Matthew Dean

Installing Tailscale on Asus RT-AX86U Router for a Free Home VPN

I wanted to be able to:

When I discovered Tailscale, I realized if I could install it on my Asus RT-AX86U router I could achieve both of these goals without paying for a VPN.

Asus does not allow installation of additional software on its routers but I found a third party alternative firmware called Asuswrt-Merlin which enables this. Below I’ve detailed the steps I took to install this firmware and Tailscale on my router.


Setting up the Router

  1. Install Asuswrt-Merlin
  2. SSH into the router
  3. Install Entware - required to install the Tailscale package and configure it launch on boot

Installing Tailscale

Once Entware is installed, use its package manager opkg to install Tailscale:

opkg update
opkg install tailscale

Then create a script which will launch tailscaled, the Tailscale daemon:

cd /jffs/scripts
chmod +x

Edit to have the following source:

exec > /jffs/scripts/start-tailscaled.log 2>&1

sleep 10
# Without the above delay, this script intermittently fails with the error:
# `safesocket.Listen: /opt/var/run/tailscale/tailscaled.sock: address already in use`


echo "Ensuring socket dir exists"
mkdir -p "$SOCKET_DIR"

if [ -f "$SOCKET_FILE" ]; then
    echo "Removing socket file"
    rm "$SOCKET_FILE"
    echo "Socket file does not exist"

echo "Ensuring tailscale state dir exists"

echo "Launching tailscaled in the background"
$TAILSCALE_DIR/tailscaled --statedir="$TAILSCALE_STATE_DIR" --socket="$SOCKET_FILE" --tun=userspace-networking &

MAX_WAIT=30  # Maximum number of seconds to wait

echo "Waiting for tailscaled to become ready..."
while [ ! -S "$SOCKET_FILE" ]; do
    if [ $COUNTER -ge $MAX_WAIT ]; then
        echo "tailscaled did not become ready within $MAX_WAIT seconds."
        exit 1

    echo "Still waiting..."
    sleep 1

echo "Tailscaled is ready. Proceeding with 'tailscale up'."
if ! output=$($TAILSCALE_DIR/tailscale up --advertise-exit-node 2>&1); then
    echo "'tailscale up' failed with error:"                               
    echo "$output"                                                         
    kill $TAILSCALED_PID                                                   
    exit 1                                                                 

echo "Setup complete."

Now run this script:


You will need to open the /jffs/scripts/start-tailscaled.log file and authenticate the node using the web login URL.

Launching Tailscale on boot

To make Tailscale run even after the router restarts, we will modify one of the user scripts that Asuswrt-Merlin provides.

To enable custom scripts, in to your router’s web interface:

  1. Scroll down to Advanced Settings
  2. Click Administration
  3. Switch to the System tab
  4. Toggle Enable JFFS custom scripts and configs to Yes

We have chosen post-mount because it executes after /opt, where Tailscale resides, is available.

echo -e ". /jffs/scripts/\n" >> /jffs/scripts/post-mount

Then restart your router. This will temporarily take down your network.


To check the status of Tailscale:

tailscale --socket=/opt/var/run/tailscale/tailscaled.sock status

Enabling SSH access through Tailscale

If you would like to enable SSH access to your router through Tailscale:

  1. In your router’s web interface, go to Administration > System
  2. Change Enable SSH to WAN & LAN
  3. Click Apply

From the router:

tailscale --socket=/opt/var/run/tailscale/tailscaled.sock set --ssh=true

Now you should be able to SSH into your router from anywhere.

Updating Tailscale

To update from Entware package:

opkg upgrade tailscale

To update directly from Tailscale’s package server:

tailscale update

Resources which helped me along the way:

Stumbling blocks: