FR: Windows (Host) Tailscale Daemon; Listen on IP of WSL2 VM virtual network

[dhermes]

What are you trying to do?

Access the Windows (Host) Tailscale Daemon from within WSL2

How should we solve this?

At a high-level there are 3 discrete things you could do to make this work:

• (1) Listen on the "vEthernet (WSL)" IP when running the Windows (Host) Tailscale Daemon; e.g. 172.27.64.1:41112. (Right now the daemon only binds to localhost:41112.)
• (2) Auto-detect WSL2 environments in tailscale subcommands and then point at the host address (e.g. 172.27.64.1:41112) instead of the /var/run/tailscale/tailscaled.sock UDS
• (3) Add the minimal required firewall rule to allow "remote" TCP traffic into the port exposed on the "vEthernet (WSL)" IP; can / should lock it down to the WSL2 subnet, e.g. 172.27.64.0/20. This is only necessary due to (1).

---

Some snippets for autodetecting "I'm in WSL2 Linux" in tailscale subcommands

func isWSL() (bool, error) {
	if runtime.GOOS != "linux" {
		return false, nil
	}

	utsname := syscall.Utsname{}
	err := syscall.Uname(&utsname)
	if err != nil {
		return false, err
	}

	release := toString(utsname.Release[:])
	fmt.Printf("release = %q\n", release)
	return strings.HasSuffix(release, "-microsoft-standard-WSL2"), nil
}

func toString(s []int8) string {
	b := make([]byte, 0, len(s))
	for _, c := range s {
		if c == 0 {
			break
		}
		b = append(b, byte(c))
	}
	return string(b)
}

This code won't actually compile with GOOS=windows or GOOS=darwin so you need some build tags to safely implement isWSL(). I'm also not sure if strings.HasSuffix(release, "-microsoft-standard-WSL2") is comprehensive enough.

I realize this may cause some refactoring to allow tailscale --socket to support a TCP socket on Linux in addition to a UDS. You could work around it by running a UDS as a proxy for the host address (e.g. 172.27.64.1:41112), but without systemd in WSL2 this is probably more trouble than it's worth. (I am out of my depth here though, I'm not sure what the full set of options are.)

---

Some snippets for getting "vEthernet (WSL)" info:

PS C:\Users\dhermes> ipconfig

Windows IP Configuration


Unknown adapter Tailscale:

   Connection-specific DNS Suffix  . : dhermes.github.beta.tailscale.net
   IPv6 Address. . . . . . . . . . . : fd7a:115c:a1e0:ab12:4843:cd96:6270:f073
   Link-local IPv6 Address . . . . . : fe80::99d0:ec2d:b2e7:536b%7
   IPv4 Address. . . . . . . . . . . : 100.112.240.115
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::ed6d:71c5:2607:3ce6%22
   IPv4 Address. . . . . . . . . . . : 172.27.64.1
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :

Wireless LAN adapter Local Area Connection* 1:
...

The following Go code will just spit out 172.27.64.1:

func getIPv4ForInterface(name string) (*net.IP, error) {
	interface_, err := net.InterfaceByName(name)
	if err != nil {
		return nil, err
	}

	addrs, err := interface_.Addrs()
	if err != nil {
		return nil, err
	}

	found := []*net.IP{}
	for _, addr := range addrs {
		maskedIP, ok := addr.(*net.IPNet)
		if !ok {
			continue
		}
		if maskedIP.IP.To4() == nil {
			continue
		}
		found = append(found, &maskedIP.IP)
	}

	if len(found) == 1 {
		return found[0], nil
	}

	return nil, fmt.Errorf("expected exactly one match, got %d", len(found))
}

func getIPv4ForWSL() (*net.IP, error) {
	return getIPv4ForInterface("vEthernet (WSL)")
}

What is the impact of not solving this?

I am manually running a 172.27.64.1:41113 -> localhost:41112 proxy on the Windows host and a /var/run/tailscale/tailscaled.sock -> 172.27.64.1:41113 proxy on WSL2 Linux.

See: https://github.com/dhermes/tailscale-wsl2

Anything else?

No response

[bradfitz]

There's precedent for (2). On macOS we have 5 different strategies for connecting to the Tailscale daemon:

• unsandboxed tailscale binary to unsandboxed tailscaled (classic Unix/Linux way)
• unsandboxed tailscale binary to sandboxed Network Extension
• unsandboxed tailscale binary to sandboxed System Extension
• sandboxed (GUI/App Store) tailscale binary to sandboxed Network Extension
• sandboxed (GUI/macsys) tailscale binary to sandboxed System Extension

(@josharian was just horrified to learn about that matrix)

So we could probably make the WSL tailscale CLI tool as a fallback connect to the Windows host.

But maybe it should be opt-in. A number of people run two Tailscale daemons on Windows, as I understood it: one in Windows and one in WSL. (Is that true, @crawshaw, @apenwarr?)

[DentonGentry]

A number of people run two Tailscale daemons on Windows, as I understood it: one in Windows and one in WSL.

A number of users have followed Scott Hanselman's instructions on how to install tailscaled within WSL2: https://www.hanselman.com/blog/using-tailscale-on-windows-to-network-more-easily-with-wsl2-and-visual-studio-code

[crawshaw]

FWIW I believe the tailscale.exe binary, if executed from inside WSL2, will find the windows host service. Mine does, and I don't believe I've done anything exotic to it.

Exporting the socket to WSL and teaching the linux tailscale binary to detect it and use it if no local default state file exists seems fine.

[dhermes]

@DentonGentry Yes that's certainly do-able, and it's even possible to cobble together something that acts like a systemd unit (Scott alludes to this in his post:"there are ways run commands on startup in the Windows Subsystem for Linux"). However, there are lots of reasons for running the (very fancy and polished) Tailscale Windows app.

---

@crawshaw TIL! Thanks for the pointer:

$ sudo ls -alFG /var/run/tailscale/
total 0
drwxr-xr-x 2 root  40 Dec  7 18:12 ./
drwxr-xr-x 8 root 220 Dec  4 13:07 ../
$
$ sudo ls -alFG /var/run/tailscale/tailscaled.sock
ls: cannot access '/var/run/tailscale/tailscaled.sock': No such file or directory
$
$ tailscale ip -4
Failed to connect to local Tailscale daemon for /localapi/v0/status; not running? Error: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory
$
$ /mnt/c/Program\ Files\ \(x86\)/Tailscale\ IPN/tailscale.exe ip -4
100.112.240.115

where the tailscale on my ${PATH} is

$ dpkg-query -S $(/usr/bin/which tailscale)
tailscale: /usr/bin/tailscale
$ dpkg -s tailscale
Package: tailscale
Status: install ok installed
Priority: extra
Section: net
Installed-Size: 30739
Maintainer: Tailscale Inc <info@tailscale.com>
Architecture: amd64
Version: 1.18.0
Replaces: tailscale-relay
Depends: iptables, iproute2
Conflicts: tailscale-relay
Conffiles:
 /etc/default/tailscaled 540a659ece227eb3035d1ee3ba1ec902
Description: The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO
Homepage: https://www.tailscale.com

---

@bradfitz RE:

A number of people run two Tailscale daemons on Windows, as I understood it: one in Windows and one in WSL

Any idea why they do this? Is it because of this host-VM barrier issue I am describing here, or for other reasons?

But maybe it should be opt-in.

Yeah I'd be OK with that. Starts to tickle spidey sense around having a ~/.tailscaleconfig file where I could opt-in in a persistent way (vs. e.g. have to make a shell alias that always tacks on an extra flag).

UPDATE: Going in the realm of shell aliases, given @crawshaw's comment, the simplest one that makes sense is alias tailscale="/mnt/c/Program\ Files\ \(x86\)/Tailscale\ IPN/tailscale.exe".

[dhermes]

It's also worth noting that I ended up going down this line of inquiry because I noticed the Windows Tailscale app makes modifications to /etc/resolv.conf in the WSL2 VM to support magic DNS:

-rw-r--r-- 1 root 177 Dec  7 09:20 /etc/resolv.conf
-rw-r--r-- 1 root 197 Dec  5 21:28 /etc/resolv.pre-tailscale-backup.conf

and even undoes this magic when Tailscale is disconnected. (Via e.g. https://github.com/tailscale/tailscale/blob/v1.18.1/net/dns/wsl_windows.go#L95.)

[dhermes]

Also, this whole discussion is relevant to using applications built on top of https://pkg.go.dev/tailscale.com@v1.18.1/client/tailscale inside of WSL2.

Since TailscaledDialer is a var it is possible for applications to detect they are running in WSL2 and then escalate to the Windows host as need be. However the "invoke "/mnt/c/Program Files (x86)/Tailscale IPN/tailscale.exe" trick won't really work there and there is no actual port to dial since host localhost:41112 isn't reachable from WSL2.

---

UPDATE: I didn't grok the "magic" of running /mnt/c/Program Files (x86)/Tailscale IPN/tailscale.exe but the TL;DR is that the WSL2 sandbox is only a sandbox if you're running Linux / ELF binaries. I can "break out" of the sandbox by just cross-compiling with GOOS=windows:

$ GOOS=linux go run ./plain-http/main.go
Get "http://localhost:41112/localapi/v0/prefs": dial tcp 127.0.0.1:41112: connect: connection refused
exit status 1
$
$ GOOS=windows go run ./plain-http/main.go
{
        "ControlURL": "https://controlplane.tailscale.com",
        "RouteAll": true,
        "AllowSingleHosts": true,
        "ExitNodeID": "",
        "ExitNodeIP": "",
        "ExitNodeAllowLANAccess": false,
        "CorpDNS": true,
        "WantRunning": true,
        "LoggedOut": false,
        "ShieldsUp": false,
        "AdvertiseTags": null,
        "Hostname": "",
        "NotepadURLs": false,
        "AdvertiseRoutes": null,
        "NoSNAT": false,
        "NetfilterMode": 2,
        "Config": {
                "PrivateMachineKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
                "PrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
                "OldPrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
                "Provider": "github",
                "LoginName": "dhermes"
        }
}

./plain-http/main.go source

package main

import (
        "fmt"
        "io"
        "net/http"
        "os"
)

func run() error {
        resp, err := http.Get("http://localhost:41112/localapi/v0/prefs")
        if err != nil {
                return err
        }
        defer resp.Body.Close()
        if resp.StatusCode != http.StatusOK {
                return fmt.Errorf("non-200 status: %d", resp.StatusCode)
        }

        body, err := io.ReadAll(resp.Body)
        if err != nil {
                return err
        }
        fmt.Print(string(body))
        return nil
}

func main() {
        err := run()
        if err != nil {
                fmt.Fprintf(os.Stderr, "%v\n", err)
                os.Exit(1)
        }
}

$ GOOS=linux go run ./tailscale-client/main.go
Failed to connect to local Tailscale daemon for /localapi/v0/prefs; not running? Error: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory
exit status 1
$
$ GOOS=windows go run ./tailscale-client/main.go
{
    "ControlURL": "https://controlplane.tailscale.com",
    "RouteAll": true,
    "AllowSingleHosts": true,
    "ExitNodeID": "",
    "ExitNodeIP": "",
    "ExitNodeAllowLANAccess": false,
    "CorpDNS": true,
    "WantRunning": true,
    "LoggedOut": false,
    "ShieldsUp": false,
    "AdvertiseTags": null,
    "Hostname": "",
    "NotepadURLs": false,
    "AdvertiseRoutes": null,
    "NoSNAT": false,
    "NetfilterMode": 2,
    "Config": {
        "PrivateMachineKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
        "PrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
        "OldPrivateNodeKey": "privkey:0000000000000000000000000000000000000000000000000000000000000000",
        "Provider": "github",
        "LoginName": "dhermes"
    }
}

./tailscale-client/main.go source

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"tailscale.com/client/tailscale"
)

func run() error {
	ctx := context.Background()
	prefs, err := tailscale.GetPrefs(ctx)
	if err != nil {
		return err
	}
	asJSON, err := json.MarshalIndent(prefs, "", "    ")
	if err != nil {
		return err
	}
	fmt.Println(string(asJSON))
	return nil
}

func main() {
	err := run()
	if err != nil {
		fmt.Fprintf(os.Stderr, "%v\n", err)
		os.Exit(1)
	}
}

[byF]

@dhermes I run the two daemons in Win&WSL2; I wasn't able to make it work with just the one installed in Windows. It's inconvenient as I have to always run tailscaled manually (because of systemd/Ubuntu 21.04/WSL2 issue). I set it up pre 1.18, so maybe it's not necessary anymore?

[dhermes]

I wasn't able to make it work with just the one installed in Windows

What was the problem @byF? Since posting this I just apt purge tailscale and did

cp \
  /mnt/c/Program\ Files\ \(x86\)/Tailscale\ IPN/tailscale.exe \
  /usr/local/bin/tailscale