linux

Tailscale Custom Live Linux

Jaakko Koistinen

02 Jun 2024 — 2 min read

What is Tailscale? Tailscale is a service that can build Mesh-VPN networks using the WireGuard protocol. It can create so-called SDNs (Software Defined Networks), connecting users, devices and services.

What is Live Linux? It is an operating system that does not have to be installed on the hard drive of a computer. It can be run either from a USB memory stick or a CD, or be loaded directly in to RAM.

I wanted to combine these two technologies, and you can see the result in the videos embedded below:

0:00

/2:44

Tailscale Admin Interface, VM and a WSL instance.

0:00

/0:39

NoVNC between NODE1 and NODE2

What I wanted was basically a Kali Linux Live environment that can be remotely controlled as soon as the device detects or is configured for network connectivity.

What Tailscale provides here is an overlay network, and it also the different types of functionality such as the 'subnet router' or 'exit node' functionality in your 'tailnet'.

I'm using tailscale ephemeral keys here. They are intended for short-lived nodes such as CI/CD containers or, in my case Live operating systems and are automatically cleaned up after being disconnected for a period of time or if the 'tailscale logout' command is used.

About the customization of the live OS, these are the basic services that are now enabled by default:

Tailscaled
SSH
NoVNC

With some minor modifications to enable the kali 'undercover' mode by default, this image can be run entirely from RAM by appending the 'toram' directive to GRUB at boot time.

I made most of my changes to the /config and /kali-config/common configuration, such as:

Custom repository for Tailscaled daemon
Bootloaders (BIOS + UEFI mode)
Live Hooks
includes.chroot systemd services (startup/shutdown of tailscale client)
IP Forwarding
And more ...

Adding more services to the image should most likely use Ansible as soon as the image boots up.

Check the Tailscale documentation on how you should use an 'OAuth client' instead of regular 'auth keys' (https://tailscale.com/kb/1215/oauth-clients#registering-new-nodes-using-oauth-credentials)

Using OAuth, you can have keys that never expire.

The recipe can be found at: https://bitbucket.org/scriptnet/kali-live-tailscale/src/master/

Export your OSX Keychain

This post will show you how to 'easily' migrate everything in your 'macOS Keychain Access application' over to a standardized format (CSV) that can be handled in other password managers. N.B From macOS Monterey and on there is now an export function that does all

Working with huge CSV files

I was working with 'Efficient IP IPAM' and needed to verify some data for a certain subnet and the host entries contained therein. I decided to try and export the data somehow from the system to be able to work with it locally. Working directly on the Web

Cloudflare tunnels in Python

Cloudflare provides a way to proxy traffic from the Cloudflare network to your origin servers, for more information see: https://github.com/cloudflare/cloudflared Instead of using the cloudflared binary directly to set up the tunnel i decided to use the Cloudflare API. Some example python code to use the

Integrating Mulesoft and OAuth2

This post will show you how you can create your own custom Anypoint platform API policy. This policy will be used to verify authentication tokens from an OAuth2 provider, such as Microsoft or Google. With minor modification/extension to the application code this API policy can be adjusted to any

Read more

Export your OSX Keychain

Working with huge CSV files

Cloudflare tunnels in Python

Integrating Mulesoft and OAuth2