Install and configure the Tailscale VPN service

Install Tailscale on your PC and log in with your account.

Once you create an account in Tailscale, you can generate API keys in the admin console.

Generate the Auth Keys. There are options to:

Generate a key that gets deactivated after authorising one device
Generate a key that can authorise many devices.

Enable 'Reusable' to specify an expiry date.

Note:

Before you begin, ensure the device's time is correct (timedatectl); otherwise, enable ntp sync.

Below is an example script for installation. One can modify the version to be installed, as well as the location where the key is stored, if needed.

https://pkgs.tailscale.com/stable/#staticpkgs.tailscale.com

Note:

Ensure the device has an active internet connection when installing.

#!/bin/bash
set -e

# Enable debugging if DEBUG=1
if [ "${DEBUG:-0}" = "1" ]; then
  set -x
fi

# Tailscale settings
TS_VER="1.90.5"
TS_ARCH="arm64"
TS_TGZ="tailscale_${TS_VER}_${TS_ARCH}.tgz"
TS_URL="https://pkgs.tailscale.com/stable/${TS_TGZ}"
SERIAL_FILE="/home/root/rexusb/serial"

# Standard locations
BIN_DIR="/usr/bin"
STATE_DIR="/var/lib/tailscale"
SOCKET_DIR="/run/tailscale"
SYSTEMD_SERVICE="/etc/systemd/system/tailscaled.service"
DEFAULTS_FILE="/etc/default/tailscaled"

# Hardcoded auth key - replace with your actual key
AUTHKEY="tskey-auth-kDBxyp1FBu11CNT4"

log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $1"; }
fail() { log "? $1"; exit 1; }

log "Creating required directories..."
mkdir -p "$STATE_DIR" "$SOCKET_DIR"

cd /tmp || fail "Could not change to /tmp"

log "Downloading ${TS_TGZ}..."
wget -q "$TS_URL" -O "$TS_TGZ" || fail "Failed to download Tailscale package"

log "Extracting package..."
tar -xzf "$TS_TGZ" || fail "Failed to extract Tailscale package"

TS_EXTRACTED_DIR=$(find . -maxdepth 1 -type d -name "tailscale_*_${TS_ARCH}" | head -n1)
[ -z "$TS_EXTRACTED_DIR" ] && fail "Could not find extracted Tailscale directory"
TS_EXTRACTED_DIR=${TS_EXTRACTED_DIR#./}

log "Installing tailscale binaries to $BIN_DIR..."
cp "$TS_EXTRACTED_DIR/tailscale" "$BIN_DIR/tailscale"
cp "$TS_EXTRACTED_DIR/tailscaled" "$BIN_DIR/tailscaled"
chmod +x "$BIN_DIR/tailscale" "$BIN_DIR/tailscaled"

[ ! -f "$SERIAL_FILE" ] && fail "Serial file not found: $SERIAL_FILE"

HOSTNAME=$(tr -d '\n\r' < "$SERIAL_FILE")
[ -z "$HOSTNAME" ] && fail "Hostname is empty!"

# Sanitize hostname
SANITIZED_HOSTNAME=$(echo "$HOSTNAME" | tr -cd 'a-zA-Z0-9')
[ "$SANITIZED_HOSTNAME" != "$HOSTNAME" ] && log "Sanitized hostname: $SANITIZED_HOSTNAME"
HOSTNAME="$SANITIZED_HOSTNAME"
[ ${#HOSTNAME} -gt 63 ] && HOSTNAME="${HOSTNAME:0:63}"

# Defaults file
log "Creating /etc/default/tailscaled..."
cat <<EOF > "$DEFAULTS_FILE"
# Extra options for tailscaled
#TAILSCALED_OPTS=""
EOF

# Fixed systemd service with CAP_SETGID
log "Creating systemd service at $SYSTEMD_SERVICE..."
cat <<EOF > "$SYSTEMD_SERVICE"
[Unit]
Description=Tailscale node agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
EnvironmentFile=-/etc/default/tailscaled
ExecStart=/usr/bin/tailscaled \$TAILSCALED_OPTS --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock
Restart=always
RestartSec=10
StandardOutput=journal
StandardError=journal
KillMode=process
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID

[Install]
WantedBy=multi-user.target
EOF

log "Reloading systemd and starting tailscaled..."
systemctl daemon-reexec || log "daemon-reexec failed, continuing"
systemctl daemon-reload || fail "Failed to reload systemd"
systemctl enable tailscaled.service || fail "Failed to enable service"
systemctl restart tailscaled.service || fail "Failed to start service"

# Wait for socket
MAX_WAIT=30
for i in $(seq 1 $MAX_WAIT); do
  if [ -S /run/tailscale/tailscaled.sock ]; then
    log "✓ Socket ready after $i seconds"
    break
  fi
  log "Waiting for tailscaled to initialize... ($i/$MAX_WAIT)"
  sleep 1
  systemctl is-active --quiet tailscaled.service || fail "tailscaled died"
  [ $i -eq $MAX_WAIT ] && fail "Timeout waiting for tailscaled socket"
done

log "Running tailscale up..."
# Disable Tailscale DNS management so we can use public DNS
tailscale --socket=/run/tailscale/tailscaled.sock up --authkey $AUTHKEY --ssh --hostname $HOSTNAME --accept-dns=false

# --- Permanent DNS fix ---
log "Configuring permanent DNS..."
cat <<EOF > /etc/resolv.conf
# Managed manually to avoid Tailscale overwrite
nameserver 8.8.8.8
nameserver 1.1.1.1
EOF
chmod 644 /etc/resolv.conf
log "DNS configured: $(cat /etc/resolv.conf)"

log "Installation complete!"
log "Check Tailscale status: tailscale --socket=/run/tailscale/tailscaled.sock status"

Example:

PreviousStarting PPP Connection NextInteracting with ReXgen (MIP)

Last updated 1 month ago

#!/bin/bash set -e # Enable debugging if DEBUG=1 if [ "${DEBUG:-0}" = "1" ]; then set -x fi # Tailscale settings TS_VER="1.90.5" TS_ARCH="arm64" TS_TGZ="tailscale_${TS_VER}_${TS_ARCH}.tgz" TS_URL="https://pkgs.tailscale.com/stable/${TS_TGZ}" SERIAL_FILE="/home/root/rexusb/serial" # Standard locations BIN_DIR="/usr/bin" STATE_DIR="/var/lib/tailscale" SOCKET_DIR="/run/tailscale" SYSTEMD_SERVICE="/etc/systemd/system/tailscaled.service" DEFAULTS_FILE="/etc/default/tailscaled" # Hardcoded auth key - replace with your actual key AUTHKEY="tskey-auth-kDBxyp1FBu11CNT4" log() { echo "$(date '+%Y-%m-%d %H:%M:%S') $1"; } fail() { log "? $1"; exit 1; } log "Creating required directories..." mkdir -p "$STATE_DIR" "$SOCKET_DIR" cd /tmp || fail "Could not change to /tmp" log "Downloading ${TS_TGZ}..." wget -q "$TS_URL" -O "$TS_TGZ" || fail "Failed to download Tailscale package" log "Extracting package..." tar -xzf "$TS_TGZ" || fail "Failed to extract Tailscale package" TS_EXTRACTED_DIR=$(find . -maxdepth 1 -type d -name "tailscale_*_${TS_ARCH}" | head -n1) [ -z "$TS_EXTRACTED_DIR" ] && fail "Could not find extracted Tailscale directory" TS_EXTRACTED_DIR=${TS_EXTRACTED_DIR#./} log "Installing tailscale binaries to $BIN_DIR..." cp "$TS_EXTRACTED_DIR/tailscale" "$BIN_DIR/tailscale" cp "$TS_EXTRACTED_DIR/tailscaled" "$BIN_DIR/tailscaled" chmod +x "$BIN_DIR/tailscale" "$BIN_DIR/tailscaled" [ ! -f "$SERIAL_FILE" ] && fail "Serial file not found: $SERIAL_FILE" HOSTNAME=$(tr -d '\n\r' < "$SERIAL_FILE") [ -z "$HOSTNAME" ] && fail "Hostname is empty!" # Sanitize hostname SANITIZED_HOSTNAME=$(echo "$HOSTNAME" | tr -cd 'a-zA-Z0-9') [ "$SANITIZED_HOSTNAME" != "$HOSTNAME" ] && log "Sanitized hostname: $SANITIZED_HOSTNAME" HOSTNAME="$SANITIZED_HOSTNAME" [ ${#HOSTNAME} -gt 63 ] && HOSTNAME="${HOSTNAME:0:63}" # Defaults file log "Creating /etc/default/tailscaled..." cat <<EOF > "$DEFAULTS_FILE" # Extra options for tailscaled #TAILSCALED_OPTS="" EOF # Fixed systemd service with CAP_SETGID log "Creating systemd service at $SYSTEMD_SERVICE..." cat <<EOF > "$SYSTEMD_SERVICE" [Unit] Description=Tailscale node agent After=network-online.target Wants=network-online.target [Service] Type=simple EnvironmentFile=-/etc/default/tailscaled ExecStart=/usr/bin/tailscaled \$TAILSCALED_OPTS --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock Restart=always RestartSec=10 StandardOutput=journal StandardError=journal KillMode=process CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID [Install] WantedBy=multi-user.target EOF log "Reloading systemd and starting tailscaled..." systemctl daemon-reexec || log "daemon-reexec failed, continuing" systemctl daemon-reload || fail "Failed to reload systemd" systemctl enable tailscaled.service || fail "Failed to enable service" systemctl restart tailscaled.service || fail "Failed to start service" # Wait for socket MAX_WAIT=30 for i in $(seq 1 $MAX_WAIT); do if [ -S /run/tailscale/tailscaled.sock ]; then log "✓ Socket ready after $i seconds" break fi log "Waiting for tailscaled to initialize... ($i/$MAX_WAIT)" sleep 1 systemctl is-active --quiet tailscaled.service || fail "tailscaled died" [ $i -eq $MAX_WAIT ] && fail "Timeout waiting for tailscaled socket" done log "Running tailscale up..." # Disable Tailscale DNS management so we can use public DNS tailscale --socket=/run/tailscale/tailscaled.sock up --authkey $AUTHKEY --ssh --hostname $HOSTNAME --accept-dns=false # --- Permanent DNS fix --- log "Configuring permanent DNS..." cat <<EOF > /etc/resolv.conf # Managed manually to avoid Tailscale overwrite nameserver 8.8.8.8 nameserver 1.1.1.1 EOF chmod 644 /etc/resolv.conf log "DNS configured: $(cat /etc/resolv.conf)" log "Installation complete!" log "Check Tailscale status: tailscale --socket=/run/tailscale/tailscaled.sock status"