Tailscale Explained: How a Subnet Router Works
This document provides a deeper dive into the "Subnet Router" feature of Tailscale, explaining how it allows you to access your entire home network from anywhere in the world.
The Goal of a Subnet Router
By default, Tailscale creates a secure network connecting only the devices that have the Tailscale client installed and are logged in. This is great, but what about the other devices on your home network that don't run Tailscale, like your NAS, printers, or other servers?
The Subnet Router feature solves this by designating one Tailscale device (in our case, the Raspberry Pi) as a secure gateway for your entire home network.
How We Set It Up
We performed three distinct actions to make this work:

- The Advertisement (The Command on the Pi)

  `sudo tailscale up --advertise-routes=192.168.1.0/24`

  This command told the Raspberry Pi to announce to the central Tailscale coordination server: "In addition to being a single device, I can also act as a gateway to the entire `192.168.1.0/24` network that I'm physically connected to."

- The Permission (The Linux Kernel Setting)

  `echo 'net.ipv4.ip_forward=1' | sudo tee /etc/sysctl.d/99-tailscale.conf`

  This gave the Linux kernel on the Raspberry Pi permission to forward network packets (the file is read at boot; `sudo sysctl -p /etc/sysctl.d/99-tailscale.conf` applies it immediately). By default, for security, Linux will drop any packet it receives that isn't addressed to itself. This setting tells the kernel: "It's okay to act like a router and forward packets between your network interfaces (i.e., from the Tailscale virtual network to the `eth0` physical network)."

- The Authorization (The Admin Console)

  Finally, you approved the route in the Tailscale Admin Console. This was you, the network administrator, giving the final authorization: "Yes, I trust this Raspberry Pi to handle traffic for my home network. Please tell all other devices on my Tailscale network that this is a valid route."
How It Works: Visualizing the Packet's Journey
Let's follow a single ssh request from your laptop in a German coffee shop to your NAS at home.
+---------------------------------+          +------------------------------------------+
|      COFFEE SHOP (Germany)      |          |                 YOUR HOME                |
|     (Public Wi-Fi Network)      |          |     (Private 192.168.1.0/24 Network)     |
|                                 |          |                                          |
|  +---------------------------+  |          | +----------------+  +-----------------+  |
|  |      Your M3 Laptop       |  |          | |  Raspberry Pi  |  |   NAS Server    |  |
|  |                           |  |          | | (Subnet Router)|  | (192.168.1.12)  |  |
|  |  Tailscale IP: 100.x.y.z  |  |          | |  192.168.1.13  |  +-----------------+  |
|  |  Local IP: 10.20.30.40    |  |          | | Tailscale IP:  |                       |
|  +---------------------------+  |          | |   100.a.b.c    |                       |
|                                 |          | +----------------+                       |
+---------------------------------+          +------------------------------------------+
                |
                1. `ssh user@192.168.1.12`
                |
                |       +-------------------------------------------------------------+
                +------>| TAILSCALE (Virtual Overlay Network)                         |
                        |                                                             |
                        | PACKET JOURNEY:                                             |
                        | ----------------                                            |
                        | 2. Your laptop's OS checks its routing table. It sees a     |
                        |    rule (learned from Tailscale) that says: "To reach       |
                        |    `192.168.1.x`, send the packet to the Raspberry Pi."     |
                        |                                                             |
                        | 3. The Tailscale client on your laptop ENCRYPTS the packet  |
                        |    for `192.168.1.12` and sends it across the public        |
                        |    internet to your Raspberry Pi.                           |
                        |                                                             |
                        |                             +                               |
                        |                             |                               |
                        |                             v                               |
                        | 4. The Raspberry Pi receives the encrypted packet. Its      |
                        |    Tailscale client DECRYPTS it, revealing the original     |
                        |    packet destined for `192.168.1.12`.                      |
                        |                                                             |
                        | 5. Because 'IP forwarding' is enabled, the Pi's kernel      |
                        |    doesn't drop the packet. It forwards it from the         |
                        |    Tailscale virtual interface to its physical `eth0`       |
                        |    interface, sending it onto your local home network.      |
                        |                                                             |
                        |                             +                               |
                        |                             |                               |
                        |                             v                               |
                        | 6. The packet arrives at the NAS at `192.168.1.12`.         |
                        |                                                             |
                        +-------------------------------------------------------------+
The entire process happens in reverse for the reply from the NAS. To your laptop, it feels like it has a direct, secure connection, even though the Raspberry Pi is doing all the routing work automatically and securely in the background.
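As an added illustration (not code from the original page or from Tailscale), the following Python model walks a packet through the three conditions the journey above depends on: an approved route in the laptop's table, a longest-prefix match that picks the Pi, and IP forwarding enabled on the Pi. It also shows the two failure modes (route not approved, forwarding off). The addresses 100.101.102.103 and 10.20.30.1 are constructed stand-ins for the page's 100.a.b.c and the coffee-shop gateway.

```python
import ipaddress

# Constructed model of the scenario in the text; no real Tailscale state is read.
PI_TAILSCALE_IP = "100.101.102.103"   # stands in for the page's "100.a.b.c"
HOME_LAN = "192.168.1.0/24"

def next_hop(routes, dst):
    """Longest-prefix match, as the laptop's kernel does in step 2.
    routes maps prefix -> next hop; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def laptop_routes(route_approved):
    """Only a route that is advertised *and* approved is pushed to the laptop."""
    routes = {"0.0.0.0/0": "10.20.30.1 (coffee-shop gateway)",   # constructed
              "100.64.0.0/10": "tailscale0"}                     # Tailscale range
    if route_approved:
        routes[HOME_LAN] = PI_TAILSCALE_IP
    return routes

def pi_forward(ip_forward, dst):
    """Step 5: the Pi only forwards a packet not addressed to itself when
    net.ipv4.ip_forward=1; the home LAN is reached through eth0."""
    if ipaddress.ip_address(dst) not in ipaddress.ip_network(HOME_LAN):
        return None
    return "eth0" if ip_forward else None

def trace(dst, route_approved=True, ip_forward=True):
    """Return the hops the packet takes; the last entry says where it ended."""
    hops = ["laptop"]
    hop = next_hop(laptop_routes(route_approved), dst)
    if hop != PI_TAILSCALE_IP:
        hops.append(f"sent to {hop}: private address, never reaches home")
        return hops
    hops.append("tailscale0 -> encrypted to pi")   # step 3
    hops.append("pi decrypts")                     # step 4
    egress = pi_forward(ip_forward, dst)
    if egress is None:
        hops.append("pi drops: ip_forward=0")
        return hops
    hops.append(f"pi forwards via {egress}")       # step 5
    hops.append(f"delivered to {dst}")             # step 6
    return hops
```

Running `trace("192.168.1.12")` with both switches on reproduces the six steps of the diagram; flipping either switch shows where the packet is lost.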