Add tailscale to an EdgeRouter and surviving system upgrade

1_AllInOne-TailScale.md

Singular script

Which combines Install, setup & initialization and persists after reboot when stored as /config/scripts/post-config.d/tailscale.sh. Run sudo sh /config/scripts/post-config.d/tailscale.sh and follow the web link to initialize once script created.

#!/bin/sh
# /config/scripts/post-config.d/tailscale.sh

# check latest version against what's installed
VER=$(curl -sL https://api.github.com/repos/tailscale/tailscale/releases/latest |  jq -r ".tag_name" | cut -c 2-)
if [ "$VER" != "$(tailscale version | head -n1)" ]; then
  # download latest version & unpack binaries
  curl "https://pkgs.tailscale.com/stable/tailscale_${VER}_mips.tgz" | tar xvz -C /tmp
  cp /tmp/tailscale_*/* /tmp/tailscale_*/systemd/* /config/
fi

ln -s /config/tailscale /usr/bin/tailscale
ln -s /config/tailscaled /usr/sbin/tailscaled
mkdir -p /var/lib/tailscale/
touch /config/auth/tailscaled.state
chmod 0400 /config/auth/tailscaled.state
ln -s /config/auth/tailscaled.state /var/lib/tailscale/tailscaled.state
sudo tailscaled > /dev/null 2>&1 &
disown
sudo tailscale up

Once registered you can add your network with (see https://tailscale.com/kb/1019/subnets/):

sudo tailscale down
sudo tailscale up --advertise-routes=192.168.123.0/24,10.0.1.0/24

I suggest one avoids using the --accept-routes directive as it causes much route confusion (and outright freezing of the gateway in my case). There is also some config.gateway.json love that should be given to preserve the VPN going out the right interface during a failover event:

{
  "firewall": {
    "modify": {
      "LOAD_BALANCE": {
        "description": "LOAD_BALANCE",
        "rule": {
          "2609": {
            "action": "modify",
            "protocol": "all",
            "destination": {
              "address": "100.64.0.0/10"
            },
            "modify": {
              "table": "9"
            }
          }
        }
      }
    }
  },
  "protocols": {
    "static": {
      "table": {
        "9": {
          "interface-route": {
            "100.64.0.0/10": {
              "next-hop-interface": {
                "tailscale0": "''"
              }
            }
          }
        }
      }
    }
  }
}

Thanks to the scripts gists below as well as unRAID gist for this result.

adding-tailscale-to-edgerouter.md

Adding tailscale to an EdgeRouter (and surviving system upgrades)

I suggest you run sudo bash on all of these so you're the root user.

Installing

1. Download tailscale and put the files in /config/. Find the latest stable or unstable version for your EdgeRouter's processor (ex. ER4 is mips and ERX is mipself)

sudo bash    # if you havent already
curl https://pkgs.tailscale.com/unstable/tailscale_XYZ_mips.tgz | tar xvz -C /tmp
cp /tmp/tailscale_*/* /tmp/tailscale_*/systemd/* /config/

2. Create the /config/scripts/firstboot.d/tailscale.sh file which gets run once every system upgrade. Reminder that /config survives upgrades. Don't forget to set the execute flag on the script inside firstboot.d

cat << EOF > /config/scripts/firstboot.d/tailscale.sh
#!/bin/sh
ln -s /config/tailscaled.service /lib/systemd/system/tailscaled.service
ln -s /config/tailscaled.defaults /etc/default/tailscaled
ln -s /config/tailscale /usr/bin/tailscale
ln -s /config/tailscaled /usr/sbin/tailscaled
mkdir -p /var/lib/tailscale/
touch /config/auth/tailscaled.state
chmod 0400 /config/auth/tailscaled.state
ln -s /config/auth/tailscaled.state /var/lib/tailscale/tailscaled.state
systemctl enable --now tailscaled
EOF
chmod +x /config/scripts/firstboot.d/tailscale.sh

3. And run this script now to get things going (or manually run the commands if you'd like), and then run tailscale up to login. Feel free to use other parameters like tailscale up --advertise-routes=10.0.1.0/24

/config/scripts/firstboot.d/tailscale.sh
tailscale up

4. That's it, you're done! If you found this useful, i'd super appreciate if you could Star up top. Like everyone, I like Internet points too! :)

 

Upgrading to a new version

1. Download the version you want into a folder like /tmp and then copy the binaries over. Perhaps in future versions there may be more/less files or config changes, so make sure you take a look at what's now.

sudo bash    # if you havent already
curl https://pkgs.tailscale.com/unstable/tailscale_XYZ_mips.tgz | tar xvz -C /tmp
systemctl disable --now tailscaled
cp /tmp/tailscale_*/{tailscale,tailscaled} /config/
systemctl enable --now tailscaled

 

Removing

1. Stop the service if its still running

sudo bash    # if you havent already
systemctl disable --now tailscaled

2. Delete all the files tailscale uses

rm /lib/systemd/system/tailscaled.service
rm /etc/default/tailscaled
rm /usr/bin/tailscale
rm /usr/sbin/tailscaled
rm -rf /var/lib/tailscale

3. Remove your configs and persistent files (this includes your tailscaled.state which has your private key)

rm /config/tailscale*
rm /config/auth/tailscaled.state
rm /config/scripts/firstboot.d/tailscale.sh

Adding-tailscale-to-Unifi-USG-and-building-site-to-site-VPN.md

Credits: https://community.ui.com/questions/Adding-tailscale-to-Unifi-USG-and-building-site-to-site-VPN/017fda11-3807-43d7-8efe-9fbfa0315feb?page=1

Recently I had some speed issues with the default IPSec site-to-site VPN between two USGs and decided to change the VPN. You can find in the net instructions on how to install wireguard on USG, but given the flexibility of tailscale, I decided to go with it as well. There are quite good instruction on how to install taliscale on EdeRouter - https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3 by user named lg, which in theory should work for USG as well. However, there is a small issue with directly following the instructions, since USG uses an old way of starting services and does not support systemctl. I spend few hours trying to make it work and start tailscaled as a service, but in the end, I gave up and instead of trying to figure it out, decided to take a different approach. I have modified the script of lg (see link above) to start tailscaled as a background process, which opens the tun and then to initiate tailscale connection. Here is what I did:

Open the web browser and go to www.tailscale.com, create new user if you have not done so. shh to your USG and execute sudo su Install MIPS talscale version following lg’s instructions from the link above (point 1 from his list) create and edit script tailscale.sh by executing vi tailscale.sh script in the home directory (you can create it wherever you whish given you know where it is) and paste the following code in it

#!/bin/sh
ln -s /config/tailscale /usr/bin/tailscale
ln -s /config/tailscaled /usr/sbin/tailscaled
mkdir -p /var/lib/tailscale/
touch /config/auth/tailscaled.state
chmod 0400 /config/auth/tailscaled.state
ln -s /config/auth/tailscaled.state /var/lib/tailscale/tailscaled.state
sudo tailscaled > /dev/null 2>&1 &
disown
sudo tailscale up --advertise-routes=192.168.X.0/24 --accept-routes 

where 192.168.X.0/24 is the internal LAN network behind your USG, which you would like to be accessible by all other tailscale hosts (say you want to see all you computers, like NAS, hubs etc. in your local networks from your phone which is connected to the same tailscale network). You can skip “--advertise-routes=192.168.X.0/24” option if you do not want to expose any internal networks, or you can add multiple subnets/vlans by separating them with commas (for more instructions see https://tailscale.com/kb/1019/subnets)

5. execute chmod +x tailscale.sh to make it executable (presuming you are in the same directory where the script is)

6. execute mkdir /config/scripts/post-config.d to create directory post-config.d (if it does not already exists) and copy the tailscale.sh script in there by executing cp tailscale.sh /config/scripts/post-config.d/. This is necessary since we do not start tailscaled as a service, but as a background process, which needs to be started every time after system reboots/provisions (and it should be surviving system upgrades as well).

7. run the script by “./tailscale.sh” and if this is the first time you connect your USG to tailscale network you will be asked to authenticate , by coping a the link you get in your browser and authenticate with your tailscale credentials (from point 1) . Now you can check if everything is running execute “tailscale status”. If all is good, you should see all hosts in your tialscale network as well information about their IP addresses and networks they expose.

8. Go back to your web browser and open tailscale.com (if closed) and open your admin console. If all is OK you should see your USG as new host, click the 3 dots on the right and disable key expiry and accept subnet routes you are exposing by clicking “review subnet routes” and enable the exposed subnet route(s).

This is all you need to do for a single USG to open a persistent tunnel to your tailscale network, which survives provisions/reboots/upgrades.

If you have two sites managed by USG you can build taiscale/wireguard tunnel between them, by installing tailscale on both USGs following the above instructions for each of the USGs, where the only difference being the internal networks that each USG is exposing, say USG1 exposes 192.168.X1.0/24, while USG2 exposes 192.168.X2.0/24, then you need to modify the last line in the script respectively. Next to it you need to add a static route in each of the USGs telling the rest of the hosts in the respective local networks how they can find hosts in the other network. To do so, for each of the USGs you need to logon in their respective Unifi controller via the web interface, select the site where one of the USG is sitting and go to routing & firewall section. There you need to add a new static route: say you are at USG1 site, then you need to create new static route for 192.168.X2.0/24 network with a next hop being the tailscale IP address of USG1 (which you can see in tailscale admin console). You can do similar thing for USG2, where you add static route for 192.168.X1.0/24 network with next hop being the tailscale IP address of USG2. After your USGs provision, both local networks should be able to see each other as if you have created automatic IPsec site-to-site VPN, with advantage being that the connection will be much faster and secure and that both USGs can reside on two different Unifi controllers.