This is not supported by Check Point in any way. If you try this and it blows up your firewall or management server, restore to a backup which you surely took before running commands some random person you don't know posted.
Tailscale is a sort of "zero-trust" mesh VPN system. At a technical level, it handles key distribution for peer-to-peer WireGuard VPN tunnels which can go through relays operated by Tailscale the company. As long as the endpoints have Internet access, they can establish a VPN with each other and talk through it (subject to rules which you set up in Tailscale). I like a lot of the core decisions they have made in how the product works.
I recently started using it for remote access to some development systems. One of the things I'm developing involves talking via the management API to a Check Point management server, so I decided I would try to get the static build of Tailscale running there for consistency. It works pretty well, and I thought others here might be interested in how I did it.
[Expert@DallasSA]# nohup tailscaled -tun "userspace-networking" -state=/etc/tailscaled.state 2>&1 >/tmp/tailscaled.log &
[1] 1019
nohup: ignoring input and redirecting stderr to stdout
[Expert@DallasSA]# tailscale up
To authenticate, visit:
https://login.tailscale.com/<path>
Copy the link out, visit it in a web browser, and authenticate with the credentials you use for Tailscale. The node will be added to your tailnet. Tailscale is now running, and you can use it to remotely access your management or firewall. Sessions connecting over Tailscale will show as coming from 127.0.0.1:
[Expert@DallasSA]# who
admin pts/2 Dec 13 22:30 (10.0.3.22)
admin pts/3 Dec 13 23:13 (127.0.0.1)
It's annoying to have to manually start tailscaled every boot, and manually run 'tailscale up' to connect, though. To deal with that, I wrote a little init script:
#!/bin/sh
#
# tailscale     This shell script takes care of starting and stopping
#               tailscaled.
#
# chkconfig: 3 99 74
# description: tailscale starts the tailscaled service for remote access
#              and administration.

# Source function library.
. /etc/init.d/functions

# Do nothing if the static binaries are not installed.
[ -x /usr/sbin/tailscaled ] || exit 0
[ -x /usr/sbin/tailscale ] || exit 0

RETVAL=0
prog="tailscaled"

start() {
    echo -n $"Starting $prog:"
    # Userspace networking: no TUN device is created on the host.
    nohup $prog -tun "userspace-networking" -state=/etc/tailscaled.state >/tmp/tailscale.log 2>&1 &
    tailscale up && success || failure
    RETVAL=$?   # report the result of 'tailscale up' as the exit status
    echo
}

stop() {
    echo -n $"Stopping $prog:"
    tailscale down
    killproc $prog -TERM
    RETVAL=$?
    echo
}

enableAutostart() {
    echo -n $"Setting $prog to start at boot:"
    ln -s /etc/rc.d/init.d/tailscale /etc/rc.d/rc3.d/S99ztailscale \
        && success || failure
    RETVAL=$?
    echo
}

disableAutostart() {
    echo -n $"Removing $prog from bootup sequence:"
    rm /etc/rc.d/rc3.d/S99ztailscale \
        && success || failure
    RETVAL=$?
    echo
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart|reload)
        stop
        start
        ;;
    enable)
        enableAutostart
        start
        ;;
    disable)
        stop
        disableAutostart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|enable|disable}"
        exit 1
esac

exit $RETVAL
Put it in /etc/rc.d/init.d/tailscale, run 'chmod 755 /etc/rc.d/init.d/tailscale' to let the script run, and you can control it like any other service using 'service tailscale':
[Expert@DallasSA]# service tailscale enable
Setting tailscaled to start at boot: [ OK ]
Starting tailscaled: [ OK ]
[Expert@DallasSA]# service tailscale stop
Stopping tailscaled: [ OK ]
[Expert@DallasSA]# service tailscale start
Starting tailscaled: [ OK ]
If you 'enable' the service, it will start when the system boots, so you get access about when sshd starts up.
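An added example, not part of the original post: because sessions arriving over Tailscale show up as 127.0.0.1 in `who`, this shell script lists those sessions and checks that the file passed to `-state` is a regular file readable only by its owner. The function names and the `STATE` variable are assumptions made for this example, and the sample `who` lines are constructed.

```shell
#!/bin/sh
# Added example; not from the original post.

# Print "user tty" for each `who` line (read from stdin) whose origin is
# loopback. The post shows that sessions arriving over Tailscale appear as
# 127.0.0.1, so the login record for these sessions does not name the real peer.
loopback_sessions() {
    awk '$NF == "(127.0.0.1)" || $NF == "(::1)" { print $1, $2 }'
}

# Return 0 only if $1 is a regular file (not a symlink) with no group/other
# permission bits; 1 if it fails that check; 2 if it does not exist.
# tailscaled's state file holds the node's private key.
state_file_private() {
    [ -e "$1" ] || [ -L "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c1-10)   # e.g. "-rw-------"
    case "$perms" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample in the format of the `who` output shown in the post.
sample_who() {
    cat <<'EOF'
admin pts/2 Dec 13 22:30 (10.0.3.22)
admin pts/3 Dec 13 23:13 (127.0.0.1)
admin ttyS0 Dec 13 21:02
EOF
}

echo "Loopback-origin sessions in sample:"
sample_who | loopback_sessions

# Path taken from the -state flag used in the post; override with STATE=...
STATE=${STATE:-/etc/tailscaled.state}
if state_file_private "$STATE"; then
    echo "$STATE: mode is owner-only"
else
    echo "$STATE: missing, not a regular file, or accessible by group/other"
fi
```

On a live system, pipe the real output through the function with `who | loopback_sessions`.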