MacOS VPN on demand connects VPN but not Tailscale itself

Open ghost opened this issue 1 year ago • 6 comments

What is the issue?

Initial state: Tailscale and VPN show disconnected: Screenshot 003221@2x

Opening a Terminal and trying to SSH into a Tailscale-connected device with its MagicDNS hostname. On-demand VPN seems to work and connects the VPN, but Tailscale itself stays disconnected and the connection is not possible: Screenshot 003222@2x

When connecting Tailscale manually, the connection is possible.

Steps to reproduce

  • Install Tailscale from the macOS App Store
  • Enable VPN on demand
  • Disable Tailscale / VPN
  • Try to connect to a host with MagicDNS

Are there any recent changes that introduced the issue?

No response

OS

macOS

OS version

No response

Tailscale version

14.5

Other software

No response

Bug report

No response

ghost avatar May 19 '24 10:05 ghost

Hi @itmokel, what do your Tailscale VPN On-Demand settings look like in Tailscale > Settings > Manage (VPN On-Demand)? For MagicDNS to trigger a connection, you'll need to set your Wifi and Ethernet settings to "Do nothing", and enable "Detect MagicDNS hostnames".

kelivel avatar May 21 '24 18:05 kelivel

Hi @kelivel,

of course it is set like you mentioned ;): Screenshot 003280@2x

And I guess it's partly working, otherwise MacOS would not trigger the VPN, but Tailscale is not connecting somehow. And there is no difference if I call the MagicDNS name from the terminal or browser, and no difference if I enable VPN on demand within the VPN settings themselves. By the way, updated to Tailscale 1.66.3 from the App Store and it's still the same.

ghost avatar May 22 '24 04:05 ghost

I'm having the same issue on 1.68.1 from the Mac App Store.

maxcrees avatar Jul 02 '24 21:07 maxcrees

I'm also having the same issue on 1.68.1 from the Mac App Store.

I am trying to access a web site via Safari using a MagicDNS hostname. I also tried via ssh. No luck. Perhaps we need to reboot?

jdandrea avatar Jul 04 '24 03:07 jdandrea

I have the same issue with 1.80.1 (managed via MDM). I set up VPN on Demand to everything except my Company network, and every single time I see the same status - VPN setting says connected, Tailscale says disconnected, and VPN is actually not working (no DNS). Clicking the VPN status checkbox in the settings does nothing, it does not actually cause Tailscale to connect or disconnect.

danielkza avatar Mar 14 '25 21:03 danielkza

Experiencing this too.

Other factors:

  • I have 2 accounts on my client, both have these settings. I've tried disconnecting from them both, still doesn't connect on either.
  • I have other WireGuard configs installed, but I haven't used them in a little while and none are currently active.
  • I use LuLu, but I've tried disabling it and it doesn't make a difference.

Whatever is supposed to be starting the DNS proxy on demand from the network extension doesn't seem to be triggering when I try to resolve a .ts.net host. I don't want to spend time debugging further without guidance on what to do here.

I'm running the standalone pkg version on osx 15.5 (24F74)

laithalissa avatar Jun 11 '25 13:06 laithalissa