pkgsrc-Users archive
Re: Progress on tailscale on NetBSD (plus $ available)
On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > On Mon, 20 Apr 2026 at 19:54, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > >
> > > > From: Kevin Bloom <ktnb%netbsd.org@localhost>
> > > >
> > > > > Following up on my previous message
> > > > >
> > > > > Using pkgsrc/wip/tailscale (many thanks to ktnb for maintaining that!)
> > > > > I seem to be able to get a pretty reliable full (not needing the -tun
> > > > > userspace-networking workaround) tailscale client on NetBSD-11_RC3 by:
> > > >
> > > > My apologies for not getting the NetBSD support for wip/tailscale
> > > > better. That's partly why I keep it in wip and not merged in -current.
> > > > I use tailscale for work but I only use macOS and Linux (both with
> > > > pkgsrc) so I mostly keep it up-to-date for those systems.
> >
> > Not at all - thanks for all the work maintaining it - it provided a
> > ready platform for me to try poking at :)
> >
> > > [...]
> > >
> > > Okay, I'm not 100% sure I have it good enough to consider this "fixed"
> > > but I think I do have it working.
> > >
> > > https://mail-index.netbsd.org/pkgsrc-wip-changes/2026/04/20/msg036257.html
> > >
> > > Once installed:
> > > # tailscaled
> > > $ tailscale login
> > > ...
> > > # tailscale up --accept-routes
> > > Done.
> > >
> > > ifconfig(8) shows the tun0 with status active as well. So I'm guessing
> > > it's working.
> > >
> > > I can ping everyone on the tailnet. No need to do anything with the ip.
> > > Let me know if it works for y'all.
> >
> > (Great - leaps in enthusiastically and finds things to trip over :)
> >
> > I've taken the last three versions from pkgsrc-wip for a spin. Using
> > the GITHUB_TAG as a reference and a snippet of the commit message they
> > would be:
> >
> > acb9d410 - "update to 1.94.4"
> > 025e1f2e - "tun(4) support"
> > 73f86934 - "userspace-networking"
> >
> > (As an aside I got myself into a terrible mess with not destroying the
> > tun0 between switching versions to ensure a clean baseline). For each
> > test I ensure there are no tun interfaces present and no other
> > wireguard or similar processes, then with a pre-authed tailscale just
> > run "service tailscaled onestart". This is on 11.0_RC3/amd64 with a
> > single configured ethernet interface
> >
> > In all cases userspace-networking seems to work fine for me - my test
> > is 'tailscale ssh <ip>' where <ip> is a Linux box on the same tailnet.
> >
> > Trying to test with rc.d/tailscaled updated to remove -tun
> > userspace-networking - the two latest versions will bring up tun0 with
> > the correct IP, and I can use 'tailscale ping', but I cannot use 'ssh
> > <ip>' to ssh directly across the tailnet.
> >
> > Trying my workaround to create and assign an IP to tun0 before
> > starting tailscaled still allows me to 'ssh <ip>' across the tailnet
> > with acb9d410, but it no longer works for the latter two versions.
> >
> > I'm pretty sure I must be missing something, but I don't know what! :/
> >
> > Thanks
> >
> > David
> >
>
> Okay, I just pushed up another commit that uses the original code but
> keeps the new logic. I've tested it and I have been successful with
> both tun0 and userspace-networking. I didn't have to destroy the tun0
> device for this one to work but the commit before this I had to kill
> it before trying. (Interestingly enough, the previous commit stopped
> working for me once you said that it didn't work for you...)
>
> Let me know how it goes!
>
> Note: I didn't use the rc script just the raw command:
> tailscaled [-tun=userspace-networking]
>
> Just had to login, up --accept-routes, and I was good. I'll test it
> again tomorrow morning since apparently when the sun comes up it
> stopped working before!
>
On my
uname -a
NetBSD ym1r.lorien.lan 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Thu Mar 26 00:05:14 GMT 2026 root%ym1r.lorien.lan@localhost:/bd/sysbuild/amd64/obj/home/sysbuild/src/sys/arch/amd64/compile/GENERIC amd64
system I get the following - just after the last rebuild of wip/tailscale:
- /etc/resolv.conf does not get updated with the tailscale settings (it did this a few days ago), the tun0 interface also does not get created.
- I am able to ping any live tailnet host (without specifying 'tailscale') *except* the ip address assigned to the tun0 interface
- I can ping the tailnet DNS server - 100.100.100.100 - but 'dig @100.100.100.100 ' returns blank for any query
This happens even after I logout from the tailnet, stop the daemon and destroy the tun0 interface.
So far what it lets me do is e.g. ping or ssh to a tailnet address - even by another user - but the ssh authentication does not go through the tailscale mechanism. Also, any tailscale command is available solely to root.
FWIW,
Chavdar