After re-authing, the `tailscale0` interface is not a member of the `Tailscale` group, thus the firewall blocks all incoming traffic
-
Running 25.11RC (25.11.r.20251126.1732) + Tailscale 1.90.6
Yesterday after Tailscale on my pfSense got logged out for some reason, I had to re-auth using a new auth key. The service came back up and showed "Tailscale is online" in the GUI, but I noticed that my router was not accepting any incoming connections (not even ICMP).
After some twiddling around, I decided to bounce the service using

```
pfSsh.php playback svc restart tailscale
```

and lo and behold that "fixed" the problem. Comparing `ifconfig tailscale0` output from before and after, I noted that the `Tailscale` group designation was not applied to the tailscale interface when it was in the non-working state.

"before"

```
tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=4080000<LINKSTATE,MEXTPG>
        inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
        inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
===>    groups: tun                        # missing "Tailscale"
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 95984
```

"After"

```
tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=4080000<LINKSTATE,MEXTPG>
        inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
        inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
===>    groups: tun Tailscale
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 91908
```

Not sure the why or how of this, but some sort of healthcheck and auto-bounce of the service would be a nice thing to add to the package, especially if someone relies on this to be working when away from the console port.
-
I cobbled a little script together and set it to run every 10 min in my crontab. (scroll down for the updated script)
-
@luckman212 I ran into an auth issue the other day while out of town..
My routes were not listed, etc. I tried restarting the service and was seeing auth error..
I have it set to never expire - here is what I did to fix it.
```
nano /usr/local/etc/rc.d/pfsense_tailscaled
```

```
# tailscale auth fix
# handle the --auth-key parameter
# pfsense_tailscaled_up_flags="--auth-key=${pfsense_tailscaled_authkey}"
```

I just commented out that portion for `pfsense_tailscaled up`.
Restarted and working fine - I had to re-allow my routes on the tailscale site.. But all working now.
I have not messed with this all that much, it just worked.. My pfsense never restarts, etc. I do recall some funkiness last time I updated to 25.07.. I am currently not on the 25.11 rc.. But I ran across this fix somewhere and post it here in case it's related or helps.
-
@johnpoz Thanks for this. Helped me today. I ended up handling it a bit differently. I guess your way would make it impossible to re-auth via the GUI if you ever needed to enter a new auth key.
What I do instead is run this via a cron job every 10m. It does a few common healthchecks and nukes the authkey from its source rc file if it finds the service is logged out. I haven't tested yet, but in theory this should allow the normal auth + key method to still operate.
```sh
#!/bin/sh
# Tailscale healthcheck for pfSense; run from cron every 10 minutes.
QRY='my-pfsense-hostname.foo-blah.ts.net'   # this node's MagicDNS name
WANT='100.100.101.101'                       # pfSense tailnet IP
RESTART=0

# 1. MagicDNS (Quad100) must resolve this node to its own tailnet IP
res=$(dig +time=1 +tries=1 +short -t a "$QRY" @100.100.100.100)
if [ "$res" != "$WANT" ]; then
  RESTART=1
  logger -t tailscaled "Quad100 invalid DNS response ($res)"
fi

# 2. tailscale0 must be in the "Tailscale" interface group, otherwise the
#    firewall rules on that group never match and all inbound is dropped
if ! ifconfig -g Tailscale | grep -q tailscale0; then
  RESTART=1
  logger -t tailscaled "tailscale0 does not have interface group set"
fi

# 3. the daemon must not be logged out; if it is, drop the stale auth key
#    from the rc file so the restart does not keep reusing it.
#    Health is an array (possibly null); reduce it to a single true/false
#    so a multi-entry Health list does not break the string compare.
res=$(tailscale status --json | jq -r '[(.Health // [])[] | contains("logged out")] | any')
if [ "$res" = "true" ]; then
  RESTART=1
  logger -t tailscaled "tailscale is logged out"
  sed -i.bak '/pfsense_tailscaled_authkey.*/d' /usr/local/etc/rc.conf.d/pfsense_tailscaled
fi

if [ "$RESTART" -eq 1 ]; then
  logger -t tailscaled "Restarting tailscale service"
  pfSsh.php playback svc restart tailscale
fi
```
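As an added example that is not part of this thread or of the pfSense Tailscale package: the interface-group and logged-out checks from the cron script above, written as functions over captured text rather than live commands, so they can be exercised against the "before"/"after" `ifconfig` output posted earlier without a pfSense box. The sample `ifconfig` and `tailscale status --json` fragments are constructed here (modelled on the post), the `ifconfig tailscale0 group Tailscale` remediation is only printed, never run, and it is an assumption that re-adding the group in place is enough for pf to start matching the group's rules again; the thread's tested fix is restarting the service.

```sh
#!/bin/sh
# Constructed sample, modelled on the "before" output in the post:
# the Tailscale group is missing from tailscale0.
BROKEN='tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=4080000<LINKSTATE,MEXTPG>
        inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
        inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
        groups: tun
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 95984'

# Constructed sample, modelled on the "after" output: group present.
HEALTHY='tailscale0: flags=1008043<UP,BROADCAST,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 1280
        options=4080000<LINKSTATE,MEXTPG>
        inet 100.100.101.101 netmask 0xffffffff broadcast 100.100.101.101
        inet6 fd7a:115c:a1e0::8034:6859 prefixlen 48
        groups: tun Tailscale
        nd6 options=101<PERFORMNUD,NO_DAD>
        Opened by PID 91908'

# Constructed "tailscale status --json" fragments (shape assumed: Health is
# an array of strings, or null when there is nothing to report).
STATUS_OK='{ "BackendState": "Running", "Health": null }'
STATUS_OUT='{ "BackendState": "NeedsLogin", "Health": [ "not in map poll", "Logged out." ] }'

# iface_in_group <ifconfig-output> <group>
# Exit 0 if the "groups:" line lists <group> as a whole word, else 1.
# Whole-word matching avoids a false positive from a group such as
# "Tailscale2" that a plain "grep Tailscale" would accept.
iface_in_group() {
    printf '%s\n' "$1" | awk -v g="$2" '
        $1 == "groups:" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }'
}

# is_logged_out <status-json>
# Exit 0 if any entry of the Health array mentions "logged out" (case-
# insensitive). jq-free on purpose: the Health array is cut out with sed
# after flattening newlines, so multi-line and multi-entry arrays work.
is_logged_out() {
    printf '%s' "$1" | tr -d '\n' \
        | sed -n 's/.*"Health": *\[\([^]]*\)\].*/\1/p' \
        | grep -qi 'logged out'
}

# plan_action <ifconfig-output> <status-json> <ifname> <group>
# Print the remediation a healthcheck would take; nothing is executed.
#   "restart"               -> the daemon is logged out, bounce the service
#   "ifconfig IF group G"   -> only the group is missing, re-add it in place
#   "ok"                    -> nothing to do
plan_action() {
    if is_logged_out "$2"; then
        echo "restart"
    elif ! iface_in_group "$1" "$4"; then
        echo "ifconfig $3 group $4"
    else
        echo "ok"
    fi
}

# On a real pfSense box the same functions would be fed live output:
#   plan_action "$(ifconfig tailscale0)" "$(tailscale status --json)" tailscale0 Tailscale
```

The point of separating "decide" from "act" is that the decision can be asserted against the exact output seen in the thread, and the action (restart versus re-adding the group) can be swapped without touching the parsing.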