tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License
16.89k stars, 1.28k forks

No internet connecting through custom DERP relay server #11898

Closed adamk closed 3 weeks ago

adamk commented 3 weeks ago

What is the issue?

Recently renewed my custom DERP relay server's SSL cert and have lost the ability to use it. The SSL chain of trust is correct and I receive no errors in the derper.service logs. I'm able to see the DERP server using the subdomain in a web browser.

I use the below ACL and I can see in the Tailscale web admin page that it connects successfully to my Region 901 custom DERP relay server. But as soon as I force it to connect through my custom DERP relay server, I can't SSH into it anymore and using the exit node doesn't work anymore.

I previously was able to use this custom DERP server with only ports 80/TCP and 443/TCP forwarded from my Xfinity router to my Pi, but this time I had to add 3478/UDP to get it to at least connect to my DERP server. Now I just can't get it to pass internet traffic.


// Example/default ACLs for unrestricted connections.
{
    // Declare static groups of users. Use autogroups for all users or users with a specific role.
    // "groups": {
    //      "group:example": ["alice@example.com", "bob@example.com"],
    // },

    // Define the tags which can be applied to devices and by which users.
    //"tagOwners": {
    //  "tag:untrusted": ["autogroup:member"],
    //},

    // Define access control lists for users, groups, autogroups, tags,
    // Tailscale IP addresses, and subnet ranges.
    "acls": [
        // Match absolutely everything.
        // Comment this section out if you want to define specific restrictions.
        {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    ],
    "ssh": [
        // Allow all users to SSH into their own devices in check mode.
        // Comment this section out if you want to define specific restrictions.
        {
            "action": "check",
            "src":    ["autogroup:member"],
            "dst":    ["autogroup:self"],
            "users":  ["autogroup:nonroot", "root"],
        },
    ],
    "derpMap": {
        "OmitDefaultRegions": true,
        "Regions": {
            "901": {
                "RegionID":   901,
                "RegionCode": "my_region_name",
                "Nodes": [
                    {
                        "Name":     "derp",
                        "RegionID": 901,
                        "HostName": "derp.myhostname.com",
                    },
                ],
            },
        },
    },

    // Test access rules every time they're saved.
    // "tests": [
    //      {
    //          "src": "alice@example.com",
    //          "accept": ["tag:example"],
    //          "deny": ["100.101.102.103:443"],
    //      },
    // ],
}

Here's my firewall-cmd --list-all --zone public output

(screenshot, 2024-04-27: output of firewall-cmd --list-all --zone public; not reproduced as text)

Steps to reproduce

Updated SSL certs, re-installed derper with latest packages.

Are there any recent changes that introduced the issue?

Renewed SSL cert, tried both ZeroSSL and LetsEncrypt (both work fine).

OS

Linux

OS version

Debian GNU/Linux 11 (bullseye)

Tailscale version

1.64.0

Other software

go 1.22.2

Bug report

No response
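The derpMap and port-forwarding description in the report above give everything needed for an external probe. The script below is an added example, not code from the Tailscale project or from the issue author. It checks, from outside the LAN, the two things a Tailscale client relies on when it is forced onto a custom region: a verified TLS connection to 443/TCP (system trust store plus hostname check, so a chain that renders in a browser but is missing an intermediate fails here just as it does for the client) answering derper's GET /derp/probe endpoint, and a STUN Binding exchange on 3478/UDP (derper's default STUN port; 80/TCP is only needed for the ACME HTTP-01 challenge when derper manages its own certificate). The host name derp.myhostname.com is the placeholder from the derpMap above, and the timeouts and the constructed STUN fixture are assumptions of this example. If both checks pass from outside and the client still reports no connectivity, the problem is client-side state rather than the server, and `tailscale netcheck` on the affected machine is the next thing to compare against.

```python
"""Added example, not code from the Tailscale project or the issue author:
probe a self-hosted derper the way a client does.  Defaults assumed here:
443/TCP for TLS (DERP itself plus the GET /derp/probe health endpoint),
3478/UDP for STUN.  The hostname is the placeholder from the issue's derpMap.
"""
import http.client
import os
import socket
import ssl
import struct

STUN_MAGIC = 0x2112A442            # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Return (packet, txid) for a STUN Binding request with no attributes."""
    txid = txid if txid is not None else os.urandom(12)
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid, txid


def parse_binding_response(pkt, txid):
    """Return (ip, port) the server saw us as, from a Binding success response.
    Only IPv4 is handled; anything unexpected raises ValueError."""
    if len(pkt) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, magic = struct.unpack("!HHI", pkt[:8])
    if magic != STUN_MAGIC or pkt[8:20] != txid:
        raise ValueError("not a response to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % mtype)
    body = pkt[20:20 + mlen]
    if len(body) != mlen:
        raise ValueError("truncated STUN body")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values pad to 4 bytes
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if len(val) < 8 or val[1] != 0x01:    # val[0] reserved, val[1] family
            continue
        port, addr = struct.unpack("!HI", val[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:  # XOR form: undo the magic cookie
            port ^= STUN_MAGIC >> 16
            addr ^= STUN_MAGIC
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no MAPPED-ADDRESS attribute in response")


def check_tls_probe(host, port=443, timeout=5.0):
    """Verified TLS (system trust store + hostname check) and GET /derp/probe.
    Returns (HTTP status, certificate notAfter); derper answers the probe with 200."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/derp/probe")
        resp = conn.getresponse()
        resp.read()
        return resp.status, conn.sock.getpeercert().get("notAfter")
    finally:
        conn.close()


def check_stun(host, port=3478, timeout=3.0):
    """Send one Binding request over UDP and return the reflected (ip, port)."""
    pkt, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


def sample_binding_response(txid, ip, port):
    """Constructed fixture (not captured from a real server): a Binding success
    response carrying one XOR-MAPPED-ADDRESS attribute for an IPv4 peer."""
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    val = b"\x00\x01" + struct.pack("!HI", port ^ (STUN_MAGIC >> 16), addr ^ STUN_MAGIC)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(val)) + val
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr


def offline_selftest():
    """Round-trip the parser against the constructed fixture; returns (ip, port)."""
    txid = bytes(range(12))
    return parse_binding_response(sample_binding_response(txid, "203.0.113.7", 54321), txid)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "derp.myhostname.com"  # assumed
    print("offline parser check:", offline_selftest())
    print("tls+probe (status, notAfter):", check_tls_probe(host))
    print("stun reflected address:", check_stun(host))
```

Run it from a machine outside the home network, since the report involves router port forwarding and many consumer routers do not hairpin forwarded ports from the inside. A TLS failure here with a working browser usually means a missing intermediate in the chain derper serves; a STUN timeout with TLS working means 3478/UDP is not forwarded or is filtered on the host.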

adamk commented 3 weeks ago

Fixed. Had to restart my macOS Tailscale client (version 1.64.0).