Tailscale, ProtonVPN and RDP not working

Tailscale version 1.18.0 (up to date)
Windows 11 21H2 (up to date)

I’ve been using Tailscale for a while now, very happy with it. Last weekend I purchased a subscription to ProtonVPN. It’s very configurable, including split tunneling.

However, when ProtonVPN is active, I can’t use RDP (port 3389) to connect to a remote machine through Tailscale. As soon as I disconnect, it works fine.

I’ve configured ProtonVPN to use the OpenVPN protocol instead of WireGuard, I’ve excluded the target IP, I’ve excluded the Tailscale binaries, I’ve excluded the entire Tailscale subnet: nothing.

The weird thing is: I can ping the machine on its Tailscale IP. I can also connect to HTTP servers on other Tailscale-connected machines, but RDP doesn’t seem to work on any of them.

I’ve just tested with FTP, and that doesn’t work either. It feels random. Does anyone know a technical reason this is happening?

My thought is that Tailscale and ProtonVPN are fighting over control of the firewall. Most of the time Tailscale plays nice with other VPN programs, but it looks like ProtonVPN is fighting with you here. My guess is that ProtonVPN has decided that Tailscale’s network is a local network and is blocking access to that local destination somehow. I don’t personally have experience with ProtonVPN’s app, but look and see if there is some checkbox somewhere that allows you to access local network destinations. These VPN apps are really paranoid and sometimes that paranoia extends to blocking access to the local network to prevent some rare kinds of IP address leaks.
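A diagnostic that narrows the "ping and HTTP work, RDP and FTP don't" symptom down to routing versus filtering, added here as an example; it is not code from either post or from Tailscale or ProtonVPN. It assumes a Tailscale peer address of 100.64.0.10 and the default tailscale.exe install path, both placeholders to replace, and it assumes both products install Windows Filtering Platform (WFP) filters, which is what the reply's "fighting over the firewall" would look like on Windows. Run it in an elevated PowerShell on the Windows 11 client while ProtonVPN is connected.

```powershell
# Added example, not from the thread: split "works over Tailscale" into route selection,
# ICMP, per-port TCP, Tailscale's own peer view, and a coarse WFP filter census.
# $Target and $TsExe are assumptions; replace them for your own setup.

$Target = '100.64.0.10'                                        # assumed Tailscale IP of the RDP host
$Ports  = @{ RDP = 3389; HTTP = 80; FTP = 21 }                  # the ports the original post tried
$TsExe  = Join-Path $env:ProgramFiles 'Tailscale\tailscale.exe' # default install path (assumed)

function Test-TailscalePath {
    param([string]$Ip, [hashtable]$Ports, [string]$TailscaleExe)

    $r = [ordered]@{ Target = $Ip }

    # 1. Route selection: the adapter Windows picks for the destination. If this is the
    #    ProtonVPN adapter instead of the Tailscale adapter, the split-tunnel exclusion is
    #    not taking effect and the problem is routing, not a firewall.
    $route = Find-NetRoute -RemoteIPAddress $Ip -ErrorAction SilentlyContinue | Select-Object -First 1
    $r.EgressInterface = if ($route) { $route.InterfaceAlias } else { 'no route' }

    # 2. ICMP through the normal Windows stack (what "I can ping it" exercises).
    $r.IcmpOk = Test-Connection -ComputerName $Ip -Count 1 -Quiet -ErrorAction SilentlyContinue

    # 3. TCP connect per port. A port that fails while ICMP and another port succeed
    #    points at a per-port or per-protocol filter rather than at the tunnel itself.
    foreach ($name in $Ports.Keys) {
        $t = Test-NetConnection -ComputerName $Ip -Port $Ports[$name] -WarningAction SilentlyContinue
        $r["Tcp$($name)Ok"] = $t.TcpTestSucceeded
    }

    # 4. Tailscale's own view of the peer (direct, relayed, or unreachable). This does not
    #    depend on the Windows routing table, so a success here alongside a TCP failure
    #    above isolates the host-side filter as the cause.
    if (Test-Path $TailscaleExe) {
        $r.TailscalePing = (& $TailscaleExe ping --c 1 $Ip 2>&1 | Select-Object -First 1)
    }

    # 5. Coarse WFP census: dump the active filters and count lines mentioning each product.
    #    Two products both holding WFP filters is the "fighting over the firewall" case;
    #    open the XML by hand to see which filter blocks the port.
    $xml = Join-Path $env:TEMP 'wfp-filters.xml'
    netsh wfp show filters file="$xml" | Out-Null
    if (Test-Path $xml) {
        $r.WfpLinesMentioningProton    = (Select-String -Path $xml -Pattern 'Proton'    | Measure-Object).Count
        $r.WfpLinesMentioningTailscale = (Select-String -Path $xml -Pattern 'Tailscale' | Measure-Object).Count
    }

    [pscustomobject]$r
}

Test-TailscalePath -Ip $Target -Ports $Ports -TailscaleExe $TsExe | Format-List
```

Reading the output: if EgressInterface names the ProtonVPN adapter, the exclusions configured in the ProtonVPN app are not being honoured for that destination. If it names the Tailscale adapter, IcmpOk and TcpHTTPOk are true, and TcpRDPOk is false, then the tunnel is fine and something on the client is dropping specific ports; the WFP dump is where to look for a ProtonVPN filter doing that, which is the "local network" blocking the reply suggests checking for in the app's settings.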