new Tailscale issue?

Started by biggreydog, May 26, 2025, 04:54:18 PM

I updated OPNsense to 25.1.7-4 yesterday.  I was also going to convert to dnsmasq from ISC DHCP and made this adjustment this morning... small office, only turned off one and turned on the other.  After, I was unable to connect to my router/network with Tailscale.  I restarted Tailscale and also made sure I did not need to login/authenticate for Tailscale again.  I also reverted back to a previous router config and rebooted.  Still did not help.  Tailscale on router says Netcheck is up.  Tailscale IPs on the router says null.

Not sure where to go from here.  If it was a setting change I created, I would think that reverting to a previous state would resolve the issue.

Hi, I found the same thing on a test OPNsense.
I recently updated the test box and observed the same issue.
I didn't give it much attention until now that you mentioned it here.
I'm using a non-reusable preauth key and the status says "Backend: NeedsLogin, Tailscale IPs: null"
It was working during the beta test phase in January, with this same key.
I'm using Headscale as the coordination server.

I looked at everything and didn't see what could have changed to cause that issue other than my small change to my DHCP/DNS settings.

I ended up deleting and reinstalling Tailscale; didn't work.

I deleted the router from the Tailscale machine list and re-added it; didn't work.

Finally I deleted the pre-auth key in OPNsense and created a new one on the Tailscale website and that finally worked.

Hope this helps others.

Well, thank you. It helped me.
I created a new preauth key and expired the previous one.
Now, for some reason, it works with the new key.

I updated to the latest OPNsense and Tailscale does not automatically start like it used to.
To get it going again I have to SSH into OPNsense, open a shell and enter the command 'tailscale login', which presents an authentication link; after clicking on it, it works as it should. It only works until you reboot.

Same here. Tailscale stopped running after the latest OPNsense update. I had to create a new Auth key and it's working fine again. Just FYI...

Can confirm, new API key solved the issues.

I've been seeing these reports and I don't even know what should have caused them in the first place. The last Tailscale plugin change was in 25.1.

Tailscale upstream software updates in:

25.1.6: 1.82.5
25.1.5: 1.82.0
25.1.4: 1.80.3
25.1.3: 1.80.2
25.1.1: 1.80.0

but not in .7, .8 and .9, which correlates more with reports that this starts being problematic.


Cheers,
Franco

Can confirm I'm seeing the same thing here. I've looked at my Tailscale status and I'm seeing the following

# Health check:
#     - You are logged out. The last login error was: invalid key: API key does not exist

Yet I know it was logged in OK yesterday. I've logged back in using 'Tailscale login' and everything is back up and running. Will check back on the status tomorrow.

I had the very exact same issue. My solution was to delete the contents of /var/db/tailscale and redo the login process and verify that the settings in the GUI were still OK (which was not the case for me).
Then I installed 25.1.9 and did a reboot (to be sure) and Tailscale is up and running without any manual intervention.

I had the same issue after update and creating a new key solved it.  Another issue I'm now having with Tailscale is my exit node (through OPNsense) just stops working from time to time.  I can still access my network but if I enable the exit node, I have no network connection.  If I uncheck advertise, apply, recheck advertise, apply, it starts working again.

June 21, 2025, 03:33:22 PM #11 Last Edit: June 21, 2025, 05:30:42 PM by Adramyttium Reason: Updated with reference to tailscale key documentation
I just did some checking and can confirm that my pre-authorized key used by OPNsense was no longer found in Tailscale. Recreating it solved the issue.

I think this has to do with the expiration of a node key, which is different from the expiration of the pre-auth key used by OPNsense. Here is the Tailscale documentation:

"If an auth key expires, any device authorized by it remains authorized until its node key expires. Each device generates a node key when you log in to Tailscale and uses it to identify itself to the tailnet. **By default, node keys automatically expire every 180 days.** You can change the default node key expiry from the Key Expiry section of the Device management page of the admin console."

[See: https://tailscale.com/kb/1085/auth-keys?q=auth]

From what I can tell, the node key expiry cannot be overridden. What may have happened is that those of us who started using the new Tailscale plugin were using node keys that finally expired, which might explain why the reports in the forum are spread out over several days. It seems that reauthentication is necessary at some point, even if you have chosen "Expiry disabled" for the machine in question. I think.
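
Added example, not part of the original post and not code from the OPNsense plugin or Tailscale: a small monitoring check for the symptoms reported in this thread (backend in NeedsLogin, no Tailscale IPs, a logged-out health message) plus an early warning before the node key expires. It assumes the document comes from `tailscale status --json` and that the field names `BackendState`, `TailscaleIPs`, `Health` and `Self.KeyExpiry` match that output; both samples are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed samples shaped like `tailscale status --json` output (field names
# are assumptions); the health text is the message quoted in this thread.
SAMPLE_LOGGED_OUT = json.dumps({
    "BackendState": "NeedsLogin", "TailscaleIPs": None,
    "Health": ["You are logged out. The last login error was: "
               "invalid key: API key does not exist"],
    "Self": {"HostName": "opnsense-example"},
})
SAMPLE_EXPIRING = json.dumps({
    "BackendState": "Running", "TailscaleIPs": ["100.64.0.10"], "Health": [],
    "Self": {"HostName": "opnsense-example", "KeyExpiry": "2025-06-25T08:00:00Z"},
})


def parse_expiry(value):
    """Parse an RFC 3339 timestamp; fractional seconds dropped, UTC assumed."""
    parsed = datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def check_status(raw_json, now, warn_days=14):
    """Return (severity, message) findings for one status document."""
    status = json.loads(raw_json)
    findings = []
    state = status.get("BackendState", "unknown")
    if state != "Running":
        findings.append(("critical", f"backend state is {state}"))
    if not status.get("TailscaleIPs"):
        findings.append(("critical", "no Tailscale IPs assigned"))
    for msg in status.get("Health") or []:
        findings.append(("warning", f"health: {msg}"))
    expiry = (status.get("Self") or {}).get("KeyExpiry")
    if expiry:  # a missing KeyExpiry is treated as "no expiry information"
        left = parse_expiry(expiry) - now
        if left <= timedelta(0):
            findings.append(("critical", "node key has expired"))
        elif left <= timedelta(days=warn_days):
            findings.append(("warning", f"node key expires in {left.days} days"))
    return findings


if __name__ == "__main__":
    now = datetime(2025, 6, 21, 12, 0, tzinfo=timezone.utc)
    for sample in (SAMPLE_LOGGED_OUT, SAMPLE_EXPIRING):
        print(check_status(sample, now))
```

Run from cron or a monitoring agent with the live JSON in place of the samples, this turns a silent logout after an update into an alert instead of a lost remote connection.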

I am fairly new to OPNsense, but had been using Tailscale with pfSense for over 180 days without having this issue.  The link you have above to Tailscale says "Set the number of days a device can stay logged in to Tailscale before it needs to re-authenticate with Apple."  Not sure if this is only applicable to Apple devices.