Tailscale on GAiA

Bob_Zimmerman · ‎2022-12-13

This is not supported by Check Point in any way. If you try this and it blows up your firewall or management server, restore to a backup which you surely took before running commands some random person you don't know posted.

Tailscale is a sort of "zero-trust" mesh VPN system. At a technical level, it handles key distribution for peer-to-peer Wireguard VPN tunnels which can go through relays operated by Tailscale the company. As long as the endpoints have Internet access, they can establish a VPN with each other and talk through it (subject to rules which you set up in Tailscale). I like a lot of the core decisions they have made in how the product works.

I recently started using it for remote access to some development systems. One of the things I'm developing involves talking via the management API to a Check Point management server, so I decided I would try to get the static build of Tailscale running there for consistency. It works pretty well, and I thought others here might be interested in how I did it.

On the GAiA system, download the latest static build from Tailscale's site. As of this post, that is 1.34.1. If you don't know the processor architecture you should use, 'uname -i' on the GAiA system will tell you. x86 and 386 are the same, and x86_64 and amd64 are the same. Copy the link for the right architecture, and run 'curl_cli -kO <link>' on the Check Point box. The '-k' to skip certificate validation is needed because GAiA doesn't include the CA which Tailscale uses (ISRG) for their website.
Unzip the package. 'tar -zxvf tailscale*' should work.
Move tailscale and tailscaled from the unzipped directory to /usr/sbin.
To authenticate the node, you have to start tailscaled, then run 'tailscale up' like so:

[Expert@DallasSA]# nohup tailscaled -tun "userspace-networking" -state=/etc/tailscaled.state 2>&1 >/tmp/tailscaled.log &
[1] 1019
nohup: ignoring input and redirecting stderr to stdout
[Expert@DallasSA]# tailscale up

To authenticate, visit:

	https://login.tailscale.com/<path>

Copy the link out, visit it in a web browser, and authenticate with the credentials you use for Tailscale. The node will be added to your tailnet. Tailscale is now running, and you can use it to remotely access your management or firewall. Sessions connecting over Tailscale will show as coming from 127.0.0.1:

[Expert@DallasSA]# who
admin    pts/2        Dec 13 22:30 (10.0.3.22)
admin    pts/3        Dec 13 23:13 (127.0.0.1)

It's annoying to have to manually start tailscaled every boot, and manually run 'tailscale up' to connect, though. To deal with that, I wrote a little init script:

#!/bin/sh
#
# tailscale	This shell script takes care of starting and stopping
#		tailscaled.
#
# chkconfig: 3 99 74
# description: tailscale starts the tailscaled service for remote access
# and administration.

# Source function library.
. /etc/init.d/functions

[ -x /usr/sbin/tailscaled ] || exit 0
[ -x /usr/sbin/tailscale ] || exit 0

RETVAL=0
prog="tailscaled"

start() {
	echo -n $"Starting $prog:"
	nohup $prog -tun "userspace-networking" -state=/etc/tailscaled.state >/tmp/tailscale.log 2>&1 &
	tailscale up && success || failure
	echo
}

stop() {
	echo -n $"Stopping $prog:"
	tailscale down
	killproc $prog -TERM
	echo
}

enableAutostart() {
	echo -n $"Setting $prog to start at boot:"
	ln -s /etc/rc.d/init.d/tailscale /etc/rc.d/rc3.d/S99ztailscale \
	&& success || failure
	echo
}

disableAutostart() {
	echo -n $"Removing $prog from bootup sequence:"
	rm /etc/rc.d/rc3.d/S99ztailscale \
	&& success || failure
	echo
}

# See how we were called.
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	restart|reload)
		stop
		start
		;;
	enable)
		enableAutostart
		start
		;;
	disable)
		stop
		disableAutostart
		;;
	*)
		echo $"Usage: $0 {start|stop|restart|enable|disable}"
		exit 1
esac
exit $RETVAL

Put it in /etc/rc.d/init.d/tailscale, run 'chmod 755 /etc/rc.d/init.d/tailscale' to let the script run, and you can control it like any other service using 'service tailscale':

[Expert@DallasSA]# service tailscale enable
Setting tailscaled to start at boot:                       [  OK  ]
Starting tailscaled:                                       [  OK  ]
[Expert@DallasSA]# service tailscale stop  
Stopping tailscaled:                                       [  OK  ]
[Expert@DallasSA]# service tailscale start
Starting tailscaled:                                       [  OK  ]

If you 'enable' the service, it will start when the system boots, so you get access about when sshd starts up.

the_rock · ‎2022-12-13

Wow, amazing job @Bob_Zimmerman ! I will test it in my lab and report back.

Best,
Andy

_Val_ · ‎2022-12-14

I have to make a very important note.

It is not just the tailscale package that is not supported by Check Point. Installing a not supported not authorized third-party package to a Check Point system renders that system not supported too.

Bob_Zimmerman · ‎2022-12-14

Fortunately, it's trivial to remove Tailscale from a system thanks to the statically linked binaries.

service tailscale disable
rm /usr/sbin/tailscale
rm /usr/sbin/tailscaled
rm /etc/rc.d/init.d/tailscale

And with that, it's totally gone, as if it had never been used at all. It doesn't touch any libraries. Since it has an entire userspace network stack in tailscaled, it also doesn't make any modifications to the system's routes, interfaces, or anything else.

Danny · ‎2022-12-14

Hmm, Tailscale brings additional weaknesses as documented here to any system it is installed on. Also it requires to be modified as documented here to prevent it from local logging in order to hide it from Check Point.

Anyhow, Tailscale officially notes this for use on firewalls: "Your organization may have configured a firewall to protect their network from unsolicited, unnecessary, or malicious traffic. Although the workarounds below may help Tailscale to establish direct connectivity between nodes, these may also make it easier for other traffic to reach your network."

Bob_Zimmerman · ‎2022-12-14

Did you actually read their security bulletins?

TS-2022-005 allows a website to extract some environment variables from the client. GAiA doesn't have a web browser, so not an issue.
TS-2022-004 affects only the Windows client, and involves a web browser, so not an issue for two reasons.
TS-2022-003 is an issue authenticating to the control server. Not an issue on the endpoints.
TS-2022-002 is an issue setting up an account on the control server. Not an issue on the endpoints.
TS-2022-001 is an issue setting up an account on the control server. Not an issue on the endpoints.

Yes, anything which involves network connectivity can potentially introduce vulnerabilities. Tailscale's track record so far on the endpoint software is about on par with OpenSSH's which is enabled by default on every UNIX and Linux distribution I've dealt with in a very long time. tailscaled itself doesn't accept incoming connections, it only makes outgoing ones, so it can only really be exploited by other things already on the system.

As for logging, I'm not sure what you mean "in order to hide it from Check Point". The init script as written above logs to /tmp/tailscale.log. Yes, it logs to their central logging as well by default, but it's easy enough to add '--no-logs-no-support' to all the tailscaled invocations. That's beyond the scope of this post.

If you want zero involvement of Tailscale the company, you can always build tailscale and tailscaled from source, run your own headscale instance, and use that. Even does away with the control server issues above, since there's no more external identity management. That's also beyond the scope of this post.

PhoneBoy · ‎2022-12-14

Curious why would you install it on a Check Point gateway/management and not something else?

the_rock · ‎2022-12-14

Tested it on brand new R81.20, not bad. Mind you, my outputs are bit different, as I used my personal gmail account when I copied the link to authenticate, I assume thats why.

Best,
Andy

Are you a member of CheckMates?

Tailscale on GAiA