search

tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License
19.56k stars 1.53k forks source link

Using exit node causes Parallels Desktop network subnet unreachable #7454

Open jungin500 opened 1 year ago

jungin500 commented 1 year ago

What is the issue?

While using Tailscale along with Parallels Desktop, enabling exit node makes Parallels network interface (bridge100, bridge101, ...) subnet is not reachable from Host machine. Guest VM still had internet connection but couldn't ping each other(Host->Guest, Guest->Host).

Disabling exit node and restarting Parallels network interface through ifconfig bridge101 down; ifconfig bridge101 up resolves problem.

Steps to reproduce

  1. Start Parallels Desktop with Tailscale exit node disabled
  2. Ping each other (Host->VM, VM->Host) through Host-Only Network interface bridge101 succeded
  3. Enable using Tailscale exit node
  4. Step 2 failed. Also tried traceroute at this point but traiffic falls through Host network interface's gateway (public network), not a Tailscale network nor bridge101 interface subnet.

Are there any recent changes that introduced the issue?

I haven't used this combination, so I can't conclude software update could be possible issue.

OS

macOS

OS version

macOS Ventura 13.2.1

Tailscale version

1.36.2 (App Store)

Other software

Firewalls

Ad-Blockers

Bug report

BUG-0a2c38da09ffdaf500b0f7174416f5772ab4fb18e7297f30e19c55beff1c6eb2-20230304065900Z-fae07145e379bdf9

DentonGentry commented 1 year ago

There is something about the addressing which isn't matching what was programmed into Wireguard. [vbziu] is the exit node.

2023-03-04 06:54:10.557418 +0000 UTC: peer keys: [vbziu]
2023-03-04 06:54:20.353862 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
2023-03-04 06:54:20.354145 +0000 UTC: wg: [vbziu] - Received handshake initiation
2023-03-04 06:54:20.354175 +0000 UTC: wg: [vbziu] - Sending handshake response
2023-03-04 06:54:20.415299 +0000 UTC: wg: [vbziu] - Receiving keepalive packet
2023-03-04 06:54:22.425246 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
2023-03-04 06:54:32.426778 +0000 UTC: wg: [vbziu] - Sending keepalive packet
2023-03-04 06:54:51.748462 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
2023-03-04 06:55:01.749751 +0000 UTC: wg: [vbziu] - Sending keepalive packet
2023-03-04 06:55:37.773954 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
2023-03-04 06:55:47.77561 +0000 UTC: wg: [vbziu] - Sending keepalive packet
2023-03-04 06:56:06.943972 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
2023-03-04 06:56:16.945536 +0000 UTC: wg: [vbziu] - Sending keepalive packet
2023-03-04 06:56:20.682345 +0000 UTC: wg: IPv4 packet with disallowed source address from [vbziu]
...
2023-03-04 06:59:18.928263 +0000 UTC: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:q:r]:50660 => [2606:x::x:x]:443) to node [vbziu]; online=yes, lastRecv=4s
2023-03-04 06:59:18.994624 +0000 UTC: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:q:r]:50661 => [2606:x::x:x]:443) to node [vbziu]; online=yes, lastRecv=4s
2023-03-04 06:59:18.995222 +0000 UTC: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:q:r]:50662 => [2606:x::x:x]:443) to node [vbziu]; online=yes, lastRecv=4s
2023-03-04 06:59:19.018358 +0000 UTC: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:q:r]:50663 => [2606:x::x:x]:443) to node [vbziu]; online=yes, lastRecv=4s
2023-03-04 06:59:19.253875 +0000 UTC: open-conn-track: timeout opening (TCP [fd7a:115c:a1e0:ab12:4843:cd96:q:r]:50673 => [2606:x:x::x]:443) to node [vbziu]; online=yes, lastRecv=5s
DentonGentry commented 1 year ago

2023-03-04 07:00:22.737974 +0000 UTC: allowing exit node access to local IPs: [127.0.0.0/8 fe80::/64]

https://github.com/tailscale/tailscale/blob/a9c17dbf939049ba7fc8f0be0bc1cb3510753287/ipn/ipnlocal/local.go#L3433 is trying to add the local interfaces used for VMs when --exit-node-allow-lan-access is set, but it doesn't appear to be handling Parallels.

https://github.com/tailscale/tailscale/blob/a9c17dbf939049ba7fc8f0be0bc1cb3510753287/ipn/ipnlocal/local.go#L1607

DentonGentry commented 1 year ago

Likely duplicate of https://github.com/tailscale/tailscale/issues/2339

DentonGentry commented 1 year ago

Submitter suggests: https://github.com/jungin500/tailscale/commit/1d1d2386a472cbc59ceb3140ebdc695fdc49290d

mikescott commented 1 year ago

Is there any update on this or #2339 ?