github.com/clr1107/tnetmgr
0.0.0-20240619121259-9ebb65f10907
Repository: https://github.com/clr1107/tnetmgr.git
Documentation: pkg.go.dev

# Packages

No description provided by the author

# README

## tnetmgr

A Tailscale interface manager. This daemon listens for a Tailscale interface to come up (not the link itself, but for an address in 100.64.0.0/10) and will add other IP addresses as well as execute arbitrary commands.
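The "up" condition described above (an address inside 100.64.0.0/10, not merely link state) can be checked as follows. This is an added example, not tnetmgr's own code; the names `HasTailscaleAddr` and `Transition` and the address snapshots are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// cgnat is the 100.64.0.0/10 range the README names as the "up" signal.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// HasTailscaleAddr (hypothetical helper) reports whether any CIDR string,
// e.g. "100.101.102.103/32", has its address inside 100.64.0.0/10.
func HasTailscaleAddr(cidrs []string) bool {
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			continue // skip anything that is not a valid CIDR
		}
		// Unmap so an IPv4-mapped IPv6 form is compared as plain IPv4.
		if a := p.Addr().Unmap(); a.Is4() && cgnat.Contains(a) {
			return true
		}
	}
	return false
}

// Transition (hypothetical helper) compares the previous state with a new
// snapshot and returns "up", "down" or "" so hooks fire once per edge.
func Transition(wasUp bool, cidrs []string) (event string, nowUp bool) {
	nowUp = HasTailscaleAddr(cidrs)
	switch {
	case nowUp && !wasUp:
		return "up", nowUp
	case !nowUp && wasUp:
		return "down", nowUp
	}
	return "", nowUp
}

func main() {
	// Constructed snapshots of one interface's addresses over time.
	snapshots := [][]string{
		{"fe80::1/64"},                           // link present, no Tailscale address
		{"fe80::1/64", "100.101.102.103/32"},     // address assigned: "up"
		{"100.101.102.103/32", "172.24.24.1/32"}, // extra address added: no event
		{"100.128.0.1/32"},                       // just outside the /10: "down"
	}
	up := false
	for _, s := range snapshots {
		var ev string
		ev, up = Transition(up, s)
		fmt.Printf("%v -> %q\n", s, ev)
	}
}
```

Firing only on the edge matters for the hooks: adding the extra address changes the address list, but must not run the ExecUp commands a second time.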

### Use case

It's a bit of a bastardisation of how Tailscale would like people to use the product, in my opinion, but it has its use cases. I use it to add an extra address to the tailscale0 interface, so that I can use that address when it is used as a subnet router. I also use it to control the tailscale0 interface with iptables. My example configuration is below.

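```yaml
Iface: tailscale0
Addrs:
  - 172.24.24.1/32
ExecUp:
  # Remove the accept-all rule Tailscale adds each time the interface comes up
  - iptables -D ts-input -i tailscale0 -j ACCEPT
  # Create the ts-fw chain and send tailscale0 traffic through it
  - iptables -N ts-fw
  - iptables -A ts-input -i tailscale0 -j ts-fw
  # NAT Tailscale traffic out of eth0 (exit node)
  - iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE
ExecDown:
  - iptables -D ts-input -i tailscale0 -j ts-fw
  # Chain names are case-sensitive: the built-in NAT chain is POSTROUTING
  - iptables -t nat -D POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE
```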

This configuration adds the address 172.24.24.1/32 to the interface tailscale0 whenever it is connected to Tailscale. I can then use this, for example, with the --advertise-routes option. The last command allows this node to be an exit node on the external interface eth0.

The iptables commands in ExecUp remove the default accept-all rule that Tailscale adds every time the interface comes up and replace it with a jump to a new chain called ts-fw. This chain can then be configured, e.g.:

```
-I ts-fw -i tailscale0 -p tcp --dport 22 -j ACCEPT
-A ts-fw -i tailscale0 -j DROP
```

This will allow me to connect to SSH via Tailscale and drop all other connections. I use this to allow SSH only from Tailscale.