TAILMON [RELEASE] TAILMON v1.0.12 -May 23, 2024- WireGuard-based Tailscale Installer, Configurator and Monitor (Now available in AMTM!)

Haha maybe you or @ColinTaylor can raise a ticket on Tailscale's GitHub. Maybe other Arch Linux users (GLiNET, Openwrt) have a similar issue and it’ll gain traction (unless someone already complained..)
Meh. It's either probably "by design", or "for security reasons", or "due to limitations in the OS". ;)
 
No problem there with technical nous, was just seeing if you could, with ALL your current settings under userspace mode, make the change to kernel mode and see if it fails, thus confirming it is a mode change that makes it go TU. Thanks 🙏

I just switched to Kernel mode. The subnet routes to the RPis stopped working. I then switched back to Userspace mode and they immediately started working again.
 
I just switched to Kernel mode. The subnet routes to the RPis stopped working. I then switched back to Userspace mode and they immediately started working again.
Great, thanks for doing the trial, always great when it is repeatable :).

I can't help you fix it (not enough expertise) and I am not sure if ColinTaylor would ask you to turn off these and try again, to see if it is the combination with Kernel and either one or both of those, but you've certainly narrowed it down to the Kernel mode; either by itself or in combination with something else (e.g. QoS and AiProtection), whereas userspace doesn't get affected, either alone or by that combination. [you noted "I have QoS and AiProtection both enabled"].
 
Last edited:
I just switched to Kernel mode. The subnet routes to the RPis stopped working. I then switched back to Userspace mode and they immediately started working again.
I'm able to confirm the same behavior. When I switch to "standard" tailmon kernel mode, I can no longer access my router from remote. When I switch back to userspace mode, everything works perfectly. Not sure what it could be. But this is the same problem I've had from the start with kernel mode. Tested on both my GT-AX6000 and RT-AX88U.
 
Last edited:
Connecting to the Raspberry Pi using the local IP 192.168.*.* works normally in kernel mode.
If you're trying to access it using the Tailnet IP, which starts with 100.*.*.*, that requires the user to serve the services on the Tailnet.

To access from the Internet remotely you need to use funnel.

Here are examples from Tailscale cli:

Code:
Serve content and local servers on your tailnet

USAGE
  tailscale serve <target>
  tailscale serve status [--json]
  tailscale serve reset

Tailscale Serve enables you to share a local server securely within your tailnet.

To share a local server on the internet, use `tailscale funnel`

<target> can be a file, directory, text, or most commonly the location to a service running on the
local machine. The location to the location service can be expressed as a port number (e.g., 3000),
a partial URL (e.g., localhost:3000), or a full URL including a path (e.g., http://localhost:3000/foo).

EXAMPLES
  - Expose an HTTP server running at 127.0.0.1:3000 in the foreground:
    $ tailscale serve 3000

  - Expose an HTTP server running at 127.0.0.1:3000 in the background:
    $ tailscale serve --bg 3000

  - Expose an HTTPS server with invalid or self-signed certificates at https://localhost:8443
    $ tailscale serve https+insecure://localhost:8443

For more examples and use cases visit our docs site https://tailscale.com/kb/1247/funnel-serve-use-cases

SUBCOMMANDS
  status  View current serve configuration
  reset   Reset current serve config

FLAGS
  --bg, --bg=false
        Run the command as a background process (default false)
  --http uint
        Expose an HTTP server at the specified port
  --https uint
        Expose an HTTPS server at the specified port (default mode)
  --set-path string
        Appends the specified path to the base URL for accessing the underlying service
  --tcp uint
        Expose a TCP forwarder to forward raw TCP packets at the specified port
  --tls-terminated-tcp uint
        Expose a TCP forwarder to forward TLS-terminated TCP packets at the specified port
  --yes, --yes=false
        Update without interactive prompts (default false)

Edit:
It would be helpful for debugging the issue if people facing the issue with kernel mode could post how to replicate it.
 
Last edited:
Sure enough... that "tailscale serve" command did the trick... and I was able to get to my router web UI remotely in kernel mode! But what a PITA! You would have to run a separate command each time that would have it run in the background just for this to work... and may require one of the URL approvals each time. Actually, it looks like you can run the serve command without intervention the next time around. Still. UGH.

The fact that this just works out-of-the-box under userspace mode makes things so much easier. Think I'll just keep using that.

I appreciate your advice on this! :) @ColinTaylor... this might be a good addition for your Wiki?
 
Last edited:
Has anyone updated to the latest 1.66.4 version?

Not sure if this is normal, due to the new version but had the following symptoms:

- Update worked fine
- Service was showing as started
- Connection was showing as disconnected

Every time I tried to manually UP the connection, I only get a quick flash of a message appearing

Fix:
- Changed tailscale operating mode from Userspace to Custom
- Changed the CMDS parameter from --advertise-routes=<subnet address>/24 to --advertise-routes=<subnet address>/24 --stateful-filtering

Upon acceptance of change, service was restarted successfully, and connection came up with no issues

Again, not sure if this is correct behaviour or not but just wanted to mention
 
Has anyone updated to the latest 1.66.4 version?
snip
- Connection was showing as disconnected

Every time I tried to manually UP the connection, I only get a quick flash of a message appearing

Fix:
- Changed tailscale operating mode from Userspace to Custom
- Changed the CMDS parameter from --advertise-routes=<subnet address>/24 to --advertise-routes=<subnet address>/24 --stateful-filtering

Upon acceptance of change, service was restarted successfully, and connection came up with no issues

Again, not sure if this is correct behaviour or not but just wanted to mention
Dang, you're absolutely right. Didn't see that when I updated.

Couldn't screen-capture the message (too fast) but I went out of Tailmon to the CLI and just typed tailscale up, went back into Tailmon and it seems it connected OK. No other changes, I was and remain in Kernel mode.
 

Attachments

  • Stopped.jpg
Very odd, as previously the only difference between yours and mine is the Operating Mode, I had mine in Userspace

As a test, I just reverted my Custom additional command line, to remove --stateful-filtering and just advertise the route.
Saved, and as expected the connection failed to go up and remained disconnected

I then decided to replicate your configuration by moving the Operating Mode from Custom to Kernel, but again no luck the Connection would not come up
Have reverted finally back to something that works i.e. Operating Mode = Custom, and the CMD line arguments of having advertise-routes and the addition of enabling --stateful-filtering

I'll see if I can find some more logs, as the logs in tailmon are a little too simple with their outputs at present

ps
One more thing, as I forgot something in reading your message again...

Although I removed the --stateful-filtering and the connection did not come up, if you exit tailmon and issue the command tailscale up and go back into tailmon, the connection is up.
So it seems like some kind of issue in tailmon itself... what, I do not know
 
Last edited:
then decided to replicate your configuration
Odd that it didn't work doing that. Wonder what your config or setup has that mine doesn't or vv?
Mine's a very simple setup. Kernel mode, subnet, no exit node, no special options but see attached.
 

Attachments

  • Config.jpg
  • More Config.jpg
Just added something to my message above your last one @jksmurf
I didn't try running tailscale up in the command line itself, that worked regardless of the operating mode and tailmon reports it connected
 
Just added something to my message above your last one @jksmurf
I didn't try running tailscale up in the command line itself, that worked regardless of the operating mode and tailmon reports it connected
Alrighty then; hopefully @Viktor Jaep has enough to go on there and I am sure when he wakes up bright-eyed and bushy-tailed it'll be fixed in a jiffy. All good.

EDIT: Also happens if I change from Kernel to Custom Mode and vv.
 
Last edited:
This TAILMON script is great, thanks!
I have 2 routers connected via the Internet, each running tailscale as exit node.

Home router H has LAN ip A.A.A.1 and tailscale (exit node and advertising its LAN - if tailscale0) IP X.X.X.X => LAN range is A.A.A.x
Remote router R has LAN ip B.B.B.1 and tailscale (exit node and advertising its LAN - if tailscale0) IP Y.Y.Y.Y => LAN range is B.B.B.x

I would like that all systems in HOME LAN A.A.A.x automatically connect to the remote router's LAN via the tailscale tunnel.
How do I need to set this up at the Home router? use a static route? using iptables config? both?
Who can help what to configure to make Home router the default gateway for only the Remote router's LAN IP range?
Thanks!
 
Not 100% sure but I think what you are after is site to site, if so, see the post in that link and also Colin's post which refers to Tailscale's site to site instructions.

Essentially what Viktor said:

--accept-routes accept subnet routes that other nodes advertise. Linux devices default to not accepting routes.

i.e. ... use the "Custom" operating mode, and add that --accept-routes switch.

i.e. append “--accept-routes” after “--advertise-routes=192.168.X.Y/24” on the command line.

Note with the latest 1.66.4 I believe you no longer need to actively disable stateful-filtering per Colin's post; it is now disabled by default.

To get into Custom mode either:

For Custom Commandline Options, go to (C), 3, 3 for Custom (of Userspace, Kernel, Custom), exit (e), y to restart the services then you should get a prompt to customize the Tailscale settings, choose y, then select (4) and amend the above line.

OR

For Custom Commandline Options, go to (C), 3, 3 for Custom (of Userspace, Kernel, Custom), exit (e), n, then you should see the extra menu under the Custom Menu, (O), where you can amend the Custom Tailscale settings, you then select (4) and amend the above line. If you say (n) to a restart, you will need to restart it manually from the main menu after you make the changes.

With Custom Mode enabled, you will (from this point on) see the extra menu under the Custom Menu, (O), where you can amend the settings again if needed.

Let us know how you get on :)

@Viktor Jaep see the StepE attachment; some weird double (y) questions and an error (from 1.66.4 maybe?) plus as above, tailscale went down OK, but did not come up again, until I did a CLI tailscale up?
 

Attachments

  • StepA-B.jpg
  • StepC-3_Custom_from_Other_Mode.jpg
  • StepD-e_Exit_Custom_Restart.jpg
  • StepE-y_CustomizeLine.jpg
  • StepF-4_Change CMD Line_And_FinalMenu.jpg
Last edited:
Not 100% sure but I think what you are after is site to site, if so, see the post in that link and also Colin's post which refers to Tailscale's site to site instructions.

Essentially what Viktor said:



i.e. append “--accept-routes” after “--advertise-routes” on the command line.

Note with the latest 1.66.4 I believe you no longer need to actively disable stateful filtering per Colin's post; it is now disabled by default.

To get into the Custom Commandline Options, go to (C), 3, 3 for Custom (of Userspace, Kernel, Custom), exit (e), y, then you should get a prompt to customize the Tailscale settings, you then select (4) and amend the above lines.

You will also see an extra menu under the Custom Menu, (O), where you can amend it again if needed.

Let us know how you get on :)
Thanks!
I have looked at the site-to-site, but there's something missing and I do not know how to correctly configure it.
My ip route show does not show a route to route B.B.B.B/24 via the tailscale0 interface.
 
Great... gotta love how rapid development on their end is breaking the functionality of their client due to added or deprecated features. I'll start reading up on the .4 changelogs and start playing with it on my test router. Ugh. Thanks for the heads-up!
 
Hello, I first wanted to say that this is awesome!! Thank you so much for this, I have been hoping for a long while something like this would be created.

I also wanted to post that the solutions mentioned earlier also worked for me. I have 2 ax86u routers, one at home and one remote. I was not able to access or ping my devices on the remote network, and adding --accept-routes to the custom values for command line fixed it.

Code:
--advertise-routes=x.x.x.0/24 --accept-routes

Thank you everyone!!
 
Last edited:
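
An added example (not part of any post in this thread, and not TAILMON or Tailscale code) for two checks that come up above: linting a Custom-mode command line for slips such as a space inside a flag name, and confirming that an accepted subnet route is installed. It assumes kernel mode with the tailscale0 interface, where Tailscale on Linux installs its routes in routing table 52 rather than the main table; the function names, the flag allowlist and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not TAILMON or Tailscale code. KNOWN holds only the flags
# discussed in this thread; extend it for your own setup.
KNOWN="--advertise-routes --accept-routes --stateful-filtering"

# valid_cidr A.B.C.D/N: succeeds if octets are 0-255 and the prefix is 0-32
valid_cidr() {
    case "$1" in */*/*|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    vc_addr=${1%/*}; vc_len=${1#*/}
    case "$vc_len" in ""|*.*) return 1 ;; esac
    [ "$vc_len" -le 32 ] || return 1
    vc_ifs=$IFS; IFS=.; set -- $vc_addr; IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_o in "$@"; do
        [ -n "$vc_o" ] && [ "$vc_o" -le 255 ] || return 1
    done
}

# lint_up_args "ARGS": one finding per line, no output means clean.
# Stricter than the CLI itself: values must use the --flag=value form.
lint_up_args() {
    set -f                                  # no globbing while word-splitting
    for tok in $1; do
        case "$tok" in
            --) echo "stray '--': a flag name was split by a space" ;;
            --advertise-routes=*)
                la_ifs=$IFS; IFS=,
                for r in ${tok#*=}; do
                    valid_cidr "$r" || echo "bad route: $r"
                done
                IFS=$la_ifs ;;
            --*)
                case " $KNOWN " in
                    *" ${tok%%=*} "*) ;;
                    *) echo "unknown flag: ${tok%%=*}" ;;
                esac ;;
            *) echo "bare word: $tok" ;;
        esac
    done
    set +f
}

# route_in_table52 CIDR: reads `ip route show table 52` output on stdin and
# succeeds if CIDR is routed via tailscale0 (plain `ip route show` omits it).
route_in_table52() {
    awk -v c="$1" '$1 == c && $2 == "dev" && $3 == "tailscale0" { f = 1 } END { exit !f }'
}

# Constructed sample of `ip route show table 52` (not from a real router)
SAMPLE_TABLE52='100.64.0.2 dev tailscale0
192.168.60.0/24 dev tailscale0'

lint_up_args "--advertise-routes=192.168.50.0/24 -- stateful-filtering"
printf '%s\n' "$SAMPLE_TABLE52" | route_in_table52 192.168.60.0/24 && echo "route installed"
```

On a router in kernel mode, feed the second check live data with `ip route show table 52 | route_in_table52 <remote subnet>/24`.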
Has anyone noticed this message before in TailMon

# Health check:
# - Linux DNS config not ideal. /etc/resolv.conf overwritten. See https://tailscale.com/s/dns-fight


Literally only noticed it this morning and never seen previously.
I looked at the said /etc/resolv.conf and it contains my Pi-Hole DNS servers (I have two Pi-Holes acting as Primary / Secondary DNS) and I use DNS Director to force all DNS traffic to them.

Does anyone know what /etc/resolv.conf on the Router had previously or even existed?
Things still working normally, just wondering more than anything
 
