet 100.101.4.108\/32 scope global tailscale0\n       valid_lft forever preferred_lft forever\n    inet6 fd7a:115c:a1e0:ab12:4843:cd96:6265:46c\/128 scope global \n       valid_lft forever preferred_lft forever\n    inet6 fe80::3f83:6676:7959:32d3\/64 scope link stable-privacy \n       valid_lft forever preferred_lft forever\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"add-second-device-to-tailscale-network\">Add Second Device to Tailscale Network<\/h4>\n\n\n\n<p><em>Tailscale connects multiple devices together, so you\u2019ll need it installed on more than one device.&nbsp;<\/em>Thus, from the dashboard, choose any other device from the available list and download the Tailscale installer.<\/p>\n\n\n\n<p>In my case, my second device is a Linux system (a Debian 12 headless server).
So, I will go ahead and copy and execute the Linux installer.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install curl<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>curl -fsSL https:\/\/tailscale.com\/install.sh | sudo sh<\/code><\/pre>\n\n\n\n<p>Similarly, when the installation is done, you need to start Tailscale;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tailscale up<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>\nTo authenticate, visit:\n\n\thttps:&#47;&#47;login.tailscale.com\/a\/5a05ecb0d374<\/code><\/pre>\n\n\n\n<p>Similarly, get the login URL and log in to the Tailscale dashboard to connect your device.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1023\" height=\"682\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-another-device-to-tailscale.png\" alt=\"Install and Setup Tailscale VPN on Debian 12\" class=\"wp-image-17648\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-another-device-to-tailscale.png?v=1688402471 1023w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/connect-another-device-to-tailscale-768x512.png?v=1688402471 768w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/><\/figure>\n\n\n\n<p>Upon successful login to the Tailscale dashboard, you should now see your second device added.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1441\" height=\"781\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-second-device-added.png\" alt=\"\" class=\"wp-image-17652\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-second-device-added.png?v=1688403728 1441w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-network-second-device-added-768x416.png?v=1688403728 768w\" sizes=\"(max-width: 1441px) 100vw, 1441px\" \/><\/figure>\n\n\n\n<h4
class=\"wp-block-heading\" id=\"test-connection-between-devices\">Test Connection Between Devices<\/h4>\n\n\n\n<p class=\"has-base-3-background-color has-background\">You can run a ping test between the two devices to confirm reachability. For example, from the first device (<strong>bookworm<\/strong>), ping your second device (<strong>debian12-server<\/strong>);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping 100.108.209.132 -c 4<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nPING 100.108.209.132 (100.108.209.132) 56(84) bytes of data.\n64 bytes from 100.108.209.132: icmp_seq=1 ttl=64 time=35.7 ms\n64 bytes from 100.108.209.132: icmp_seq=2 ttl=64 time=4.14 ms\n64 bytes from 100.108.209.132: icmp_seq=3 ttl=64 time=2.17 ms\n64 bytes from 100.108.209.132: icmp_seq=4 ttl=64 time=0.632 ms\n\n--- 100.108.209.132 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3006ms\nrtt min\/avg\/max\/mdev = 0.632\/10.668\/35.732\/14.523 ms\n<\/code><\/pre>\n\n\n\n<p>Similarly, run a ping test from the second device (<strong>debian12-server<\/strong>) to your first device (<strong>bookworm<\/strong>);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping 100.101.4.108 -c 4<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nPING 100.101.4.108 (100.101.4.108) 56(84) bytes of data.\n64 bytes from 100.101.4.108: icmp_seq=1 ttl=64 time=5.99 ms\n64 bytes from 100.101.4.108: icmp_seq=2 ttl=64 time=2.92 ms\n64 bytes from 100.101.4.108: icmp_seq=3 ttl=64 time=2.33 ms\n64 bytes from 100.101.4.108: icmp_seq=4 ttl=64 time=2.86 ms\n\n--- 100.101.4.108 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3004ms\nrtt min\/avg\/max\/mdev = 2.331\/3.527\/5.994\/1.442 ms\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"managing-devices-from-tailscale-dashboard\">Managing Devices from Tailscale Dashboard<\/h3>\n\n\n\n<p>From the device connection test page above, you can simply click the <strong>Success, it works!<\/strong> button to
confirm the connection and go to the <strong>What is next<\/strong> page;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1471\" height=\"821\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/confirm-connection-between-tailscale-devices.png\" alt=\"\" class=\"wp-image-17654\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/confirm-connection-between-tailscale-devices.png?v=1688404585 1471w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/confirm-connection-between-tailscale-devices-768x429.png?v=1688404585 768w\" sizes=\"(max-width: 1471px) 100vw, 1471px\" \/><\/figure>\n\n\n\n<p>Click <strong>Go to admin console<\/strong> to manage your devices;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1217\" height=\"564\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-vpn-devices.png\" alt=\"Install and Setup Tailscale VPN on Debian 12\" class=\"wp-image-17655\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-vpn-devices.png?v=1688407045 1217w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/tailscale-vpn-devices-768x356.png?v=1688407045 768w\" sizes=\"(max-width: 1217px) 100vw, 1217px\" \/><\/figure>\n\n\n\n<p>Click on the three dots to check more device settings.<\/p>\n\n\n\n<p><em>If the device you added is a server or remotely-accessed device, you may want to consider&nbsp;disabling key expiry&nbsp;to prevent the need to periodically re-authenticate.<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-tailscale-subnet-router\">Configure Tailscale Subnet Router<\/h3>\n\n\n\n<p>What if you have so many devices, including network devices such as switches and printers, that it becomes impractical to install Tailscale on each of them?<\/p>\n\n\n\n<p>Well, Tailscale provides the ability to set up a subnet router as an alternative.
With a subnet router, one of the machines that has access to your other LAN networks can be configured to act as a <strong>gateway<\/strong>, relaying traffic from your Tailscale network onto your physical subnet.<\/p>\n\n\n\n<p>Consider our network below;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1193\" height=\"636\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-and-LAN-subnet.png\" alt=\"\" class=\"wp-image-17658\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-and-LAN-subnet.png?v=1688412383 1193w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-and-LAN-subnet-768x409.png?v=1688412383 768w\" sizes=\"(max-width: 1193px) 100vw, 1193px\" \/><\/figure>\n\n\n\n<p>So, in this setup, we have a Linux server which will act as a subnet router to connect to the internal networks 192.168.10.0\/24, 192.168.20.0\/24 and 192.168.30.0\/24. We also have a remote desktop that we will use to connect to the remote LAN.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-tailscale-on-subnet-router\">Install Tailscale on Subnet Router<\/h4>\n\n\n\n<p>In this setup, we will install Tailscale only on the subnet router and on the remote desktop, 192.168.57.67, using the same installation method as above.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1198\" height=\"573\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router.png\" alt=\"Install and Setup Tailscale VPN on Debian 12\" class=\"wp-image-17659\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router.png?v=1688412453 1198w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-768x367.png?v=1688412453 768w\" sizes=\"(max-width: 1198px) 100vw, 1198px\" \/><\/figure>\n\n\n\n<p>So, how can we configure the subnet router so as to allow our FXT desktop to communicate with the remote LAN?<\/p>\n\n\n\n<p>You
need to configure that system to be able to route traffic as shown below;<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-ip-forwarding-on-subnet-router\">Enable IP Forwarding on Subnet Router<\/h4>\n\n\n\n<p>Enable IP forwarding on the subnet router;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'net.ipv4.ip_forward = 1' | sudo tee -a \/etc\/sysctl.d\/99-tailscale.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a \/etc\/sysctl.d\/99-tailscale.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sysctl -p \/etc\/sysctl.d\/99-tailscale.conf<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"enable-ip-masquerade-on-subnet-router\">Enable IP Masquerade on Subnet Router<\/h4>\n\n\n\n<p>Enable IP masquerading (we are using iptables here, with iptables-persistent so that the \/etc\/iptables directory exists and the saved rules are loaded at boot);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo apt install iptables iptables-persistent<\/code><\/pre>\n\n\n\n<p>Get the default gateway interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ip route | grep default<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>default via 192.168.100.1 dev <strong>enp0s3<\/strong><\/code><\/pre>\n\n\n\n<p>Enable IP masquerading in the NAT table of iptables to allow packets from the internal network to be masqueraded with the IP address of the default gateway interface;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -t nat -A POSTROUTING -o &lt;default-gw-interface&gt; -j MASQUERADE<\/code><\/pre>\n\n\n\n<p>In our case;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo sh -c 'iptables-save &gt; \/etc\/iptables\/rules.v4'<\/code><\/pre>\n\n\n\n<p>Read more on how to <a href=\"https:\/\/kifarunix.com\/configure-ubuntu-20-04-as-linux-router\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Ubuntu as Linux Router<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"start-restart-tailscale-on-subnet-router\">Start\/Restart
Tailscale on Subnet Router<\/h4>\n\n\n\n<p>Restart Tailscale on the subnet router and advertise the remote subnets;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tailscale up --advertise-routes=192.168.10.0\/24,192.168.20.0\/24,192.168.30.0\/24<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"approve-advertised-subnets-on-subnet-router\">Approve Advertised Subnets on Subnet Router<\/h4>\n\n\n\n<p>Next, log in to the Tailscale dashboard and approve the advertised subnets.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1339\" height=\"509\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/approve-advertised-subnets.png\" alt=\"\" class=\"wp-image-17662\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/approve-advertised-subnets.png?v=1688413517 1339w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/approve-advertised-subnets-768x292.png?v=1688413517 768w\" sizes=\"(max-width: 1339px) 100vw, 1339px\" \/><\/figure>\n\n\n\n<p>Approved;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1207\" height=\"651\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/advertised-network-approved.png\" alt=\"\" class=\"wp-image-17663\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/advertised-network-approved.png?v=1688413627 1207w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/advertised-network-approved-768x414.png?v=1688413627 768w\" sizes=\"(max-width: 1207px) 100vw, 1207px\" \/><\/figure>\n\n\n\n<p>You can disable key expiry to ensure continuous connectivity.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1331\" height=\"632\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-disable-key-expiry.png\" alt=\"\" class=\"wp-image-17665\" title=\"\"
srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-disable-key-expiry.png?v=1688413806 1331w, https:\/\/kifarunix.com\/wp-content\/uploads\/2023\/07\/subnet-router-disable-key-expiry-768x365.png?v=1688413806 768w\" sizes=\"(max-width: 1331px) 100vw, 1331px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-the-tailscale-routes-to-local-subnets\">Install the Tailscale Routes to Local Subnets<\/h4>\n\n\n\n<p>On the remote desktop you are using to connect to the remote LAN, you need to accept the Tailscale routes if you are using a Linux system. <em>Clients on Windows, macOS, iOS, and Android will automatically pick up your new subnet routes<\/em>.<\/p>\n\n\n\n<p>Thus, on my desktop FXT, this is the command to accept the routes;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo tailscale up --accept-routes<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"test-connection-between-remote-systems\">Test Connection Between Remote Systems<\/h4>\n\n\n\n<p>Everything should now be okay, but just confirm the connection between the remote systems.<\/p>\n\n\n\n<p>From the FXT desktop, let&#8217;s ping the remote networks;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tailscale ping 192.168.10.100<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pong from bookworm (100.101.4.108) via 192.168.100.153:41641 in 1ms<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tailscale ping 192.168.20.100<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pong from bookworm (100.101.4.108) via 192.168.100.153:41641 in 1ms<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>tailscale ping 192.168.30.100<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>pong from bookworm (100.101.4.108) via 192.168.100.153:41641 in 1ms<\/code><\/pre>\n\n\n\n<p>Looks good.
You can also just use the usual ping command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ping 192.168.10.100 -c 4 -R<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nPING 192.168.10.100 (192.168.10.100) 56(124) bytes of data.\n64 bytes from 192.168.10.100: icmp_seq=1 ttl=63 time=1.37 ms\nRR: \t100.74.211.114\n\t192.168.10.1\n\t192.168.10.100\n\t192.168.10.100\n\t100.101.4.108\n\t100.74.211.114\n\n64 bytes from 192.168.10.100: icmp_seq=2 ttl=63 time=1.46 ms\t(same route)\n64 bytes from 192.168.10.100: icmp_seq=3 ttl=63 time=1.47 ms\t(same route)\n64 bytes from 192.168.10.100: icmp_seq=4 ttl=63 time=1.25 ms\t(same route)\n\n--- 192.168.10.100 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3007ms\nrtt min\/avg\/max\/mdev = 1.245\/1.385\/1.466\/0.089 ms\n<\/code><\/pre>\n\n\n\n<p>Try to SSH into a remote host;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh kifarunix@192.168.30.100<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nThe authenticity of host '192.168.30.100 (192.168.30.100)' can't be established.\nED25519 key fingerprint is SHA256:Ubdu4hNBMf4EAtBHxIsjTT8Qz2V6E+0g972wXGVYXTY.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added '192.168.30.100' (ED25519) to the list of known hosts.\nkifarunix@192.168.30.100's password: \nWelcome to Ubuntu 22.04 LTS (GNU\/Linux 5.15.0-72-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Mon Jul  3 08:12:27 PM UTC 2023\n\n  System load:  0.18798828125      Processes:               121\n  Usage of \/:   27.3% of 36.59GB   Users logged in:         1\n  Memory usage: 14%                IPv4 address for enp0s3: 192.168.30.100\n  Swap usage:   0%\n\n * Strictly confined Kubernetes makes edge and IoT secure.
Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\n102 updates can be applied immediately.\nTo see these additional updates run: apt list --upgradable\n\n\nThe list of available updates is more than a week old.\nTo check for new updates run: sudo apt update\nFailed to connect to https:\/\/changelogs.ubuntu.com\/meta-release-lts. Check your Internet connection or proxy settings\n\n\nLast login: Mon Jul  3 19:03:24 2023\nkifarunix@node03:~$ w\n 20:12:43 up  1:46,  3 users,  load average: 0.15, 0.17, 0.12\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nkifaruni tty1     -                19:03    1:09m  0.13s  0.02s -bash\nkifaruni pts\/0    -                19:03    1:08m  0.04s  0.06s sudo su -\n<strong>kifaruni pts\/1    192.168.30.1     20:12    1.00s  0.03s  0.01s w<\/strong>\n<\/code><\/pre>\n\n\n\n<p>From the remote subnets, you can then access the FXT desktop via its Tailscale IP.<\/p>\n\n\n\n<p>And that is just about it. There is a lot more to Tailscale, but we cannot discuss everything in a single guide.<\/p>\n\n\n\n<p>Refer to the documentation for more information.<\/p>\n\n\n\n<p>That completes our guide on how to install and set up Tailscale VPN on Debian 12.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-ipsec-site-to-site-vpn-tunnel-on-pfsense\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup IPSec Site-to-Site VPN Tunnel on pfSense<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-setup-openvpn-server-on-ubuntu-22-04\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Setup OpenVPN Server on Ubuntu 22.04<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Can I set up Tailscale on Linux systems? Yes, this guide will take you through how to install and set up Tailscale VPN on Debian 12.
What<\/p>\n","protected":false},"author":1,"featured_media":17711,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,321],"tags":[6984,6988,6983,6985,6987,6986],"class_list":["post-17643","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-vpn","tag-debian-12-tailscale-vpn","tag-install-tailscale-on-linux","tag-install-tailscale-vpn-debian","tag-linux-tailscale-vpn","tag-setup-tailscale-on-linux","tag-setup-tailscale-subnet-router-von","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17643"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=17643"}],"version-history":[{"count":10,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17643\/revisions"}],"predecessor-version":[{"id":20830,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/17643\/revisions\/20830"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/17711"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=17643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=17643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=17643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}