Installing Tailscale on Asus RT-AX86U Router for a Free Home VPN
I wanted to be able to:
- Access geo-restricted content when in other countries by routing my Internet traffic through my home network
- Remotely access my router to monitor my home network
When I discovered Tailscale, I realized if I could install it on my Asus RT-AX86U router I could achieve both of these goals without paying for a VPN.
Asus does not allow installation of additional software on its routers but I found a third party alternative firmware called Asuswrt-Merlin which enables this. Below I’ve detailed the steps I took to install this firmware and Tailscale on my router.
Requirements
- An Asus router model supported by Asuswrt-Merlin
- A USB drive to persist router configuration
Setting up the Router
- Install Asuswrt-Merlin
- SSH into the router
- Install Entware - required to install the Tailscale package and configure it launch on boot
Installing Tailscale
Once Entware is installed, use its package manager opkg
to install Tailscale:
opkg update
opkg install tailscale
Then create a script which will launch tailscaled
, the Tailscale daemon:
cd /jffs/scripts
touch start-tailscaled.sh
chmod +x start-tailscaled.sh
Edit start-tailscaled.sh
to have the following source:
#!/bin/sh
exec > /jffs/scripts/start-tailscaled.log 2>&1
sleep 10
# Without the above delay, this script intermittently fails with the error:
# `safesocket.Listen: /opt/var/run/tailscale/tailscaled.sock: address already in use`
TAILSCALE_DIR="/opt/bin"
TAILSCALE_STATE_DIR="/opt/var/lib/tailscale"
SOCKET_DIR="/opt/var/run/tailscale"
SOCKET_FILE="$SOCKET_DIR/tailscaled.sock"
echo "Ensuring socket dir exists"
mkdir -p "$SOCKET_DIR"
if [ -f "$SOCKET_FILE" ]; then
echo "Removing socket file"
rm "$SOCKET_FILE"
else
echo "Socket file does not exist"
fi
echo "Ensuring tailscale state dir exists"
mkdir -p "$TAILSCALE_STATE_DIR"
echo "Launching tailscaled in the background"
$TAILSCALE_DIR/tailscaled --statedir="$TAILSCALE_STATE_DIR" --socket="$SOCKET_FILE" --tun=userspace-networking &
TAILSCALED_PID=$!
COUNTER=0
MAX_WAIT=30 # Maximum number of seconds to wait
echo "Waiting for tailscaled to become ready..."
while [ ! -S "$SOCKET_FILE" ]; do
if [ $COUNTER -ge $MAX_WAIT ]; then
echo "tailscaled did not become ready within $MAX_WAIT seconds."
exit 1
fi
echo "Still waiting..."
sleep 1
COUNTER=$((COUNTER+1))
done
echo "Tailscaled is ready. Proceeding with 'tailscale up'."
if ! output=$($TAILSCALE_DIR/tailscale up --advertise-exit-node 2>&1); then
echo "'tailscale up' failed with error:"
echo "$output"
kill $TAILSCALED_PID
exit 1
fi
echo "Setup complete."
Now run this script:
/jffs/scripts/start-tailscaled.sh
You will need to open the /jffs/scripts/start-tailscaled.log
file and authenticate the node using the web login URL.
Launching Tailscale on boot
To make Tailscale run even after the router restarts, we will modify one of the user scripts that Asuswrt-Merlin provides.
To enable custom scripts, in to your router’s web interface:
- Scroll down to
Advanced Settings
- Click
Administration
- Switch to the
System
tab - Toggle
Enable JFFS custom scripts and configs
toYes
We have chosen post-mount
because it executes after /opt
, where Tailscale resides, is available.
echo -e ". /jffs/scripts/start-tailscaled.sh\n" >> /jffs/scripts/post-mount
Then restart your router. This will temporarily take down your network.
reboot
To check the status of Tailscale:
tailscale --socket=/opt/var/run/tailscale/tailscaled.sock status
Enabling SSH access through Tailscale
If you would like to enable SSH access to your router through Tailscale, then from the router:
tailscale --socket=/opt/var/run/tailscale/tailscaled.sock set --ssh=true
Now you should be able to SSH into your router from anywhere.
Updating Tailscale
To update from Entware package:
opkg upgrade tailscale
I have found that the Tailscale Opkg package is rarely updated. To update despite this, I update directly from Tailscale’s package server:
tailscale update
You will then need to restart tailscaled
which can be done by simply rebooting the router:
reboot
Resources which helped me along the way:
Stumbling blocks:
- Did not realize that I need to prefix most paths with
/opt
as that’s where Tailscale is installed - I initially tried launching tailscaled from
services-start
until I realized that/opt
was unavailable at that point