dolceAlka
commented
2 months ago after some digging it appears the device is also unreachable from the tailscale admin panel, likely because the service phones the coordination server over the non exit node interface, so the best solution would be the option to save configs from controlpanel.tailscale.com from the last valid connection, using that to initiate an exit node tunnel and then all communication with DERP and the coordination server can be handled over that (using an option of course)
What are you trying to do?
Tailscale has recently been blocked by fortiguard under the remote acccess category, which breaks tailscale usage by blocking access to the controlplane. My current workaround is to use my phone to fetch the controlplane and then connect to an exit node. With this I am able to ping and connect to devices that have a direct connection, but not devices behind a DERP server, likely because the domain name for the tailscale derp server is being blocked by fortiguard.
How should we solve this?
Possible fix 1: Communication with control server returns a list of currently valid DERP ip addresses (assuming the reason that domains are used in DERP server is to have the ability to change it) Possible fix 2: Initiating connections to DERP server happens over the exit node. Possible fix 2.5: option to access tailnet devices from the exit node Possible fix 2.6? Use an exit node if the DERP server is unreachable to connect to it.
What is the impact of not solving this?
DERP servers non functional behind a fortiguard firewall
Anything else?
No response