Site-to-site networking
You can use site-to-site layer 3 (L3) networking to securely connect two or more subnets in your tailnet.
To create a site-to-site connection between two or more subnets:
- Select a device within each subnet to act as the subnet router.
- Configure the subnet routers:
  - Install the Tailscale client.
  - Enable IP forwarding.
  - Start the Tailscale client with the appropriate configuration options, such as disabling SNAT.
- Approve the subnet routers.
- Configure the other devices on each subnet.
- Test the connection between the subnets.
Site-to-site networking only works if:
- The subnets don’t have overlapping CIDR ranges.
- Each subnet has a Linux subnet router.
- The subnets don’t use 4via6 subnet routing.
Example scenario
The following example walks you through connecting two subnets within a tailnet: subnet A and subnet B. Both subnets use subnet routers running Ubuntu 22.04 x64.
| | Subnet A | Subnet B |
|---|---|---|
| Subnet CIDR range | 192.0.2.0/24 | 198.51.100.0/24 |
| Subnet router IP address | 192.0.2.2 | 198.51.100.2 |
Configure the subnet routers
The first step in connecting subnets within a tailnet is to configure a subnet router within each subnet. This example connects two subnets and requires two devices to serve as subnet routers (one in each subnet). Subnet A will use the device at 192.0.2.2, and subnet B will use the device at 198.51.100.2.
Set up both Linux subnet routers (192.0.2.2 and 198.51.100.2) with the following steps:
- Install the Tailscale client.
  You can install the Tailscale client on Linux using the following curl command:

  ```bash
  curl -sSL https://tailscale.com/install.sh | sh
  ```

  The script runs with your privileges, so download and read it before piping it to a shell, or install the client from your distribution's package repository instead.

- Enable IP forwarding.
  If your Linux system has a /etc/sysctl.d directory, use:

  ```bash
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
  echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
  sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
  ```

  Otherwise, use:

  ```bash
  echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
  echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
  sudo sysctl -p /etc/sysctl.conf
  ```

- Start the Tailscale client using the tailscale up command with flags to advertise the correct subnet route, disable SNAT, and accept routes. Make sure to replace <CIDR> with the correct subnet route: for the 192.0.2.2 subnet router, use 192.0.2.0/24; for the 198.51.100.2 subnet router, use 198.51.100.0/24.

  ```bash
  tailscale up --advertise-routes=<CIDR> --snat-subnet-routes=false --accept-routes
  ```

  - The --advertise-routes flag lists which addresses should be exposed to the Tailscale network. Who or what can access those addresses is controlled by Tailscale ACLs in the admin console.
  - The --snat-subnet-routes=false flag disables source NAT. By default, a device behind a subnet router sees traffic as originating from the subnet router. This simplifies routing but prevents traversing multiple networks. With source NAT disabled, the end device sees the IP address of the originating device as the source, which might be a Tailscale IP address or an address behind another subnet router. Because that source address is not on the local subnet, the end device needs a route back to it through its own subnet router, which is what the static routes in Configure subnet devices provide.
  - The --accept-routes flag accepts the advertised routes of all other subnet routers in the tailnet.

- Configure iptables on each subnet router to clamp the TCP maximum segment size (MSS) to the path MTU, so that TCP connections forwarded over the smaller-MTU tailscale0 interface do not stall on oversized segments:

  ```bash
  iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp \
    --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  ```

  This rule is not persistent across reboots; add it to whatever mechanism persists your firewall rules (for example, iptables-persistent on Debian and Ubuntu).
Approve the subnet routes
After configuring the subnet routers within each subnet, you must enable subnet routes from the Tailscale admin console.
You don't need to approve the subnet routers if you use autoApprovers.
- Open the Machines page of the admin console.
- Locate the subnet router devices by looking for the Subnets badge or by using the property:subnet filter. In this example, the subnet routers are 192.0.2.2 and 198.51.100.2.
- For each subnet router:
  - Select the menu > Edit route settings.
  - Approve the advertised subnet route.
You might prefer to disable key expiry on your subnet router nodes to avoid having to periodically reauthenticate. If you are using tags, key expiry is disabled by default. A node whose key never expires keeps its access until you remove or reauthenticate it, so pair this with ACLs that limit which tailnet devices can reach the advertised subnets.
Configure subnet devices
You don't need to configure the subnet devices if the default gateway is also the Tailnet subnet router.
After enabling subnet routes, configure the devices within each subnet. These devices don’t need to run Tailscale. However, you do need to add a static route to each device to tell it to use the designated subnet router.
- For each device in the 192.0.2.0/24 subnet (except the subnet router), run the following commands as root:

  ```bash
  ip route add 100.64.0.0/10 via 192.0.2.2
  ip route add 198.51.100.0/24 via 192.0.2.2
  ```

- For each device in the 198.51.100.0/24 subnet (except the subnet router), run the following commands as root:

  ```bash
  ip route add 100.64.0.0/10 via 198.51.100.2
  ip route add 192.0.2.0/24 via 198.51.100.2
  ```

The ip route commands do not persist after rebooting; you must run them again if you reboot the device. Depending on your setup, you can make the route settings persistent by adding them to your network manager or netplan configuration. Alternatively, you can manage route settings with a DHCP server on your network.
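The prerequisite that subnets must not overlap, the per-router tailscale up flags, and the per-device static routes above are all mechanical functions of the site list, and they get easy to get wrong once a third or fourth subnet joins. The following planner is an added example written for this guide; it is not Tailscale's code and does not run tailscale itself, it only checks the inputs and prints the commands to run. It generalizes the two-site example to any number of IPv4 subnets: each device gets a route to the Tailscale range plus one route per other site, all via its local subnet router. The Site class, the site names and the plan() layout are illustrative; the extra check that no subnet overlaps 100.64.0.0/10 is an assumption added here, because every device is given a static route for that range through the subnet router and a LAN inside it would black-hole its own traffic.

```python
"""Plan and sanity-check a Tailscale site-to-site (L3) deployment.

Added example, not Tailscale's code. Checks the page's prerequisite that no
two subnets overlap, plus an assumption made here: no subnet may overlap
100.64.0.0/10, the range every device routes via its subnet router. Then emits
the subnet-router commands and the static routes for non-router devices.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations

# IPv4 range Tailscale assigns to nodes; devices send it to the subnet router.
TAILSCALE_IPV4 = ip_network("100.64.0.0/10")


@dataclass(frozen=True)
class Site:  # illustrative container, not a Tailscale concept
    name: str
    cidr: str    # the subnet's CIDR range, e.g. "192.0.2.0/24"
    router: str  # LAN address of the device acting as subnet router

    @property
    def network(self):
        return ip_network(self.cidr, strict=True)


def check_prerequisites(sites: list[Site]) -> list[str]:
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    for s in sites:
        net = s.network
        if net.version != 4:
            problems.append(f"{s.name}: this example only plans IPv4 subnets")
            continue
        if ip_address(s.router) not in net:
            problems.append(f"{s.name}: router {s.router} is not inside {s.cidr}")
        if net.overlaps(TAILSCALE_IPV4):  # added check, see lead-in
            problems.append(f"{s.name}: {s.cidr} overlaps the Tailscale range {TAILSCALE_IPV4}")
    for a, b in combinations(sites, 2):  # the page's no-overlap prerequisite
        if a.network.overlaps(b.network):
            problems.append(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}")
    return problems


def router_commands(site: Site) -> list[str]:
    """Shell commands for the subnet router, after the client is installed:
    persistent forwarding, tailscale up with SNAT disabled, MSS clamping."""
    return [
        "echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf",
        "echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf",
        "sudo sysctl -p /etc/sysctl.d/99-tailscale.conf",
        f"sudo tailscale up --advertise-routes={site.cidr} "
        "--snat-subnet-routes=false --accept-routes",
        "sudo iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp "
        "--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
    ]


def device_routes(site: Site, sites: list[Site]) -> list[str]:
    """Static routes for a non-router device in `site`: the Tailscale IPv4
    range plus every other site's subnet, all via the local subnet router."""
    dests = [str(TAILSCALE_IPV4)] + [o.cidr for o in sites if o != site]
    return [f"ip route add {d} via {site.router}" for d in dests]


def plan(sites: list[Site]) -> dict[str, dict[str, list[str]]]:
    """Full plan keyed by site name; raises ValueError if a prerequisite fails."""
    problems = check_prerequisites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return {s.name: {"router": router_commands(s), "devices": device_routes(s, sites)}
            for s in sites}


if __name__ == "__main__":
    # Constructed sample input: the two sites from the example table above.
    sites = [Site("A", "192.0.2.0/24", "192.0.2.2"),
             Site("B", "198.51.100.0/24", "198.51.100.2")]
    for name, steps in plan(sites).items():
        print(f"# site {name}: run on the subnet router")
        print("\n".join(steps["router"]))
        print(f"# site {name}: run as root on every other device")
        print("\n".join(steps["devices"]))
```

Run it with the two example sites and the output is exactly the command sequence this guide walks through; add a third Site and each device list grows by one route while the router commands stay the same, which is the property the no-SNAT design relies on.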
Test the connection between the subnets
Now a device in subnet A can connect to a device in subnet B (and vice versa) without either needing to install the Tailscale client. You can test the connection by running the ping command from a subnet A device to a subnet B device.
For example, ping 198.51.100.3 from 192.0.2.3:

```
ping 198.51.100.3
PING 198.51.100.3 (198.51.100.3) 56(84) bytes of data.
64 bytes from 198.51.100.3: icmp_seq=1 ttl=64 time=9.34 ms
64 bytes from 198.51.100.3: icmp_seq=2 ttl=64 time=3.85 ms
```