The easiest, most secure way to use WireGuard and 2FA.

Tailscale

https://tailscale.com

Private WireGuard® networks made easy

Overview

This repository contains all the open source Tailscale client code and the tailscaled daemon and tailscale CLI tool. The tailscaled daemon runs primarily on Linux; it also works to varying degrees on FreeBSD, OpenBSD, Darwin, and Windows.

The Android app is at https://github.com/tailscale/tailscale-android

Using

We serve packages for a variety of distros at https://pkgs.tailscale.com .

Other clients

The macOS, iOS, and Windows clients use the code in this repository but additionally include small GUI wrappers that are not open source.

Building

go install tailscale.com/cmd/tailscale{,d}

If you're packaging Tailscale for distribution, use build_dist.sh instead, to burn commit IDs and version info into the binaries:

./build_dist.sh tailscale.com/cmd/tailscale
./build_dist.sh tailscale.com/cmd/tailscaled

If your distro has conventions that preclude the use of build_dist.sh, please do the equivalent of what it does in your distro's way, so that bug reports contain useful version information.

We only guarantee to support the latest Go release and any Go beta or release candidate builds (currently Go 1.16) in module mode. It might work in earlier Go versions or in GOPATH mode, but we're making no effort to keep those working.

Bugs

Please file any issues about this code or the hosted service on the issue tracker.

Contributing

PRs welcome! But please file bugs. Commit messages should reference bugs.

We require Developer Certificate of Origin Signed-off-by lines in commits.

About Us

Tailscale is primarily developed by the people at https://github.com/orgs/tailscale/people. For other contributors, see:

Legal

WireGuard is a registered trademark of Jason A. Donenfeld.

Owner
Tailscale
Tailscale is a WireGuard-based app that makes secure, private networks easy for teams of any scale.
Comments
  • windows: wgengine.NewUserspaceEngine: InterfaceFromIndexEx() - interface with specified LUID not found


    Describe the bug After installing Tailscale as a fresh installation on Windows the product will not function. On reboot the error message "Tailscale service is not running. safesocket.Connect dial tcp 127.0.0.1:Port connectex: No connection could be made because the target actively refused it" is popped up.

    Obviously this implies the service is somehow not running or accepting connections. Service menu says that the service is actually running. Mousing over the GUI shows "Tailscale: Windows service is not running". Bringing up the context menu also says "Please restart the tailscale service" as the top option.

    Going into the services and restarting (and / or 'stopping' then 'starting') the Tailscale IPN has no visible effect on the GUI / function of Tailscale. Windows service status does indicate the service is stopping and starting again. No error messages appear during the start / stop of the service.

    Restarting the computer results in the same state, along with the message box popup relating to the failed TCP dial in the first ~10 - 15 seconds of logging in.

    To Reproduce Download latest installer from https://tailscale.com/kb/1029/install-files - In my case 0.99.0-0.

    Install with no error messages or visible issues.

    Attempt to login / connect / use Tailscale.

    Expected behavior Tailscale is functional.

    Screenshots https://i.imgur.com/lC002Pc.png https://i.imgur.com/GitnW61.png

    Version information:

    • Device: Desktop PC
    • OS: Windows
    • OS version: Windows 10 Pro - Version 2004 (OS Build 19041.330)
    • Tailscale version: 0.99.0-0


  • Tailscale Exit node breaks internet


    Searches bring up a couple of similar posts which require users to paste bug reports for resolution - so I'm jumping straight to that point.

    Symptoms

      • Internet works fine before connecting to exit node
      • No internet functions work while exit node is selected
      • Internet immediately restored once disconnected from exit node

    I've got a really simple network - a macOS client and a Linux server:

    • macbook - 100.106.79.66
    • linux - 100.83.183.74

    Everything green in the admin panel, exit node selected and enabled there too.

    Bugreport:

    BUG-23b73c81b568d9e981010d2c7ba03f24903bf923f0961cf54c49b8b15e8420ee-20210814171751Z-f19c109b201be180

    Thanks in advance!


  • tailscaled: get working on macOS with homebrew


    We'd like to be able to distribute automated, unsigned DMG images of the latest macOS client.

    But unsigned means no NetworkExtension, which means we need to use cmd/tailscaled as the backend, with its utun device. WireGuard TUN supports that, but we don't have implementations of wgengine/router to do that.

    Ignoring the GUI glue, I can log in to tailscaled on a Mac:

    $ sudo mkdir -p /Library/tailscaled
    $ sudo tailscaled --state=/Library/tailscaled/tailscaled.state --tun=utun4
    

    ... and then tailscale up as a regular user to get my login URL & add the machine.

    And then I see it form the mesh and do the handshakes, but I don't have routes.

    I tried to:

    sudo route add -host 100.120.74.110 -interface utun4
    

    But doesn't seem to work:

    $ ping taildoc.go4.org
    PING taildoc.go4.org (100.120.74.110): 56 data bytes
    ping: sendto: Device not configured
    ping: sendto: Device not configured
    Request timeout for icmp_seq 0
    ping: sendto: Device not configured
    Request timeout for icmp_seq 1
    ping: sendto: Device not configured
    Request timeout for icmp_seq 2
    ping: sendto: Device not configured
    Request timeout for icmp_seq 3
    

    I don't know enough about macOS networking to do this quickly, so I'm at least writing down what I tried & where I got.

  • Package for pfSense to utilize Tailscale


    Was asked to open this Bug report by BradFitz https://www.reddit.com/r/Tailscale/comments/iukyaf/network_bridging_pfsenseopnsense/

    Describe the bug Create Package for use on OPNsense and PFsense systems. Also to allow bridging connections within the application

    To Reproduce Steps to reproduce the behavior: No errors

    Expected behavior Currently a similar software called Zerotier has a package for OPNsense that allows the router to be a member of the network. Also advanced configuration exists to allow bridging the LAN network with the Zerotier network. Would like a similar solution with Tailscale.

    Version information: Latest builds for both systems

    Additional context No additional context


  • Let users add/replace DERP servers for their network


    Tailscale (the company) runs DERP relays around the world, such that there's always one near users, but various users/organizations have requested the ability to modify the DERP map for their network, either:

    • augmenting our DERP map with DERP nodes that they run (using the open source https://pkg.go.dev/tailscale.com/cmd/derper server)
    • removing certain DERP servers from our set (e.g. remove some in certain countries, for regulatory reasons), including removing all but certain geos
    • some combination of both: like removing all ours, and only using the ones the user supplied.

    An easy way to do this is to add some fields to the ACL JSON object (which we could rebrand as the "tailnet policy config" or "Tailnet ACL and policy config").

    (We've discussed this in various forums, but creating this public tracking bug)

  • Windows: taskbar displays "Please restart the Tailscale Windows Service"

    I upgraded from Windows 10 to Windows 11 Insider Preview, version 21H2 build 22000.51.

    Hovering over the taskbar icon, I see "Tailscale: Windows service not running". On right-click I see "Please restart the Tailscale Windows Service". The Services console shows the service is running. Restarting the service there doesn't change anything. Reboots don't help either.

    I tried reinstalling Tailscale 1.10.0 (stable) and 1.11.24 (unstable).

    Please let me know if you need any other info.


  • macOS & iOS doesn't use DNS set in the admin panel


    Describe the bug On macOS dns resolution order doesn't get prioritized with the dns in the admin panel which means it's essentially ignored.

    To Reproduce Steps to reproduce the behavior:

    1. Set the DNS in the admin panel
    2. scutil --dns should show the config in the scoped queries
    3. ping or resolve a host where the dns would have a different ip ie. using an internal VPC dns in aws to get the internal ip vs the external ip.
    4. You'll see the public ip returned not the internal ip. nslookup with the admin dns resolves to the internal ip correctly

    Expected behavior I'd expect the dns set in the admin to take priority when the vpn is connected, or at least an option per client to decide

    Version information:

    • Device: macbook pro
    • OS: macOS
    • OS version: 10.14.6
    • Tailscale version: App version: 0.95.208

    Additional context I currently have a very specific hardcoded example that works as a work around at https://github.com/pelotech/tailscale-tools/tree/master/resolver it listens to the up/down of the interfaces and adds resolvers for specific domains to be used.


  • MagicDNS seems broken on Android with v1.8.3


    General DNS resolution works but requests are routed to the DHCP announced nameservers. My account has MagicDNS enabled and has an internal nameserver (using a 100.x.x.x address). My other devices work fine (none of them are Android).

    I'm not sure how to provide more detailed information...


  • openwrt package


    User reports say that tailscale works on openwrt with the static arm binary. The only extra step that's required is opkg install kmod-tun.

    (This is complicated by the fact that there's more than one flavor of openwrt.)


  • Update OS firewall settings to allow incoming Tailscale


    We get various bug reports from macOS and Windows users who find that the OS firewall is blocking connections to their Tailscale IP.

    One user:

    Figured it out, MacOS Firewall was set to 'Block All Incoming Connections'

    Another user:

    I am able to ping and ssh both ways when I disable windows firewall, but cannot with windows firewall on. I haven’t seen any documents related to what settings might need to be altered in the firewall to allow this to work, actually the whitepaper suggests nothing should have to happen.

    And on the front page of tailscale.com we say:

    Even when separated by firewalls or subnets, Tailscale just works.

    That text is referring to gateway/router firewalls, not OS firewalls, but it's confusing/misleading in any case.

    We should be able to update the OS firewall settings on macOS and Windows to allow incoming connections to the user's Tailscale IP from other Tailscale IPs. (The "Shields Up" feature will then be the real firewall)

    I'm in favor of doing this unilaterally, but perhaps it'd need to be an option. But at least we could make it prominent when they're toggling Shields Up, warning them that their OS is going to interfere with their choice and "Would you like Tailscale to fix it? [ Yes ] [ No ]", etc.

    /cc @apenwarr @danderson @dfcarney @crawshaw

    (I previously filed this as tailscale/corp#183, meant as a meta bug, but it was closed when a more specific case was fixed)

  • Support running in containers (Serverless)


    We have minimal support for containers, in that a Dockerfile exists. However, that Dockerfile doesn't embed correct version numbers, doesn't support authkey enrollment, and we have the same problem that Kubernetes had with incompatible host vs. container iptables. As such, we don't currently publish official images anywhere.

    This is a tracking bug to make the container image good enough that we can support it as an official platform.

  • FR: Auth keys from non-person user(service account)


    What are you trying to do?

    We are using tailscale to connect 2 server clusters, and having to rely on a user's auth key is dangerous.

    How should we solve this?

    Allow auth key to be not linked to one user, created and manageable by admins.

    What is the impact of not solving this?

    Not able to use this for servers in production.

    Anything else?

    No response

  • FR: Webhook test endpoint on demand


    What are you trying to do?

    I'm writing a webhook handler, and trying to test it using the Test endpoint feature. If my handler fails to process the test event it is resent every hour, and it is not possible to manually resend it. Also there is no UI to show that sending a test event is now failing.

    How should we solve this?

    I think the test event should not be handled like other webhooks. If it fails maybe it should not be resent. You should immediately be able to request a new test event even if the last one failed.

    What is the impact of not solving this?

    If a webhook handler is failing, you can only re-test it once per hour.

    Anything else?

    No response

  • cmd/tailscale: add start of "tailscale update" command

    Goal: one way for users to update Tailscale, downgrade, switch tracks, regardless of platform (Windows, most Linux distros, macOS, Synology).

    This is a start.

    Updates #755, etc

  • Tailscale seemingly interferes with internet connectivity


    What is the issue?

    Occasionally when Tailscale is enabled I lose the ability to reach the internet. It gets fixed after turning Tailscale off, so my first guess is something to do with the Tailscale config. This has happened to me on Android as well as MacOS Monterey. It is not clear what the trigger is because it does not happen all the time. For e.g. right now as I file this Tailscale is enabled:

    image

    Is there anything I can do to debug this a little more?

    Steps to reproduce

    No response

    Are there any recent changes that introduced the issue?

    No response

    OS

    macOS, Android

    OS version

    Monterey; Android 12

    Tailscale version

    1.34.1 (app store)

    Bug report

    BUG-d62ca7b2223acaa6f8def36043fc4ec13f9f2e0e0548594fc9727a72d78676dd-20230104081918Z-53c6c8975c5f5abb

  • download: reformat Synology DSM6 vs DSM7 vs architecture options


    Our Synology downloads are confusing:

    https://github.com/tailscale/tailscale/issues/6887#issuecomment-1370441125

    Let's reformat.

    DSM7 is way more common these days (only 1 in 6 users use DSM6 lately).

    So maybe we only list one section with DSM7 first in bold and then DSM6 after smaller or something.

    Or a table.

  • Tailscale ssh "operation not permitted"

    What is the issue?

    Trying to connect with ssh to some docker container. Js console closes after auth with vague error message. Logs:

    2023/01/04 03:16:49 ssh-conn-20230104T031648-11f5ffdc27: handling conn: 100.100.77.230:28391->[email protected]:22
    2023/01/04 03:16:50 ssh-conn-20230104T031648-11f5ffdc27: starting session: sess-20230104T031650-053ff6822d
    2023/01/04 03:16:50 ssh-session(sess-20230104T031650-053ff6822d): handling new SSH connection from OwnageIsMagic@github (100.100.77.230) to ssh-user "app"
    2023/01/04 03:16:50 ssh-session(sess-20230104T031650-053ff6822d): access granted to OwnageIsMagic@github as ssh-user "app"
    2023/01/04 03:16:50 ssh-session(sess-20230104T031650-053ff6822d): starting pty command: [/app/tailscale_1.34.1_amd64/tailscaled be-child ssh --uid=1000 --gid=1000 --groups=1000 --local-user=app --remote-user=OwnageIsMagic@github --remote-ip=100.100.77.230 --has-tty=true --tty-name=pts/1 --shell --login-cmd=/bin/login --cmd=/bin/bash -- -l]
    2023/01/04 03:16:50 ssh-session(sess-20230104T031650-053ff6822d): Wait: code=1
    

    Running manually

    $ ls -l /bin/login && ls -l /bin/bash
    -rwxr-xr-x 1 root root 48128 Mar 26  2019 /bin/login
    -rwxr-xr-x 1 root root 1037528 Jul 12  2019 /bin/bash
    
    $ id
    uid=1000(app) gid=1000(app) groups=1000(app)
    
    $ tailscale_1.34.1_amd64/tailscaled be-child ssh --uid=1000 --gid=1000 --groups=1000 --local-user=app --remote-user=OwnageIsMagic@github --remote-ip=100.100.77.230 --has-tty=true --tty-name=pts/1 --shell --login-cmd=/bin/login --cmd=/bin/bash -- -l
    operation not permitted
    

    Steps to reproduce

    No response

    Are there any recent changes that introduced the issue?

    No response

    OS

    Linux

    OS version

    Ubuntu 16.04.7 LTS

    Tailscale version

    1.34.1_amd64

    Bug report

    No response

This small Docker project is the easiest way to send notifications directly via .txt files to services like: Gotify, Telegram, SMTP (Email) or Webhook.

Oct 5, 2022
Our aim is to expand the capabilities of blockchain and make a secure way for transferring NFT between RMRK and MOVR blockchain.

remov Inspiration Our aim is to expand the capabilities of blockchain and make a secure way for transferring NFT between RMRK and MOVR blockchain. The

Jul 25, 2022
A Wireguard VPN Server Manager and API to add and remove clients

Wireguard Manager And API A manager and API to add, remove clients as well as other features such as an auto reapplier which deletes and adds back a c

Dec 22, 2022
A fork of the simple WireGuard VPN server GUI community maintained

Subspace - A simple WireGuard VPN server GUI Subspace - A simple WireGuard VPN server GUI Slack Screenshots Features Contributing Setup 1. Get a serve

Dec 25, 2022
A flexible configuration manager for Wireguard networks

Drago A flexible configuration manager for WireGuard networks Drago is a flexible configuration manager for WireGuard networks which is designed to ma

Jan 7, 2023
Simple Web based configuration generator for WireGuard. Demo:

Wg Gen Web Simple Web based configuration generator for WireGuard. Why another one ? All WireGuard UI implementations are trying to manage the service

Jan 1, 2023
Connect your devices into a single private WireGuard®-based mesh network.

Wiretrustee A WireGuard®-based mesh network that connects your devices into a single private network. Why using Wiretrustee? Connect multiple devices

Dec 31, 2022
A userspace SORACOM Arc client powered by wireguard-go

soratun An easy-to-use, userspace SORACOM Arc client powered by wireguard-go. For deploying and scaling Linux servers/Raspberry Pi devices working wit

Jun 2, 2022
Layer2 version of wireguard with Floyd Warshall implement in go.

Etherguard Chinese README A Full Mesh Layer2 VPN based on wireguard-go OSPF can find best route based on its cost. But sometimes the latency are differen

Dec 29, 2022
Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface

wg-ovpn Magic util that "bridges" Wireguard with OpenVPN without a TUN/TAP interface Warning: really ugly and unstable code! Building Obtain latest so

Sep 27, 2022
Mount your podman container into WireGuard networks on spawn

wg-pod A tool to quickly join your podman container/pod into a WireGuard network. Explanation wg-pod wires up the tools ip,route,wg and podman. It cre

Aug 14, 2022
Go Implementation of WireGuard


Jan 2, 2023
A HTTP proxy server tunnelling through wireguard

wg-http-proxy This project hacks together the excellent https://github.com/elazarl/goproxy and https://git.zx2c4.com/wireguard-go into an HTTP proxy s

Dec 30, 2022
NAT puncher for Wireguard mesh networking.

natpunch-go This is a NAT hole punching tool designed for creating Wireguard mesh networks. It was inspired by Tailscale and informed by this example.

Dec 12, 2022
generate Wireguard keypairs with a given prefix string

wireguard-vanity-address Generate Wireguard keypairs with a given prefix string. The Wireguard VPN uses Curve25519 keypairs, and displays the Base64-e

Nov 9, 2022
udppunch hole for wireguard

udppunch udp punch for wireguard, inspired by natpunch-go usage server side ./punch-server-linux-amd64 -port 19993 client side make sure wireguard is

Nov 24, 2022
Use Consul to do service discovery, use gRPC +kafka to do message produce and consume. Use redis to store result.

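Contents: Introduction to gRPC/consul/kafka; gRPC+kafka demo; gRPC+kafka overall diagram; Rate limiter; Generating unique IDs with a redis-based counter; kafka produce and consume; kafka produce/consume diagram; The kafka produce/consume process in this article; pprof-based performance analysis demo; Using pprof to collect CPU/HEAP data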

Jul 9, 2022
Google pub/sub service easy way to use

easy pubsub Installation go get github.com/buraksecer/go-easy-pubsub v0.0.2 Example Firstly, you must Init new topic operation. topic.Init(clientId)

Nov 24, 2022