Make subnet source NAT configurable (#223)

Co-authored-by: Franck Nijhof <[email protected]>
hassio-addons · Oct 15, 2023 · 296d6b7 · 296d6b7
1 parent 5b9e70c
commit 296d6b7
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 0 deletions.
diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md
@@ -69,6 +69,7 @@ advertise_routes:
 log_level: info
 login_server: "https://controlplane.tailscale.com"
 proxy: true
+snat_subnet_routes: true
 tags:
   - tag:example
   - tag:homeassistant
@@ -271,6 +272,17 @@ More information: [Enabling HTTPS][tailscale_info_https]
 previously to access Home Assistant. Tailscale Proxy works on the default HTTPS
 port 443._
 
+### Option: `snat_subnet_routes`
+
+This option allows subnet devices to see the traffic originating from the subnet
+router, and this simplifies routing configuration.
+
+When not set, this option is enabled by default.
+
+To support advanced [Site-to-site networking][tailscale_info_site_to_site] (eg.
+to traverse multiple networks), you can disable this functionality. But do it
+only when you really understand why you need this.
+
 ### Option: `tags`
 
 This option allows you to specify specific ACL tags for this Tailscale

diff --git a/tailscale/config.yaml b/tailscale/config.yaml
@@ -37,6 +37,7 @@ schema:
   log_level: list(trace|debug|info|notice|warning|error|fatal)?
   login_server: url?
   proxy: bool?
+  snat_subnet_routes: bool?
   tags: ["match(^tag:[a-zA-Z0-9]-?[a-zA-Z0-9]+$)?"]
   taildrop: bool?
   userspace_networking: bool?
diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
@@ -49,6 +49,15 @@ then
   options+=(--login-server="${login_server}")
 fi
 
+# Support advanced site-to-site networking, disable source addresses NAT
+if ! bashio::config.has_value "snat_subnet_routes" || \
+  bashio::config.true "snat_subnet_routes";
+then
+  options+=(--snat-subnet-routes)
+else
+  options+=(--snat-subnet-routes=false)
+fi
+
 # Get configured tags
 tags=$(bashio::config "tags//[] | join(\",\")" "")
 options+=(--advertise-tags="${tags}")

diff --git a/tailscale/translations/en.yaml b/tailscale/translations/en.yaml
@@ -50,6 +50,14 @@ configuration:
       This option allows you to enable Tailscale's Proxy feature to present your
       Home Assistant instance on your tailnet with a valid certificate.
       When not set, this option is enabled by default.
+  snat_subnet_routes:
+    name: Source NAT subnet routes
+    description: >-
+      This option allows subnet devices to see the traffic originating from the
+      subnet router, and this simplifies routing configuration.
+      To support advanced Site-to-site networking (eg. to traverse multiple
+      networks), you can disable this functionality.
+      When not set, this option is enabled by default.
   tags:
     name: Tags
     description: >-