pkgsrc-Users archive


Re: Progress on tailscale on NetBSD (plus $ available)



> On Wednesday, 22 April 2026 at 3:16 AM, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
>
> > > On Mon, 20 Apr 2026 at 19:54, Kevin Bloom <ktnb%netbsd.org@localhost> wrote:
> > > >
> > > > > From: Kevin Bloom <ktnb%netbsd.org@localhost>
> > > > >
> > > > > > Following up on my previous message
> > > > > >
> > > > > > Using pkgsrc/wip/tailscale (many thanks to ktnb for maintaining that!)
> > > > > > I seem to be able to get a pretty reliable full (not needing the -tun
> > > > > > userspace-networking workaround) tailscale client on NetBSD-11_RC3 by:
> > > > >
> > > > > My apologies for not getting the NetBSD support for wip/tailscale
> > > > > better. That's partly why I keep it in wip and not merged in -current.
> > > > > I use tailscale for work but I only use macOS and Linux (both with
> > > > > pkgsrc) so I mostly keep it up-to-date for those systems.
> > >
> > > Not at all - thanks for all the work maintaining it - it provided a
> > > ready platform for me to try poking at :)
> > >
> > > > [...]
> > > >
> > > > Okay, I'm not 100% sure I have it good enough to consider this "fixed"
> > > > but I think I do have it working.
> > > >
> > > > https://mail-index.netbsd.org/pkgsrc-wip-changes/2026/04/20/msg036257.html
> > > >
> > > > Once installed:
> > > > # tailscaled
> > > > $ tailscale login
> > > > ...
> > > > # tailscale up --accept-routes
> > > > Done.
> > > >
> > > > ifconfig(8) shows the tun0 with status active as well. So I'm guessing
> > > > it's working.
> > > >
> > > > I can ping everyone on the tailnet. No need to do anything with the ip.
> > > > Let me know if it works for y'all.
> > >
> > > (Great - leaps in enthusiastically and finds things to trip over :)
> > >
> > > I've taken the last three versions from pkgsrc-wip for a spin. Using
> > > the GITHUB_TAG as a reference and a snippet of the commit message they
> > > would be:
> > >
> > > acb9d410 - "update to 1.94.4"
> > > 025e1f2e  - "tun(4) support"
> > > 73f86934  - "userspace-networking"
> > >
> > > (As an aside I got myself into a terrible mess with not destroying the
> > > tun0 between switching versions to ensure a clean baseline). For each
> > > test I ensure there are no tun interfaces present and no other
> > > wireguard or similar processes, then with a pre-authed tailscale just
> > > run "service tailscaled onestart". This is on 11.0_RC3/amd64 with a
> > > single configured ethernet interface
> > >
> > > In all cases userspace-networking seems to work fine for me - my test
> > > is 'tailscale ssh <ip>' where <ip> is a Linux box on the same tailnet.
> > >
> > > Trying to test with rc.d/tailscaled updated to remove -tun
> > > userspace-networking - the two latest versions will bring up tun0 with
> > > the correct IP, and I can use 'tailscale ping', but I cannot use 'ssh
> > > <ip>' to ssh directly across the tailnet.
> > >
> > > Trying my workaround to create and assign an IP to tun0 before
> > > starting tailscaled still allows me to 'ssh <ip>' across the tailnet
> > > with acb9d410, but it no longer works for the latter two versions.
> > >
> > > I'm pretty sure I must be missing something, but I don't know what! :/
> > >
> > > Thanks
> > >
> > > David
> > >
> >
> > Okay, I just pushed up another commit that uses the original code but
> > keeps the new logic. I've tested it and I have been successful with
> > both tun0 and userspace-networking. I didn't have to destroy the tun0
> > device for this one to work but the commit before this I had to kill
> > it before trying. (Interestingly enough, the previous commit stopped
> > working for me once you said that it didn't work for you...)
> >
> > Let me know how it goes!
> >
> > Note: I didn't use the rc script just the raw command:
> >   tailscaled [-tun=userspace-networking]
> >
> > Just had to login, up --accept-routes, and I was good. I'll test it
> > again tomorrow morning since apparently when the sun comes up it
> > stopped working before!
> >
>
> On my
>
> uname -a
> NetBSD ym1r.lorien.lan 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Thu Mar 26 00:05:14 GMT 2026  root%ym1r.lorien.lan@localhost:/bd/sysbuild/amd64/obj/home/sysbuild/src/sys/arch/amd64/compile/GENERIC amd64
>
> system I get the following - just after the last rebuild of wip/tailscale:
>
> - /etc/resolv.conf does not get updated with the tailscale settings (it did this a few days ago), the tun0 interface also does not get created.
>
> - I am able to ping any live tailnet host (without specifying 'tailscale') *except* the ip address assigned to the tun0 interface
>
> - I can ping the tailnet DNS server - 100.100.100.100 - but 'dig @100.100.100.100 ' returns blank for any query
>
> This happens even after I logout from the tailnet, stop the daemon and destroy the tun0 interface.
>
> So far what it lets me do is e.g. ping or ssh to a tailnet address - even by another user - but the ssh authentication does not go through the tailscale mechanism.  Also, any tailscale command is available solely to root.
>
> FWIW,
>
> Chavdar
>

I've committed another update that fixes the unprivileged user issue, the
pinging of loopback issue, and the health check error (not sure if anyone
saw that one or not). Please give it a go and let me know how it works!

