@atlmcw

I had no issues.

I want to improve the script above to make it "force" direct connections.

Another issue with this script is that its pinging only once and if that ping fails, it stops and then starts the service.

I think it would be much better if the script pings 10 times, and if 10 out of 10 fails, it will restart the service.
This would increase the reliability of the script and also in the same time, make connections leave the relay and connect directly.

But I'm failing to do so, any ideas to improve the code with the insights above in mind ?

Edit:

I think I got it..

1- It will ping "headquarters" 10 times using tailscale.
This will help connections through tailscale prefer "direct" instead of relay.
2- If at least one of the tailscale ping works, it won't do anything.
This will avoid the service to being brought down every time.
3- If all pings fails, it will restart the tailscale service.

#!/bin/sh DEST="headquarters" SUCCESS=0 COUNT=0 while [ $COUNT -le 9 ] do for DEST in $DEST do COUNT=`expr $COUNT + 1` tailscale ping --c 1 -timeout 1s $DEST >/dev/null 2>/dev/null # ping -c 1 -t 100 $DEST if [ $? -eq 0 ] then SUCCESS=`expr $SUCCESS + 1` fi done done if [ $SUCCESS -ge 1 ] && [ $COUNT -eq 10 ] then exit 0 else /usr/local/sbin/pfSsh.php playback svc stop tailscale sleep 5 /usr/local/sbin/pfSsh.php playback svc start tailscale sleep 5 exit 1 fi done

One important observation is, if there are more peers in the tailscale network, you can and should add them to this script.
See, if you are only pinging one host, if that host goes down, the script will take the entire tailscale service down affecting other hosts.

Code for multiple hosts

#!/bin/sh DEST="server-1" DEST1="server-2" DEST2="servier-3" SUCCESS=0 COUNT=0 while [ $COUNT -le 9 ] do for DEST in $DEST do COUNT=`expr $COUNT + 1` tailscale ping --c 1 --timeout 1s $DEST >/dev/null 2>/dev/null # ping -c 1 -t 100 $DEST if [ $? -eq 0 ] then SUCCESS=`expr $SUCCESS + 1` fi tailscale ping --c 1 --timeout 1s $DEST1 >/dev/null 2>/dev/null # ping -c 1 -t 100 $DEST1 if [ $? -eq 0 ] then SUCCESS=`expr $SUCCESS + 1` fi tailscale ping --c 1 --timeout 1s $DEST2 >/dev/null 2>/dev/null # ping -c 1 -t 100 $DEST2 if [ $? -eq 0 ] then SUCCESS=`expr $SUCCESS + 1` fi done done if [ $SUCCESS -ge 1 ] && [ $COUNT -eq 10 ] then exit 0 else /usr/local/sbin/pfSsh.php playback svc stop tailscale sleep 5 /usr/local/sbin/pfSsh.php playback svc start tailscale sleep 5 exit 1 fi done

The code above will sum SUCCESS variable, and if any of the hosts answers, tailscale service will be considered to be UP and no actions will be taken.

Unfortunaetly I don't have much to add in a solution, but I seem to be in the same boat as you are. This only seems to happen on pfSense+ from what I can tell though. Have 3 boxes on CE and those work great with the NAT rule, but I can't seem to have anything behind the plus box route through the tailnet. Hopefully someone has some info no this.

@DavcoreTech

Looks like you may be running an older version of pfSense and/or Tailscale.

You might want to upgrade to latest version (1.78.1) on all clients, which may resolve some of the connection issues.

Although, Netgate has not updated the Tailscale package in some time, you can manually update

How to update to the latest Tailscale version?

You may also want to upgrade Windows 8.1, which MS officially stopped supporting on January 10, 2023

@chudak

Service Status
Shows running or not

Otherwise no widget avail might blew up the dashboard caused by the amount of possible nodes / clients on a tails scale net (filtering or show only specific clients might do the trick)

Might be a cool project for someone

Br np

I am having trouble getting this to work.

Will this work behind a double NAT? I have pfSense behind another Mikrotik 4G router. I have confirmed too that I can ping the remote host subnet via pfSense directly just not behind the pfSense LAN, So I'm guessing the double NAT is not an issue.

Also, for the NAT rule,

Would the source be the Source Network of the pfSense LAN, and the destination be the final Destination Network of the other network behind tailscale?

Then the NAT Address would be the tailscale IP of the other side network.

IE>>

pfSense network = 192.168.10.0/24
Remote Network = 192.168.20.0/24
pfSense Tailscale = 100.90.20.10
Remote Tailscale = 100.90.42.2

Would my NAT entry look like this.

bf2e3c74-f2e2-4b0a-afeb-86630f0964bc-image.png

Thanks

@harshness FYI, a tailscale update fixed this for both Pfsense and the Apple TV. All has been working fine for quite some time now.

@mowest Do you have pfSense configured to "accept subnet routes"?

@chickendog I've been looking at this for a while and I believe that is indeed the case. Thanks for confirming.

I too have had this issue today.
The ssh session hung at "Stopping Tailscale"
I found a "reboot" from shell worked.

Has anyone found a fix to stop this?

https://redmine.pfsense.org/issues/15673

Feature Request Is Now Open

@mfld my guess would be you have magicdns enabled

https://tailscale.com/kb/1081/magicdns

I think they changed that to be default enabled a while back, use to be off by default. So depending on when you created your tailscale account?

I do not have enabled.. Makes no sense when you run your own dns.