Skip to content

Archlinux's mkinitcpio hook to run Tailscale daemon during early userspace (aka initramfs)

Notifications You must be signed in to change notification settings

dangra/mkinitcpio-tailscale

Repository files navigation

mkinitcpio-tailscale

Provide a mkinitcpio hook to connect to a Tailscale network at boot, from within the initramfs also known as the early userspace environment, just before handing over the control to the final rootfs.

This hook is extremely handy for remote unlocking systems with an encrypted root filesystem. Read the Archlinux Wiki on how to configure mkinitcpio to decrypt the rootfs on boot and how to add a ssh server to remotely unlock it.

Combine that with Tailscale and you get a secure VPN to access your locked server from anywhere, without having to open a firewall hole to ssh from outside your home.

Installation

Install mkinitcpio-tailscale package from AUR using your preferred helper, i.e.:

yay -S mkinitcpio-tailscale

Configure

Run setup-initcpio-tailscale and follow the instructions. It will register a tailscale node with a hostname derived from the host system, let say the host is named homeserver, the tailscale node will be registered as homeserver-initrd; that makes it easier to later identify the node in Tailscale panel.

Edit /etc/mkinitcpio.conf and add tailscale to HOOKS array.

For systemd based initramfs, the insertion order of the tailscale hook doesn't matter as long as it is after systemd hook itself.

For busybox based initramfs, it is recommended to place it after any network related hook and before any blocking hook like encrypt or encryptssh

Tailscale SSH server

The Tailscale daemon can run a builtin SSH server, if enabled, installing dropbear or tinyssh isn't required to access the node remotely.

To enable it pass --ssh option like in: setup-initcpio-tailscale --ssh

The main difference of the builtin SSH server to something like dropbear or tinyssh is that the former is only accessible over the tailnet, the node won't respond to local connections unless the client is also connected to the tailscale network. It is a good thing though.

Security Considerations

The Tailscale node key will be stored in plain text inside the initramfs. Even if the root filesystem is encrypted, remember that the initramfs isn't. Someone with physical access to the node could steal the tailscale keys and attempt to log into the tailscale network impersonating the node the keys were created for.

To minimize the attack surface, we can limit the initramfs tailscale node to only accept incoming connections by addding the following Tailscale ACL and tag clients, servers and initrd nodes accordinglly using the Tailscale Machines panel.

{
	"tagOwners": {
		"tag:initrd": ["autogroup:admin"],
		"tag:client": ["autogroup:admin"],
		"tag:server": ["autogroup:admin"],
    },

	"acls": [
		{"action": "accept", "src": ["tag:client"], "dst": ["*:*"]},
		{"action": "accept", "src": ["tag:server"], "dst": ["tag:server:*"]},
	],
}

Even if the attacker manages to get the node keys, it won't be able to escalate into your tailscale network and all other nodes will be unreacheable.

Prior work and big thanks

About

Archlinux's mkinitcpio hook to run Tailscale daemon during early userspace (aka initramfs)

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published