
jsiebens / ionscale


A lightweight implementation of a Tailscale control server

Home Page: https://jsiebens.github.io/ionscale

License: BSD 3-Clause "New" or "Revised" License

Makefile 0.16% Go 98.58% HTML 0.03% Dockerfile 0.27% Shell 0.97%
tailscale tailscale-control-server tailscale-server wireguard

ionscale's Introduction

ionscale

Note: ionscale is currently beta quality and under active development, so it is subject to change.

What is Tailscale?

Tailscale is a VPN service that makes the devices and applications you own accessible anywhere in the world, securely and effortlessly. It enables encrypted point-to-point connections using the open source WireGuard protocol, which means only devices on your private network can communicate with each other.

What is ionscale?

While the Tailscale software running on each node is open source, their centralized "coordination server", which acts as a shared drop box for public keys, is not.

ionscale aims to be such a lightweight, open source alternative Tailscale control server.

Features

Documentation

Some documentation can be found here

Disclaimer

This is not an official Tailscale or Tailscale Inc. project.

ionscale's People

Contributors

jsiebens

ionscale's Issues

Add support for SSH "checkPeriod" option

Hello,

After submitting this issue you made a first implementation very quickly, props for that.

The only thing holding back security in our organisation has been the missing SSH "checkPeriod" option as logging in every time you get disconnected from a server is a no-go for us.
Are you still planning to add the implementation for this feature? If so, do you have an ETA?

Thank you again for creating this project, it has already been very useful for us.

Cheers,
Max

ACL for 4via6 subnet router CIDR

Hello,
I'm using the 4via6 subnet router functionality as described here: https://tailscale.com/kb/1201/4via6-subnets

I allowed the 4via6 ipv6 CIDR range in my ACL:

"acls": [
    {
      "action": "accept",
      "src": [
        "tag:trusted"
      ],
      "dst": [
        "fd7a:115c:a1e0:b1a::c0a8:100/120:*"
      ]
    },
]

Also advertised the route on the machine. I got the ipv6 subnet using tailscale debug via 1 192.168.1.0/24.

I validated that it works because I made it work the same way on www.tailscale.com

But unfortunately, it doesn't work with ionscale. I can't reach the ipv6 address.

Here are the logs from tailscaled:

jan 14 23:39:58 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:39:59 pcryzen tailscaled[24447]: Accept: ICMPv6{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:0 > [fd7a:115c:a1e0:b1a::c0a8:101]:0} 104 ok out
jan 14 23:40:07 pcryzen tailscaled[24447]: magicsock: disco: node [iNgd5] d:d4d20a6e15dcff25 now using 192.168.1.145:41641 mtu=1360 tx=349b97a7133a
jan 14 23:40:07 pcryzen tailscaled[24447]: Accept: TCP{[fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 > [fd7a:115c:a1e0:b1a::c0a8:101]:80} 80 ok out
jan 14 23:40:12 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=5s
jan 14 23:40:13 pcryzen tailscaled[24447]: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:6274:49f5]:44410 => [fd7a:115c:a1e0:b1a::c0a8:101]:80) to node [iNgd5]; online=yes, lastRecv=6s

I'm only able to reach the ipv6 address when manually defining the host in the ACL policy like this:

"hosts": {
    "myrouter": "fd7a:115c:a1e0:b1a::c0a8:101/128",
  },
"acls": [
    {
      "action": "accept",
      "src": [
        "tag:trusted"
      ],
      "dst": [
        "myrouter:*"
      ]
    },
]

Would it be possible to add the support for this functionality in the ACL? Thank you.

Headscale related issues:
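
A check for the policy in the issue above, as an added example that is not part of the original issue or of ionscale's code: it parses the `dst` entry (the port part follows the last colon, because the IPv6 CIDR contains colons itself), tests whether the destination seen in the tailscaled log falls inside that CIDR, and decodes the site ID and IPv4 address embedded in a 4via6 address. The function names are illustrative, and host aliases such as `myrouter` are not resolved.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
	"strings"
)

// viaRange is the 4via6 range that the dst CIDR in the issue falls in.
var viaRange = netip.MustParsePrefix("fd7a:115c:a1e0:b1a::/64")

// splitDst splits an ACL dst entry "<CIDR>:<ports>" at the last colon.
func splitDst(dst string) (netip.Prefix, string, error) {
	i := strings.LastIndex(dst, ":")
	if i < 0 {
		return netip.Prefix{}, "", fmt.Errorf("no port part in %q", dst)
	}
	p, err := netip.ParsePrefix(dst[:i])
	if err != nil {
		return netip.Prefix{}, "", err // e.g. a host alias, not a CIDR
	}
	return p.Masked(), dst[i+1:], nil
}

// decodeVia returns the site ID (bytes 8-11) and the IPv4 address
// (bytes 12-15) of a 4via6 address; ok is false outside the 4via6 range.
func decodeVia(a netip.Addr) (site uint32, v4 netip.Addr, ok bool) {
	if !viaRange.Contains(a) {
		return 0, netip.Addr{}, false
	}
	b := a.As16()
	var ip [4]byte
	copy(ip[:], b[12:])
	return binary.BigEndian.Uint32(b[8:12]), netip.AddrFrom4(ip), true
}

// dstCovers reports whether the CIDR of an ACL dst entry contains target.
func dstCovers(dst, target string) (bool, error) {
	p, _, err := splitDst(dst)
	if err != nil {
		return false, err
	}
	a, err := netip.ParseAddr(target)
	return err == nil && p.Contains(a), err
}

func main() {
	dst := "fd7a:115c:a1e0:b1a::c0a8:100/120:*" // dst entry from the issue
	target := "fd7a:115c:a1e0:b1a::c0a8:101"     // destination in the log lines
	in, err := dstCovers(dst, target)
	site, v4, _ := decodeVia(netip.MustParseAddr(target))
	fmt.Println(in, err, site, v4)
}
```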

ionscale tailnets list: Error: unauthenticated: invalid token

~ ionscale genkey
833d03421cf4f5e8ef5ba00cd0605bea022ddd10694a0fb1dacb6484afa5953a
➜  ~ ionscale tailnets list --system-admin-key 833d03421cf4f5e8ef5ba00cd0605bea022ddd10694a0fb1dacb6484afa5953a
Error: unauthenticated: invalid token
➜  ~ export IONSCALE_ADMIN_KEY=833d03421cf4f5e8ef5ba00cd0605bea022ddd10694a0fb1dacb6484afa5953a
➜  ~ ionscale tailnets list
Error: unauthenticated: invalid token

And tried writing to /etc/default/ionscale, which doesn't work.

ionscale high availability

Hello,

Can multiple instances of ionscale run at the same time, but only one receive the requests at the same time?

I have been thinking to have a highly available control plane for a self hosted tailscale, but I'm not sure if running multiple ionscale instances with the same database will introduce any race condition or things will start breaking.

how to set https certs

Hello, I can start success when dns enable

log:

ionscale_1  | Error: invalid MagicDNS suffix [ion.demo.site], not part of zone [cloudflare zone id]

domain set ion.demo.site or demo.site

dns:
  magic_dns_suffix: "ion.demo.site"
  provider:
    name: "cloudflare"
    zone: "cloudflare zone id"
    subdomain: ""
    config: {}

How do I set the Cloudflare API secret?

Add Tailscale SSH support to ACLs

Hello,

First of all, this seems like a much more polished project than headscale is in its current state. Props for that.
My question is if/when the Tailscale SSH feature is planned. This will allow for SSH access as part of ACLs. We would love to use this feature.

Cheers,
Max

Tailscale Funnel

Hello,

Tailscale Funnel is a new feature that Tailscale provides on the official control server.

It would be awesome if this can be added to the ionscale server.

The only other tailscale control server project (headscale) doesn't even have https certificate support yet IIRC, so I'm already really happy with ionscale. This would just make it that much better.

Thanks a lot,
Mr. Hax

No certificate available

Hi,
I am trying Ionscale, but after manual install (not Docker), it fails to provision certificate. Can you please point me to some logs so I can figure out what went wrong?

Thank you

Tomas

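Is there documentation for using the API?

Is there documentation on how to make requests to the API?
For example: 127.0.0.1/ionscale.v1.IonscaleService/GetVersion
Requests to this endpoint never succeed. Why is that? Are there other parameters that need to be configured?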
