This is a short guide for getting Tailscale running on the Ubiquiti EdgeRouter platform. EdgeOS 2.0+ is required to make use of the systemd unit file shipped by Tailscale.
This was originally inspired by lg's gist and joeshaw's suggestion of putting everything under /config/tailscale
rather than directly in /config
, however this guide uses Tailscale's Debian package repository instead of downloading the tarball and manually managing the files.
-
Configure the Tailscale apt repository
configure set system package repository tailscale url '[signed-by=/usr/share/keyrings/tailscale-stretch-stable.gpg] https://pkgs.tailscale.com/stable/debian' set system package repository tailscale distribution stretch set system package repository tailscale components main commit comment "Add Tailscale repository" save; exit
-
Create required directories and download and run firstboot script
Scripts in the
firstboot.d
directory are run after firmware upgrades. This script ensures that the Tailscale daemon's state is symlinked to/config
so it persists across firmware upgrades (otherwise you'll have to set up as a new device on every upgrade) and installs apost-config.d
script to ensure Tailscale is installed after each boot.The
post-config.d
script also copies the Debian package to/config/data/firstboot/install-packages
so the package can be installed duringfirstboot
after a firmware upgrade to ensure the package gets installed and doesn't require downloading it again. This also means the same version will be consistently installed.sudo bash mkdir -p /config/scripts/firstboot.d curl -o /config/scripts/firstboot.d/tailscale.sh https://raw.githubusercontent.com/jamesog/tailscale-edgeos/main/firstboot.d/tailscale.sh chmod 755 /config/scripts/firstboot.d/tailscale.sh /config/scripts/firstboot.d/tailscale.sh /config/scripts/post-config.d/tailscale.sh
-
Log in to Tailscale
The example below enables subnet routing for one subnet, enables use as an exit node (Tailscale 1.6+), and uses a one-off pre-auth key, which can be generated at https://login.tailscale.com/admin/authkeys
⚠️ Remember to change192.0.2.0/24
with the subnet(s) you actually want to expose to the tailnet.tailscale up --advertise-routes 192.0.2.0/24 --advertise-exit-node --authkey tskey-XXX
-
(Optional) If you want
sshd
to explicitly listen on the Tailscale address instead of all addresses:-
Fetch the override unit
curl -o /config/tailscale/systemd/tailscaled.service.d/before-ssh.conf https://raw.githubusercontent.com/jamesog/tailscale-edgeos/main/systemd/tailscaled.service.d/before-ssh.conf systemctl daemon-reload
-
Exit the shell, enter configure mode and set the listen-address
If you don't currently have any listen-address directives, make sure you add any other addresses you want to access the router by, such as a private network IP.
The Tailscale IP can be found in the admin console, or using
tailscale ip
.exit configure set service ssh listen-address <Tailscale IP> commit comment "sshd listen on Tailscale IP"
-
After an EdgeOS upgrade third-party packages are no longer installed, but the
firstboot
script described above ensures Tailscale gets reinstalled.
Note that it will install the Tailscale version from the first time the
post-config.d
script ran. If you had upgraded Tailscale since you will need
to re-upgrade it.
Upgrading is straightforward as the package manager will do everything for you.
Note: DO NOT USE apt-get upgrade
. This is not supported on EdgeOS and may
result in a broken system.
sudo apt-get update
sudo apt-get install tailscale
If you want to install a specific version of Tailscale use:
sudo apt-get install tailscale=X.Y.Z
Where X.Y.Z
is the version you want. This also works for downgrading.
If you consider this version to be "stable" for your use-cases you should think about copying the package to flash memory so it survives firmware upgrades, otherwise an older version may get installed.
First check if old packages are saved:
sudo bash
ls -l /config/data/firstboot/install-packages
If old versions exist delete them, e.g.
rm /config/data/firstboot/install-packages/tailscale_1.6.0_mips.deb
Then copy the latest version:
cp /var/cache/apt/archives/tailscale_*.deb /config/data/firstboot/install-packages
If you still receive an out of space error when upgrading, try cleaning the system's images using:
delete system image
If you have a certificate error when upgrading, unfortunately it is an EdgeOS problem, but to correct it manually you can run the following commands:
sudo -i
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
update-ca-certificates --fresh
sudo apt-get purge tailscale
sudo rm /config/scripts/firstboot.d/tailscale.sh /config/scripts/post-config.d/tailscale.sh
configure
delete system package repository tailscale
commit comment "Remove Tailscale repository"
save; exit