topic Re: Tailscale on GAiA in General Topics

Tailscale on GAiA

Bob_Zimmerman — Tue, 13 Dec 2022 23:29:19 GMT

This is not supported by Check Point in any way. If you try this and it blows up your firewall or management server, restore to a backup which you surely took before running commands some random person you don't know posted.

Tailscale is a sort of "zero-trust" mesh VPN system. At a technical level, it handles key distribution for peer-to-peer Wireguard VPN tunnels which can go through relays operated by Tailscale the company. As long as the endpoints have Internet access, they can establish a VPN with each other and talk through it (subject to rules which you set up in Tailscale). I like a lot of the core decisions they have made in how the product works.

I recently started using it for remote access to some development systems. One of the things I'm developing involves talking via the management API to a Check Point management server, so I decided I would try to get the static build of Tailscale running there for consistency. It works pretty well, and I thought others here might be interested in how I did it.

On the GAiA system, download the latest static build from Tailscale's site. As of this post, that is 1.34.1. If you don't know the processor architecture you should use, 'uname -i' on the GAiA system will tell you. x86 and 386 are the same, and x86_64 and amd64 are the same. Copy the link for the right architecture, and run 'curl_cli -kO <link>' on the Check Point box. The '-k' to skip certificate validation is needed because GAiA doesn't include the CA which Tailscale uses (ISRG) for their website.
Unzip the package. 'tar -zxvf tailscale*' should work.
Move tailscale and tailscaled from the unzipped directory to /usr/sbin.
To authenticate the node, you have to start tailscaled, then run 'tailscale up' like so:

[Expert@DallasSA]# nohup tailscaled -tun "userspace-networking" -state=/etc/tailscaled.state 2>&1 >/tmp/tailscaled.log & [1] 1019 nohup: ignoring input and redirecting stderr to stdout [Expert@DallasSA]# tailscale up To authenticate, visit: https://login.tailscale.com/<path>

Copy the link out, visit it in a web browser, and authenticate with the credentials you use for Tailscale. The node will be added to your tailnet. Tailscale is now running, and you can use it to remotely access your management or firewall. Sessions connecting over Tailscale will show as coming from 127.0.0.1:

[Expert@DallasSA]# who admin pts/2 Dec 13 22:30 (10.0.3.22) admin pts/3 Dec 13 23:13 (127.0.0.1)

It's annoying to have to manually start tailscaled every boot, and manually run 'tailscale up' to connect, though. To deal with that, I wrote a little init script:

#!/bin/sh # # tailscale This shell script takes care of starting and stopping # tailscaled. # # chkconfig: 3 99 74 # description: tailscale starts the tailscaled service for remote access # and administration. # Source function library. . /etc/init.d/functions [ -x /usr/sbin/tailscaled ] || exit 0 [ -x /usr/sbin/tailscale ] || exit 0 RETVAL=0 prog="tailscaled" start() { echo -n $"Starting $prog:" nohup $prog -tun "userspace-networking" -state=/etc/tailscaled.state >/tmp/tailscale.log 2>&1 & tailscale up && success || failure echo } stop() { echo -n $"Stopping $prog:" tailscale down killproc $prog -TERM echo } enableAutostart() { echo -n $"Setting $prog to start at boot:" ln -s /etc/rc.d/init.d/tailscale /etc/rc.d/rc3.d/S99ztailscale \ && success || failure echo } disableAutostart() { echo -n $"Removing $prog from bootup sequence:" rm /etc/rc.d/rc3.d/S99ztailscale \ && success || failure echo } # See how we were called. case "$1" in start) start ;; stop) stop ;; restart|reload) stop start ;; enable) enableAutostart start ;; disable) stop disableAutostart ;; *) echo $"Usage: $0 {start|stop|restart|enable|disable}" exit 1 esac exit $RETVAL

Put it in /etc/rc.d/init.d/tailscale, run 'chmod 755 /etc/rc.d/init.d/tailscale' to let the script run, and you can control it like any other service using 'service tailscale':

[Expert@DallasSA]# service tailscale enable Setting tailscaled to start at boot: [ OK ] Starting tailscaled: [ OK ] [Expert@DallasSA]# service tailscale stop Stopping tailscaled: [ OK ] [Expert@DallasSA]# service tailscale start Starting tailscaled: [ OK ]

If you 'enable' the service, it will start when the system boots, so you get access about when sshd starts up.

Re: Tailscale on GAiA

the_rock — Wed, 14 Dec 2022 10:03:48 GMT

Wow, amazing job @Bob_Zimmerman ! I will test it in my lab and report back.

Re: Tailscale on GAiA

_Val_ — Wed, 14 Dec 2022 08:05:42 GMT

I have to make a very important note.

It is not just the tailscale package that is not supported by Check Point. Installing a not supported not authorized third-party package to a Check Point system renders that system not supported too.

Re: Tailscale on GAiA

Bob_Zimmerman — Wed, 14 Dec 2022 16:05:12 GMT

Fortunately, it's trivial to remove Tailscale from a system thanks to the statically linked binaries.

service tailscale disable rm /usr/sbin/tailscale rm /usr/sbin/tailscaled rm /etc/rc.d/init.d/tailscale

And with that, it's totally gone, as if it had never been used at all. It doesn't touch any libraries. Since it has an entire userspace network stack in tailscaled, it also doesn't make any modifications to the system's routes, interfaces, or anything else.

Re: Tailscale on GAiA

Danny — Wed, 14 Dec 2022 17:14:10 GMT

Hmm, Tailscale brings additional weaknesses as documented here to any system it is installed on. Also it requires to be modified as documented here to prevent it from local logging in order to hide it from Check Point.

Anyhow, Tailscale officially notes this for use on firewalls: "Your organization may have configured a firewall to protect their network from unsolicited, unnecessary, or malicious traffic. Although the workarounds below may help Tailscale to establish direct connectivity between nodes, these may also make it easier for other traffic to reach your network."

Re: Tailscale on GAiA

Bob_Zimmerman — Wed, 14 Dec 2022 17:48:43 GMT

Did you actually read their security bulletins?

TS-2022-005 allows a website to extract some environment variables from the client. GAiA doesn't have a web browser, so not an issue.
TS-2022-004 affects only the Windows client, and involves a web browser, so not an issue for two reasons.
TS-2022-003 is an issue authenticating to the control server. Not an issue on the endpoints.
TS-2022-002 is an issue setting up an account on the control server. Not an issue on the endpoints.
TS-2022-001 is an issue setting up an account on the control server. Not an issue on the endpoints.

Yes, anything which involves network connectivity can potentially introduce vulnerabilities. Tailscale's track record so far on the endpoint software is about on par with OpenSSH's which is enabled by default on every UNIX and Linux distribution I've dealt with in a very long time. tailscaled itself doesn't accept incoming connections, it only makes outgoing ones, so it can only really be exploited by other things already on the system.

As for logging, I'm not sure what you mean "in order to hide it from Check Point". The init script as written above logs to /tmp/tailscale.log. Yes, it logs to their central logging as well by default, but it's easy enough to add '--no-logs-no-support' to all the tailscaled invocations. That's beyond the scope of this post.

If you want zero involvement of Tailscale the company, you can always build tailscale and tailscaled from source, run your own headscale instance, and use that. Even does away with the control server issues above, since there's no more external identity management. That's also beyond the scope of this post.

Re: Tailscale on GAiA

PhoneBoy — Wed, 14 Dec 2022 19:37:17 GMT

Curious why would you install it on a Check Point gateway/management and not something else?

Re: Tailscale on GAiA

the_rock — Wed, 14 Dec 2022 20:43:37 GMT

Tested it on brand new R81.20, not bad. Mind you, my outputs are bit different, as I used my personal gmail account when I copied the link to authenticate, I assume thats why.

Re: Tailscale on GAiA

Bob_Zimmerman — Tue, 21 Apr 2026 18:12:30 GMT

With R82.10 shipping systemd (my beloathed), Tailscale's included systemd unit file can be used to handle the service side of things. No need to mess with the init file.

[Expert@DallasSC]# fw ver This is Check Point's software version R82.10 - Build 767 [Expert@DallasSC]# curl_cli --cacert $CPDIR/conf/ca-bundle.crt -O https://pkgs.tailscale.com/stable/tailscale_1.96.4_amd64.tgz % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 34.8M 100 34.8M 0 0 28.5M 0 0:00:01 0:00:01 --:--:-- 28.6M [Expert@DallasSC]# tar zxf tailscale_1.96.4_amd64.tgz [Expert@DallasSC]# mv tailscale_1.96.4_amd64/tailscale /usr/sbin/ [Expert@DallasSC]# mv tailscale_1.96.4_amd64/tailscaled /usr/sbin/ [Expert@DallasSC]# mv tailscale_1.96.4_amd64/systemd/tailscaled.service /etc/systemd/system/ [Expert@DallasSC]# mv tailscale_1.96.4_amd64/systemd/tailscaled.defaults /etc/default/tailscaled [Expert@DallasSC]# sed -i 's/FLAGS=""/FLAGS="-tun userspace-networking"/' /etc/default/tailscaled [Expert@DallasSC]# rm -r tailscale_1.96.4_amd64 [Expert@DallasSC]# systemctl daemon-reload;systemctl start tailscaled.service [Expert@DallasSC]# tailscale up To authenticate, visit: https://login.tailscale.com/a/<redacted> Success. [Expert@DallasSC]# tailscale status 100.###.###.### dallassc ...