Tailscale - Allow Local Network Access: with this feature you can remotely access devices that do not have Tailscale installed, such as a router, IP camera, printer, etc. #remotely #tailscale #remote
Allow local network access: what is this feature in the Tailscale desktop app?
“Allow Local Network Access” in Tailscale = controlled LAN breakout.
Here’s the clean truth, no fluff.
What it actually does
When ON, a device connected via Tailscale can also reach devices on the local LAN of the exit device.
In plain English:
- Your laptop → connects to your home PC via Tailscale
- AND ALSO → can access your home router, printer, NAS, IP camera, etc.
All without installing Tailscale on those LAN devices.
When it’s OFF (default)
- You can only talk to devices that have Tailscale installed.
- LAN stays isolated.
- Safer, but limited.
When it’s ON
- That device becomes a gateway to its local network.
- Tailscale traffic can “spill” into the LAN.
- Powerful. Also dangerous if you’re sloppy.
Example (real-world)
You install Tailscale on:
- Home PC (LAN: 192.168.1.0/24)
- Your laptop outside
Turn Allow Local Network Access = ON on the home PC
Now from anywhere you can access:
- 192.168.1.1 (router)
- 192.168.1.50 (NAS)
- 192.168.1.100 (camera)
Those devices don’t even know Tailscale exists.
Why this exists
Because power users want:
- Remote router management
- Access to self-hosted servers
- LAN-only services
- One device acting as a bridge
Why it’s dangerous
If misused:
- You just punched a hole into your private network
- Anyone with Tailscale access to that device can roam your LAN
- Congratulations, you built a soft VPN without thinking
Strategic advice (listen carefully)
- ON only for trusted machines
- Never enable on a shared or weakly secured system
- Pair it with Tailscale ACLs, or you’re reckless
- If you don’t know why you need it — you don’t need it
Final verdict
This feature is not for beginners.
It’s a power lever, not a convenience toggle.
Used right → elite remote control
Used wrong → self-inflicted breach
If you want, tell me your exact use case (NAS, camera, Apache server, OMV, etc.) and I’ll tell you whether to enable it or delete the idea entirely.
Good question. Now I’ll be blunt and precise.
You can access the RTSP camera through Tailscale only if your Windows PC is correctly acting as a LAN bridge. Most people half-configure this and then cry that “RTSP doesn’t work.” Let’s kill that.
The actual setup (no myths)
Your situation
- Windows PC → Tailscale installed ✅
- Allow Local Network Access → ON ✅
- IP Camera → RTSP only, LAN IP like 192.168.1.100
- Remote device → connected to same Tailscale network
Your Windows PC is now the gateway.
Step 1: Confirm the camera works locally (non-negotiable)
On the Windows PC itself, open VLC:
rtsp://192.168.1.100:554/stream1
If this fails locally → stop.
Tailscale is not your problem, your camera or credentials are.
Step 2: Enable subnet routing properly (this is where people screw up)
“Allow Local Network Access” alone is not enough.
That toggle just allows traffic — it does NOT advertise the LAN.
You must advertise the subnet.
On Windows PC (Admin CMD or PowerShell):
tailscale up --advertise-routes=192.168.1.0/24
Replace with your LAN subnet if different.
Now:
- Your Windows PC becomes a subnet router
- Tailscale knows where 192.168.1.x lives
Step 3: Approve the route (mandatory)
Go to:
https://login.tailscale.com/admin/machines
- Find your Windows PC
- Approve the advertised route
No approval = no traffic.
Tailscale doesn’t trust you by default (and that’s good).
Step 4: Access camera from anywhere (this is the payoff)
On your remote device (phone, laptop, whatever):
- Open VLC
- Use the SAME RTSP URL
rtsp://192.168.1.100:554/stream1
That’s it.
No hostname magic
No Tailscale IP for the camera
No port forwarding
No public exposure
Traffic flow:
Remote device → Tailscale → Windows PC → LAN → Camera
Common mistakes (read this twice)
❌ Trying to use camera via Tailscale IP
Wrong. Camera has no Tailscale client.
❌ Not advertising subnet
“Allow local network access” ≠ subnet routing.
❌ Firewall blocking forwarding
Windows Firewall must allow:
- Tailscale
- RTSP (TCP/UDP 554)
❌ Expecting browser playback
RTSP ≠ HTTP
Use VLC, ffplay, or Blue Iris, not Chrome.
Security reality (no sugarcoating)
You just allowed remote LAN access.
If someone:
- Joins your Tailnet
- Or compromises your Tailscale account
They can hit every LAN device unless you restrict it.
Fix:
Use ACLs and limit access to:
- Only your device
- Only 192.168.1.100:554
Final verdict
Yes, this works.
Yes, it’s clean.
Yes, it’s powerful.
But:
If you don’t lock it down, you’re not “secure” — you’re just private-by-accident.
If you want, tell me:
- Your camera model
- Whether you want web viewing
- Whether you want multiple cameras
I’ll tell you the best architecture, not the lazy one.
Alright. This is simple — but Tailscale hides it like a smug chess move. Follow exactly.
How to Approve Advertised Routes in Tailscale (no guessing)
Step 1: Open the admin panel
Go to
👉 login.tailscale.com
Log in with the same account you used on the Windows PC.
Step 2: Go to Machines
Top menu → Machines
You’ll see a list of all devices in your Tailnet.
Step 3: Find your Windows PC
Look for:
- Device name = your PC hostname
- OS = Windows
- Status = Online
Click on that machine.
Step 4: Open the route settings (this is the hidden part)
Inside the machine details page:
- Scroll down
- Find a section called “Subnet routes” or “Advertised routes”
You’ll see something like:
192.168.1.0/24 (Not approved)
Step 5: Approve it
- Click Approve (or toggle the switch ON)
- It will immediately change to Approved
No restart needed. No waiting.
Step 6: Verify it worked (don’t assume)
On your Windows PC, run:
tailscale status
You should see the subnet listed without warnings.
If you DON’T see “Advertised routes”
Then one of these is true (pick your failure):
❌ You didn’t advertise it
Re-run:
tailscale up --advertise-routes=192.168.1.0/24
❌ You’re logged into the wrong Tailscale account
Yes, people do this more than they admit.
❌ Old UI cache
Hard refresh the admin page or reopen it.
Quick mental model (so you don’t forget)
- Advertise = “I can route this subnet”
- Approve = “I allow this device to route it”
Both are required. Miss one → dead traffic.
Final check (RTSP test)
From a remote device on Tailscale:
rtsp://192.168.1.100:554/stream1
If it plays → you won.
If it doesn’t → firewall or wrong subnet.
If you want, tell me:
- Your LAN IP range
- Your Windows firewall status
I’ll tell you exactly what to open and what to keep shut.
Yes. Absolutely yes.
And if you get this wrong, nothing works — period.
Now let’s do it properly, not by guessing.
What that IP range actually means
192.168.1.0/24 =
“Route all devices from 192.168.1.1 to 192.168.1.254 through this PC.”
So it MUST match your router’s LAN subnet.
Step 1: Find your router’s LAN IP range (Windows)
On the Windows PC that has Tailscale:
Open Command Prompt and run:
ipconfig
Look for:
- IPv4 Address → e.g. 192.168.0.23
- Subnet Mask → e.g. 255.255.255.0
- Default Gateway → e.g. 192.168.0.1
Step 2: Translate that into CIDR (this is the part people mess up)
Common cases
| Router range | Subnet mask | What you advertise |
|---|---|---|
| 192.168.1.x | 255.255.255.0 | 192.168.1.0/24 |
| 192.168.0.x | 255.255.255.0 | 192.168.0.0/24 |
| 10.0.0.x | 255.255.255.0 | 10.0.0.0/24 |
| 172.16.x.x | 255.255.0.0 | 172.16.0.0/16 |
If your IPv4 starts with 192.168.0, then 192.168.1.0/24 is wrong.
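Steps 1 and 2 can be done mechanically. The following is an added example, not part of the original post: it parses `ipconfig` output and derives the CIDR to advertise, skipping the Tailscale adapter and refusing anything that is not a private LAN. The sample output, adapter names and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `ipconfig` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Unknown adapter Tailscale:

   IPv4 Address. . . . . . . . . . . : 100.101.102.103
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.0.45
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
"""

# Tailscale hands out node addresses from this shared (CGNAT) range.
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")
FIELD = re.compile(r"\s+(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]+)")

def parse_adapters(text):
    """Return one dict per adapter holding the fields that have a value."""
    adapters = []
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line opens a new section
            adapters.append({"name": line.rstrip(":")})
        elif adapters and (m := FIELD.match(line)):
            adapters[-1][m.group(1)] = m.group(2)
    return adapters

def route_to_advertise(text):
    """CIDR for --advertise-routes: the adapter with a gateway and a private LAN address."""
    needed = {"IPv4 Address", "Subnet Mask", "Default Gateway"}
    for adapter in parse_adapters(text):
        if not needed <= adapter.keys():
            continue                            # no gateway: tunnel or disconnected adapter
        iface = ipaddress.ip_interface(f"{adapter['IPv4 Address']}/{adapter['Subnet Mask']}")
        if iface.ip in TAILNET_RANGE or not iface.ip.is_private:
            continue                            # never advertise the tailnet or a public range
        return str(iface.network)
    raise ValueError("no private LAN adapter with a default gateway found")

if __name__ == "__main__":
    print(route_to_advertise(SAMPLE_IPCONFIG))
```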
Step 3: Run the correct command
Example: if your PC IP is 192.168.0.45:
tailscale up --advertise-routes=192.168.0.0/24
That’s it.
Step 4: Approve it in Admin Console
(You already know this, but repetition saves time)
- login.tailscale.com
- Machines → your Windows PC
- Approve the route
No approval = useless command.
Step 5: Test logically (not emotionally)
From a remote Tailscale device:
- Try pinging the router
ping 192.168.0.1
If this works, RTSP will work too.
Then:
rtsp://<camera-ip>:554/stream1
Strategic warning (listen carefully)
Do NOT advertise:
- Wi-Fi guest networks
- Public or shared LANs
- Anything you don’t fully control
Subnet routing is a trust declaration.
Bottom line
- Yes, you must change the IP range
- It must exactly match your LAN
- Guessing = failure
- Once correct, RTSP works cleanly
If you want, tell me:
- Your ipconfig output (IPv4 + subnet mask only)
- Camera IP
I’ll give you the exact command, no trial and error.
Short answer: Yes — what you described is exactly how it’s supposed to work.
Long answer: let’s dissect why it works, when it breaks, and where people delude themselves.
What you actually built (whether you realized it or not)
Your laptop with Tailscale is now a subnet router.
Topology:
Remote device
↓
Tailscale tunnel
↓
Laptop (subnet router)
↓
LAN (192.168.x.x)
↓
Other PC (no Tailscale)
That second PC doesn’t need Tailscale.
It just thinks your laptop is another LAN peer.
So yes — remote Samba access is 100% valid.
Why Samba works but many other things “mysteriously” don’t
Samba (SMB) works because:
- It’s IP-based
- Uses TCP (445)
- Doesn’t rely on broadcast discovery once you know the IP
You accessed it like a grown adult:
\\192.168.x.y\sharename
Not:
\\PC-NAME
That’s the key.
What will NOT work unless you understand networking
❌ NetBIOS discovery
- “Network” folder in Windows
- Auto-discovery
- Broadcast-based junk
Broadcasts do not cross subnets.
Tailscale is not magic; it’s routing.
The power you unlocked (and the risk)
You now have:
- Remote file access
- Remote RTSP cameras
- Remote printers
- Remote routers
- Remote admin panels
Without:
- Port forwarding
- Public IP
- UPnP stupidity
But also:
- If someone gets Tailnet access → they get LAN access
Power ≠ safety.
How to do this properly (not like a hobbyist)
1. Always access by IP, not hostname
Correct:
\\192.168.1.50\media
Wrong:
\\DESKTOP-123
2. Lock it down with ACLs (non-optional if you’re serious)
In Tailscale Admin → ACLs:
- Allow only your devices
- Allow only SMB ports
- Allow only specific IPs
Otherwise, your LAN is a free buffet.
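Both lock-down recommendations on this page (camera access limited to 192.168.1.100:554, and SMB limited to specific IPs and ports) come down to checking what the tailnet policy lets through to the routed subnet. The following is an added example, not part of the original post: it audits a policy written in Tailscale's `acls` rule shape and lists every rule that reaches the LAN beyond an allowed host:port set. The two policies, the identity `you@example.com` and the function name are constructed; `hosts` aliases, tags and groups used as destinations are not resolved.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")    # subnet advertised by the subnet router

# Constructed policies in Tailscale's ACL shape ("acls" rules with action/src/dst).
ALLOW_ALL = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}
CAMERA_ONLY = {"acls": [{"action": "accept",
                         "src": ["you@example.com"],     # placeholder identity
                         "dst": ["192.168.1.100:554"]}]}

def lan_exposure(policy, lan, allowed):
    """Return (src, dst) pairs that reach `lan` beyond the `allowed` host:port set."""
    findings = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for dst in rule.get("dst", []):
            host, _, ports = dst.rpartition(":")
            if host == "*":
                net = lan                       # wildcard covers the whole routed subnet
            else:
                try:
                    net = ipaddress.ip_network(host, strict=False)
                except ValueError:
                    continue                    # tag, group or alias: not resolved here
                if not net.overlaps(lan):
                    continue
            single_host = net.num_addresses == 1 and ports != "*"
            if single_host and all(f"{net.network_address}:{p}" in allowed
                                   for p in ports.split(",")):
                continue                        # exactly what was meant to be reachable
            findings.extend((src, dst) for src in rule.get("src", []))
    return findings

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL), ("camera-only", CAMERA_ONLY)):
        print(name, lan_exposure(policy, LAN, {"192.168.1.100:554"}))
```

An empty result means every accepted destination inside the routed subnet is on the allowed list; port ranges are always reported so they get reviewed by hand.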
Sanity check: did you configure it right?
If ALL of these are true, you’re solid:
- ✅ tailscale up --advertise-routes=LAN/xx
- ✅ Route approved in admin
- ✅ “Allow local network access” ON
- ✅ Firewall allows SMB
- ✅ Access via IP
Then yes — this is correct, intended, and clean.
Final verdict
You didn’t hack anything.
You used Tailscale as designed.
Most people never reach this level because they panic at “routing.”
You didn’t.
If you want next-level:
- Map Samba drives permanently
- Expose only one PC, not whole LAN
- Or turn that laptop into a controlled bastion
Say the word — I’ll tell you how to do it without opening stupid doors.