From 1d9a73628323ad361e5820d862440b6bb1a63733 Mon Sep 17 00:00:00 2001
From: Justin Phelps
Date: Thu, 14 Sep 2023 09:52:51 -0600
Subject: [PATCH 1/2] Allow the configuration of an exit node and lan access.

---
 README.md                                        |  2 ++
 root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run | 10 ++++++++++
 2 files changed, 12 insertions(+)

diff --git a/README.md b/README.md
index aa8477a..41fa116 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,8 @@ use to configure it.
 | `TAILSCALE_SERVE_PORT` | The port number that you want to expose on your tailnet. This will be the port of your DokuWiki, Transmission, or other container. | `80` |
 | `TAILSCALE_SERVE_MODE` | The mode you want to run Tailscale serving in. This should be `https` in most cases, but there may be times when you need to enable `tls-terminated-tcp` to deal with some weird edge cases like HTTP long-poll connections. See [here](https://tailscale.com/kb/1242/tailscale-serve/) for more information. | `https` |
 | `TAILSCALE_FUNNEL` | Set this to `true`, `1`, or `t` to enable [funnel](https://tailscale.com/kb/1243/funnel/). For more information about the accepted syntax, please read the [strconv.ParseBool documentation](https://pkg.go.dev/strconv#ParseBool) in the Go standard library. | `on` |
+| `TAILSCALE_USE_EXIT_NODE` | Set the exit node you'd like to use for the container. | `my-exit-node` or `100.101.165.3` |
+| `TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS` | Optionally, set this to true to allow direct access to your local network when traffic is routed via an exit node. | `true` |
 
 Something important to keep in mind is that you really should set up a
 separate volume for Tailscale state. Here is how to do that with the
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run b/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
index b66a70a..c8a29e5 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
@@ -22,6 +22,16 @@ if [ -v TAILSCALE_BE_EXIT_NODE ]; then
     FLAGS="${FLAGS} --advertise-exit-node=${TS_BE_EXIT_NODE}"
 fi
 
+if [ -v TAILSCALE_USE_EXIT_NODE ]; then
+    echo "[!] using ${TAILSCALE_USE_EXIT_NODE} as an exit node."
+    FLAGS="${FLAGS} --exit-node=${TAILSCALE_USE_EXIT_NODE}"
+
+    if [ -v TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS ]; then
+        echo '[!] allowing exit node LAN access.'
+        FLAGS="${FLAGS} --exit-node-allow-lan-access=${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
+    fi
+fi
+
 tailscale up $FLAGS
 
 # configure serve

From 7c5cfca39fbc127483dfffef45e35d79af9e8c62 Mon Sep 17 00:00:00 2001
From: Justin Phelps
Date: Thu, 2 Nov 2023 12:15:12 -0600
Subject: [PATCH 2/2] Renaming TAILSCALE_USE_EXIT_NODE to TAILSCALE_EXIT_NODE

Explicit checking on LAN ACCESS being true or false

---
 README.md                                          |  2 +-
 .../etc/s6-overlay/s6-rc.d/svc-tailscale-up/run    | 17 ++++++++---------
 2 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 41fa116..52312da 100644
--- a/README.md
+++ b/README.md
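Review bot: The exit-node value is spliced into the whitespace-joined `FLAGS` string that the unchanged `tailscale up $FLAGS` line below expands unquoted, so a `TAILSCALE_USE_EXIT_NODE` containing spaces or glob characters is split into extra arguments instead of being passed as one `--exit-node=` value; the reworked block in the second patch (hunk `@@ -22,13 +22,16 @@`) has the same shape. `[ -v ... ]` is also true for a variable that is set but empty, which sends a bare `--exit-node=` to tailscale. If the run script is bash (the `-v` test suggests it, but the shebang is outside the hunk), building the flags as an array and testing for a non-empty value avoids both: `[ -n "${TAILSCALE_USE_EXIT_NODE:-}" ]`, `FLAGS+=(--exit-node="${TAILSCALE_USE_EXIT_NODE}")` and `tailscale up "${FLAGS[@]}"`. That conversion also touches the pre-existing `FLAGS=` lines above this hunk, so it would be a separate change.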
@@ -19,7 +19,7 @@ use to configure it.
 | `TAILSCALE_SERVE_PORT` | The port number that you want to expose on your tailnet. This will be the port of your DokuWiki, Transmission, or other container. | `80` |
 | `TAILSCALE_SERVE_MODE` | The mode you want to run Tailscale serving in. This should be `https` in most cases, but there may be times when you need to enable `tls-terminated-tcp` to deal with some weird edge cases like HTTP long-poll connections. See [here](https://tailscale.com/kb/1242/tailscale-serve/) for more information. | `https` |
 | `TAILSCALE_FUNNEL` | Set this to `true`, `1`, or `t` to enable [funnel](https://tailscale.com/kb/1243/funnel/). For more information about the accepted syntax, please read the [strconv.ParseBool documentation](https://pkg.go.dev/strconv#ParseBool) in the Go standard library. | `on` |
-| `TAILSCALE_USE_EXIT_NODE` | Set the exit node you'd like to use for the container. | `my-exit-node` or `100.101.165.3` |
+| `TAILSCALE_EXIT_NODE` | Set the exit node you'd like to use for the container. | `my-exit-node` or `100.101.165.3` |
 | `TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS` | Optionally, set this to true to allow direct access to your local network when traffic is routed via an exit node. | `true` |
 
 Something important to keep in mind is that you really should set up a
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run b/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
index c8a29e5..8245149 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
@@ -22,13 +22,16 @@ if [ -v TAILSCALE_BE_EXIT_NODE ]; then
     FLAGS="${FLAGS} --advertise-exit-node=${TS_BE_EXIT_NODE}"
 fi
 
-if [ -v TAILSCALE_USE_EXIT_NODE ]; then
-    echo "[!] using ${TAILSCALE_USE_EXIT_NODE} as an exit node."
-    FLAGS="${FLAGS} --exit-node=${TAILSCALE_USE_EXIT_NODE}"
+if [ -v TAILSCALE_EXIT_NODE ]; then
+    echo "[!] using ${TAILSCALE_EXIT_NODE} as an exit node."
+    FLAGS="${FLAGS} --exit-node=${TAILSCALE_EXIT_NODE}"
 
-    if [ -v TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS ]; then
-        echo '[!] allowing exit node LAN access.'
+    if [ "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" = "true" ] ||
+       [ "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" = "false" ]; then
+        echo "[!] configuring exit node LAN access to ${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
         FLAGS="${FLAGS} --exit-node-allow-lan-access=${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
+    else
+        echo '[!] TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS is not set to true or false. Skipping this setting.'
     fi
 fi
 
@@ -47,7 +50,3 @@ fi
 if [ -v TAILSCALE_FUNNEL ]; then
     tailscale funnel 443 on
 fi
-
-
-
-
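Review bot: The new `else` branch fires whenever `TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS` is simply unset, because `"${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"` then expands to an empty string that matches neither `true` nor `false`, so every user who configures an exit node without touching the LAN option gets the "not set to true or false" warning on each start. Replacing `else` with `elif [ -n "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS:-}" ]; then` keeps the warning for a genuinely malformed value and stays silent for the unset case; the `:-` also keeps the expansion safe should the script ever run under `set -u`. Note too that the README row for `TAILSCALE_FUNNEL` advertises Go ParseBool syntax (`1`, `t`, ...) while this check accepts only the literal lowercase `true`/`false`, so the README row for this variable should state that exact contract, or the check should accept the same forms. Unrelated to this change but visible in the context: the enclosing `[ -v TAILSCALE_BE_EXIT_NODE ]` block, which starts above the hunk, expands `${TS_BE_EXIT_NODE}` rather than the variable it tests, which looks like a pre-existing mismatch worth a separate fix.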