Can't reauthenticate on Synology

I have a Synology at a friend of mine’s house which is on Tailscale and the key has expired while he’s out of town. I can see the machine is online on my Tailscale Admin Console, but I can’t connect to it.

I know I need to reauthenticate to it, but if I can’t connect in, how do I do that? I can disable key expiry, which lets me log back into the web interface for the Synology. When I opened Tailscale on the Synology, it switches me to a web browser tab showing the Tailscale IP of my Synology and a link that says “Authenticate”.

I click Authenticate and nothing happens for a long time, and eventually it says “Failed to login, load failed”. But it never asked me for a login…

So … how do I reauthenticate? I feel like I’m missing a fundamental piece of this puzzle.

I suspect (but haven’t checked) that you can’t authenticate a node that has no expiry. For something that classes as a server (i.e. always on, no direct user normally) that’s the state I’d leave it in.
If you prefer to authenticate regularly, try turning off the ‘doesn’t expire’ setting and just use the ‘Temporarily extend key’ option from the control panel instead - that gives you 30 mins to log in and reauthenticate.

I think I see what you mean @Spidge. I’m telling it no expiry and then trying to authenticate for expiration.

Let me ask a question - in reading the docs I haven’t been able to figure out the purpose of key expiration, or the keys in the first place. I assumed it was for a security reason but if it makes sense to disable them for an always-on server, then I definitely don’t understand what they’re for.

It’s indeed for increased security.

Imagine you’re in an environment where you have multiple users in your tailnet, like in a company. In that scenario you might want to force users to re-authenticate their device every now and then, just to make sure it’s still them using the devices and not someone who e.g. stole a laptop that was still connected to the tailnet.

It’s similar to websites asking you to login again after some time.


Ah that DOES make a lot of sense. Thanks @bluefish. It would also support the idea @Spidge suggested that having key expiry on the server you manage is probably not necessary or valuable. Would you agree? (Please say yes cuz this is a PIA!)

Yep, I’d say so. I’ve disabled key expiry on my NAS for this exact reason.
I’m not always at home but want to access my NAS over the internet via tailscale. So if its key were to expire while I’m away, I’d have to resort to backup-access solutions which I don’t really want to employ.

For my desktop computer I have key expiry enabled though, because it’s not a hassle to quickly log back in. I could disable it for my desktop computer to be honest because it’s stationary at home.
But for my phone I’ll definitely keep the expiry, because I take it with me when I leave the house.
Same goes for laptops.

It really depends on personal taste and your security requirements, but in general I would disable expiry on devices you can’t always be near in order to re-authenticate.


Welp, now that I’ve disabled key expiry, I can’t connect to my Synology at my buddy’s house. Can’t ping it by MagicDNS or by Tailscale IP.

I hate to be a pest but I just haven’t been able to get this to work.

Looks connected OK - normally I blame DNS for everything (political issues? it’s the DNS) but you say you’ve tried by IP so we’ll assume not in this case.

  • Check your local machine is also connected correctly
  • Try a tailscale ping as well as a normal ping.
  • Check the ACL to make sure you’re allowed to access it. The default is allow everything in the Tailnet, so if you haven’t changed that everything should be fine there.
  • Lastly, a good old fashioned reboot at both ends covers a lot of problems, particularly when you’ve been fiddling with settings.
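The checklist above can be run as a script. This is an added example, not code from the thread or from Tailscale: it reads `tailscale status --json` from the local client, checks that the local end is connected, looks up the target peer by hostname or MagicDNS name, reports whether the admin console would show it online and whether its node key has expired, and then tries a `tailscale ping` (Tailscale-level reachability, separate from ICMP). The JSON field names used (BackendState, Peer, HostName, DNSName, TailscaleIPs, Online, Expired, KeyExpiry) are those of the client's status output and are assumed to match your client version; the sample status document is constructed to mirror the situation in the thread (node shown online, key expired).

```python
"""Tailscale peer diagnostics. Added example; not from the forum post or from Tailscale.

Assumes the `tailscale` CLI is on PATH and that `tailscale status --json` exposes the
fields named below (assumption; check `tailscale status --json` on your own client).
"""
import json
import shutil
import subprocess
import sys

# Constructed sample of a status document: the NAS is online but its key has expired,
# which matches "I can see it in the admin console but can't connect".
SAMPLE_STATUS = {
    "BackendState": "Running",
    "Self": {"HostName": "laptop", "Online": True},
    "Peer": {
        "nodekey:aaaa": {
            "HostName": "synology-nas",
            "DNSName": "synology-nas.example-tailnet.ts.net.",
            "TailscaleIPs": ["100.101.102.103"],
            "Online": True,
            "Expired": True,
            "KeyExpiry": "2023-01-01T00:00:00Z",
        },
        "nodekey:bbbb": {
            "HostName": "desktop",
            "DNSName": "desktop.example-tailnet.ts.net.",
            "TailscaleIPs": ["100.64.0.2"],
            "Online": False,
            "Expired": False,
            "KeyExpiry": "2099-01-01T00:00:00Z",
        },
    },
}


def load_status():
    """Fetch and parse the live status document from the local Tailscale client."""
    exe = shutil.which("tailscale")
    if exe is None:
        raise RuntimeError("tailscale CLI not found on PATH")
    return json.loads(subprocess.check_output([exe, "status", "--json"], text=True))


def find_peer(status, name):
    """Match a peer by HostName or MagicDNS name (case-insensitive, trailing dot ignored)."""
    want = name.lower().rstrip(".")
    for peer in (status.get("Peer") or {}).values():
        host = (peer.get("HostName") or "").lower()
        dns = (peer.get("DNSName") or "").lower().rstrip(".")
        if want in (host, dns) or dns.startswith(want + "."):
            return peer
    return None


def diagnose(status, name):
    """Evaluate the checklist against a parsed status document; returns plain flags."""
    result = {"name": name, "local_running": status.get("BackendState") == "Running",
              "found": False, "online": False, "expired": False, "ips": [], "key_expiry": None}
    peer = find_peer(status, name)
    if peer is not None:
        result.update(found=True, online=bool(peer.get("Online")), expired=bool(peer.get("Expired")),
                      ips=list(peer.get("TailscaleIPs") or []), key_expiry=peer.get("KeyExpiry"))
    return result


def report(result):
    """Turn the flags into human-readable findings, in the order the checklist suggests."""
    name, lines = result["name"], []
    if not result["local_running"]:
        lines.append("local client is not in Running state; fix this end first")
    if not result["found"]:
        lines.append(f"no peer named {name!r} visible; check the admin console and ACLs")
        return lines
    if result["expired"]:
        lines.append(f"{name}: node key EXPIRED at {result['key_expiry']}; extend or disable "
                     "expiry in the admin console, then re-authenticate on the node itself")
    if not result["online"]:
        lines.append(f"{name}: reported offline; reboot the node / check its own client")
    if result["online"] and not result["expired"]:
        lines.append(f"{name}: online with a valid key on {result['ips']}; if plain ping "
                     "still fails, suspect ACLs or a local routing problem")
    return lines


def tailscale_ping(target, timeout=20):
    """Run `tailscale ping` against the target; returns (success, combined output)."""
    exe = shutil.which("tailscale")
    if exe is None:
        return False, "tailscale CLI not found on PATH"
    try:
        proc = subprocess.run([exe, "ping", target], capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False, "tailscale ping timed out"
    return proc.returncode == 0, (proc.stdout + proc.stderr).strip()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "synology-nas"
    status = load_status() if "--sample" not in sys.argv else SAMPLE_STATUS
    for line in report(diagnose(status, target)):
        print(line)
    if "--sample" not in sys.argv:
        ok, out = tailscale_ping(target)
        print("tailscale ping:", "ok" if ok else "FAILED", "\n" + out)
```

Run it as `python3 ts_diag.py synology-nas` on the machine you are connecting from; `--sample` evaluates the constructed document instead of the live client. A peer that is online but expired is exactly the case where the admin console looks healthy yet traffic fails, so the script reports expiry before reachability.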

Thanks. Last night I re-enabled key expiry. This morning I gave it temporary key access, which let me see the Synology through the web interface via MagicDNS this morning. My joy was short-lived. The first thing I did was open Tailscale, which offered to let me reauthenticate. It failed to authenticate (never asking for login as before) and now I again can’t get in.

  • I can connect using MagicDNS to the other Synology in the house so I think I’m connected properly
  • I didn’t know about tailscale ping, that’s nifty. Doesn’t get a response (via IP)
  • I haven’t played with ACLs
  • My buddy will be home for one day on Friday so I’m hoping from inside his house I can do as you suggest. Or maybe tailscale up --force-reauth as suggested by the docs.

Closing this one out.

I went to my buddy’s house and from there I was able to get into the Synology via the local IP.

Even better, when I opened Tailscale, it gave me the option to authenticate, and it DID ask me for my credentials and allowed me to log in. Remember from my home it would offer to let me authenticate but it would never ask for my credentials, it would just fail.

So … I’m whole now that I disabled the keys on the Synology, but it seems it should have worked remotely.

Thanks again for the help folks!
