Funnel Not available - not set

ctech · December 23, 2022, 11:17pm

I am trying to run

tailscale serve funnel on

on a FreeBSD machine with version 1.34.1. I get:

Funnel not available; "funnel" node attribute not set. See https://tailscale.com/kb/1223/tailscale-funnel/.

But I have done this. Here is my policy file end.:

	"nodeAttrs": [
		{
			// Funnel policy, which lets tailnet members control Funnel
			// for their own devices.
			// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
			"target": ["autogroup:members"],
			"attr":   ["funnel"],
		},
	],
}

What should I do to get past this issue?

muzicman0 · December 23, 2022, 11:35pm

I just went through this. I had to set up a group instead of autogroup.

“groups”: {
“group:can-funnel”: [
“my.email@gmail.com”,
],
},

AND:

“nodeAttrs”: [
{
// Funnel policy, which lets tailnet members control Funnel
// for their own devices.
// Learn more at Tailscale Funnel · Tailscale
“target”: [“group:can-funnel”],
“attr”: [“funnel”],
},
],

ctech · December 24, 2022, 12:21am

That worked. Thanks!

muzicman0 · December 24, 2022, 12:43am

great! One thing also, at least for internet enabled sites, it took quite a bit longer than the 10 minutes for it to be up for me. Probably closer to 20-30 minutes.

ctech · December 24, 2022, 4:22pm

So with these permissions, can you access the .ts.net address that it gives you from any public IP without being on the tailscale network? I’m not able to and I’m trying to figure out why and it seems like it only allows me to do it when signed in.

Edit: it should work fine. I just was not going to the HTTPs version. Sorry for the confusion.

itspetemorgan · January 17, 2023, 8:33pm

This fixed it for me too. A small nudge to the docs would really help for this!

drio · April 4, 2023, 7:15pm

@muzicman0 Thank you for helping with this.

I am confused with the functionality of the funnel feature.
If I am not mistaken, it allows you to expose tcp services running on your tailnet nodes to the public Internet.

The problem is that when I finish all the setup process:

Enable certs
Add funnel to policy
Enable funnel on a specific host

I end up with:

➜ tailscale serve status

# Funnel on:
#     - https://air.xxxx.ts.net

https://air.xxxxx.ts.net (Funnel on)
|-- / proxy http://127.0.0.1:3000

But air.xxxx.ts.net resolves to a 100.x ip so that is not going to be available to the public Internet.

What am I missing?

muzicman0 · April 4, 2023, 7:53pm

How long did you wait? The last time I enabled Funnels, it took hours to work. I would give it quite a while. Also you should test on something that is not connected to your tailnet.

drio · April 4, 2023, 7:58pm

Thank you.

I gave it maybe a bit less than an hour.
So, what do you see after the dns update? You see a public IPv4 instead a private 100.x on that hostname?

muzicman0 · April 4, 2023, 8:00pm

I don’t remember for sure, it turned out that (at least currently), a funnel didn’t have enough bandwidth to handle what I needed to do. But it would have to be something reachable from the public internet.

drio · April 4, 2023, 8:13pm

You may want to look into cloudflare’s tunnels. I have used them and they work quite well.

But I prefer to use Tailscale. This is still beta and I am happy to give feedback to the team so we bring this feature to a first class level.

Thank you @muzicman0.

muzicman0 · April 4, 2023, 8:15pm

That is what I am using now. I was looking for an alternative as a backup, just in case.