security/tailscale: fix to prevent use of pre-auth key in startup after auth (#5047)

2026-02-03 20:40:37 -05:00 · 2025-11-27 16:40:17 +00:00 · 2025-11-27 16:40:17 +00:00 · 351090da19
commit 351090da19
parent c77c3c0cca
3 changed files with 27 additions and 18 deletions
--- a/security/tailscale/Makefile
+++ b/security/tailscale/Makefile
@ -1,5 +1,5 @@
 PLUGIN_NAME=		tailscale
-PLUGIN_VERSION=		1.2
+PLUGIN_VERSION=		1.3
 PLUGIN_COMMENT=		VPN mesh securely connecting clients using WireGuard
 PLUGIN_DEPENDS=		tailscale
 PLUGIN_MAINTAINER=	sam@sheridan.uk
--- a/security/tailscale/pkg-descr
+++ b/security/tailscale/pkg-descr
@ -6,6 +6,10 @@ https://tailscale.com/
 Plugin Changelog
 ================

+1.3
+
+* modify rc script to prevent re-using auth key if already authenticated
+
 1.2

 * add option to allow Tailscale to manage SSH connections
--- a/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
+++ b/security/tailscale/src/opnsense/service/templates/OPNsense/Tailscale/rc.conf.d
@ -38,23 +38,28 @@ tailscaled_port="{{ OPNsense.tailscale.settings.listenPort }}"
 {%    if helpers.exists('OPNsense.tailscale.authentication.loginServer') %}
 {%      do up_args.append("--login-server=" + OPNsense.tailscale.authentication.loginServer) %}
 {%    endif %}
-{%    if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
-{%      do up_args.append("--auth-key=" + OPNsense.tailscale.authentication.preAuthKey) %}
-{%    else %}
-{%      do up_args.append("--auth-key=non-specified") %}
-{%    endif %}
-{#  loop through subnets to build list #}
-{%    if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}
-{%      set subnets = [] %}
-{%      for subnet_list in helpers.toList('OPNsense.tailscale.settings.subnets.subnet4') %}
-{%        do subnets.append(subnet_list.subnet) %}
-{%      endfor %}
-{%      set subnetString = subnets|join(',') %}
-{%      do up_args.append("--advertise-routes=" + subnetString) %}
-{%    else %}
-{%      do up_args.append("--advertise-routes=") %}
-{%    endif %}
+{#    loop through subnets to build list #}
+{%      if helpers.exists('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%        set subnets = [] %}
+{%        for subnet_list in helpers.toList('OPNsense.tailscale.settings.subnets.subnet4') %}
+{%          do subnets.append(subnet_list.subnet) %}
+{%        endfor %}
+{%        set subnetString = subnets|join(',') %}
+{%        do up_args.append("--advertise-routes=" + subnetString) %}
+{%      else %}
+{%        do up_args.append("--advertise-routes=") %}
+{%      endif %}
+{%      if helpers.exists('OPNsense.tailscale.authentication.preAuthKey') %}
+# Conditionally add auth-key only if not already authenticated
+if [ -f /var/db/tailscale/tailscaled.state ] && grep -q '"_current-profile"' /var/db/tailscale/tailscaled.state 2>/dev/null; 
+then
+    tailscaled_up_args="{{ up_args|join(' ') }}"
+else
+    tailscaled_up_args="{{ up_args|join(' ') }} --auth-key={{ OPNsense.tailscale.authentication.preAuthKey }}"
+fi
+{%      else %}
 tailscaled_up_args="{{ up_args|join(' ') }}"
+{%      endif %}
 {%  else %}
-tailscaled_enable=NO
+tailscaled_enable="NO"
 {%  endif %}