tailscale: set nftables as default

This changes the default firewall method used by Tailscale to nftables.
The 'autodetection' mode is only supported by arm64 and amd64 for now[1].
This causes mips devices to not do proper detection and incorrectly default back to
iptables.

I added a fw_mode variable to the tailscale.conf file that could be
set to iptables for easy conversion for someone still using iptables.
I was able to test on an older mips device and my current aarch64
without issues.

Also a few readme updates to bring it up to the current status.

1. https://github.com/tailscale/tailscale/blob/dc7aa98b768bf82017aa5cc82a62dd4d685f811d/util/linuxfw/linuxfw_unsupported.go#L4C58-L4C58

Signed-off-by: Tyler Young <git@yfh.addy.io>

diff --git a/net/tailscale/README.md b/net/tailscale/README.md
index eaffa57d7af5655f9b6459acecdce62931816a81..7bad0a3c3ab7d13be6eadf524113ecc71e3cf398 100644 (file)
--- a/net/tailscale/README.md
+++ b/net/tailscale/README.md
@@ -8,6 +8,8 @@ To install them run
 ```
 opkg install tailscale tailscaled
 ```
+> [!NOTE]
+> By default this package will use nftables. If you wish to use iptables, the config file `/etc/config/tailscale` can be modfied, changing the line `fw_mode 'nftables'` to `fw_mode 'iptables'`. You can then run `/etc/init.d/tailscale restart` to restart tailscale using your chosen method
 
 ## First setup
 
@@ -25,9 +27,4 @@ Run command and finish device registration with the given URL.
 tailscale up
 ```
 
-If you are running with nftables, it is not supported by tailscale,
-so disable it and configure firewall by yourself and add argument
---netfilter-mode off
-to tailscale up command to disable iptables use.
-
-After that, you should see your router in tailscale admin page.
+See the [OpenWrt wiki](https://openwrt.org/docs/guide-user/services/vpn/tailscale/start) for more detailed setup instructions

diff --git a/net/tailscale/files/tailscale.conf b/net/tailscale/files/tailscale.conf
index 194d8df4fbd5e50917848f917d045ffeebfd6f06..0261582ac0bc74209f5a22a682653fe4ea1c7088 100644 (file)
--- a/net/tailscale/files/tailscale.conf
+++ b/net/tailscale/files/tailscale.conf
@@ -3,3 +3,5 @@ config settings 'settings'
        option log_stdout '1'
        option port '41641'
        option state_file '/etc/tailscale/tailscaled.state'
+       # default to using nftables - change below to 'iptables' if still using iptables
+       option fw_mode 'nftables'
\ No newline at end of file

diff --git a/net/tailscale/files/tailscale.init b/net/tailscale/files/tailscale.init
index 7d5f52134c344d26bd886d3a73c5e260434bfbd0..5100c7ceed963043cf5fcbd5329bf08d28c46d5c 100644 (file)
--- a/net/tailscale/files/tailscale.init
+++ b/net/tailscale/files/tailscale.init
@@ -17,14 +17,16 @@ start_service() {
   config_get_bool std_err "settings" log_stderr 1
   config_get port "settings" port 41641
   config_get state_file "settings" state_file /etc/tailscale/tailscaled.state
+  config_get fw_mode "settings" fw_mode nftables
 
   /usr/sbin/tailscaled --cleanup
 
   procd_open_instance
   procd_set_param command /usr/sbin/tailscaled
 
-  # starting with v1.48.1 ENV variable is required to enable autodetection of iptables / nftables
-  procd_set_param env TS_DEBUG_FIREWALL_MODE=auto
+  # Starting with v1.48.1 ENV variable is required to enable use of iptables / nftables.
+  # Use nftables by default - can be changed to 'iptables' in tailscale config
+  procd_set_param env TS_DEBUG_FIREWALL_MODE="$fw_mode"
 
   # Set the port to listen on for incoming VPN packets.
   # Remote nodes will automatically be informed about the new port number,