pfSense » pfSense Packages

#!/bin/sh

# -----------------------------------------------------------------------------

# FishMon365 Tailscale Fix – Production Installer

# -----------------------------------------------------------------------------

#

# Author:      Per Otto Opstad

# Company:     ITVakta AS / FishMon365

# Website:     https://www.fishmon365.com

# Contact:     per@itvakta.no

#

# Created:     2026-04

# Version:     1.0

#

# Purpose:

#   Workaround for Tailscale instability on pfSense where auth-key is reused

#   on every service start, causing nodes to enter a broken state

#   (e.g. "invalid key", "logged out", "NoState").

#

#   This installer:

#     - Deploys a watchdog script for automatic recovery

#     - Disables repeated use of auth-key in pfSense rc script

#     - Ensures persistent and self-healing Tailscale operation

#

# Usage:

#   cd /tmp && rm -f install_tailscale_fix.sh && \

#   fetch -qo install_tailscale_fix.sh \

#   https://your.domain.xxx/tailscale/install_tailscale_fix.sh && \

#   chmod 700 install_tailscale_fix.sh && \

#   sh ./install_tailscale_fix.sh

#

# Notes:

#   - Safe to run multiple times (idempotent)

#   - Designed specifically for pfSense environments

#   - Requires Tailscale package to be installed

#

# Changelog:

#   1.0 (2026-04)

#     - Initial production version

#     - Added watchdog-based recovery

#     - Added automatic rc-script patching

#

# -----------------------------------------------------------------------------

#

set -eu

# === Variabler ===

WATCHDOG_SCRIPT="/root/tailscale_watchdog.sh"

RCFILE="/usr/local/etc/rc.d/pfsense_tailscaled"

CRON_SCHEDULE="*/5 * * * *"

CRON_LINE="${CRON_SCHEDULE} ${WATCHDOG_SCRIPT}"

TMP_CRON="/tmp/tailscale_watchdog.cron.$$"

LOCKFILE="/tmp/tailscale_watchdog.lock"

cleanup() {

  rm -f "$TMP_CRON" 2>/dev/null || true

}

trap cleanup EXIT INT TERM

require_root() {

  if [ "$(id -u)" -ne 0 ]; then

    echo "ERROR: Dette skriptet må kjøres som root." >&2

    exit 1

  fi

}

check_environment() {

  echo "[1/6] Sjekker miljø..."

  if [ ! -f "$RCFILE" ]; then

    echo "ERROR: Fant ikke rc-script: $RCFILE" >&2

    echo "Er dette riktig pfSense-boks med Tailscale installert?" >&2

    exit 1

  fi

  if [ ! -x /usr/local/bin/tailscale ]; then

    echo "ERROR: Fant ikke /usr/local/bin/tailscale" >&2

    echo "Sørg for at Tailscale-pakken er installert først." >&2

    exit 1

  fi

  if [ ! -x /usr/sbin/service ]; then

    echo "ERROR: Fant ikke /usr/sbin/service" >&2

    exit 1

  fi

  if ! command -v crontab >/dev/null 2>&1; then

    echo "ERROR: Fant ikke crontab-kommandoen." >&2

    exit 1

  fi

}

write_watchdog_script() {

  echo "[2/6] Oppretter/oppdaterer watchdog-script..."

  cat > "$WATCHDOG_SCRIPT" <<'EOF'

#!/bin/sh

LOCKFILE="/tmp/tailscale_watchdog.lock"

RCFILE="/usr/local/etc/rc.d/pfsense_tailscaled"

TS="/usr/local/bin/tailscale"

SERVICE="/usr/sbin/service"

RC_SERVICE="pfsense_tailscaled"

LOGTAG="tailscale-watchdog"

log() {

  logger -t "$LOGTAG" "$1"

}

cleanup() {

  rm -f "$LOCKFILE"

}

trap cleanup EXIT INT TERM

[ -e "$LOCKFILE" ] && exit 0

touch "$LOCKFILE"

get_status() {

  "$TS" status 2>&1 || true

}

is_known_error() {

  echo "$1" | grep -Eiq 'logged out|invalid key|API key does not exist|NoState'

}

is_healthy() {

  "$TS" ip -4 >/dev/null 2>&1

}

patch_rcfile_if_needed() {

  if grep -q '^pfsense_tailscaled_up_flags="--auth-key=' "$RCFILE"; then

    cp "$RCFILE" "${RCFILE}.bak_watchdog" 2>/dev/null || true

    sed -i '' 's/^pfsense_tailscaled_up_flags="--auth-key=/#pfsense_tailscaled_up_flags="--auth-key=/' "$RCFILE"

    log "Patched rc file (disabled auth-key)"

  fi

}

# Enforce patch every run

patch_rcfile_if_needed

STATUS="$(get_status)"

if is_healthy && ! is_known_error "$STATUS"; then

  exit 0

fi

if ! is_known_error "$STATUS"; then

  exit 0

fi

log "Detected known Tailscale error"

log "Restarting $RC_SERVICE"

$SERVICE "$RC_SERVICE" restart >/dev/null 2>&1

sleep 15

STATUS="$(get_status)"

if is_healthy && ! is_known_error "$STATUS"; then

  log "Recovered after restart"

  exit 0

fi

log "Still failing after restart"

exit 1

EOF

  chmod 700 "$WATCHDOG_SCRIPT"

  chown root:wheel "$WATCHDOG_SCRIPT" 2>/dev/null || true

}

install_or_update_cron() {

  echo "[3/6] Oppretter/oppdaterer cron..."

  {

    crontab -l 2>/dev/null | grep -v "$WATCHDOG_SCRIPT" || true

    echo "$CRON_LINE"

  } > "$TMP_CRON"

  crontab "$TMP_CRON"

}

run_fix_now() {

  echo "[4/6] Kjører fix nå..."

  rm -f "$LOCKFILE" 2>/dev/null || true

  "$WATCHDOG_SCRIPT" || true

}

verify_installation() {

  echo "[5/6] Verifiserer..."

  CRON_MATCH="$(crontab -l 2>/dev/null | grep -F "$WATCHDOG_SCRIPT" || true)"

  if [ -n "$CRON_MATCH" ]; then

    echo "OK: Cron-linje funnet:"

    echo "  $CRON_MATCH"

  else

    echo "WARNING: Fant ikke cron-linje for watchdog."

  fi

  echo

  echo "Auth-key linjer i rc-script:"

  grep -n 'auth-key' "$RCFILE" || true

  echo

  echo "Tailscale status (kort):"

  if /usr/local/bin/tailscale ip -4 >/dev/null 2>&1; then

    TSIP="$(/usr/local/bin/tailscale ip -4 | head -n 1)"

    echo "  IPv4: $TSIP"

  else

    echo "  IPv4: utilgjengelig"

  fi

  /usr/local/bin/tailscale status 2>/dev/null | head -n 5 || true

  echo

  echo "Siste watchdog-linjer i system.log:"

  grep 'tailscale-watchdog' /var/log/system.log 2>/dev/null | tail -n 10 || true

}

print_summary() {

  echo "--------------------------------------"

  echo "Installasjon fullført"

  echo "Watchdog:     $WATCHDOG_SCRIPT"

  echo "RC-script:    $RCFILE"

  echo "Cron:         $CRON_SCHEDULE"

  echo

  echo "Nyttige kommandoer:"

  echo "  Sjekk cron:      crontab -l"

  echo "  Kjør manuelt:    $WATCHDOG_SCRIPT"

  echo "  Sjekk status:    tailscale status"

  echo "  Sjekk IP:        tailscale ip -4"

  echo "  Sjekk logg:      grep tailscale-watchdog /var/log/system.log | tail -n 50"

  echo "  Restart TS:      service pfsense_tailscaled restart"

  echo "  Sjekk auth-key:  grep -n auth-key $RCFILE"

}

echo "=== FishMon365 Tailscale Fix Installer ==="

require_root

check_environment

write_watchdog_script

install_or_update_cron

run_fix_now

verify_installation

print_summary