Tailscale VPN: Private IP blocked

I’ve been trying out tailscale the last few weeks. Very cool, easy to set up mesh VPN software based on Wireguard. However it has trouble running on Hestia boxes. I’ve tried it on a number of servers, and it’s the ones running Hestia that don’t seem to work, so I’m mentioning it here in case anyone has insight into the operation of iptables, and why that might be.

So basically, when you install tailscale, you get a private VPN IP (100.x.x.x) assigned to each client. The IP seems to be permanent, or at least will last for a long time. So on other test boxes, each service running on the local interfaces eth0, wlan0 etc. is also bound to the 100.x.x.x IP address. However on Hestia, it seems not to be, so ssh, http, https over the 100.x.x.x IP are simply not running, although ping works fine, and the ‘tailscale status’ command reports everything is normal.

Looking at the iptables config, it looks like all the rules are bound to every IP address. I’ve tried restarting everything, reinstalling. Any clues where to start looking next?

I’m seeing that Hestia adds a rule to iptables for the public IP.
ACCEPT all -- <public-ip> 0.0.0.0/0

And I can see that tailscale adds a corresponding one under its own chain

Chain ts-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  100.x.x.x        0.0.0.0/0

Did you try whitelisting the ip('s) in the fail2ban config?

ignoreip = 12.34.567.8 12.34.567.8 12.34.567.8

No, but I did check that they weren’t banned.

#!/bin/bash
# Print the currently banned addresses for every fail2ban jail.
# "Jail list:" is the line in `fail2ban-client status` that names the jails,
# comma separated; strip the commas so the loop can iterate over them.
JAILLIST=$( fail2ban-client status | grep "Jail list:" | cut -d ':' -f 2 | tr -d ',' )
for JAIL in $JAILLIST; do
    /usr/bin/fail2ban-client status "$JAIL" | grep -i banned
    echo "---"
done

Tried adding the local 100.x.x.x address as a system IP. That didn’t work, although another duplicate line appeared in iptables, as expected.

ACCEPT     all  --  100.x.x.x        0.0.0.0/0

Haven’t got any further with this. I’ve installed tailscale on a few more servers, and it’s only the ones with Hestia that don’t expose ssh (and, in fact all other running services, http, https etc) on the tailscale interface. So I’m fairly sure it’s something to do with the way Hestia interacts with iptables. Maybe I’ll have another look today.
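The thread turns on two questions: whether each service is actually listening on the 100.x.x.x address (rather than only on the public IP), and whether the INPUT chain still jumps to Tailscale's ts-input chain, which the "(1 references)" in the dump above shows it should. The script below is an added diagnostic example, not code from the thread or from Hestia or Tailscale. Both functions read a text dump on stdin so they can be exercised offline with the constructed samples at the bottom; the Tailscale address 100.64.0.5 and public address 203.0.113.10 in those samples are constructed placeholders. On a live host the same functions can be fed `ss -Htln` and `iptables -S INPUT` output.

```shell
#!/bin/sh
# Added example: checks whether listeners and firewall rules admit traffic
# arriving on the host's Tailscale (100.x.x.x) address.

# listener_report TS_IP
# Reads `ss -Htln`-style lines (State Recv-Q Send-Q Local:Port Peer:Port) on
# stdin and prints "<port> <bound-address> reachable|unreachable" per socket.
# A socket can be reached via the Tailscale address only if it is bound to a
# wildcard address or to that exact address. "[::]" counts as reachable on the
# assumption of the Linux default net.ipv6.bindv6only=0 (dual-stack socket).
listener_report() {
    ts_ip="$1"
    while read -r state recvq sendq local peer rest; do
        [ -n "$local" ] || continue
        # ss prints IPv4 as 1.2.3.4:22, wildcards as 0.0.0.0:22 / *:22,
        # IPv6 as [::]:22 / [2001:db8::1]:22; the port is after the last colon.
        port="${local##*:}"
        addr="${local%:*}"
        case "$addr" in
            "0.0.0.0"|"*"|"[::]"|"") verdict=reachable ;;
            "$ts_ip")                verdict=reachable ;;
            *)                       verdict=unreachable ;;
        esac
        printf '%s %s %s\n' "$port" "$addr" "$verdict"
    done
}

# ts_jump_present
# Reads `iptables -S INPUT` output on stdin; exits 0 if the rule handing INPUT
# traffic to Tailscale's ts-input chain is present, 1 otherwise. A firewall
# rebuild that flushes all chains would remove exactly this rule.
ts_jump_present() {
    grep -q -e '-A INPUT -j ts-input'
}

# Constructed sample listener table: sshd on wildcards, web server and the
# panel bound to specific addresses, one service bound to the Tailscale IP.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 203.0.113.10:80 0.0.0.0:*
LISTEN 0 511 203.0.113.10:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 127.0.0.1:8083 0.0.0.0:*
LISTEN 0 128 100.64.0.5:3000 0.0.0.0:*'

# Constructed sample rule dumps: one with the Tailscale jump intact, one after
# a flush that left only the panel's own rules.
SAMPLE_FW_OK='-P INPUT DROP
-A INPUT -j ts-input
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
SAMPLE_FW_FLUSHED='-P INPUT DROP
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

echo "Listeners as seen from 100.64.0.5:"
printf '%s\n' "$SAMPLE_SS" | listener_report 100.64.0.5
for dump in "$SAMPLE_FW_OK" "$SAMPLE_FW_FLUSHED"; do
    if printf '%s\n' "$dump" | ts_jump_present; then
        echo "ts-input jump: present"
    else
        echo "ts-input jump: MISSING (Tailscale traffic falls through to the panel's rules)"
    fi
done
```

With the constructed sample the report marks ports 80, 443 and 8083 as unreachable from the Tailscale address because they are bound to a specific non-Tailscale IP, while both sshd sockets and the service bound to 100.64.0.5 are reachable. Running the two checks on a working box and on a Hestia box side by side separates a binding problem (services listening only on the public IP) from a firewall problem (the ts-input jump gone from INPUT).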