Tailscale CLI install guide please

I would like to install tailscale on my PIFI, but am unfamiliar with OpenWrt. Not asking for GUI support at this time. However, it would be extremely helpful if you could provide a guide with step by step instructions to install tailscale on the PIFI. I am a PIFI kit owner.

Thanks so much.

I’ll set it up on mine then add the steps to the docs and link here

Can I ask if Pi 4 or Pi 5 out of interest?

I’m using a Pi4. Thanks so much! :slight_smile:

[Update - Removed video for accuracy]

See pifi.org/tailscale for guide

This is fantastic! Thanks so much for taking the time to provide this tailscale tutorial. I can’t wait to try this, but before I proceed I do have a question regarding step 3.3:

3.3 Run this command to make the app/LuCI compatible with Tailscale
tailscale up --advertise-routes=10.0.0.0/24,10.0.1.0/24 --accept-routes --advertise-exit-node

My purpose for having tailscale on the Pifi is to replace my vpn connection with the tailscale connection. When I connect to the Pifi from any device whether that is my phone, laptop, tablet, etc, I want each device to have access to my home LAN resources such as NAS, media server, etc and use an existing exit node on my tailnet. The exit node on my tailnet is on my home LAN and routes all outbound wan traffic to my vpn server.

I want to avoid having to install tailscale app on all my devices as they increase battery drain. Rather, I want to join the pifi network which is connected to tailscale and access LAN resources and the internet.

To achieve this functionality, would I replace your command 3.3 with this command?
tailscale up --exit-node=<exit-node-ip|name> --exit-node-allow-lan-access

Thank you!

Update, I did replace your command 3.3 with
tailscale up --exit-node=<exit-node-ip|name> --exit-node-allow-lan-access

When a device is connected to Pifi, I am able to access my LAN resources, but unable to access the internet for WAN traffic through my exit node. None of my outbound internet traffic is working. When my phone is connected to Pifi, it says connected, but no internet access.
With tailscale down, internet access returns. With tailscale up, I lose internet access. It appears to be either firewall, DNS or a misconfiguration somewhere.

Also, on tailscale dashboard under Pifi node, is this warning:

Security update available

This machine is running a version with a known security vulnerability. It’s recommended to update to 1.82.5.

/etc/config/network or /etc/config/firewall will show configurations for any potential misconfiguration

You can also restore the default firewall/network for PiFi (sans-tailscale support) by:

cp /etc/sysp/defaults/restoreconfig/network /etc/config;
uci commit network;
cp /etc/sysp/defaults/restoreconfig/firewall /etc/config;
uci commit firewall;
service network reload;
service firewall reload

That will clear any of the changes to firewall and network and should bring it back online after a misconfiguration.

Security update
I’ll try and share a script with you tomorrow. I’ll also do a bit more testing as I’ll bring official tailscale support without needing any config as I think this would be a great addition.


Thank you. I 100% agree it would be a great addition to PiFi. Note, GL.iNet travel routers are moving in the same direction, adding official support to many of their routers. Their GUI approach looks impressive. I just don’t like their hardware and would love to see similar functionality eventually come to the PiFi app. In the meantime, I’m happy to add tailscale via the CLI and look forward to receiving your script. Thanks again for your support. Much much appreciated! :smile:

Hi, I understand you’re super busy, but politely checking in on tailscale. Thanks.

Do apologise, slipped my mind

Will send over updated guide today

Great, thanks so much! Looking forward to receiving it. :slight_smile:

These updated instructions are working for me at the moment - https://www.pifi.org/tailscale

I’ll continue to test over the weekend and confirm it continues to work

(P.S when I’m confident it’s completely stable - it’ll be added to app/firmware too)

Not sure if you saw my message saying it wasn’t working; the updated guide now has a fix!

Thanks so much for updating the tailscale guide. I used the guide you noted just above.

A few observations from my testing:

  1. Step 4 configuring firewalls.
    After pasting firewall rules:
    root@PiFi:~# /etc/init.d/firewall reload
    Section @forwarding[1] option ‘dest’ specifies invalid value ‘openvpn’
    Section @forwarding[1] skipped due to invalid options

Unsure if that can be safely ignored or what’s causing it?

Note, Step 4: Enable Tailscale - I substituted my own tailscale up command as I’m uninterested in using the Pifi router as an exit node. I prefer to use the exit node on my home lan. I used this command: tailscale up --netfilter-mode=off --exit-node=<exitnode> --exit-node-allow-lan-access --accept-routes

  2. In a previous topic I noted that Pifi, when connected to a wireguard tunnel, was leaking DNS and not using the tunnel DNS. You investigated and noted it was a bug. You fixed it for a future release, but as a workaround suggested turning adguard on. With adguard on, the DNS would work properly and route through the tunnel. I noticed that after I added tailscale and connected to the Pifi with no other vpn turned on, it does the opposite: it leaks the DNS while adguard is on, and when I turn adguard off it uses the DNS as I set in tailscale. Note, I don’t require the Pifi adguard as the DNS I set inside my tailnet uses adguard home as the DNS resolver.

With the above aside, from android connected phone it does appear to be working properly. I connect to the Pifi wifi and can access the internet through my exit node. This was not possible with the original guide. I can also successfully connect to my Lan resources/services/app including NAS drive.
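The reload warning quoted above (a forwarding section whose dest names an undeclared 'openvpn' zone) can be caught before reloading. The following is an added example, not from the PiFi guide or from anyone in this thread; it assumes the standard UCI layout of /etc/config/firewall and runs against a constructed sample config that reproduces the warning:

```shell
# Added example, not from the PiFi guide or this thread: lint an OpenWrt UCI
# firewall config for forwarding sections whose src/dest names a zone that no
# 'config zone' section declares. That dangling reference is what makes
# 'firewall reload' warn "option 'dest' specifies invalid value 'openvpn'" and
# skip the section, so that forwarding is silently absent from the ruleset.

# Constructed sample reproducing the symptom: zones lan and tailscale exist,
# but the second forwarding still points at an 'openvpn' zone that is gone.
write_sample_firewall() {
	cat > "$1" <<'EOF'
config zone
	option name 'lan'
config zone
	option name 'tailscale'
	option device 'tailscale0'
config forwarding
	option src 'lan'
	option dest 'tailscale'
config forwarding
	option src 'lan'
	option dest 'openvpn'
EOF
}

# Print "@forwarding[i] <option> <zone>" for each src/dest naming an undeclared
# zone (i counts from 0, as in the reload warning); exit 1 if any, else 0.
lint_forwardings() {
	awk -v q="'" '
	/^config zone/       { sect = "zone"; next }
	/^config forwarding/ { sect = "fwd"; idx++; next }
	/^config /           { sect = "other"; next }
	$1 == "option" {
		key = $2; val = $3; gsub(q, "", val)
		if (sect == "zone" && key == "name") zones[val] = 1
		if (sect == "fwd" && (key == "src" || key == "dest")) ref[++n] = idx " " key " " val
	}
	END {
		for (i = 1; i <= n; i++) {
			split(ref[i], f, " ")
			if (!(f[3] in zones)) { bad++; printf "@forwarding[%d] %s %s\n", f[1] - 1, f[2], f[3] }
		}
		exit (bad ? 1 : 0)
	}' "$1"
}

# Usage: run the lint on the constructed sample before any 'firewall reload'.
tmp="${TMPDIR:-/tmp}/firewall.sample.$$"
write_sample_firewall "$tmp"
if lint_forwardings "$tmp"; then echo "forwardings OK"; else echo "fix the zones above, then reload"; fi
rm -f "$tmp"
```

On a real router, point lint_forwardings at /etc/config/firewall instead of the sample; a clean result means every forwarding references a zone that actually exists.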

I’d follow the guide exactly as I have it, because I did find it finicky and the guide was for an exit node. The warning on the firewall can be ignored as it is working in testing.

So step 4, when you say <exitnode>, is that how you’re writing it? I’d stick with the command in the guide:

tailscale up --netfilter-mode=off \
  --advertise-routes=192.168.3.0/24,10.0.0.0/24,10.0.1.0/24 \
  --advertise-exit-node \
  --accept-routes

This tailscale up command sets up the node to advertise access to specific local networks (192.168.3.0/24, 10.0.0.0/24, 10.0.1.0/24), offer itself as an internet exit node, and accept routes from other nodes in the Tailscale network, enabling full mesh routing. The --netfilter-mode=off disables automatic firewall rule management, allowing you to handle firewall rules manually. This makes the node act as a flexible gateway and router within the Tailscale mesh without interfering with your existing Linux firewall setup.

The 192.168.3.14 is the one for the app. Will continue testing - but tried a couple of devices with those exact commands and working as exit node

Sorry for the confusion, but no, I am not using <exitnode> on my command. It’s just a placeholder for the internal tailscale IP of the exit node on my home lan.

I have no need or desire to set the Pifi as an exit node. With tailscale on my Pifi I only want to securely route WAN traffic through an exit node on my home LAN and secure remote access to my private network on my home LAN. You are setting up firewall rules to setup the Pifi as an exit node and it seems a bit overkill for my use case. As such, do I need all those firewall rules or would it make sense to have an alternative set of firewall rules more aligned with my use case?

Interestingly, Gli.Net routers do not allow for setting the router as an exit node. They only offer the ability to select an existing exit node, which mimics my use case. Which I believe makes sense and reflects the most common use case for using tailscale. If you haven’t already, please have a look at how Gli.Net is integrating tailscale into their routers and you will notice it mimics my use case.

Ok, got you now. Sorry, I misunderstood and thought PiFi was to act as the exit node, so that’s more what my guide was for.

So it’s working now?

Almost working, but there is a DNS issue. Before, I was testing from my home LAN. This time I went to a Starbucks coffee shop nearby to test a real world scenario.

What’s working:

  1. I can successfully reach my exit node on my LAN. WAN traffic is showing the correct IP.
  2. I can access some LAN resources, but not all.

In tailscale dashboard I toggled override DNS and entered my own nameserver. This is what I should see when connected to my tailnet. Instead, I’m seeing random cloudflare DNS servers. (Please see pic) I assume these are default DNS servers in Pifi.

I also have the tailscale app on my phone. I tested same internet connection with the app (not on pifi) and the DNS resolves correctly. I see my DNS nameserver. No cloudflare DNS servers.

This is very close to working. Hopefully the DNS issue can be resolved.

Is this issue perhaps related to this bug? Similar issue with DNS.

So, if you have AdGuard enabled, and Tailscale is still using AdGuard as the primary DNS resolver, then that’s a feature, not a bug.

You should be able to exit your exit node (which works?) plus have adblocking via AdGuard

However, should you also wish to have your ISP/exit node DNS too - then you’d need to disable AdGuard - my recommendation would probably be to keep it on where possible

At the moment, Tailscale is not fully supported or even present in the firmware, but when it is there will be more options in the UI of the app to select preferences, whether it’s using another device’s exit node or being an exit node itself, etc., but that’s still to come. We do have updates to both app/firmware in the coming weeks and it’ll be on a release build if it’s stable enough.