
Fix #565: Tailscale autostart on WSL2 with sudo #630

Merged: joelteply merged 1 commit into main from fix/tailscale-autostart, Mar 30, 2026

@joelteply (Contributor)

Boot script uses sudo for tailscaled. Falls back with clear instructions. One-time: add passwordless sudo for tailscale commands.

Boot script now uses sudo for tailscaled (required on WSL2).
Falls back gracefully with clear instructions if passwordless sudo
not configured. One-time setup documented in comments.
Copilot AI review requested due to automatic review settings March 30, 2026 14:22
@joelteply joelteply merged commit a7c4ef2 into main Mar 30, 2026
@joelteply joelteply deleted the fix/tailscale-autostart branch March 30, 2026 14:22
Copilot AI (Contributor) left a comment

Pull request overview

Updates the WSL2 boot script to start tailscaled via sudo and log fallback instructions when non-interactive sudo isn’t available, aiming to make Tailscale autostart work reliably under WSL2 boot conditions.

Changes:

  • Adds prerequisite instructions for configuring passwordless sudo for tailscale/tailscaled.
  • Wraps tailscaled startup with a non-interactive sudo check and logs warnings/instructions on failure.
  • Attempts tailscale up with sudo first and falls back to non-sudo invocation.

Comment thread src/scripts/wsl-boot.sh
Comment on lines +46 to +54
# Start daemon if not running (needs sudo on WSL2)
if ! pgrep -x tailscaled &>/dev/null; then
tailscaled --state=/var/lib/tailscale/tailscaled.state &
sleep 5
if sudo -n true 2>/dev/null; then
sudo tailscaled --state=/var/lib/tailscale/tailscaled.state &
sleep 5
else
echo "$(date): WARNING: tailscaled needs sudo but no passwordless sudo configured" >> "$LOG"
echo "$(date): Run: echo '\$USER ALL=(ALL) NOPASSWD: /usr/bin/tailscale, /usr/bin/tailscaled' | sudo tee /etc/sudoers.d/tailscale" >> "$LOG"
fi
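
Review bot: The sudo -n true gate on the new if line does not test the permission that the logged setup command grants. The sudoers entry in the second echo lists only /usr/bin/tailscale and /usr/bin/tailscaled as NOPASSWD, so true is not covered and sudo -n true still fails for a user who followed the instructions, unless that user has some broader passwordless rule; the script then logs the same warning on every boot and never starts the daemon. Probe with a command the rule covers, for example sudo -n /usr/bin/tailscale version, or run sudo -n tailscaled and confirm with pgrep after the sleep. Separately, the logged command wraps $USER in single quotes, so pasting it as written puts the literal text $USER into /etc/sudoers.d/tailscale instead of the account name; log the resolved user name.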

Copilot AI, Mar 30, 2026

The daemon start is currently gated on sudo -n true. Since this script runs as root, sudo may be unnecessary (and may even fail if sudo isn’t installed/configured), causing tailscaled to never start at boot. Suggest branching on id -u: if already root, run tailscaled directly; otherwise check for sudo and use sudo -n (or log and exit) so unattended boot can’t be blocked by sudo configuration.

Comment thread src/scripts/wsl-boot.sh
Comment on lines +57 to +59
sudo tailscale up --ssh --accept-routes 2>>"$LOG" || tailscale up --ssh --accept-routes 2>>"$LOG"
TAILSCALE_IP=$(tailscale ip -4 2>/dev/null || echo "unknown")
echo "$(date): Tailscale up ($TAILSCALE_IP)" >> "$LOG"
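
Review bot: The success entry on the last line of this hunk is written unconditionally, so the log reads Tailscale up (unknown) when both tailscale up attempts fail and tailscale ip -4 returns nothing. Capture the exit status of tailscale up and write the success entry only when it is 0, with a distinct failure entry otherwise, so that anyone reading the log can tell a connected node from one that never joined the tailnet. The first command also calls sudo without -n, unlike the probe used for tailscaled, so it can wait on a password prompt during an unattended boot.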

Copilot AI, Mar 30, 2026

sudo tailscale up ... || tailscale up ... can still prompt/block at boot if sudo requires a password (no -n), and the script logs "Tailscale up" even if both commands fail. Recommend avoiding sudo when already root, or using sudo -n and only writing the success log after a successful tailscale up (otherwise log a warning/error).

Suggested change
sudo tailscale up --ssh --accept-routes 2>>"$LOG" || tailscale up --ssh --accept-routes 2>>"$LOG"
TAILSCALE_IP=$(tailscale ip -4 2>/dev/null || echo "unknown")
echo "$(date): Tailscale up ($TAILSCALE_IP)" >> "$LOG"
# Bring Tailscale up without blocking for sudo password; prefer direct call when root.
if [ "$(id -u)" -eq 0 ]; then
tailscale up --ssh --accept-routes 2>>"$LOG"
TS_STATUS=$?
else
if sudo -n true 2>/dev/null; then
sudo -n tailscale up --ssh --accept-routes 2>>"$LOG"
TS_STATUS=$?
else
echo "$(date): WARNING: tailscale up requires sudo but no passwordless sudo configured" >> "$LOG"
TS_STATUS=1
fi
fi
if [ "${TS_STATUS:-1}" -eq 0 ]; then
TAILSCALE_IP=$(tailscale ip -4 2>/dev/null || echo "unknown")
echo "$(date): Tailscale up ($TAILSCALE_IP)" >> "$LOG"
else
echo "$(date): WARNING: tailscale up failed; see previous log entries for details" >> "$LOG"
fi

Comment thread src/scripts/wsl-boot.sh
Comment on lines +42 to +44
# PREREQUISITE (one-time, run manually at the tower):
# echo "$USER ALL=(ALL) NOPASSWD: /usr/bin/tailscale, /usr/bin/tailscaled" | sudo tee /etc/sudoers.d/tailscale
# sudo systemctl enable tailscaled
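
Review bot: The sudoers entry in the second comment line grants passwordless root for both binaries with any arguments, and it is written through tee, which skips the syntax check that visudo performs. Restrict the rule to the exact invocations the boot script makes (tailscaled --state=/var/lib/tailscale/tailscaled.state and tailscale up --ssh --accept-routes), and validate the file with visudo -cf before it lands in /etc/sudoers.d, since a syntax error there can leave sudo unusable. The rule also matches only the absolute paths listed, so the comment should tell the reader to confirm both paths with command -v first.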

Copilot AI, Mar 30, 2026

This script is executed as root (see header comment and the Windows Scheduled Task uses wsl.exe -u root). Requiring a one-time passwordless sudo setup here is misleading and unnecessary for unattended boot; it also suggests systemctl enable tailscaled, which won’t apply on WSL instances without systemd. Suggest updating these prerequisite instructions to match the actual execution context (root, no interactive sudo) or removing them entirely.
