tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

IP conflict with Alibaba Cloud CGNAT #7472

Open d960124 opened 1 year ago

d960124 commented 1 year ago

What is the issue?

Alibaba Cloud cannot update the software after installing the client

By default, Tailscale uses the CGNAT (100.64.0.0/10) network segment as the internal address allocation network segment. At present, Tailscale only allows its own interface to use this network segment. Unfortunately, Alibaba Cloud's DNS, Apt source, etc. also use this network segment. This will lead to the unavailability of DNS and Apt after an Alibaba Cloud server installs the client. At present, the only solution is to modify the source code, delete these two DROP rules and recompile.

code:

    // Drop packets from the CGNAT range that do not arrive on the tailscale interface.
    args = []string{"!", "-i", r.tunname, "-s", tsaddr.CGNATRange().String(), "-j", "DROP"}
    if err := r.ipt4.Append("filter", "ts-input", args...); err != nil {
        return fmt.Errorf("adding %v in v4/filter/ts-input: %w", args, err)
    }

After installing the client, Alibaba Cloud cannot update software. By default Tailscale uses the CGNAT (100.64.0.0/10) segment as its internal address allocation segment, and at present Tailscale only allows its own interface to use this segment. Unfortunately, Alibaba Cloud's DNS, Apt sources and so on also use this segment. This makes DNS, Apt and the like unavailable after the client is installed on an Alibaba Cloud server. At present the only solution is to modify the source code, delete these two DROP rules and recompile.

Steps to reproduce

No response

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

No response

Tailscale version

No response

Other software

No response

Bug report

No response

d960124 commented 1 year ago

If you have a similar problem, you can try adding a new rule with a higher priority: sudo iptables -t filter -I ts-input 1 -i !tailscale0 -s 100.64.0.0/10 -j ACCEPT

Note the exclamation mark (!) before the -i option; it means the rule will match all interfaces that are not "tailscale0".

This command inserts a new rule at the beginning of the "ts-input" chain so that packets whose source IP address belongs to the Alibaba Cloud intranet range (100.64.0.0/10) are not DROPped on non-"tailscale0" interfaces. Since it sits at the beginning of the chain, it takes precedence over the rules after it.

DentonGentry commented 1 year ago

If you have a similar problem, you can try to add a new rule with a higher priority: sudo iptables -t filter -I ts-input 1 -i !tailscale0 -s 100.64.0.0/10 -j ACCEPT

Note the exclamation point (!) before the -i option, which means that the rule will match all interfaces that are not "tailscale0".

This command will insert a new rule at the beginning of the "ts-input" chain to ensure that packets whose source IP addresses belong to the range of the Alibaba Cloud intranet environment (100.64.0.0/10) will not be DROPped on non-"tailscale0" interfaces. Since it is at the beginning of the chain, it takes precedence over subsequent rules.
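The following is an added example, not part of this thread and not Tailscale's own code. It covers both the ts-input DROP rule described in the opening report and the ACCEPT-rule workaround above: it identifies which local services (resolvers, apt mirrors) sit inside 100.64.0.0/10 and would be dropped on non-tunnel interfaces, emits an ACCEPT rule for each, and then checks a chain listing to confirm the ACCEPT actually precedes the DROP, since rule order is what makes the workaround take effect. The interface name tailscale0 is taken from the comment above; the resolver and mirror addresses and the two chain listings are constructed samples. As a design choice the emitted rules admit only the specific /32 hosts found rather than the whole /10, so the rest of the CGNAT range stays blocked, and they use the `! -i` form of negation that current iptables accepts.

```shell
#!/bin/sh
# Added example, not Tailscale's code and not from the thread.
# Finds local infrastructure addresses (DNS resolvers, apt mirrors) that fall
# inside the CGNAT range 100.64.0.0/10, which tailscaled's ts-input chain
# DROPs on every interface except its own, and emits an ACCEPT rule for each.
# Assumes the tunnel interface is named tailscale0 (from the thread); every
# address and chain listing below is a constructed sample.

# in_cgnat IPV4: succeed if the address lies in 100.64.0.0/10
# (first octet 100, second octet 64..127). Non-dotted input fails.
in_cgnat() {
    _ip=$1
    _o1=${_ip%%.*}
    _rest=${_ip#*.}
    _o2=${_rest%%.*}
    [ "$_o1" -eq 100 ] 2>/dev/null && [ "$_o2" -ge 64 ] && [ "$_o2" -le 127 ]
}

# cgnat_conflicts: read "label address" lines on stdin and print the ones whose
# address is in the CGNAT range. Succeeds if at least one conflict was found.
cgnat_conflicts() {
    _found=1
    while read -r _label _addr; do
        [ -n "$_addr" ] || continue
        if in_cgnat "$_addr"; then
            printf '%s %s\n' "$_label" "$_addr"
            _found=0
        fi
    done
    return $_found
}

# accept_rule ADDRESS: print the iptables command that admits one conflicting
# host, inserted ahead of the DROP rule. A /32 rather than the whole /10 keeps
# the rest of the CGNAT range blocked; "! -i" is the current negation syntax.
accept_rule() {
    printf 'iptables -t filter -I ts-input 1 ! -i tailscale0 -s %s/32 -j ACCEPT\n' "$1"
}

# accept_precedes_drop: read `iptables -S ts-input` output on stdin and succeed
# only if an ACCEPT rule is listed before the CGNAT DROP rule. Run this after
# applying the workaround; an ACCEPT appended after the DROP is never reached.
accept_precedes_drop() {
    _seen_accept=1
    while read -r _line; do
        case $_line in
            *"-j ACCEPT"*) _seen_accept=0 ;;
            *"-s 100.64.0.0/10"*"-j DROP"*) return $_seen_accept ;;
        esac
    done
    return 1   # no CGNAT DROP rule in the chain: nothing to verify
}

# Constructed sample: "nameserver" lines from /etc/resolv.conf plus a resolved
# apt mirror, as they might look on a host whose services live in CGNAT space.
SAMPLE_ADDRS='nameserver 100.100.2.1
apt-mirror 100.100.1.1
nameserver 8.8.8.8'

# Constructed chain listings in `iptables -S` form: one with the workaround
# applied correctly, one where the ACCEPT was appended after the DROP.
CHAIN_GOOD='-N ts-input
-A ts-input -s 100.100.2.1/32 ! -i tailscale0 -j ACCEPT
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP'
CHAIN_BAD='-N ts-input
-A ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
-A ts-input -s 100.100.2.1/32 ! -i tailscale0 -j ACCEPT'

main() {
    echo "CGNAT-range services that ts-input would drop:"
    printf '%s\n' "$SAMPLE_ADDRS" | cgnat_conflicts | while read -r _label _addr; do
        echo "  $_label $_addr -> $(accept_rule "$_addr")"
    done
    if printf '%s\n' "$CHAIN_GOOD" | accept_precedes_drop; then
        echo "good chain: ACCEPT precedes DROP"
    fi
    if ! printf '%s\n' "$CHAIN_BAD" | accept_precedes_drop; then
        echo "bad chain: ACCEPT after DROP has no effect"
    fi
}

main "$@"
```

On a real host, feed `cgnat_conflicts` with the output of `grep '^nameserver' /etc/resolv.conf` and the resolved address of the configured apt mirror, and feed `accept_precedes_drop` with `iptables -S ts-input` after inserting the rules.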

rmrf commented 1 year ago

This does not work.