Exit node on Oracle OCI

I’m trying to set up an exit node on Oracle OCI (Ubuntu LTS 20.04).

What I’ve done so far:

  • Installed Tailscale on various iOS/Android/Mac devices
  • Set an exit node on a local machine I own (Ubuntu LTS): this works fine. So I know my clients can handle exit nodes.
  • Installed Tailscale on the OCI machine and ran it with --advertise-exit-node.
  • Ping the OCI machine from my clients → this works fine
  • Set the OCI machine as my exit node from the clients → this does not work

Running tcpdump -i tailscale0 on the OCI machine, I see lots of traffic from the client to the OCI machine, but nothing in the opposite direction.

I assume this could be a firewall issue, but iptables shows what look to me to be tailscale-configured rules that all look…reasonable.

What’s the next step to debug?

Thanks!

The Tailscale guide “Access Oracle Cloud VMs privately using Tailscale” shows how to add rules to the OCI cloud-hosted firewall. I wouldn’t expect the cloud firewall to break exit node (it allows outgoing connections by default) but could be experimented with.

Thanks. I saw those instructions and tried them, though as I read it the OCI firewall changes are just needed to allow direct connections instead of NAT traversal, no?

In any case, since I do see the incoming traffic on tcpdump, I sort of assume the issue is something to do with the host firewall. But I don’t see any tailscale docs on having to manually change iptables configs, nor does it seem necessary since, if I read correctly, TS has inserted its own chains at the top of the FORWARD and INPUT chains, right?

Tailscale adds new iptables chains, yes.

Since Oracle Linux is a Red Hat Enterprise Linux derivative, it may need:
firewall-cmd --permanent --add-masquerade
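The two replies above point at the host-side forwarding path (the tailscale chains hooked into FORWARD, and masquerading of traffic leaving the exit node). The script below is an added example, not part of this thread or of Tailscale's own tooling: it parses the output of `sysctl` and `iptables-save` and reports whether IP forwarding is on, whether the `ts-forward` hook is reached before any terminating REJECT/DROP rule on FORWARD, and whether a MASQUERADE rule exists in the nat table. The sample inputs are constructed here so it runs offline; the rule text only approximates what tailscaled installs, and the chain names `ts-forward`/`ts-postrouting` are assumed from that. Note that in this thread the eventual fix was a Tailscale upgrade, so passing these checks does not rule out a client/daemon version problem.

```shell
#!/usr/bin/env bash
# Added example: offline checks for Linux exit-node forwarding prerequisites.
# On a real host feed it:  check_forwarding "$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding)"
#                          check_forward_hook "$(sudo iptables-save)"
#                          check_masquerade "$(sudo iptables-save)"

# Constructed sysctl output: forwarding never enabled vs. enabled.
SYSCTL_BROKEN='net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0'
SYSCTL_OK='net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1'

# Constructed iptables-save excerpt (approximation of tailscaled's rules, assumed):
# a distro REJECT sits on FORWARD *before* the ts-forward hook, and the nat table
# has no MASQUERADE, so forwarded packets never get a reply path.
IPTABLES_BROKEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:ts-input - [0:0]
:ts-forward - [0:0]
-A INPUT -j ts-input
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j ts-forward
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# Same excerpt with the hook first and a masquerade chain in nat.
IPTABLES_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:ts-input - [0:0]
:ts-forward - [0:0]
-A INPUT -j ts-input
-A FORWARD -j ts-forward
-A ts-forward -i tailscale0 -j MARK --set-xmark 0x40000/0xff0000
-A ts-forward -m mark --mark 0x40000/0xff0000 -j ACCEPT
-A ts-forward -o tailscale0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:ts-postrouting - [0:0]
-A POSTROUTING -j ts-postrouting
-A ts-postrouting -m mark --mark 0x40000/0xff0000 -j MASQUERADE
COMMIT'

# Prints ok when both the v4 and v6 forwarding sysctls are 1, else fail.
check_forwarding() {
  local v4 v6
  v4=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.ip_forward = //p')
  v6=$(printf '%s\n' "$1" | sed -n 's/^net\.ipv6\.conf\.all\.forwarding = //p')
  if [ "$v4" = 1 ] && [ "$v6" = 1 ]; then echo ok; else echo fail; fi
}

# Walks the FORWARD chain in order: ok if the jump to ts-forward comes before
# any terminating REJECT/DROP rule, fail otherwise (or if the hook is missing).
check_forward_hook() {
  local line status=fail
  while IFS= read -r line; do
    case "$line" in
      "-A FORWARD "*"-j ts-forward"*) status=ok; break ;;
      "-A FORWARD "*"-j REJECT"*|"-A FORWARD "*"-j DROP"*) status=fail; break ;;
    esac
  done <<EOF
$1
EOF
  echo "$status"
}

# ok if any rule in the *nat table jumps to MASQUERADE, else fail.
check_masquerade() {
  local line table='' status=fail
  while IFS= read -r line; do
    case "$line" in
      '*'*) table=${line#\*} ;;
      *"-j MASQUERADE"*) if [ "$table" = nat ]; then status=ok; fi ;;
    esac
  done <<EOF
$1
EOF
  echo "$status"
}

echo "forwarding  broken=$(check_forwarding "$SYSCTL_BROKEN") ok=$(check_forwarding "$SYSCTL_OK")"
echo "FORWARD hook broken=$(check_forward_hook "$IPTABLES_BROKEN") ok=$(check_forward_hook "$IPTABLES_OK")"
echo "MASQUERADE  broken=$(check_masquerade "$IPTABLES_BROKEN") ok=$(check_masquerade "$IPTABLES_OK")"
```

If all three report ok on the exit node and tcpdump on tailscale0 still shows only inbound packets, the host firewall is unlikely to be the cause and the daemon version (as the later replies in this thread found) or the cloud firewall is the next thing to check.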

Thanks, but this is running Ubuntu 20.04. :-/

Are you running 1.20.0+ on both sides?

When both sides are 1.20, it changes the DNS handling to the new mode.

When it’s in the broken state, can I get a tailscale bugreport on both sides? (macOS and OCI Ubuntu)

Hey Brad,

Yes, 1.20.x on both sides.

From the server:

BUG-426f960fa63ebe3770c8dc7bc6a73b0bdfe68dd298a28b87b7b006603ce912e5-20220127093928Z-6dfc9debeca1763b

From the client:

BUG-e97c575179c45e626e0a4e17267fa06b397850d348174216fa25388bbe9bdb2c-20220127095758Z-1e7284088973ea45

https://pkgs.tailscale.com/unstable/ has a 1.21.43 release which may help, making a change in how DNS is routed through an exit node. The top of that page has instructions of how to switch to the unstable track to try it.

If it resolves the issue, the same fix will be in the 1.22 stable release. You could switch back to the stable track when that is out, instructions are on https://pkgs.tailscale.com/stable/

Sorry for the slow reply.

Installing unstable on the exit node fixed the problem! Thanks!

Thank you guys, was doing the exact same thing on OCI and was stumped. Upgraded the exit node to 1.21.56 and everything is peachy.

I’ve also updated to the unstable version which made it finally work for me. However, I still occasionally have problems connecting to the internet, which seems to resolve by itself after a few minutes. Does anyone know how to fix this?

Here’s the bug report from the server when it happens:

BUG-293bb3fa72b4026a25538f209aba77f5c7e7df0dfa5ab81e70355f447fc735f5-20220812001804Z-4ccd3ba5ced55f48

and the client:

BUG-84eef1558a3d2e8621aaf6b0402b8cbed20426c17663465beddb974096c09227-20220812001744Z-ceab2b4a4e65a5a4