I’m using Tailscale as a VPN service on every device in my fleet (RPi CM4). I use the subnet routing feature to expose machines in the local network to the internet in a controlled way. I automated the setup process and it almost works.
The one missing element is that this setup requires that IPv4 and IPv6 IP forwarding are enabled in the kernel. For IPv4 this can be done from the host OS with sysctl -w net.ipv4.ip_forward=1 or by echoing a 1 into /proc/sys/net/ipv4/ip_forwarding (similarly for IPv6). But it requires kernel privileges to execute this command. It only needs to be set once and the setting would never have to be touched again.
My options to set the kernel flags would be:
Run a container in privileged mode (tested it and it works, for security reasons I prefer to avoid this)
Bake the flags into the OS with Yocto (but I’d rather keep using the native RPi CM4 Balena OS and not be running builds myself)
Run some script on startup of the host OS to do this? (Not sure how you would do this)
Do you have any suggestions on what would be the way to go?
Thanks in advance!
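As an added example (not from the original post), here is a small POSIX shell helper that verifies the two forwarding flags Tailscale subnet routing depends on and only attempts to set them when the kernel lets it, failing loudly instead of requiring a privileged container. The first argument (defaulting to /proc) is a hypothetical root parameter so the logic can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example: check (and, if permitted, enable) the IPv4/IPv6 forwarding
# sysctls needed for Tailscale subnet routing. The root argument is a
# hypothetical parameter, defaulting to /proc, so the same logic can be run
# against a constructed tree without touching the real kernel.

forwarding_files() {
  printf '%s\n' "$1/sys/net/ipv4/ip_forward" "$1/sys/net/ipv6/conf/all/forwarding"
}

# Return 0 when every forwarding flag reads "1"; otherwise report each
# missing or disabled flag on stderr and return 1.
check_forwarding() {
  root="${1:-/proc}"
  rc=0
  for f in $(forwarding_files "$root"); do
    if [ ! -r "$f" ]; then
      echo "missing: $f" >&2
      rc=1
      continue
    fi
    v=$(cat "$f")
    if [ "$v" != "1" ]; then
      echo "disabled: $f (=$v)" >&2
      rc=1
    fi
  done
  return $rc
}

# Try to enable forwarding. Writing these files needs CAP_NET_ADMIN (root) and
# a writable /proc; in an unprivileged container the write fails and we report
# that rather than escalating. Verifies the result before returning success.
enable_forwarding() {
  root="${1:-/proc}"
  for f in $(forwarding_files "$root"); do
    if ! echo 1 > "$f" 2>/dev/null; then
      echo "cannot write $f (insufficient privileges)" >&2
      return 1
    fi
  done
  check_forwarding "$root"
}
```

Run check_forwarding before starting tailscaled as a subnet router; if it fails and enable_forwarding cannot fix it, that is the signal to fall back to a setup that does not need forwarding at all.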
Hi, in the meantime I found another solution that does not require any container privileges. But I guess a dedicated startup container would do the trick indeed. Thanks!
Tailscale offers two running modes: kernel mode and userspace mode. The kernel mode has some advantages, such as a dedicated network interface for the VPN with automatic advanced routing rules, DNS, etc. We don’t really need this in our application (we don’t initiate outbound connections over the VPN), so we now run it in userspace mode as a non-root user, eliminating the need for any special privileges. Tailscale advertises this mode specifically for use with Docker containers to avoid the need for privileged setups.