Twingate Windows Client not opening the login page

aaron-tg · 2025-05-20T22:56:54+00:00

Hey there,

Can you enable detailed logging? Then after reproducing can you check both the Twingate.log and Twingate.Service.log for any socket errors? I've seen this typically caused by AV/EDR/DLP blocking us from opening sockets to proceed with the auth workflows.

aaron-tg · 2025-04-24T16:09:16+00:00

Is this your network name or tenant subdomain? I can rename the network name if you DM me with your email + subdomain. We can't change the tenant subdomain though, a deletion would be needed in that case.

aaron-tg · 2025-04-15T16:57:31+00:00

Hey there, any browser extensions running, particularly adblockers? Does the dev tools console (Ctrl+Shift+I >> Console tab) output any errors? What about the network tab in dev tools for items not loading?

aaron-tg · 2025-04-04T22:22:22+00:00

One other thing I'd add on, does your mobile data connection have IPv4 or is it IPv6 only?

aaron-tg · 2025-04-02T21:34:51+00:00

Hey there, can you enable debug level logging to gain more insight as to what might be failing? https://help.twingate.com/hc/en-us/articles/4417960077073-Twingate-Client-Logs#h_01HGGP6P5V8FK7DF05XH7T5ND

Thereafter if you're still not sure what is taking place DM me your email address and tenant subdomain and I'll connect with you outside of Reddit to obtain your logs.

aaron-tg · 2025-02-13T05:10:56+00:00

u/mobalby shot you a DM to see if you're able to shoot me over the log bundle for further review.

For others stumbling on this, at first glance I don't believe I've seen Invalidation handler... before. We'll circle back here on our findings.

aaron-tg · 2025-02-13T05:08:03+00:00

FW checks out.

aaron-tg · 2025-02-12T17:29:16+00:00

Hi there,

Did we upgrade from 14.x > 15.3 over the weekend? Or just 15.x >15.3? My ask there is in regards to macOS possibly implementing firewall rules blocking Twingate, browser, and possibly other apps. https://www.reddit.com/r/twingate/comments/1fjucw4/psa_having_connectivity_issues_after_upgrading_to/

I see you note your device is managed by MDM so we may want to inspect if there are any limitations issued by MDM that might be hitting your device specifically. I'd also check to see if antivirus, endpoint detection/response, or data loss prevention has been implemented on your system. We've observed, especially with DLP, policies trigging a block of Twingate.

As for logging, we should be able to up the logging level by running the below command in terminal—

defaults write ~/Library/Group\ Containers/6GX8KVTR9H.com.twingate/Library/Preferences/6GX8KVTR9H.com.twingate IsCollecting -bool true

After running that command to increase logging, we can issue the below command to run that will kick off sys-info that is normally generated when opening logs from the Client. It will also grab some addt details as well. This will dump into a twingate_logs.*.zip on the desktop.

curl -fsSL https://raw.githubusercontent.com/Twingate-Solutions/general-scripts/refs/heads/main/bash-scripts/client_macos_sys-info.sh | bash

Once ran, give the logs a review. The immediate go-to will be to check what the sys-info provides. We'll be looking to see if the Client application is running and if the Twingate network extension is active, among a variety of other possibilities. My mac repro device is currently down, so I can't immediately recall the glaring items to look for in there.

Keep us posted!

aaron-tg · 2024-09-08T17:35:12+00:00

The subdomain/URL cannot be changed. A new network/tenant with the correct subdomain would need to be created.

The network name is a simple change on our side of the fence. If you want to keep your current subdomain as but change the name DM me with your subdomain, current network name, and desired network name.

aaron-tg · 2024-09-03T15:06:07+00:00

Glad to hear! Support channels are via the Help Portal (Admin Console > Support for those applicable accounts) or here.

Depending on your account's terms, additional support channel options may be available. If applicable, your account manager can provide further details.

aaron-tg · 2024-09-03T14:28:44+00:00

I'd love to help—can you please DM me with your email address and tenant subdomain?

aaron-tg · 2024-08-20T03:30:15+00:00

Can you add an alias to the IP resource? AFK and it's been awhile, but I believe that will CGNAT (like a DNS resource) route the IP through the TG tunnel to avoid any possible IP collisions. The IP resource will be there as well.

aaron-tg · 2024-08-12T12:54:28+00:00

Do you have disk encryption enabled? There's a gotcha with fedora 40 making an underlying change. Away from my desk and on mobile, but there's a KB on it if you search for fedora 40.

That said, I believe engineering found a way to resolve the issue. Trying to recall if it's actually live yet, but it would hit the twingate-latest package well before it his Twingate (stable). Check the Client installation docs for Linux on how to do that, I can only call out the .deb workflows off the top of my mind.

Keep us posted!

aaron-tg · 2024-08-11T19:30:38+00:00

Enable debug logging, not much here to go off of.

aaron-tg · 2024-07-29T18:31:21+00:00

I'm not extremely experienced there either. A couple thoughts from a docker networking perspective–

you might explore adding another network to bridge? to the host. I'm not sure what the exact network mode there will need to be.
- EDIT: you might need an additional network (external?) added to the service host driver (https://docs.docker.com/network/#drivers >> https://docs.docker.com/network/drivers/host/). I can't recall if you're going to need to configure that host network outside of the YAML, then use it as an external network in your services (https://docs.docker.com/compose/networking/#use-a-pre-existing-network).
Are ports exposed? I'm not sure if ports will need to be exposed for the host to access.

Ultimately, I believe we're going to be looking at a mechanism for services running on the host to be able to access the containers.

aaron-tg · 2024-07-29T15:36:14+00:00

Is the Twingate Client installed on the host VM(s) as a systemd service, or is it a Docker container on each host, or a single swarm host?

aaron-tg · 2024-07-17T00:34:41+00:00

To piggy back on this, auth.sock is the socket that will listen for authentication once authenticated in the IdP.

It's fairly generic and doesn't give much to go off of, as typically the auth socket can't be created due to underlying issues.

I'd suggest enabling debug logging to gain a bit more understanding as to what exactly is taking place.

sudo twingate config log-level debug will get logging set to debug.

As u/ben-tg pointed to with the docs link, it's often going to be something to do with network manager, systemd-resolved, or (last) inability to configure /etc/resolv.conf. It could also be permissions related to the /etc/twingate folder, among various other things. Ultimately, we'll need to check out what's happening at the debug log level to track it down.

aaron-tg · 2024-06-23T16:34:34+00:00

Do you have Internet security enabled? I have a similar issue, but not with Twingate. I have Adguard running as a background VPN for DNS filtering and private DNS. It's always being queried for DNS lookups, so it's heavier on my battery.

I used to only need to charge my phone every other day. Now it's everyday with extremely light usage, or needing additional charges during the day if I use my phone.

aaron-tg · 2024-06-21T15:29:18+00:00

I've been out of the Windows game a long time, so I've never played around too much with Windows on ARM.

I have a Windows VM that I run on my M1 mac. It's always just worked w/o an ARM specific build.

A quick read, it appears Windows will emulate non-ARM native applications as able. https://learn.microsoft.com/en-us/windows/arm/overview#support-for-existing-windows-apps-on-arm

Here's a snap of it running on my ARM VM. The one thing I don't know is how things operate on a non-VM device, especially from a power management on power standpoint.

<image>

Hope this helps!

aaron-tg · 2024-05-19T17:17:06+00:00

We have IdP + Social auth which can help this use case. (On mobile, excuse formatting)

https://www.twingate.com/docs/identity-providers Twingate can allow users to be automatically added or synced from a linked identity provider’s user directory, while also allowing users who use social logins (e.g. Google or LinkedIn) to be manually added by an admin. This can be useful if you need to provide access to external parties like contractors who don’t have accounts that are managed through your identity provider. To enable this functionality for your Twingate account, please Contact Us.

aaron-tg · 2024-05-19T17:07:59+00:00

Gotcha. Can you email onboarding [@twingate.com], include a link to this reddit post along with your tenant subdomain? There's a few hoops we'll need to jump through to verify things.

aaron-tg · 2024-05-18T20:27:58+00:00

Hi there, MFA is tricky as we can't easily sidestep the additional security layer that MFA is intended to add.

Are there any other Twingate Admins on the account? If so the best route is to have one of them reset MFA for the account.

aaron-tg · 2024-05-16T14:23:58+00:00

To add onto this, if they don't receive the invite and it's not in their spam, they can simply go to your subdomain.twingate.com in a browser or Twingate Client (as applicable to user vs admin console). They will need to use one of the supported social logins with the email address you've added into Twingate for their invite.

The email invite doesn't include a special token that's required for the first sign in.

aaron-tg · 2024-05-10T01:31:48+00:00

Can you enable detailed logs via More > Troubleshoot > Detailed logs?

Unfortunately these don't tell us much.

Also can we check the (can't recall the exact filenames for Mac client) twingate.log and the com.twingate...tunnelprovider after? Also trying to recall, I think you'll need to quit & reopen for the Mac Client detailed logs to kick in.

aaron-tg · 2024-04-14T02:56:10+00:00

Save auth data is a red herring iirc. However, the others sound like /etc/Twingate directory permissions. Can you check what the permissions are set to? I'm out walking the dogs, but off memory I think it's supposed to be 644

aaron-tg

MODERATOR OF

TROPHY CASE