Hi,
I’m using Tailscale as a VPN service on every device in my fleet (RPi CM4). I use the subnet routing feature to expose machines in the local network to the internet in a controlled way. I automated the setup process and it almost works.
The one missing element is that this setup requires that ipv4 and ipv6 IP forwarding are enabled in the kernel. For ipv4 this can be done from the host OS with `sysctl -w net.ipv4.ip_forward=1` or echoing a 1 into `/proc/sys/net/ipv4/ip_forwarding` (similar for ipv6). But it requires kernel privileges to execute this command. It only needs to be set once and the setting would never have to be touched again.
My options to set the kernel flags would be:
- Run a container in privileged mode (tested it and it works, for security reasons I prefer to avoid this)
- Bake the flags into the OS with Yocto (but I’d rather keep using the native RPi CM4 Balena OS and not be running builds myself)
- Run some script on startup of the host OS to do this? (Not sure how you would do this)
Do you have any suggestions on what would be the way to go?
Thanks in advance!
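As an added example (not part of the original post and not balena's or Tailscale's code), here is the check-and-set step itself written so it can be verified: it reads the kernel's `net/ipv4/ip_forward` and `net/ipv6/conf/all/forwarding` entries under `/proc/sys`, writes a 1 only when the flag is not already set, and re-reads the file afterwards so a silently ignored write is reported as a failure. Writing to `/proc/sys` in the host network namespace still needs the privilege the post is asking about (root in a privileged container, or something running on the host); the script does not grant it, it only makes the step idempotent and observable. `SYSCTL_ROOT`, the function names and the `--check`/`--ensure` flags are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently enable IPv4 and
# IPv6 forwarding via the kernel's /proc/sys tree and verify the result.
# SYSCTL_ROOT is an assumed knob so the logic can be exercised against a
# fake tree; on a real device leave it at the default /proc/sys.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Kernel paths: net.ipv4.ip_forward and net.ipv6.conf.all.forwarding
IPV4_KEY="net/ipv4/ip_forward"
IPV6_KEY="net/ipv6/conf/all/forwarding"

# read_flag KEY: print the current value, "missing" (status 1) if absent
read_flag() {
    f="$SYSCTL_ROOT/$1"
    [ -r "$f" ] || { echo missing; return 1; }
    tr -d '[:space:]' < "$f"
}

# ensure_flag KEY: write 1 only if needed; status 0 iff the flag ends up 1
ensure_flag() {
    cur=$(read_flag "$1") || return 1
    if [ "$cur" = "1" ]; then
        return 0                      # already enabled, nothing to touch
    fi
    f="$SYSCTL_ROOT/$1"
    # Silence the shell's redirection error so a read-only /proc/sys
    # (unprivileged container) yields a clean failure status.
    if ! { echo 1 > "$f"; } 2>/dev/null; then
        echo "cannot write $f (needs root in the host netns / privileged)" >&2
        return 1
    fi
    # Re-read: a write can be accepted yet ignored, so never trust echo's status
    [ "$(read_flag "$1")" = "1" ]
}

# ensure_forwarding: enable both families; status 0 only when both read 1
ensure_forwarding() {
    rc=0
    ensure_flag "$IPV4_KEY" || rc=1
    ensure_flag "$IPV6_KEY" || rc=1
    return $rc
}

# check_forwarding: report-only, works from an unprivileged container too
check_forwarding() {
    v4=$(read_flag "$IPV4_KEY") || v4=missing
    v6=$(read_flag "$IPV6_KEY") || v6=missing
    echo "ipv4 ip_forward=$v4 ipv6 forwarding=$v6"
    [ "$v4" = "1" ] && [ "$v6" = "1" ]
}

case "${1:-}" in
    --check)  check_forwarding ;;
    --ensure) ensure_forwarding && echo "IP forwarding enabled" ;;
esac
```

Run `sh forwarding.sh --check` from any container to see whether the host network namespace already has both flags set, and `--ensure` from wherever you end up granting the write access; because it only writes when the value is not already 1 and verifies afterwards, it is safe to run on every boot and its exit status tells you whether Tailscale's subnet router actually has what it needs.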