search

MinisculeGirraffe / Tailscale-UDMPro

Guide to running Tailscale on a UDM(Pro)
21 stars 0 forks source link

Combine with split-tunnel script? #1

Open midzelis opened 2 years ago

midzelis commented 2 years ago

I haven’t tried this yet, but it seems that the split tunnel script should work with these scripts.

https://github.com/peacey/split-vpn

Would it be possible for an integration between these two scripts be documented? Maybe example config file(s)

MinisculeGirraffe commented 2 years ago

The script/this repo was primarily written with the intent of exposing the local network of the UDM as a subnet router.

I suppose it would also be possible in theory to have it nat traffic to the container, which is configured to send traffic to an exit node somewhere else. I don't see any reason why it wouldn't work, but I also haven't looked through how the split-vpn repo operates to know how it would integrate.

I just updated my tailscale version on my router today so I wrote in some quick updates to the script. I'm planning on spending some time this weekend to write some better docs on setting it up.

I'll see if I can get it to work and include it in there.

If you run into trouble getting the setup to work in the mean time, feel free to drop me a note.

MinisculeGirraffe commented 2 years ago

Some initial impressions after playing with it for a little bit.

My feeling is you might want to run two containers if you want to both run a subnet router for a typical site to site vpn, and then an exit node for a VPN in the traditional "hide my ip" fashion. The routes that split-vpn sets up are likely going to conflict with the routes that are needed for running a subnet router.

The container is pretty light so running multiple doesn't seem like it would be a big deal. You would just want to make sure their state files were contained in separate directories so they wouldn't conflict. This would just be specifying a unique directory for /var/lib in the command creating the container

-v /mnt/data/docker/tailscale-exit:/var/lib 
-v /mnt/data/docker/tailscale-subnet:/var/lib

You would also want to setup two network.conflist files. The template provided in the repo,tailscale.conflist, can be re-used with a local ip on your network, probably in a dedicated vlan.

You would end up placing a tailscale-exit.conflist and a tailscale-subnet.conflist in /mnt/data/podman/cni then modifying the command creating the container to point to the matching one 

--network=tailscale-exit 
--network=tailscale-subnet

The full command to create an exit container would look something like this:

docker run -d --name=tailscaled-exit \
--cap-add=NET_ADMIN \
--cap-add=SYS_MODULE \
-v /mnt/data/docker/tailscale-exit:/var/lib \
-v /dev/net/tun:/dev/net/tun \
--network=tailscale-exit \
--privileged \
tailscale/tailscale tailscaled

IMO the main point on running TS on a router would be to use it as a subnet router. If you need an exit node, most of the time it would make more sense to configure it on the actual client itself. That being said split-vpn does do the vast majority of the work in configuring the routes and interfaces, which means most of the script included in this repo would be redundant.

As for setting up the container on boot. All you really need to do is bring up the interface, and let split-vpn configure all the route settings. Any traffic from the container will be routed out the exit node.

VLAN=0
#The IPv4 address of the tailscale container.
IPV4_IP="<ADDR>"
IPV4_GW="<ADDR>/<CIDR>"

#The IPv6 address of the tailscale container.
IPV6_IP="<ADDRv6>"
IPV6_GW="<ADDRv6>/<CIDR>"

# set VLAN bridge promiscuous
ip link set br${VLAN} promisc on

# create macvlan bridge and add IPv4 IP
ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
ip -6 addr add ${IPV6_GW} dev br${VLAN}.mac noprefixroute

# set macvlan bridge promiscuous and bring it up
ip link set br${VLAN}.mac promisc on
ip link set br${VLAN}.mac up

docker exec tailscaled-exit sysctl -w net.ipv4.ip_forward=1
docker exec tailscaled-exit sysctl -w net.ipv6.conf.all.forwarding=1
docker exec tailscaled-exit tailscale up --hostname=UDM-Pro-Exit --exit-node=<exit-node-ip>

From the split VPN side, they support "next hop" which we would want to set to our exit node container IP's created in the tailscale-exit.conflist. That should pass the traffic to the container configured as an exit node, where the container will know how to route it through the TS network to an exit node.

VPN_PROVIDER="nexthop"
VPN_ENDPOINT_IPV4="<exit container ip>"
VPN_ENDPOINT_IPV6="<exit container ipv6>"

TL:DR:

The split-vpn script knows how to dynamically route stuff to your container, and the container knows how to route stuff through tailscale.