Installing Tailscale on immutable Linux distros

Matthew Scharley — Mon, 18 Nov 2024 00:08:47 +0000

Recently I've been testing OpenSUSE Kalpa, one of the recent batch of immutable operating systems. One of the first things I wanted to setup was Tailscale so that the laptop could connect back into my home network. For anyone unfamiliar, Tailscale is a really cool product for doing mesh VPNs.

The following instructions should work on any system with distrobox available, but it's especially useful for Kalpa and other immutable operating systems.

There's no official instructions for getting things going with distrobox, but thankfully it takes basically no extra effort.

Installing Tailscale

First, you need to create a new root distrobox with init system support:

sudo mkdir /var/run/tailscale
distrobox create --root --name tailscale --image registry.opensuse.org/opensuse/tumbleweed:latest --volume /var/run/tailscale:/var/run/tailscale:rw --image registry.opensuse.org/opensuse/tumbleweed:latest --init --additional-packages "systemd"
distrobox enter --root tailscale

Since this is a root distrobox, you'll be asked for a password for access to the distrobox. Once you're fully inside the distrobox, follow the normal installation instructions.

sudo rpm --import https://pkgs.tailscale.com/stable/opensuse/tumbleweed/repo.gpg
sudo zypper ar -g -r https://pkgs.tailscale.com/stable/opensuse/tumbleweed/tailscale.repo
sudo zypper ref
sudo zypper in tailscale
sudo systemctl enable --now tailscaled
# Allow using tailscale without two passwords
sudo tailscale set --operator $USER
# Expose the binaries to the host system
distrobox-export --bin /bin/tailscale

Now you can drop back out of the distrobox container and use tailscale as normal, eg. tailscale up to login and get setup.

Start on boot

This setup will not start on boot, but will start when the distrobox starts. If you want it to start automatically on boot then you can start distrobox at login using a systemd service.

First, create a small shell script which will start the container. I use /root/bin/start-tailscale.sh for this.

#!/usr/bin/env bash

# Precreate the volume that distrobox expects
mkdir -p /run/tailscale
# Start the container manually
podman start tailscale

Make sure to set this as executable with chmod a+x /root/bin/start-tailscale.sh. After this, create a new systemd service file in /etc/systemd/system/tailscale.service:

[Unit]
Description=Tailscale VPN
After=network.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/root/bin/start-tailscale.sh

[Install]
WantedBy=multi-user.target

Once this file is created, you can use the following commands to test the new service:

# Tell systemd to load the new service file
systemd daemon-reload
# Do a test start
systemd start tailscale
# Enable on next boot
systemd enable tailscale

Caveats

`sudo tailscale`

Anywhere you see sudo tailscale in the documentation, you can just use tailscale instead. Distrobox will install the binary stub into your local user account and deal with sudo for you. If you try to use sudo yourself, then it's likely that it won't be able to find the tailscale stub since it's installed into your home folder and won't be on the sudo $PATH.

The client socket

The setup above will map the client socket to the host machine correctly, but in my testing unless you also setup the on-boot startup then flatpaks will not be able to access the socket correctly. I haven't managed to fully identify why this happens, but it's working for me properly now. Without the systemd service, Trayscale would simply time out while trying to connect to the unix socket.

MagicDNS

I haven't fully tested MagicDNS yet, but I suspect it doesn't work properly with this setup as tailscale status will complain about not being able to manage resolve.conf.

DEV Community: Matthew Scharley