tailscale: avoid overlapping IP routes

I think they were making fractal launch hang, between when tailscale is up and when wg-home is reachable; packet gets sent to tailscale instead and hangs
2025-06-02 05:22:19 +00:00
parent 41f0bfde53
commit 2384c3575e
1 changed files with 34 additions and 4 deletions
--- a/hosts/modules/roles/work/tailscale.nix
+++ b/hosts/modules/roles/work/tailscale.nix
@@ -32,6 +32,34 @@ let
  # - provide `--accept-routes`
  # - override the `ip` tool such that tailscale doesn't actually modify the routing table.
  # - explicitly configure the range of routes i actually want.
+  routableSubnets = [
+    # linux routing is "most specific wins".
+    # but overlapping routes are still problematic,
+    # because during interface bringup a packet might temporarily be routed to a place it wouldn't during nominal operations
+    #
+    # tailscale networks seem to mostly use these IPv4 reserved address ranges:
+    # 0.0.0.0/8
+    # 10.0.0.0/8
+    # 100.64.0.0/10
+    #
+    # "10.0.0.0/8"
+    # "10.1.0.0/16"   # - 10.1.255.255
+    "10.2.0.0/15"   # - 10.3.255.255
+    "10.4.0.0/14"   # - 10.7.255.255
+    "10.8.0.0/13"   # - 10.15.255.255
+    "10.16.0.0/12"  # - 10.31.255.255
+    "10.32.0.0/11"  # - 10.63.255.255
+    "10.64.0.0/13"  # - 10.71.255.255
+    "10.72.0.0/14"  # - 10.75.255.255
+    "10.76.0.0/15"  # - 10.77.255.255
+    # XXX: 10.78.0.0 - 10.78.255.255 gap for my home network
+    # "10.79.0.0/16"  # - 10.79.255.255
+    "10.80.0.0/13"  # - 10.87.255.255
+    "10.88.0.0/13"  # - 10.95.255.255
+    "10.96.0.0/11"  # - 10.127.255.255
+    "10.128.0.0/9"  # - 10.255.255.255
+    "100.64.0.0/10"
+  ];
  tailscale = let
    iproute2' = pkgs.callPackage ./tailscale-iproute2 { };
    # tailscale package wraps binaries with `--prefix PATH ${iproute2}/bin`.
@@ -94,13 +122,15 @@ in
          echo "tailscale not ready"
          sleep 2
        done
-        ${ip} route add table main 10.0.0.0/8 dev tailscale0 scope global
-        ${ip} route add table main 100.64.0.0/10 dev tailscale0 scope global
+        for addr in ${lib.concatStringsSep " " routableSubnets}; do
+          ${ip} route add table main "$addr" dev tailscale0 scope global
+        done
      '')
    ];
    systemd.services.tailscaled.preStop = ''
-      ${ip} route del table main 10.0.0.0/8 dev tailscale0 scope global || true
-      ${ip} route del table main 100.64.0.0/10 dev tailscale0 scope global || true
+      for addr in ${lib.concatStringsSep " " routableSubnets}; do
+        ${ip} route del table main "$addr" dev tailscale0 scope global || true
+      done
    '';
    # systemd.network.networks."50-tailscale" = {
    #   # see: `man 5 systemd.network`