Tailscale with pfsense exit node, no DNS
-
@michmoor not using headscale, the main reason for me to upgrade the tailscale client was to be able to connect to headscale!
-
I experienced the same problem (couldn't resolve names) using pfsense as exit node after I upgraded tailscale client on pfsense connecting to headscale. To troubleshoot:
- I turned off and on advertise-exit-node on pfsense.
- on headscale, I disable / enable the route
It worked for a few hours and then stopped working.
I also experienced routing problem from hosts behind pfsense to other hosts meshed through tailscale. I downgraded headscale and tailscale client on pfsense. It has been working fine since this morning.
-
@Defiling2063 What version did you downgraded headscale to make it work with default tailscale client?
-
0.23.0.
I may be able to run an later version but that was the version I upgraded from before thing went south. I reverted the upgrade.
p/s wish I saw this thread before I upgraded headscale and tailscale client on pfsense. That would have saved me a week of pulling hair. Cheers.
-
I believe I am experiencing the same issue. I recently set up a fresh tailnet and added pfsense as an exit node. The exit node works except when Tailscale DNS is enabled on the client, in which case DNS breaks. This problem doesn't occur when other exit nodes are used.
Package Versions:
headscale 0.25.1
pfSense-pkg-Tailscale 0.1.4
tailscale (freebsd pkg on pfsense) 1.80.3 -
Linking relevant threads on the Tailscale GitHub and Lawrence Systems forum which describe related issues (it looks like @Soloam has participated in all of these).
If anyone having a similar problem bumps into this, please take a minute to document your experience so that we can collect more information and try to solve this. Thanks
-
@jacobhall said in Tailscale with pfsense exit node, no DNS:
Linking relevant threads on the Tailscale GitHub and Lawrence Systems forum which describe related issues (it looks like @Soloam has participated in all of these).
If anyone having a similar problem bumps into this, please take a minute to document your experience so that we can collect more information and try to solve this. Thanks
This problem, from what I can tell, only happens on people using headscale, because we have to change the tailscale client version on pfsense...With Tailscale services the tailscale client on the pfsense package works and it seams to be imune to this problem
-
Not sure if related, but there are some TestFlight builds which include DNS fixes.
-
@elvisimprsntr I'd be willing to try it out. When my client uses pfSense as an exit node, it can ping 100.100.100.100, but DNS queries to the same IP address time out. This makes me think there is an issue with the pfSense/FreeBSD implementation specifically.
-
I don't seem to have a problem with DNS when using pfSense or NAS docker container as an exit node, but I am not using headscale.
PFSENSE
- 2.7.2 CE
- Tailscale package 1.4.0
- Tailscale 1.80.3_1
- Advertise sub-net routes and exit node enabled
- Accept DNS from control server enabled
NAS
- TrueNAS SCALE 24.10.2
- Tailscale docker app 1.2.14
- Tailscale 1.80.3
- Advertise sub-net routes and exit node enabled
- Accept DNS from control server enabled
ADMIN CONSOLE
- Nameservers: Magic DNS
- Global nameservers, Local DNS settings: pfSense LAN IP
- Search domains: tailnet, pfSense domain
- Advertise sub-net routes and exit node enabled for both pfSense and NAS
CLIENT
- iOS 18.4 RC
- Tailscale 1.81.193 via TestFlight
-
1.82.0 is released with some MagicDNS fixes.
I manually updated my NAS docker container.
tailscale update rebootGive it a few days for a FreeBSD package to be available.
-
@elvisimprsntr I'll give it another try once that version makes it to Google Play, but at first glance this appears to be an unrelated bugfix. I have been experiencing this issue using a v1.82.0 client on Linux, which should include the patch you mention. My pfSense box is currently running 1.80.3, so maybe it's worth testing 1.80.3_1 in case that makes a difference.
I agree with @Soloam above that this is likely an issue only experienced by headscale users. Regardless, I think it's the pfSense package that requires fixing as my other exit nodes running Linux have not had any issues. I don't have the time right now to delve into the Tailscale, FreeBSD, and pfSense codebases at the moment, but I hope to support this bugfix however I can.
I am hopeful someone on this forum can help contextualize this issue in terms of pfSense's DNS system and point us (me) in the right direction for contributing a fix.
-
I upgraded 2.7.2 CE to TS 1.82.0
No issues so far.
-
I was on the stock version (pfsense community 2.7.2) of tailslcale connecting to headscale.
I upgraded tailscale client on pfsense to 1.82.5 while leaving headscale unchanged. I was able to reproduce the problem -- my android tailscale client cannot resolve dns when using the tailscale client on pfsense as an exit node. If I disable "Use tailscale DNS" on my android client, internet connectivity works.
I am going to leave it broken for now, if anyone wants me to try different things. Thanks.
-
@jacobhall @Defiling2063
I think it has something to do with DNS over HTTPS DoH.I have all the same issues. For me it worked after setup until i rebooted.
It seems that the clients are pushed a faulty dns config and thinks it can do dns over https:
sudo tailscale dns statusResolvers (in preference order):
- 1.1.1.1
- 9.9.9.9
I can use dig to check that the dns resolves using these servers just fine.
When the system uses tailscales dns servers, the issue arises:
% tailscale dns query apple.com DNS query for "apple.com" (A) using internal resolver: failed to query DNS: 500 Internal Server Error: resolving using "/dns-query": unrecognized resolver type "/dns-query" unrecognized resolver type "/dns-query"My guess is that headscale is pushing a faulty dns config?
-
I would like to note here that Headscale recently released version v0.26.0, which included some significant changes. I intend to test if the DNS issues persist using this new version soon.
@mathiashedberg, would you be willing to share the software versions you tried in your testing, for our reference? Many thanks.
Additionally, I have been dealing with this unrelated issue with Tailscale (w/ Headscale) on Android. In case you fellow Headscale users are experiencing something similar...I'm trying to iron out the usability of this VPN system :)
-
Quick update: I upgraded my Headscale control server to version 0.26.0, and this issue persists. I continue to use the pfSense-pkg-Tailscale 0.1.4 and tailscale 1.80.3 in pfSense.
-
@jacobhall Hi.
For me the issue was prevalent pre 0.26. I set up a new fresh headscale instance with v0.26.0 (upgrade did not work) and everything worked until i rebooted pfsense.
I mitigate this by adding --accept-dns=False to my clients when using exit nodes, and then set that dns manually in the system.
Regarding issues, im dealing with this also: https://github.com/juanfont/headscale/issues/2634
-
@mathiashedberg to clarify, even using your fresh 0.26.0 instance, your clients had to disable the accept-dns option when using the pfSense exit node? This aligns with my experience (with both 0.26.0 and previous versions).
Setting the DNS manually is possible, but a headache. I don't want to make all of my users do so, especially on mobile.
Regarding issues, im dealing with this also: https://github.com/juanfont/headscale/issues/2634
Concerning indeed!
-
@jacobhall With my fresh instance on 0.26.0, and pfsense added to the net, my clients could use pfsense as an exit node without disabling accept-dns. It was only after rebooting that it stopped working.
