Cannot access relayed routes from Windows

I have a relay node set up in AWS to forward traffic from my Windows client to a private server. It used to work, but some time within the last month the relay stopped working.

I can still SSH into the relay node from my Windows client and connect to the private server from there. But I cannot access the private server directly from Windows.

I have verified that tailscale is running with --advertise-routes on the relay node. net.ipv4.ip_forward = 1 is in sysctl.conf. “Subnet routes” are enabled in the Admin console. I do not see any routes for the subnet on the Windows client using route print.

Any pointers on how to debug would be greatly appreciated.

Shift + right-click on the Tailscale menu. Check if “Test: Route Subnets” is enabled.

“Test: Route Subnets” was off. I turned it on. Also clicked “Log In” from the Tailscale menu to refresh the desktop key (not sure I needed to, but did just in case) and now it works.

Thanks for the tip @33b5e5. What’s that menu supposed to do? Route Subnets is not an experimental feature, right?

I think it’s supposed to be on by default, but it’s getting disabled for some users:

Ah, thanks! That makes sense. The new key expiry stuff caught me off-guard. I tried tailscale up on Windows which probably reset that flag.

Ohh, that makes sense. tailscale up doesn’t accept subnet routes by default, for historical reasons.