addpkg(root/tailscale): 1.78.3 #22980

Open, wants to merge 1 commit into base: master

TomJo2000
Member

closes #10166

This PR adds a package for tailscale.
The build script is mostly adapted from Arch Linux's tailscale package.
https://gitlab.archlinux.org/archlinux/packaging/packages/tailscale/-/blob/main/PKGBUILD
And the service script is adapted from Void Linux.
https://github.com/void-linux/void-packages/blob/d833c349beda6e8a00f84cec7c4e447b226c4eee/srcpkgs/tailscale/files/tailscaled/run

I also used some tricks from gh to generate the completions at build time.

(
unset GOOS GOARCH CGO_LDFLAGS
unset CC CXX CFLAGS CXXFLAGS LDFLAGS
go run ./cmd/gen-docs --man-page --doc-path $TERMUX_PREFIX/share/man/man1/
)

@truboxl
Contributor

truboxl commented Jan 19, 2025

Commit message probably needs to be clear as root

@TomJo2000
Member Author

> Commit message probably needs to be clear as root

Yep I noticed that after I did the initial push, it's been moved to the root-packages channel.
I just forgot to update the commit message.

TomJo2000 changed the title from "addpkg(main/tailscale): 1.78.3" to "addpkg(root/tailscale): 1.78.3" on Jan 19, 2025
@TomJo2000
Member Author

On the topic of needing root.
There is a "userspace networking" mode.
It mostly seems to be intended for containers.
https://tailscale.com/kb/1112/userspace-networking

A userspace implementation of wireguard, such as wireguard-go may also work.
https://github.com/WireGuard/wireguard-go
Though it would need to be packaged for Termux first.

@TomJo2000
Member Author

TomJo2000 commented Jan 19, 2025

Help with testing this package would be appreciated.
I can't do any function testing as I do not have a rooted device.
I will leave testing instructions below.


(This is a pre-written, saved reply.)
If you want to test this PR please download the appropriate DEB package(s)
from the build artifacts of the associated PR's latest CI run.

After downloading the build artifact, make sure to unzip and un-tar it.

Detailed instructions, if needed.

# finding out what architecture you need
# architecture is just below the TERMUX_VERSION
termux-info

# e.g.
# [...]
# TERMUX_MAIN_PACKAGE_FORMAT=debian
# TERMUX_VERSION=0.118.0
# TERMUX__USER_ID=0
# Packages CPU architecture:
# aarch64
# [...]

# =======================

# make sure `unzip` and `tar` are installed using
pkg install unzip tar

# unzip the artifact (if you have a different architecture this might be arm, i686 or x86_64 instead)
unzip debs-aarch64-*.zip

# untar the artifact
tar xf debs-aarch64-*.tar

# You should now have a debs/ directory in your current working directory
# Install the packages from the local source using
pkg install -- ./debs/*.deb

# to clean up, you can remove the debs/ directory, .tar file and .zip file
rm -rfi debs debs-aarch64-*.zip debs-aarch64-*.tar

@robertkirkman
Contributor

robertkirkman commented Jan 23, 2025

I have a successfully functioning glibc-based Tailscale network that has 3 rooted GNU/Linux nodes, one of which is an esoteric distro on an aarch64 device, that has glibc 2.27 installed in /opt and has kernel 4.19, and which only works while the --tun=userspace-networking argument is passed to tailscaled, and the other two of which are more popular and generic distros, that both have glibc 2.40, installed in /usr, on x86_64 devices, and which both have kernel 6.12, and both work without using the --tun argument.

That is the configuration of the network I attempted to add a bionic-libc device to using this package. To test this package, I installed it on Termux on a device I have that has a self-built ROM of rooted LineageOS 21 Android 14 aarch64, with this termux-info:

termux-info
Termux Variables:
TERMUX_APK_RELEASE=F_DROID
TERMUX_APP_PACKAGE_MANAGER=apt
TERMUX_APP_PID=10389
TERMUX_IS_DEBUGGABLE_BUILD=0
TERMUX_MAIN_PACKAGE_FORMAT=debian
TERMUX_VERSION=0.118.1
TERMUX_X11_XSTARTUP=xfce4-session
TERMUX__USER_ID=0
Packages CPU architecture:
aarch64
Subscribed repositories:
# sources.list
deb https://packages.termux.dev/apt/termux-main stable main
# root-repo (sources.list.d/root.list)
deb https://packages.termux.dev/apt/termux-root root stable
# tur-repo (sources.list.d/tur.list)
deb https://tur.kcubeterm.com tur-packages tur tur-on-device tur-continuous
# x11-repo (sources.list.d/x11.list)
deb https://packages.termux.dev/apt/termux-x11 x11 main
Updatable packages:
All packages up to date
termux-tools version:
1.44.6
Android version:
14
Kernel build information:
Linux localhost 4.4.302-ge001f28c408d #1 SMP PREEMPT Mon Jun 24 11:02:29 CDT 2024 aarch64 Android
Device manufacturer:
samsung
Device model:
SM-G955F
LD Variables:
LD_LIBRARY_PATH=
LD_PRELOAD=/data/data/com.termux/files/usr/lib/libtermux-exec.so
Installed termux plugins:
com.termux.x11 versionCode:15

Because I built the ROM in use myself, if I am directed to do so, it would probably be possible for me to attempt to increase the chances of this device having compatibility with Tailscale by recompiling and reinstalling the entire ROM and/or kernel, if any settings should be found for those that could be necessary. Currently the customizations I have installed in this ROM at build-time are minimal and purely graphics-related, with no specific changes to its networking configuration on top of the LineageOS port I forked.

My root app is a fully persistent installation of Magisk 27.0, and I obtained root shells within the Termux environment using the tsu command, before attempting to run any Tailscale commands.

Here are the results I have observed so far:

  • sv up tailscaled
fail: tailscaled: unable to change to service directory: file does not exist
  • tailscaled
logtail started
Program starting: v1.78.3, Go 1.23.5: []string{"tailscaled"}
LogID: bbce5af07317077b5f446519ffb4f34f519cf8c0778942b323c83c29a37f92a4
logpolicy: using UserCacheDir, "/data/data/com.termux/files/home/.suroot/.cache/Tailscale"
dns: [rc=missing ret=direct]
dns: using "direct" mode
dns: using *dns.directManager
dns: inotify addwatch: context canceled
linuxfw: clear iptables: multiple errors:
	deleting [-j ts-input] in filter/INPUT: running [/system/bin/iptables -t filter -D INPUT -j ts-input --wait]: exit status 2: iptables v1.8.10 (legacy): Couldn't find target `ts-input'

Try `iptables -h' or 'iptables --help' for more information.

	deleting [-j ts-forward] in filter/FORWARD: running [/system/bin/iptables -t filter -D FORWARD -j ts-forward --wait]: exit status 2: iptables v1.8.10 (legacy): Couldn't find target `ts-forward'

Try `iptables -h' or 'iptables --help' for more information.

	deleting [-j ts-postrouting] in nat/POSTROUTING: running [/system/bin/iptables -t nat -D POSTROUTING -j ts-postrouting --wait]: exit status 2: iptables v1.8.10 (legacy): Couldn't find target `ts-postrouting'

Try `iptables -h' or 'iptables --help' for more information.
linuxfw: clear ip6tables: multiple errors:
	deleting [-j ts-input] in filter/INPUT: running [/system/bin/ip6tables -t filter -D INPUT -j ts-input --wait]: exit status 2: ip6tables v1.8.10 (legacy): Couldn't find target `ts-input'

Try `ip6tables -h' or 'ip6tables --help' for more information.

	deleting [-j ts-forward] in filter/FORWARD: running [/system/bin/ip6tables -t filter -D FORWARD -j ts-forward --wait]: exit status 2: ip6tables v1.8.10 (legacy): Couldn't find target `ts-forward'

Try `ip6tables -h' or 'ip6tables --help' for more information.

	deleting [-j ts-postrouting] in nat/POSTROUTING: running [/system/bin/ip6tables -t nat -D POSTROUTING -j ts-postrouting --wait]: exit status 2: ip6tables v1.8.10 (legacy): Couldn't find target `ts-postrouting'

Try `ip6tables -h' or 'ip6tables --help' for more information.
cleanup: list tables: netlink receive: invalid argument
--statedir (or at least --state) is required
  • tailscaled --tun=userspace-networking --statedir=$PREFIX/var/lib/tailscale
logtail started
Program starting: v1.78.3, Go 1.23.5: []string{"/data/data/com.termux/files/usr/bin/tailscaled", "--tun=userspace-networking", "--statedir=/data/data/com.termux/files/usr/var/lib/tailscale"}
LogID: bbce5af07317077b5f446519ffb4f34f519cf8c0778942b323c83c29a37f92a4
logpolicy: using UserCacheDir, "/data/data/com.termux/files/home/.suroot/.cache/Tailscale"
dns: [rc=missing ret=direct]
dns: using "direct" mode
dns: using *dns.directManager
wgengine.NewUserspaceEngine(tun "userspace-networking") ...
dns: using dns.noopManager
link state: interfaces.State{defaultRoute= ifs={wlan0:[192.168.43.63/24 2600:380:7833:6699:6024:1fd:ab99:d63c/64 2600:380:7833:6699:d4d8:70fa:843e:1fef/64 llu6]} v4=true v6=true}
onPortUpdate(port=42300, network=udp6)
onPortUpdate(port=52234, network=udp4)
magicsock: disco key = d:0ff6acb7adc84073
Creating WireGuard device...
Bringing WireGuard device up...
Bringing router up...
Clearing router settings...
Starting network monitor...
Engine created.
pm: migrating "ipn-android" profile to new format
logpolicy: using UserCacheDir, "/data/data/com.termux/files/home/.suroot/.cache/Tailscale"
got LocalBackend in 16ms
Start
Backend: logs: be:bbce5af07317077b5f446519ffb4f34f519cf8c0778942b323c83c29a37f92a4 fe:
Switching ipn state NoState -> NeedsLogin (WantRunning=false, nm=false)
blockEngineUpdates(true)
health(warnable=wantrunning-false): error: Tailscale is stopped.
wgengine: Reconfig: configuring userspace WireGuard config (with 0/0 peers)
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
dns: Resolvercfg: {Routes:{} Hosts:0 LocalDomains:[]}
dns: OScfg: {}
LinkChange: major, rebinding. New state: interfaces.State{defaultRoute= ifs={wlan0:[192.168.12.252/24 llu6]} v4=true v6=false}
dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
dns: Resolvercfg: {Routes:{} Hosts:0 LocalDomains:[]}
dns: OScfg: {}
wgengine: set DNS config again after major link change
onPortUpdate(port=42300, network=udp6)
onPortUpdate(port=52234, network=udp4)
Rebind; defIf="", ips=[]
magicsock: 0 active derp conns
  • tailscale up --login-server=http://[my headscale node external domain name that all the glibc-based nodes described before are currently successfully connected to]:8080
failed to connect to local tailscaled (which appears to be running as tailscaled, pid 22090). Got error: Failed to connect to local Tailscale daemon for /localapi/v0/status; not running? Error: dial unix tailscaled.sock: connect: no such file or directory

@robertkirkman
Contributor

robertkirkman commented Jan 23, 2025

I made a little bit more progress in connection with this combination of commands:

tailscaled --tun=userspace-networking --statedir=$PREFIX/var/lib/tailscale --socket=$PREFIX/var/run/tailscale/tailscaled.sock &
tailscale --socket $PREFIX/var/run/tailscale/tailscaled.sock up --login-server=http://[headscale external domain name]:8080 --accept-routes

That printed this,

logtail started
Program starting: v1.78.3, Go 1.23.5: []string{"tailscaled", "--tun=userspace-networking", "--statedir=/data/data/com.termux/files/usr/var/lib/tailscale", "--socket=/data/data/com.termux/files/usr/var/run/tailscale/tailscaled.sock"}
LogID: bbce5af07317077b5f446519ffb4f34f519cf8c0778942b323c83c29a37f92a4
logpolicy: using UserCacheDir, "/data/data/com.termux/files/home/.suroot/.cache/Tailscale"
dns: [rc=missing ret=direct]
dns: using "direct" mode
dns: using *dns.directManager
wgengine.NewUserspaceEngine(tun "userspace-networking") ...
dns: inotify addwatch: context canceled
dns: using dns.noopManager
link state: interfaces.State{defaultRoute= ifs={wlan0:[192.168.43.63/24 2600:380:7854:d123:3090:f72:ec4b:6cc2/64 2600:380:7854:d123:6024:1fd:ab99:d63c/64 llu6]} v4=true v6=true}
onPortUpdate(port=40302, network=udp6)
onPortUpdate(port=46564, network=udp4)
magicsock: disco key = d:257f9da7ba02df28
Creating WireGuard device...
Bringing WireGuard device up...
Bringing router up...
Clearing router settings...
Starting network monitor...
Engine created.
pm: using backend prefs for "profile-a121": Prefs{ra=true dns=true want=true statefulFiltering=false url="http://[headscale external domain name]:8080" update=check Persist{lm=, o=, n=[1tweX] u="[headscale user account name]"}}
logpolicy: using UserCacheDir, "/data/data/com.termux/files/home/.suroot/.cache/Tailscale"
got LocalBackend in 14ms
Start
Backend: logs: be:bbce5af07317077b5f446519ffb4f34f519cf8c0778942b323c83c29a37f92a4 fe:
control: client.Login(0)
health(warnable=warming-up): error: Tailscale is starting. Please wait.
control: doLogin(regen=false, hasUrl=false)
control: control server key from http://[headscale external domain name]:8080: ts2021=[6wzH6], legacy=
control: RegisterReq: onode= node=[1tweX] fup=false nks=false
control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
health(warnable=not-in-map-poll): ok
active login: [headscale user account name]
Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
magicsock: SetPrivateKey called (init)
wgengine: Reconfig: configuring userspace WireGuard config (with 1/2 peers)
wgengine: Reconfig: configuring router
router: consolidated 6 routes down to 5
wgengine: Reconfig: configuring DNS
dns: Set: {DefaultResolvers:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001] Routes:{headscale user account name].:[]}+65arpa SearchDomains:[headscale user account name].] Hosts:3}
dns: Resolvercfg: {Routes:{.:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001]} Hosts:3 LocalDomains:[[headscale user account name].com.]+65arpa}
dns: OScfg: {Nameservers:[100.100.100.100] SearchDomains:[[headscale user account name].com.] }
peerapi: serving on http://100.64.0.6:1
peerapi: serving on http://[fd7a:115c:a1e0::6]:1
netcheck: DetectCaptivePortal(found=false)
magicsock: home DERP changing from derp-0 [0ms] to derp-9 [78ms]
magicsock: home is now derp-9 (dfw)
magicsock: adding connection to derp-9 for home-keep-alive
magicsock: 1 active derp conns: derp-9=cr0s,wr0s
control: NetInfo: NetInfo{varies=true hairpin= ipv6=true ipv6os=true udp=true icmpv4=false derp=#9 portmap= link="" firewallmode=""}
derphttp.Client.Connect: connecting to derp-9 (dfw)
health(warnable=warming-up): ok
Switching ipn state Starting -> Running (WantRunning=true, nm=true)
health(warnable=no-derp-connection): ok
magicsock: endpoints changed: 107.107.186.145:29541 (stun), 107.107.186.145:44417 (stun), [2600:380:7854:d123:6024:1fd:ab99:d63c]:40302 (stun), 192.168.43.63:46564 (local), [2600:380:7854:d123:3090:f72:ec4b:6cc2]:46564 (local), [2600:380:7854:d123:6024:1fd:ab99:d63c]:46564 (local)
health(warnable=no-derp-connection): ok
health(warnable=no-derp-connection): ok
[RATELIMIT] format("health(warnable=%s): ok")
magicsock: derp-9 connected; connGen=1

My Headscale server detected the connection request, and when I authorized it using this command

# on headscale server
sudo headscale nodes register --user [headscale user account name] --key mkey:[key printed by tailscale client]

then used

# on headscale server
sudo headscale nodes list

I see this:

ID | Hostname          | Name              | MachineKey | NodeKey | User  | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
2  | [other node] | [other node] | [0XQei]    | [K74rI] | [headscale user account name] | 100.64.0.4, fd7a:115c:a1e0::4 | false     | 2025-01-23 13:05:14 | 0001-01-01 00:00:00 | online    | no
3  | localhost         | localhost         | [mhq9U]    | [1tweX] | [headscale user account name]  | 100.64.0.6, fd7a:115c:a1e0::6 | false     | 2025-01-23 15:44:33 | 0001-01-01 00:00:00 | online    | no

Where the Android device running this tailscale package appeared with the name "localhost", and with the local IP address "100.64.0.6",

and, the tailscale ping is working, both to and from other nodes, like this

# Termux
tailscale --socket $PREFIX/var/run/tailscale/tailscaled.sock ping 100.64.0.4
# 100.64.0.4 node
tailscale ping 100.64.0.6

however, the normal ping 100.64.0.4 command is not working, and, since one of my nodes had tailscale launched with the --advertise-routes=192.168.120.0/24, all other nodes that had --accept-routes specified are able to receive responses from ping 192.168.120.21 which is one of the devices in the same subnet as the node that used --advertise-routes, but the Termux tailscale node is not receiving a response from that even though I used --accept-routes with it.

@TomJo2000
Member Author

So in short, the service script is currently broken and needs some fixing?

@robertkirkman
Contributor

robertkirkman commented Jan 23, 2025

> So in short, the service script is currently broken and needs some fixing?

Yes I am sorry for taking so long to edit the comment, which happened because I connected to many different devices that do not share clipboards, so I pasted logs from one device, then saved the comment, then navigated to another device, copied more logs, and edited the comment, then pasted them in the comment, then saved the comment, then navigated to another device, then copied more logs, then edited the comment and pasted them in the comment, and then saved the comment, et cetera. Now it is completely posted.

I would summarize what happened like this:

  • to some degree this tailscale package is definitely working on the rooted device, and other nodes in the network are able to detect it with tailscale ping
  • however, yes, something was wrong with sv up tailscaled, and,
  • --tun=userspace-networking argument was required, and without it, "iptables" errors occurred, which might be a similar situation to the situation described in the FreddieOliveira tutorial for the root/docker package, which talks about a "nonstandard iptables rules policy",
  • --accept-routes argument does not seem to be doing anything, unlike on other nodes in the same Headscale network, which are able to interact with devices that are in the same subnet as the advertising node, without those devices themselves also running Tailscale.
  • Other nodes' normal ping commands are able to receive responses from each other, but oddly, using the ping command from Termux on any of the other nodes is not working, such as ping 100.64.0.4 from Termux, only tailscale... ping is working, but according to the Tailscale document linked above, it is implied that is expected in at least some situations. Maybe it is caused in some way by the different implementation of the ping command.
  • explicitly specifying the --socket argument correctly for every command run seems to be necessary, maybe because the default Socket it falls back to is not set to the desired value, I am not yet sure whether it would be convenient to patch that.

@TomJo2000
Member Author

Don't worry about giving me "too much information", I don't have a way to do this testing myself unfortunately, so anything you can tell me about what issues you are seeing is helpful to solve it.

This does sound to me like we'll need to modify the service script to work with Android's non-standard iptables implementation, and I'm guessing the other flags you mentioned might need patching.

First things first, I think we should probably extract the service into a standalone script in the package directory.

If you have any specific recommendations or fixes please feel free to leave them here as review comments, or feel free to open up a separate PR.

@robertkirkman
Contributor

robertkirkman commented Jan 25, 2025

I think one of the reasons why the sv up tailscaled command doesn't seem to be working either as root or as unprivileged user, might be because the other root-packages that have services follow a unique pattern that isn't here yet:

On the other hand, --accept-routes is definitely not fully working and I do not know why, since, where 192.168.120.130 is the local ip address of a web server that is on the same subnet as the 100.64.0.4 --advertise-routes node, but which is not running Tailscale,

  • GNU/Linux nodes that used --accept-routes with tailscale up:

    • receive a correct response (pong from 100.64.0.4) from tailscale ping 192.168.120.130
    • receive a correct response (64 bytes from 192.168.120.130) from ping 192.168.120.130
    • receive a correct response (HTML page) from curl 192.168.120.130
  • but, when --accept-routes is used with the Termux node, it:

    • receives a correct response (pong from 100.64.0.4) from tailscale ping 192.168.120.130
    • does not receive a response (100% packet loss) from ping 192.168.120.130
    • does not receive a response (curl: (28) Failed to connect to 192.168.120.21 port 80 after 127257 ms: Could not connect to server) from curl 192.168.120.130
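Added example, not part of any participant's comment and not code from this PR: a small wrapper that keeps the daemon and the CLI on one explicit socket path, as the commands in the comments above had to do by hand, and adds the local SOCKS5/HTTP proxy listeners that Tailscale's userspace-networking documentation describes for outbound connections when no TUN interface exists. The function names, the `TS_DRYRUN` switch and port 1055 are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the PR). Function names, TS_DRYRUN and the proxy
# port are assumptions; the paths are the ones used in the thread.

PREFIX="${PREFIX:-/data/data/com.termux/files/usr}"
TS_STATEDIR="$PREFIX/var/lib/tailscale"
TS_SOCKET="$PREFIX/var/run/tailscale/tailscaled.sock"
TS_PROXY="localhost:1055"    # assumed loopback-only proxy listener

# With TS_DRYRUN=1 print the command instead of executing it.
run() {
    if [ "${TS_DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The state directory holds the node's private key material, so keep it
# owner-only; the socket directory must exist before the daemon binds.
ts_prepare_dirs() {
    run mkdir -p "$TS_STATEDIR" "$(dirname "$TS_SOCKET")" &&
    run chmod 700 "$TS_STATEDIR"
}

# Daemon: no TUN device, explicit state dir and socket, and a proxy bound
# to loopback so other programs on the device can reach the tailnet.
ts_daemon() {
    run tailscaled \
        --tun=userspace-networking \
        --statedir="$TS_STATEDIR" \
        --socket="$TS_SOCKET" \
        --socks5-server="$TS_PROXY" \
        --outbound-http-proxy-listen="$TS_PROXY" \
        "$@"
}

# CLI wrapper: always talks to the same socket the daemon was given.
ts() {
    run tailscale --socket="$TS_SOCKET" "$@"
}

# Run one program through the proxy. SOCKS5 carries TCP, so this helps
# clients such as curl; ICMP ping does not pass through a proxy.
ts_via_proxy() {
    run env ALL_PROXY="socks5://$TS_PROXY/" "$@"
}

# Usage (as root in Termux; addresses are the ones from the thread):
#   ts_prepare_dirs && ts_daemon &
#   ts up --login-server=http://HEADSCALE_HOST:8080 --accept-routes
#   ts ping 100.64.0.4
#   ts_via_proxy curl http://100.64.0.4/
```

Setting `TS_DRYRUN=1` prints each command line instead of running it, which is enough to confirm that the daemon and CLI agree on the socket before touching a device.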
