Simplify Peer-to-Peer Networking with Tailscale VPN

Zyxel_Claudia

Zyxel has introduced Tailscale VPN support to its uOS-powered H Series firewalls, offering a peer-to-peer VPN solution as an alternative to traditional IPsec VPNs. This integration brings greater simplicity, reduced latency, and more flexibility to VPN deployments across devices and networks.

What Is Tailscale VPN?

Tailscale VPN is a third-party VPN service built on the WireGuard protocol and designed for peer-to-peer communication across distributed networks. It uses UDP hole punching to establish direct connections and a central admin console to manage nodes and authentication.

Use Cases

  • Remote workforce access without the need to open ports or configure NAT
  • Secure inter-office connectivity with minimal setup
  • Cross-platform endpoint communication in hybrid network environments

Key Features

Peer-to-Peer Architecture

Tailscale enables direct device-to-device communication, bypassing central gateways to minimize latency and optimize routing.

Tailscale VPN Setup

  1. Generate an authentication key from the Tailscale Admin Console
  2. Enable Tailscale on the Zyxel firewall and enter the key
  3. Configure Other Site Networks (Advertised Network) and Accept Route. Use Advertised Network to share LAN subnets with the Tailscale network, and Accept Route to receive and use routes advertised by other Tailscale devices.
  4. Approve routes in the admin console for full communication

Exit Node Support

Configure the Zyxel firewall as an Exit Node, allowing internet-bound traffic from connected clients to route through it. Use cases include:

  • Forcing internet traffic through HQ firewalls
  • Mobile users benefiting from centralized security policies

Enable the advanced setting NAT Default Source NAT in Tailscale VPN when Exit Node is active, so that client traffic leaving through the firewall's WAN is translated.

Configuration Notes

  • Ensure IP Helper Service is running (Windows) for client operation
  • Port 41641/UDP must be allowed for connection
  • Disable Key Expiry in the console to prevent silent disconnections
  • Replace expired keys by first logging out on the firewall, removing the device from the Admin Console, and then re-adding with a new key

Sample Scenario

A company has:

  • Firewall A at HQ
  • Firewall B at a branch
  • Remote laptop user

They can:

  • Use Tailscale to securely connect all three
  • Let the laptop route internet traffic via HQ (Firewall A) as an Exit Node
  • Achieve site-to-site VPN functionality

Refer to the Tailscale VPN setup above to complete this example configuration.
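To keep the sample scenario least-privilege once routes are approved, the Tailscale Admin Console policy below restricts who may advertise routes, act as the exit node, and reach each LAN. This is an added example in Tailscale's HuJSON policy format, not Zyxel's or the original post's configuration; the tag names, the user address and the subnets 192.168.10.0/24 (HQ, behind Firewall A) and 192.168.20.0/24 (branch, behind Firewall B) are assumptions for illustration.

```json
{
  // Only admins may generate the tagged auth keys used in setup step 1
  // (constructed tag names; rename to match your tailnet).
  "tagOwners": {
    "tag:hq-fw":     ["autogroup:admin"],
    "tag:branch-fw": ["autogroup:admin"]
  },
  "groups": {
    "group:remote-staff": ["alice@example.com"]   // assumed user
  },
  // Auto-approve the Advertised Networks of each firewall (setup step 4),
  // but only for the node carrying the matching tag; only the HQ firewall
  // may be used as an exit node.
  "autoApprovers": {
    "routes": {
      "192.168.10.0/24": ["tag:hq-fw"],
      "192.168.20.0/24": ["tag:branch-fw"]
    },
    "exitNode": ["tag:hq-fw"]
  },
  "acls": [
    // Site-to-site: the two firewalls and the LANs behind them talk freely.
    {
      "action": "accept",
      "src": ["tag:hq-fw", "tag:branch-fw", "192.168.10.0/24", "192.168.20.0/24"],
      "dst": ["tag:hq-fw:*", "tag:branch-fw:*", "192.168.10.0/24:*", "192.168.20.0/24:*"]
    },
    // The remote laptop may reach the HQ LAN only.
    {"action": "accept", "src": ["group:remote-staff"], "dst": ["192.168.10.0/24:*"]},
    // The remote laptop may route Internet traffic via the HQ exit node.
    {"action": "accept", "src": ["group:remote-staff"], "dst": ["autogroup:internet:*"]}
  ]
}
```

Because this replaces Tailscale's permissive default policy, any device or subnet not listed here is denied; verify reachability from each node after saving the policy.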

Management and Monitoring

  • The Admin Console shows each device's connected status
  • The firewall's local GUI shows device status as Active, Idle, Offline or "-" (go to VPN Status > Tailscale VPN)
  • Displays assigned Tailscale VPN IPs (e.g., 100.x.x.x)
  • CLI support for deep analysis via the debug network packet-flow-explore command, for example:
    usgflex200h> cmd debug network packet-flow-explore routing tailscale-static-route