Tailscale security vulnerability #1
Comments
This must be done by GL.iNet, the update script does not modify the startup scripts.
GL.iNet does not (and likely will not) provide stable Tailscale support, it'll probably be a century before they update Tailscale, so I thought it would be smarter to report it here. It eluded me for ages today trying to figure out why suddenly everything was broken - hopefully might save someone some time. Thanks for the updater!
I'll talk to them to adjust the tailscale integration script.
It's only relevant to the latest version, that flag isn't available in older versions. Tailscale did some server side mitigation too but it's unclear if that will have any effect on older versions, or with mixed client versions. I was also having issues after upgrading my macOS Tailscale version while the router version stayed the same. For now Tailscale are just suggesting everyone upgrade in general. The risk in particular is to Linux and site to site networking.
Guess it's just Tunnelvision mitigation - which is a risk indeed; but not as bad as people think. I will think about a way to add the parameter to the script somehow.
The parameter itself is basically disabling their clientside mitigation. Anyway whether or not it is ever actively exploited, the greater issue/frustration/risk is 24 hours of head scratching why suddenly your whole network isn't working properly :) So I think even just a warning/explainer so people stumble via Google to a solution sooner rather than later, is all the help anyone will need! Upgrading might randomly break things and the solution (until now) was a little buried.
So should it be enabled or disabled by default? Sorry, don't use Tailscale - team Zerotier 😄
For things to work as they used to, site-to-site stuff, in combination with an exit node (they support Mullvad natively) or acting as an exit node... it needs to be set. Without it things won't work. A warning or pointer to this fact, for 1.66 and up, is enough. Failing that hopefully this issue indexed on google will provide a solution. :)
I already found myself googling back to this solution now, as my router rebooted overnight and lost the To run this on startup, is it best to use
I would assume you need to modify
A fix was integrated to modify the
I got a confirmation that it works now.
With the latest version of Tailscale, you might need to add --stateful-filtering=false - especially if you are using an exit node. See the release notes for v1.66.0: https://github.com/tailscale/tailscale/releases
I don't have an account to post to the forum.
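
A version gate for the flag discussed in this thread, as an added example that is not part of the issue or the updater project's code: it appends `--stateful-filtering=false` only for Tailscale 1.66 and newer, since the thread notes that older versions do not have the flag. The function names, the sample version strings and the `--accept-routes` argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example: only pass --stateful-filtering=false to versions that know it.
# Function names and the version strings below are constructed, not from the page.

# Return 0 if the given Tailscale version string is 1.66 or newer.
# Accepts forms such as "1.66.0", "v1.66.4" or "1.66.4-t1a2b3c4d".
supports_stateful_filtering() {
    ver=${1#v}                 # drop an optional leading "v"
    major=${ver%%.*}           # text before the first dot
    rest=${ver#*.}
    minor=${rest%%.*}          # text between the first and second dot
    minor=${minor%%[!0-9]*}    # strip any non-numeric suffix
    case "$major" in ''|*[!0-9]*) return 1 ;; esac   # unparseable: assume old
    case "$minor" in '') return 1 ;; esac
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 66 ] && return 0
    return 1
}

# Print the arguments for "tailscale up": the caller's own arguments, plus
# --stateful-filtering=false when the version (first argument) supports it.
tailscale_up_args() {
    version=$1
    shift
    if supports_stateful_filtering "$version"; then
        set -- "$@" --stateful-filtering=false
    fi
    printf '%s\n' "$*"
}

# Demo on constructed version strings (no tailscale binary is called).
for v in 1.58.2 1.64.2 1.66.0 v1.68.1-t0000000; do
    printf '%-18s -> %s\n' "$v" "$(tailscale_up_args "$v" --accept-routes)"
done

# On a router the version would come from the installed client, for example:
#   tailscale up $(tailscale_up_args "$(tailscale version | head -n 1)" --accept-routes)
```

Per the comments above, the parameter turns off the client-side mitigation, so the gate only decides whether the flag can be passed, not whether it should be.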