Allow the configuration of an exit node and lan access. #8

Open
wants to merge 2 commits into
base: main
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -19,6 +19,8 @@ use to configure it.
| `TAILSCALE_SERVE_PORT` | The port number that you want to expose on your tailnet. This will be the port of your DokuWiki, Transmission, or other container. | `80` |
| `TAILSCALE_SERVE_MODE` | The mode you want to run Tailscale serving in. This should be `https` in most cases, but there may be times when you need to enable `tls-terminated-tcp` to deal with some weird edge cases like HTTP long-poll connections. See [here](https://tailscale.com/kb/1242/tailscale-serve/) for more information. | `https` |
| `TAILSCALE_FUNNEL` | Set this to `true`, `1`, or `t` to enable [funnel](https://tailscale.com/kb/1243/funnel/). For more information about the accepted syntax, please read the [strconv.ParseBool documentation](https://pkg.go.dev/strconv#ParseBool) in the Go standard library. | `on` |
| `TAILSCALE_USE_EXIT_NODE` | Set the exit node you'd like to use for the container. | `my-exit-node` or `100.101.165.3` |
| `TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS` | Optionally, set this to true to allow direct access to your local network when traffic is routed via an exit node. | `true` |

Something important to keep in mind is that you really should set up a
separate volume for Tailscale state. Here is how to do that with the
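Review bot: the two added rows do not say that `TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS` only takes effect when `TAILSCALE_USE_EXIT_NODE` is also set, which is how the run script in this PR nests the two checks. Suggest stating that dependency in the second row, and noting in the first row that the value is the exit node's name or Tailscale IP and that a set-but-empty value is passed through as `--exit-node=`. The LAN-access row could also list the accepted values, since the string is handed to `--exit-node-allow-lan-access=` unchanged.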
10 changes: 10 additions & 0 deletions root/etc/s6-overlay/s6-rc.d/svc-tailscale-up/run
Expand Up @@ -22,6 +22,16 @@ if [ -v TAILSCALE_BE_EXIT_NODE ]; then
FLAGS="${FLAGS} --advertise-exit-node=${TS_BE_EXIT_NODE}"
fi

if [ -v TAILSCALE_USE_EXIT_NODE ]; then
echo "[!] using ${TAILSCALE_USE_EXIT_NODE} as an exit node."
FLAGS="${FLAGS} --exit-node=${TAILSCALE_USE_EXIT_NODE}"

if [ -v TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS ]; then
echo '[!] allowing exit node LAN access.'
FLAGS="${FLAGS} --exit-node-allow-lan-access=${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
fi
fi
Contributor

Instead of checking that the env is set, we should also ensure its value is true

Something like:

```bash
if [ "${TAILSCALE_USE_EXIT_NODE}" = "true" ]; then
    echo "[!] using exit node."
    FLAGS="${FLAGS} --exit-node"

    if [ "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" = "true" ] || \
       [ "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" = "false" ]; then
        echo '[!] configuring exit node LAN access.'
        FLAGS="${FLAGS} --exit-node-allow-lan-access=${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
    else
        echo '[!] TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS is not set to true or false. Skipping this setting.'
    fi
else
    echo "[!] TAILSCALE_USE_EXIT_NODE is not set to true. Skipping exit node configuration."
fi
```

Author

@Linuturk Linuturk Nov 2, 2023

In your example, wouldn't `[ "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" = "false" ]` never be true, given we are checking for true before executing that branch?

EDIT: Never mind, my brain didn't read the full variable. Fixing up.

Author

Actually, --exit-node isn't a true/false flag, it's a setting with a string argument containing the IP address or name of the exit node to use. This change wouldn't make sense in that context.
https://tailscale.com/kb/1103/exit-nodes/#step-4-use-the-exit-node

Contributor

Ah, good catch. Let's use a `-n` check for non-empty.

Contributor

@tylersmalley tylersmalley Nov 2, 2023

And change TAILSCALE_USE_EXIT_NODE to TAILSCALE_EXIT_NODE. The name made me think it was a boolean.

Author

An empty value is valid and is used to disable the feature in the configuration. If we check for empty values we wouldn't be able to turn off the feature.

Contributor

I was under the impression that `up` required the complete set of desired settings, so omitting it should clear it out. If we were using `set` that would not be the case. But I tested this and checked `tailscale debug prefs` in between, and you're correct: we need to set it to an empty value to disable it.

We could change it for both of the settings to provide the default value if they are unset, or maybe a better solution would be to supply --reset and only pass the desired settings.

Author

I feel like transparently passing whatever option the user configures is the best way versus trying to catch all the edge cases. Maybe there's room for another change to provide a --reset option, but I feel like that's out of scope for this specific PR. Thoughts?
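
The unset-versus-empty distinction discussed in this thread, as an added example that is not part of the PR or the project's run script: a POSIX shell helper (hypothetical name `exit_node_flags`) that emits nothing when the variable is unset, emits `--exit-node=` when it is set but empty, and rejects values that would not survive as a single argument. The character allowlist for node names is an assumption.

```shell
#!/bin/sh
# Added example, not the project's run script. exit_node_flags is a
# hypothetical helper; the allowed character set below is an assumption.
# Prints one `tailscale up` flag per line, or returns 1 on a bad value.
exit_node_flags() {
    # ${VAR+set} yields "set" when VAR is defined, even if empty
    # (the POSIX equivalent of bash's [ -v VAR ]).
    if [ -z "${TAILSCALE_USE_EXIT_NODE+set}" ]; then
        return 0   # unset: emit nothing, leave the preference alone
    fi

    # Validate everything before printing so a failure emits no flags.
    case "${TAILSCALE_USE_EXIT_NODE}" in
        *[!A-Za-z0-9.:-]*)
            echo "[!] invalid TAILSCALE_USE_EXIT_NODE value" >&2
            return 1 ;;
    esac
    if [ -n "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS+set}" ]; then
        case "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}" in
            true|false) ;;
            *)
                echo "[!] TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS must be true or false" >&2
                return 1 ;;
        esac
    fi

    # Set but empty is kept: `--exit-node=` is how the thread says the
    # exit node is turned off.
    printf '%s\n' "--exit-node=${TAILSCALE_USE_EXIT_NODE}"
    if [ -n "${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS+set}" ]; then
        printf '%s\n' "--exit-node-allow-lan-access=${TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS}"
    fi
}

# Constructed sample values, taken from the README examples on this page.
TAILSCALE_USE_EXIT_NODE="100.101.165.3"
TAILSCALE_EXIT_NODE_ALLOW_LAN_ACCESS="true"
exit_node_flags
```

Each printed line is meant to be appended as exactly one argument to `tailscale up`, which avoids relying on word splitting of a flat `FLAGS` string.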


tailscale up $FLAGS

# configure serve
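Review bot: both new `FLAGS=` assignments append the raw variable value to a flat string that is later expanded unquoted in `tailscale up $FLAGS`, so a value containing whitespace is split into additional arguments to `tailscale up`. Suggest collecting the flags in a bash array and calling `tailscale up "${FLAGS[@]}"`, or at least rejecting values with whitespace before appending; the value given to `--exit-node-allow-lan-access=` can be checked against `true` and `false` at the same point. Separately, the context line at the top of the hunk tests `TAILSCALE_BE_EXIT_NODE` but interpolates `${TS_BE_EXIT_NODE}`; worth confirming that is intended.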