{"id":830,"date":"2022-09-14T13:22:25","date_gmt":"2022-09-14T11:22:25","guid":{"rendered":"http:\/\/cln.io\/blog\/?p=830"},"modified":"2026-04-19T21:09:29","modified_gmt":"2026-04-19T19:09:29","slug":"tailscale-local-network-access","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/tailscale-local-network-access\/","title":{"rendered":"Access your local network over Tailscale (Home Assistant add-on or Linux CLI)"},"content":{"rendered":"\n

By default, your Tailscale client can reach other Tailscale nodes but not the LAN sitting behind them. To hit 192.168.x.x<\/code> devices (printers, NAS, cameras, whatever) from the road, one node needs to advertise subnet routes<\/a>.<\/p>\n\n\n\n

Two ways to do it: the Home Assistant Tailscale add-on (easiest if you already run HA), or the tailscale up<\/code> CLI on any Linux box.<\/p>\n\n\n\n

Option 1: Home Assistant Tailscale add-on<\/h2>\n\n\n\n

If you already have the official Tailscale add-on installed (a0d7b954_tailscale<\/code>), you don’t need to touch SSH or sysctl<\/code> \u2014 the add-on handles IP forwarding. Head to Settings > Add-ons > Tailscale > Configuration and drop the subnets you want to reach into advertise_routes<\/code>.<\/p>\n\n\n\n

The one thing<\/strong> that will bite you: also set userspace_networking: false<\/code>. In userspace mode the add-on can’t route traffic to other devices on your LAN, so your routes won’t actually work.<\/p>\n\n\n

\n
\"Home
Configuration tab: subnets as chips, Userspace networking mode toggled off<\/figcaption><\/figure>\n<\/div>\n\n\n

Or use the YAML view (menu > Edit in YAML) if you prefer to paste config directly:<\/p>\n\n\n\n

advertise_routes:\n  - 192.168.1.0\/24\n  - 192.168.2.0\/24\n  - 192.168.10.0\/24\n  - 192.168.20.0\/24\nuserspace_networking: false<\/pre>\n\n\n
\n
\"Home
Same thing via Edit in YAML<\/figcaption><\/figure>\n<\/div>\n\n\n
Hit Save, restart the add-on, then approve the routes<\/a> in the Tailscale admin console.<\/p>\n\n\n\n
Approve the routes in the Tailscale admin console<\/h2>\n\n\n\n
Advertising routes isn’t enough on its own \u2014 you also have to approve them. Head over to the route settings of the node you just advertised from:<\/p>\n\n\n
\n
\"\"
“Edit route settings…”<\/figcaption><\/figure>\n<\/div>\n\n
\n
\"\"
and enable the advertised route<\/figcaption><\/figure>\n<\/div>\n\n\n
That’s it \u2014 when you use this node as an exit host (or just target its advertised subnets directly) you can now reach your local network. 🎉<\/p>\n\n\n\n
Option 2: any Linux exit node (CLI)<\/h2>\n\n\n\n
No Home Assistant? Same idea, just done by hand on whatever Linux box you’re running Tailscale on. SSH into it:<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Enable IP forwarding:<\/p>\n\n\n\n
echo 'net.ipv4.ip_forward = 1' | sudo tee -a \/etc\/sysctl.conf\necho 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a \/etc\/sysctl.conf\nsudo sysctl -p \/etc\/sysctl.conf<\/pre>\n\n\n\n
I don’t run firewalld on my local devices so I skipped masquerading. If you do, you’ll need:<\/p>\n\n\n\n
firewall-cmd --permanent --add-masquerade<\/pre>\n\n\n\n
Then advertise the subnet (and optionally make this node an exit node too):<\/p>\n\n\n\n
sudo tailscale up --advertise-routes=192.168.1.0\/24 --advertise-exit-node<\/pre>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
Same approval step as above and you’re done.<\/p>\n\n","protected":false},"excerpt":{"rendered":"
By default, your Tailscale client can reach other Tailscale nodes but not the LAN sitting behind them. To hit 192.168.x.x devices (printers, NAS, cameras, whatever) from the road, one node needs to advertise subnet routes. […]<\/p>\n","protected":false},"author":1,"featured_media":2202,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,37],"tags":[],"class_list":["post-830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it","category-networking"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=830"}],"version-history":[{"count":11,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/830\/revisions"}],"predecessor-version":[{"id":2203,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/830\/revisions\/2203"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/2202"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}