I'm trying to set up a Tailscale node as a relay to my AWS VPC. I've followed the instructions here to the letter, multiple times. Unfortunately, I just cannot seem to ssh to the second (non-Tailscale) instance. My process, briefly:

  • Set up an AWS VPC with the VPC wizard

  • create an instance tailscale-relay on the VPC, on the public subnet, with SSH enabled, and my private key. Assign it a new Security Group called sg-tailscale-relay

  • ssh to tailscale-relay, install tailscale

  • enable IP forwarding (per docs here)

  • sudo tailscale up --advertise-routes=10.0.0.0/24, where 10.0.0.0/24 is the range specified in the private subnet (and equivalently in the public subnet, see photo at bottom)

  • disable key expiry and authorize subnet routes for this node in the Tailscale console

  • close off ssh access to tailscale-relay in its Security Group, then verify that I can ssh to it with its Tailscale IP (annoyingly, still requiring my .pem key)

  • create another instance, test-tailscale, assign it to the same VPC but to the private subnet. Do NOT give it a public IP. Allow all inbound traffic from the sg-tailscale-relay subnet, but not from anywhere else

  • Then, from my local machine, SSH to the private IP of test-tailscale times out.

  • I can ping test-tailscale from tailscale-relay (but not tailscale ping, obviously)

What gives? I don't understand what I'm doing wrong.

  • Bonus: Can I ssh without the private key?

private subnet route table

1 Answer

One possibility is in the non-AWS Tailscale node which you're using to send the ping, if it is a Linux system. Linux was the first client developed, and the one most often used as a subnet router itself.

All of the other clients accept subnet routes by default, but Linux by default does not and needs tailscale up --accept-routes=true to be specified.

DGentry
  • You mean i.e. my laptop? This seems to have worked, actually...I'll follow up if there's something else going on. Thanks! – Gerrit Egnew Jun 03 '22 at 11:40
  • Despite this optimistic comment, I never got this to work and am still very confused. Particularly, the Tailscale docs mention nothing about the EC2 key pair, which is a frustrating additional requirement – Gerrit Egnew Apr 12 '23 at 15:47
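The thread turns on three things that are easy to get wrong in this setup: whether the target's private IP is really inside the prefix passed to --advertise-routes, whether forwarding is on at the relay, and whether a Linux client actually accepted the route (tailscaled installs accepted routes in policy routing table 52). The helper below is an added troubleshooting example, not code from the question, the answer or Tailscale; the sample route-table output at the bottom is constructed to stand in for the real commands named in the comments.

```sh
#!/bin/sh
# Added troubleshooting helper for a Tailscale subnet-router setup (example, not
# from the original post). Run the real commands shown in the comments on the
# relay and on the Linux client, and feed their output to these functions.

# Convert a dotted-quad IPv4 address to an integer.
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Return 0 if IPv4 address $1 lies inside CIDR $2, e.g. ip_in_cidr 10.0.1.23 10.0.0.0/24
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Return 0 if both forwarding sysctls read 1. On the relay:
#   check_forwarding "$(sysctl -n net.ipv4.ip_forward)" "$(sysctl -n net.ipv6.conf.all.forwarding)"
check_forwarding() {
  [ "$1" = 1 ] && [ "$2" = 1 ]
}

# Return 0 if prefix $1 shows up as a tailscale0 route in the given routing-table dump.
# On the Linux client (table 52 is where tailscaled puts accepted routes):
#   route_accepted 10.0.0.0/24 "$(ip route show table 52)"
route_accepted() {
  printf '%s\n' "$2" | grep -q "^$1 dev tailscale0"
}

# Constructed sample standing in for `ip route show table 52` on a client that
# did run `tailscale up --accept-routes=true`.
SAMPLE_ROUTES='100.100.100.100 dev tailscale0
10.0.0.0/24 dev tailscale0'

# Walk through the checks with values from the question (10.0.1.23 is a constructed
# target address; the VPC wizard normally gives the private subnet its own /24).
if ip_in_cidr 10.0.1.23 10.0.0.0/24; then echo "target is inside the advertised prefix"
else echo "target is NOT inside the advertised prefix; advertise the private subnet too"; fi
if check_forwarding 1 1; then echo "forwarding enabled on relay"; fi
if route_accepted 10.0.0.0/24 "$SAMPLE_ROUTES"; then echo "client accepted 10.0.0.0/24"
else echo "client has not accepted the route; run tailscale up --accept-routes=true"; fi
```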