如何让 Openwrt 上的 tailscale 可以直连？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

OpenWrt 是一个专门面向嵌入式设备的 Linux 发行版。你可以将 OpenWrt 支持的型号的嵌入式设备，比如各种路由器上的系统，换成一个有更多可能性可以折腾的 Linux 系统。

OpenWrt 官方网站

这是一个创建于 878 天前的主题，其中的信息可能已经有所发展或是发生改变。

我在 OpenWRT 上安装了 tailscale ，并且开启了 IPV6 ，但是发现还是无法直连，总是通过 DERP 来中继。

我尝试着放行 IPV6 防火墙的 41641/udp ，发现还是一样。

以下是我的防火墙规则 Traffic Rules： enter image description here

root@OpenWrt:~# uci show firewall firewall.@defaults[0]=defaults firewall.@defaults[0].input='ACCEPT' firewall.@defaults[0].output='ACCEPT' firewall.@defaults[0].forward='REJECT' firewall.@defaults[0].synflood_protect='1' firewall.@zone[0]=zone firewall.@zone[0].name='lan' firewall.@zone[0].network='lan' firewall.@zone[0].input='ACCEPT' firewall.@zone[0].output='ACCEPT' firewall.@zone[0].forward='ACCEPT' firewall.@zone[1]=zone firewall.@zone[1].name='wan' firewall.@zone[1].network='wan' 'wan6' firewall.@zone[1].output='ACCEPT' firewall.@zone[1].masq='1' firewall.@zone[1].mtu_fix='1' firewall.@zone[1].input='REJECT' firewall.@zone[1].forward='REJECT' firewall.@forwarding[0]=forwarding firewall.@forwarding[0].src='lan' firewall.@forwarding[0].dest='wan' firewall.@rule[0]=rule firewall.@rule[0].name='Allow-DHCP-Renew' firewall.@rule[0].src='wan' firewall.@rule[0].proto='udp' firewall.@rule[0].dest_port='68' firewall.@rule[0].target='ACCEPT' firewall.@rule[0].family='ipv4' firewall.@rule[1]=rule firewall.@rule[1].name='Allow-Ping' firewall.@rule[1].src='wan' firewall.@rule[1].proto='icmp' firewall.@rule[1].icmp_type='echo-request' firewall.@rule[1].family='ipv4' firewall.@rule[1].target='ACCEPT' firewall.@rule[2]=rule firewall.@rule[2].name='Allow-IGMP' firewall.@rule[2].src='wan' firewall.@rule[2].proto='igmp' firewall.@rule[2].family='ipv4' firewall.@rule[2].target='ACCEPT' firewall.@rule[3]=rule firewall.@rule[3].name='Allow-DHCPv6' firewall.@rule[3].src='wan' firewall.@rule[3].proto='udp' firewall.@rule[3].dest_port='546' firewall.@rule[3].family='ipv6' firewall.@rule[3].target='ACCEPT' firewall.@rule[4]=rule firewall.@rule[4].name='Allow-MLD' firewall.@rule[4].src='wan' firewall.@rule[4].proto='icmp' firewall.@rule[4].src_ip='fe80::/10' firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0' firewall.@rule[4].family='ipv6' firewall.@rule[4].target='ACCEPT' firewall.@rule[5]=rule firewall.@rule[5].name='Allow-ICMPv6-Input' firewall.@rule[5].src='wan' firewall.@rule[5].proto='icmp' firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement' firewall.@rule[5].limit='1000/sec' firewall.@rule[5].family='ipv6' firewall.@rule[5].target='ACCEPT' firewall.@rule[6]=rule firewall.@rule[6].name='Allow-ICMPv6-Forward' firewall.@rule[6].src='wan' firewall.@rule[6].dest='*' firewall.@rule[6].proto='icmp' firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' firewall.@rule[6].limit='1000/sec' firewall.@rule[6].family='ipv6' firewall.@rule[6].target='ACCEPT' firewall.@rule[7]=rule firewall.@rule[7].name='Allow-IPSec-ESP' firewall.@rule[7].src='wan' firewall.@rule[7].dest='lan' firewall.@rule[7].proto='esp' firewall.@rule[7].target='ACCEPT' firewall.@rule[8]=rule firewall.@rule[8].name='Allow-ISAKMP' firewall.@rule[8].src='wan' firewall.@rule[8].dest='lan' firewall.@rule[8].dest_port='500' firewall.@rule[8].proto='udp' firewall.@rule[8].target='ACCEPT' firewall.@rule[9]=rule firewall.@zone[2]=zone firewall.@zone[2].name='tailscale' firewall.@zone[2].input='ACCEPT' firewall.@zone[2].output='ACCEPT' firewall.@zone[2].forward='ACCEPT' firewall.@zone[2].masq='1' firewall.@zone[2].mtu_fix='1' firewall.@zone[2].network='tailscale' firewall.@forwarding[1]=forwarding firewall.@forwarding[1].src='tailscale' firewall.@forwarding[1].dest='lan' firewall.@forwarding[2]=forwarding firewall.@forwarding[2].src='lan' firewall.@forwarding[2].dest='tailscale' firewall.@redirect[0]=redirect firewall.@redirect[0].dest='lan' firewall.@redirect[0].target='DNAT' firewall.@redirect[0].proto='udp' firewall.@redirect[0].src='wan' firewall.@redirect[0].src_dport='41641' firewall.@redirect[0].dest_port='41641' firewall.@redirect[0].name='41641' firewall.@redirect[0].dest_ip='192.168.1.1' firewall.@rule[10]=rule firewall.@rule[10].name='tailscale' firewall.@rule[10].family='ipv6' firewall.@rule[10].proto='udp' firewall.@rule[10].src_port='41641' firewall.@rule[10].dest_port='41641' firewall.@rule[10].target='ACCEPT' firewall.@rule[10].src='wan' firewall.@rule[10].dest='lan'

enter image description here tailscale admin gui

第 1 条附言 2023-08-01 22:57:46 +08:00

已配置完成，使用默认教程安装完其实就会自动直连了。
https://openwrt.org/docs/guide-user/services/vpn/tailscale/start

4 条回复 2023-08-01 16:09:08 +08:00

neroxps

2023-08-01 13:37:50 +08:00

ipv6 放行的话应该是 forward

uci add firewall rule
uci set firewall.@rule[-1].name="tailscale"
uci set firewall.@rule[-1].src="wan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="::1/-64"
uci set firewall.@rule[-1].family="ipv6"
uci set firewall.@rule[-1].proto="tcpudp"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
/etc/init.d/firewall restart

neroxps

2023-08-01 13:38:29 +08:00

哦漏了写端口。自己加一下把。

qsnow6

2023-08-01 16:04:08 +08:00

@neroxps #2
添加之后，发现能直连，但是不是通过 IPV6 连接的，还是走的 IPV4 NAT 的方式。

```bash
firewall.@rule[10]=rule
firewall.@rule[10].name='tailscale'
firewall.@rule[10].family='ipv6'
firewall.@rule[10].src='wan'
firewall.@rule[10].src_port='41641'
firewall.@rule[10].dest='lan'
firewall.@rule[10].dest_ip='::1/-64'
firewall.@rule[10].dest_port='41641'
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].proto='udp'
```

zed@zeddeMac-mini ~ % tailscale ping 100.122.96.133
pong from openwrt (100.122.96.133) via 183.220.46.122:1561 in 10ms

qsnow6

2023-08-01 16:09:08 +08:00

@neroxps #2 发现其实没必要折腾 IPV6 ，IPV6 必须要双方都要有公网 IPV6 地址。

问一下，如果要在 openwrt 上开放 41641/udp 给 tailscale ，下面这几个功能应该用哪一个。
Port Forwards
Traffic Rules
NAT Rules