/Magisk-Tailscaled

Magisk/KernelSU module for running Tailscale on rooted Android devices.

Primary LanguageShellOtherNOASSERTION

anasfanani - Magisk-Tailscaled Check and Update Tailscale Binary Github All Releases GitHub release issues - Magisk-Tailscaled Static Badge

Magisk Tailscaled

This repository contains a Magisk module for running Tailscale on rooted Android devices.

What is Tailscale?

Tailscale is a networking tool that allows you to connect each of your devices as if they were on the same VPN. For example, an Android phone connected to the Tailscale network can communicate with any other device connected to Tailscale. You can install it on your PC and Android device and then connect them using the Tailscale IP. For more information, check out How Tailscale Works.

Difference between this Magisk module and the Tailscale app on Play Store

The Tailscale app on the Play Store runs with Android's VPN, which means you can't use Tailscale while another VPN is active. This Magisk module, on the other hand, allows you to use both an Android VPN and Tailscale at the same time.

Requirements

  • A basic networking knowledge.
  • An Android device with Magisk root installed.

Quick Start & Installation

  1. Download the latest zip file from the Releases page.
  2. Install the downloaded zip file using Magisk & reboot your phone.
  3. Open the Terminal.
  4. Login with su -c tailscale login
  5. Disable accept-dns su -c tailscale set --accept-dns=false
  6. Run 'tailscale login' to login to your Tailscale account.
  7. Open the URL in a browser to authorize your device.
  8. Run 'tailscale ip' to retrieve your Tailscale IP.
  9. Alternatively, you can open the Tailscale Admin Dashboard to manage your devices.

After installation, the Tailscale daemon (tailscaled) will run automatically on boot.

Limitation

  • This module only support for arm or arm64 architecture, you can download manually for other architecture.
  • Tailscale binary is designed to run in Linux environment, Some feature might not works properly.
  • MagicDNS currently not working.
  • Runs in userspace mode, read more at https://tailscale.com/kb/1112/userspace-networking
  • Subnet routes is manually routed with socks5-tun, you must define your own ip routes to tailscaled.tun.up and tailscaled.tun.down

Usage of this module

This module runs tailscaled with the following command:

tailscaled -tun=userspace-networking -statedir=/data/adb/tailscale/tmp/ -state=/data/adb/tailscale/tmp/tailscaled.state -socket=/data/adb/tailscale/tmp/tailscaled.sock -port=41641

The state file for tailscaled is stored at /data/adb/tailscale/tmp/tailscaled.state, and the log output is written to /data/adb/tailscale/run/tailscaled.log.

Available command

  • tailscale: This command is execute tailscale operation.
  • tailscaled: This command is execute tailscaled daemon operation.
  • tailscaled.service: This command for manage tailscaled service, you can start,stop,restart daemon and view live logs the tailscaled operation.
  • tailscaled.tun: This command is for manage hev-socks5-tunnel.

Example of Using Tailscale

SSH to Termux

You can use Tailscale to connect SSH from Termux on Android to a Windows PC. Here's how:

On your Android device:

  1. Set up SSHD:
apt update && apt upgrade
apt install openssh
passwd

Enter your password when prompted, for example, 123.

  1. Run ssh daemon with command sshd
  2. Get your IP with the command tailscale ip or check your IP in the Tailscale Admin Dashboard.

On your Windows PC:

  1. Download & install Tailscale for Windows
  2. Open app & login to the Tailscale.
  3. Open the terminal & SSH to your Android IP:
ssh <root>@<tailscale_ip> -p 8022

For example:

ssh root@100.95.95.95 -p 8022

SSH access to your Android device

You can also enable SSH access to your Android device using Tailscale SSH. To do this, advertise SSH on the host with the command tailscale up --ssh.

By default, Tailscale's SSH feature may not work on Android because it requires getent, which is part of GNU libc, and relies on glibc-specific features like nsswitch.conf.

To overcome this, I've created a mock getent and placed it in tailscale/bin/. This mock getent is used by Tailscale's userLookupGetent function.

After advertising SSH on the host, you can SSH into your Android device using ssh root@<tailscale_ip>.

ADB over Tailscale

You can run ADB over Tailscale. First, you need to enable ADB over TCP/IP. You can do this with the following commands:

setprop service.adb.tcp.port 5555
stop adbd
start adbd

These commands set the ADB daemon to listen on TCP port 5555 and then restart the ADB daemon to apply the change.

After enabling ADB over TCP/IP, you can connect to your Android device from your Windows machine using the adb connect command followed by your Tailscale IP and the port number:

adb connect <tailscale_ip>:5555

Avalilable command

USAGE
  tailscale [flags] <subcommand> [command flags]

For help on subcommands, add --help after: "tailscale status --help".

This CLI is still under active development. Commands and flags will
change in the future.

SUBCOMMANDS
  up         Connect to Tailscale, logging in if needed
  down       Disconnect from Tailscale
  set        Change specified preferences
  login      Log in to a Tailscale account
  logout     Disconnect from Tailscale and expire current node key
  switch     Switches to a different Tailscale account
  configure  [ALPHA] Configure the host to enable more Tailscale features
  netcheck   Print an analysis of local network conditions
  ip         Show Tailscale IP addresses
  status     Show state of tailscaled and its connections
  ping       Ping a host at the Tailscale layer, see how it routed
  nc         Connect to a port on a host, connected to stdin/stdout
  ssh        SSH to a Tailscale machine
  funnel     Turn on/off Funnel service
  serve      Serve content and local servers
  version    Print Tailscale version
  web        Run a web server for controlling Tailscale
  file       Send or receive files
  bugreport  Print a shareable identifier to help diagnose issues
  cert       Get TLS certs
  lock       Manage tailnet lock
  licenses   Get open source license information
  exit-node

FLAGS
  --socket string
        path to tailscaled socket (default /var/run/tailscale/tailscaled.sock)

For more details about CLI commands, check out the Tailscale CLI documentation.

FAQ & Troubleshooting

Tailscale has manny issues. You can check them out here.

Cannot access other tailnet devices

This module runs the tailscaled binary in userspace-networking mode. To access other devices in the tailnet, you must use a local proxy on port 1099. I've implemented a workaround using hev-socks5-tunnel to tunnel local socks5 on port 1099 and bind it to the interface named tailscale0.

Please note, this tailscale0 interface is different from the original tailscale0 interface on Linux. In Linux, tailscale0 is managed by the tailscaled daemon, whereas in this module, tailscale0 is managed by hev-socks5-tunnel. The default gateway is 100.100.100.100, as defined in the tailscaled.tun.config.yaml file.

This solution should work on most common devices. However, if you encounter problems accessing other tailnet devices, follow these troubleshooting steps:

  1. Verify that tailscaled.service is running. If not, restart it with tailscaled.service restart.

  2. Verify that tailscaled.tun is running. If not, restart it with tailscaled.tun restart.

  3. Check if your device is connected to tailscaled and try a ping connection with tailscale ping <your_tailnet_ip>.

  4. Verify the port you want to access is accessible. You can do this by accessing it with another tailscale device or using the Tailscale Android App.

  5. Check if the local socks5 server is working with curl. Execute the following command:

    curl 1.1.1.1 -vI -x localhost:1099
    

    If it connects, then the local socks5 server is running and working.

  6. Check if the local socks5 server can connect to the tailnet network.

    curl <your_tailnet_ip>:<port> -vI -x localhost:1099
    

    If it connects, then the local socks5 server is functioning correctly.

  7. Finally, check the connection directly with curl <your_tailnet_ip>:<port> -vI.

If the last step fails, the problem likely lies with socks5-tun. Verify there is an interface named tailscale0. If it exists, the problem may be with the iptables route, either due to a conflict with another rule or some other issue. Feel free to explore your own solutions. If you're unable to resolve the issue, contact me on Telegram and I'll see if I can assist you.

My subnet-routes is'nt working

Yes because we need define the routes with iptables in file tailscaled.tun.up and tailscaled.tun.down, you can check this issue reference. I suppose you're already know the iptables works, if dont, there are chatAI to ask. You can copy whole tailscaled.tun.up script to chatAI and send instruction with please add 192.168.1.1/24 to this route, also dont forget tailscaled.tun.down

If you still can't do it by yourself, I'm verry welcome to people who needs help.

Exit nodes

You can check this issue reference.

ipv6

Unfortunately, I'm verry lazy to learn ipv6.

Headscale

Check this. Also explore on the issue first, then you can ask trough telegram.

Other Error & Bugs

You can explore to the issue tab, if there not exists, you can open issue, for help me resolve the problem, you can include fresh log.

  1. Restart tailscaled with tailscaled.service restart
  2. Reproduce what are you doing which has problem.
  3. Get log at /data/adb/tailscale/run/tailscaled.log

Notes

This module is confirmed to be supported for KernelSU, as confirmed by the author of KernelSU. If you encounter any problems, please let me know.

For more information, check out the links below:

Links

Credits

Disclaimer

This module is provided as-is, I'm not employee at official tailscale, not a verry genius people which can resolve all your problem. This module is not affiliated with the official Tailscale. It is a third-party implementation and the author is not responsible for any damage to your device that may occur from its use. Use at your own risk. Any improvements is required, any PR is verry required, not just welcome.

License

Released under BSD 3-Clause License.