Allow sys-tailscale to provide network to other qubes. #107

Open
ben-grande opened this issue Dec 4, 2024 · 0 comments
Labels
T: enhancement New feature or request

@ben-grande (Owner)

Current problem (if any)

Setting prefs provides-network True is easy, but firewall rules have to be set to allow only access to Quad100 port 53, not other ports such as 80 (device management interface). Although client qubes cannot perform any actions without being logged in to the tailscale service, they can still learn information about the software version, whether SSH is enabled, and other things about sys-tailscale.

I haven't found a way to allow MagicDNS to work from client qubes. Having a tailnet device named test-tail, it can be queried from client qubes via IP address, and via DNS if DNAT to Quad100 using test-tail.tailnetname.ts.net, but bare MagicDNS test-tail does not work from clients without modifying the client to have the line search tailnetname.ts.net in /etc/resolv.conf. One option is using dnsmasq to redirect queries correctly.

Proposed solution

  • Make sys-tailscale provide network to other qubes
  • Accept connections coming from vifs to Quad100 port 53 TCP/UDP IPv4/IPv6
  • Drop connections coming from vifs to Quad100 TCP/UDP.

The value to a user, and who that user might be

Users can have a qube connecting to the tailnet without having tailscale installed on it.
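The firewall part of the proposed solution (accept vif traffic to Quad100 port 53 over TCP and UDP, drop everything else from vifs to Quad100), written out as nftables rules for sys-tailscale. This is an added example, not code from the issue or from the qubes-tailscale project. It assumes the Qubes OS 4.2 layout with `custom-forward` chains in the `ip qubes` and `ip6 qubes` tables, that Quad100 is 100.100.100.100 (Tailscale's documented MagicDNS resolver address), and that its IPv6 counterpart is fd7a:115c:a1e0::53; treat both addresses and the chain names as assumptions to verify on the host before applying.

```shell
#!/bin/sh
# Added example, not part of the issue or the qubes-tailscale project.
# Emits (and optionally applies) nftables rules so that client qubes attached
# to sys-tailscale can reach only MagicDNS on Quad100 and nothing else there.
# Assumptions: Qubes OS 4.2 "custom-forward" chains in tables "ip qubes" and
# "ip6 qubes"; Quad100 addresses as listed below.

QUAD100_V4="100.100.100.100"        # Tailscale MagicDNS resolver (IPv4)
QUAD100_V6="fd7a:115c:a1e0::53"     # assumed IPv6 MagicDNS address
CHAIN="custom-forward"              # assumed Qubes 4.2 chain name
VIF='iifname "vif*"'                # match traffic arriving from client qubes

# Print the rules in the order they must be added. nft evaluates a chain
# top to bottom and stops at the first verdict, so the port 53 accepts
# must precede the catch-all drop for the same destination.
quad100_rules() {
    for proto in tcp udp; do
        echo "add rule ip qubes $CHAIN $VIF ip daddr $QUAD100_V4 $proto dport 53 accept"
        echo "add rule ip6 qubes $CHAIN $VIF ip6 daddr $QUAD100_V6 $proto dport 53 accept"
    done
    echo "add rule ip qubes $CHAIN $VIF ip daddr $QUAD100_V4 drop"
    echo "add rule ip6 qubes $CHAIN $VIF ip6 daddr $QUAD100_V6 drop"
}

# Sanity check on the emitted rules: every accept must come before the
# first drop, otherwise port 53 would be silently blocked. Returns 0 if ok.
quad100_rules_ordered() {
    seen_drop=0
    quad100_rules | while read -r line; do
        case "$line" in
            *" drop")   seen_drop=1 ;;
            *" accept") [ "$seen_drop" -eq 0 ] || exit 1 ;;
        esac
    done
}

# Number of rules that would be installed (4 accepts + 2 drops).
quad100_rule_count() {
    quad100_rules | wc -l | tr -d ' '
}

# Load the rules into the running firewall as one transaction. Only
# meaningful inside sys-tailscale; elsewhere nft is usually absent.
apply_quad100_rules() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; rules not applied" >&2
        return 1
    fi
    quad100_rules_ordered || return 1
    quad100_rules | nft -f -
}

# Run as "sh this-script.sh --apply" inside sys-tailscale; without the flag
# it only prints the rules for review.
if [ "${1:-}" = "--apply" ]; then
    apply_quad100_rules
else
    quad100_rules
fi
```

Because the rules are added to the `custom-forward` chain rather than to a Qubes-managed chain, they survive the qubes-firewall service regenerating its own rules; placing the script in sys-tailscale's `/rw/config/rc.local` (or an equivalent startup hook) re-applies them on each boot. The drop rule deliberately covers all protocols, so ICMP and any other port on Quad100, such as port 80, is blocked for client qubes as the issue requests.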

@ben-grande ben-grande added the T: enhancement New feature or request label Dec 4, 2024