←back to thread

Porting Tailscale to Plan 9

(tailscale.com)
370 points adriangrigore | 9 comments | 02 Apr 25 15:29 UTC | HN request time: 0.656s | source | bottom
1. bradfitz ◴[02 Apr 25 16:29 UTC] No.43558467[source]
Happy to answer any questions!

A bunch of us are currently in https://meet.google.com/qre-gydb-mkv chatting about this. (Edit: the hour is over; we all left)

The earlier Apr 1st blog post was https://tailscale.com/blog/tailscale-enterprise-plan-9-suppo...

replies(2): >>43558624 #>>43558836 #
2. undersuit ◴[02 Apr 25 16:44 UTC] No.43558624[source]
I've never set up a Plan 9 system... does this allow the distributed systems communications to run through my Tailnet?
replies(2): >>43558657 #>>43559541 #
3. bradfitz ◴[02 Apr 25 16:48 UTC] No.43558657[source]
I think so! Caveat is I've never really used Plan 9 outside of single-user VMs.
4. bradfitz ◴[02 Apr 25 17:06 UTC] No.43558853[source]
We actually have that nowadays... the config file support to tailscaled, as Irbe mentioned on the bug Jan 2024: https://github.com/tailscale/tailscale/issues/1412#issuecomm...
replies(1): >>43566046 #
5. MisterTea ◴[02 Apr 25 18:09 UTC] No.43559541[source]
Yes, you could do something like keep a small root fs or pack everything into the kernels paqfs to boot into a Tailscale VPN and pull root from another 9 machine on the VPN. Then pull resources in from other machines including non 9 systems.

Either way it makes VPN easy between 9 and non 9 machines. Otherwise Plan 9 can do it's own VPN-like over tls or ssh tunnels and bind remote network stacks to a local namespace. But that makes seamless Unix and Windows comms difficult.

replies(1): >>43559657 #
6. bradfitz ◴[02 Apr 25 18:18 UTC] No.43559657{3}[source]
> Otherwise Plan 9 can do it's own VPN-like over tls or ssh tunnels and bind remote network stacks to a local namespace

Note that one of Tailscale's main party tricks is NAT traversal, when both machines are behind different NATs and can't otherwise get a connection open to each other. (And then Tailscale ultimately falls back to a relay server on the internet if it can't get a direct connection for IP packets)

replies(1): >>43559914 #
7. MisterTea ◴[02 Apr 25 18:38 UTC] No.43559914{4}[source]
For situations where you have no control over the NAT then this is indeed the case.

Though, 9front lets you run your own NAT giving you an Internet facing 9 machine you can serve a TLS tunnel from directly. So the server side is solved making the client side NAT a non issue.

replies(1): >>43560055 #
8. bradfitz ◴[02 Apr 25 18:48 UTC] No.43560055{5}[source]
If your 9front machine is in a position on the network whereby it could serve a NAT, you don't have many networking problems at that point. Almost all operating systems can do NAT in such a position.

I'm talking about two machines deep in somebody else's network or where you don't control the router/NAT.

9. INTPenis ◴[03 Apr 25 07:25 UTC] No.43566046{3}[source]
Yeah I did find that in my quest but nowhere is this config file defined. I have no idea what to put into it so it's useless to me.

Also while I have you here, the tailscale container image lacks iptables support, making it useless.