Tailscale with pfsense exit node, no DNS
-
I don't seem to have a problem with DNS when using pfSense or NAS docker container as an exit node, but I am not using headscale.
PFSENSE
- 2.7.2 CE
- Tailscale package 1.4.0
- Tailscale 1.80.3_1
- Advertise sub-net routes and exit node enabled
- Accept DNS from control server enabled
NAS
- TrueNAS SCALE 24.10.2
- Tailscale docker app 1.2.14
- Tailscale 1.80.3
- Advertise sub-net routes and exit node enabled
- Accept DNS from control server enabled
ADMIN CONSOLE
- Nameservers: Magic DNS
- Global nameservers, Local DNS settings: pfSense LAN IP
- Search domains: tailnet, pfSense domain
- Advertise sub-net routes and exit node enabled for both pfSense and NAS
CLIENT
- iOS 18.4 RC
- Tailscale 1.81.193 via TestFlight
-
1.82.0 is released with some MagicDNS fixes.
I manually updated my NAS docker container.
tailscale update rebootGive it a few days for a FreeBSD package to be available.
-
@elvisimprsntr I'll give it another try once that version makes it to Google Play, but at first glance this appears to be an unrelated bugfix. I have been experiencing this issue using a v1.82.0 client on Linux, which should include the patch you mention. My pfSense box is currently running 1.80.3, so maybe it's worth testing 1.80.3_1 in case that makes a difference.
I agree with @Soloam above that this is likely an issue only experienced by headscale users. Regardless, I think it's the pfSense package that requires fixing as my other exit nodes running Linux have not had any issues. I don't have the time right now to delve into the Tailscale, FreeBSD, and pfSense codebases at the moment, but I hope to support this bugfix however I can.
I am hopeful someone on this forum can help contextualize this issue in terms of pfSense's DNS system and point us (me) in the right direction for contributing a fix.
-
I upgraded 2.7.2 CE to TS 1.82.0
No issues so far.
-
I was on the stock version (pfsense community 2.7.2) of tailslcale connecting to headscale.
I upgraded tailscale client on pfsense to 1.82.5 while leaving headscale unchanged. I was able to reproduce the problem -- my android tailscale client cannot resolve dns when using the tailscale client on pfsense as an exit node. If I disable "Use tailscale DNS" on my android client, internet connectivity works.
I am going to leave it broken for now, if anyone wants me to try different things. Thanks.
-
@jacobhall @Defiling2063
I think it has something to do with DNS over HTTPS DoH.I have all the same issues. For me it worked after setup until i rebooted.
It seems that the clients are pushed a faulty dns config and thinks it can do dns over https:
sudo tailscale dns statusResolvers (in preference order):
- 1.1.1.1
- 9.9.9.9
I can use dig to check that the dns resolves using these servers just fine.
When the system uses tailscales dns servers, the issue arises:
% tailscale dns query apple.com DNS query for "apple.com" (A) using internal resolver: failed to query DNS: 500 Internal Server Error: resolving using "/dns-query": unrecognized resolver type "/dns-query" unrecognized resolver type "/dns-query"My guess is that headscale is pushing a faulty dns config?
-
I would like to note here that Headscale recently released version v0.26.0, which included some significant changes. I intend to test if the DNS issues persist using this new version soon.
@mathiashedberg, would you be willing to share the software versions you tried in your testing, for our reference? Many thanks.
Additionally, I have been dealing with this unrelated issue with Tailscale (w/ Headscale) on Android. In case you fellow Headscale users are experiencing something similar...I'm trying to iron out the usability of this VPN system :)
-
Quick update: I upgraded my Headscale control server to version 0.26.0, and this issue persists. I continue to use the pfSense-pkg-Tailscale 0.1.4 and tailscale 1.80.3 in pfSense.
-
@jacobhall Hi.
For me the issue was prevalent pre 0.26. I set up a new fresh headscale instance with v0.26.0 (upgrade did not work) and everything worked until i rebooted pfsense.
I mitigate this by adding --accept-dns=False to my clients when using exit nodes, and then set that dns manually in the system.
Regarding issues, im dealing with this also: https://github.com/juanfont/headscale/issues/2634
-
@mathiashedberg to clarify, even using your fresh 0.26.0 instance, your clients had to disable the accept-dns option when using the pfSense exit node? This aligns with my experience (with both 0.26.0 and previous versions).
Setting the DNS manually is possible, but a headache. I don't want to make all of my users do so, especially on mobile.
Regarding issues, im dealing with this also: https://github.com/juanfont/headscale/issues/2634
Concerning indeed!
-
@jacobhall With my fresh instance on 0.26.0, and pfsense added to the net, my clients could use pfsense as an exit node without disabling accept-dns. It was only after rebooting that it stopped working.
-
Any luck getting this fixed? I am running into the exact same issue with my setup. Latest Headscale (0.26.1), PFSense 2.7.2, and Tailscale package 1.84.2 installed on PfSense.