startup script for tailscaled

I can successfully run tailscaled in a jail (13.1) using the command tailscaled --tun=userspace-networking followed by tailscale up. The tailscaled command will not start without the --tun=userspace-networking flag. What I want to do is write a script that will start tailscaled when the jail is started, passing the desired flag, and then issuing the tailscale up command. I've played around with trying my own thing as well as a couple of scripts that I've found googling, but no success. Anyone have any advice?
 
First check /usr/local/etc/rc.d to make sure there is not already a daemon installed by the port.

You can create a /etc/rc.local script file and run commands on startup.

Do you want an rc.d service daemon running for this program or not?
 
write a small /usr/local/etc/rc.d/myscript
Right on. The one I wrote looked like this, I got it from section 13.2.1 of the FreeBSD handbook and modified it to look like this:
Code:
#!/bin/sh
#
# PROVIDE: tailscaled
# REQUIRE: DAEMON
# KEYWORD: shutdown

. /etc/rc.subr

name=tailscaled
rcvar=tailscaled_enable

command="/usr/local/sbin/tailscaled"

load_rc_config $name

#
# DO NOT CHANGE THESE DEFAULT VALUES HERE
# SET THEM IN THE /etc/rc.conf FILE
#
tailscaled_enable=${tailscaled_enable-"NO"}
pidfile=${tailscaled_pidfile-"/var/run/tailscaled.pid"}

run_rc_command "$1"

I'm not sure how to pass the --tun=userspace-networking flag using this script.

I also found this one from here:
Code:
#!/bin/sh
#
# PROVIDE: tailscaled tailscale
# REQUIRE: NETWORKING

. /etc/rc.subr

name="tailscaled"
rcvar="${name}_enable"

load_rc_config $name

: ${tailscaled_enable:="NO"}
: ${tailscaled_state:="/var/db/${name}/${name}.state"}

procname="/usr/local/sbin/${name}"
pidfile="/var/run/${name}/${name}.pid"
pidfile_supervisor="/var/run/${name}/${name}_supervisor.pid"
command="/usr/sbin/daemon"
command_args="-c -S -T tailscaled -p $pidfile -P $pidfile_supervisor $procname --state $tailscaled_state $tailscaled_flags"
stop_postcmd="${name}_poststop"

tailscaled_poststop() {
        /sbin/ifconfig tailscale0 destroy
}

run_rc_command "$1"

This script doesn't pass the flags I want either, and I'm not 100% sure how to do that. I have a feeling I need to define "tailscaled_flags" somewhere ...


In /etc/rc.conf you enable "myscript"
Got this in there: tailscaled_enable="YES"
 
First check /usr/local/etc/rc.d to make sure there is not already a daemon installed by the port.
This right here helped me. There IS one there, and I was able to modify this line in the default script:
Code:
: ${tailscaled_tun_dev:="tailscale0"}
and change it to this:
Code:
: ${tailscaled_tun_dev:="userspace-networking"}
I deleted the ones I wrote.
Great success!
Now, all I have to do is figure out how to make it execute the tailscale up command at start time.
 
Now, all I have to do is figure out how to make it execute the tailscale up command at start time.
No, I don't. It does it automatically! Thank you to Phishfry and Alain De Vos for helpful suggestions!
 
If you use VNET networking for your jail, you won't need to use `--tun=userspace-networking`.

One major advantage of this is that tailscale shows up as an interface in your jail. You can bind services to the tailscale IP, you can use PF on it – and most importantly, things will "just work".

See the docs on userspace networking. You have to configure everything to go through a proxy for it to work with tailscale. This means that any software or libraries you use will have to support proxy configuration. Lots do (e.g. `curl` and probably `fetch`). We develop software, and find that many libraries we use don't support proxying out of the box using `ALL_PROXY` or `HTTP_PROXY` environment variables. Best case scenario, they have some configuration setting to provide proxy support. Worst case scenario, we have to modify the library to support proxies – or find a different library.

I encourage you to take the time to use VNET networking in your jails. Tailscale works great in jails this way. Userspace networking is really to support more limited setups where you don't have a tun device.
 
TL;DR – don't modify /usr/local/etc/rc.d/tailscaled, you can sysrc tailscaled_tun_dev="userspace-networking" instead.

There IS one there, and I was able to modify this line in the default script:
Code:
: ${tailscaled_tun_dev:="tailscale0"}

FYI you don't have to (and imo shouldn't) modify that script directly. If you look at the source code for tailscale.in, you'll see a few things:

Code:
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service:
#
# tailscaled_enable (bool):    Set it to YES to enable tailscaled.
#                Default is "NO".
# ...
# tailscaled_tun_dev (str):    Set the name of the tun interface tailscaled creates.
#                Default is "tailscale0"

Also, this syntax : ${tailscaled_tun_dev:="tailscale0"} means "set tailscaled_tun_dev if it's not already set".

So you can and should set it in /etc/rc.conf instead.
 
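Added example (not code from the thread or from the tailscale port): it reproduces the `: ${var:=default}` idiom with a constructed rc.conf fragment to show why a value set via sysrc wins over the rc.d script's built-in default. That the port's script turns `tailscaled_tun_dev` into `--tun=<dev>` is an assumption here.

```shell
#!/bin/sh
# Added example, not code from the thread or from the tailscale port.
# It reproduces the ": ${var:=default}" idiom from the port's rc.d script
# to show why a value in /etc/rc.conf (what sysrc writes) wins over the
# script's built-in default, without touching the real /etc/rc.conf.

# Same defaults the port's script applies; ":=" assigns only when the
# variable is unset or empty, so an earlier assignment is left alone.
apply_tailscaled_defaults() {
    : ${tailscaled_enable:="NO"}
    : ${tailscaled_tun_dev:="tailscale0"}
}

# Stand-in for load_rc_config: source an rc.conf-style fragment (if any),
# then apply the defaults. $1 = path to the fragment, or "" for none.
resolve_tun_dev() {
    unset tailscaled_enable tailscaled_tun_dev
    if [ -n "$1" ]; then
        . "$1"
    fi
    apply_tailscaled_defaults
    printf '%s\n' "$tailscaled_tun_dev"
}

# The flag tailscaled ends up with (assumption: the port's script passes
# the value as --tun=<dev>, which is what makes the thread's fix work).
tun_flag() {
    printf '%s\n' "--tun=$(resolve_tun_dev "$1")"
}

demo() {
    frag=$(mktemp) || exit 1
    # Constructed fragment equivalent to:
    #   sysrc tailscaled_enable=YES tailscaled_tun_dev=userspace-networking
    printf 'tailscaled_enable="YES"\n' > "$frag"
    printf 'tailscaled_tun_dev="userspace-networking"\n' >> "$frag"
    echo "script default only  : $(tun_flag '')"
    echo "with rc.conf override: $(tun_flag "$frag")"
    rm -f "$frag"
}
demo
```

An empty assignment in the fragment (`tailscaled_tun_dev=""`) falls back to the default, because `:=` treats a null value like an unset one.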
If you use VNET networking for your jail, you won't need to use `--tun=userspace-networking`.

One major advantage of this is that tailscale shows up as an interface in your jail. You can bind services to the tailscale IP, you can use PF on it – and most importantly, things will "just work".

See the docs on userspace networking. You have to configure everything to go through a proxy for it to work with tailscale. This means that any software or libraries you use will have to support proxy configuration. Lots do (e.g. `curl` and probably `fetch`). We develop software, and find that many libraries we use don't support proxying out of the box using `ALL_PROXY` or `HTTP_PROXY` environment variables. Best case scenario, they have some configuration setting to provide proxy support. Worst case scenario, we have to modify the library to support proxies – or find a different library.

I encourage you to take the time to use VNET networking in your jails. Tailscale works great in jails this way. Userspace networking is really to support more limited setups where you don't have a tun device.
Thank you for this - I was not aware of this. Can you look at this and tell me if it would be an adequate guide to implementing this on my jails? I've set them up using ezjail, per the handbook.

TL;DR – don't modify /usr/local/etc/rc.d/tailscaled, you can sysrc tailscaled_tun_dev="userspace-networking" instead.
I have made this change and confirmed that it works. Thanks! Would you still recommend the VNET networking in lieu of setting this?
 
I don't use ezjail, but that article looks reasonable to me – it appears to have all the parts that I recognize as necessary for VNET jails.

Yes, I would 100% recommend VNET jails for tailscale over userspace networking. It's a bit more effort to get going, but is worth it because tailscale shows up as an interface in ifconfig (you'll notice that it doesn't when you use userspace networking, you have to configure proxies, etc).
 