starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-11 20:00:28 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

VPN Fails (no SSH/Ping) in windows 10 devices after restart or logging off #116

New Issue
Closed
opened 2025-12-29 01:23:28 +01:00 by adam · 4 comments
adam commented 2025-12-29 01:23:28 +01:00
Owner
Copy Link

Originally created by @Ranakau62 on GitHub (Feb 3, 2022).

Description -

Hi, I started using headscale for a small personal project and i ran into an issue with regard to implementing it in windows devices. I am new to this and cant quite figure out where the issue lies, whether its in the tailscale client or the server.

When ever a windows machine is shutdown, restarted, user is logged off and relogged in and if logged off from the tailscale client itself, The data transfer through the VPN stops. Tailscale ping works across all devices. But normal ping as well as ssh fail. I was able ping/ssh before performing the above actions.

To Reproduce -

  • Setup headscale server, and namespace
  • Add node using windows 10
  • Restart device, Log off from the user and re-log in, Log off from tailscale client
  • run ping/ssh to other nodes in the network

Context info -

  • Windows 10 node
  • Running tailscale 1.20.2
  • headscale built using docker ( output of the headscale version command - dev )
  • using a ubuntu 20.04.3 LTS EC2 instance for the server.

Things i've tried

  • All of the above mentioned scenarios where the VPN fails
  • Multiple windows devices, including a VM, (all windows 10)
  • Multiple tailscale client versions (1.16, 1.18, 1.20)
  • Tested the same scenarios with linux and mac devices where no problems persisted
  • Custom firewall rules to allow inbound UDP
  • Tested with firewalls down.

Server config file content -

{
"server_url": "http://33.225.165.15:8080",
"listen_addr": "0.0.0.0:8080",
"private_key_path": "private.key",
"derp": {
"urls": [
"https://controlplane.tailscale.com/derpmap/default"
],
"paths": [
"derp.yaml"
],
"auto_update_enabled": true,
"update_frequency": "24h"
},
"disable_check_updates": false,
"ephemeral_node_inactivity_timeout": "30m",
"db_type": "postgres",
"db_host": "localhost",
"db_port": 5432,
"db_name": "headscale",
"db_user": "foo",
"db_pass": "bar",
"acme_url": "https://acme-v02.api.letsencrypt.org/directory",
"acme_email": "",
"tls_letsencrypt_hostname": "",
"tls_letsencrypt_listen": ":http",
"tls_letsencrypt_cache_dir": ".cache",
"tls_letsencrypt_challenge_type": "HTTP-01",
"tls_cert_path": "",
"tls_key_path": "",
"acl_policy_path": "",
"dns_config": {
"nameservers": [
"1.1.1.1"
],
"domains": [],
"magic_dns": true,
"base_domain": "example.com"
},
"unix_socket": "/var/run/headscale.sock"
}

The only workaround found is killing the tailscale process, deleting the node from the server and re-adding the device to the VPN.

Originally created by @Ranakau62 on GitHub (Feb 3, 2022). Description - Hi, I started using headscale for a small personal project and i ran into an issue with regard to implementing it in windows devices. I am new to this and cant quite figure out where the issue lies, whether its in the tailscale client or the server. When ever a windows machine is shutdown, restarted, user is logged off and relogged in and if logged off from the tailscale client itself, The data transfer through the VPN stops. Tailscale ping works across all devices. But normal ping as well as ssh fail. I was able ping/ssh before performing the above actions. To Reproduce - - Setup headscale server, and namespace - Add node using windows 10 - Restart device, Log off from the user and re-log in, Log off from tailscale client - run ping/ssh to other nodes in the network Context info - - Windows 10 node - Running tailscale 1.20.2 - headscale built using docker ( output of the headscale version command - dev ) - using a ubuntu 20.04.3 LTS EC2 instance for the server. Things i've tried - All of the above mentioned scenarios where the VPN fails - Multiple windows devices, including a VM, (all windows 10) - Multiple tailscale client versions (1.16, 1.18, 1.20) - Tested the same scenarios with linux and mac devices where no problems persisted - Custom firewall rules to allow inbound UDP - Tested with firewalls down. Server config file content - { "server_url": "http://33.225.165.15:8080", "listen_addr": "0.0.0.0:8080", "private_key_path": "private.key", "derp": { "urls": [ "https://controlplane.tailscale.com/derpmap/default" ], "paths": [ "derp.yaml" ], "auto_update_enabled": true, "update_frequency": "24h" }, "disable_check_updates": false, "ephemeral_node_inactivity_timeout": "30m", "db_type": "postgres", "db_host": "localhost", "db_port": 5432, "db_name": "headscale", "db_user": "foo", "db_pass": "bar", "acme_url": "https://acme-v02.api.letsencrypt.org/directory", "acme_email": "", "tls_letsencrypt_hostname": "", "tls_letsencrypt_listen": ":http", "tls_letsencrypt_cache_dir": ".cache", "tls_letsencrypt_challenge_type": "HTTP-01", "tls_cert_path": "", "tls_key_path": "", "acl_policy_path": "", "dns_config": { "nameservers": [ "1.1.1.1" ], "domains": [], "magic_dns": true, "base_domain": "example.com" }, "unix_socket": "/var/run/headscale.sock" } The only workaround found is killing the tailscale process, deleting the node from the server and re-adding the device to the VPN.
adam added the bug label 2025-12-29 01:23:28 +01:00
adam closed this issue 2025-12-29 01:23:28 +01:00
adam commented 2025-12-29 01:23:29 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Feb 3, 2022):

See this comment: https://github.com/juanfont/headscale/issues/269#issuecomment-1010758673

@kradalby commented on GitHub (Feb 3, 2022): See this comment: https://github.com/juanfont/headscale/issues/269#issuecomment-1010758673
adam commented 2025-12-29 01:23:29 +01:00
Author
Owner
Copy Link

@rjmalagon commented on GitHub (Feb 5, 2022):

For the Windows clients, the use of a Headscale server exposes the subtle and complex credential management that the Tailscale client do in the user context.

The tailscaled daemon store the main auth and config on c:\programdata\tailscale, but the login credentials are stored on %localappdata%\tailscale where the current user has the tailscale-ipn gui app loaded.

Without the unattended flag, the user tailscale-ipn app manages and resets this login process when loaded, with the unattended flag (or the unattended checkbox within tailascale-ipn app) the client store the login credentials on the user %localappdata%\tailscale and a special config on c:\programdata\tailscale that points to this user folder for the login data when the tailscaled service is started even without the user tailscale-ipn app loaded.

The catch with Headscale. The user tailscale-ipn app resets the login server config on %localappdata%\tailscale folder when loaded, and make a mess with Headscale connection keys process. But if you try to store the config via tailscale cli commnad without the user tailscale-ipn app (and prevent tailscale-ipn app to load), it fails to properly store the login server config too.

(TLDR is here)
The registry config is news for me, and my actual workaround is login on the Headscale server via cli with the user tailscale-ipn app loaded, then check the unattended box on the gui app, close the gui app, and prevent the same user app from loading, usually removing the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tailscale.lnk file.

Tip, if tailscale-ipn made a mess with the config, a shortcut is to clean the config: close the user Tailscale gui app, stop the Tailscale service, remove %localappdata%\tailscale and c:\programdata\tailscale, start the Tailscale service, open the Tailsacle gui app.

Opinion here.
The elegant simplicity on the *nix Tailscale client is a hard contrast to, somewhat overengineered, ACL and user credential management of the Windows (and OS X) Tailscale client. A big part of the complexity that Wireguard lacks, and someone needs (and Loves?).

@rjmalagon commented on GitHub (Feb 5, 2022): For the Windows clients, the use of a Headscale server exposes the subtle and complex credential management that the Tailscale client do in the user context. The tailscaled daemon store the main auth and config on c:\programdata\tailscale, but the login credentials are stored on %localappdata%\tailscale where the current user has the tailscale-ipn gui app loaded. Without the unattended flag, the user tailscale-ipn app manages and resets this login process when loaded, with the unattended flag (or the unattended checkbox within tailascale-ipn app) the client store the login credentials on the user %localappdata%\tailscale and a special config on c:\programdata\tailscale that points to this user folder for the login data when the tailscaled service is started even without the user tailscale-ipn app loaded. The catch with Headscale. The user tailscale-ipn app resets the login server config on %localappdata%\tailscale folder when loaded, and make a mess with Headscale connection keys process. But if you try to store the config via tailscale cli commnad without the user tailscale-ipn app (and prevent tailscale-ipn app to load), it fails to properly store the login server config too. (TLDR is here) The registry config is news for me, and my actual workaround is login on the Headscale server via cli with the user tailscale-ipn app loaded, then check the unattended box on the gui app, close the gui app, and prevent the same user app from loading, usually removing the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tailscale.lnk file. Tip, if tailscale-ipn made a mess with the config, a shortcut is to clean the config: close the user Tailscale gui app, stop the Tailscale service, remove %localappdata%\tailscale and c:\programdata\tailscale, start the Tailscale service, open the Tailsacle gui app. Opinion here. The elegant simplicity on the *nix Tailscale client is a hard contrast to, somewhat overengineered, ACL and user credential management of the Windows (and OS X) Tailscale client. A big part of the complexity that Wireguard lacks, and someone needs (and Loves?).
adam commented 2025-12-29 01:23:29 +01:00
Author
Owner
Copy Link

@rjmalagon commented on GitHub (Feb 19, 2022):

As a followup, this bug can be closed for now.
The docs have the right answers for the correct Windows client setup
https://github.com/juanfont/headscale/blob/main/docs/windows-client.md

The registry keys make the setup easier enough.

@rjmalagon commented on GitHub (Feb 19, 2022): As a followup, this bug can be closed for now. The docs have the right answers for the correct Windows client setup https://github.com/juanfont/headscale/blob/main/docs/windows-client.md The registry keys make the setup easier enough.
adam commented 2025-12-29 01:23:30 +01:00
Author
Owner
Copy Link

@ghost commented on GitHub (Jun 23, 2022):

For the Windows clients, the use of a Headscale server exposes the subtle and complex credential management that the Tailscale client do in the user context.

The tailscaled daemon store the main auth and config on c:\programdata\tailscale, but the login credentials are stored on %localappdata%\tailscale where the current user has the tailscale-ipn gui app loaded.

Without the unattended flag, the user tailscale-ipn app manages and resets this login process when loaded, with the unattended flag (or the unattended checkbox within tailascale-ipn app) the client store the login credentials on the user %localappdata%\tailscale and a special config on c:\programdata\tailscale that points to this user folder for the login data when the tailscaled service is started even without the user tailscale-ipn app loaded.

The catch with Headscale. The user tailscale-ipn app resets the login server config on %localappdata%\tailscale folder when loaded, and make a mess with Headscale connection keys process. But if you try to store the config via tailscale cli commnad without the user tailscale-ipn app (and prevent tailscale-ipn app to load), it fails to properly store the login server config too.

(TLDR is here) The registry config is news for me, and my actual workaround is login on the Headscale server via cli with the user tailscale-ipn app loaded, then check the unattended box on the gui app, close the gui app, and prevent the same user app from loading, usually removing the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tailscale.lnk file.

Tip, if tailscale-ipn made a mess with the config, a shortcut is to clean the config: close the user Tailscale gui app, stop the Tailscale service, remove %localappdata%\tailscale and c:\programdata\tailscale, start the Tailscale service, open the Tailsacle gui app.

Opinion here. The elegant simplicity on the *nix Tailscale client is a hard contrast to, somewhat overengineered, ACL and user credential management of the Windows (and OS X) Tailscale client. A big part of the complexity that Wireguard lacks, and someone needs (and Loves?).

so , is there a way to use tailscale/tailscaled cli without tailscale-ipn (Tailsacle gui app) on windows ? i really need it

@ghost commented on GitHub (Jun 23, 2022): > For the Windows clients, the use of a Headscale server exposes the subtle and complex credential management that the Tailscale client do in the user context. > > The tailscaled daemon store the main auth and config on c:\programdata\tailscale, but the login credentials are stored on %localappdata%\tailscale where the current user has the tailscale-ipn gui app loaded. > > Without the unattended flag, the user tailscale-ipn app manages and resets this login process when loaded, with the unattended flag (or the unattended checkbox within tailascale-ipn app) the client store the login credentials on the user %localappdata%\tailscale and a special config on c:\programdata\tailscale that points to this user folder for the login data when the tailscaled service is started even without the user tailscale-ipn app loaded. > > The catch with Headscale. The user tailscale-ipn app resets the login server config on %localappdata%\tailscale folder when loaded, and make a mess with Headscale connection keys process. But if you try to store the config via tailscale cli commnad without the user tailscale-ipn app (and prevent tailscale-ipn app to load), it fails to properly store the login server config too. > > (TLDR is here) The registry config is news for me, and my actual workaround is login on the Headscale server via cli with the user tailscale-ipn app loaded, then check the unattended box on the gui app, close the gui app, and prevent the same user app from loading, usually removing the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tailscale.lnk file. > > Tip, if tailscale-ipn made a mess with the config, a shortcut is to clean the config: close the user Tailscale gui app, stop the Tailscale service, remove %localappdata%\tailscale and c:\programdata\tailscale, start the Tailscale service, open the Tailsacle gui app. > > Opinion here. The elegant simplicity on the *nix Tailscale client is a hard contrast to, somewhat overengineered, ACL and user credential management of the Windows (and OS X) Tailscale client. A big part of the complexity that Wireguard lacks, and someone needs (and Loves?). so , is there a way to use tailscale/tailscaled cli without tailscale-ipn (Tailsacle gui app) on windows ? i really need it
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#116
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?