Simplify Peer-to-Peer Networking with Tailscale VPN






Zyxel has introduced Tailscale VPN support to its uOS-powered H Series firewalls, offering a peer-to-peer VPN solution as an alternative to traditional IPsec VPNs. This integration brings greater simplicity, reduced latency, and more flexibility to VPN deployments across devices and networks.
What Is Tailscale VPN?
Tailscale VPN is a third-party VPN service built on the WireGuard protocol, designed for peer-to-peer communication across distributed networks. It uses UDP hole punching and a central admin console to manage nodes and authentication.
Use Cases
- Remote workforce access without the need to open ports or configure NAT
- Secure inter-office connectivity with minimal setup
- Cross-platform endpoint communication in hybrid network environments
Key Features
Peer-to-Peer Architecture
Tailscale enables direct device-to-device communication, bypassing central gateways to minimize latency and optimize routing.
Tailscale VPN Setup
- Generate an authentication key from the Tailscale Admin Console
- Enable Tailscale on the Zyxel firewall and enter the key
- Configure Other Site Networks (Advertised Network) and Accept Route. Use Advertised Network to share LAN subnets with the Tailscale network, and Accept Route to receive and use routes from other Tailscale devices.
- Approve routes in the admin console for full communication
Exit Node Support
Configure the Zyxel firewall as an Exit Node, allowing internet-bound traffic from connected clients to route through it. Use cases include:
- Forcing internet traffic through HQ firewalls
- Mobile users benefiting from centralized security policies
Enable the advanced setting NAT Default Source NAT in Tailscale VPN when Exit Node is active.
Configuration Notes
- Ensure IP Helper Service is running (Windows) for client operation
- Port 41641/UDP must be allowed for connection
- Disable Key Expiry in the console to prevent silent disconnections
- Replace expired keys by first logging out on the firewall, removing the device from the Admin Console, and then re-adding with a new key
Sample Scenario
A company has:
- Firewall A at HQ
- Firewall B at a branch
- Remote laptop user
They can:
- Use Tailscale to securely connect all three
- Let the laptop route internet traffic via HQ (Firewall A) as an Exit Node
- Achieve site-to-site VPN functionality
Refer to the Tailscale VPN setup above to complete this example configuration.
Management and Monitoring
- Admin Console tracks device connected status
- Firewall local GUI tracks device status: Active, Idle, Offline or "-". Go to VPN Status > Tailscale VPN
- Displays assigned Tailscale VPN IPs (e.g., 100.x.x.x)
- CLI support via debug network-packet explore routing Tailscale for deep analysis:
  usgflex200h> cmd debug network packet-flow-explore routing tailscale-static-route
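The route-approval and key-expiry points above can also be checked in bulk from an exported device list. The following is an added example, not Zyxel's or Tailscale's code: it assumes JSON shaped like the Tailscale API device list (fields `hostname`, `keyExpiryDisabled`, `expires`, `advertisedRoutes`, `enabledRoutes`), and the hostnames, subnets and dates are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample; field names assumed to follow the Tailscale API device list.
SAMPLE = json.loads("""
{"devices": [
  {"hostname": "fw-hq", "keyExpiryDisabled": true,
   "expires": "0001-01-01T00:00:00Z",
   "advertisedRoutes": ["192.168.10.0/24"],
   "enabledRoutes": ["192.168.10.0/24"]},
  {"hostname": "fw-branch", "keyExpiryDisabled": false,
   "expires": "2025-07-01T00:00:00Z",
   "advertisedRoutes": ["192.168.20.0/24"],
   "enabledRoutes": []},
  {"hostname": "laptop-01", "keyExpiryDisabled": false,
   "expires": "2025-06-01T00:00:00Z",
   "advertisedRoutes": [], "enabledRoutes": []}
]}
""")

# Fixed "current time" so the sample gives the same result on every run.
SAMPLE_NOW = datetime(2025, 6, 25, tzinfo=timezone.utc)


def audit(devices, now, warn_days=14):
    """Return (hostname, finding, detail) tuples for the two conditions that
    break connectivity: unapproved subnet routes and lapsing node keys."""
    findings = []
    for dev in devices:
        name = dev["hostname"]
        # Routes the node advertises but the admin console has not approved.
        pending = sorted(set(dev.get("advertisedRoutes", []))
                         - set(dev.get("enabledRoutes", [])))
        if pending:
            findings.append((name, "routes-not-approved", ", ".join(pending)))
        # The expiry timestamp only matters while key expiry is enabled.
        if not dev.get("keyExpiryDisabled", False):
            expires = datetime.fromisoformat(dev["expires"].replace("Z", "+00:00"))
            if expires <= now:
                findings.append((name, "key-expired", dev["expires"]))
            elif expires - now <= timedelta(days=warn_days):
                findings.append((name, "key-expiring", dev["expires"]))
    return findings


if __name__ == "__main__":
    for host, finding, detail in audit(SAMPLE["devices"], SAMPLE_NOW):
        print(f"{host:10} {finding:20} {detail}")
```
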