Installing Tailscale on Asus RT-AX86U Router for a Free Home VPN
I wanted to be able to:
- Access geo-restricted content when in other countries by routing my Internet traffic through my home network
- Remotely access my router to monitor my home network
When I discovered Tailscale, I realized if I could install it on my Asus RT-AX86U router I could achieve both of these goals without paying for a VPN.
Asus does not allow installation of additional software on its routers, but I found a third-party alternative firmware called Asuswrt-Merlin which enables this. Below I’ve detailed the steps I took to install this firmware and Tailscale on my router.
Requirements
- An Asus router model supported by Asuswrt-Merlin
- A USB drive to persist router configuration
Setting up the Router
- Install Asuswrt-Merlin
- SSH into the router
- Install Entware - required to install the Tailscale package and configure it to launch on boot
Installing Tailscale
Once Entware is installed, use its package manager opkg to install Tailscale:
opkg update
opkg install tailscale
Then create a script which will launch tailscaled, the Tailscale daemon:
cd /jffs/scripts
touch start-tailscaled.sh
chmod +x start-tailscaled.sh
Edit start-tailscaled.sh to have the following source:
#!/bin/sh
exec > /jffs/scripts/start-tailscaled.log 2>&1
sleep 10
# Without the above delay, this script intermittently fails with the error:
# `safesocket.Listen: /opt/var/run/tailscale/tailscaled.sock: address already in use`
TAILSCALE_DIR="/opt/bin"
TAILSCALE_STATE_DIR="/opt/var/lib/tailscale"
SOCKET_DIR="/opt/var/run/tailscale"
SOCKET_FILE="$SOCKET_DIR/tailscaled.sock"
echo "Ensuring socket dir exists"
mkdir -p "$SOCKET_DIR"
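# Note: -f is true only for regular files, so a Unix socket that a running
# tailscaled is still listening on is not removed by this check.
if [ -f "$SOCKET_FILE" ]; then
    echo "Removing socket file"
    rm "$SOCKET_FILE"
else
    echo "Socket file does not exist"
fi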
echo "Ensuring tailscale state dir exists"
mkdir -p "$TAILSCALE_STATE_DIR"
echo "Launching tailscaled in the background"
$TAILSCALE_DIR/tailscaled --statedir="$TAILSCALE_STATE_DIR" --socket="$SOCKET_FILE" --tun=userspace-networking &
TAILSCALED_PID=$!
COUNTER=0
MAX_WAIT=30 # Maximum number of seconds to wait
echo "Waiting for tailscaled to become ready..."
while [ ! -S "$SOCKET_FILE" ]; do
    if [ $COUNTER -ge $MAX_WAIT ]; then
        echo "tailscaled did not become ready within $MAX_WAIT seconds."
        exit 1
    fi
    echo "Still waiting..."
    sleep 1
    COUNTER=$((COUNTER+1))
done
echo "Tailscaled is ready. Proceeding with 'tailscale up'."
if ! output=$($TAILSCALE_DIR/tailscale up --advertise-exit-node 2>&1); then
    echo "'tailscale up' failed with error:"
    echo "$output"
    kill $TAILSCALED_PID
    exit 1
fi
echo "Setup complete."
Now run this script:
/jffs/scripts/start-tailscaled.sh
You will need to open the /jffs/scripts/start-tailscaled.log file and authenticate the node using the web login URL.
Launching Tailscale on boot
To make Tailscale run even after the router restarts, we will modify one of the user scripts that Asuswrt-Merlin provides.
To enable custom scripts, log in to your router’s web interface:
- Scroll down to Advanced Settings
- Click Administration
- Switch to the System tab
- Toggle Enable JFFS custom scripts and configs to Yes
We have chosen post-mount because it executes after /opt, where Tailscale resides, is available.
echo -e ". /jffs/scripts/start-tailscaled.sh\n" >> /jffs/scripts/post-mount
Then restart your router. This will temporarily take down your network.
reboot
To check the status of Tailscale:
tailscale --socket=/opt/var/run/tailscale/tailscaled.sock status
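The `>>` append to post-mount shown above adds a duplicate line every time it is repeated, so the start script would run twice per mount, and Asuswrt-Merlin only runs user scripts that start with a shebang and are executable. The following is an added example, not part of the original post: `ensure_hook` and `count_hook` are hypothetical helpers that make that step safe to repeat.

```shell
#!/bin/sh
# Added example: idempotent install of the start-tailscaled.sh hook line.
# ensure_hook and count_hook are hypothetical helpers, not part of
# Asuswrt-Merlin or Tailscale.

HOOK_LINE=". /jffs/scripts/start-tailscaled.sh"

# ensure_hook FILE LINE
# Creates FILE with a shebang if it is missing, appends LINE only when no
# identical line is already present, and makes FILE executable.
ensure_hook() {
    file=$1
    line=$2

    if [ ! -e "$file" ]; then
        printf '#!/bin/sh\n' > "$file" || return 1
    fi

    # -F fixed string, -x whole-line match, -q quiet
    if grep -Fxq -- "$line" "$file"; then
        echo "hook already present in $file"
    else
        # Start on a fresh line even if the file lacks a trailing newline.
        if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
            printf '\n' >> "$file"
        fi
        printf '%s\n' "$line" >> "$file" || return 1
        echo "hook added to $file"
    fi

    chmod +x "$file"
}

# count_hook FILE LINE: number of identical hook lines (should be 1).
count_hook() {
    grep -Fxc -- "$2" "$1"
}

# On the router:
#   ensure_hook /jffs/scripts/post-mount "$HOOK_LINE"
```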
Enabling SSH access through Tailscale
If you would like to enable SSH access to your router through Tailscale, then from the router:
tailscale --socket=/opt/var/run/tailscale/tailscaled.sock set --ssh=true
You will also need to add the --ssh flag to the tailscale up command in start-tailscaled.sh. Then you should be able to SSH into your router from anywhere.
Updating Tailscale
To update from Entware package:
opkg upgrade tailscale
I have found that the Tailscale opkg package is rarely updated. To update despite this, you can update directly from Tailscale’s package server. Note that Asuswrt-Merlin discourages updating Tailscale in this way as such versions of Tailscale may be incompatible with Asuswrt-Merlin [1]:
tailscale update
You will then need to restart tailscaled, which can be done by simply rebooting the router:
reboot
If you’d like to set up auto-updates, try the following:
cd /jffs/scripts
echo -e "#!/bin/sh\ntailscale update --yes\n/opt/etc/init.d/S06tailscaled stop\n. /jffs/scripts/start-tailscaled.sh" > update-tailscale.sh
chmod +x update-tailscale.sh
To test the script (if you execute it without nohup, you’ll kill Tailscale and need to reboot your router):
nohup ./update-tailscale.sh &
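The update script above stops and restarts tailscaled on every run, even when nothing was updated. The following is an added example, not part of the original post: `update_tailscale` is a hypothetical helper that records the version before and after `tailscale update --yes` and restarts only when it changed; the four variables default to the paths used on this page and are overridable assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The four variables below default
# to the paths used on this page and can be overridden for testing elsewhere.
TS_BIN="${TS_BIN:-/opt/bin/tailscale}"
TS_SOCKET="${TS_SOCKET:-/opt/var/run/tailscale/tailscaled.sock}"
STOP_CMD="${STOP_CMD:-/opt/etc/init.d/S06tailscaled stop}"
START_SCRIPT="${START_SCRIPT:-/jffs/scripts/start-tailscaled.sh}"

# The first line of `tailscale version` is the version string.
ts_version() {
    "$TS_BIN" --socket="$TS_SOCKET" version | head -n 1
}

# update_tailscale (hypothetical helper)
# Returns 0 = updated and restarted, 1 = already current, 2 = failure.
update_tailscale() {
    before=$(ts_version)
    if [ -z "$before" ]; then
        echo "cannot read the installed version; nothing changed"
        return 2
    fi

    if ! "$TS_BIN" --socket="$TS_SOCKET" update --yes; then
        echo "update failed; tailscaled left running on $before"
        return 2
    fi

    after=$(ts_version)
    if [ -z "$after" ]; then
        echo "cannot read the version after updating; not restarting"
        return 2
    fi
    if [ "$after" = "$before" ]; then
        echo "already at $before; no restart needed"
        return 1
    fi

    echo "updated $before -> $after; restarting tailscaled"
    $STOP_CMD            # unquoted on purpose: command plus its argument
    "$START_SCRIPT"      # run as a child process instead of sourcing it
}

# Only act when called with "run", e.g.: nohup ./safe-update.sh run &
if [ "${1:-}" = "run" ]; then update_tailscale; fi
```

The file name `safe-update.sh` in the last comment is a placeholder. As with the page's script, start it under nohup so the restart does not take your own session down with it.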
Resources which helped me along the way:
Stumbling blocks:
- Did not realize that I need to prefix most paths with /opt as that’s where Tailscale is installed
- I initially tried launching tailscaled from services-start until I realized that /opt was unavailable at that point
References
- [1] https://github.com/RMerl/asuswrt-merlin.ng/wiki/Installing-Tailscale-through-Entware#updating-tailscale-or-not