Hardening Tailscale on Arch Linux: Polkit >= 106

Tailscale is an easy and free service for building your own mesh VPN. It is built on WireGuard and removes most of the per-node key and peer management that makes raw WireGuard tedious to scale. Tailscale does provide instructions for hardening it, that is, running tailscaled as its own unprivileged user and reducing its privileges to the minimum it needs. However, the polkit part of those instructions doesn't work on distributions running polkit >= 106, such as Arch Linux: polkit 106 replaced the old .pkla local-authority files with JavaScript .rules files under /etc/polkit-1/rules.d, so a configuration written in the older format is silently ignored, and the unprivileged tailscaled is refused when it asks systemd-resolved to change DNS settings (the org.freedesktop.resolve1.* polkit actions).

Solution

Instead of installing the Tailscale-provided polkit configuration, create a JavaScript rules file, /etc/polkit-1/rules.d/99-tailscaled-dns.rules, that grants the tailscaled user every org.freedesktop.resolve1.* action and nothing else:

// Let the unprivileged tailscaled service account configure DNS through
// systemd-resolved. Only org.freedesktop.resolve1.* actions are matched;
// any other action, and any other user, falls through (undefined) to the
// remaining rules and to the action's own defaults in its .policy file.
// indexOf(...) === 0 is used instead of startsWith so the rule behaves the
// same on both JS engines polkit can be built against (mozjs and duktape).
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.resolve1.") === 0 &&
        subject.user == "tailscaled")
    {
        return polkit.Result.YES;
    }
});

Then restart polkit so it picks up the new rule: sudo systemctl restart polkit.service. polkitd reports a rules file it cannot parse to the journal, so check journalctl -u polkit.service for a JavaScript error after the restart. Finally restart tailscaled and confirm that the grant is actually being used: resolvectl status should list the tailnet resolver on the tailscale0 interface, and journalctl -u tailscaled should no longer show access-denied errors from resolved (a polkit refusal typically surfaces there as "Interactive authentication required").
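The rule above can be exercised before it is installed. The following is an added example, not code from the original post or from Tailscale: a small stand-in for polkitd's rule engine that loads the same rule and evaluates constructed action/user pairs. The stand-in assumes what real polkitd does, namely that addRule callbacks are called in registration order, that the first result which is not undefined or null wins, and that polkit.Result constants are the strings "yes", "no", "auth_admin" with NOT_HANDLED being null; only the action.id and subject.user fields the rule reads are modelled (real Subject objects carry more, such as pid and isInGroup()). The action ids in the cases are real ones from systemd's policy files; the user "nobody" is just a constructed counter-example.

```javascript
// Added example (not from the original post or Tailscale): emulate polkitd's
// rule evaluation so 99-tailscaled-dns.rules can be checked offline.

// Stand-in for the `polkit` global that polkitd exposes to rules files.
// Result values mirror the real constants (strings, NOT_HANDLED is null).
const polkit = {
  Result: {
    YES: "yes",
    NO: "no",
    AUTH_ADMIN: "auth_admin",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) {
    this._rules.push(fn);
  },
  // Evaluation loop as polkitd does it (assumption documented in the lead-in):
  // rules run in registration order, the first non-undefined/non-null result
  // wins, and if none answers the action's .policy defaults apply.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) {
        return result;
      }
    }
    return this.Result.NOT_HANDLED;
  },
};

// The rule under test: same logic as the rules file installed above.
// indexOf(...) === 0 rather than startsWith so it runs identically on both
// JS engines polkit can be built against (mozjs and duktape).
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.resolve1.") === 0 &&
      subject.user == "tailscaled") {
    return polkit.Result.YES;
  }
});

// What would polkit answer for this action/user pair? Only the fields the
// rule reads are modelled on the action and subject objects.
function decide(actionId, user) {
  return polkit.evaluate({ id: actionId }, { user: user });
}

// Constructed cases. Only the first must be granted outright; the others
// must fall through (null) so the rule cannot widen any unrelated action
// or grant anything to another user.
const cases = [
  ["org.freedesktop.resolve1.set-dns-servers", "tailscaled"],
  ["org.freedesktop.resolve1.set-dns-servers", "nobody"],
  ["org.freedesktop.systemd1.manage-units", "tailscaled"],
  ["org.freedesktop.resolve1", "tailscaled"], // bare prefix, no trailing dot
];
for (const [actionId, user] of cases) {
  console.log(`${actionId} as ${user}: ${decide(actionId, user)}`);
}
```

The negative cases are the point of the harness: a rule that returned polkit.Result.NO in an else-branch, or matched on "org.freedesktop.resolve1" without the trailing dot, would change what every other service on the host is allowed to do, and that is far easier to notice here than in a broken desktop session after the restart.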

I have filed #9344 and hope the official documentation will be updated soon, as Ubuntu 23.10 and later have finally updated polkitd.

Filed in: #linux