# Full Guide: Making a Mobile AllStarLink Node Public via Tailscale

This guide provides a detailed walkthrough for configuring a mobile AllStarLink node, which is behind a Carrier-Grade NAT (CGNAT) network, to be fully accessible to other users on the public AllStarLink network.

---

### **The Challenge: CGNAT and AllStarLink**

Carrier-Grade NAT (CGNAT) is used by mobile carriers to conserve IP addresses. It means your mobile device does not get a unique, public IP address; instead, it shares one with many other users. For a server application like an AllStar node, this is a major problem: the public AllStar network has no direct address to send incoming connection requests to, and normal port forwarding is impossible because the NAT belongs to the carrier, not to you.

### **The Solution: The Tailscale Relay Node**

We will solve this by creating a **Relay Node** on a cloud server (VPS) that has a stable, public IP address. This Relay Node will act as a special mailbox for your mobile node. Here's the plan:

1. **The Relay Node (VPS):** This server will have a public IP. It will listen for AllStar traffic from the public internet.
2. **The Mobile Node:** Your device running the AllStar node, connected to the mobile network.
3. **The Tailscale Network:** A secure, private network connecting your Relay Node and your Mobile Node, allowing them to talk directly to each other as if they were on the same Wi-Fi.

When another user tries to connect to your node, the connection goes to the Relay Node's public IP. The Relay Node then forwards this traffic securely over the Tailscale network to your mobile device.

---

### **Prerequisites**

1. **A Cloud Server (VPS):** You will need a basic cloud server with a dedicated public IP address. This is **essential**. Providers like DigitalOcean, Linode, Vultr, or Hetzner offer affordable plans (often around $5/month). This guide will use Debian/Ubuntu commands.
2. **Your Mobile Device:** The phone or tablet running your AllStar node. This guide assumes it's a Linux-based device (like a Raspberry Pi tethered to a phone), but the principles apply to other systems.
3. **A Tailscale Account:** A free personal account is sufficient.

---

### **Phase 1: Configure the Cloud Relay Node (VPS)**

First, log into your newly created VPS via SSH.

#### **Step 1: Install Tailscale and Enable IP Forwarding**

```bash
#!/bin/bash
# --- Install Tailscale ---
echo "Installing Tailscale..."
curl -fsSL https://tailscale.com/install.sh | sh

# --- Start Tailscale & Authenticate ---
# You will need to copy the URL from your terminal into a browser to log in and authorize this machine.
echo "Starting Tailscale. Please follow the URL to authenticate..."
sudo tailscale up

# --- Enable IP Forwarding ---
# This allows the VPS to forward network packets from one interface to another (Public Internet <-> Tailscale).
echo "Enabling IP forwarding..."
echo 'net.ipv4.ip_forward = 1' | sudo tee /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
sudo sysctl -p /etc/sysctl.d/99-tailscale.conf

echo "---------------------------------------------------------"
echo "Cloud Relay Node setup is partially complete."
echo "Take note of this machine's Tailscale IP address below."
echo "Run 'tailscale ip -4' to see it."
echo "---------------------------------------------------------"
```

Run this script on your VPS. After authenticating, your VPS is now on your tailnet.

#### **Step 2: Find the Tailscale IP of your Mobile Node (Do this later)**

You will need the Tailscale IP of your mobile node for the next step. You won't have it yet, so just keep this step in mind. Let's pretend its future Tailscale IP will be `100.X.Y.Z`.

#### **Step 3: Configure the VPS to Route Traffic to the Mobile Node**

Run this command on your VPS, replacing `100.X.Y.Z` with the actual Tailscale IP of your mobile node once you have it.

```bash
# This command tells the rest of your tailnet that this VPS is the gateway to reach your mobile node.
sudo tailscale set --advertise-routes=100.X.Y.Z/32
```

---

### **Phase 2: Configure the Mobile AllStar Node**

Now, on your mobile device (the Pi or other computer running your node).

#### **Step 1: Install and Authenticate Tailscale**

Run the same installation and authentication commands on your mobile node device.

```bash
# --- Install Tailscale on the Mobile Node ---
curl -fsSL https://tailscale.com/install.sh | sh

# --- Start Tailscale & Authenticate ---
sudo tailscale up
```

Follow the URL to authorize this device. Once complete, run `tailscale ip -4` to get its Tailscale IP. This is the `100.X.Y.Z` IP you need for Phase 1, Step 3. Go back to your VPS and run that command now.

#### **Step 2: Set the Relay Node as the Exit Node**

This is the key step. We will force all traffic from your mobile node to go through the Relay Node. Run this command on your Mobile Node, replacing `RELAY_NODE_TS_IP` with the Tailscale IP of your cloud VPS.

```bash
# This command routes all traffic from this mobile node through your cloud relay node.
sudo tailscale set --exit-node=RELAY_NODE_TS_IP --exit-node-allow-lan-access=true
```

---

### **Phase 3: Approve Routes in the Tailscale Admin Console**

Tailscale requires manual approval for these advanced networking features as a security measure.

1. Go to the Tailscale Admin Console **Machines** page.
2. Find your Cloud Relay Node (VPS) in the list.
3. Click the three-dot menu (**...**) and select **Edit route settings...**.
4. Approve the subnet route (`100.X.Y.Z/32`) that you advertised.
5. Find your Mobile Node in the list. You may see a notice that it's using an exit node. Ensure there are no warnings.
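The relay design above depends on the VPS actually handing inbound AllStar packets to the mobile node. As an added example (not part of the original guide), this script for the VPS prints and optionally applies the iptables rules that forward UDP 4569 from the public interface to the mobile node's Tailscale IP; it assumes iptables is installed, that Tailscale's interface is `tailscale0`, and that the public interface name and the mobile node's Tailscale IP are supplied as arguments.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: forwarding rules for the VPS
# that deliver inbound AllStar IAX traffic (UDP 4569) arriving on the public
# interface to the mobile node's Tailscale IP over tailscale0.
# Assumes iptables is installed. Usage: sudo ./relay-fwd.sh apply <public-if> <mobile-ts-ip>
set -euo pipefail

# Tailscale hands out node addresses from 100.64.0.0/10, so refuse anything
# outside it: a typo here would otherwise forward the port to a stranger.
is_tailscale_ip() {
  local ip=$1 o1 o2
  [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  IFS=. read -r o1 o2 _ _ <<<"$ip"
  [[ 10#$o1 -eq 100 && 10#$o2 -ge 64 && 10#$o2 -le 127 ]]
}

# Print the rules one per line so they can be reviewed before they are applied.
relay_rules() {
  local pub_if=$1 mobile_ip=$2 port=${3:-4569}
  is_tailscale_ip "$mobile_ip" || { echo "not a Tailscale IP: $mobile_ip" >&2; return 1; }
  # DNAT: rewrite the destination of packets sent to the VPS public IP to the mobile node.
  echo "iptables -t nat -A PREROUTING -i $pub_if -p udp --dport $port -j DNAT --to-destination $mobile_ip:$port"
  # FORWARD: inserted at position 1 so ufw's default DROP forward policy does not swallow it.
  echo "iptables -I FORWARD 1 -i $pub_if -o tailscale0 -p udp -d $mobile_ip --dport $port -j ACCEPT"
  # MASQUERADE: replies must return through this VPS to be un-NATed; the mobile
  # node will therefore see the VPS's Tailscale address as the peer.
  echo "iptables -t nat -A POSTROUTING -o tailscale0 -p udp -d $mobile_ip --dport $port -j MASQUERADE"
}

if [[ ${1:-} == apply ]]; then
  # Word-split each printed line into a command and run it.
  relay_rules "$2" "$3" | while read -r rule; do $rule; done
fi
```

Run it without `apply` first to review the three rules; they are not persisted across reboots, so add them to your firewall's startup configuration once verified.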
---

### **Phase 4: Configure AllStarLink and Firewall**

**On Your Cloud Relay Node (VPS):**

Your firewall needs to allow AllStar traffic to come in from the public internet.

```bash
# Using ufw (Uncomplicated Firewall) on the VPS
sudo ufw allow 4569/udp   # Default AllStar IAX port
sudo ufw allow 22/tcp     # IMPORTANT: Allow SSH so you don't lock yourself out
sudo ufw enable
```

**On Your Mobile AllStar Node:**

You must tell the AllStar registration system to use your VPS's public IP address.

1. Edit your AllStar config file (`/etc/asterisk/iax.conf`):
   - Find the `bindport` setting. It should be `bindport = 4569`.
   - Find the `bindaddr` setting. It must be `bindaddr = 0.0.0.0` to listen on all interfaces (including the Tailscale one).
2. Edit your node settings (`/etc/asterisk/rpt.conf`): In your node's stanza (e.g., `[12345]`), you need a line that tells the registration server your public address. This should be the public IP of your VPS. Example: `extip = YOUR_VPS_PUBLIC_IP`

You can also often set this in the web portals for AllStarLink setup. The key is that AllStar must be told your public-facing IP is that of the VPS, not the mobile device.

After making these changes, restart Asterisk on your mobile node: `sudo astres.sh`.

Your node should now register with the network, advertising your VPS's public IP. When someone connects, the traffic will be correctly relayed through the VPS to your mobile device.

---

### **Important Considerations**

- **Cost:** While minimal, the VPS is not free.
- **Latency:** You are adding an extra "hop" for all your traffic (Mobile -> VPS -> Internet). This will add a small amount of latency, but it is usually not noticeable for voice traffic.
- **Data Usage:** All your node's traffic will now be routed through your VPS, which could impact the data costs on both your mobile plan and your VPS plan if it's not unlimited.
- **Battery Life:** Constantly transmitting data can drain your mobile device's battery faster.
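Before restarting Asterisk, it is worth checking the Phase 4 edits mechanically, because the two mistakes that quietly break the relay (a `bindaddr` that leaves out the Tailscale interface, an `extip` that is not the VPS public IP) produce no error on the node. The check below is an added example, not from the original guide; it assumes the file paths and keys used above and takes the VPS public IP as an argument so the value in `rpt.conf` is compared against it rather than trusted.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: verify the mobile node's
# iax.conf / rpt.conf edits from Phase 4 before running astres.sh.
# Assumes the guide's paths and keys: bindport, bindaddr in iax.conf; extip in rpt.conf.
set -uo pipefail

# Value of "key = value" in an Asterisk-style config, ignoring ; comments; last match wins.
conf_get() {  # $1 = file, $2 = key
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^;[:space:]]+).*/\1/p" "$1" | tail -n1
}

# Returns 0 when all three settings match the relay design; prints each problem found.
check_node_config() {  # $1 = iax.conf, $2 = rpt.conf, $3 = VPS public IP
  local iax=$1 rpt=$2 vps_ip=$3 rc=0 v
  v=$(conf_get "$iax" bindport)
  [[ $v == 4569 ]] || { echo "iax.conf: bindport is '${v:-unset}', expected 4569"; rc=1; }
  v=$(conf_get "$iax" bindaddr)
  [[ $v == 0.0.0.0 ]] || { echo "iax.conf: bindaddr is '${v:-unset}', expected 0.0.0.0 so tailscale0 is covered"; rc=1; }
  v=$(conf_get "$rpt" extip)
  [[ $v == "$vps_ip" ]] || { echo "rpt.conf: extip is '${v:-unset}', expected the VPS public IP $vps_ip"; rc=1; }
  return $rc
}

# Demo on constructed sample files (not real node configs): bindaddr is wrong, so it fails.
demo() {
  local d; d=$(mktemp -d)
  printf '[general]\nbindport = 4569\nbindaddr = 127.0.0.1 ; loopback only\n' >"$d/iax.conf"
  printf '[12345]\nextip = 203.0.113.10 ; VPS\n' >"$d/rpt.conf"
  check_node_config "$d/iax.conf" "$d/rpt.conf" 203.0.113.10
  local rc=$?; rm -rf "$d"; return $rc
}

# Real run on the node: ./check-node.sh <VPS public IP>
if [[ $# -eq 1 ]]; then
  check_node_config /etc/asterisk/iax.conf /etc/asterisk/rpt.conf "$1" && echo "config OK, safe to run sudo astres.sh"
fi
```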