tailnet lock issues #94

Open
yanfali opened this issue Dec 11, 2024 · 9 comments

Comments

@yanfali

yanfali commented Dec 11, 2024

I'm looking for guidance on what best practices are for tailnets where lock is enabled. I am able to successfully add tsdproxy services to my tailnet; they come up unsigned. I can sign the new nodes and add them to the tailnet. Services initially work and I am able to use them successfully.

I have disabled expiry for the keys on the proxied services. However, at some point the key expires anyway. This is not what I was expecting. Do you have any advice as to how to prevent this from happening? tsdproxy is an awesome project and I'm just looking for advice on how to keep these running operationally.

Thanks

@yanfali
Author

yanfali commented Dec 11, 2024

image

I am not updating these expirations. Is this a feature of tsdproxy?

@yanfali
Author

yanfali commented Dec 11, 2024

It seems just restarting the proxied container causes the key to expire. For my tsdproxy I am using a non-expiring auth key. I had hoped this would be enough.

@yanfali
Author

yanfali commented Dec 11, 2024

Yep that's it. When I restart the jellyfin container it expires the key automatically. I even did this with a tagged auth key. Is there a way to prevent this behavior? Thanks

@freezurbern

I suggest trying a tailscale key with "Pre-approved" checked during creation.

@DarrenYOW

Device approval can't be used while tailnet lock is enabled. Device approval must be enabled in order for the "Pre-Approved" option to be available during key creation. In my case, it was NOT enabled prior to turning on the tailnet lock. As a result, I have to manually re-approve each container if they are recreated. Not the end of the world, but it is inconvenient.

@yanfali
Author

yanfali commented Dec 15, 2024

> Device approval can't be used while tailnet lock is enabled. Device approval must be enabled in order for the "Pre-Approved" option to be available during key creation. In my case, it was NOT enabled prior to turning on the tailnet lock. As a result, I have to manually re-approve each container if they are recreated. Not the end of the world, but it is inconvenient.

Thanks. Ya, it's pretty painful to use it with lock. So if I disable lock then add the machine and then do pre-approval and then turn lock back on it would work?

@DarrenYOW

> > Device approval can't be used while tailnet lock is enabled. Device approval must be enabled in order for the "Pre-Approved" option to be available during key creation. In my case, it was NOT enabled prior to turning on the tailnet lock. As a result, I have to manually re-approve each container if they are recreated. Not the end of the world, but it is inconvenient.
>
> Thanks. Ya, it's pretty painful to use it with lock. So if I disable lock then add the machine and then do pre-approval and then turn lock back on it would work?

Sorry, I don't know. I am not able to turn off the tailnet lock to test that use case.

@cattaildumpling

cattaildumpling commented Dec 18, 2024

> > Device approval can't be used while tailnet lock is enabled. Device approval must be enabled in order for the "Pre-Approved" option to be available during key creation. In my case, it was NOT enabled prior to turning on the tailnet lock. As a result, I have to manually re-approve each container if they are recreated. Not the end of the world, but it is inconvenient.
>
> Thanks. Ya, it's pretty painful to use it with lock. So if I disable lock then add the machine and then do pre-approval and then turn lock back on it would work?

Happy to hear if this workflow works or not. Every time I restart a container it seems to be offline in the admin panel. Then I need to delete the machine and tsdproxy creates a new one. After that I need to approve the new machine again.

@yanfali
Author

yanfali commented Dec 18, 2024

> > > Device approval can't be used while tailnet lock is enabled. Device approval must be enabled in order for the "Pre-Approved" option to be available during key creation. In my case, it was NOT enabled prior to turning on the tailnet lock. As a result, I have to manually re-approve each container if they are recreated. Not the end of the world, but it is inconvenient.
> >
> > Thanks. Ya, it's pretty painful to use it with lock. So if I disable lock then add the machine and then do pre-approval and then turn lock back on it would work?
>
> Happy to hear if this workflow works or not. Every time I restart a container it seems to be offline in the admin panel. Then I need to delete the machine and tsdproxy creates a new one. After that I need to approve the new machine again.

My exact problems. I haven't figured out what to do yet. I may just spin up a traditional reverse proxy and do a sidecar and just point at the apps I want to use.
