Exit node not working without /0 route on iPadOS

Tailscale version - 1.7.356
Your operating system & version - iPadOS 14.6 Beta 1

I’ve been racking my brain around this for a few weeks. I originally thought it was a DNS issue (DNS server is pi.hole running on Raspberry OS Buster (latest version) with Tailscale 1.6).

When running exit node, it appears no Internet-destined packets are hitting the Tailscale tunnel on iPadOS. I’ve confirmed this by running tcpdump on the Pi for any traffic on the tailscale0 interface. I do see DNS traffic over the tunnel as well as any traffic destined for the Pi. DNS resolution does work via the tunnel.

I ended up trying the following command on the Pi and now exit node works (I think as all traffic from the iPad is now going through the tunnel):

sudo tailscale up --advertise-exit-node --advertise-routes=0.0.0.0/0,::/0

So in my case, I’m assuming that even with exit node configured and enabled, there is no /0 route on the iPad.

Disabling exit node restores normal Internet routing on the iPad.

Thoughts? Anything to try?

Is it possible that an --advertise-routes=192.168.1.0/24 (or similar) was done in the past? Like it used to be a subnet router?

The behavior sounds like the Raspberry Pi was configured to be an exit node but only offered routes to the LAN. With 1.7.x and the future 1.8 releases, “tailscale up” remembers options previously configured and applies the new command line options on top of those. It will only complain if the new options are in conflict.

No chance. This is the first time I’ve used advertise-routes. It’s a really simple setup.

Any chance of pushing 1.7.x out for Raspberry Pi OS for Buster? I have the repro setup for that. I can test with the newer build on the Pi to see if that helps at all.

We’ll be building binaries for Raspberry Pi for the 1.8 release, which may be out next week. We don’t generally build the full suite of binaries for unstable releases during development.

If you want to build locally on the Raspberry Pi, you can copy cmd/tailscale/tailscale and cmd/tailscaled/tailscaled to the locations where the package would put them and let systemd start it up.

I’ll wait until it releases then. I don’t want to fubar anything up. 🙂

Amy

Okay, so 1.7 got pushed out for Raspberry Pi OS Buster and I’m testing with that.

I was running into some strange issues with still trying to get exit node working that didn’t make sense. It appeared that neither DNS resolution nor routing was working (and it looks like 1.7 doesn’t advertise the default route any longer).

I ended up deleting tailscale from my iPad and re-installed it and…. Exit node now works great. Will keep testing it to see if anything changes.

Also noting, I have DNS configured to point to my pi.hole Tailscale IP and am not using Magic DNS. This is twice I’ve been bitten by a corrupt install in the last few weeks for a beta app. 🙂 That will be my first step in future troubleshooting.

Argh. I spoke too soon. Now back to my original situation. More testing.

Okay. I got exit node working on my iPad finally. Yay!!

To get it to work, I ended up deleting a very old OpenVPN profile (has been inactive for well over 6 months).

Deleting and re-installing Tailscale got me back to the original issue I was having (DNS not resolving with exit node enabled). IP traffic was routing this time but just no DNS resolution.

I was able to get a new tcpdump and I found that my DNS queries were hitting my pi.hole DNS server via the tailscale interface and answers were hitting the tailscale interface on my Pi, but various apps on the iPad were not getting the responses.

Now I’m working on breaking things again so I can find what exactly was causing the problem. Seems strange that inactive OpenVPN profiles could cause any issue but then again, I’ve seen similar types of issues when I used to administer multiple types of VPN servers in the past.

I’ll also post this in the DNS thread in case that helps there.
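
Added example (not part of the thread and not Tailscale's own tooling): the tcpdump check used above, scripted. It reads text output of `tcpdump -n -i tailscale0` captured on the exit node and counts what one client sent as DNS, tailnet-only, or Internet-destined traffic; the function names and all addresses in the sample captures are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Tailscale node addresses come from the CGNAT range 100.64.0.0/10.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
# IPv4 TCP/UDP line of `tcpdump -n`: "... IP SRC.SPORT > DST.DPORT: ..."
LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def classify(lines, client_ip):
    """Count packets sent by client_ip as dns / tailnet / internet."""
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m or m.group(1) != client_ip:
            continue  # not an IPv4 TCP/UDP line, or not sent by the client
        dst, dport = ipaddress.ip_address(m.group(3)), int(m.group(4))
        if dport == 53:
            counts["dns"] += 1
        elif dst in TAILNET:
            counts["tailnet"] += 1
        else:
            # Only seen when the client routes Internet traffic into the tunnel.
            counts["internet"] += 1
    return counts

def exit_node_in_use(lines, client_ip):
    """True if the client sent any non-DNS traffic to a non-tailnet address."""
    return classify(lines, client_ip)["internet"] > 0

# Constructed sample captures (hypothetical client and exit-node addresses).
IPAD = "100.101.102.103"
DNS_ONLY = [
    "12:00:01.000000 IP 100.101.102.103.51234 > 100.100.1.2.53: 4660+ A? example.com. (29)",
    "12:00:01.020000 IP 100.100.1.2.53 > 100.101.102.103.51234: 4660 1/0/0 A 203.0.113.10 (45)",
    "12:00:02.000000 IP 100.101.102.103.50000 > 100.100.1.2.80: Flags [S], seq 1, win 65535, length 0",
]
ROUTED = DNS_ONLY + [
    "12:00:03.000000 IP 100.101.102.103.50001 > 203.0.113.10.443: Flags [S], seq 1, win 65535, length 0",
]

if __name__ == "__main__":
    for name, capture in (("dns_only", DNS_ONLY), ("routed", ROUTED)):
        print(name, dict(classify(capture, IPAD)), exit_node_in_use(capture, IPAD))
```

A capture that shows only `dns` and `tailnet` counts matches the symptom first reported in the thread: the client reaches the Pi over the tunnel but sends no Internet-bound traffic through it.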