pkgsrc-Users archive


Re: Progress on tailscale on NetBSD (plus $ available)



> On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
>
> > > On Mon, 20 Apr 2026 at 19:54, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > >
> > > > > From: Kevin Bloom <ktnb%netbsd.org@localhost>
> > > > >
> > > > > > Following up on my previous message
> > > > > >
> > > > > > > Using pkgsrc/wip/tailscale (many thanks to ktnb for maintaining that!)
> > > > > > > I seem to be able to get a pretty reliable full (not needing the -tun
> > > > > > > userspace-networking workaround) tailscale client on NetBSD-11_RC3 by:
> > > > >
> > > > > My apologies for not getting the NetBSD support for wip/tailscale
> > > > > > better. That's partly why I keep it in wip and not merged in -current.
> > > > > I use tailscale for work but I only use macOS and Linux (both with
> > > > > pkgsrc) so I mostly keep it up-to-date for those systems.
> > >
> > > Not at all - thanks for all the work maintaining it - it provided a
> > > ready platform for me to try poking at :)
> > >
> > > > [...]
> > > >
> > > > Okay, I'm not 100% sure I have it good enough to consider this "fixed"
> > > > but I think I do have it working.
> > > >
> > > > https://mail-index.netbsd.org/pkgsrc-wip-changes/2026/04/20/msg036257.html
> > > >
> > > > Once installed:
> > > > # tailscaled
> > > > $ tailscale login
> > > > ...
> > > > # tailscale up --accept-routes
> > > > Done.
> > > >
> > > > ifconfig(8) shows the tun0 with status active as well. So I'm guessing
> > > > it's working.
> > > >
> > > > I can ping everyone on the tailnet. No need to do anything with the ip.
> > > > Let me know if it works for y'all.
> > >
> > > (Great - leaps in enthusiastically and finds things to trip over :)
> > >
> > > I've taken the last three versions from pkgsrc-wip for a spin. Using
> > > the GITHUB_TAG as a reference and a snippet of the commit message they
> > > would be:
> > >
> > > acb9d410 - "update to 1.94.4"
> > > 025e1f2e  - "tun(4) support"
> > > 73f86934  - "userspace-networking"
> > >
> > > (As an aside I got myself into a terrible mess with not destroying the
> > > tun0 between switching versions to ensure a clean baseline). For each
> > > test I ensure there are no tun interfaces present and no other
> > > wireguard or similar processes, then with a pre-authed tailscale just
> > > run "service tailscaled onestart". This is on 11.0_RC3/amd64 with a
> > > single configured ethernet interface
> > >
> > > In all cases userspace-networking seems to work fine for me - my test
> > > is 'tailscale ssh <ip>' where <ip> is a Linux box on the same tailnet.
> > >
> > > Trying to test with rc.d/tailscaled updated to remove -tun
> > > userspace-networking - the two latest versions will bring up tun0 with
> > > the correct IP, and I can use 'tailscale ping', but I cannot use 'ssh
> > > <ip>' to ssh directly across the tailnet.
> > >
> > > Trying my workaround to create and assign an IP to tun0 before
> > > starting tailscaled still allows me to 'ssh <ip>' across the tailnet
> > > with acb9d410, but it no longer works for the latter two versions.
> > >
> > > I'm pretty sure I must be missing something, but I don't know what! :/
> > >
> > > Thanks
> > >
> > > David
> > >
> >
> > Okay, I just pushed up another commit that uses the original code but
> > keeps the new logic. I've tested it and I have been successful with
> > both tun0 and userspace-networking. I didn't have to destroy the tun0
> > device for this one to work but the commit before this I had to kill
> > it before trying. (Interestingly enough, the previous commit stopped
> > working for me once you said that it didn't work for you...)
> >
> > Let me know how it goes!
> >
> > Note: I didn't use the rc script just the raw command:
> >   tailscaled [-tun=userspace-networking]
> >
> > Just had to login, up --accept-routes, and I was good. I'll test it
> > again tomorrow morning since apparently when the sun comes up it
> > stopped working before!
> >
>
> On my
>
> uname -a
> NetBSD ym1r.lorien.lan 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Thu Mar 26 00:05:14 GMT 2026  root%ym1r.lorien.lan@localhost:/bd/sysbuild/amd64/obj/home/sysbuild/src/sys/arch/amd64/compile/GENERIC amd64
>
> system I get the following - just after the last rebuild of wip/tailscale:
>
> - /etc/resolv.conf does not get updated with the tailscale settings (it did this a few days ago), the tun0 interface also does not get created.
>

Hmm, mine appears to have the right stuff and I never touched that file.
How are you firing up tailscale?

> - I am able to ping any live tailnet host (without specifying 'tailscale') *except* the ip address assigned to the tun0 interface
>

Yeah, I can't ping that one either. Isn't that kind of like the loopback
address or whatever? Do we need that to work?

> - I can ping the tailnet DNS server - 100.100.100.100 - but 'dig @100.100.100.100 ' returns blank for any query
>
> This happens even after I logout from the tailnet, stop the daemon and destroy the tun0 interface.
>

Hmm, very odd. When I try dig @100.100.100.100, it appears to work and has a
similar output to the macOS version.

> So far what it lets me do is e.g. ping or ssh to a tailnet address - even by another user - but the ssh authentication does not go through the tailscale mechanism.  Also, any tailscale command is available solely to root.
>

Maybe we do things differently at my company but ssh seems to work the same
as the macOS version. I could be missing something as I'm not a tailscale
expert. Could you explain more by "ssh auth...through the tailscale mech"?

Yes, the tailscale commands are root only right now. Still working that
out...

> FWIW,
>
> Chavdar
>

