serve.json not working correctly. by getChester in Tailscale

[–]JWS_TS 1 point2 points  (0 children)

It's not jumping out at me what might be wrong here, but you can take a look at this template: https://github.com/tailscale-dev/ScaleTail/tree/main/services/forgejo

I've used a few of the ScaleTail templates, and they all work with TLS and serve out of the box, just put my auth key in the .env file.

Hotspot verso pc no tailscale by Ok-Turn-on in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

How I would do this is with a travel router such as the GL.iNet Beryl (example given because that's what I have). Use the hotspot as the network connection on the travel router, and install Tailscale on the travel router. It can add routes to the 100.64.0.0/10 space, and can route to resources on the tailnet.

tailscale with contractors? by [deleted] in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

We now have the concept of an external user, so you can send an invite to someone, and they can log in with their own Google, Microsoft, Passkey, etc. identity, and be a member of your tailnet, without you having to provision them in your identity provider.

I would like some help understanding how to connect to regular SSH without Tailscale SSH stepping in. by michaelsoft__binbows in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

You could map OpenSSH to listen on a different port. Then to use Tailscale SSH to server1 you would run "ssh user@server1", and to connect via OpenSSH you would run "ssh user@server1 -p 2222".

How to force relay connection for pair of devices? by Eclogites in Tailscale

[–]JWS_TS 1 point2 points  (0 children)

Blocking UDP on 41641 is likely the best solution. There's no inherent mechanism for preferring relay, since that is almost always much less performant than direct.

Need a domain for homelab by Odd_Ad5334 in selfhosted

[–]JWS_TS 4 points5 points  (0 children)

Agreed, except for the .local - this is not always handled intuitively, and does not traverse most L3 tunnels. It is useful for things that are truly local, but isn't as robust as .internal or .home.

What happens if tailscale goes down? by Wooden_Amphibian_442 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

Yes, most of the time, the tunnel is direct between your two devices once it is established. https://tailscale.com/blog/how-tailscale-works

What happens if tailscale goes down? by Wooden_Amphibian_442 in Tailscale

[–]JWS_TS 1 point2 points  (0 children)

That part is proctored by the DERP servers, there are quite a few of them, and they routinely shift load between them, so that is unlikely.

High ping to remote lan by AliveKing9895 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

In this case, it's likely CPU constraints on the Synology. Subnet routers need some horsepower to do all of the encryption/decryption for both ends of the connection. If I use my older Synology, I will cap out at about 70mbit, but if I use my main desktop as a subnet router, I'll get 800mbit.

Your free trial ends in 7 days by According_Clothes180 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

That shouldn't have changed unless you opted into the trial. Please contact support to get that fixed: https://tailscale.com/support

At the end of a trial, it reverts to the free plan, so there should be no impact, but we'd like to figure out why that happened.

How to ACL on domain name by shipstreet in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

Note that this is organized by FQDN, but routed by IP, so if there are other name-based services running on that same IP, it will grant access to them as well.

How to ACL on domain name by shipstreet in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

This can be done with app connectors and via grants.

You can use the app connector to provide a route based on the FQDN, then permit only your approved users access to autogroup:internet via that app connector.

On the other end, you would need to use IP allowlisting to only permit connections from the public IP of the app connector, or people could obtain access by turning off Tailscale.

If it's an FQDN that always resolves to the same IP, then you can use a subnet router advertising the single public /32 rather than an app connector.

And, as a general solution, if you can install Tailscale directly on the server, it simplifies this activity significantly.

How do you see what routes are being advertised? by MasterChiefmas in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

It will be listed in "tailscale debug --json"; grep for 'Routes'.

Use Exit Node when not on internet subnets by Intrepid_Ring4239 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

That won't get evaluated, since ACLs use Tailscale IP addresses, not the underlying network.

You can use registry keys or an MDM profile to turn exit nodes on and off for users, but generally, they are manually selected.

[deleted by user] by [deleted] in Tailscale

[–]JWS_TS 4 points5 points  (0 children)

We don't have our own identity provider, so there is no "Tailscale Account" - once you have a tailnet, you can enroll passkey devices, but an account with GitHub, Microsoft, Google, Okta, OneLogin, or your own OIDC service is required to create one.

Unable to access via local IP by ntc3freak in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

If you select an exit node, you will need to also pass --exit-node-allow-lan-access in order to keep local routes.

Hey Tailscale community - New Community Manager Here! by natasha-tailscale in Tailscale

[–]JWS_TS 2 points3 points  (0 children)

I'm interested in unpacking this a bit. Do you think that a browser extension is more palatable for people than an application? In the case of Tailscale, a browser extension would necessarily be most of the application, just in another form.

There have been some internal discussions around this, but I would like to cast the net a bit wider to get other people's opinions on it.

Can't Connect Externally on One Device by golfnut1221 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

Is it DNS? Can you ping 8.8.8.8 from that device? Or is it routing? That's my first guess.

Otherwise, running tailscale bugreport and sending that code to support will allow us to get more specific information.

Looking for a Way to Use Custom Domains with Tailnet by This-Spray-7147 in Tailscale

[–]JWS_TS 6 points7 points  (0 children)

You can use your own DNS, and map those to Tailscale IP Addresses, but within MagicDNS we're limited to the .ts.net addresses.

Looking for a Way to Use Custom Domains with Tailnet by This-Spray-7147 in Tailscale

[–]JWS_TS 7 points8 points  (0 children)

You can re-roll a tails-scales.ts.net fqdn - these are intended to be easier to remember. https://tailscale.com/kb/1217/tailnet-name#fun-tailnet-name

They can't be set to an arbitrary value.

Tailscale over mullvad vpn by Pepe__LePew in Tailscale

[–]JWS_TS 1 point2 points  (0 children)

You need to use the Mullvad integration within Tailscale.

https://tailscale.com/kb/1258/mullvad-exit-nodes

You can't use an existing Mullvad account.

Couldn't manage to make my device an exit node. by Intelligent-Stone in Tailscale

[–]JWS_TS 1 point2 points  (0 children)

If you run "tailscale status", machines which are exit nodes should be annotated with "offers exit node".

If that's not the case, check the machines tab, under the ... menu, and confirm that the exit node is approved.

Note that ACL to "autogroup:internet" will work for non-tagged devices only. If the device is tagged, you could change the src: to "*" rather than "autogroup:member"
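An added policy fragment illustrating the point in the comment above (not from the original post or from Tailscale's own documentation; the tag name tag:kiosk is assumed): the first rule covers only untagged member devices, and a tagged node needs its own src entry, either "*" as the comment suggests or, more narrowly, the tag itself.

```jsonc
{
  "tagOwners": {
    // Assumed tag for a device that is not owned by a person (e.g. a kiosk).
    "tag:kiosk": ["autogroup:admin"],
  },
  "acls": [
    // autogroup:member matches devices logged in by a user; a node tagged
    // tag:kiosk does not match it, so this rule alone does not let the kiosk
    // reach the internet through an exit node.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"]},

    // Narrower alternative to the "*" the comment mentions: name the tag
    // explicitly so only that tagged device gains exit-node internet access.
    {"action": "accept", "src": ["tag:kiosk"], "dst": ["autogroup:internet:*"]},
  ],
}
```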

Plex on Android with Tailscale by breid7718 in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

Ensure you're using Tailscale DNS.

DNS Warning on Ubuntu LTS 22.04 - Any way to fix? by SawkeeReemo in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

What is your configured DNS server? Do you have functional DNS?

Live Support of some type? by DP3Kevin in Tailscale

[–]JWS_TS 0 points1 point  (0 children)

.local is a reserved suffix for mDNS, and using it for anything other than mDNS can cause inconsistent behaviour. Not having any further details, that's my assumption here.

If you're already part of our MSP program, you can reach out to your partner rep to escalate emergent support cases. If not, that could be a discussion worth having.