From 327982fa0b5f2a115f2c332ac70243dee2e3a301 Mon Sep 17 00:00:00 2001
From: Sam Sheridan
Date: Mon, 27 Jan 2025 15:44:53 +0000
Subject: [PATCH] security/tailscale Add option to allow tailscale to manage ssh connections (#4493)
---
 security/tailscale/Makefile | 2 +-
 security/tailscale/pkg-descr | 8 ++++++++
 .../OPNsense/Tailscale/forms/settings.xml | 14 ++++++++++++++
 .../mvc/app/models/OPNsense/Tailscale/Settings.xml | 8 ++++++++
 .../service/templates/OPNsense/Tailscale/rc.conf.d | 10 ++++++++--
 .../src/opnsense/www/js/widgets/Tailscale.js | 2 +-
 6 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/security/tailscale/Makefile b/security/tailscale/Makefile
index f762919fb..ed1eeaebb 100644
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@@ -1,5 +1,5 @@
 PLUGIN_NAME= tailscale
-PLUGIN_VERSION= 1.1
+PLUGIN_VERSION= 1.2
 PLUGIN_COMMENT= VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS= tailscale
 PLUGIN_MAINTAINER= sam@sheridan.uk
diff --git a/security/tailscale/pkg-descr b/security/tailscale/pkg-descr
index 8fe3c0ceb..0ab315c61 100644
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@@ -6,6 +6,14 @@ https://tailscale.com/
 Plugin Changelog
 ================
+1.2
+
+* add option to allow Tailscale to manage SSH connections
+* add option to disable SNAT routing (experimental)
+* fix dashboard widget always showing exit node as no
+* add login timeout (10s default) for when login server is unavailable
+ causing OPNsense to hang on boot (added by Ben Smithurst)
+
 1.1
 * add dashboard widget
diff --git a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
index 4cdef72dc..0b31a1835 100644
--- a/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/controllers/OPNsense/Tailscale/forms/settings.xml
@@ -42,4 +42,18 @@ checkbox Accept subnet routes that other nodes advertise.
+
+ settings.enableSSH
+
+ true
+ checkbox
+ Allow Tailscale to manage SSH connections in your tailnet.
+
+ settings.disableSNAT
+
+ true
+ checkbox
+ Disable source NAT to disable subnet routing (experimental).
+
diff --git a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
index 03e8526f1..39975013b 100644
--- a/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
+++ b/security/tailscale/src/opnsense/mvc/app/models/OPNsense/Tailscale/Settings.xml
@@ -28,6 +28,14 @@ 0 Y
+
+ 0
+ Y
+
+
+ 0
+ Y
+
diff --git a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
index 18f4fe2a7..e8e9e6393 100644
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@@ -3,9 +3,10 @@ #
 {% if not helpers.empty('OPNsense.tailscale.settings.enabled') %}
 tailscaled_enable="YES"
-# Uncommenting the below breaks being able to access subnets
+{% if helpers.exists('OPNsense.tailscale.settings.disableSNAT') and OPNsense.tailscale.settings.disableSNAT|default("0") == "1" %}
 # see - https://github.com/tailscale/tailscale/issues/5573#issuecomment-1584695981
-# tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"
+{% endif %}
 {% if helpers.exists('OPNsense.tailscale.settings.listenPort') %}
 tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {% endif %}
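Review bot: The `disableSNAT` help text `Disable source NAT to disable subnet routing (experimental).` does not tell the operator what changes on the wire, which is the one thing they need before enabling it: once source NAT is off, traffic that tailnet peers send into advertised subnets presumably keeps the peer's Tailscale address instead of this node's, so LAN hosts need a return route for that range and firewall rules matching subnet traffic need revisiting. I infer this from the `TS_DEBUG_NETSTACK_SUBNETS=0` line the same option toggles in the rc.conf.d hunk below, so confirm against the upstream issue linked there. I would reword the help to something like `Disable source NAT for subnet routes: LAN hosts see the peer's Tailscale address instead of this node's and need a return route (experimental).`.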
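Review bot: `tailscaled_env="TS_DEBUG_NETSTACK_SUBNETS=0"` turns a `TS_DEBUG_*` variable into a persisted, user-facing setting, and the `TS_DEBUG_` prefix marks tailscaled's internal debugging knobs rather than a supported interface, so a later tailscale package update can silently stop honouring it and SNAT returns without anything changing in the OPNsense UI. The commit also removes the old `# Uncommenting the below breaks being able to access subnets` warning, leaving only the issue URL as a hint. I would keep a comment inside the new `{% if %}` block, e.g. `# TS_DEBUG_* knobs are unsupported upstream and may stop working after a tailscale upgrade; re-check subnet reachability after each update`.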
@@ -29,6 +30,11 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {% else %}
 {% do up_args.append("--accept-dns=false") %}
 {% endif %}
+{% if helpers.exists('OPNsense.tailscale.settings.enableSSH') and OPNsense.tailscale.settings.enableSSH|default("0") == "1" %}
+{% do up_args.append("--ssh=true") %}
+{% else %}
+{% do up_args.append("--ssh=false") %}
+{% endif %}
 {% if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {% do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {% endif %}
diff --git a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
index f81dccbdb..c6fd214a6 100644
--- a/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
+++ b/security/tailscale/src/opnsense/www/js/widgets/Tailscale.js
@@ -78,7 +78,7 @@ export default class Tailscale extends BaseTableWidget {
 result['online'] = (data.Self.Online === true) ? this.translations.yes : this.translations.no;
-result['exitNode'] = (data.Self.ExitNode === true) ?
+result['exitNode'] = (data.Self.ExitNodeOption === true) ?
 this.translations.yes : this.translations.no;
 result['peerCount'] = Object.keys(data.Peer).length;
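Review bot: `--ssh=true` starts the SSH server built into tailscaled on the firewall itself, and who may log in, and as which local user, is then decided by the tailnet's ACL `ssh` rules rather than by OPNsense's own sshd settings or local authorized keys; neither the template nor the `Allow Tailscale to manage SSH connections in your tailnet.` help text in the settings.xml hunk says so, and that is the fact an administrator needs before ticking the box. I would add a comment above the new block, `# Tailscale SSH: login is authenticated and authorised by the tailnet ACL ("ssh" section), independent of the local sshd configuration`, and state the same in the form help. Appending `--ssh=false` explicitly on the else branch is the right call, since clearing the checkbox then takes effect on the next `up` instead of depending on how tailscaled treats an omitted flag. The enclosing `enabled` block and the `up_args` list start outside this hunk.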
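Review bot: `data.Self.ExitNodeOption` reports, as far as I read tailscale's status JSON, whether this node offers itself as an exit node, whereas the old `ExitNode` field is only set on the peer currently used as one, so the widget's `exitNode` row now answers a different question and the line deserves a comment: `// ExitNodeOption: this node advertises itself as an exit node (ExitNode is only set on the peer currently in use)`. Check that the `exitNode` translation string reads "advertising exit node" rather than "using exit node", otherwise the renamed field fixes the "always no" symptom but keeps a misleading label. The enclosing method continues outside the hunk; on the context line `Object.keys(data.Peer).length`, `data.Peer` can presumably be `null` when the node has no peers and would throw there, so a `data.Peer ?? {}` guard is worth a follow-up even though it is pre-existing.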