https://github.com/clr1107/tnetmgr

Tailscale network manager for Linux
https://github.com/clr1107/tnetmgr

go iptables netlink tailscale

Last synced: about 1 month ago
JSON representation

Tailscale network manager for Linux

• Host: GitHub
• URL: https://github.com/clr1107/tnetmgr
• Owner: clr1107
• Created: 2024-04-01T13:08:14.000Z (about 2 years ago)
• Default Branch: master
• Last Pushed: 2024-06-19T12:13:26.000Z (almost 2 years ago)
• Last Synced: 2025-04-09T17:14:42.429Z (about 1 year ago)
• Topics: go, iptables, netlink, tailscale
• Language: Go
• Homepage:
• Size: 22.5 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# tnetmgr

A tailscale interface manager. This daemon listens for a Tailscale interface to come up (not the link itself, but for an address in `100.64.0.0/10`) and will add other IP addresses as well as execute arbitrary commands.

## Use case

It's a bit of a bastardisation of how Tailscale would like people to use the product, in my opinion, but it has its usecases. I use it to add an extra address to the tailscale0 interface, so that I can use that address when it is used as a subnet router. I also use it to control the tailscale0 interface with iptables. My example configuration is below.

```yaml

Iface: tailscale0

Addrs:

  - 172.24.24.1/32

ExecUp:

  - iptables -D ts-input -i tailscale0 -j ACCEPT

  - iptables -N ts-fw

  - iptables -A ts-input -i tailscale0 -j ts-fw

  - iptables -t nat -A POSTROUTING -s 100.64.0.0/10 -o eth0 -j MASQUERADE

ExecDown:

  - iptables -D ts-input -i tailscale0 -j ts-fw

  - iptables -t nat -D postrouting -s 100.64.0.0/10 -o eth0 -j MASQUERADE

```

This configuration adds the address `172.24.24.1/32` to the interface tailscale0 whenever it is connected to Tailscale. I can then use this, for example, with the `--advertise-routes` option. The last command allows this node to be an exit node on the external interface `eth0`.

The iptables commands in ExecUp remove the default accept all rule added by Tailscale every time the interface comes up and replaces it with a new table, called `ts-fw`. This can then be configured. E.g.,

```bash

-I ts-fw -i tailscale0 -p tcp --dport 22 -j ACCEPT

-A ts-fw -i tailscale0 -j DROP

```

This will allow me to connect to SSH via Tailscale and drop all other connections. I use this to allow SSH only from Tailscale.