diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index f762919fb..ed1eeaebb 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= tailscale
-PLUGIN_VERSION= 1.1
+PLUGIN_VERSION= 1.2
PLUGIN_COMMENT= VPN mesh securely connecting clients using WireGuard
PLUGIN_DEPENDS= tailscale
PLUGIN_MAINTAINER= sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 8fe3c0ceb..54639ddb9 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,14 @@ https://tailscale.com/
Plugin Changelog
================
+1.2
+
+* add option to allow Tailscale to manage SSH connections
+* add option to disable SNAT routing (experimental)
+* add login timeout (10s default) for when login server is unavailable causing OPNsense to hang on boot (contributed by Ben Smithurst)
+* add exit node option (contributed by Ben Smithurst)
+* fix dashboard widget always showing exit node as no
+
1.1
* add dashboard widget
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 38d929de3..0b31a1835 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -5,10 +5,17 @@
checkbox
This will activate the Tailscale service.
+
+ settings.loginTimeout
+
+ text
+ true
+ Maximum time to wait for successful login, in seconds. Set to 0 to wait indefinitely, however this may prevent OPNsense booting completely if the Tailscale control plane is unavailable. Default is 10 seconds.
+
settings.listenPort
- text
+ text
UDP port to listen on for WireGuard and peer-to-peer traffic.
@@ -23,10 +30,30 @@
checkbox
Offer to be an exit node for outbound internet traffic from the Tailscale network.
+
+ settings.useExitNode
+
+ dropdown
+ Route traffic to the specified exit node. Note that this only affects traffic routed into your Tailscale interface, which you will have to configure separately using firewall rules and hybrid outbound NAT rules.
+
settings.acceptSubnetRoutes
checkbox
Accept subnet routes that other nodes advertise.
+
+ settings.enableSSH
+
+ true
+ checkbox
+ Allow Tailscale to manage SSH connections in your tailnet.
+
+
+ settings.disableSNAT
+
+ true
+ checkbox
+ Disable source NAT to disable subnet routing (experimental).
+
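Review bot: The help text for `settings.enableSSH` understates what the checkbox does on a firewall. If it maps to Tailscale SSH (`tailscale up --ssh`, not visible in this hunk), shell access to this host is then authorized by the tailnet access policy rather than by the OPNsense Secure Shell settings. I would say so in the help, e.g. `Let Tailscale accept and authorize SSH connections to this firewall according to the tailnet access policy; this is independent of the OPNsense Secure Shell settings.` The `settings.disableSNAT` help is also misleading: disabling source NAT presumably leaves subnet routing on and only stops rewriting the source address, so the text could read `Do not source-NAT traffic forwarded to advertised subnet routes; hosts on those subnets then need a return route to the tailnet (experimental).`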
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
new file mode 100644
index 000000000..f886f6069
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
@@ -0,0 +1,31 @@
+configdRun('tailscale tailscale-status')), true);
+ $exitNodes = ['' => gettext('None')];
+
+ if (is_array($response) && array_key_exists('Peer', $response) && is_array($response['Peer'])) {
+ foreach ($response['Peer'] as $peer) {
+ if ($peer['ExitNodeOption']) {
+ $exitNodes[$peer['TailscaleIPs'][0]] = $peer['HostName'];
+ }
+ }
+ }
+
+ self::$internalCacheOptionList = $exitNodes;
+ }
+ $this->internalOptionList = self::$internalCacheOptionList;
+ }
+}
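Review bot: The peer loop reads `$peer['ExitNodeOption']`, `$peer['TailscaleIPs'][0]` and `$peer['HostName']` without checking that they exist. A status entry missing `ExitNodeOption` or `HostName` raises PHP warnings. One that is flagged as an exit node but has no `TailscaleIPs` ends up with a null key, which PHP casts to `''`, replacing the 'None' option. I would skip such entries with `if (empty($peer['ExitNodeOption']) || empty($peer['TailscaleIPs'][0])) { continue; }` and fall back on the label with `$peer['HostName'] ?? $peer['TailscaleIPs'][0]`. `HostName` is reported by the peer itself, so the label is data from another node; it is worth confirming that the dropdown rendering escapes option labels. The class header and the start of this method are not visible on this page, so whether the decoded response is already validated there cannot be told from here.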
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index e23c5d4a6..39975013b 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -1,11 +1,16 @@
//OPNsense/tailscale/settings
Tailscale general settings
+ 1.0.0
0
Y
+
+ 10
+ Y
+
41641
Y
@@ -18,10 +23,19 @@
0
Y
+
0
Y
+
+ 0
+ Y
+
+
+ 0
+ Y
+
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
index aee1bd69f..e5141b0fc 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
@@ -1,6 +1,7 @@