auto-detect Tailscale and add iptables rule to prevent routing loop

Paul C · claude · Paul C · commit a99301bba050 · 2026-03-19T14:14:41.000Z
When wolfnet starts and detects tailscaled running, it adds an iptables
OUTPUT rule to block Tailscale WireGuard traffic (port 41641) from being
routed into the wolfnet subnet. This prevents a feedback loop where
Tailscale routes its own tunnel traffic through wolfnet, which sends it
back through Tailscale, causing both to spike to 90%+ CPU.

The rule is idempotent (checks before adding) and only targets Tailscale's
WireGuard port — wolfnet traffic on its own port is unaffected.

Bumps to 0.5.17.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "wolfnet"
-version = "0.5.16"
+version = "0.5.17"
 edition = "2021"
 authors = ["Wolf Software Systems Ltd"]
 description = "Secure private mesh networking over the internet"
diff --git a/src/tun.rs b/src/tun.rs
@@ -126,6 +126,26 @@ impl TunDevice {
             .args(["device", "set", &self.name, "managed", "no"])
             .output();
 
+        // Prevent Tailscale routing loop — if Tailscale is running, its WireGuard
+        // traffic (port 41641) can get routed into wolfnet0 via the subnet route,
+        // creating a feedback loop where Tailscale traffic goes through WolfNet
+        // and back through Tailscale. Block it with an iptables OUTPUT rule.
+        if std::process::Command::new("pidof").arg("tailscaled").output()
+            .map(|o| o.status.success()).unwrap_or(false)
+        {
+            let subnet = format!("{}/{}", address, subnet);
+            // Check if the rule already exists before adding
+            let exists = std::process::Command::new("iptables")
+                .args(["-C", "OUTPUT", "-p", "udp", "--dport", "41641", "-d", &subnet, "-j", "DROP"])
+                .output()
+                .map(|o| o.status.success()).unwrap_or(false);
+            if !exists {
+                let _ = std::process::Command::new("iptables")
+                    .args(["-I", "OUTPUT", "-p", "udp", "--dport", "41641", "-d", &subnet, "-j", "DROP"])
+                    .status();
+            }
+        }
+
         Ok(())
     }
 
