(Better) support for random ports
The script seems to make the assumption that it should always run on port 41641, which is not the case on setups which use a random port. The script in its current form starts up properly, but because tailscale starts up with the default port, tailgate sees this, configures iptables and exits. In the case of random ports, this results in an iptables config that does nothing.
The fix in my case is removing the exit on line 21: https://github.com/fernandoenzo/tailgate/blob/90078e854d06b57f5be5236fd5e4b37a1d4384e2/systemd/tailgate-allow%40.service#L21. That way tailgate keeps running, and restarts the unit when the port changes, which causes the iptables rules to be reloaded using the new port.
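To make the difference concrete, here is an added example (not tailgate's own script, and not the unit linked above) of the "keep watching, reapply on change" pattern the fix describes: instead of exiting after the first port is seen, the watcher compares each newly observed port with the last one it applied rules for and only reloads the firewall rules when they differ. The `detect_port` command using `ss` and the `apply_rules` placeholder are assumptions standing in for however the real script finds tailscaled's UDP port and programs iptables.

```shell
#!/bin/sh
# Added example, not tailgate's code: a watcher that never exits on its own
# and re-applies firewall rules only when tailscaled's UDP port changes.

# Hypothetical port detection: first UDP port shown for tailscaled by `ss`.
# (Assumption: the listener is named "tailscaled" in ss output.)
detect_port() {
    ss -lunp 2>/dev/null | awk '/tailscaled/ { n = split($5, a, ":"); print a[n]; exit }'
}

# Placeholder for the real "reload iptables rules for UDP port $1" step.
apply_rules() {
    echo "reloading rules for udp/$1"
}

# True (exit 0) when the newly observed port is non-empty and differs from the
# port rules were last applied for. An empty port (tailscaled not listening
# yet) is treated as "no change" so stale-but-valid rules are kept.
port_changed() {
    last="$1"
    new="$2"
    [ -n "$new" ] && [ "$new" != "$last" ]
}

# One pass of the watcher: given the last applied port and a command that
# prints the current port, apply rules if needed and print the port that is
# now in effect. Kept separate from the loop so it can be exercised without
# sleeping or touching the real system.
watch_step() {
    last="$1"
    get_port="$2"
    port=$("$get_port")
    if port_changed "$last" "$port"; then
        apply_rules "$port" >&2
        printf '%s\n' "$port"
    else
        printf '%s\n' "$last"
    fi
}

# The actual loop: keeps running indefinitely, which is the point of the fix.
# Starting with an empty "last" port means the first detected port always
# triggers a rule load, including the default 41641 before a random port.
watch_port() {
    get_port="${1:-detect_port}"
    interval="${2:-5}"
    last=""
    while :; do
        last=$(watch_step "$last" "$get_port")
        sleep "$interval"
    done
}

# Only run the loop when invoked explicitly, e.g. `sh watch.sh --run`.
[ "${1:-}" = "--run" ] && watch_port detect_port 5
```

With `watch_step` driven by a fake port source, the sequence "41641 (default at startup), then a randomized port" yields one reload for each distinct value and none while the port stays the same, which is exactly the behaviour that an early `exit 0` after the first observation loses.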
Hey there!
From my observations, when Tailscale fails to start on its default port 41641 —typically due to the port being occupied— it continuously monitors the port and migrates to it as soon as it becomes available. Once this transition occurs, Tailscale stabilizes and ceases further port reassignments. To accommodate this behavior, I included an exit 0 in the script at this stage, ensuring the process terminates cleanly once Tailscale has settled.
I understand, but that seems to assume that you always want to run at port 41641, which is not the case when using randomizeClientPort: https://tailscale.com/kb/1181/firewalls#fortinet / https://tailscale.com/kb/1337/policy-syntax#randomizeclientport . In that case, tailscale seems to start with port 41641 and later (within seconds?) switches to the actual port. By that point, tailgate will already have exited, unless the line I highlighted is removed.
Ohh, I see what you're saying now! I hadn't considered that use case before.
Thanks a lot for the clarification and for sharing the documentation link. I've never needed to use that option, so I wasn't familiar with it.
In that case, I'll review the implementation.