Merge pull request #11130 from chewitt/tailscale

tailscale: add initial service add-on

Author: heitbaum

packages/addons/service/tailscale/changelog.txt

@@ -0,0 +1 @@
+initial release

packages/addons/service/tailscale/icon/icon.png

@@ -0,0 +1,51 @@
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2026-present Team LibreELEC (https://libreelec.tv)
+
+PKG_NAME="tailscale"
+PKG_VERSION="1.96.4"
+PKG_REV="0"
+PKG_ARCH="any"
+PKG_LICENSE="BSD-3-Clause"
+PKG_SITE="https://tailscale.com"
+PKG_DEPENDS_TARGET="toolchain"
+PKG_SECTION="service"
+PKG_SHORTDESC="Tailscale: private WireGuard made easy"
+PKG_LONGDESC="Tailscale (${PKG_VERSION}) creates a secure network between your devices using WireGuard. Connect to your tailnet, use exit nodes, and access local subnets."
+PKG_TOOLCHAIN="manual"
+
+PKG_IS_ADDON="yes"
+PKG_ADDON_NAME="Tailscale"
+PKG_ADDON_TYPE="xbmc.service"
+PKG_MAINTAINER="LibreELEC"
+
+case "${ARCH}" in
+  x86_64)
+    TAILSCALE_ARCH="amd64"
+    PKG_SHA256="a1cba18826b1f91cb25ef7f5b8259b5258339b42db7867af9269e21829ea78cc"
+    ;;
+  arm)
+    TAILSCALE_ARCH="arm"
+    PKG_SHA256="6c8731f096147aaf9e187b39f892692fb2bd56dc2eb1fb8fd06982164f339869"
+    ;;
+  aarch64)
+    TAILSCALE_ARCH="arm64"
+    PKG_SHA256="a27249bc70d7b37a68f8be7f5c4507ea5f354e592dce43cb5d4f3e742b313c3c"
+    ;;
+esac
+
+PKG_URL="https://pkgs.tailscale.com/stable/tailscale_${PKG_VERSION}_${TAILSCALE_ARCH}.tgz"
+
+unpack() {
+  mkdir -p ${PKG_BUILD}
+    tar xzf ${SOURCES}/${PKG_NAME}/${PKG_NAME}-${PKG_VERSION}.tgz -C ${PKG_BUILD} --strip-components=1
+}
+
+make_target() {
+  :
+}
+
+addon() {
+  mkdir -p ${ADDON_BUILD}/${PKG_ADDON_ID}/bin
+    cp ${PKG_BUILD}/tailscale ${ADDON_BUILD}/${PKG_ADDON_ID}/bin
+    cp ${PKG_BUILD}/tailscaled ${ADDON_BUILD}/${PKG_ADDON_ID}/bin
+}

packages/addons/service/tailscale/package.mk

@@ -0,0 +1,93 @@
+#!/bin/sh
+
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2026-present Team LibreELEC (https://libreelec.tv)
+
+. /etc/profile
+oe_setup_addon service.tailscale
+
+TAILSCALED="$ADDON_DIR/bin/tailscaled"
+TAILSCALE="$ADDON_DIR/bin/tailscale"
+STATE_DIR="/storage/.cache/tailscale"
+SOCKET="/run/tailscale/tailscaled.sock"
+
+mkdir -p "$STATE_DIR" "$(dirname $SOCKET)"
+
+# Enable IP forwarding (required for exit node and subnet routing)
+if [ "$ts_exit_node" = "true" ] || [ "$ts_subnet_routes" = "true" ]; then
+  echo 1 > /proc/sys/net/ipv4/ip_forward
+  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+fi
+
+# Ensure LAN traffic is not misrouted through tailscale's routing table.
+# tailscaled adds "from all lookup 52" ip rules that catch all traffic.
+# With --netfilter-mode=off no fwmark rules exist to bypass table 52,
+# so add high-priority rules to keep private subnet traffic in the main
+# routing table before tailscaled starts.
+for subnet in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
+  ip rule add to $subnet priority 100 lookup main 2>/dev/null
+done
+
+# Start tailscaled daemon in the background
+$TAILSCALED -state "$STATE_DIR/tailscaled.state" -socket "$SOCKET" &
+TAILSCALED_PID=$!
+
+# Wait for the socket to become available
+for i in $(seq 1 30); do
+  [ -S "$SOCKET" ] && break
+  sleep 1
+done
+
+if [ ! -S "$SOCKET" ]; then
+  echo "Error: tailscaled socket not available after 30s"
+  kill $TAILSCALED_PID 2>/dev/null
+  exit 1
+fi
+
+# Build tailscale up arguments - always specify all flags via --reset
+# to avoid "re-run with --reset" errors when changing settings.
+# Use --netfilter-mode=off to preserve LAN access (SSH, Kodi, etc.)
+TS_ARGS="--reset --netfilter-mode=off"
+
+# Set node hostname
+if [ "$ts_auto_hostname" != "true" ] && [ -n "$ts_hostname" ]; then
+  TS_ARGS="$TS_ARGS --hostname=$ts_hostname"
+fi
+
+# Accept subnet routes from other nodes
+if [ "$ts_accept_routes" = "true" ]; then
+  TS_ARGS="$TS_ARGS --accept-routes"
+fi
+
+# Advertise as exit node and use exit node are mutually exclusive
+if [ "$ts_exit_node" = "true" ] && [ "$ts_use_exit_node" != "true" ]; then
+  TS_ARGS="$TS_ARGS --advertise-exit-node"
+elif [ "$ts_use_exit_node" = "true" ] && [ "$ts_exit_node" != "true" ] && [ -n "$ts_exit_node_host" ]; then
+  TS_ARGS="$TS_ARGS --exit-node=$ts_exit_node_host"
+  if [ "$ts_exit_node_allow_lan" = "true" ]; then
+    TS_ARGS="$TS_ARGS --exit-node-allow-lan-access"
+  fi
+fi
+
+# Advertise local subnet routes (independent of exit node)
+if [ "$ts_subnet_routes" = "true" ] && [ -n "$ts_subnets" ]; then
+  TS_ARGS="$TS_ARGS --advertise-routes=$ts_subnets"
+fi
+
+# Connect or disconnect based on settings
+if [ "$ts_connect" = "true" ]; then
+  $TAILSCALE --socket="$SOCKET" up $TS_ARGS
+
+  # With --netfilter-mode=off tailscale creates no iptables rules.
+  # Exit node and subnet routing need manual NAT and forwarding rules.
+  if [ "$ts_exit_node" = "true" ] || [ "$ts_subnet_routes" = "true" ]; then
+    iptables -A FORWARD -i tailscale0 -j ACCEPT 2>/dev/null
+    iptables -A FORWARD -o tailscale0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null
+    iptables -t nat -A POSTROUTING -s 100.64.0.0/10 ! -o tailscale0 -j MASQUERADE 2>/dev/null
+  fi
+else
+  $TAILSCALE --socket="$SOCKET" down 2>/dev/null
+fi
+
+# Wait for tailscaled to exit
+wait $TAILSCALED_PID

packages/addons/service/tailscale/source/bin/tailscale.start

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2026-present Team LibreELEC (https://libreelec.tv)
+
+SOCKET="/run/tailscale/tailscaled.sock"
+TAILSCALE="/storage/.kodi/addons/service.tailscale/bin/tailscale"
+
+if [ -S "$SOCKET" ]; then
+  $TAILSCALE --socket="$SOCKET" down 2>/dev/null
+fi
+
+# Clean up manual NAT and forwarding rules
+iptables -D FORWARD -i tailscale0 -j ACCEPT 2>/dev/null
+iptables -D FORWARD -o tailscale0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null
+iptables -t nat -D POSTROUTING -s 100.64.0.0/10 ! -o tailscale0 -j MASQUERADE 2>/dev/null
+
+# Clean up LAN routing rules
+for subnet in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
+  ip rule del to $subnet priority 100 lookup main 2>/dev/null
+done
+
+# tailscaled will be stopped by systemd SIGTERM

packages/addons/service/tailscale/source/bin/tailscale.stop

@@ -0,0 +1,66 @@
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2026-present Team LibreELEC (https://libreelec.tv)
+
+import json
+import subprocess
+import sys
+import xbmc
+import xbmcaddon
+import xbmcgui
+
+SOCKET = '/run/tailscale/tailscaled.sock'
+
+
+def select_exit_node():
+    addon = xbmcaddon.Addon()
+    tailscale = addon.getAddonInfo('path') + '/bin/tailscale'
+    strings = addon.getLocalizedString
+
+    try:
+        result = subprocess.check_output(
+            [tailscale, '--socket', SOCKET, 'status', '--json'],
+            stderr=subprocess.STDOUT
+        )
+        data = json.loads(result)
+    except Exception:
+        xbmcgui.Dialog().ok('Tailscale', strings(30023))
+        return
+
+    peers = []
+    for peer in data.get('Peer', {}).values():
+        if peer.get('ExitNodeOption') and peer.get('Online'):
+            dns_name = peer.get('DNSName', '').rstrip('.')
+            machine_name = dns_name.split('.')[0] if dns_name else ''
+            ips = peer.get('TailscaleIPs', [])
+            ip = ips[0] if ips else ''
+            if machine_name and ip:
+                peers.append((machine_name, ip))
+
+    if not peers:
+        xbmcgui.Dialog().ok('Tailscale', strings(30024))
+        return
+
+    labels = [name for name, ip in peers]
+    sel = xbmcgui.Dialog().select(strings(30025), labels)
+    if sel >= 0:
+        addon.setSetting('ts_exit_node_host', peers[sel][1])
+
+
+class Monitor(xbmc.Monitor):
+
+    def __init__(self, *args, **kwargs):
+        xbmc.Monitor.__init__(self)
+        self.addon = xbmcaddon.Addon()
+        self.id = self.addon.getAddonInfo('id')
+
+    def onSettingsChanged(self):
+        strings = self.addon.getLocalizedString
+        if xbmcgui.Dialog().yesno('Tailscale', strings(30026)):
+            subprocess.call(['systemctl', 'restart', self.id])
+
+
+if __name__ == '__main__':
+    if len(sys.argv) > 1 and sys.argv[1] == 'select_exit_node':
+        select_exit_node()
+    else:
+        Monitor().waitForAbort()

packages/addons/service/tailscale/source/default.py

@@ -0,0 +1,114 @@
+# Kodi Media Center language file
+# Addon Name: Tailscale
+# Addon id: service.tailscale
+# Addon Provider: Team LibreELEC
+msgid ""
+msgstr ""
+
+msgctxt "#30000"
+msgid "Tailscale"
+msgstr ""
+
+msgctxt "#30001"
+msgid "Enable"
+msgstr ""
+
+msgctxt "#30002"
+msgid "Connect this node to your tailnet. Initial authentication must be completed via SSH using: tailscale up"
+msgstr ""
+
+msgctxt "#30003"
+msgid "Auto-generate name from OS hostname"
+msgstr ""
+
+msgctxt "#30004"
+msgid "Use the system hostname as the node name on your tailnet."
+msgstr ""
+
+msgctxt "#30005"
+msgid "Node name"
+msgstr ""
+
+msgctxt "#30006"
+msgid "Custom name for this node on your tailnet."
+msgstr ""
+
+msgctxt "#30007"
+msgid "Accept routes"
+msgstr ""
+
+msgctxt "#30008"
+msgid "Accept subnet routes advertised by other nodes on your tailnet."
+msgstr ""
+
+msgctxt "#30009"
+msgid "Advertise exit node"
+msgstr ""
+
+msgctxt "#30010"
+msgid "Offer this device as an exit node, allowing other tailnet devices to route their internet traffic through it. Requires approval in the admin console."
+msgstr ""
+
+msgctxt "#30011"
+msgid "Advertise local subnets"
+msgstr ""
+
+msgctxt "#30012"
+msgid "Share local network subnets with your tailnet, allowing other devices to access them through this node. Requires approval in the admin console."
+msgstr ""
+
+msgctxt "#30013"
+msgid "Subnets"
+msgstr ""
+
+msgctxt "#30014"
+msgid "Comma-separated CIDR ranges to advertise (e.g. 192.168.1.0/24,10.0.0.0/8)."
+msgstr ""
+
+msgctxt "#30015"
+msgid "Use exit node"
+msgstr ""
+
+msgctxt "#30016"
+msgid "Route all internet traffic from this device through another tailnet node that is offering exit node access."
+msgstr ""
+
+msgctxt "#30017"
+msgid "Select exit node"
+msgstr ""
+
+msgctxt "#30018"
+msgid "Choose an exit node from active tailnet peers offering exit node access."
+msgstr ""
+
+msgctxt "#30019"
+msgid "Allow LAN access"
+msgstr ""
+
+msgctxt "#30020"
+msgid "Retain direct access to the local network while routing internet traffic through the exit node."
+msgstr ""
+
+msgctxt "#30021"
+msgid "Exit node address"
+msgstr ""
+
+msgctxt "#30022"
+msgid "Enter the IP address of the exit node, e.g. 100.x.y.z."
+msgstr ""
+
+msgctxt "#30023"
+msgid "Unable to query tailscale. Is the service running?"
+msgstr ""
+
+msgctxt "#30024"
+msgid "No exit nodes available on your tailnet."
+msgstr ""
+
+msgctxt "#30025"
+msgid "Select exit node"
+msgstr ""
+
+msgctxt "#30026"
+msgid "Settings have changed. Restart the Tailscale service now?"
+msgstr ""