From f45767b6a6dd476b4f262b2bd5734deae8fbcc98 Mon Sep 17 00:00:00 2001
From: Ben Smithurst <low.dusk0860@hdme.uk>
Date: Mon, 27 Jan 2025 15:33:29 +0000
Subject: [PATCH 1/6] security/tailscale: make login timeout (tailscale up
 --timeout parameter) configurable (#4490)

---
 .../controllers/OPNsense/Tailscale/forms/settings.xml    | 9 ++++++++-
 .../mvc/app/models/OPNsense/Tailscale/Settings.xml       | 4 ++++
 .../service/templates/OPNsense/Tailscale/rc.conf.d       | 1 +
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 38d929de3..e2e14c102 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -5,10 +5,17 @@
         <type>checkbox</type>
         <help>This will activate the Tailscale service.</help>
     </field>
+    <field>
+        <id>settings.loginTimeout</id>
+        <label>Login timeout</label>
+        <type>text</type>
+        <advanced>true</advanced>
+        <help>Maximum time to wait for successful login, in seconds. Set to 0 to wait indefinitely, however this may prevent OPNsense booting completely if the Tailscale control plane is unavailable. Default is 10 seconds.</help>
+    </field>
     <field>
         <id>settings.listenPort</id>
         <label>Listen Port</label>
-	<type>text</type>
+        <type>text</type>
         <help>UDP port to listen on for WireGuard and peer-to-peer traffic.</help>
     </field>
     <field>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index e23c5d4a6..82bd86a96 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -6,6 +6,10 @@
             <default>0</default>
             <Required>Y</Required>
         </enabled>
+        <loginTimeout type="IntegerField">
+            <default>10</default>
+            <Required>Y</Required>
+        </loginTimeout>
         <listenPort type="PortField">
             <default>41641</default>
             <Required>Y</Required>
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 500a34c52..6d1632304 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -10,6 +10,7 @@ tailscaled_enable="YES"
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
 {%    set up_args = [] %}
+{%      do up_args.append("--timeout=" + OPNsense.tailscale.settings.loginTimeout + "s") %}
 {%    if helpers.exists('OPNsense.tailscale.settings.advertiseExitNode') and OPNsense.tailscale.settings.advertiseExitNode|default("0") == "1" %}
 {%      do up_args.append("--advertise-exit-node") %}
 {%    else %}

From 4dce2f33d91660dd218bd4c2d34e53ca4266fd51 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:34:42 +0100
Subject: [PATCH 2/6] security/tailscale: add a version (and bump it)

---
 .../src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 82bd86a96..2ca43451b 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -1,6 +1,7 @@
 <model>
     <mount>//OPNsense/tailscale/settings</mount>
     <description>Tailscale general settings</description>
+    <version>1.0.1</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 068f22ce541fc010ef96405434c1689295dc08b1 Mon Sep 17 00:00:00 2001
From: Ben Smithurst <low.dusk0860@hdme.uk>
Date: Mon, 27 Jan 2025 15:39:36 +0000
Subject: [PATCH 3/6] security/tailscale: Allow use of an exit node (#4438)

---
 .../OPNsense/Tailscale/forms/settings.xml     |  6 ++++
 .../Tailscale/FieldTypes/ExitNodeField.php    | 31 +++++++++++++++++++
 .../models/OPNsense/Tailscale/Settings.xml    |  1 +
 .../views/OPNsense/Tailscale/settings.volt    |  1 +
 .../app/views/OPNsense/Tailscale/status.volt  | 10 ++++++
 .../templates/OPNsense/Tailscale/rc.conf.d    |  3 ++
 6 files changed, 52 insertions(+)
 create mode 100644 security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php

diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index e2e14c102..4cdef72dc 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -30,6 +30,12 @@
         <type>checkbox</type>
         <help>Offer to be an exit node for outbound internet traffic from the Tailscale network.</help>
     </field>
+    <field>
+        <id>settings.useExitNode</id>
+        <label>Use Exit Node</label>
+        <type>dropdown</type>
+        <help>Route traffic to the specified exit node. Note that this only affects traffic routed into your Tailscale interface, which you will have to configure separately using firewall rules and hybrid outbound NAT rules.</help>
+    </field>
     <field>
         <id>settings.acceptSubnetRoutes</id>
         <label>Accept Subnet Routes</label>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
new file mode 100644
index 000000000..f886f6069
--- /dev/null
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/FieldTypes/ExitNodeField.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace OPNsense\Tailscale\FieldTypes;
+
+use OPNsense\Base\FieldTypes\BaseListField;
+use OPNsense\Core\Backend;
+
+class ExitNodeField extends BaseListField
+{
+    private static array $internalCacheOptionList = [];
+    protected $internalIsContainer = false;
+
+    protected function actionPostLoadingEvent()
+    {
+        if (empty(self::$internalCacheOptionList)) {
+            $response = json_decode(trim((new Backend())->configdRun('tailscale tailscale-status')), true);
+            $exitNodes = ['' => gettext('None')];
+
+            if (is_array($response) && array_key_exists('Peer', $response) && is_array($response['Peer'])) {
+                foreach ($response['Peer'] as $peer) {
+                    if ($peer['ExitNodeOption']) {
+                        $exitNodes[$peer['TailscaleIPs'][0]] = $peer['HostName'];
+                    }
+                }
+            }
+
+            self::$internalCacheOptionList = $exitNodes;
+        }
+        $this->internalOptionList = self::$internalCacheOptionList;
+    }
+}
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 2ca43451b..e6d8f962e 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -23,6 +23,7 @@
             <default>0</default>
             <Required>Y</Required>
         </advertiseExitNode>
+        <useExitNode type=".\ExitNodeField"/>
         <acceptSubnetRoutes type="BooleanField">
             <default>0</default>
             <Required>Y</Required>
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
index aee1bd69f..e5141b0fc 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/settings.volt
@@ -1,6 +1,7 @@
 <script type="text/javascript">
     $( document ).ready(function() {
         mapDataToFormUI({'frmSettings':"/api/tailscale/settings/get"}).done(function(data) {
+            $('.selectpicker').selectpicker('refresh');
             updateServiceControlUI('tailscale');
         });
 
diff --git a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
index 3ff2c208b..636606322 100644
--- a/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
+++ b/security/tailscale/src/opnsense/mvc/app/views/OPNsense/Tailscale/status.volt
@@ -76,6 +76,16 @@
                                 return true;
                             }
 
+                            if (key == 'ExitNodeStatus') {
+                                var newValue = value.TailscaleIPs[0];
+                                if (value.Online) {
+                                    newValue += ' (online)';
+                                } else {
+                                    newValue += ' (offline)';
+                                }
+                                value = newValue;
+                            }
+
                             $('#statusList > tbody').append('<tr><td>' + key + '</td>' +
                             '<td>' + value + '</td></tr>');
                         });
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 6d1632304..18f4fe2a7 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -16,6 +16,9 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    else %}
 {%      do up_args.append("--advertise-exit-node=false") %}
 {%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.useExitNode') %}
+{%      do up_args.append("--exit-node=" + OPNsense.tailscale.settings.useExitNode) %}
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.settings.acceptSubnetRoutes') and OPNsense.tailscale.settings.acceptSubnetRoutes|default("0") == "1" %}
 {%      do up_args.append("--accept-routes") %}
 {%    else %}

From d17828a2ced2f959e17d866b2d0bce3ef5c23f6e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:43:21 +0100
Subject: [PATCH 4/6] security/tailscale: the default seems 0.0.0 so we can use
 1.0.0

---
 .../src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index e6d8f962e..03e8526f1 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/tailscale/settings</mount>
     <description>Tailscale general settings</description>
-    <version>1.0.1</version>
+    <version>1.0.0</version>
     <items>
         <enabled type="BooleanField">
             <default>0</default>

From 327982fa0b5f2a115f2c332ac70243dee2e3a301 Mon Sep 17 00:00:00 2001
From: Sam Sheridan <sheridans@users.noreply.github.com>
Date: Mon, 27 Jan 2025 15:44:53 +0000
Subject: [PATCH 5/6] security/tailscale Add option to allow tailscale to
 manage ssh connections (#4493)

---
 security/tailscale/Makefile                        |  2 +-
 security/tailscale/pkg-descr                       |  8 ++++++++
 .../OPNsense/Tailscale/forms/settings.xml          | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Tailscale/Settings.xml |  8 ++++++++
 .../service/templates/OPNsense/Tailscale/rc.conf.d | 10 ++++++++--
 .../src/opnsense/www/js/widgets/Tailscale.js       |  2 +-
 6 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index f762919fb..ed1eeaebb 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 8fe3c0ceb..0ab315c61 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,14 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.2
+
+* add option to allow Tailscale to manage SSH connections
+* add option to disable SNAT routing (experimental)
+* fix dashboard widget always showing exit node as no
+* add login timeout (10s default) for when login server is unavailable
+  causing OPNsense to hang on boot (added by Ben Smithurst)
+
 1.1
 
 * add dashboard widget
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 4cdef72dc..0b31a1835 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -42,4 +42,18 @@
         <type>checkbox</type>
         <help>Accept subnet routes that other nodes advertise.</help>
     </field>
+    <field>
+        <id>settings.enableSSH</id>
+        <label>Enable SSH</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Allow Tailscale to manage SSH connections in your tailnet.</help>
+    </field>
+    <field>
+        <id>settings.disableSNAT</id>
+        <label>Disable SNAT</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Disable source NAT to disable subnet routing (experimental).</help>
+    </field>
 </form>
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 03e8526f1..39975013b 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -28,6 +28,14 @@
             <default>0</default>
             <Required>Y</Required>
         </acceptSubnetRoutes>
+        <enableSSH type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enableSSH>
+        <disableSNAT type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </disableSNAT>
         <subnets>
             <subnet4 type="ArrayField">
                 <subnet type="NetworkField">
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 18f4fe2a7..e8e9e6393 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -3,9 +3,10 @@
 #
 {%  if not helpers.empty('OPNsense.tailscale.settings.enabled')  %}
 tailscaled_enable="YES"
-# Uncommenting the below breaks being able to access subnets
+{%    if helpers.exists('OPNsense.tailscale.settings.disableSNAT') and OPNsense.tailscale.settings.disableSNAT|default("0") == "1" %}
 # see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
-# tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
@@ -29,6 +30,11 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    else %}
 {%      do up_args.append("--accept-dns=false") %}
 {%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.enableSSH') and OPNsense.tailscale.settings.enableSSH|default("0") == "1" %}
+{%      do up_args.append("--ssh=true") %}
+{%    else %}
+{%      do up_args.append("--ssh=false") %}
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {%    endif %}
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
index f81dccbdb..c6fd214a6 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -78,7 +78,7 @@ export default class Tailscale extends BaseTableWidget {
         result['online'] = (data.Self.Online === true) ?
           this.translations.yes : this.translations.no;
 
-        result['exitNode'] = (data.Self.ExitNode === true) ?
+        result['exitNode'] = (data.Self.ExitNodeOption === true) ?
           this.translations.yes : this.translations.no;
 
         result['peerCount'] = Object.keys(data.Peer).length;

From 232fd8b20ca16e1c5a6d8b08a20827fcfb3a22f0 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Mon, 27 Jan 2025 16:46:29 +0100
Subject: [PATCH 6/6] security/tailscale: change changelog

---
 security/tailscale/pkg-descr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 0ab315c61..54639ddb9 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -10,9 +10,9 @@ Plugin Changelog
 
 * add option to allow Tailscale to manage SSH connections
 * add option to disable SNAT routing (experimental)
+* add login timeout (10s default) for when login server is unavailable causing OPNsense to hang on boot (contributed by Ben Smithurst)
+* add exit node option (contributed by Ben Smithurst)
 * fix dashboard widget always showing exit node as no
-* add login timeout (10s default) for when login server is unavailable
-  causing OPNsense to hang on boot (added by Ben Smithurst)
 
 1.1