HA networking - unable to ping Tailscale/Tailnet IPs from HA device

I have a fully working Tailscale network with 16 devices already added and several IoT devices that can be reached from the Tailnet via subnet routing.

I installed Tailscale addon (actually tried several addons one by one) to my HA to start monitoring IoT devices on remote site via Tailnet.

The problem:

It seems that none of the Tailscale AddOns I tried with my HA is able to “see” the Tailnet IPs.

After some frantic Googling and Homeassistant forum reading I decided to ask help.

I do not understand why HA does not see the Tailnet devices - see as in “ping tailnetdeviceip” → 100% packet loss.

Is there anyone who has had a similar problem with HA? Networking seems to be somehow limited when it comes to Tailscale AddOns.

HA’s local network and devices in the same local network are reachable, can be configured and used with HA without limitation.


My system:

Raspberry Pi 3B
The latest HA OS
Home Assistant 2023.1.6
Supervisor 2022.12.1
Operating System 9.4
Frontend 20230110.0 - latest

Network connection:

Using ethernet cable directly from home router to HA RaspberryPi.

Tailscale AddOn currently in use:

elcajon-tech-Tailscale, 0.4.5 (GitHub - elcajon-tech/addon-tailscale: Tailscale - Home Assistant Add-ons)

Have you tried doing a traceroute? This would tell you where it dies. In/Out of the headend router (gateway/modem/ISP).

Indeed traceroute could give some more detailed information. While waiting for someone to answer I read a lot of documentation. If I have understood correctly every addon runs in a separate container insulated from the main HA core. The networking between these containers can be tricky.

Traceroute gave me some data, but not in a way I can understand. To me it seems that HA saw the Tailnet network, but for some reason still tried to continue the route using the local gateway (?). I must admit that I am not that familiar with how Linux systems do networking at this level.

Here is the output of traceroute:

(screenshot of traceroute output)

I’m not aware of any kind of route restrictions or firewall - which would be possible in docker environments.

I run:

Supervisor 2022.12.1
Operating System 9.4

and can ping all devices from HAOS terminal (core_ssh addon) in the network. Do you have HAOS in some kind of guest network? Some routers do prohibit outgoing connections to local networks from guest/dmz/vlan/(what ever marketing name vendors invent).

Some of these configurations also restrict outgoing traffic to certain ports (80/TCP, 443/TCP are mostly allowed afaik), can you try wget -O - https://google.com or curl https://google.com.

What does the routing table look like?

ip route
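As an added illustration (not part of any post in this thread, and not the add-on's own code): the question behind "ip route" is whether a packet for a Tailnet address or for the remote 192.168.2.0/24 subnet would leave through Tailscale's interface at all, or fall through to the default route and hit the LAN gateway, which is what the traceroute above looked like. The script below does the same longest-prefix match the kernel does over a routing table you paste in. Both tables are constructed stand-ins for what "ip route" prints inside an add-on container; the interface name tailscale0 is the one Tailscale creates when it runs in kernel mode (in userspace networking mode no such interface and no Tailscale routes exist, so everything goes to the default gateway). The 192.168.1.50, 172.30.32.0/23 and 100.101.102.103 values are made up for the example.

```sh
#!/bin/sh
# Added example: decide, from "ip route" output, which interface a packet to a
# given destination would leave through. Both tables below are CONSTRUCTED
# stand-ins for what "ip route" prints inside an HA add-on container.
# tailscale0 is the interface Tailscale creates when it runs in kernel mode;
# in userspace networking mode there is no tailscale0 and no Tailscale route.

# Table 1: only LAN, add-on bridge (hassio) and default routes; no tailnet.
ROUTES_BROKEN='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
172.30.32.0/23 dev hassio proto kernel scope link src 172.30.32.1'

# Table 2: same, plus the tailnet CGNAT range (100.64.0.0/10) and the remote
# subnet from the thread (192.168.2.0/24) routed through tailscale0.
ROUTES_GOOD="$ROUTES_BROKEN
100.64.0.0/10 dev tailscale0
192.168.2.0/24 dev tailscale0"

# Dotted-quad IPv4 address -> unsigned integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_dev TABLE DEST: longest-prefix match over TABLE, print the "dev" of
# the winning route ("default" is treated as 0.0.0.0/0, a bare IP as /32).
route_dev() {
  table=$1
  dst=$(ip2int "$2")
  best=-1
  bestdev=""
  while read -r line; do
    [ -z "$line" ] && continue
    set -- $line
    net=$1; shift
    [ "$net" = default ] && net=0.0.0.0/0
    case $net in
      */*) plen=${net#*/}; net=${net%/*} ;;
      *)   plen=32 ;;
    esac
    # the token after "dev" is the outgoing interface
    dev=""
    while [ $# -gt 0 ]; do
      [ "$1" = dev ] && dev=$2
      shift
    done
    mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
    if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
       && [ "$plen" -gt "$best" ]; then
      best=$plen
      bestdev=$dev
    fi
  done <<EOF
$table
EOF
  printf '%s\n' "$bestdev"
}

# tailnet_path TABLE DEST: "ok" when DEST would leave via tailscale0,
# otherwise name the interface it would use instead (eth0 = LAN gateway,
# which matches the traceroute behaviour described in the thread).
tailnet_path() {
  dev=$(route_dev "$1" "$2")
  if [ "$dev" = tailscale0 ]; then
    echo ok
  else
    echo "not via tailscale0 (would use $dev)"
  fi
}

# On the HA box itself, run it against the live table from the shell where
# ping fails (the SSH add-on terminal):
#   tailnet_path "$(ip route)" 192.168.2.20

tailnet_path "$ROUTES_BROKEN" 192.168.2.20
tailnet_path "$ROUTES_GOOD"   192.168.2.20
```

With the first table the script reports that 192.168.2.20 would go out via eth0, i.e. to the home router, which never heard of the remote subnet; with the second it reports ok. If the live "ip route" on the HA box shows no tailscale0 entries at all, the add-on has not installed routes into the network namespace your shell runs in, and no amount of firewall fiddling on the router will change the result.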

It seems to be stopping inside the gateway router, not translating to a public IP address of the WAN from what I can see. From what I see your LAN is 192.168.2.X, your IoT is 172.30.32.X and the ISP is giving you 192.168.1.1 for the WAN - is that correct? So your ISP is handing out private IP addresses (which translates to a Double NAT condition).
That is all a guess because you didn’t say what (to or from) or which way you’re running the traceroute, therefore I assume from a local computer on out.

From the screenshot provided he is trying to traceroute his router / default gateway (normally the internet connecting router is the default gateway, if not some advanced setup is used and not described here) from within a docker container (core_ssh addon) of his HAOS.
Normally that must work, otherwise the device (HAOS) couldn’t reach the network or be reached from the network. Which is obviously the case as he connects from his computer (or whatever device) to HA UI / HA core_ssh SSH server.

As I see it there are 2 reasons for that, at least these are the most likely (in my opinion):

  1. ICMP is blocked and therefore ping / traceroute isn’t possible at all in his network. See here or here for example. In my humble opinion blocking ICMP is a bad idea, as long as you don’t know what you are doing. However, this is often done (afaik) using “consumer friendly” network separations - see my post above.
  2. Network traffic to the internet is only allowed on certain ports, this is also sometimes done as it could mitigate connections to P2P networks for example. That’s why it is more reliable to check if a website can be accessed (curl / wget or whatever other tool you prefer to access a webserver from shell).

If access to a webserver works you can test other ports, curl does and wget should support this.
If your needed port is not supported by either, netcat (nc) can definitely provide information on port accessibility, or (even more powerful) nmap, but it’s more complicated to use.

Thank you for your time,

Perhaps I need to clear up some details, as the replies seem to be about “normal” network configuration/routing that is working.

The problem in my case is, that the Tailscale Zero-Config VPN/IPN network is not available after installing Tailscale AddOn (any of the available AddOns). Locally everything goes well, but the VPN network (Tailnet) is not available.

The configuration is:

192.168.1.0/24 ← HA’s LOCAL home network ← Everything O.K.

192.168.2.0/24 ← REMOTE subnet that is available via Tailnet (Tailscale) Zero-VPN

As said in the original post, I already have a fully working Tailnet with 16 nodes and subnet routing that is working 100%. For some reason when I add HA to this same Tailnet with the available AddOns I am not able to reach any of the IPs inside the Tailnet VPN network or subnet IPs available via it.

I did a test and took a brand new Raspberry Pi 4 with fresh HA OS and installed only the SSH & Console AddOn and Tailscale AddOn to be sure there is no difference in the image of the HA OS between RPI3 and RPI4.

Same happened, none of the nodes or IP devices in the Tailscale network or subnets via it are available from the HA OS itself, so no IP cameras, temperature sensors or other IP-IoT devices are available to my HA via Tailscale.

I’d like to say that something in HA is causing this as I have not been able to reproduce this problem with anything else, RaspberryOS included, I have several RPi’s, NUC’s, tablets and laptops communicating via Tailscale Tailnet VPN without any problems.

And as a quite newbie with Linux-docker-container world I am totally lost with this now :smiley:

Ahh now I understand what’s your problem. Based on your traceroute screenshot you’re trying to reach your default gateway of 192.168.2.0/24.

To me then it seems like the Tailnet Addon does not inject a suitable route into the base system. Sadly I can’t tell you how to access a HA OS base system shell. If you could, PeterRage’s suggestion would tell you. My best suggestion is then to ask the addon maintainers - maybe one comes across here.

As I have no clue what tailnet does / works I can’t help you further. Good luck :slight_smile:

I think I’m seeing something similar.
Currently I have HA on the LAN and use cloudflare add-on to access remotely through a privately registered domain.

Tailscale add-on is installed and it’s used as a backup in case there’s an issue with the cloudflare addon or problems where HA loses its IP and needs to be reconfigured.

On our LAN we have a couple of PiHole which also use Tailscale so that we have ad/tracker blocking on mobile devices when out n about, but my #2 PiHole which runs in docker will often fail to start Tailscale automatically.

So I had a thought that I could use the UptimeKuma addon to monitor it and notify if the #2 PiHole was disconnected from the Tailscale network.

This is how I ended up on this thread.
We can access HA from any other node in Tailscale no problem, but the HA instance doesn’t seem to be able to see out to the Tailscale network.

Could it be that when an Exit node is defined that this makes it one-way traffic?

I’m running into the same issue as @OH1MAC :

Home Assistant with the Tailscale add-on can’t connect to Tailnet devices, even though other Tailscale machines can successfully connect to the same Tailnet devices.

Did anyone arrive at a solution for this?

I managed to solve this by accident. First, install the " Home Assistant Custom Add-on: Tailscale with features". No tricky options here, just the basic installation.

After the first start and login to the TailNet open the configuration, turn the “Userspace networking mode” ON, re-start the add-on, go again to the configuration and turn OFF the same “Userspace networking mode” option → re-start the add-on.

This triggers add-on to actually modify the Tailscale networking and after this you are able to connect devices over the TailNet on other subnets.

I do not know why this needs to be done, a bug perhaps in the add-on or just “it is like this”. Anyhow, this solved my problems and I am able to e.g. add security IP cameras to my local HA over the TailNet from the remote subnet.


I think I’m trying to do the exact same thing as you, unfortunately your solution hasn’t worked for me…but maybe I’m doing something wrong:

  1. Install Tailscale in Home Assistant from this repo.

  2. Start and connect to my tailnet, all good I can now ping the device from my PC on the same Tailnet.

  3. If I go into HA terminal and try ping another device on the tailnet it doesn’t work → issue I’m trying to fix.

  4. I enable this option and reboot:

  5. I can now go into HA terminal and ping other devices on my Tailnet - issue resolved.
    BUT, I now can’t access HA via my reverse proxy.

  6. I disable that setting highlighted above and re-start the add-on and my ability to ping other devices from HA terminal is lost.

Have I missed something obvious in your steps or is that pretty much what you did?

Cheers!

EDIT: realised you are referring to this repo (I think).

Still trying to get it working, I enable this, reboot, disable, reboot and for some reason my Tailscale is crashing now…

Thank You, Big Thank You!
I was pulling hairs out with this issue…
Finally clients on both sites can talk to each other, before it only worked one way…

Now only thing left is to setup static routes on udm to be able access remote lan from main lan.

this fixed the ping issue for me thx

Thank You, this worked great for me.

Oh man, thanks!!
You saved me headaches.
I first tried to use Twin Gate, but regardless of what I tried, I couldn’t connect to my HA.
So I started with Tailscale and ran into the exact same problem as you.
I was so frustrated. After activating this option, I finally have external access to the companion app.
:kissing_heart: :smiling_face_with_three_hearts: