Zyxel's USG FLEX H Series firewalls now support integration with Tailscale, a third-party VPN solution that enables secure, encrypted, peer-to-peer connections across devices and networks. This provides users with a flexible and scalable VPN option in addition to Zyxel’s built-in VPN capabilities.
Please note that while the USG FLEX H Series offers compatibility with Tailscale, it does not include a Tailscale license. Users who wish to utilise Tailscale services must obtain a license directly from Tailscale.
What is Tailscale VPN?
Tailscale is a modern, secure, peer-to-peer VPN solution designed to make networking between devices simple and seamless. Unlike traditional VPNs that rely on centralised servers and complicated configurations, Tailscale uses a mesh network architecture to connect your devices directly and securely—no need for static IPs, port forwarding, or complex firewall rules.
At its core, Tailscale is powered by the WireGuard protocol, ensuring fast, encrypted, end-to-end communication between devices—even if they're behind NAT routers.
Getting Started with Tailscale on a Firewall
1. Create an Account
Visit the Tailscale Knowledge Base to sign up and get started with your Tailscale account.
2. Generate an Authentication Key
Once signed in, go to Settings → Personal Settings → Keys, and click Generate auth key. This key is used to authenticate your firewall or other devices when joining your Tailscale network.
3. Enter a description of your choice, disable “Reusable” for security reasons, then click “Generate key”.
Copy the key.
4. Log in to the firewall, navigate to “VPN -> Tailscale”, and paste the key into “Auth Keys”.
- To change the key, click Logout.
- You can choose the zone yourself. We recommend the Tailscale zone, which has some predefined rules.
5. Go back to the Tailscale admin page. You will see the firewall device.
Click “Disable key expiry” for all clients to prevent connections from being lost when a key expires.
Scenario
We have two subnets, 192.168.168.0/24 and 192.168.160.0/24, which are located behind firewalls. Both the firewalls and the Client A are part of the Tailscale VPN network. The objectives are as follows:
Case 1: Allow Client A to access the 192.168.168.0/24 and 192.168.160.0/24 subnets
1. Advertise 192.168.168.0/24 on Firewall A.
2. Advertise 192.168.160.0/24 on Firewall B.
3. Ensure both subnets have been approved in the Tailscale portal.
Test the Result
Client A now knows how to route the traffic and can access 192.168.168.1 and 192.168.160.1.
Case 2: Allow Client A to access the internet through the firewall
1. Take Firewall A as an example. Enable “Exit Node” and “Default SNAT”.
2. Ensure the exit node has been enabled in the Tailscale portal.
3. Client A needs to select Firewall A as its exit node.
Test the Result
Internet traffic will be sent to Firewall A.
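A check for Case 1 and Case 2 from Client A's side, as an added example that is not part of the original article: it reads status data in the shape of `tailscale status --json` and reports any expected subnet that no peer is serving, plus the exit node in use. The sample JSON, host names and 100.x addresses are constructed, and the field names (`Peer`, `PrimaryRoutes`, `ExitNode`) are assumed to match the client's JSON output.

```python
import ipaddress
import json

# Constructed sample shaped like `tailscale status --json` output on Client A.
# Host names and 100.x addresses are invented; firewall-b deliberately has no
# PrimaryRoutes, as when its subnet is advertised but not yet approved.
SAMPLE_STATUS = json.loads("""
{
  "Peer": {
    "nodekey:aaaa": {"HostName": "firewall-a", "Online": true,
                     "TailscaleIPs": ["100.64.0.1"],
                     "PrimaryRoutes": ["192.168.168.0/24"],
                     "ExitNodeOption": true, "ExitNode": true},
    "nodekey:bbbb": {"HostName": "firewall-b", "Online": true,
                     "TailscaleIPs": ["100.64.0.2"],
                     "ExitNodeOption": false, "ExitNode": false}
  }
}
""")

# Subnets from the scenario and the firewall expected to route each one.
EXPECTED = {"192.168.168.0/24": "firewall-a", "192.168.160.0/24": "firewall-b"}


def check_routes(status, expected):
    """Return {subnet: problem} for each expected subnet not served as planned."""
    served = {}
    for peer in status.get("Peer", {}).values():
        for route in peer.get("PrimaryRoutes") or []:
            served[ipaddress.ip_network(route)] = peer
    problems = {}
    for subnet, host in expected.items():
        peer = served.get(ipaddress.ip_network(subnet))
        if peer is None:
            problems[subnet] = "no peer serves this route"
        elif peer["HostName"] != host:
            problems[subnet] = f"served by {peer['HostName']}, expected {host}"
        elif not peer.get("Online"):
            problems[subnet] = f"{host} is offline"
    return problems


def active_exit_node(status):
    """Return the host name of the exit node currently in use, or None."""
    for peer in status.get("Peer", {}).values():
        if peer.get("ExitNode"):
            return peer["HostName"]
    return None


if __name__ == "__main__":
    print(check_routes(SAMPLE_STATUS, EXPECTED))
    print("exit node:", active_exit_node(SAMPLE_STATUS))
```

A subnet reported as "no peer serves this route" usually points back to step 3 of Case 1: the route has been advertised on the firewall but not approved in the Tailscale portal.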
Case 3: The devices within the 192.168.168.0/24 and 192.168.160.0/24 subnets can communicate with each other
Once the advertised networks have been configured, devices in the two subnets can communicate with each other.
Test the Result
The ping test from Firewall A
The ping test from Firewall B