Access your local network over Tailscale (Home Assistant add-on or Linux CLI)

By Category :

By default, your Tailscale client can reach other Tailscale nodes but not the LAN sitting behind them. To hit 192.168.x.x devices (printers, NAS, cameras, whatever) from the road, one node needs to advertise subnet routes.

Two ways to do it: the Home Assistant Tailscale add-on (easiest if you already run HA), or the tailscale up CLI on any Linux box.

Option 1: Home Assistant Tailscale add-on

If you already have the official Tailscale add-on installed (a0d7b954_tailscale), you don’t need to touch SSH or sysctl — the add-on handles IP forwarding. Head to Settings > Add-ons > Tailscale > Configuration and drop the subnets you want to reach into advertise_routes.

The one thing that will bite you: also set userspace_networking: false. In userspace mode the add-on can’t route traffic to other devices on your LAN, so your routes won’t actually work.

Home Assistant Tailscale add-on Configuration tab showing advertised subnet routes and userspace networking mode disabled
Configuration tab: subnets as chips, Userspace networking mode toggled off

Or use the YAML view (menu > Edit in YAML) if you prefer to paste config directly:

advertise_routes:
  - 192.168.1.0/24
  - 192.168.2.0/24
  - 192.168.10.0/24
  - 192.168.20.0/24
userspace_networking: false
Home Assistant Tailscale add-on YAML configuration showing advertise_routes and userspace_networking: false
Same thing via Edit in YAML

Hit Save, restart the add-on, then approve the routes in the Tailscale admin console.

Approve the routes in the Tailscale admin console

Advertising routes isn’t enough on its own — you also have to approve them. Head over to the route settings of the node you just advertised from:

“Edit route settings…”
and enable the advertised route

That’s it — when you use this node as an exit host (or just target its advertised subnets directly) you can now reach your local network. 🎉

Option 2: any Linux exit node (CLI)

No Home Assistant? Same idea, just done by hand on whatever Linux box you’re running Tailscale on. SSH into it:

Enable IP forwarding:

echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf

I don’t run firewalld on my local devices so I skipped masquerading. If you do, you’ll need:

firewall-cmd --permanent --add-masquerade

Then advertise the subnet (and optionally make this node an exit node too):

sudo tailscale up --advertise-routes=192.168.1.0/24 --advertise-exit-node

Same approval step as above and you’re done.

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Oldest
Newest Most Voted