Integrate Tailscale with SPR. It provides connectivity between Tailscale and SPR devices using SPR's Microsegmentation.
The plugin runs a container with Tailscale for routing between SPR and Tailscale peers. It provides connectivity in several ways.
- Users can now assign SPR Devices to the `tailnet` group to get access to all Tailscale peers
- Assign a Tailscale peer to a SPR Group, to give selective access from that peer to the SPR Device. It advertises a route but the firewall only allows a specific IP.
- Configure the container as an exit node for Tailscale. This allows Tailscale peers to access the SPR API as well as the internet via the container.
- This runs in a container with a custom interface bridge, 'spr-tailscale'
- The interface bridge is configured in the container firewall rules to have 'api', 'dns', and 'wan' access. By default it does not see other SPR devices.
- After configuring a Peer with a custom group, also visit the Tailscale UI to accept the peer routes.
- Under plugins, add https://github.com/spr-networks/spr-tailscale.
- After the installation has finished, navigate to the bottom of the left-hand menu and look for 'spr-tailscale'
- Generate a Tailscale auth key, and copy it into the UI presented
- All done, now configure Tailscale Peers as needed
- If you want to grant a SPR device access to all Tailscale peers, add it to the `tailnet` group.
- Go to the plugins/ folder under the SUPER directory and clone this repository

  ```bash
  cd /home/spr/super/plugins/
  git clone https://github.com/spr-networks/spr-tailscale
  cd spr-tailscale
  ```

- Generate an API token in the SPR API (under Auth), and a Tailscale auth key
- Run the install script

  ```bash
  ./install.sh
  ```

To share all Tailscale access with SPR devices, add the SPR devices to the 'tailnet' group.

To update custom groups for Tailscale peers, edit the config.json in configs/. See the TailscalePeer struct:

```go
type TailscalePeer struct {
	NodeKey  string
	IP       string
	Policies []string
	Groups   []string
	Tags     []string //unused for now
}

type Config struct {
	TailscaleAuthKey  string
	APIToken          string
	AdvertiseExitNode bool
	Peers             []TailscalePeer
}
```
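
A sanity check for a hand-edited configs/config.json, as an added example that is not part of the spr-tailscale code. It assumes the JSON keys are the bare field names of the structs above and that `IP` holds the peer's Tailscale address; the function name `AuditConfig` and the sample data are made up for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Shapes from the README; JSON keys are assumed to be the bare field names.
type TailscalePeer struct {
	NodeKey, IP            string
	Policies, Groups, Tags []string
}
type Config struct {
	TailscaleAuthKey, APIToken string
	AdvertiseExitNode          bool
	Peers                      []TailscalePeer
}

// sample is constructed for this example; node keys and addresses are made up.
const sample = `{"AdvertiseExitNode": true, "Peers": [
 {"NodeKey": "nodekey:EXAMPLE1", "IP": "100.101.102.103", "Groups": ["lan"]},
 {"NodeKey": "nodekey:EXAMPLE2", "IP": "192.168.2.50", "Groups": []},
 {"NodeKey": "nodekey:EXAMPLE3", "IP": "100.64.0.300", "Groups": ["lan"]}]}`

// AuditConfig parses a config.json body and returns one finding per issue.
func AuditConfig(raw []byte) (out []string, err error) {
	var cfg Config
	if err = json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	if cfg.AdvertiseExitNode {
		out = append(out, "exit node on: tailnet peers reach the SPR API and the internet")
	}
	cgnat := netip.MustParsePrefix("100.64.0.0/10") // Tailscale's IPv4 range
	for i, p := range cfg.Peers {
		// The firewall allows one specific IP per peer, so a typo here matters.
		if addr, perr := netip.ParseAddr(p.IP); perr != nil {
			out = append(out, fmt.Sprintf("peer %d: IP %q does not parse", i, p.IP))
		} else if addr.Is4() && !cgnat.Contains(addr) {
			out = append(out, fmt.Sprintf("peer %d: %s is not a Tailscale IPv4 address", i, addr))
		}
		if len(p.Groups) == 0 && len(p.Policies) == 0 {
			out = append(out, fmt.Sprintf("peer %d: no Groups or Policies set", i))
		}
	}
	return out, nil
}

func main() { fmt.Println(AuditConfig([]byte(sample))) }
```
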