Updating Tailscale Routes for Lab VLAN Access

Overview

This article updates the Tailscale subnet router to advertise the Lab VLAN instead of the old Network VLAN routes. After the Talos migration, remote access is broken because Tailscale doesn't know how to reach the new node IPs.

Tip: Having trouble? See v1.2.0 for what your setup should look like after completing this article.

Before You Begin

Prerequisites

What We're Setting Up

| Component | Before | After |
|---|---|---|
| Advertised routes | Individual /32s + MetalLB CIDRs | Single /24 subnet |
| Subnet | 192.168.1.x | 192.168.10.0/24 |

The new configuration advertises the entire Lab VLAN as one route, simplifying management.

Why Advertise the Entire /24?

The old config used specific /32s for nodes and CIDRs for MetalLB, which is more restrictive but takes more maintenance [1]. Since nodes are the high-value targets (cluster admin access), allowing MetalLB services doesn't expand the attack surface meaningfully. The Lab VLAN is already isolated by the firewall (it can't reach the home network), so Tailscale is just your remote entry point to an already-segmented zone.

Update Tailscale Connector

Connector

k8s/core/tailscale/connector/connector.yaml:

---
apiVersion: tailscale.com/v1alpha1
kind: Connector
metadata:
    name: homelab-subnet
spec:
    replicas: 3
    proxyClass: control-plane
    hostnamePrefix: homelab-subnet
    subnetRouter:
        advertiseRoutes:
            - "192.168.10.0/24"
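
A pre-commit check for the route list above, as an added example that is not part of the original article or of the Tailscale operator: it flags any advertised route that is not inside 192.168.10.0/24, so the subnet router stays an entry point to the Lab VLAN only and leftover routes from the old range are caught. The function names, the /24 mask assumed for the old 192.168.1.x range, and the sample route lists are constructed for illustration.

```python
import ipaddress

LAB_VLAN = ipaddress.ip_network("192.168.10.0/24")  # route the article advertises
OLD_VLAN = ipaddress.ip_network("192.168.1.0/24")   # assumed mask for "192.168.1.x"

def extract_routes(manifest: str) -> list[str]:
    """Collect list items under advertiseRoutes (minimal parser, not full YAML)."""
    routes, in_block = [], False
    for line in manifest.splitlines():
        item = line.split(" #")[0].strip()  # drop trailing comments
        if item.startswith("advertiseRoutes:"):
            in_block = True
        elif in_block and item.startswith("- "):
            routes.append(item[2:].strip().strip("\"'"))
        elif in_block and item:
            in_block = False  # the next key ends the list
    return routes

def check_routes(routes: list[str]) -> list[str]:
    """Return findings; an empty list means only Lab VLAN routes are advertised."""
    findings = [] if routes else ["no advertiseRoutes found"]
    for route in routes:
        try:
            net = ipaddress.ip_network(route)  # strict: rejects host bits (.5/24)
        except ValueError:
            findings.append(f"{route}: not a valid network prefix")
            continue
        if net.version == 4 and net.subnet_of(LAB_VLAN):
            continue
        if net.version == 4 and net.subnet_of(OLD_VLAN):
            findings.append(f"{route}: stale route into the old Network VLAN")
        else:
            findings.append(f"{route}: reaches outside the Lab VLAN")
    return findings

# Constructed samples: the article's route list, and a list with three mistakes.
GOOD = '''advertiseRoutes:
    - "192.168.10.0/24"
'''
BAD = '''advertiseRoutes:
    - "192.168.1.21/32"    # leftover node route
    - "192.168.0.0/16"     # would also cover other VLANs
    - "192.168.10.5/24"    # host bits set
'''

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_routes(extract_routes(doc)) or "ok")
```
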

Commit Changes

git add k8s/core/tailscale/connector/connector.yaml
git commit -m "feat(tailscale): migrate routes to Lab VLAN"
git push

Reconcile Flux

Flux will auto-sync after push. To force immediate reconciliation (requires cluster access):

flux reconcile source git flux-system
flux reconcile kustomization sync

Approve Routes in Tailscale Admin

The new subnet needs approval in the Tailscale admin console:

  1. Go to Tailscale Admin
  2. Find homelab-subnet-0, homelab-subnet-1, homelab-subnet-2
  3. Each should show 192.168.10.0/24 under Subnets
  4. Approve the new routes (disable the old ones if still showing)

Verify Remote Access

Test Connectivity

From a device on Tailscale (not on the local network):

ping 192.168.10.30

Expected: Ping succeeds.

Test Cluster Access

kubectl get nodes
talosctl health --nodes 192.168.10.30

Expected: Both commands work over Tailscale.

Next Steps

With remote access restored, update MetalLB to assign service IPs from the Lab VLAN range.

See: MetalLB Migration

Resources

Footnotes

  1. Tailscale, "Subnet routers," tailscale.com. Accessed: Feb. 26, 2026. [Online]. Available: https://tailscale.com/kb/1019/subnets
