OpenWrt安装配置Tailscale

1. 下载软件
下载地址：https://github.com/adyanth/openwrt-tailscale-enabler/releases

wget https://github.com/adyanth/openwrt-tailscale-enabler/releases/download/v1.60.0-e428948-autoupdate/openwrt-tailscale-enabler-v1.60.0-e428948-autoupdate.tgz

1	wget https://github.com/adyanth/openwrt-tailscale-enabler/releases/download/v1.60.0-e428948-autoupdate/openwrt-tailscale-enabler-v1.60.0-e428948-autoupdate.tgz

2. 解压软件包

tar x -zvC / -f openwrt-tailscale-enabler-v1.60.0-e428948-autoupdate.tgz

1	tar x -zvC / -f openwrt-tailscale-enabler-v1.60.0-e428948-autoupdate.tgz

3. 安装依赖包

opkg update
opkg install libustream-openssl ca-bundle kmod-tun

1 2	opkg update opkg install libustream-openssl ca-bundle kmod-tun

4. 设置开机启动，验证开机启动

/etc/init.d/tailscale enable
ls /etc/rc.d/S*tailscale*

1 2	/etc/init.d/tailscale enable ls /etc/rc.d/Stailscale

5. 启动tailscale

/etc/init.d/tailscale start

1	/etc/init.d/tailscale start

6. 获取登录链接并配置路由

tailscale up

1	tailscale up

然后复制地址，在浏览器登录验证加入。

注意：查看软件包安装了哪些文件

opkg files tailscale

1	opkg files tailscale

如果没有包含一个标准的 /etc/init.d/ 启动脚本，你需要手动为 tailscaled 创建一个启动脚本。
创建 init.d 脚本文件：

vi /etc/init.d/tailscaled

1	vi /etc/init.d/tailscaled

粘贴以下脚本内容：
按 i 进入 vi 的插入模式，然后粘贴以下内容：

#!/bin/sh /etc/rc.common

USE_PROCD=1
START=95 # 启动优先级
STOP=10  # 关闭优先级

# Tailscale 将状态存储在 /var/lib/tailscale/tailscaled.state
# 确保 /var/lib/tailscale 目录存在
STATEDIR=/var/lib/tailscale
# SOCKETDIR=/var/run/tailscale # procd 会自动创建 /var/run 下的目录

start_service() {
    # 确保状态目录存在
    mkdir -p "$STATEDIR"
    # 确保socket的父目录存在 (procd通常会处理，但明确一下无妨)
    # mkdir -p "$SOCKETDIR"

    procd_open_instance
    procd_set_param command /usr/sbin/tailscaled \
        --state="${STATEDIR}/tailscaled.state" \
        --socket="/var/run/tailscale/tailscaled.sock" \
        --port=41641
    # 记录到系统日志 (syslog/logd)
    procd_set_param stdout 1
    procd_set_param stderr 1
    # 如果进程崩溃，自动重启
    procd_set_param respawn
    procd_close_instance
}

# stop_service() 和 reload_service() 由 procd 自动处理，通常不需要定义
# service_triggers() {
#    procd_add_reload_trigger "firewall"
# }

#!/bin/sh /etc/rc.common

USE_PROCD=1

START=95 # 启动优先级

STOP=10 # 关闭优先级

# Tailscale 将状态存储在 /var/lib/tailscale/tailscaled.state

# 确保 /var/lib/tailscale 目录存在

STATEDIR=/var/lib/tailscale

# SOCKETDIR=/var/run/tailscale # procd 会自动创建 /var/run 下的目录

start_service() {

# 确保状态目录存在

mkdir -p "$STATEDIR"

# 确保socket的父目录存在 (procd通常会处理，但明确一下无妨)

# mkdir -p "$SOCKETDIR"

procd_open_instance

procd_set_param command /usr/sbin/tailscaled \

--state="${STATEDIR}/tailscaled.state" \

--socket="/var/run/tailscale/tailscaled.sock" \

--port=41641

# 记录到系统日志 (syslog/logd)

procd_set_param stdout 1

procd_set_param stderr 1

# 如果进程崩溃，自动重启

procd_set_param respawn

procd_close_instance

}

# stop_service() 和 reload_service() 由 procd 自动处理，通常不需要定义

# service_triggers() {

# procd_add_reload_trigger "firewall"

# }

赋予脚本执行权限：

chmod +x /etc/init.d/tailscaled

1	chmod +x /etc/init.d/tailscaled

启用并启动服务：
现在你可以使用标准的服务命令了：

/etc/init.d/tailscaled enable  # 设置开机自启
/etc/init.d/tailscaled start   # 启动服务

1 2	/etc/init.d/tailscaled enable # 设置开机自启 /etc/init.d/tailscaled start # 启动服务

注意：
如果报错：

failed to connect to local tailscaled (which appears to be running as tailscaled, pid 20900). Got error: Failed to connect to local Tailscale daemon for /localapi/v0/status; not running? Error: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory

1	failed to connect to local tailscaled (which appears to be running as tailscaled, pid 20900). Got error: Failed to connect to local Tailscale daemon for /localapi/v0/status; not running? Error: dial unix /var/run/tailscale/tailscaled.sock: connect: no such file or directory

按照下面修改：

# ... (脚本的其他部分) ...

STATEDIR=/var/lib/tailscale
SOCKETDIR=/var/run/tailscale # 新增或取消注释这一行

start_service() {
    # 确保状态目录存在
    mkdir -p "$STATEDIR"
    # 确保 socket 目录存在  <-- 重要修改！
    mkdir -p "$SOCKETDIR"

    procd_open_instance
    procd_set_param command /usr/sbin/tailscaled \
        --state="${STATEDIR}/tailscaled.state" \
        --socket="${SOCKETDIR}/tailscaled.sock" \ # 使用变量
        --port=41641
    # 记录到系统日志 (syslog/logd)
    procd_set_param stdout 1
    procd_set_param stderr 1
    # 如果进程崩溃，自动重启
    procd_set_param respawn
    procd_close_instance
}

# ... (脚本的其他部分) ...

# ... (脚本的其他部分) ...

STATEDIR=/var/lib/tailscale

SOCKETDIR=/var/run/tailscale # 新增或取消注释这一行

start_service() {

# 确保状态目录存在

mkdir -p "$STATEDIR"

# 确保 socket 目录存在 <-- 重要修改！

mkdir -p "$SOCKETDIR"

procd_open_instance

procd_set_param command /usr/sbin/tailscaled \

--state="${STATEDIR}/tailscaled.state" \

--socket="${SOCKETDIR}/tailscaled.sock" \ # 使用变量

--port=41641

# 记录到系统日志 (syslog/logd)

procd_set_param stdout 1

procd_set_param stderr 1

# 如果进程崩溃，自动重启

procd_set_param respawn

procd_close_instance

}

# ... (脚本的其他部分) ...

然后重启：

/etc/init.d/tailscaled restart

1	/etc/init.d/tailscaled restart

防火墙添加规则：

iptables -I INPUT -i tailscale0 -j ACCEPT
iptables -I FORWARD -i tailscale0 -j ACCEPT
iptables -I FORWARD -o tailscale0 -j ACCEPT

iptables -I INPUT -i tailscale0 -j ACCEPT

iptables -I FORWARD -i tailscale0 -j ACCEPT

iptables -I FORWARD -o tailscale0 -j ACCEPT

命令行添加：
# 规则1：接受来自 tailscale0 的输入包

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Input-Tailscale0'
uci set firewall.@rule[-1].src='*'                
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].in_device='tailscale0'

uci add firewall rule

uci set firewall.@rule[-1].name='Allow-Input-Tailscale0'

uci set firewall.@rule[-1].src='*'

uci set firewall.@rule[-1].proto='all'

uci set firewall.@rule[-1].target='ACCEPT'

uci set firewall.@rule[-1].in_device='tailscale0'

# 规则2：接受通过 tailscale0 接口进来的转发包（FORWARD INPUT_CHAIN）

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Forward-In-Tailscale0'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].in_device='tailscale0'
uci set firewall.@rule[-1].family='ipv4'   # 可根据需要设置

uci add firewall rule

uci set firewall.@rule[-1].name='Allow-Forward-In-Tailscale0'

uci set firewall.@rule[-1].src='*'

uci set firewall.@rule[-1].target='ACCEPT'

uci set firewall.@rule[-1].proto='all'

uci set firewall.@rule[-1].in_device='tailscale0'

uci set firewall.@rule[-1].family='ipv4' # 可根据需要设置

# 规则3：接受通过 tailscale0 接口出去的转发包（FORWARD OUTPUT_CHAIN）

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Forward-Out-Tailscale0'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].out_device='tailscale0'
uci set firewall.@rule[-1].family='ipv4'

uci add firewall rule

uci set firewall.@rule[-1].name='Allow-Forward-Out-Tailscale0'

uci set firewall.@rule[-1].src='*'

uci set firewall.@rule[-1].target='ACCEPT'

uci set firewall.@rule[-1].proto='all'

uci set firewall.@rule[-1].out_device='tailscale0'

uci set firewall.@rule[-1].family='ipv4'

# 规则4：添加防火墙允许 SSH 来自 tailscale0 的流量

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-SSH-Tailscale0'
uci set firewall.@rule[-1].src='*'
uci set firewall.@rule[-1].in_device='tailscale0'
uci set firewall.@rule[-1].dest_port='22'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].family='ipv4'

uci add firewall rule

uci set firewall.@rule[-1].name='Allow-SSH-Tailscale0'

uci set firewall.@rule[-1].src='*'

uci set firewall.@rule[-1].in_device='tailscale0'

uci set firewall.@rule[-1].dest_port='22'

uci set firewall.@rule[-1].proto='tcp'

uci set firewall.@rule[-1].target='ACCEPT'

uci set firewall.@rule[-1].family='ipv4'

# 保存并应用规则

uci commit firewall
/etc/init.d/firewall restart

1 2	uci commit firewall /etc/init.d/firewall restart

修改 Dropbear 配置监听所有接口（0.0.0.0）
编辑

vim /etc/config/dropbear

1	vim /etc/config/dropbear

，找到类似以下内容：

config dropbear 'dropbear'
    option Interface 'lan'
    # 可能还有其他接口定义

config dropbear 'dropbear'

option Interface 'lan'

# 可能还有其他接口定义

确保没有限制 Interface，或者改成监听所有（注释或删除该条）：

config dropbear 'dropbear'
    # option Interface 'lan'  # 注释或删除此行，让其监听所有接口

1 2	config dropbear 'dropbear' # option Interface 'lan' # 注释或删除此行，让其监听所有接口

保存后，重启 Dropbear：

/etc/init.d/dropbear restart

1	/etc/init.d/dropbear restart

OpenWrt安装配置Tailscale

文章评论