Updated CE 2.7.2 to 1.88.1 Changelog pkg add -f https://pkg.freebsd.org/FreeBSD:14:amd64/latest/All/tailscale-1.88.1.pkg Freshports

Well, I spent some time tonight playing around with this and I think I have it. Some suggestions for others: Generate the OAuth client in the Tailscale admin before anything else. Make sure to create the tag you'll need. One per pfSense instance (and clearly, one OAuth client per pfSense instance). Give the OAuth client the permissions you think appropriate. Very Important: make sure that you can generate an API key with the OAuth creds. The OAuth creds are, apparently, used by the CLI to generate an API key. The latter is what does the trick in tailscale up. Do this from the pfSense console: curl -d "client_id=kY5Mv4h8kQ11CNTRL" -d "client_secret=tskey-client-kY5[invalidchars]CNTRL-ZXo2FfBbb[moreinvalidchars]GVT" "https://api.tailscale.com/api/v2/oauth/token" If you don't get back something like this, you'll never be able to get it to work: {"access_token":"tskey-api-kM[lotsofinvalidchars]NTRL-[stillmoreinvalidchars]9YevL","token_type":"Bearer","expires_in":3600,"scope":"all"} Here's what worked for me if the above returned an API token: /usr/local/bin/tailscale up --auth-key=tskey-client-[greekedout]GVT\?ephemeral=false\&preauthorized=true --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=192.168.211.0/24 --advertise-tags=tag:[yourtaghere] Make sure you have the cron package installed. Then add a @reboot entry using the full path (see above). I also added a cron entry every six hours as if Tailscale is up, this command does not interrupt or reset any sessions. I've left some bytes of the creds in these examples to make it clearer where your full creds should go. The curl command requires the escape symbol (\) in the parameters that will be passed to the control plane. FWIW, I lost an hour or more because I had (God only knows why) set Tailscale on one pfSense instance to accept DNS. Do this and the router cannot resolve the control plane API endpoint. Dumb. And I own it. I don't know if this "fixes" everything. But it's a lot of work and it shouldn't be necessary. Somehow, this package to be useful needs to survive reboot without the need to go to these lengths.

@totalimpact in my case I dsid not reboot the router, after I copied the new key tailscale went online.

With Tailscale, I just recommend sticking with the FreeBSD15 version. Yes, it may currently work using the FreeBSD 14 package despite being on 15, but any number of other updates could result in that not being the case anymore. Not to mention the fact that any updates newer than 1.84.2_1 don't really impact functionality for what people would be using Tailscale for with PfSense so updating past that is not an absolute necessity. I run 1.86.4 on my desktop+phone and 1.84.2_1 on my pfsense router. Phone commonly uses the PfSense router as an exit node and there's no difference for PfSense. TL;DR: Better to be safe than sorry and stick with the FreeBSD 15 version even if it's not the latest version of Tailscale.

Any luck getting this fixed? I am running into the exact same issue with my setup. Latest Headscale (0.26.1), PFSense 2.7.2, and Tailscale package 1.84.2 installed on PfSense.

@maxpol @TravisH Did you get this resolved? I have th esame issues or very similiar. The first tailnet client works, then when i add additional ones they sometimes work, but majoritvly they fail. PFSense+ latest f/w. All endpoint showing online in tailscale status within pfsense and also on the tailscale portal. Thanks

Thank you, @elvisimprsntr, I did that and it worked beautifully.

From TS support "I’m Kelly from the Tailscale support team. Thanks for reaching out! This is a common point of confusion- Even with the “Key Expiry: Disabled” option selected in the Tailscale web UI, that only applies to machines authenticated via the web login. You need to generate a Reusable, Ephemeral = false, Pre-Auth Key via the Tailscale admin panel, and use that on the pfsense."

@Gertjan Thanks for the reply! Thats what I was afraid of. We have 100s of pfsense/tailscale nodes that we don't have UI access to. We use Ansible to automatically configure them in a remote fashion, everything was fine until this routes issue. But I will check out the link. Thanks again!