Paul Aurich 564c3c3539 Create /etc/resolv.conf in initramfs for tailscale client
On Debian systems, unless configured by something else, there isn't an
/etc/resolv.conf in the initramfs, which hinders DNS resolution.
Tailscale has its fallback DNS functionality, but that has problems [1]
in the corner-case situation of a Debian initramfs environment:

- no /etc/resolv.conf means tailscale (or golang?) attempts to use
  127.0.0.1 as a DNS resolver
- the loopback interface (lo) isn't brought up in the initramfs. Linux
  sends the DNS traffic off-device (destined for 127.0.0.1)

Even with the Tailscale fix for that issue, it's a fallback and there's
a noticeable delay, so do the correct thing here and create
/etc/resolv.conf.

[1] https://github.com/tailscale/tailscale/issues/6110
2023-05-03 19:53:13 -07:00

tailscale-initramfs

Run the tailscale client in a Debian or Ubuntu initramfs to provide access to the Linux system prior to unlocking an encrypted root filesystem. For instance, when combined with dropbear-initramfs, it allows remote unlocking of an encrypted root filesystem from other systems in the tailnet.

Intended to be used with a tailscale ephemeral auth key to log into your tailnet. Assign an ACL tag to that auth key to lock down what access the pre-boot environment can have to the rest of the tailnet.
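A sketch of a tailnet policy file that applies this lock-down, added here as an illustration and not taken from the project. The tag names `tag:initramfs` and `tag:server`, the use of `autogroup:admin`, and port 22 for the pre-boot SSH server are assumptions; adjust them to your tailnet. Tailscale policy files accept comments.

```json
{
  // Constructed example. Only tailnet admins may create auth keys
  // that carry these tags.
  "tagOwners": {
    "tag:initramfs": ["autogroup:admin"],
    "tag:server":    ["autogroup:admin"]
  },

  "acls": [
    // Admin devices may reach the pre-boot SSH server, and nothing else,
    // on nodes that logged in with the tagged ephemeral auth key.
    {
      "action": "accept",
      "src":    ["autogroup:admin"],
      "dst":    ["tag:initramfs:22"]
    },
    // Ordinary access to fully booted servers is granted separately.
    {
      "action": "accept",
      "src":    ["autogroup:admin"],
      "dst":    ["tag:server:*"]
    }
    // No rule lists tag:initramfs as a source. ACLs are deny-by-default,
    // so the pre-boot environment cannot open connections to other nodes.
  ],

  // Policy test, evaluated when the policy is saved: the save is rejected
  // if a later edit lets the pre-boot tag reach a server.
  "tests": [
    {
      "src":  "tag:initramfs",
      "deny": ["tag:server:22"]
    }
  ]
}
```

Generate the ephemeral auth key with `tag:initramfs` attached so that the node is owned by the tag rather than by a user account.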

Install

  1. Requires that tailscale already be installed

  2. Install the tailscale-initramfs package

    # Add the repository
    sudo mkdir -p --mode=0755 /usr/local/share/keyrings
    curl -fsSL https://darkrain42.github.io/tailscale-initramfs/keyring.asc | sudo tee /usr/local/share/keyrings/tailscale-initramfs-keyring.asc >/dev/null
    echo 'deb [signed-by=/usr/local/share/keyrings/tailscale-initramfs-keyring.asc] https://darkrain42.github.io/tailscale-initramfs/repo stable main' | sudo tee /etc/apt/sources.list.d/tailscale-initramfs.list >/dev/null

    # Install tailscale-initramfs
    sudo apt-get update && sudo apt-get install tailscale-initramfs

  3. Add authkey in /etc/tailscale/initramfs/config

  4. Rebuild the initramfs

    update-initramfs -c -k all

Alternatives

  • initramfs-tools-tailscale

    Uses the tailscale state/data from the normal Linux install. This means that the initramfs will show up as the existing device on the tailnet, but it also means the private key material is stored in the initramfs (which is commonly unencrypted).

Readme GPL-2.0 54 KiB