MacOS System Extension

I’ve installed the latest tailscale version via homebrew and I’ve set up the system extension following the instructions here: Tailscaled on macOS · tailscale/tailscale Wiki · GitHub. So the steps I ran:

  1. Logged in as a normal user
  2. brew install tailscale
  3. sudo tailscaled install-system-daemon (tailscaled is the homebrew installed version)
  4. tailscale up / complete login process
  5. tailscale status to confirm connection
  6. Successfully VNCed into my machine

However, when I restart the machine, I’m unable to VNC in. I’m not able to VNC in until I log back in as the user that I setup Tailscale with.

I’m also unable to ping the machine before a user is logged in.

Is this expected behavior? My understanding was that with the system daemon installed I could

I guess the first thing to check is /Library/LaunchDaemons/com.tailscale.tailscaled.plist: is it owned by root? Does “launchctl load /Library/LaunchDaemons/com.tailscale.tailscaled.plist” return any errors?
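The two checks suggested above, as an added shell example that is not from the original thread or from Tailscale: it audits the plist the way launchd does before loading it (launchd refuses a LaunchDaemon plist that is not owned by root or that is writable by group/other, which is the cause of the "bad ownership/permissions" load error) and then asks launchd for the job's state. The plist path and label are the ones named in the thread; the sample `ls -l` lines and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or Tailscale's own code.
# Path and label are the ones from the thread; everything else is assumed.
PLIST=/Library/LaunchDaemons/com.tailscale.tailscaled.plist
LABEL=com.tailscale.tailscaled

# audit_ls_line: read one "ls -l" line on stdin and return 0 only if the file is
# owned by root:wheel and neither group (column 6) nor other (column 9) can write
# it. These are the conditions launchd enforces on a LaunchDaemon plist; a
# 0700 file (the "rwx------" in the thread) passes, a 0664 file does not.
audit_ls_line() {
    read -r mode _links owner group _rest || return 1
    case "$mode" in
        ?????w*|????????w*) echo "rejected: writable by group/other ($mode)"; return 1 ;;
    esac
    [ "$owner" = root ]  || { echo "rejected: owner is $owner, not root"; return 1; }
    [ "$group" = wheel ] || { echo "rejected: group is $group, not wheel"; return 1; }
    echo "ok: $mode $owner:$group"
}

# audit_plist: run the same check against a real file on disk.
audit_plist() {
    [ -e "$1" ] || { echo "missing: $1"; return 1; }
    ls -l "$1" | audit_ls_line
}

# show_daemon_state (macOS only): ask launchd whether the job is bootstrapped in
# the system domain. "launchctl print" reports the pid, last exit status and the
# stdout/stderr paths, which "launchctl load" alone never tells you.
show_daemon_state() {
    sudo launchctl print "system/$1" 2>&1 | grep -Ei 'state|pid|last exit|path'
}

# Demo: only touches the real plist if it exists on this machine.
if [ -e "$PLIST" ]; then
    audit_plist "$PLIST" || :
    show_daemon_state "$LABEL" || :
fi
```

If `audit_plist` rejects the file, `sudo chown root:wheel` and `sudo chmod 644` on the plist, then `sudo launchctl bootout system "$PLIST"` and `sudo launchctl bootstrap system "$PLIST"` (the modern equivalents of unload/load) before rebooting again.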

Thanks for getting back to me!

Here are the permissions for the plist entry

rwx------  1 root  wheel  387 Apr  2 18:56 /Library/LaunchDaemons/com.tailscale.tailscaled.plist

No errors either when running launchctl load (ran as both sudo and non-sudo after unloading).

That said as soon as I log in I’m able to connect to the instance, so it seems to be something to do with the first boot (non logged in) state.

The next thing I’d suggest is to reboot the system, leave it sit for a couple minutes, then log in. You can run /Applications/Utilities/Console.app and search for “tailscale” to see if it even tried to run prior to logging in, and what happened when it did.

I’ve tried three things to get tailscaled logs:

  1. Open console app and search tailscale (by simply putting “tailscale” into the search box). I tried each Device / Report section and did not see any logs related to tailscale. Note I did not enable streaming and I’m assuming that if there were any tailscale related logs they’d come up. I’m not super familiar with console app so if I’m not searching properly please let me know.

  2. I opened a terminal and ran sudo log show --start "2022-04-10 13:19:00"; grepping for tailscale returned some entries related to “mDNSResponder” (DNSServiceQueryRecord entries) and “symptomsd” (recording an analytics entry).

  3. I configured launchctl to output logs from tailscaled via:

<key>StandardErrorPath</key>
<string>/tmp/mycommand.err</string>
<key>StandardOutPath</key>
<string>/tmp/mycommand.out</string>

in the launchctl file. When I look at the std err output I see logs relating to bootstrap DNS / log.tailscale.io and connection failures (no route to host, network unreachable). These logs seem to be in a retry loop of some kind. Then around the time of login I see:

2022/04/11 16:16:34 LinkChange: major, rebinding. New state: interfaces.State{defaultRoute= REDACTED
2022/04/11 16:16:37 LinkChange: major, rebinding. New state: interfaces.State{defaultRoute=en1 REDACTED
2022/04/11 16:16:37 Rebind; defIf="en1", REDACTED
2022/04/11 16:16:37 magicsock: 0 active derp conns
2022/04/11 16:16:37 Rebind; defIf="en1",REDACTED
2022/04/11 16:16:37 magicsock: 0 active derp conns
2022/04/11 16:16:37 control: control server key  REDACTED
2022/04/11 16:16:37 control: RegisterReq:REDACTED
2022/04/11 16:16:38 control: RegisterReq: REDACTED
2022/04/11 16:16:38 active login: ci
2022/04/11 16:16:38 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
2022/04/11 16:16:38 magicsock: SetPrivateKey called (init)

Out of an abundance of caution I redacted all but what seemed to be the basic message of the log entry - happy to provide more detail.

Seems like the link isn’t actually being activated until the user logs in. Could this be a permissions issue with the network being accessible by the tailscaled process? I’ve read MacOS can be quite strict with network permissions in launchctl daemons pre login.

I’m using MacOS 12.1 and I do have another piece of software (Screens Connect - this is what I’d like to replace with tailscale) that runs before login and enables remote inbound connections, so I know that the network is available and the machine is able to receive connections.
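A way to turn the stderr file set up above into numbers rather than reading it by eye, as an added example that is not from the thread or from Tailscale: it reports when the daemon first saw a major LinkChange, how many "no route to host"/"network is unreachable" errors it logged before that, and how long the retry loop ran, which is exactly the "did the link come up before or after login" question. The sample log embeds the LinkChange lines quoted above and adds constructed pre-login retry lines in the same timestamp shape; the retry-line wording, the function names and the same-day assumption for the timestamps are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or Tailscale's own code.
# Constructed sample: the thread's post-login lines plus invented pre-login
# retry-loop lines in the same "YYYY/MM/DD HH:MM:SS message" shape.
SAMPLE_LOG='2022/04/11 16:12:01 control: dial failed: connect: network is unreachable
2022/04/11 16:12:31 control: dial failed: connect: no route to host
2022/04/11 16:13:01 control: dial failed: connect: no route to host
2022/04/11 16:16:34 LinkChange: major, rebinding. New state: interfaces.State{defaultRoute= REDACTED
2022/04/11 16:16:37 LinkChange: major, rebinding. New state: interfaces.State{defaultRoute=en1 REDACTED
2022/04/11 16:16:37 Rebind; defIf="en1", REDACTED
2022/04/11 16:16:38 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)'

# first_link_change: timestamp of the first major LinkChange on stdin, i.e. the
# moment the daemon finally saw a default route. Prints nothing if there was none.
first_link_change() {
    awk '/LinkChange: major/ { print $1 " " $2; exit }'
}

# failures_before_link: count of "no route"/"unreachable" errors logged before
# that first LinkChange. A large number here means the daemon was up and
# retrying the whole time, so the problem is the network, not launchd.
failures_before_link() {
    awk '
        /LinkChange: major/ { done = 1 }
        !done && /no route to host|network is unreachable/ { n++ }
        END { print n + 0 }'
}

# seconds_without_route: wall-clock seconds from the first log line to the first
# major LinkChange. Assumes both lie on the same day; parses HH:MM:SS by hand so
# it works with any POSIX awk.
seconds_without_route() {
    awk '
        function secs(t,  h) { split(t, h, ":"); return h[1]*3600 + h[2]*60 + h[3] }
        NR == 1 { first = secs($2) }
        /LinkChange: major/ { print secs($2) - first; exit }'
}

# Demo on the constructed sample; on the real machine feed it the file named by
# StandardErrorPath instead, e.g.  failures_before_link < /tmp/mycommand.err
printf '%s\n' "$SAMPLE_LOG" | first_link_change
printf '%s\n' "$SAMPLE_LOG" | failures_before_link
printf '%s\n' "$SAMPLE_LOG" | seconds_without_route
```

Compare the LinkChange timestamp with the login time from `last` or from the login window entries in `sudo log show --predicate 'process == "tailscaled"' --start "…"` (the predicate form avoids the mDNSResponder/symptomsd noise that a plain grep picks up): a LinkChange that lands a few seconds after login, after minutes of retries, is the pattern in the quoted log and points at a default route that only appears once a user session is up.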

I’m not familiar with ScreensConnect, but it does change the network settings, I’m wondering if that might be interfering with tailscale establishing a connection.

Is it running as a System Extension?
systemextensionsctl list will tell you.

Can you remove that and test again?

Removing ScreensConnect seems to have done it! Just tested a couple of times and I’m now able to connect after reboot. Thank you!

In case it helps in the future: sudo systemextensionsctl list shows “0 extension(s)”

I may have spoken too soon :)

I performed a few restarts after disabling screens connect and I was able to connect. I’ve just tried again and was unable to connect, not sure what happened in the few retries after uninstalling screens connect!

Hey @Jay, we’ve given this some time to run without screens connect and though sometimes we’re able to remotely connect, the majority of the time it requires a login.

We’ve got a basic M1 MacOS Big Sur installation and other than screens connect nothing else installed on the server and we’ve installed Tailscale via homebrew. This is a supported configuration, right? Want to check it’s not something simple before digging into debugging more :).

Thanks for your help so far!

Tailscale didn’t produce the homebrew package but does provide the tailscaled-on-MacOS implementation that it builds.