How do I reauth a client properly?

How is this still an issue? I disabled key expiry for a machine today, then I noticed it said it was going to expire in 20 minutes.

Okay, so I guess it’s not going to auto-renew, so I look for a CLI option to renew key, but there is none.

So I naively issue a tailscale up --force-reauth and again, am kicked out of my remote machine. Awesome. Whatever login link I was meant to see, is not really accessible to me.

This is unpleasant, to put it nicely. What am I even supposed to do here to avoid this?

Whenever I am making changes to the Tailscale service I have an alternative remote solution running (Teamviewer, for instance), even if it’s just a temporary one while that work is happening.

I guess I find it hard to believe that I’m not the only one (read: there are paying clients with more serious needs than mine) who wants to manually re-key machines and wants to do it by-hand, even for remote machines. With a bit of alerting too…

If you want to manually rekey machines you can generate a key in the control plane and then use that key to auth.

sudo tailscale up --authkey tskey-abcdef1432341818

This really should be in the docs under the renew keys section if it is the preferred way to manually reauth a remote unit (via tailscale only).

I tested this on a remote windows rdp connection via tailscale using a preauthorized key and was able to reconnect via tailscale without any local input so it does work in this role.