Why don't we use --tun=userspace-networking in the first place ?

[mastier]

As in the title. I wonder because I want to create a masquerade to use it as exit node, but I don't know how.

Also wonder about the good reasoning for using --tun=userspace-networking instead regular interface and /dev/net/tun tailscale0 interface.

Similar topic was mentioned here: #61 (comment)

[notheotherben]

The primary reason is that running in kernel level networking mode (i.e. tun tailscale0) has a tendency to make your UDM unreachable over SSH and cause Tailscale to fail to initialize correctly, we've found that running in userspace-networking mode is vastly more reliable and generally reduces the blast radius of a misconfiguration to "tailscale isn't working" instead of "I can't access my UDM at all and my internet is out".

A bunch of this comes down to the default routes that the UDM and Tailscale install in kernel level mode and the resulting connectivity issues between tailscaled and the upstream derp/TS control servers. As you've seen in #61 there are folks who have managed to work around this using a range of different tricks, but given the risk I've avoided bundling it up as a configuration here as I'd far rather ensure this script is safe for the majority of users and optimize for the relatively small number who are looking for kernel level networking support.

[mastier]

Understood. That is a good reasoning. I got better understanding now. Appreciate you comment and detailed description of the culprit with kernel level tailscale. Thank you.

[CapnPicard]

Sorry to bring this old topic.

I run tailscale on UDM SE without problem using the default userspace mode.

Devices in the tailscale network can reach machines in the advertised subnets but not the other way around. Obviously, it's normal since the tailscale routes aren't installed in UDM because it's userspace.

I was going to switch to kernel mode and use tunnel interface and routes but I understand it's not recommended for different reasons.

Now my question is, is there a way to make this work with userspace mode?

Bonus question: when in usersapce, I suppose the UDM source NAT the connections to the machines not running tailscale?