I’m finding the key expiry experience frustrating with Tailscale. I do not see any way to re-auth a remote Mac client whose key is about to expire without breaking the Tailscale connection, so I need to have an alternate connection method available.
I’ve tried both using the menu item to “Log in as a different account” (Log in… does not appear until the current key has expired and I want to do this proactively). This immediately disconnects me so I do not see the browser.
Same result from the command line with tailscale up --force-reauth.
I have not yet tried waiting until the key expires and then using Extend Key from the admin console to regain temporary access. However, this would presumably still leave me in the same boat where once connected to the Mac all of my options to reauth would result in dropping the Tailscale connection.
Would it be bad to disable key expiry for the device?
I can as a workaround. I do this with servers. This happens to be a personal device (not tagged) that I am away from for an extended period due to construction.
A reasonable workflow for executing a remote re-auth seems a reasonable need. A gap I see in the Mac client is that there is no safe (does not drop existing connections) proactive reauth option. IMO this makes the Extend Key functionality in the admin console not useful because I still need an alternate connection method to re-auth once I’ve extended the key temporarily.
I can think of two work-arounds for this.
If the Mac is part of its own network and has another machine operating on the network with both Tailscale and SSH support, then you could use SSH tunneling. Simply put, use that machine to forward ports to the target Mac. Use Google and search ssh tunneling. If you can do this it’s the easy way.
But… if it’s the only machine at that remote location then an ugly solution is to install an alternate tool like ZeroTier and use it only when needed. You could even install, fix Tailscale, and then uninstall. It’s brute force but if it’s all you got, use it.