markpash / tailscale-sidecar
135.0 4.0 10.0 255 KB

A TCP proxy used to expose services onto a tailscale network without root. Ideal for container environments.

License: MIT License

Language: Go 100.00%
Topics: tailscale, sidecar, tailscale-network

tailscale-sidecar's Introduction

tailscale-sidecar


This program is designed to expose services onto a tailscale network without needing root. Using the tsnet package provided by tailscale, we can listen on a port on a tailscale IP and then proxy the stream to a destination. The use-case for me was running this as a sidecar container in nomad to expose services onto my tailscale network, without needing root or routing.

Currently this only supports TCP, because right now that's all I care about. I may try to make UDP work in the future.

Docker image available:

docker pull ghcr.io/markpash/tailscale-sidecar:latest

Versions of this software track the versions of upstream tailscale. Any features added to this software will be released when the next version of tailscale is released.

Usage

To use this program, it needs to be executed with a few environment variables. They are as follows:

TS_AUTHKEY
TS_SIDECAR_STATEDIR
TS_SIDECAR_NAME
TS_SIDECAR_BINDINGS

TS_AUTHKEY is now enabled for this project. You can provide this variable with a key, consult the tailscale documentation to determine the appropriate key to use. The old TS_LOGIN method still works, but it's not advised and it's not very convenient either.

TS_SIDECAR_STATEDIR is the location where the persistent data for the sidecar (the node key and login state) will be stored. This is what lets the instance restart without being re-authorised, so in a container setup you'll want to have it persisted. The default is ./tsstate, which in the Docker container (where the process runs as the nonroot user with /home/nonroot as its working directory) results in Tailscale using /home/nonroot/tsstate.

⚠ Tailscale will not use the specified state directory to store the TLS certificates. When using the Docker container, you should also mount /home/nonroot/.local/share/tailscale.

TS_SIDECAR_NAME is the hostname this program presents to the Tailscale control servers; it is the name you will see for the node in your admin panel.

TS_SIDECAR_BINDINGS is the path to the bindings file, which should be a JSON file which has contents much like what's below. The default path for bindings is /etc/ts-sidecar/bindings.json.

Configuration

Configuration should look like this:

[
    {
        "from": 443,
        "to": "127.0.0.1:8000",
        "tls": true
    }
]
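The listen-then-proxy mechanism the introduction describes, together with the bindings schema above, as an added example in Go (not the project's own code): it validates a bindings file and forwards each accepted connection to its destination, with EOF propagated per direction so neither side hangs. To stay runnable offline it uses plain net listeners on loopback; in the real sidecar the listener would come from tsnet (named in a comment as the substitution point). The names Binding, ParseBindings, proxyConn, Serve and RoundTrip, and the sample JSON, are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net"
	"sync"
)

type Binding struct {
	From int    `json:"from"`
	To   string `json:"to"`
	TLS  bool   `json:"tls"`
}

// ParseBindings rejects entries that could never be served (bad "from" port,
// "to" without an explicit host:port), before the node joins the tailnet.
func ParseBindings(data []byte) ([]Binding, error) {
	var bs []Binding
	if err := json.Unmarshal(data, &bs); err != nil {
		return nil, fmt.Errorf("bindings: %w", err)
	}
	for i, b := range bs {
		host, port, err := net.SplitHostPort(b.To)
		if err != nil || host == "" || port == "" || b.From < 1 || b.From > 65535 {
			return nil, fmt.Errorf("bindings[%d]: bad from=%d or to=%q", i, b.From, b.To)
		}
	}
	return bs, nil
}

// halfClose sends EOF one way; *net.TCPConn and tsnet's accepted conns both support it.
func halfClose(c net.Conn) {
	if cw, ok := c.(interface{ CloseWrite() error }); ok {
		cw.CloseWrite()
	}
}

// proxyConn pumps bytes both ways between an accepted conn and its destination.
func proxyConn(src net.Conn, to string) {
	defer src.Close()
	dst, err := net.Dial("tcp", to)
	if err != nil {
		log.Printf("dial %s: %v", to, err)
		return
	}
	defer dst.Close()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); io.Copy(dst, src); halfClose(dst) }()
	go func() { defer wg.Done(); io.Copy(src, dst); halfClose(src) }()
	wg.Wait()
}

// Serve accepts on ln until it is closed. In the sidecar ln would come from tsnet
// (s.Listen("tcp", ":443"), or s.ListenTLS when tls is true); any net.Listener works.
func Serve(ln net.Listener, b Binding) {
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go proxyConn(c, b.To)
	}
}

// RoundTrip runs a constructed echo backend behind a loopback proxy (standing in for
// the tailnet listener), sends msg through the proxy and returns what comes back.
func RoundTrip(msg string) (string, error) {
	backend, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer backend.Close()
	go func() {
		for c, err := backend.Accept(); err == nil; c, err = backend.Accept() {
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	front, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer front.Close()
	go Serve(front, Binding{From: 443, To: backend.Addr().String()})
	c, err := net.Dial("tcp", front.Addr().String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.Write([]byte(msg))
	halfClose(c) // our EOF walks through the proxy to the backend and back again
	out, err := io.ReadAll(c)
	return string(out), err
}

func main() {
	// Constructed bindings.json content, not a file from the project.
	bs, err := ParseBindings([]byte(`[{"from": 443, "to": "127.0.0.1:8000", "tls": true}]`))
	out, rtErr := RoundTrip("hello from the tailnet")
	fmt.Printf("bindings=%d err=%v echoed=%q err=%v\n", len(bs), err, out, rtErr)
}
```

Two things worth keeping in mind when writing a bindings file. The "to" address is dialled from the sidecar's own network namespace, so 127.0.0.1:8000 only reaches the service if the sidecar shares that namespace with it (the usual sidecar arrangement). And the "from" port is reachable by every tailnet peer that the tailnet ACL allows to reach this node on that port; the proxy itself does no authentication, so the ACL is the authorization layer.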

Disclaimer

THIS IS NOT OFFICIALLY ENDORSED BY TAILSCALE.

I thought I should put that there just in case someone thought it may be a tailscale product. I'm also not responsible for any of the bad things that might happen as a result of using this software. It works for me but maybe not for you.

tailscale-sidecar's People

Contributors

jlelse, markpash, sinegar

tailscale-sidecar's Issues

Investigate TCP proxy from non-tailnet to tailnet

A little while ago, the tsnet package incorporated the ability to Dial into the tailnet. This unlocks a whole new set of features to be implemented.

One of these features is the ability to listen on non-tailnet interfaces/addresses and proxy all accepted connections to an address:port on the tailnet.

I'm not sure how I would implement this in our bindings structure, so I'm thinking I'll have to redo the structure of the configuration file.

tsnet: open tsstate/tailscaled.state: permission denied

For some reason tsnet can't create files in the default state folder: tsnet: open tsstate/tailscaled.state.tmp1170394514: permission denied
It still panics with both named volumes and a local binding.
However, if you try to use the home folder for the state (TS_SIDECAR_STATEDIR: . & - tsstate:/home/nonroot), it works nicely

Part of the docker-compose.yml:

  sidecar:
    image: "ghcr.io/markpash/tailscale-sidecar"
    environment:
      TS_AUTHKEY: tskey-ke9WLg5CNTRL-jdE98Dyg8KiRrrBjnzLQZR
      TS_SIDECAR_NAME: proxima-main
    volumes:
      - ./bindings.json:/etc/ts-sidecar/bindings.json
      # both these don't work
      #- tsstate:/home/nonroot/tsstate
      #- ./state:/home/nonroot/tsstate
Logs

tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) tun device
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) OS network configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] using fake (no-op) DNS configurator
tgs-sidecar-1 | 2022/09/30 15:48:28 dns: using dns.noopManager
tgs-sidecar-1 | 2022/09/30 15:48:28 link state: interfaces.State{defaultRoute=eth0 ifs={eth0:[172.19.0.2/16]} v4=true v6=false}
tgs-sidecar-1 | 2022/09/30 15:48:28 magicsock: disco key = d:86b7c08b46a052b2
tgs-sidecar-1 | 2022/09/30 15:48:28 Creating wireguard device...
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing wireguard device up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] UDP bind has been updated
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Interface state was Down, requested Up, now Up
tgs-sidecar-1 | 2022/09/30 15:48:28 Bringing router up...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Up: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Clearing router settings...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v4 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 [v1] warning: fakeRouter.Set: not implemented.
tgs-sidecar-1 | 2022/09/30 15:48:28 Starting link monitor...
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming v6 - started
tgs-sidecar-1 | 2022/09/30 15:48:28 Engine created.
tgs-sidecar-1 | 2022/09/30 15:48:28 [v2] Routine: receive incoming receiveDERP - started
tgs-sidecar-1 | 2022/09/30 15:48:28 tsnet: open tsstate/tailscaled.state.tmp23198575: permission denied
tgs-sidecar-1 exited with code 0

Add ability to start a http_proxy/socks5 proxy

Now that tsnet gives us the ability to Dial, and the tailscaled codebase itself already contains code to create these proxies, it should simply be a case of copying the code and making it work in the sidecar.
(We need to copy because the code that does this is unexported in cmd/tailscaled.)

I created a proof-of-concept to see if it works with tsnet and everything worked well with both proxy kinds.

Just need to make sure that the copied code is properly attributed, contains the copyright notices and comes with the license.
