dcreager.net

Disable IP forwarding through Tailscale

I have Tailscale installed on a couple of routers, allowing me to SSH into them from the Internet. Works great. But by default, when using systemd-networkd to configure the “router” part of the router, it will forward and NAT traffic from the LAN through the tailscale interface just like it does through the WAN interface. This happens because systemd-networkd turns forwarding on with the global net.ipv4.conf.all.forwarding sysctl (an alias of net.ipv4.ip_forward), and writing that global key sets the forwarding flag on every interface, tailscale0 included.

There used to be an ‘IPForward=kernel’ option in systemd.network that told networkd to leave the sysctl alone and honor whatever you set elsewhere. These days that value doesn't exist, because systemd wants full control over the interfaces that it manages. Fair enough!

Luckily, the tailscale interface is not managed by systemd-networkd! So we can set the interface-specific sysctls, and networkd won't override them. The easiest way to do that is a oneshot systemd unit that runs after tailscaled is up and running (by which point networkd has already written its global setting, so our per-interface values are applied last and stick):

$ cat disable-tailscale-forwarding.service 
[Unit]
Description=Disable IP forwarding through tailscale interface
# Run after tailscaled has created tailscale0, which also puts us after
# networkd's global forwarding sysctl has been written.
After=tailscaled.service

[Service]
Type=oneshot
# Interface-specific keys; networkd does not manage tailscale0, so it
# leaves these alone.
ExecStart=/usr/bin/sysctl net.ipv4.conf.tailscale0.forwarding=0
ExecStart=/usr/bin/sysctl net.ipv6.conf.tailscale0.forwarding=0
# Keep the unit reported as active once the commands have run.
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now disable-tailscale-forwarding.service
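Two things are worth checking after enabling the unit: that the per-interface keys really read 0, and that nothing writes the global sysctl again later, because any write to net.ipv4.conf.all.forwarding or net.ipv6.conf.all.forwarding resets the flag on every interface and silently undoes this unit. The audit script below is an added example, not part of the original post; it assumes only POSIX sh and awk, and the sysctl dump it runs on is constructed here to stand in for the live system.

```shell
#!/bin/sh
# Added example, not part of the original post: audit IP forwarding per
# interface from the text output of `sysctl net.ipv4.conf net.ipv6.conf`.
# Both helpers read sysctl "key = value" lines on stdin, so they work on a
# saved dump as well as on the live system.

# list_forwarding: print "<family> <iface>" for every real interface whose
# per-interface forwarding flag is 1. The "all" and "default" pseudo-entries
# are skipped: "all" only records the last global write, and "default" is
# the template applied to interfaces created later.
list_forwarding() {
    awk -F'[ =]+' '
        $1 ~ /^net\.ipv[46]\.conf\.[^.]+\.forwarding$/ && $2 == 1 {
            split($1, k, ".")
            if (k[4] == "all" || k[4] == "default") next
            gsub("/", ".", k[4])   # sysctl prints VLAN names like eth0.100 as eth0/100
            printf "%s %s\n", k[2], k[4]
        }'
}

# forwarding_disabled FAMILY IFACE: exit 0 if forwarding for IFACE is off,
# 1 if it is on, 2 if the key is absent (the interface does not exist, which
# is what you get if the oneshot unit ran before tailscaled created tailscale0).
forwarding_disabled() {
    awk -v key="net.$1.conf.$2.forwarding" -F'[ =]+' '
        $1 == key { found = 1; state = $2 }
        END {
            if (!found) exit 2
            exit ((state == 0) ? 0 : 1)
        }'
}

# Constructed sample dump (not captured from a real router) standing in for
# `sysctl net.ipv4.conf net.ipv6.conf` on a box where the unit fixed IPv4
# but the IPv6 flag on tailscale0 was reset by a later global write.
SAMPLE_SYSCTL='net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0/100.forwarding = 1
net.ipv4.conf.tailscale0.forwarding = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
net.ipv6.conf.tailscale0.forwarding = 1'

# audit_sample: check tailscale0 for both families against the sample dump;
# returns non-zero if tailscale0 would still forward for either family.
audit_sample() {
    rc=0
    for fam in ipv4 ipv6; do
        printf '%s\n' "$SAMPLE_SYSCTL" | forwarding_disabled "$fam" tailscale0 || rc=1
    done
    return "$rc"
}

# Stand-alone run: show which interfaces in the sample still forward.
printf '%s\n' "$SAMPLE_SYSCTL" | list_forwarding
```

On a real router, pipe the live dump through the same helper: `sudo sysctl net.ipv4.conf net.ipv6.conf | list_forwarding` should list the LAN and WAN interfaces and not tailscale0. Re-run it after any `networkctl reload` or networkd restart; if tailscale0 reappears, something re-wrote the global key and the oneshot unit needs to be restarted.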