site-to-site
2/17/25   Tailscale
   
Site-to-site networking
Site-to-site networking (also known as layer 3 (L3) routing) creates a bridge between two or more distinct networks, letting devices in different subnets communicate with each other without a direct connection. You can create a site-to-site connection using Tailscale subnet routers, which lets you connect entire networks (such as different physical locations or cloud environments) together securely through your Tailscale network (known as a tailnet).

Subnets in these notes:
  192.168.0.0/24  (mdh LAN)
  192.168.3.0/24  (Hoppe LAN)
  192.168.7.0/24  (Net Cam LAN)

Requirements and limitations
  > The subnets must not have identical CIDR ranges.
  > Both subnet routers must use a Linux-based operating system.
   
    Create a site-to-site connection
   
    1 Select a subnet router The first step is to select a device within the subnet to act as the designated subnet router. 
   
2 Configure the subnet router
Enable IP forwarding (if the /etc/sysctl.d directory exists):
    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
   
Subnet router configuration (run on each site's subnet router, advertising that site's LAN):
    # mdh LAN
    tailscale up --advertise-routes=192.168.0.0/24 --snat-subnet-routes=false --accept-routes
    # Hoppe LAN
    tailscale up --advertise-routes=192.168.3.0/24 --snat-subnet-routes=false --accept-routes
    # Net Cam LAN
    tailscale up --advertise-routes=192.168.7.0/24 --snat-subnet-routes=false --accept-routes
   
Clamp the MSS to the MTU (on the subnet router):
    iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
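The step above is repeated once per site, and the "no identical CIDR ranges" requirement has to hold across all of them. The following is an added example, not code from the notes or from Tailscale: it takes the three LANs from these notes, checks that no two sites use the same or an overlapping range (overlap is flagged too, because a subnet router cannot tell which site owns an address that falls in both), and emits the per-site tailscale up line with the flags used above. The site table and the function names are this example's own.

```python
"""Added example: validate site CIDRs and emit each site's subnet-router command."""
import ipaddress

# Constructed site table, taken from the notes: site name -> LAN CIDR.
SITES = {
    "mdh LAN": "192.168.0.0/24",
    "Hoppe LAN": "192.168.3.0/24",
    "Net Cam LAN": "192.168.7.0/24",
}


def check_site_cidrs(sites):
    """Return a list of problems (empty when the site-to-site requirement holds).

    Identical ranges violate the documented requirement; overlapping ranges are
    reported as well because they make the return path ambiguous."""
    problems = []
    nets = {}
    for name, cidr in sites.items():
        try:
            # strict=True rejects host bits set in the prefix (e.g. 192.168.0.1/24)
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as e:
            problems.append(f"{name}: invalid CIDR {cidr!r} ({e})")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a] == nets[b]:
                problems.append(f"{a} and {b} use the identical range {nets[a]}")
            elif nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def subnet_router_command(cidr):
    """The `tailscale up` line for one site's subnet router, with the flags the
    notes use: advertise the LAN, keep source addresses (no SNAT) so the far
    side sees real LAN IPs, and accept the routes the other sites advertise."""
    return (f"tailscale up --advertise-routes={cidr} "
            f"--snat-subnet-routes=false --accept-routes")


def plan(sites):
    """Map site name -> command, or raise if the requirements are not met."""
    problems = check_site_cidrs(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return {name: subnet_router_command(cidr) for name, cidr in sites.items()}


if __name__ == "__main__":
    for name, cmd in plan(SITES).items():
        print(f"# {name}\n{cmd}")
```

Run it on the real site table before touching any router; a non-empty result from check_site_cidrs means the design needs renumbering first, which is far cheaper than discovering asymmetric routing after the tunnel is up.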
   
3 Approve the subnet router
    Tailscale dashboard > (subnets badge) ... (menu) > Edit route settings > X (Approve the device)
    Tailscale dashboard > (subnets badge) ... (menu) > Disable key expiry
   
4 Update tailnet Access Controls (dashboard: JSON editor or Visual editor)
You must update the access control policies for your tailnet to allow communication between the subnets by creating access rules (grants) to permit the subnets to connect.
   
via the JSON editor:

    {
      "grants": [
        {
          "src": ["<first-subnet-CIDR>"],
          "dst": ["<second-subnet-CIDR>"],
          "ip": ["*"]
        },
        {
          "src": ["<second-subnet-CIDR>"],
          "dst": ["<first-subnet-CIDR>"],
          "ip": ["*"]
        }
      ]
    }

via the Visual editor:

    1 a Open the Access controls page of the admin console.
      b Select the Visual editor tab.
      c Select Add rule.
      d In the Source field, enter the CIDR range of the first subnet.
      e In the Destination field, enter the CIDR range of the second subnet.
      f In the Port and protocol field, select All ports and protocols.
      g (Optional) Add a descriptive note to the access rule to help you identify it later.
      h Select Save grant.

    2 a Open the Access controls page of the admin console.
      b Select the Visual editor tab.
      c Select Add rule.
      d In the Source field, enter the CIDR range of the second subnet.
      e In the Destination field, enter the CIDR range of the first subnet.
      f In the Port and protocol field, select All ports and protocols.
      g (Optional) Add a descriptive note to the access rule to help you identify it later.
      h Select Save grant.
   
This creates two access rules using the grants syntax, one per direction. They apply immediately as soon as you save them.
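With two subnets that is two grants; with the three LANs in these notes every ordered pair needs its own rule, six in all, and a single missing reverse rule shows up as "ping works one way only". The following is an added example, not Tailscale's code or part of the notes: it generates the grants for any number of sites in the same src/dst/ip shape used above, and it checks an existing policy for pairs that no grant covers (a wider prefix or "*" in src or dst still counts as covering). Non-CIDR entries such as tags or groups are ignored by the checker. The helper names are this example's own.

```python
"""Added example: generate and verify site-to-site grants for N LANs."""
import ipaddress
import json

# From the notes: the three site CIDRs.
SITE_CIDRS = ["192.168.0.0/24", "192.168.3.0/24", "192.168.7.0/24"]


def site_to_site_grants(cidrs):
    """One grant per ordered pair (A -> B and B -> A are separate rules, exactly
    like the two-rule example above), all ports and protocols."""
    return [
        {"src": [a], "dst": [b], "ip": ["*"]}
        for a in cidrs for b in cidrs if a != b
    ]


def _allows(entries, net):
    """True if any entry is "*" or a prefix that contains net."""
    for e in entries:
        if e == "*":
            return True
        try:
            if net.subnet_of(ipaddress.ip_network(e)):
                return True
        except (ValueError, TypeError):
            pass  # tags, groups, users, or a v4/v6 mismatch: not a CIDR match
    return False


def _covers(grant, src_cidr, dst_cidr):
    """True if this grant allows all traffic from src_cidr to dst_cidr."""
    if "*" not in grant.get("ip", []):
        return False  # port- or protocol-limited grants are not full site access
    src_net = ipaddress.ip_network(src_cidr)
    dst_net = ipaddress.ip_network(dst_cidr)
    return _allows(grant.get("src", []), src_net) and _allows(grant.get("dst", []), dst_net)


def missing_grants(policy, cidrs):
    """Return the (src, dst) pairs that no grant in the policy covers."""
    grants = policy.get("grants", [])
    return [
        (a, b) for a in cidrs for b in cidrs
        if a != b and not any(_covers(g, a, b) for g in grants)
    ]


if __name__ == "__main__":
    policy = {"grants": site_to_site_grants(SITE_CIDRS)}
    print(json.dumps(policy, indent=2))
    print("missing pairs:", missing_grants(policy, SITE_CIDRS))
```

To audit a live tailnet, paste the policy file's JSON into the policy dict and run missing_grants against the site list; an empty result means every site pair is allowed in both directions.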
   
5 Configure the other subnet devices
After configuring and approving the subnet router, make sure the devices in the subnet use the designated subnet router for the correct routes. The best way to configure the devices in the subnet depends on your infrastructure. If the subnet devices already use the subnet router as the default gateway, you don't need to configure them, because they will automatically use the subnet router for all traffic (unless a more specific route applies). If the subnet devices don't use the subnet router as the default gateway, you must configure them to use the subnet router for the correct routes.

For example, on Linux devices you can use the ip route command (not needed if the subnet router you selected is already the subnet's default gateway):
   
    # ip route add <first-subnet-CIDR> via <first-subnet-router-IP-address>
    # ip route add <second-subnet-CIDR> via <second-subnet-router-IP-address>

The next hop must be an address in the device's own LAN, i.e. its own site's subnet router; the other sites' routers are not directly reachable. E.g. on a device in the Hoppe LAN (192.168.3.0/24), where XX = the LAN IP address of that LAN's subnet router:

    ip route add 192.168.0.0/24 via 192.168.3.XX
    ip route add 192.168.7.0/24 via 192.168.3.XX

and likewise on a device in the mdh LAN via 192.168.0.XX, or in the Net Cam LAN via 192.168.7.XX.
   
    The ip route commands do not persist after rebooting. You must run them again after each reboot.
    Depending on your setup, you can make the route settings persistent by adding them to your network manager or netplan configuration.
    Alternatively, you can manage route settings with a DHCP server on your network.
   
    If the subnet is in a cloud environment, such as AWS, you can usually update the cloud provider's routing tables instead of configuring each device directly.
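Working out those per-device routes by hand is where the "via the wrong router" mistake usually creeps in. The following is an added example, not from the notes or from Tailscale: given a device's address and its current default gateway, it finds the device's own LAN, picks that LAN's subnet router as the next hop, and prints the ip route add lines for every other site; it returns nothing when the default gateway already is the subnet router, matching the rule above. The router addresses ending in .1 are constructed placeholders, and the function names are this example's own.

```python
"""Added example: derive the non-persistent `ip route add` lines for one LAN device."""
import ipaddress

# Constructed: LAN CIDR -> that LAN's subnet router address (placeholder values).
ROUTERS = {
    "192.168.0.0/24": "192.168.0.1",
    "192.168.3.0/24": "192.168.3.1",
    "192.168.7.0/24": "192.168.7.1",
}


def local_site(device_ip, routers):
    """The CIDR of the LAN that contains device_ip, or None if it is in no site."""
    ip = ipaddress.ip_address(device_ip)
    for cidr in routers:
        if ip in ipaddress.ip_network(cidr):
            return cidr
    return None


def routes_for_device(device_ip, default_gateway, routers):
    """Commands to run on the device, one per remote site.

    Returns [] when the default gateway already is the local subnet router,
    since all traffic goes there anyway (unless a more specific route applies).
    The next hop is always the router inside the device's own LAN."""
    site = local_site(device_ip, routers)
    if site is None:
        raise ValueError(f"{device_ip} is not in any known site")
    via = routers[site]
    if ipaddress.ip_address(via) not in ipaddress.ip_network(site):
        raise ValueError(f"router {via} is not inside its own LAN {site}")
    if default_gateway == via:
        return []  # already routed through the subnet router
    return [f"ip route add {remote} via {via}" for remote in routers if remote != site]


if __name__ == "__main__":
    # Constructed device: in the Hoppe LAN, default gateway is a different box.
    for line in routes_for_device("192.168.3.100", "192.168.3.254", ROUTERS):
        print(line)
```

The lines it prints are the same non-persistent routes as above; to make them survive a reboot, put the equivalent entries into the network manager, netplan or DHCP configuration as described.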
   
   
Test the connectivity between subnet A and subnet B
Now a device in subnet A can connect to a device in subnet B (and vice versa) without either needing to install the Tailscale client. You can test the connection by running the ping command from a subnet A device to a subnet B device.

For example, from a device at 192.168.3.100 (Hoppe LAN), ping a device in the Net Cam LAN:

    # ping 192.168.7.100