[Tailscale-native] wireguard private VPN (AppCentral 01/19/2023)

father.mande
Posts: 1808
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

[Tailscale-native] wireguard private VPN (AppCentral 01/19/2023)

Post by father.mande »

Hi,

==== please read next messages for any update of the APKG or tailscale ...

I am pleased to present an APKG for tailscale:
Tailscale makes networking easy
Tailscale lets you easily manage access to private resources, quickly SSH into devices on your network, and work securely from anywhere in the world.


THIS APKG is for the native version NO docker NO container nothing breaking the security you can expect for a VPN

tailscale-native is fully configurable
tailscale-native has an internal update mechanism in case tailscale requires a quick update (so no need to wait for a new APKG)
tailscale-native can be debugged easily (using a virtual screen for launch, so with full immediate trace)
tailscale-native offers the web interface for attaching the NAS to your tailscale network (login to tailscale MUST be done before)
tailscale-native supports the free and paid tailscale offers
tailscale-native supports routing to an existing network and full gateway to the world (not by default, it's a private VPN)

[VERSION]
Actual : 2.0.3 in review for update in AppCentral

WIREGUARD :
EVEN tailscale seems to integrate only the GO (user space) network link creation (T.B.C.)
==== SO having wireguard kernel modules is not mandatory at this time, but perhaps in the future =====
... best in terms of security and performance is : kernel source tree modules
... second is the COMPAT mode ... kernel external module
... the one with a little less performance but more portability is : wireguard-go (port in Go of the network link creation tool)
NAS status :
x86_64 with ADM 4.1+ can use wireguard KERNEL SOURCE TREE modules (4.1.0 before and after RLQ1)
x86_64 with ADM 4.0+ can use wireguard-go so needs only existing network modules

Arm64 with ADM 4.1 kernel 4.9.119 (AS11, AS33 for ex.) can use wireguard COMPAT kernel module (4.1.0 before and after RLQ1)
Arm64 with ADM 4.0+ and a kernel other than 4.9.119 can use wireguard-go so needs only existing network modules

armhf with ADM 4.0+ can use wireguard-go so needs only existing network modules

IF you want to use the wireguard-go network link for your own usage (outside tailscale) ... it is provided in the Entware APKG

Tailscale requirement :
... requires extra modules including iptables extensions ... this is provided by the APKG for all platforms.
... Tailscale requires an account with S.S.O. all my tests run with a Google account ...

PLEASE READ INFORMATION at : https://tailscale.com/ before starting ...

Tested on :
AS5002T
AS5202T
AS6602T
AS4002T
AS1002T

Best practice :
... use browser to create an account at tailscale.com
... ADD other windows, mac, android client (up to 20 in free version)
... install APKG
... use the web interface (in web admin) to login to tailscale (with same account as before)
... the NAS is added and can be used immediately ... add other NAS
... PAY ATTENTION: keys expire after 180 days max ... so for a server a good idea is to select (tailscale.com admin page) DISABLE KEYEXPIRY to avoid having to log in again.
... NAS/APKG keeps its config and runs automatically (up) after a boot / reboot

Command :
... tailscale ... the tool to manage tailscaled (daemon)
... tailscale_mngt ... the tool to manage the APKG

Download :
2.0.4
x86_64 : https://www.father-mande.ovh/A/apkg/tai ... x86-64.apk
arm64 : https://www.father-mande.ovh/A/apkg/tai ... _arm64.apk
armhf : https://www.father-mande.ovh/A/apkg/tai ... .4_arm.apk

Next post : screenshot, debug, customization ... etc.
Philippe.
NB try to send it to Asustor to add in AppCentral.
Last edited by father.mande on Thu Jan 19, 2023 10:35 pm, edited 14 times in total.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

[Tailscale-native] wireguard private VPN update

Post by father.mande »

Hi,

An update will be available ... 1.32.3 to 1.32.3.1
... tailscale unchanged
... SOLVE bug: bad netfilter modules loaded (so restricted possibilities) ... true for arm64 & x86_64
... ADD option to be able to run tailscale up with a subnet
... ... --advertise-routes=10.0.0.0/24,10.0.1.0/24 (change network to your own) and --accept-routes
... ... or : --advertise-exit-node and --accept-routes
it's via command : tailscale_mngt set_t_up_options
after it's interactive ... multiple options are possible ...
... add restart argument for tailscale_mngt

Download :
use NEW link in Download section of first post.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

[Tailscale-native] wireguard private VPN (update 12/26/2022)

Post by father.mande »

Hi,

Please find the new version of the : tailscale-native APKG v 2.0
... APKG now has its own version number (2.0) independent of the tailscale version (due to the internal update mechanism for tailscale itself)

New :
... delivered with tailscale v1.34.1 BUT IT IS NOT UPDATED if version is equal or superior (internal update done before)
... add missing iptables modules for all platforms supported (arm, arm64, x86_64) to be able to use full functionality
... add possibility to select STABLE or UNSTABLE canal for internal update
... add check of current version (stable or unstable) to see if an update can be done (reflected in the tailscale.com user admin page).
... add more control to update_tailscale.sh (but always usable in batch mode or in crontab)
... add tailscale version in tailscale.conf

New tests done :
... validate subnet routing
... ... for Linux (so NAS) be sure to do a : tailscale up --accept-routes ... to be able to join any system in a subnet outside of tailscale, this must be done one time ... it's kept in the tailscale.state encoded tailscale file.
... validate use of MagicDNS to add accessibility in the tailnet using a name (fully qualified or just the name)
... ... A good idea is to change the tailscale NAS name to avoid conflict or misunderstanding on the route used, VPN or not ... default for tailscale is to use the same hostname.
... ... changing the name affects only the tailnet and has no effect on "normal" NAS usage. (for my own I just add "t-" as prefix of my NAS hostname)
... more system tests have been done with Android, Mac, router supporting Entware in complement of first tests with Windows and Linux.
... validate adding cron (root crontab) to update (if necessary) tailscale during the night (to be sure it's not in use)

Download :
In the first post of this topic.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

Re: [Tailscale-native] wireguard private VPN (update 12/30/2022)

Post by father.mande »

Hi,

After the arrival of the new A.D.M. version 4.0.6 for x86_64 NAS not able to update to 4.1
... some kernel modules (for full use of all Tailscale functionalities) are broken

Update to Tailscale-native 2.0.1 solves this (recompiled with new kernel source 5.4.x)

SO TARGET IS : x86_64 only MANDATORY for NAS using A.D.M. 4.0.5 or 4.0.6 (new kernel) and optional (nothing changed) for other x86_64 NAS with A.D.M. 4.1 & 4.2

Download link is in first post of this topic.

Philippe .
Happy new year, for you, your family and all your friends.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

Re: [Tailscale-native] wireguard private VPN (AppCentral 01/13/2023)

Post by father.mande »

Hi,

Tailscale-native 2.0.2 is available (for fresh install or update) in AppCentral

IF you use tailscale docker, please disable it before install or run ... (reverse also)

2.0.2
... bug correction release
... support ADM 4.0 up to 4.0.6 and ADM 4.1 and 4.2
... include missing kernel modules for x86_64, arm and arm64 series.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

Re: [Tailscale-native] wireguard private VPN (AppCentral 01/13/2023)

Post by father.mande »

Hi,

Tailscale-native 2.0.3 is now available (soon as an update in AppCentral)

change :
V2.0.3
... add cron for autoupdate (to be set)
... solve PATH error in auto-update for ARM family
... solve typo error loading missing iptables for 4.0 and 4.0.6
... add backup of tailscale config & credentials
... prepare support for WebUI based on script-server APKG
... solve minor bugs and typo.

NEW options in tailscale_mngt :

Code:

# tailscale_mngt
Usage
/usr/local/bin/tailscale_mngt start|stop|restart ... start, stop, or restart tailscaled
/usr/local/bin/tailscale_mngt status
/usr/local/bin/tailscale_mngt set_update_canal {STABLE|UNSTABLE} ... set tailscale update canal
/usr/local/bin/tailscale_mngt update_cmp_version ... check actual and current (tailscale.com/CANAL) version to know if update is require
/usr/local/bin/tailscale_mngt update ... update tailscale (if new version) this stop (but breakable) tailscale then restart it
/usr/local/bin/tailscale_mngt force_update ... update even oldest or same version ... ATTENTION you must know what you do
/usr/local/bin/tailscale_mngt set_cron_update ... set cron to auto update (if require) default at 4 A.M. based on tailscale.conf CRON_DATE field
/usr/local/bin/tailscale_mngt unset_cron_update ... delete cron task ... do it yourself
/usr/local/bin/tailscale_mngt set_t_up_options ... interactive set option for tailscale up
/usr/local/bin/tailscale_mngt list_myip ... list all IP of your vpn
/usr/local/bin/tailscale_mngt set_version ... used only if you update version manually outside any shell script provide based on real tailscale version
/usr/local/bin/tailscale_mngt backup_tailnet ... save conf, credentails etc. in folder /share/Public/Backup_tailscale_HOSTNAME_DATE/

If you want to quickly solve some of the problems listed above, download it directly (first post) without waiting for AppCentral availability.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
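
The update rule from this thread (the delivered tailscale replaces the installed one only when it is newer, with force_update as the explicit override), written as an added example. It is not the APKG's code, and the function names ver_cmp and should_replace are hypothetical.

```shell
#!/bin/sh
# Added example, not taken from tailscale_mngt or update_tailscale.sh.

# Compare two dotted numeric versions without relying on `sort -V`.
# Prints -1, 0 or 1 when $1 is older than, equal to, or newer than $2.
# Missing fields count as 0, so 1.34 equals 1.34.0. Returns 2 on bad input.
# The body runs in a subshell so its variables do not leak to the caller.
ver_cmp() (
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop the field just read from each string.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        case $fa$fb in
            *[!0-9]*) echo "non-numeric version field" >&2; return 2 ;;
        esac
        if [ "$fa" -lt "$fb" ]; then echo -1; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return 0; fi
    done
    echo 0
)

# Decide whether a delivered binary may replace the installed one.
# $1 installed version, $2 delivered version, $3 optional literal "force".
# Returns 0 to replace, 1 to keep the installed binary, 2 on bad input.
should_replace() {
    if [ "${3:-}" = force ]; then return 0; fi
    r=$(ver_cmp "$2" "$1") || return 2
    [ "$r" = 1 ]
}
```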

Re: [Tailscale-native] wireguard private VPN (AppCentral 01/17/2023)

Post by father.mande »

Hi,

Please DON'T upgrade ... to 2.0.3 for the moment ... due to an error on some NAS (configuration not saved)

IF YOU HAVE upgraded :
... go to tailscale web site administrators page (connected using your account)
... remove the node corresponding to the NAS upgraded to 2.0.3
then
... open a terminal (ssh) as root/your_admin_password
cd /usr/local/AppCentral/tailscale-native/bin
mv tailscale.delivery tailscale
mv tailscaled.delivery tailscaled
tailscale_mngt restart

... now you have to follow the link generated using the "tailscale 1.34+" in NAS Web admin OR run : tailscale status that displays the link to register the "new" node

Now use it or redo extra configuration (change name, routes, etc.)

Many apologies for this :cry: ... I will check as soon as possible where the error is.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T

Re: [Tailscale-native] wireguard private VPN (AppCentral 01/17/2023)

Post by father.mande »

Hi,

Update to 2.0.4 for tailscale-native
tailscale-native is against or in conflict with tailscale-docker ... docker APKG is built by a team member BUT inside not, so without the missing modules and adapted to Asustor NAS multi-architecture. Having the two is for me to avoid extra risk due to docker and package and highest insecure approach compared to a native port (especially for V.P.N.). But everyone is the master in his own castle ... so do what you want :D .

:evil: The problem with 2.0.3 was : I create a temporary folder in /usr/local suffixed with .save ... unfortunately A.D.M. AppCentral removes it between the pre-install shell (saving context before update) and the post-install shell (executed after install but before running the new version).
It's not documented ... modifying the folder name solves the problem.

2.0.3 produces an incomplete (even if working) state when you upgrade, NOT when it's a fresh install.

IMPORTANT :
In 2.0.4 you can, through the tailscale_mngt command ... set up a cron shell (executed at 4 A.M. by default), to verify and auto-update tailscale if necessary. (NO NEED TO wait for a new APKG)
THIS PERMITS KEEPING tailscale UP TO DATE ALL THE TIME automatically (channel used is STABLE or UNSTABLE based on your choice in tailscale.conf ... STABLE is the default) .

2.0.4 can be used for fresh install or upgrade (of the APKG, if the current tailscale is at the same or a higher level than the delivery).

Due to Chinese new year holidays ... AppCentral will be updated after the 30th of January .
Download links are updated in the first post of this topic.

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
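
The 2.0.3 failure described above (a save folder silently removed between the pre-install and post-install scripts), as an added example that is not the APKG's own scripts: the save step writes a checksum manifest and the restore step refuses to continue when the folder is gone or altered, so the upgrade stops with an error instead of leaving an incomplete state. The function names and directory arguments are hypothetical; only the file names tailscale.conf and tailscale.state come from the thread.

```shell
#!/bin/sh
# Added example. Directories are passed in by the caller; where the real
# APKG keeps tailscale.conf and tailscale.state is not stated in the thread.

# Pre-install side: copy the state files from $1 into $2 and record checksums.
# Fails if nothing could be saved.
save_state() (
    src=$1 dst=$2
    umask 077                      # new folder and manifest are owner-only
    mkdir -p "$dst" || exit 1
    : > "$dst/MANIFEST"
    for f in tailscale.conf tailscale.state; do
        [ -f "$src/$f" ] || continue
        cp -p "$src/$f" "$dst/$f" || exit 1   # -p keeps original mode/owner
        ( cd "$dst" && sha256sum "$f" ) >> "$dst/MANIFEST" || exit 1
    done
    [ -s "$dst/MANIFEST" ]
)

# Post-install side: restore from $1 into $2 only if the save folder survived.
# Returns 0 restored, 3 save folder or manifest missing, 4 checksum mismatch.
restore_state() (
    saved=$1 dst=$2
    [ -s "$saved/MANIFEST" ] || exit 3
    ( cd "$saved" && sha256sum -c MANIFEST >/dev/null 2>&1 ) || exit 4
    while read -r _sum name; do
        name=${name#\*}            # binary-mode lines prefix the name with '*'
        cp -p "$saved/$name" "$dst/$name" || exit 1
    done < "$saved/MANIFEST"
)
```

A post-install script would treat return codes 3 and 4 as "keep the delivered binaries and ask for a new login" rather than continuing with partial state.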