Updated CE 2.8.1 to 1.94.1_1 Freshports pkg add -f https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.94.1_1.pkg Changelog

@Wolf666 I went to https://login.tailscale.com/admin/settings/trust-credentials my-client-id - OAuth - Feb 4, 2026 - all:read This is from the Com Port of PUTTY curl -s \ -d "client_id=my-client-id" -d "client_secret=tskey-client-my-client-id-my-client-secret" -d "grant_type=client_credentials" https://api.tailscale.com/api/v2/oauth/token | jq -r '.access_token' > /root/ts_oauth_token TAILSCALE_AUTH="tskey-api-$(cat /root/ts_oauth_token)" tailscale down #tailscale up -auth-key=$TAILSCALE_AUTH --accept-dns=false --accept-routes --advertise-exit-node --advertise-tags=tag:pfsense \ --advertise-routes=192.25.25.0/24 \ --hostname=pfsense tailscale up \ --auth-key=$TAILSCALE_AUTH --accept-dns=false --accept-routes --advertise-exit-node --advertise-tags=tag:pfsense \ too many non-flag arguments: [" "] --advertise-routes=172.25.25.0/24 \ --hostname=pfsense -sh: --advertise-routes=172.25.25.0/24: not found From the SSH prompt: curl -s ? -d "client_id=k7ohW6S9j621CNTRL" ? -d "client_secret=tskey-client-k7ohW6S9j621CNTRL-ZzX9cBqo5fYDQmn4Hyp5gYmSG9gb4PNE" ? -d "grant_type=client_credentials" ? https://api.tailscale.com/api/v2/oauth/token ? | jq -r '.access_token' > /root/ts_oauth_token /root/ts_oauth_token: Permission denied.

I fixed switching to OAuth: https://forum.netgate.com/post/1237434

@johnpoz Thanks for this. Helped me today. I ended up handling it a bit differently. I guess your way would make it impossible to re-auth via the GUI if you ever needed to enter a new auth key. What I do instead is run this via a cron job every 10m. It does a few common healthchecks and nukes the authkey from its source rc file if it finds the service is logged out. I haven't tested yet, but in theory this should allow the normal auth + key method to still operate. #!/bin/sh QRY='my-pfsense-hostname.foo-blah.ts.net' WANT='100.100.101.101' #pfSense tailnet IP RESTART=0 res=$(dig +time=1 +tries=1 +short -t a $QRY @100.100.100.100) if [ "$res" != "$WANT" ] ; then RESTART=1 logger -t tailscaled "Quad100 invalid DNS response ($res)" fi if ! ifconfig -g Tailscale | grep -q tailscale0 ; then RESTART=1 logger -t tailscaled "tailscale0 does not have interface group set" fi res=$(tailscale status --json | jq -r '.Health[] | contains("logged out")') if [ "$res" = "true" ]; then RESTART=1 logger -t tailscaled "tailscale is logged out" sed -i.bak '/pfsense_tailscaled_authkey.*/d' /usr/local/etc/rc.conf.d/pfsense_tailscaled fi if [ "$RESTART" -eq 1 ] ; then logger -t tailscaled "Restarting tailscale service" pfSsh.php playback svc restart tailscale fi

@Wolf666 Thank you, I will try it. Unfortunately, since I had already replaced the contents of /usr/local/etc/rc.d/tailscaled and it had been working so far, I will not be able to tell which of the two solved the problem. And of course, I can't find a copy of the old .../rc.d/tailscaled. Therefore, if none of this works, it will require yet another delete and reinstall of everything Tailscale in my system.

@totalimpact in my case I dsid not reboot the router, after I copied the new key tailscale went online.

With Tailscale, I just recommend sticking with the FreeBSD15 version. Yes, it may currently work using the FreeBSD 14 package despite being on 15, but any number of other updates could result in that not being the case anymore. Not to mention the fact that any updates newer than 1.84.2_1 don't really impact functionality for what people would be using Tailscale for with PfSense so updating past that is not an absolute necessity. I run 1.86.4 on my desktop+phone and 1.84.2_1 on my pfsense router. Phone commonly uses the PfSense router as an exit node and there's no difference for PfSense. TL;DR: Better to be safe than sorry and stick with the FreeBSD 15 version even if it's not the latest version of Tailscale.

Any luck getting this fixed? I am running into the exact same issue with my setup. Latest Headscale (0.26.1), PFSense 2.7.2, and Tailscale package 1.84.2 installed on PfSense.

@maxpol @TravisH Did you get this resolved? I have th esame issues or very similiar. The first tailnet client works, then when i add additional ones they sometimes work, but majoritvly they fail. PFSense+ latest f/w. All endpoint showing online in tailscale status within pfsense and also on the tailscale portal. Thanks

Thank you, @elvisimprsntr, I did that and it worked beautifully.

From TS support "I’m Kelly from the Tailscale support team. Thanks for reaching out! This is a common point of confusion- Even with the “Key Expiry: Disabled” option selected in the Tailscale web UI, that only applies to machines authenticated via the web login. You need to generate a Reusable, Ephemeral = false, Pre-Auth Key via the Tailscale admin panel, and use that on the pfsense."