Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

os-tailscale: Static routes related to Tailscale don't survive a reboot #4434

Open
3 tasks done
Leseratte10 opened this issue Dec 30, 2024 · 2 comments
Open
3 tasks done

os-tailscale: Static routes related to Tailscale don't survive a reboot #4434

Leseratte10 opened this issue Dec 30, 2024 · 2 comments

Comments

@Leseratte10
Copy link

Leseratte10 commented Dec 30, 2024
edited
Loading

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
If I add a route pointing to a gateway that's within the Tailscale network, OPNsense lets me add that route just fine, and the route works.

After a reboot however, the route is not added to the OS routing table. A "netstat -rn" doesn't show it, while it does still show up in the WebUI under Routes -> Configuration

To Reproduce
Steps to reproduce the behavior:

  1. Setup tailscale plugin
  2. Go to System -> Gateways -> Configuration and add a new gateway with a Tailscale IPv4 or IPv6 (select the Tailscale interface)
  3. Go to System -> Routes -> Configuration and add a new route that routes a random subnet (like 2001:db8::/32 or 10.0.0.0/8) to said gateway.
  4. Notice that the route is created and works properly.
  5. Reboot the system.
  6. Notice that the route no longer works.

Expected behavior
A static route pointing to a host inside the tailnet survives a reboot.

Additional context
I'd assume that maybe the route to the tailscale network itself is set up too late during the boot process so the system can't yet create the static route pointing to the tailscale host as gateway?

Environment

OPNsense 24.7.11_2
os-tailscale 1.0 (I can see that there's an 1.1 in the changelog but I'm unsure on how to install that, the WebUI only shows 1.0. Looking through the changes between 1.0 and 1.1, I'd say 1.1 does not fix this issue).
@sheridans
Copy link
Contributor

Routing is controller by Tailscale, so if you advertise the routes from the remote device tailscale should pick them up?

@Leseratte10
Copy link
Author

Yes, it will probably do that. But that requires me to set up these routes through Tailscale which has security implications.

Say one of the devices in my tailscale network gets hacked (or the Tailscale server itself) then it could start advertising a route for a random subnet and OpnSense would then route that subnet to this device.

I would rather have the source (OpnSense) control which traffic is sent to another node, just like in classic networking. So I can turn "Accept Subnet Routes" off and create my own routes sending traffic through Tailscale. Which does seem to work in its current configuration, it's just that these routes aren't correctly reapplied at reboot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Leseratte10 @sheridans