Tailscale VPN: Private IP blocked

I’ve been trying out tailscale the last few weeks. Very cool, easy to set up mesh VPN software based on WireGuard. However it has trouble running on Hestia boxes. I’ve tried it on a number of servers, and it’s the ones running Hestia that don’t seem to work, so I’m mentioning it here in case anyone has insight into the operation of iptables, and why that might be.

So basically, when you install tailscale, you get a private VPN IP assigned to each client (100.x.x.x). The IP seems to be permanent, or at least will last for a long time. So on other test boxes, each service running on the local interfaces eth0, wlan0, etc., is also bound to the 100.x.x.x IP address. However on Hestia, it seems not to be, so ssh, http, https over the 100.x.x.x IP are simply not running, although ping works fine, and the ‘tailscale status’ command reports everything is normal.

Looking at the iptables config, it looks like all the rules are bound to every IP address. I’ve tried restarting everything, reinstalling. Any clues where to start looking next?

I’m seeing that Hestia adds a rule to iptables for the public IP.
ACCEPT all -- <public-ip> 0.0.0.0/0

And I can see that tailscale adds a corresponding one under its own chain

Chain ts-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  100.x.x.x        0.0.0.0/0

Did you try whitelisting the IP(s) in the fail2ban config?

ignoreip = 12.34.567.8 12.34.567.8 12.34.567.8

No, but I did check that they weren’t banned.

#!/bin/bash
# List the currently banned addresses in every active fail2ban jail.
JAILLIST=$( fail2ban-client status | grep "Jail list:" | cut -d ':' -f 2 | tr -d ',' )
for JAIL in $JAILLIST; do
    # Per-jail status includes the "Currently banned" count and "Banned IP list".
    /usr/bin/fail2ban-client status "$JAIL" | grep -i banned
    echo "---"
done

Tried adding the local 100.x.x.x address as a system IP. That didn’t work, although another duplicate line appeared in iptables, as expected.

ACCEPT     all  --  100.x.x.x        0.0.0.0/0

Haven’t got any further with this. I’ve installed tailscale on a few more servers, and it’s only the ones with Hestia that don’t expose ssh (and, in fact, all other running services: http, https, etc.) on the tailscale interface. So I’m fairly sure it’s something to do with the way Hestia interacts with iptables. Maybe I’ll have another look today.

OK, I got to the bottom of this. The IP range 100.64.0.0/10 was blocked by one of the lists downloaded by the ipset blacklist.sh script. This range is reserved for CGNAT, and so effectively is private, but it’s also the range used by tailscale.

So at this point, I had two options: 1) I could try to hack the blacklist.sh and remove that IP range from the blacklist; 2) I could write a firewall rule explicitly ALLOWing those IPs (which supersedes the DENY from the blacklist).

Because I wasn’t sure if changes I made to the blacklist script would be preserved, I opted for the second option, and, on learning that tailscale IPs never change in their lifetime, I just stuck all those into a file, and used it as an ipset whitelist.

Case closed. Thought I’d update it here, in case anyone else searched for tailscale.

The list containing the 100.64.0.0/10 subnet is this one:
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
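As an added illustration of the whitelist approach described above (not the poster's own script, and not Hestia's), the functions below check whether an address falls in the CGNAT range 100.64.0.0/10 that firehol_level1 blocks and tailscale uses, and emit the ipset/iptables commands for an explicit ALLOW set inserted ahead of the blacklist DROP. The set name, the `INPUT` chain and insertion at position 1 are assumptions; the commands are printed rather than executed so the result can be reviewed first.

```shell
#!/bin/bash
# Added example: whitelist tailscale (CGNAT) addresses ahead of an ipset blacklist.
# Nothing here touches the live firewall; it prints the commands to run.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
  local IFS=. a b c d
  read -r a b c d <<< "$1"
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed only if $1 lies inside 100.64.0.0/10 (100.64.0.0 - 100.127.255.255),
# the range reserved for CGNAT and assigned by tailscale.
in_cgnat() {
  local ip net mask
  ip=$(ip2int "$1")
  net=$(ip2int 100.64.0.0)
  mask=$(( 0xFFFFFFFF & ~((1 << 22) - 1) ))   # /10 prefix: top 10 bits set
  [ $(( ip & mask )) -eq "$net" ]
}

# Print the commands that build the whitelist set and insert an ACCEPT rule at
# the top of INPUT so it matches before any blacklist DROP further down.
# Usage: whitelist_cmds <set-name> <ip>...   (set name is an assumption)
whitelist_cmds() {
  local set=${1:-tailscale-whitelist}; shift
  echo "ipset create $set hash:ip -exist"
  local ip
  for ip in "$@"; do
    if in_cgnat "$ip"; then
      echo "ipset add $set $ip -exist"
    else
      # Refuse to whitelist anything outside the tailscale range by mistake.
      echo "# skipped $ip: not in 100.64.0.0/10" >&2
    fi
  done
  echo "iptables -I INPUT 1 -m set --match-set $set src -j ACCEPT"
}

# Sample run with constructed tailscale addresses.
whitelist_cmds tailscale-whitelist 100.100.1.2 100.64.0.7 192.168.1.10
```

Because the ACCEPT sits at position 1, it wins regardless of how the blacklist set is later regenerated, which is the property the poster relied on instead of editing blacklist.sh.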