I have been testing Tailscale in a POC scenario for about two weeks in a home environment (with hopes to POC it into a business environment if I find it successful).
I have a few devices connected and in one sample scenario, am running KDE Connect between a laptop and mobile phone. KDE Connect uses a dynamic set of ports in the range of 1714-1764.
I have set up an ACL to allow all hosts to speak over these ports. My rules are normally more restrictive, but in debugging have arrived at the below:
{ "Action": "accept", "Users": ["*"], "Ports": ["*:1714-1764"] },
I do not appear to see a successful connection just with this rule. The below is a tcpdump of traffic from the laptop received when refreshing KDE Connect on the phone.
tcpdump: listening on tailscale0, link-type RAW (Raw IP), capture size 262144 bytes
09:25:17.850631 IP (tos 0x0, ttl 64, id 37889, offset 0, flags [+], proto UDP (17), length 1276)
100.99.104.86.45022 > 100.114.126.6.1716: UDP, bad length 1751 > 1248
09:25:17.850667 IP (tos 0x0, ttl 64, id 37889, offset 1256, flags [none], proto UDP (17), length 523)
100.99.104.86 > 100.114.126.6: ip-proto-17
09:25:21.136517 IP (tos 0x0, ttl 64, id 38023, offset 0, flags [+], proto UDP (17), length 1276)
100.99.104.86.38194 > 100.114.126.6.1716: UDP, bad length 1751 > 1248
09:25:21.136537 IP (tos 0x0, ttl 64, id 38023, offset 1256, flags [none], proto UDP (17), length 523)
100.99.104.86 > 100.114.126.6: ip-proto-17
If I manually add an INPUT rule in iptables on the laptop with the following, traffic starts to flow correctly and a connection is successful on KDE Connect refresh.
sudo iptables -A INPUT -i tailscale0 -p udp -s 100.99.104.86 --match multiport --dport 1714:1764 -j ACCEPT
Not sure if I am missing something in the TS ACL or if I have hit a current limitation with handling of the ACL and UDP maybe, but keen for any insight.
If any additional debugging is needed, happy to help.
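As an added example (not part of the post above), a small Python script that parses tcpdump lines like the ones in the capture and reports what a per-packet port filter can actually see: only the first fragment of each IP id carries the UDP header with destination port 1716, while the trailing fragment (offset 1256) is printed as bare ip-proto-17 with no port at all. The capture lines and the 1714-1764 range come from the post; the per-packet classification logic is an assumption used for illustration, not a description of how Tailscale's filter is implemented.

```python
import re

# Constructed sample input: the four tcpdump lines quoted in the post, verbatim.
CAPTURE = """\
09:25:17.850631 IP (tos 0x0, ttl 64, id 37889, offset 0, flags [+], proto UDP (17), length 1276)
100.99.104.86.45022 > 100.114.126.6.1716: UDP, bad length 1751 > 1248
09:25:17.850667 IP (tos 0x0, ttl 64, id 37889, offset 1256, flags [none], proto UDP (17), length 523)
100.99.104.86 > 100.114.126.6: ip-proto-17
09:25:21.136517 IP (tos 0x0, ttl 64, id 38023, offset 0, flags [+], proto UDP (17), length 1276)
100.99.104.86.38194 > 100.114.126.6.1716: UDP, bad length 1751 > 1248
09:25:21.136537 IP (tos 0x0, ttl 64, id 38023, offset 1256, flags [none], proto UDP (17), length 523)
100.99.104.86 > 100.114.126.6: ip-proto-17
"""

IP_LINE = re.compile(r"^(\S+) IP \(.*?id (\d+), offset (\d+), flags \[([^\]]*)\].*?length (\d+)\)")
UDP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")
FRAG_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ip-proto-(\d+)")


def parse_capture(text):
    """Return one dict per IP packet. Assumes tcpdump -v output: an IP header line
    followed by one line describing the payload (UDP ports, or ip-proto-N for a
    non-first fragment, which carries no transport header to parse)."""
    lines = [l for l in text.splitlines() if l.strip()]
    frags = []
    for hdr, body in zip(lines[0::2], lines[1::2]):
        m = IP_LINE.match(hdr)
        if not m:
            continue
        ts, ip_id, offset, flags, length = m.groups()
        f = {"ts": ts, "id": int(ip_id), "offset": int(offset), "more": "+" in flags,
             "length": int(length), "src": None, "dst": None, "dport": None}
        udp = UDP_LINE.match(body)
        frag = FRAG_LINE.match(body)
        if udp:
            f["src"], f["dst"], f["dport"] = udp.group(1), udp.group(3), int(udp.group(4))
        elif frag:
            f["src"], f["dst"] = frag.group(1), frag.group(2)
        frags.append(f)
    return frags


def port_filter_view(frags, lo, hi):
    """Group fragments by (src, dst, IP id) and show what a filter that looks only at
    each packet's own headers can decide: the first fragment exposes the UDP port, every
    later fragment ('blind') has no port and cannot be matched against lo-hi on its own."""
    report = {}
    for f in frags:
        d = report.setdefault((f["src"], f["dst"], f["id"]),
                              {"fragments": 0, "first_dport": None, "blind": 0})
        d["fragments"] += 1
        if f["offset"] == 0:
            d["first_dport"] = f["dport"]
        else:
            d["blind"] += 1
    for d in report.values():
        d["first_matches_acl"] = d["first_dport"] is not None and lo <= d["first_dport"] <= hi
    return report


if __name__ == "__main__":
    for key, d in port_filter_view(parse_capture(CAPTURE), 1714, 1764).items():
        print(key, d)
```

Running it on the posted capture shows two datagrams, each split in two fragments: the first fragment matches the 1714-1764 range, the second has no port to match at all.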