Install Tailscale on OpenWRT TP-Link ER605 Router

Setting up a VPN server at home can be frustrating. You usually need a public static IP address, a domain name, and have to deal with port forwarding. But what if your internet provider only gives you a private IP (behind CGNAT) — meaning you’re not even directly accessible from the outside? In that case, traditional VPN setups simply won’t work without extra services. That’s where Tailscale comes in. It removes all the hassle and lets you access your home network securely from anywhere — no static IP, no port forwarding, and no headaches.

What You’ll Learn

In this guide, I’ll show you how to install and configure Tailscale on your OpenWRT ER605 router. You’ll learn how to create the right network interfaces, adjust firewall settings, test remote access from your phone, and set up features like route sharing and exit nodes — all in a way that works even if your ISP only gives you a private IP.

Install Tailscale on OpenWRT ER605 Router

1. Prerequisites

Make sure your router is powered on and connected to the internet.
Log in to your OpenWRT web interface.

2. Install Tailscale

Go to System > Software.
Click Update Lists (optional but recommended).
Search for and install tailscale package.

Configure Interfaces

3. Add Tailscale Interface

Go to Network > Interfaces > Add New Interface.
Name: tailscale
- Protocol: Unmanaged
- Device: tailscale0
Go to Firewall Settings tab.
- Type tailscale in the Custom firewall zone box.
Click Save

4. Add Dummy Interface (Optional: Isolate LAN from Tailscale)

Go to Network > Interfaces > Add New Interface.
Name: tlan
- Protocol: Unmanaged
- Device: leave it blank
In Firewall Settings, type tlan in the custom zone box.
Click Save and Save & Apply.

Configure Firewall

5. Set Up Firewall Zones

`tailscale` Zone:

Input: accept
Output: accept
Intra-zone Forwarding: reject
Check: Masquerading, MSS Clamping
Allow forward to destination zones: wan
Allow forward from source zones: tlan
Click Save

`tlan` Zone:

Input: accept
Output: accept
Intra-zone Forwarding: accept
Masquerading & MSS Clamping: unchecked
Allow forward to destination zones: tailscale
Allow forward from source zones: unspecified
Click Save

`wan` Zone:

Input: reject
Output: accept
Intra-zone Forwarding: reject
Check: Masquerading, MSS Clamping
Allow forward to destination zones: unspecified
Allow forward from source zones: lan, tailscale
Click Save & Apply.

Set Up Tailscale

6. Start Tailscale

SSH into your router and run:

tailscale up

A login URL will be printed. Open it in your browser to authenticate.
If it’s your first time, register on the Tailscale website.

Test Tailscale Connection from Mobile

7. Verify Connection

Install and open the Tailscale app on your phone.
Turn off Wi-Fi and use mobile data.
Log in and connect.
Copy your OpenWRT Tailscale IP from the app.
Paste it into your mobile browser — you should see the OpenWRT web interface.

Advertise Routes

What are advertised routes? This allows your OpenWRT router to route traffic to devices on your LAN via Tailscale.

8. Enable Advertised Routes

run:

tailscale up --advertise-routes=192.168.30.0/24 --accept-routes
service tailscale restart

Visit the Tailscale admin panel and approve the advertised route.

9. Test from Mobile

Reconnect to Tailscale on your phone.
Visit your router’s local IP (e.g., 192.168.30.1) in the browser.
You should see the OpenWRT interface.

Set Up Exit Node

What is an exit node? This allows your device to send all its internet traffic through your OpenWRT router — acting like a full VPN tunnel.

10. Enable Exit Node

run:

tailscale up --reset
tailscale up --advertise-routes=192.168.30.0/24 --accept-routes --advertise-exit-node
service tailscale restart

Approve the exit node on the Tailscale admin panel.

11. Test Exit Node

On your mobile, reconnect to Tailscale and enable the exit node.
Open a browser and search for “what is my IP”.
Your IP should now be your router’s broadband IP.
Disable the exit node and refresh the page — your IP should now reflect your mobile network.
This confirms full tunnel VPN is working.

Install Tailscale on OpenWRT TP-Link ER605 Router

Install Tailscale on OpenWRT ER605 Router

1. Prerequisites

2. Install Tailscale

Configure Interfaces

3. Add Tailscale Interface

4. Add Dummy Interface (Optional: Isolate LAN from Tailscale)

Configure Firewall

5. Set Up Firewall Zones

`tailscale` Zone:

`tlan` Zone:

`wan` Zone:

Set Up Tailscale

6. Start Tailscale

Test Tailscale Connection from Mobile

7. Verify Connection

Advertise Routes

8. Enable Advertised Routes

9. Test from Mobile

Set Up Exit Node

10. Enable Exit Node

11. Test Exit Node

1 thought on “Install Tailscale on OpenWRT TP-Link ER605 Router”

Leave a Comment Cancel Reply

Install Tailscale on OpenWRT ER605 Router

1. Prerequisites

2. Install Tailscale

Configure Interfaces

3. Add Tailscale Interface

4. Add Dummy Interface (Optional: Isolate LAN from Tailscale)

Configure Firewall

5. Set Up Firewall Zones

tailscale Zone:

tlan Zone:

wan Zone:

Set Up Tailscale

6. Start Tailscale

Test Tailscale Connection from Mobile

7. Verify Connection

Advertise Routes

8. Enable Advertised Routes

9. Test from Mobile

Set Up Exit Node

10. Enable Exit Node

11. Test Exit Node

1 thought on “Install Tailscale on OpenWRT TP-Link ER605 Router”

Leave a Comment Cancel Reply

`tailscale` Zone:

`tlan` Zone:

`wan` Zone: