Taildrop not working when sending a file from iPhone to a NixOS machine

Hi,

I got Taildrop working fine when sending a file from my NixOS machine to an iPhone, but the opposite doesn’t seem to be working: I get “reconnect to tailscale and try again” on the phone.

On the NixOS side, I just started this in the background:

$ sudo tailscale file get -wait -verbose .
waiting for file...

In the logs there doesn’t seem to be any related error; I see some ACKs but nothing relevant beyond that:

May 11 12:26:53 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:26:54 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:26:55 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:27:04 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok

Given that this is a beta feature, it may not be supported yet, so I’m just checking :)

This is interesting. I just tried to replicate it on my NixOS box and I was unable to have my iPhone XS running Tailscale 1.8.x fail to send me a picture:

$ sudo tailscale file get -wait -verbose .
waiting for file...
wrote IMG_4203.JPG (1642122 bytes)
moved 1 files

I did reboot my NixOS box after updating it from Tailscale 1.6.x to Tailscale 1.8.x though (nixos-unstable had a kernel patch go through), maybe try rebooting and see if that helps? I’m going to take a closer look after this meeting though.

Hm, so I tried a reboot, but no difference so far. Maybe I have a bit of an odd setup; let me share some details:

  • I run NixOS 20.09 20.09.20210508.1b688ca
  • I do some mixing with flakes to grab some packages from nixos-unstable, like tailscale.
  • The kernel version is 5.4.114, but I’m not sure that’s relevant, as IIRC Tailscale uses user-space WireGuard.

Running tailscale status seems to show extra info for my iPhone; maybe that’s not expected?

$ tailscale status
100.114.22.77   nixos                amine@       linux   -
100.117.13.46   amines-iphone        amine@       iOS     active; relay "fra", tx 248 rx 1160
100.101.102.103 ("hello")            services@    linux   -
100.114.179.5   linode               amine@       linux   -

relay "fra" maybe indicates that the iPhone for some reason isn’t going through the NAT traversal magic and is going through a relay instead, so that may be related?

Do you have your configuration.nix file anywhere?

Unfortunately, I don’t have it public.
Any parts in particular you’re interested in checking?

That’s fine, I was just wondering if you could paste the parts that pull from unstable and where you override Tailscale to use the package from unstable so I can recreate that issue in my lab (context: I am a tailscale employee).

I basically have this very simple module

$ cat common/tailscale.nix
tailscaleUnstable:

{ pkgs, lib, ... }:
{
  services.tailscale = {
    enable = true;
    package = tailscaleUnstable;
  };
}

in my configuration.nix I do

imports =
    [
      (import ../common/tailscale.nix flakes.unstablepkgs.legacyPackages.x86_64-linux.tailscale)
     <...>
    ]

so the option services.tailscale.package just gets assigned whatever package is in the nixos-unstable channel.

Thanks for looking into this :) Let me know if I can share anything else that could be helpful.

I found I have to do the following: networking.firewall.trustedInterfaces = [ "tailscale0" ];

i.e.

# cat tailscale.nix
# Tailscale VPN

{ config, pkgs, lib, ... }:

with lib;

let
  enable = true;
  openssh = config.services.openssh.enable;
  ports = config.services.openssh.ports;
in
{
  # Tailscale VPN
  services.tailscale.enable = enable;

  # allow the Tailscale UDP port through the firewall; is this a necessary setting? If so, when?
  # networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
  # Do we rely upon tailscale controls??? Then:
  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  # Or be explicit
  # networking.firewall.interfaces."tailscale0".allowedTCPPorts = if enable && openssh then ports else []; # allow SSH from VPN
}

It would be really nice to know what ports TailDrop will connect to…

I’d love to configure a mapping between device and directory / owner so that different devices can push to different directories…
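The thread leaves two practical questions open: which local ports peers are actually connecting to (the tailscaled journal lines quoted in the first post show the iPhone hitting TCP port 60886 on the NixOS node, and the last post asks exactly what ports Taildrop uses), and whether a given peer is going through a DERP relay rather than a direct path (the relay "fra" entry in the tailscale status output). The following script is an added example, not part of the original thread or of Tailscale's own tooling. It parses the journal's "Accept: TCP{src > dst}" lines and the `tailscale status` table and reports, per peer, the local ports being hit and the relay in use. The sample log and status text are constructed from the lines quoted above plus one invented SSH connection from the linode peer; the log line format and the status column layout are assumed to be as shown in the thread. Whether a port such as 60886 is stable across tailscaled restarts is not established by the thread, so treat the output as a snapshot to check against your firewall rules, not as a list of ports to hard-code.

```python
"""Summarise inbound peer connections seen by tailscaled.

Added example (not from the original thread): parses the
"Accept: TCP{src:port > dst:port}" lines tailscaled writes to the journal
and the `tailscale status` table, then reports which local ports each
peer connects to and whether that peer is currently going via a relay.
Sample data is constructed from the lines quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample: three of the quoted iPhone lines plus one invented
# SSH connection from the linode peer.
SAMPLE_LOG = """\
May 11 12:26:53 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:26:54 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:27:04 nixos tailscaled[12466]: Accept: TCP{100.117.13.46:50485 > 100.114.22.77:60886} 64 tcp ok
May 11 12:27:10 nixos tailscaled[12466]: Accept: TCP{100.114.179.5:41222 > 100.114.22.77:22} 52 tcp ok
"""

# Constructed sample, modelled on the `tailscale status` output in the thread.
SAMPLE_STATUS = """\
100.114.22.77   nixos                amine@       linux   -
100.117.13.46   amines-iphone        amine@       iOS     active; relay "fra", tx 248 rx 1160
100.101.102.103 ("hello")            services@    linux   -
100.114.179.5   linode               amine@       linux   -
"""

ACCEPT_RE = re.compile(
    r"Accept: (?P<proto>TCP|UDP)\{(?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\}"
)
# Columns assumed: ip, hostname, user@, os, then free-form connection info.
STATUS_RE = re.compile(
    r"^(?P<ip>[\d.]+)\s+(?P<name>\S+)\s+\S+@\s+(?P<os>\S+)\s+(?P<info>.*)$"
)
RELAY_RE = re.compile(r'relay "(?P<relay>[^"]+)"')


def parse_status(text):
    """Map each peer's Tailscale IP to name, OS, activity and relay (None if none shown)."""
    peers = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        info = m.group("info")
        relay = RELAY_RE.search(info)
        peers[m.group("ip")] = {
            "name": m.group("name"),
            "os": m.group("os"),
            "active": info.startswith("active"),
            "relay": relay.group("relay") if relay else None,
        }
    return peers


def parse_accepts(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for every Accept line in the journal text."""
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            yield m.group("proto"), m.group("src"), m.group("dst"), int(m.group("dport"))


def inbound_ports(log_text, status_text, local_ip):
    """Count packets per (peer name, proto, local port) addressed to local_ip.

    Source IPs not present in the status table are reported under the raw address.
    """
    peers = parse_status(status_text)
    counts = Counter()
    for proto, src, dst, dport in parse_accepts(log_text):
        if dst != local_ip:
            continue
        name = peers.get(src, {}).get("name", src)
        counts[(name, proto, dport)] += 1
    return dict(counts)


def report(log_text, status_text, local_ip):
    """One human-readable line per (peer, proto, port), with the peer's relay if any."""
    peers = parse_status(status_text)
    by_name = {p["name"]: p for p in peers.values()}
    lines = []
    for (name, proto, dport), n in sorted(inbound_ports(log_text, status_text, local_ip).items()):
        peer = by_name.get(name)
        via = f'relay "{peer["relay"]}"' if peer and peer["relay"] else "no relay shown"
        lines.append(f"{name:<16} -> {proto} port {dport:<6} {n} packet(s), {via}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, SAMPLE_STATUS, "100.114.22.77")))
```

On a real node, feed it `journalctl -u tailscaled` and `tailscale status` output and your own Tailscale IP. If a peer shows up hitting a port that is neither in `networking.firewall.interfaces."tailscale0".allowedTCPPorts` nor covered by `trustedInterfaces = [ "tailscale0" ]`, the NixOS firewall is the first thing to suspect, which matches the finding in the previous post.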