optimize & bump version

2025-05-06 21:55:26 +08:00
parent 56d7f27266
commit 288fcc8d60
11 changed files with 635 additions and 544 deletions
--- a/root/etc/config/tailscale
+++ b/root/etc/config/tailscale
@@ -1,2 +1,43 @@
 config tailscale 'settings'
-	option enabled '0'
+	# Set whether Tailcale is enabled or not
+	option enabled '0'
+	# Set the port to listen on for incoming Tailscale packets (default 41641)
+	option port '41641'
+	# Path to config file
+	option config_path '/etc/tailscale'
+	# Default to using nftables - change below to 'iptables' if still using iptables
+	option fw_mode 'nftables'
+	# Enable stdout log
+	option log_stdout '1'
+	# Enable stderr log
+	option log_stderr '1'
+	# Accept subnet routes that other nodes advertise
+	#option accept_routes '1'
+	# Provide a hostname to use for the device instead of the one provided by the OS
+	#option hostname ''
+	# Accept DNS configuration from the admin console. (default accept)
+	option accept_dns '1'
+	# Offer to be an exit node for outbound internet traffic from the Tailscale network
+	#option advertise_exit_node '1'
+	# Provide a Tailscale IP or machine name to use as an exit node
+	#option exit_node ''
+	# Expose physical subnet routes to your entire Tailscale network (e.g. 10.0.0.0/24)
+	#list advertise_routes ''
+	# Set to '1' to disable subnet route masquerading
+	#option disable_snat_subnet_routes '1'
+	# To connect subnets within your tailnet (e.g. 192.168.1.0/24)
+	# Documentation https://tailscale.com/kb/1214/site-to-site
+	#list subnet_routes ''
+	# Set firewall zone (ts_ac_lan: Tailscale access LAN, ts_ac_wan: Tailscale access WAN:, lan_ac_ts: LAN access Tailscale, wan_ac_ts: WAN access Tailscale)
+	# Documentation https://openwrt.org/docs/guide-user/services/vpn/tailscale/start
+	#list access 'ts_ac_lan'
+	#list access 'ts_ac_wan'
+	#list access 'lan_ac_ts'
+	#list access 'wan_ac_ts'
+	# Set extra flags for enabling settings upon the initiation of Tailscale
+	# Documentation https://tailscale.com/kb/1241/tailscale-up
+	#list flags ''
+	# Provide the base URL of a custom server instead of https://controlplane.tailscale.com
+	#option login_server ''
+	# Set auth Key of custom server
+	#option authkey ''
--- a/root/etc/init.d/tailscale
+++ b/root/etc/init.d/tailscale
@@ -4,7 +4,7 @@ START=90

 USE_PROCD=1

-PROG=/usr/sbin/tailscale
+PROG=/usr/sbin/tailscale_helper
 PROGD=/usr/sbin/tailscaled
 CONFIG_PATH=/var/lib/tailscale

@@ -18,166 +18,60 @@ section_enabled() {
 	[ $enabled -gt 0 ]
 }

-custom_instance() {
+tailscale_helper() {
 	local cfg="$1"
-	local acceptRoutes hostname acceptDNS advertiseExitNode exitNode advertiseRoutes s2s subnetRoutes flags loginServer authkey std_out std_err
-	local ARGS=" up --reset"
+	local accept_routes hostname accept_dns advertise_exit_node exit_node advertise_routes disable_snat_subnet_routes subnet_routes access flags login_server authkey std_out std_err

-	if ! section_enabled "$cfg"; then
-		echo "disabled in config"
-		return 1
-	fi
-
-	config_get_bool acceptRoutes $cfg 'acceptRoutes'
+	config_get_bool accept_routes $cfg 'accept_routes'
 	config_get hostname $cfg 'hostname'
-	config_get_bool acceptDNS $cfg 'acceptDNS'
-	config_get_bool advertiseExitNode $cfg 'advertiseExitNode'
-	config_get exitNode $cfg 'exitNode'
-	config_get advertiseRoutes $cfg 'advertiseRoutes'
-	config_get_bool s2s $cfg 's2s'
+	config_get_bool accept_dns $cfg 'accept_dns'
+	config_get_bool advertise_exit_node $cfg 'advertise_exit_node'
+	config_get exit_node $cfg 'exit_node'
+	config_get advertise_routes $cfg 'advertise_routes'
+	config_get_bool disable_snat_subnet_routes $cfg 'disable_snat_subnet_routes'
+	config_get subnet_routes $cfg 'subnet_routes'
+	config_get access $cfg 'access'
 	config_get flags $cfg 'flags'
-	config_get loginServer $cfg 'loginServer'
+	config_get login_server $cfg 'login_server'
 	config_get authkey $cfg 'authkey'
 	config_get_bool std_out $cfg 'log_stdout'
 	config_get_bool std_err $cfg 'log_stderr'

-	[ "$acceptRoutes" = "1" ] && ARGS="$ARGS --accept-routes=true"
-	[ -n "$hostname" ] && ARGS="$ARGS --hostname=$hostname"
-	[ "$acceptDNS" = "0" ] && ARGS="$ARGS --accept-dns=false"
-	[ "$advertiseExitNode" = "1" ] && ARGS="$ARGS --advertise-exit-node"
-	[ -n "$exitNode" ] && ARGS="$ARGS --exit-node=$exitNode --exit-node-allow-lan-access=true"
-	[ -n "$advertiseRoutes" ] && ARGS="$ARGS --advertise-routes=$(echo $advertiseRoutes | tr ' ' ',')"
-	[ "$s2s" = "1" ] && ARGS="$ARGS --snat-subnet-routes=false"
-	[ -n "$flags" ] && ARGS="$ARGS $flags"
-	[ -n "$loginServer" ] && ARGS="$ARGS --login-server=$loginServer"
-	[ -n "$authkey" ] && ARGS="$ARGS --authkey=$authkey"
-
 	procd_open_instance
-	procd_set_param command $PROG $ARGS
+	procd_set_param command $PROG
+
+	[ "$accept_routes" = "1" ] && procd_append_param command --accept-routes=true
+	[ -n "$hostname" ] && procd_append_param command --hostname="$hostname"
+	[ "$accept_dns" = "0" ] && procd_append_param command --accept-dns=false
+	[ "$advertise_exit_node" = "1" ] && procd_append_param command --advertise-exit-node
+	[ -n "$exit_node" ] && {
+		procd_append_param command --exit-node="$exit_node"
+		procd_append_param command --exit-node-allow-lan-access=true
+	}
+	[ -n "$advertise_routes" ] && procd_append_param command --advertise-routes="$(echo $advertise_routes | tr ' ' ',')"
+	[ "$disable_snat_subnet_routes" = "1" ] && procd_append_param command --snat-subnet-routes=false
+	[ -n "$flags" ] && procd_append_param command $flags
+	[ -n "$login_server" ] && procd_append_param command --login-server="$login_server"
+	[ -n "$authkey" ] && procd_append_param command --authkey="$authkey"
+
+	procd_set_param env \
+		ACCEPT_DNS="$accept_dns" \
+		EXIT_NODE="$exit_node" \
+		SUBNET_ROUTES="$subnet_routes" \
+		ACCESS="$access"
+
+	procd_set_param respawn
 	procd_set_param stdout "$std_out"
 	procd_set_param stderr "$std_err"
 	procd_close_instance
-	(
-		[ -f "/var/run/tailscale.wait.pid" ] && return
-		touch /var/run/tailscale.wait.pid
-		count=0
-		while [ -z "$(ifconfig | grep 'tailscale' | awk '{print $1}')" ] || [ -z "$(tailscale ip -4)" ]
-		do
-			sleep 2
-			let count++
-			[ "${count}" -ge 5 ] && { rm /var/run/tailscale.wait.pid; exit 19; }
-		done
-
-		if [ "$acceptDNS" = "1" ]; then
-			MagicDNSSuffix=$(tailscale status --json | awk -F'"' '/"MagicDNSSuffix"/ {last=$(NF-1)} END {print last}')
-			sed -i '/100.100.100.100/d' /etc/dnsmasq.conf
-			echo "server=/$MagicDNSSuffix/100.100.100.100" >> /etc/dnsmasq.conf
-			/etc/init.d/dnsmasq reload
-		fi
-
-		ts0=$(ifconfig | grep 'tailscale' | awk '{print $1}')
-		if [ -z "$(uci -q get network.tailscale)" ];  then				
-			uci set network.tailscale='interface'
-			if [ "$ts0" = *$'\n'* ]; then
-				uci set network.ts_lan='device'
-				uci set network.ts_lan.type='bridge'
-				uci set network.ts_lan.name='ts-lan'
-				for port in "${ts0}"; do
-					uci add_list network.ts_lan.ports=$port
-				done
-				uci set network.tailscale.proto='none'
-				uci set network.tailscale.device='ts-lan'
-			else
-				ts_ip=$(tailscale ip -4)
-				uci set network.tailscale.proto='static'
-				uci set network.tailscale.ipaddr=$ts_ip
-				uci set network.tailscale.netmask='255.0.0.0'
-				uci set network.tailscale.device=$ts0
-			fi
-		fi
-
-		lan2wan=$(uci show firewall | grep "firewall.@forwarding\[[0-9]\+\]\.src='lan'" -B 1 -A 1 | grep "firewall.@forwarding\[[0-9]\+\]\.dest='wan'" | grep -o '[0-9]\+')
-		if [ -n "$exitNode" ];  then
-			uci set firewall.@defaults[0].forward='REJECT'
-			[ -n $lan2wan ] && uci set firewall.@forwarding[$lan2wan].enabled='0'
-		else
-			uci -q delete firewall.@forwarding[$lan2wan].enabled
-		fi
-
-		config_get subnetRoutes $cfg 'subnetRoutes'
-		if [ -n "$subnetRoutes" ];  then
-			i=1
-			ts_ip=$(tailscale ip -4)
-			for route in $subnetRoutes; do
-				uci set network.ts_subnet$i='route'
-				uci set network.ts_subnet$i.interface='tailscale'
-				uci set network.ts_subnet$i.target=$route
-				uci set network.ts_subnet$i.gateway=$ts_ip
-				let i++
-			done
-		else
-			for route in $(uci show network | grep 'network.ts_subnet[0-9]\+=route' | grep -o 'network.ts_subnet[0-9]\+'); do
-				uci -q delete $route
-			done
-		fi
-
-		config_get access $cfg 'access'
-		if [ -n "$access" ];  then
-			if [ -z "$(uci -q get firewall.tszone)" ];  then
-				uci set firewall.tszone='zone'
-				uci set firewall.tszone.input='ACCEPT'
-				uci set firewall.tszone.output='ACCEPT'
-				uci set firewall.tszone.forward='ACCEPT'
-				uci set firewall.tszone.masq='1'
-				uci set firewall.tszone.mtu_fix='1'
-				uci set firewall.tszone.name='tailscale'
-				uci set firewall.tszone.network='tailscale'
-			fi
-		else
-			uci -q delete firewall.tszone
-		fi
-		if [ "${access//tsfwlan/}" != "$access" ]; then
-			uci set firewall.tsfwlan=forwarding
-			uci set firewall.tsfwlan.dest='lan'
-			uci set firewall.tsfwlan.src='tailscale'
-		else
-			uci -q delete firewall.tsfwlan
-		fi
-		if [ "${access//tsfwwan/}" != "$access" ]; then
-			uci set firewall.tsfwwan=forwarding
-			uci set firewall.tsfwwan.dest='wan'
-			uci set firewall.tsfwwan.src='tailscale'
-		else
-			uci -q delete firewall.tsfwwan
-		fi
-		if [ "${access//lanfwts/}" != "$access" ]; then
-			uci set firewall.lanfwts=forwarding
-			uci set firewall.lanfwts.dest='tailscale'
-			uci set firewall.lanfwts.src='lan'
-		else
-			uci -q delete firewall.lanfwts
-		fi
-		if [ "${access//wanfwts/}" != "$access" ]; then
-			uci set firewall.wanfwts=forwarding
-			uci set firewall.wanfwts.dest='tailscale'
-			uci set firewall.wanfwts.src='wan'
-		else
-			uci -q delete firewall.wanfwts
-		fi
-
-		[ -n "$(uci changes network)" ] && uci commit network && /etc/init.d/network reload
-		[ -n "$(uci changes firewall)" ] && uci commit firewall && /etc/init.d/firewall reload
-		rm /var/run/tailscale.wait.pid
-	) &
 }

 start_instance() {
 	local cfg="$1"
 	local port config_path fw_mode std_out std_err state_file
-	local ARGS=""

 	if ! section_enabled "$cfg"; then
-		echo "disabled in config"
+		echo "disabled in /etc/config/tailscale"
 		return 1
 	fi

@@ -189,38 +83,40 @@ start_instance() {

 	[ -d $config_path ] || mkdir -p $config_path
 	[ -d $CONFIG_PATH ] || mkdir -p $CONFIG_PATH
-	state_file=$config_path/tailscaled.state
+	state_file="$config_path/tailscaled.state"
 	
 	/usr/sbin/tailscaled --cleanup

-	[ -n "$port" ] && ARGS="$ARGS --port $port"
-	[ -n "$state_file" ] && ARGS="$ARGS --state $state_file"
-
 	procd_open_instance
-	procd_set_param command $PROGD $ARGS
+	procd_set_param command $PROGD
+
+	[ -n "$port" ] && procd_append_param command --port "$port"
+	[ -n "$state_file" ] && procd_append_param command --state "$state_file"

 	procd_set_param env TS_DEBUG_FIREWALL_MODE="$fw_mode"
- 	
+	
 	procd_set_param respawn
 	procd_set_param stdout "$std_out"
 	procd_set_param stderr "$std_err"
 	procd_close_instance
+
+	tailscale_helper "$cfg"
 }

 start_service() {
 	config_load 'tailscale'
 	config_foreach start_instance 'tailscale'
-	config_foreach custom_instance 'tailscale'
 }

 stop_instance() {
 	local cfg="$1"
-	/usr/sbin/tailscaled --cleanup

 	# Remove dnsmasq settings
-	sed -i '/100.100.100.100/d' /etc/dnsmasq.conf
-	/etc/init.d/dnsmasq reload
-	
+	MagicDNSSuffix=$(tailscale status --json | awk -F'"' '/"MagicDNSSuffix"/ {last=$(NF-1)} END {print last}')
+	for suffix in $(uci show dhcp | grep -E "address=.*/${MagicDNSSuffix}/" | sed "s/'//g"); do
+		uci -q del_list $suffix
+	done
+ 
 	# Remove network settings
 	uci -q delete network.tailscale
 	uci -q delete network.ts_lan
@@ -229,18 +125,23 @@ stop_instance() {
 	done
 	
 	# Remove firewall settings
-	lan2wan=$(uci show firewall | grep "firewall.@forwarding\[[0-9]\+\]\.src='lan'" -B 1 -A 1 | grep "firewall.@forwarding\[[0-9]\+\]\.dest='wan'" | grep -o '[0-9]\+')
-	uci -q delete firewall.@forwarding[$lan2wan].enabled
+	index=$(uci show firewall | grep "firewall.@forwarding\[[0-9]\+\]\.src='lan'" -B 1 -A 1 | grep "firewall.@forwarding\[[0-9]\+\]\.dest='wan'" | grep -o '[0-9]\+')
+	uci -q delete firewall.@forwarding[$index].enabled
 	uci -q delete firewall.tszone
-	uci -q delete firewall.tsfwlan
-	uci -q delete firewall.tsfwwan
-	uci -q delete firewall.lanfwts
-	uci -q delete firewall.wanfwts
+	uci -q delete firewall.ts_ac_lan
+	uci -q delete firewall.ts_ac_wan
+	uci -q delete firewall.lan_ac_ts
+	uci -q delete firewall.wan_ac_ts
+	
+	# Commit configuration changes and reload service
+	[ -n "$(uci changes dhcp)" ] && uci commit dhcp && /etc/init.d/dnsmasq reload
 	[ -n "$(uci changes network)" ] && uci commit network && /etc/init.d/network reload
 	[ -n "$(uci changes firewall)" ] && uci commit firewall && /etc/init.d/firewall reload

+	/usr/sbin/tailscaled --cleanup
+
 	# Remove existing link or folder
-	rm -rf $CONFIG_PATH
+	rm -rf "$CONFIG_PATH"
 }

 stop_service() {
--- a/root/usr/sbin/tailscale_helper
+++ b/root/usr/sbin/tailscale_helper
@@ -0,0 +1,147 @@
+#!/bin/sh
+
+# Copyright (C) 2025 asvow
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Error handling function
+revert_exit() {
+	logger -p daemon.err -t tailscale_helper "$(date '+%Y/%m/%d %H:%M:%S') $1"
+	uci revert dhcp && uci revert network && uci revert firewall
+	/etc/init.d/tailscale stop
+	exit 1
+}
+
+# Execute tailscale up command
+/usr/sbin/tailscale up --reset "$@" || revert_exit "tailscale up failed."
+
+# Use flock to acquire an exclusive lock
+LOCK_FILE="/var/lock/tailscale.lock"
+exec 9> "$LOCK_FILE"
+flock -xn 9 || { revert_exit "Failed to acquire lock on $LOCK_FILE"; }
+trap 'rm -f "$LOCK_FILE"; exit' INT TERM EXIT
+
+# Wait for Tailscale IPv4 address
+count=0
+while [ -z "$(ifconfig | grep 'tailscale' | awk '{print $1}')" ] || [ -z "$(tailscale ip -4)" ]; do
+	sleep 2
+	count=$((count + 1))
+	[ "${count}" -ge 5 ] && revert_exit "Failed to get Tailscale IPv4 address after 5 attempts."
+done
+
+# Configure Tailscale MagicDNS
+if [ "$ACCEPT_DNS" = "1" ]; then
+	MagicDNSSuffix=$(tailscale status --json | awk -F'"' '/"MagicDNSSuffix"/ {last=$(NF-1)} END {print last}')
+	target_address="/$MagicDNSSuffix/100.100.100.100"
+	index=$(uci show dhcp | grep 'dhcp.@dnsmasq\[[0-9]\+\]=dnsmasq' | grep -o '[0-9]\+')
+	for i in $index; do
+		if ! uci get dhcp.@dnsmasq[$i].address 2>/dev/null | grep -qxF "$target_address"; then
+			uci add_list "dhcp.@dnsmasq[$i].address=$target_address" || revert_exit "Failed to add DNS address."
+		fi
+	done
+fi
+
+# Configure network interface for Tailscale
+ts0=$(ifconfig | grep 'tailscale' | awk '{print $1}')
+if [ -z "$(uci -q get network.tailscale)" ]; then
+	uci set network.tailscale='interface'
+	if [ "$ts0" = *$'\n'* ]; then
+		[ -n "$(uci batch <<-EOF 2>&1
+			set network.ts_lan='device'
+			set network.ts_lan.type='bridge'
+			set network.ts_lan.name='ts-lan'
+			set network.tailscale.proto='none'
+			set network.tailscale.device='ts-lan'
+		EOF
+		)" ] && revert_exit "Failed to configure network interface for Tailscale."
+		for port in "${ts0}"; do
+			uci add_list network.ts_lan.ports=$port || revert_exit "Failed to add port $port."
+		done
+	else
+		ts_ip=$(tailscale ip -4)
+		[ -n "$(uci batch <<-EOF 2>&1
+			set network.tailscale.proto='static'
+			set network.tailscale.ipaddr=$ts_ip
+			set network.tailscale.netmask='255.0.0.0'
+			set network.tailscale.device=$ts0
+		EOF
+		)" ] && revert_exit "Failed to configure network interface for Tailscale."
+	fi
+fi
+
+# Configure exit node firewall rules
+if [ -n "$EXIT_NODE" ]; then
+	uci set firewall.@defaults[0].forward='REJECT' || revert_exit "Failed to set default forward policy to REJECT."
+	# Find the LAN to WAN forwarding rule index
+	index=$(uci show firewall | grep "firewall.@forwarding\[[0-9]\+\]\.src='lan'" -B 1 -A 1 | grep "firewall.@forwarding\[[0-9]\+\]\.dest='wan'" | grep -o '[0-9]\+')
+	[ -n "$index" ] && uci set firewall.@forwarding[$index].enabled='0' || revert_exit "Failed to disable forwarding rule."
+fi
+
+# Configure subnet routes for site to site
+if [ -n "$SUBNET_ROUTES" ]; then
+	i=1
+	ts_ip=$(tailscale ip -4)
+	for route in $SUBNET_ROUTES; do
+		[ -n "$(uci batch <<-EOF 2>&1
+			set network.ts_subnet$i='route'
+			set network.ts_subnet$i.interface='tailscale'
+			set network.ts_subnet$i.target=$route
+			set network.ts_subnet$i.gateway=$ts_ip
+		EOF
+		)" ] && revert_exit "Failed to configure subnet routes for site to site."
+		let i++
+	done
+fi
+
+# Configure firewall zone and rules
+if [ -n "$ACCESS" ]; then
+	[ -n "$(uci batch <<-EOF 2>&1
+		set firewall.tszone='zone'
+		set firewall.tszone.input='ACCEPT'
+		set firewall.tszone.output='ACCEPT'
+		set firewall.tszone.forward='ACCEPT'
+		set firewall.tszone.masq='1'
+		set firewall.tszone.mtu_fix='1'
+		set firewall.tszone.name='tailscale'
+		set firewall.tszone.network='tailscale'
+	EOF
+	)" ] && revert_exit "Failed to create firewall zone and forwarding rules for Tailscale."
+fi
+
+# Configure specific firewall forwarding rules between Tailscale, LAN, and WAN
+if [ "${ACCESS//ts_ac_lan/}" != "$ACCESS" ]; then
+	[ -n "$(uci batch <<-EOF 2>&1
+		set firewall.ts_ac_lan=forwarding
+		set firewall.ts_ac_lan.dest='lan'
+		set firewall.ts_ac_lan.src='tailscale'
+	EOF
+	)" ] && revert_exit "Failed to configure ts_ac_lan firewall forwarding rules."
+fi
+if [ "${ACCESS//ts_ac_wan/}" != "$ACCESS" ]; then
+	[ -n "$(uci batch <<-EOF 2>&1
+		set firewall.ts_ac_wan=forwarding
+		set firewall.ts_ac_wan.dest='wan'
+		set firewall.ts_ac_wan.src='tailscale'
+	EOF
+	)" ] && revert_exit "Failed to configure ts_ac_wan firewall forwarding rules."
+fi
+if [ "${ACCESS//lan_ac_ts/}" != "$ACCESS" ]; then
+	[ -n "$(uci batch <<-EOF 2>&1
+		set firewall.lan_ac_ts=forwarding
+		set firewall.lan_ac_ts.dest='tailscale'
+		set firewall.lan_ac_ts.src='lan'
+	EOF
+	)" ] && revert_exit "Failed to configure lan_ac_ts firewall forwarding rules."
+fi
+if [ "${ACCESS//wan_ac_ts/}" != "$ACCESS" ]; then
+	[ -n "$(uci batch <<-EOF 2>&1
+		set firewall.wan_ac_ts=forwarding
+		set firewall.wan_ac_ts.dest='tailscale'
+		set firewall.wan_ac_ts.src='wan'
+	EOF
+	)" ] && revert_exit "Failed to configure wan_ac_ts firewall forwarding rules."
+fi
+
+# Commit configuration changes and reload service
+[ -n "$(uci changes dhcp)" ] && uci commit dhcp && /etc/init.d/dnsmasq reload
+[ -n "$(uci changes network)" ] && uci commit network && /etc/init.d/network reload
+[ -n "$(uci changes firewall)" ] && uci commit firewall && /etc/init.d/firewall reload
--- a/root/usr/share/rpcd/acl.d/luci-app-tailscale.json
+++ b/root/usr/share/rpcd/acl.d/luci-app-tailscale.json
@@ -3,9 +3,11 @@
 		"description": "Grant access to Tailscale configuration",
 		"read": {
 			"file": {
-				"/sbin/ip": [ "exec" ],
-				"/sbin/logread": [ "exec" ],
-				"/usr/sbin/tailscale": [ "exec" ]
+				"/sbin/ip -s -j ad": [ "exec" ],
+				"/sbin/logread -e tailscale": [ "exec" ],
+				"/usr/sbin/tailscale status --json": [ "exec" ],
+				"/usr/sbin/tailscale login": [ "exec" ],
+				"/usr/sbin/tailscale logout": [ "exec" ]
 			},
 			"ubus": {
 				"service": [ "list" ]