diff --git a/net/tailscale/Makefile b/net/tailscale/Makefile index c9818871..b543b61e 100644 --- a/net/tailscale/Makefile +++ b/net/tailscale/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=tailscale -PKG_VERSION:=1.44.3 +PKG_VERSION:=1.64.2 PKG_RELEASE:=1 -PKG_SOURCE:=tailscale-$(PKG_VERSION).tar.gz +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=9d0cdccf103d3613ea4671e7092a18e9b7a471f30b4d92defb001510262e48d5 +PKG_HASH:=e5e46f6b6b716b2c4696dce0b92dc2e36f02b06b7ad9f055042a820ad61b2a47 PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=BSD-3-Clause @@ -25,33 +25,22 @@ PKG_BUILD_PARALLEL:=1 PKG_USE_MIPS16:=0 GO_PKG:=\ - tailscale.com/cmd/tailscale \ tailscale.com/cmd/tailscaled -GO_PKG_LDFLAGS:=-X 'tailscale.com/version.Long=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' -GO_PKG_LDFLAGS_X:=tailscale.com/version.Short=$(PKG_VERSION) +GO_PKG_LDFLAGS:=-X 'tailscale.com/version.longStamp=$(PKG_VERSION)-$(PKG_RELEASE) (OpenWrt)' +GO_PKG_LDFLAGS_X:=tailscale.com/version.shortStamp=$(PKG_VERSION) +GO_PKG_TAGS:=ts_include_cli include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk -define Package/tailscale/Default +define Package/tailscale SECTION:=net CATEGORY:=Network SUBMENU:=VPN TITLE:=Zero config VPN URL:=https://tailscale.com - DEPENDS:=$(GO_ARCH_DEPENDS) -endef - -define Package/tailscaled - $(call Package/tailscale/Default) - TITLE+= (daemon) - DEPENDS+= +ca-bundle +kmod-tun -endef - -define Package/tailscale - $(call Package/tailscale/Default) - TITLE+= (utility) - DEPENDS+= +tailscaled + DEPENDS:=$(GO_ARCH_DEPENDS) +ca-bundle +kmod-tun + PROVIDES:=tailscaled endef define Package/tailscale/description 
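Review bot: `PROVIDES:=tailscaled` keeps the old package name resolvable, but nothing in the new `define Package/tailscale` block records why the daemon package disappeared, and the README context later in this commit still tells users to run `opkg install tailscale tailscaled`. A one-line comment above the `PROVIDES` line, e.g. `# CLI is compiled into tailscaled (ts_include_cli) and exposed as a symlink; tailscaled is no longer a separate package`, would tie the `GO_PKG_TAGS:=ts_include_cli` addition, the dropped `tailscale.com/cmd/tailscale` entry in `GO_PKG` and the install-recipe symlink together, and the README install line should be reduced to `opkg install tailscale`. Without that note a later maintainer could presumably re-add the `cmd/tailscale` target and build a second binary that the install recipe never ships.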
@@ -59,45 +48,17 @@ define Package/tailscale/description and cloud instances. Even when separated by firewalls or subnets. endef -Package/tailscaled/description:=$(Package/tailscale/description) - -define Package/tailscaled/conffiles +define Package/tailscale/conffiles /etc/config/tailscale -endef - -GO_IPTABLES_VERSION:=0.6.0 -GO_IPTABLES_FILE:=$(PKG_NAME)-go-iptables-$(GO_IPTABLES_VERSION).tar.gz - -define Download/go-iptables - URL:=https://codeload.github.com/coreos/go-iptables/tar.gz/v$(GO_IPTABLES_VERSION)? - URL_FILE:=$(GO_IPTABLES_FILE) - FILE:=$(GO_IPTABLES_FILE) - HASH:=a784cc17fcb17879f073eae47bc4c2e899f59f6906dac5a0aa7a9cc9f95ea66d -endef - -define Build/Prepare - $(PKG_UNPACK) - [ ! -d ./src/ ] || $(CP) ./src/. $(PKG_BUILD_DIR) - $(eval $(call Download,go-iptables)) - ( \ - mkdir -p $(PKG_BUILD_DIR)/patched/ ; \ - gzip -dc $(DL_DIR)/$(GO_IPTABLES_FILE) | $(HOST_TAR) -C $(PKG_BUILD_DIR)/patched $(TAR_OPTIONS) ; \ - mv $(PKG_BUILD_DIR)/patched/go-iptables-$(GO_IPTABLES_VERSION) $(PKG_BUILD_DIR)/patched/go-iptables ; \ - ) - $(Build/Patch) +/etc/tailscale/ endef define Package/tailscale/install - $(INSTALL_DIR) $(1)/usr/sbin - $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscale $(1)/usr/sbin -endef - -define Package/tailscaled/install $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/init.d $(1)/etc/config $(INSTALL_BIN) $(GO_PKG_BUILD_BIN_DIR)/tailscaled $(1)/usr/sbin - $(INSTALL_BIN) ./files/tailscale.init $(1)/etc/init.d/tailscale - $(INSTALL_DATA) ./files/tailscale.conf $(1)/etc/config/tailscale + $(LN) tailscaled $(1)/usr/sbin/tailscale + $(INSTALL_BIN) ./files//tailscale.init $(1)/etc/init.d/tailscale + $(INSTALL_DATA) ./files//tailscale.conf $(1)/etc/config/tailscale endef $(eval $(call BuildPackage,tailscale)) -$(eval $(call BuildPackage,tailscaled)) diff --git a/net/tailscale/README.md b/net/tailscale/README.md index eaffa57d..7bad0a3c 100644 --- a/net/tailscale/README.md +++ b/net/tailscale/README.md 
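Review bot: The two new install lines carry a doubled slash, `$(INSTALL_BIN) ./files//tailscale.init` and `$(INSTALL_DATA) ./files//tailscale.conf`; it is harmless to the shell but reads as a typo and differs from the `./files/` spelling of the lines they replace — `$(INSTALL_BIN) ./files/tailscale.init $(1)/etc/init.d/tailscale` and `$(INSTALL_DATA) ./files/tailscale.conf $(1)/etc/config/tailscale`. The new conffiles entry `/etc/tailscale/` is the directory the shipped config points `state_file` at, so the node's state file (presumably its identity keys) now survives sysupgrade; that looks deliberate and deserves a comment such as `# /etc/tailscale/ holds tailscaled.state; keep it across upgrades`. The `$(LN) tailscaled $(1)/usr/sbin/tailscale` line only works because `ts_include_cli` is enabled in an earlier hunk, so a short comment on it would save the next reader from looking for a separate `tailscale` binary.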
@@ -8,6 +8,8 @@ To install them run ``` opkg install tailscale tailscaled ``` +> [!NOTE] +> By default this package will use nftables. If you wish to use iptables, the config file `/etc/config/tailscale` can be modfied, changing the line `fw_mode 'nftables'` to `fw_mode 'iptables'`. You can then run `/etc/init.d/tailscale restart` to restart tailscale using your chosen method ## First setup @@ -25,9 +27,4 @@ Run command and finish device registration with the given URL. tailscale up ``` -If you are running with nftables, it is not supported by tailscale, -so disable it and configure firewall by yourself and add argument ---netfilter-mode off -to tailscale up command to disable iptables use. - -After that, you should see your router in tailscale admin page. +See the [OpenWrt wiki](https://openwrt.org/docs/guide-user/services/vpn/tailscale/start) for more detailed setup instructions diff --git a/net/tailscale/files/tailscale.conf b/net/tailscale/files/tailscale.conf index 194d8df4..10e0316e 100644 --- a/net/tailscale/files/tailscale.conf +++ b/net/tailscale/files/tailscale.conf @@ -3,3 +3,5 @@ config settings 'settings' option log_stdout '1' option port '41641' option state_file '/etc/tailscale/tailscaled.state' + # default to using nftables - change below to 'iptables' if still using iptables + option fw_mode 'iptables' diff --git a/net/tailscale/files/tailscale.init b/net/tailscale/files/tailscale.init index 6548fa22..4495ad50 100644 --- a/net/tailscale/files/tailscale.init +++ b/net/tailscale/files/tailscale.init 
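Review bot: The added comment `# default to using nftables - change below to 'iptables' if still using iptables` contradicts the value on the next line, `option fw_mode 'iptables'`; the same mismatch appears in the init-script hunk of this commit, where the comment says `Use nftables by default` but `config_get fw_mode "settings" fw_mode iptables` falls back to iptables, and in the README note that claims the shipped line is `fw_mode 'nftables'`. Either the value is wrong — then `option fw_mode 'nftables'` here and `config_get fw_mode "settings" fw_mode nftables` in the init script — or iptables is the intended default, in which case the two comments and the README sentence should say so. The three places should be aligned in the same commit: the deleted `010`/`020` patches appear to have been what let tailscaled tolerate a missing iptables binary (they substituted a `/bin/false` instance), so with them gone the shipped default decides whether a fresh nftables-only install works out of the box.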
@@ -17,12 +17,17 @@ start_service() { config_get_bool std_err "settings" log_stderr 1 config_get port "settings" port 41641 config_get state_file "settings" state_file /etc/tailscale/tailscaled.state + config_get fw_mode "settings" fw_mode iptables /usr/sbin/tailscaled --cleanup procd_open_instance procd_set_param command /usr/sbin/tailscaled + # Starting with v1.48.1 ENV variable is required to enable use of iptables / nftables. + # Use nftables by default - can be changed to 'iptables' in tailscale config + procd_set_param env TS_DEBUG_FIREWALL_MODE="$fw_mode" + # Set the port to listen on for incoming VPN packets. # Remote nodes will automatically be informed about the new port number, # but you might want to configure this in order to set external firewall diff --git a/net/tailscale/patches/010-fake_iptables.patch b/net/tailscale/patches/010-fake_iptables.patch deleted file mode 100644 index 07e14fbf..00000000 --- a/net/tailscale/patches/010-fake_iptables.patch +++ /dev/null 
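Review bot: The value of `fw_mode` is forwarded into `TS_DEBUG_FIREWALL_MODE` unvalidated, and by its name that variable is an upstream debug knob rather than a documented setting, so a typo in `/etc/config/tailscale` is handed straight to tailscaled and what happens next depends on upstream. A guard placed before `procd_open_instance` keeps the failure local and readable, e.g. `case "$fw_mode" in iptables|nftables) ;; *) echo "tailscale: unsupported fw_mode '$fw_mode'" >&2; return 1 ;; esac`. The comment `# Starting with v1.48.1 ENV variable is required ...` should also record that the knob was checked against the 1.64.2 source this commit moves to, since a debug variable can be renamed without notice. The `start_service()` function begins before this hunk and continues past it.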
@@ -1,53 +0,0 @@ ---- a/go.mod -+++ b/go.mod -@@ -2,6 +2,8 @@ module tailscale.com - - go 1.19 - -+replace github.com/coreos/go-iptables => ./patched/go-iptables -+ - require ( - filippo.io/mkcert v1.4.3 - github.com/Microsoft/go-winio v0.6.0 ---- a/patched/go-iptables/iptables/iptables.go -+++ b/patched/go-iptables/iptables/iptables.go -@@ -149,12 +149,39 @@ func New(opts ...option) (*IPTables, err - return ipt, nil - } - -+func NewFake(opts ...option) (*IPTables, error) { -+ -+ ipt := &IPTables{ -+ path: "/bin/false", -+ proto: ProtocolIPv4, -+ hasCheck: false, -+ hasWait: false, -+ waitSupportSecond: false, -+ hasRandomFully: false, -+ v1: 0, -+ v2: 0, -+ v3: 0, -+ mode: "legacy", -+ timeout: 0, -+ } -+ -+ for _, opt := range opts { -+ opt(ipt) -+ } -+ -+ return ipt, nil -+} -+ - // New creates a new IPTables for the given proto. - // The proto will determine which command is used, either "iptables" or "ip6tables". - func NewWithProtocol(proto Protocol) (*IPTables, error) { - return New(IPFamily(proto), Timeout(0)) - } - -+func NewFakeWithProtocol(proto Protocol) (*IPTables, error) { -+ return NewFake(IPFamily(proto), Timeout(0)) -+} -+ - // Proto returns the protocol used by this IPTables. - func (ipt *IPTables) Proto() Protocol { - return ipt.proto diff --git a/net/tailscale/patches/020-tailscaled_fake_iptables.patch b/net/tailscale/patches/020-tailscaled_fake_iptables.patch deleted file mode 100644 index 5e59ec15..00000000 --- a/net/tailscale/patches/020-tailscaled_fake_iptables.patch +++ /dev/null 
@@ -1,32 +0,0 @@ ---- a/wgengine/router/router_linux.go -+++ b/wgengine/router/router_linux.go -@@ -129,7 +129,7 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Moni - - ipt4, err := iptables.NewWithProtocol(iptables.ProtocolIPv4) - if err != nil { -- return nil, err -+ ipt4, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv4) - } - - v6err := checkIPv6(logf) -@@ -148,7 +148,7 @@ func newUserspaceRouter(logf logger.Logf, tunDev tun.Device, netMon *netmon.Moni - // if unavailable. We want that to be a non-fatal error. - ipt6, err = iptables.NewWithProtocol(iptables.ProtocolIPv6) - if err != nil { -- return nil, err -+ ipt6, err = iptables.NewFakeWithProtocol(iptables.ProtocolIPv6) - } - } - -@@ -1676,11 +1676,6 @@ func checkIPv6(logf logger.Logf) error { - return fmt.Errorf("kernel doesn't support IPv6 policy routing: %w", err) - } - -- // Some distros ship ip6tables separately from iptables. -- if _, err := exec.LookPath("ip6tables"); err != nil { -- return err -- } -- - return nil - } - diff --git a/net/tailscale/patches/030-default_to_netfilter_off.patch b/net/tailscale/patches/030-default_to_netfilter_off.patch deleted file mode 100644 index 1edd0022..00000000 --- a/net/tailscale/patches/030-default_to_netfilter_off.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/cmd/tailscale/cli/up.go -+++ b/cmd/tailscale/cli/up.go -@@ -147,7 +147,7 @@ func defaultNetfilterMode() string { - if distro.Get() == distro.Synology { - return "off" - } -- return "on" -+ return "off" - } - - type upArgsT struct {