FR: Support Ubiquiti gear

[loganb]

Is your feature request related to a problem? Please describe.

I have three locations (one Office, two Retail), each with about 3 subnets routed by an Ubiquiti Edgerouter. Each location has a large number of embedded devices on the network that cannot run arbitrary software. I'd like to be able to easily remotely access them without playing with firewall rules, etc.

Describe the solution you'd like

I'd like to install Tailscale on the Edgerouters and announce routes for the attached subnets. It looks like this is theoretically possible with the available binaries, but also I'm busy with real life and don't want to fiddle with stuff.

Possible solutions in order of desirability from least to most:

• Clear, concise HOWTO on how to install tailscale on an Edgerouter in a way that survives reboots and firmware updates.
• An install/configuration script of some kind
• Integration with Ubiquiti's/Vyatta's configuration GUI

Describe alternatives you've considered

I've considered messing around with just downloading the binaries and trying it out, but having a real life has mostly limited time and inclination to do real work on that front.

Additional context

Not sure how much you consider this as in-scope for your work. I like Tailscale because it feels like you have a gentle enough pricing path that it would be attractive for a small business like mine (I have a small office staff that's entirely non-technical) relative to other VPN options. Plus it's technically more sound.

[bradfitz]

Some keywords for searching: UniFi Dream Machine Pro (UDMP) (from dup bug #894)

[bradfitz]

Reportedly works fine on ER4:

Well I installed the mips package from here on my ER4 by hand.... https://pkgs.tailscale.com/stable/tailscale_1.2.8_mips.tgz It seems to just work. Commands below...

tar xvfz tailscale*.tgz
cd tailscale*_mips
sudo cp tailscaled.service /lib/systemd/system
sudo cp tailscaled.defaults /etc/default/tailscaled
sudo cp tailscale /usr/bin
sudo cp tailscaled /usr/sbin
sudo systemctl start tailscaled
sudo tailscale up

[elsbrock]

To my knowledge this is not permanent though and will likely be removed during system upgrade.

[lg]

thanks @bradfitz, used your post as inspiration to write a quick guide on how to get it to stick around after system upgrades: https://gist.github.com/lg/6f80593bd55ca9c9cf886da169a972c3

[gabefair]

Considering how popular MIPS processors are on routers.
I have followed tailscale's request for an email to let them know that MIPS binaries should be supported directly.

It is also worth making note of the fact that EdgeOS (The OS on Ubiquiti gear and 7.1% of global WLAN market) weakly supports adding Debian packages to the linux machine.
https://help.ui.com/hc/en-us/articles/205202560-EdgeRouter-Add-Debian-Packages-to-EdgeOS

And since Debian supports the 64bit MIPS (little-endian) Architecture this check should be included when following the Debian tailscale install guide.

---

Edit: #1085 was opened regarding providing install instructions for MIPS64 devices like Ubiquiti gear running EdgeOs.

[danderson]

We have both mips and mipsle binaries already: https://pkgs.tailscale.com/stable/#static

Do those not work? Is there a mips sub-architecture we missed?

[sailorfrag]

mips works on my USG4, although permanent installation is obviously still an issue because Ubiquiti doesn't officially support installing 3rd party software so upgrades will delete the customizations

[Alek-Zywot]

Some keywords for searching: UniFi Dream Machine Pro (UDMP) (from dup bug #894)

Ubiquiti's UDMP and UDM have ARM CPUs (Quad ARM Cortex-A57 specifically). Source. I was under the impression that because the architecture is different, a MIPS package wouldn't be compatible.

[DentonGentry]

There are ARM and ARM64 binaries as well: https://pkgs.tailscale.com/stable/#static

[MinisculeGirraffe]

For the UDMP on ARM64 there's a few issues i've seen with getting tailscale up and running.

For one, there's no in kernel wireguard support, or the TUN driver tailscale used. I was able to get around that by using the custom kernel in udm-kernel

# uname -a
Linux UDM-Pro 4.1.37-edge2 #1 SMP Sun Apr 11 20:36:10 UTC 2021 aarch64 GNU/Linux
# ls /dev/net
tun
# dmesg | grep wireguard
[  478.662191] wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.
[  478.662194] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
# ./tailscale netcheck

Report:
	* UDP: true
	* IPv4: yes, 172.11.130.230:36138
	* IPv6: no
	* MappingVariesByDestIP: false
	* HairPinning: false
	* PortMapping: 
	* Nearest DERP: Dallas
	* DERP latency:
		- dfw: 3.6ms   (Dallas)

Notably however the netcheck fails when tailscaled is running, and tailscaled logs show repeated communication failures. Running Tailscaled in usermode networking seems to resolve the connection errors in tailscaled but the netcheck still fails. I'm able to NC the endpoints from a shell so I don't think it's related to any actual network transport issues.

# ./tailscale netcheck

Report:
	* UDP: false
	* IPv4: (no addr found)
	* IPv6: no
	* MappingVariesByDestIP: 
	* HairPinning: 
	* PortMapping: 
	* Nearest DERP: unknown (no response to latency probes)

[MinisculeGirraffe]

Figured i'd follow up on my previous comment. Actually got 1.10.2 working on my UDM-Pro using in-Kernel Wireguard and a Docker container. I'll try and do a write up of all the requirements sometime tonight.

[bradfitz]

You may have in-kernel WireGuard but Tailscale doesn't use it.

[pelowj]

Figured i'd follow up on my previous comment. Actually got 1.10.2 working on my UDM-Pro using in-Kernel Wireguard and a Docker container. I'll try and do a write up of all the requirements sometime tonight.

did you ever make more progress with this?

I stumbled across https://github.com/SierraSoftworks/tailscale-udm , which allowed me to get it installed and connected with no hassle at all, but the routing doesn't seem to work.

[MinisculeGirraffe]

@pelowj

Yup. Have a repo here with my config files and on boot script.

Had the same issue with that repo. been using this config for a while now without any issue.

[pelowj]

FYI Dream Machine 1.11.0-14 Beta released today with wireguard kernel module included by default.

[gabefair]

For anyone trying to install Tailscale on Ubiquiti gear running EdgeOS, this tutorial worked for me.
https://github.com/jamesog/tailscale-edgeos

And for those who want another guide, Robert Jensen was able to get it working as a relay node.

[jamesog]

Thanks for the recommendation @gabefair :-) I've got a WIP branch on that repo that uses the package repo instead of manually moving binaries around. That process seems to work better, but I haven't had time to finish ironing out the wrinkles (esp. when migrating from the current method).

[etrepum]

For anyone using the UDM Pro SE (tested with UniFi OS UDM SE V2.2.12), it seems to be fairly straightforward:

1. SSH in as root (you may need to enable SSH first) and follow the Linux installation instructions for Debian Stretch https://tailscale.com/kb/1042/install-debian-stretch/ (check lsb_release -a if you are running a newer UniFi OS which may have a newer Debian)
2. Edit /etc/default/tailscaled to include the following setting for FLAGS:

# Extra flags you might want to pass to tailscaled.
FLAGS="--tun userspace-networking"

3. Restart tailscaled systemctl restart tailscaled
4. Login tailscale up
5. Restart sshd so that it is listening on the new interface systemctl restart sshd

[guidoiaquinti]

@etrepum do you know if it survives firmware upgrades?

[pelowj]

For anyone using the UDM Pro SE (tested with UniFi OS UDM SE V2.2.12), it seems to be fairly straightforward:
FLAGS="--tun userspace-networking"

Userspace networking (i.e. a http or SOCKS proxy) works fine but it's not really the integration people are hoping for.

-jp

[pelowj]

@etrepum do you know if it survives firmware upgrades?

Doubtful. I find myself having to install iperf everytime I do an upgrade and this would be the same.

[DentonGentry]

Likely relevant for this audience: https://tailscale.com/kb/1207/small-tailscale/

[yankeeinlondon]

Maybe I'm making a silly error but wouldn't it be better to just fire up a Linux container or VM on your network and assign it the responsibility of being a subnet router? This would allow the Unifi router to focus on the local routing and when it goes offsite you create a static route over to the subnet router instance.

This at least is what I am trying to do. I'm no pro on the networking front so feel free to disagree with the above but I'd just be personally nervous getting too involved in the Unifi stack as their releases have enough issues of their own. Now if anyone does agree with my approach ... I could use a little help as I've set it all up without any errors just following the directions but while the subnet routers on my two physical networks are able to share the subnet for client's which are running the Tailscale client (aka, the subnet router is acting as exit point) but my UDM Pro's static route is seemly ignored when sending to the local subnet router.

I believe that something like this is discussed in this thread but in double tragedy my ability to SSH into either of the Dream Machines seems to no longer possible so the configuration which is suggested won't work. I can work with the UI but right now I am unclear how to explicitly have my static route for the ip address range be sent over the tailscale0 interface on the subnet router.

I have the two WAN routes setup to the best of my ability in the UI:

#1 represents the local subnet router which I'm routing through

And then have a static route to point all requests to the subnet router:

#1 again represents the local subnet router which I'm routing through

I accept that this may be a departure from the original issue but if anyone had any reaction to this I'd be very open to it. I've written it up far greater detail here: UDM Pro site-to-site VPN with Tailscale.

[DentonGentry]

Note that generation of MIPS packages was inadvertently broken in Tailscale 1.36 and restored in 1.40.