Open hugopeixoto opened 1 month ago
with the Android set to "block connections without VPN"
The Block connections without VPN option only works if you are always using an exit node. If you're not using an exit node, having that option enabled is going to break your Internet connectivity. Are you using an exit node?
I am using an exit node, yes (see "Steps to reproduce"). I'm using tailscale to tunnel my mobile traffic through a server in my home connection.
I'm seeing this in your logs which could be the root cause of the issue:
10.1M/254.2M authReconfig: ra=true dns=true 0x02: No virtual method excludeRoute(Landroid/net/IpPrefix;)Landroid/net/VpnService$Builder; in class Landroid/net/VpnService$Builder; or its super classes (declaration of 'android.net.VpnService$Builder' appears in /system/framework/framework.jar!classes2.dex)
Do you happen to use the built-in Android Private DNS feature?
Android's "Private DNS" is Off. I have a Pi-Hole running on my home network, which is set in Tailscale DNS.
A quick search pointed out that excludeRoute is related to "Split tunneling", which seems to have been introduced in Android 13 according to Android's documentation on Tethering.
I have seen Split Tunneling mentioned in Tailscale's 1.70.0 changelog, stating "Android: New: Use split tunneling to force or exclude app traffic through your tailnet."
My phone is running Android 11. Could it be that the new app depends on an API that is not available for older devices?
Edit: the call to excludeRoute was introduced here https://github.com/tailscale/tailscale-android/pull/324, first released in tag 1.65.167-t258b5042f-g5c494450af4.
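The comment above ties the logged error to excludeRoute not existing on Android 11. As an added example (not code from the tailscale-android project), this Go sketch shows one way a client can stay fail-safe on older devices: below the API level that has excludeRoute, it rewrites "base minus excluded prefixes" into include-only routes. It assumes excludeRoute(IpPrefix) first exists at API level 33 (Android 13); `Plan`, `subtract` and the sample prefixes are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Assumption: VpnService.Builder.excludeRoute(IpPrefix) first exists at API level 33 (Android 13).
const apiExcludeRoute = 33

// subtract returns the prefixes covering everything in from that is not in excl.
func subtract(from, excl netip.Prefix) []netip.Prefix {
	from, excl = from.Masked(), excl.Masked()
	if !from.Overlaps(excl) {
		return []netip.Prefix{from}
	}
	if excl.Bits() <= from.Bits() {
		return nil // excl covers all of from
	}
	bits := from.Bits() + 1 // split from into its two halves and recurse
	raw := from.Addr().AsSlice()
	raw[(bits-1)/8] |= byte(0x80) >> uint((bits-1)%8)
	upper, _ := netip.AddrFromSlice(raw)
	lo, hi := netip.PrefixFrom(from.Addr(), bits), netip.PrefixFrom(upper, bits)
	return append(subtract(lo, excl), subtract(hi, excl)...)
}

// Plan (hypothetical helper) returns include/exclude lists; below API 33 exclusions fold into includes.
func Plan(sdk int, base netip.Prefix, excluded []netip.Prefix) (include, exclude []netip.Prefix) {
	include = []netip.Prefix{base}
	if sdk >= apiExcludeRoute {
		return include, excluded
	}
	for _, ex := range excluded {
		var next []netip.Prefix
		for _, r := range include {
			next = append(next, subtract(r, ex)...)
		}
		include = next
	}
	return include, nil
}

func main() {
	// Constructed sample: Android 11 (API 30), full tunnel minus one LAN prefix.
	lan := []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")}
	inc, exc := Plan(30, netip.MustParsePrefix("0.0.0.0/0"), lan)
	fmt.Println(len(inc), "include routes,", len(exc), "exclude routes")
}
```

On the Android side, the include list would be passed to addRoute one prefix at a time, and the exclude list is only non-empty when the device can accept it.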
What is the issue?
Today I upgraded Tailscale on Android 11 to 1.70.0, and I could no longer send traffic through the exit node.
I'm not sure which version I had previously, but the UI was very different, so I think it was the "legacy" app I've seen mentioned in some issues. This is installed via F-Droid (1.70.0-td601f16e1-g6deb61a20e5 on a Samsung Galaxy A40 with Android 11).
After upgrading, with the Android set to "block connections without VPN" and "Always-on VPN", I can't connect to the internet. I can see the list of my other devices on the tailscale app, and even use the "ping" functionality on that screen, but I can't, for example, access http://100.x.x.x:8080 from the phone, while I can from the exit node. The Android drawer has the Tailscale notification saying "Connected" and an Android System notification saying "Disconnected from always-on VPN / Change network or VPN settings".
I tried uninstalling 1.70 and installing 1.68, but it suffers from the same problem. I can no longer install the legacy app (F-Droid doesn't have it anymore, I think), so I can't confirm that the upgrade to the new version was the problem, but it was immediately after upgrading that it stopped working.
Steps to reproduce
Are there any recent changes that introduced the issue?
Upgrade from legacy app to new app
OS
Android
OS version
Android 11
Tailscale version
1.70.0
Other software
No response
Bug report
BUG-2b9e3c0741f4be9aa3ff7dafe3f5862930da595c41b7af407cd7804339a7166a-20240812171443Z-fdd026ebf0d97013