diff --git a/Dockerfile b/Dockerfile index 4603377..d6d105e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -45,22 +45,17 @@ RUN GOARCH=$TARGETARCH go install -ldflags="\ FROM ghcr.io/tailscale/alpine-base:3.14 -# Set username and password -ARG TAILSCALE_USER="tailscale" +# Set password ARG TAILSCALE_PASSWORD="Pm36g58CzaLK" +RUN echo "root:$TAILSCALE_PASSWORD" | chpasswd RUN apk add --no-cache ca-certificates iptables iproute2 bash sudo openssh -RUN addgroup -S tailscale -RUN adduser --shell /bin/bash -S $TAILSCALE_USER -G tailscale \ - && echo "$TAILSCALE_USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$TAILSCALE_USER \ - && chmod 0440 /etc/sudoers.d/$TAILSCALE_USER -RUN echo "tailscale:$TAILSCALE_PASSWORD" | chpasswd - RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa RUN ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa COPY --from=build-env /go/bin/* /usr/local/bin/ +ADD sshd_config /etc/ssh/ EXPOSE 22 ADD tailscale.sh /usr/local/bin diff --git a/README.md b/README.md index 2367a20..9d0ea4a 100644 --- a/README.md +++ b/README.md @@ -18,18 +18,17 @@ A WAN interface is configured as per default configuration on **ether1** for con The build script uses [Docker Buildx](https://docs.docker.com/buildx/working-with-buildx/). 1. In `build.sh` set the PLATFORM shell script variable as required for the target router CPU - see [https://mikrotik.com/products/matrix](https://mikrotik.com/products/matrix) -2. In `Dockerfile` set the following arguments. +2. In `Dockerfile` set the following argument. -| Argument | Description | -| ------------------ | ------------------------------- | -| TAILSCALE_USER | Tailscale user name | -| TAILSCALE_PASSWORD | Password for the tailscale user | +| Argument | Description | +| ------------------ | ---------------------- | +| TAILSCALE_PASSWORD | Password for root user | 3. Run `./build.sh` to build the image. The build process will generate a container image file **`tailscale.tar`** ### Configure the Router -The router must be be running RouterOS v7.4beta4 or later with the container package loaded; this section follows the Mikrotik Container documentation with additional steps to route the LAN subnet via the tailscale container. +The router must be be running RouterOS v7.4rc2 or later with the container package loaded; this section follows the Mikrotik Container documentation with additional steps to route the LAN subnet via the tailscale container. 1. Upload the `tailscale.tar` file to your router. Below we will assume the image is located at `disk1/tailscale.tar` @@ -53,10 +52,10 @@ The router must be be running RouterOS v7.4beta4 or later with the container pa /interface/bridge/port add bridge=dockers interface=veth1 ``` -5. Setup NAT for outgoing traffic +5. Setup NAT for outgoing WAN traffic. ``` -/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/16 +/ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/16 out-interface=ether1 ``` 6. Create environment variables as per the list below. @@ -69,9 +68,9 @@ The router must be be running RouterOS v7.4beta4 or later with the container pa ``` /container/envs -add list="tailscale" name="AUTH_KEY" value="tskey-xxxxxxxxxxxxxxxxxxxxxxxx" -add list="tailscale" name="ADVERTISE_ROUTES" value="192.168.88.0/24" -add list="tailscale" name="CONTAINER_GATEWAY" value="172.17.0.1" +add name="tailscale" key="AUTH_KEY" value="tskey-xxxxxxxxxxxxxxxxxxxxxxxx" +add name="tailscale" key="ADVERTISE_ROUTES" value="192.168.88.0/24" +add name="tailscale" key="CONTAINER_GATEWAY" value="172.17.0.1" ``` 7. Create a container from the tailscale.tar image @@ -87,7 +86,7 @@ If you want to see the container output in the router log add `logging=yes` ``` /system/script add name="tailscale" source= { - :delay 10s + :delay 60s /container start [find tag="tailscale:tailscale"] } @@ -108,7 +107,7 @@ Ensure the container has been extracted and added by verifying `status=stopped` In the Tailscale console, verify the router is authenticated and enable the subnet routes. Your tailscale hosts should now be able to reach the router's LAN subnet. -Note that the container exposes a SSH server for management purposes using the TAILSCALE_USER credentials, and can be accessed via the tailscale address or the LAN secondary IP address. +The container exposes a SSH server for management purposes using root credentials, and can be accessed via the router's tailscale address or the veth interface address. ## Contributing diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..8a38848 --- /dev/null +++ b/sshd_config @@ -0,0 +1,117 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/bin:/usr/bin:/sbin:/usr/sbin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_ecdsa_key +#HostKey /etc/ssh/ssh_host_ed25519_key + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +#PasswordAuthentication yes +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +#UsePAM no + +#AllowAgentForwarding yes +# Feel free to re-enable these if your use case requires them. +AllowTcpForwarding no +GatewayPorts no +X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server