What is the issue?
Recently renewed my custom DERP relay server's SSL cert and have lost the ability to use it. The SSL chain of trust is correct and I receive no errors in the derper.service logs. I'm able to see the DERP server using the subdomain in a web browser.
I use the below ACL and I can see in the Tailscale web admin page that it connects successfully to my Region 901 custom DERP relay server.
But as soon as I force it to connect through my custom DERP relay server, I can't SSH into it anymore and using the exit node doesn't work anymore.
I previously was able to use this custom DERP server with only ports 80/TCP and 443/TCP forwarded from my Xfinity router to my Pi, but this time I had to add 3478/UDP to get it to at least connect to my DERP server. Now I just can't get it to pass internet traffic.
```jsonc
// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // "groups": {
  //   "group:example": ["alice@example.com", "bob@example.com"],
  // },

  // Define the tags which can be applied to devices and by which users.
  // "tagOwners": {
  //   "tag:untrusted": ["autogroup:member"],
  // },

  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "acls": [
    // Match absolutely everything.
    // Comment this section out if you want to define specific restrictions.
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],

  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "901": {
        "RegionID": 901,
        "RegionCode": "my_region_name",
        "Nodes": [
          {
            "Name": "derp",
            "RegionID": 901,
            "HostName": "derp.myhostname.com",
          },
        ],
      },
    },
  },

  // Test access rules every time they're saved.
  // "tests": [
  //   {
  //     "src": "alice@example.com",
  //     "accept": ["tag:example"],
  //     "deny": ["100.101.102.103:443"],
  //   },
  // ],
}
```
Here's my `firewall-cmd --list-all --zone public` output
Steps to reproduce
Updated SSL certs, re-installed derper with latest packages.
Are there any recent changes that introduced the issue?
Renewed SSL cert, tried both ZeroSSL and Let's Encrypt (both work fine).
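As an added diagnostic (not part of the original issue or of Tailscale's own tooling), a small Python checker that exercises the three things this report touches from the client side: the renewed certificate as validated through the system trust store, the derper's `/derp/probe` HTTP endpoint on 443/TCP, and a STUN Binding Request on 3478/UDP. The hostname `derp.myhostname.com` is the placeholder from the ACL above, and the STUN message layout follows RFC 5389.

```python
import os, socket, ssl, struct, time

STUN_MAGIC = 0x2112A442            # RFC 5389 magic cookie
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_stun_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN Binding Request: type, zero attribute length, magic cookie, 12-byte transaction ID."""
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC) + txn_id

def parse_stun_binding_response(data: bytes, txn_id: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if this is not a matching IPv4 success response."""
    if len(data) < 20 or data[8:20] != txn_id:
        return None
    mtype, length, magic = struct.unpack("!HHI", data[:8])
    if mtype != STUN_BINDING_SUCCESS or magic != STUN_MAGIC:
        return None
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen >= 8 and val[1] == 0x01:
            port = struct.unpack("!H", val[2:4])[0] ^ (STUN_MAGIC >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", struct.unpack("!I", val[4:8])[0] ^ STUN_MAGIC))
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to a 4-byte boundary
    return None

def probe_derp_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect using the system trust store (as tailscaled does), then GET the derper's /derp/probe endpoint."""
    ctx = ssl.create_default_context()  # verifies chain and hostname; a bad chain raises ssl.SSLCertVerificationError
    with socket.create_connection((hostname, port), timeout=timeout) as raw, ctx.wrap_socket(raw, server_hostname=hostname) as tls:
        expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
        tls.sendall(f"GET /derp/probe HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode())
        status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return {"cert_days_left": round((expires - time.time()) / 86400, 1), "probe_status": status}

def probe_derp_stun(hostname: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding Request to the derper's STUN port; None means 3478/UDP is not reachable (not forwarded or filtered)."""
    txn = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_stun_binding_request(txn), (hostname, port))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return parse_stun_binding_response(data, txn)
```

Run `probe_derp_tls("derp.myhostname.com")` and `probe_derp_stun("derp.myhostname.com")` from the same network the failing client is on; a `probe_status` other than `HTTP/1.1 200 OK`, a certificate error, or a `None` from the STUN probe points at the cert, the 443/TCP forward, or the 3478/UDP forward respectively.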
OS
Linux
OS version
Debian GNU/Linux 11 (bullseye)
Tailscale version
1.64.0
Other software
go 1.22.2
Bug report
No response