security/tailscale Add option to allow tailscale to manage ssh connections (#4493)

security/tailscale/Makefile

@@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.1
+PLUGIN_VERSION=		1.2
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk

security/tailscale/pkg-descr

@@ -6,6 +6,14 @@ https://tailscale.com/
 Plugin Changelog
 ================
 
+1.2
+
+* add option to allow Tailscale to manage SSH connections
+* add option to disable SNAT routing (experimental)
+* fix dashboard widget always showing exit node as no
+* add login timeout (10s default) for when login server is unavailable
+  causing OPNsense to hang on boot (added by Ben Smithurst)
+
 1.1
 
 * add dashboard widget

security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml

@@ -42,4 +42,18 @@
         <type>checkbox</type>
         <help>Accept subnet routes that other nodes advertise.</help>
     </field>
+    <field>
+        <id>settings.enableSSH</id>
+        <label>Enable SSH</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Allow Tailscale to manage SSH connections in your tailnet.</help>
+    </field>
+    <field>
+        <id>settings.disableSNAT</id>
+        <label>Disable SNAT</label>
+        <advanced>true</advanced>
+        <type>checkbox</type>
+        <help>Disable source NAT to disable subnet routing (experimental).</help>
+    </field>
 </form>

security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml

@@ -28,6 +28,14 @@
             <default>0</default>
             <Required>Y</Required>
         </acceptSubnetRoutes>
+        <enableSSH type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </enableSSH>
+        <disableSNAT type="BooleanField">
+            <default>0</default>
+            <Required>Y</Required>
+        </disableSNAT>
         <subnets>
             <subnet4 type="ArrayField">
                 <subnet type="NetworkField">

security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d

@@ -3,9 +3,10 @@
 #
 {%  if not helpers.empty('OPNsense.tailscale.settings.enabled')  %}
 tailscaled_enable="YES"
-# Uncommenting the below breaks being able to access subnets
+{%    if helpers.exists('OPNsense.tailscale.settings.disableSNAT') and OPNsense.tailscale.settings.disableSNAT|default("0") == "1" %}
 # see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
-# tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    endif %}
@@ -29,6 +30,11 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    else %}
 {%      do up_args.append("--accept-dns=false") %}
 {%    endif %}
+{%    if helpers.exists('OPNsense.tailscale.settings.enableSSH') and OPNsense.tailscale.settings.enableSSH|default("0") == "1" %}
+{%      do up_args.append("--ssh=true") %}
+{%    else %}
+{%      do up_args.append("--ssh=false") %}
+{%    endif %}
 {%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {%    endif %}

security/tailscale/src/opnsense/www/js/widgets/Tailscale.js

@@ -78,7 +78,7 @@ export default class Tailscale extends BaseTableWidget {
         result['online'] = (data.Self.Online === true) ?
           this.translations.yes : this.translations.no;
 
-        result['exitNode'] = (data.Self.ExitNode === true) ?
+        result['exitNode'] = (data.Self.ExitNodeOption === true) ?
           this.translations.yes : this.translations.no;
 
         result['peerCount'] = Object.keys(data.Peer).length;