[ubuntu-focal-desktop-vpn] tailscaled fails to start

Open CyberAustin opened this issue 1 year ago • 2 comments

Configuration left at default, TLS key entered on the "Workspace Launch Form". Output from vpn_startup.log

+ VPN_LAUNCH_CONFIG=/dockerstartup/launch_selections.json
+ '[' -e /dockerstartup/launch_selections.json ']'
++ jq -r .vpn_service /dockerstartup/launch_selections.json
+ VPN_SERVICE=tailscale
+ '[' tailscale == tailscale ']'
++ jq -r .tailscale_key /dockerstartup/launch_selections.json
+ ts_key=[redacted]
+ process_tailscale [redacted]
+ local tailscale_key=[redacted]
+ '[' '!' -c /dev/net/tun ']'
+ mkdir -p /dev/net
+ mknod /dev/net/tun c 10 200
+ sleep 2
+ tailscaled
2025/01/02 10:18:55 logtail started
2025/01/02 10:18:55 Program starting: v1.76.6-t1edcf9d46-gd0a6cd8b2, Go 1.23.1: []string{"tailscaled"}
2025/01/02 10:18:55 LogID: [redacted]
2025/01/02 10:18:55 logpolicy: using system state directory "/var/lib/tailscale"
logpolicy.ConfigFromFile /var/lib/tailscale/tailscaled.log.conf: open /var/lib/tailscale/tailscaled.log.conf: no such file or directory
logpolicy.Config.Validate for /var/lib/tailscale/tailscaled.log.conf: config is nil
2025/01/02 10:18:55 dns: [rc=unknown ret=direct]
2025/01/02 10:18:55 dns: using "direct" mode
2025/01/02 10:18:55 dns: using *dns.directManager
2025/01/02 10:18:55 wgengine.NewUserspaceEngine(tun "tailscale0") ...
2025/01/02 10:18:55 Linux kernel version: 6.8.0-51-generic
2025/01/02 10:18:55 is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: modprobe: FATAL: Module tun not found in directory /lib/modules/6.8.0-51-generic
2025/01/02 10:18:55 tun module not loaded nor found on disk
2025/01/02 10:18:55 wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): operation not permitted
2025/01/02 10:18:55 flushing log.
2025/01/02 10:18:55 logger closing down
2025/01/02 10:18:55 getLocalBackend error: createEngine: tstun.New("tailscale0"): operation not permitted
+ set +e
+ tailscale up --authkey=[redacted]
failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)
+ '[' 1 -ne 0 ']'
+ msg='Failed to establish tailscale connection. Please review the log at /dockerstartup/vpn_start.log'
+ echo msg
msg
+ notify-send -u critical -t 0 -i /usr/share/icons/ubuntu-mono-dark/status/22/network-error.svg 'VPN Configuration Failed' 'Failed to establish tailscale connection. Please review the log at /dockerstartup/vpn_start.log'
+ exit 1

CyberAustin, Jan 02 '25 09:01

Confirmed that /dev/net/tun existed. Additional errors when trying to run tailscaled as root inside the container:

logtail started
Program starting: v1.76.6-t1edcf9d46-gd0a6cd8b2, Go 1.23.1: []string{"tailscaled"}
LogID: 09a461f0718e8321c53fb4e17271c15d0980d4359340f31e672f334028ca9446
logpolicy: using system state directory "/var/lib/tailscale"
dns: [rc=unknown ret=direct]
dns: using "direct" mode
dns: using *dns.directManager
dns: inotify addwatch: context canceled
linuxfw: clear iptables: multiple errors:
	deleting [-j ts-input] in filter/INPUT: running [/usr/sbin/iptables -t filter -D INPUT -j ts-input --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

	deleting [-j ts-forward] in filter/FORWARD: running [/usr/sbin/iptables -t filter -D FORWARD -j ts-forward --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

	deleting [-j ts-postrouting] in nat/POSTROUTING: running [/usr/sbin/iptables -t nat -D POSTROUTING -j ts-postrouting --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

	flushing filter/ts-input: running [/usr/sbin/iptables -t filter -N ts-input --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

	flushing filter/ts-forward: running [/usr/sbin/iptables -t filter -N ts-forward --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

	flushing nat/ts-postrouting: running [/usr/sbin/iptables -t nat -N ts-postrouting --wait]: exit status 3: iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
cleanup: list tables: netlink receive: operation not permitted
wgengine.NewUserspaceEngine(tun "tailscale0") ...
Linux kernel version: 6.8.0-51-generic
is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: modprobe: FATAL: Module tun not found in directory /lib/modules/6.8.0-51-generic
tun module not loaded nor found on disk
wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): operation not permitted
flushing log.
logger closing down
getLocalBackend error: createEngine: tstun.New("tailscale0"): operation not permitted
root@c5c281e9136c:/dev/net# 

CyberAustin, Jan 06 '25 12:01

Fixed it. Under Docker Run Config Override in the workspace settings, needed to add

  "cap_add": [
    "NET_ADMIN"
  ],

and

  "devices": [
    "/dev/net/tun:/dev/net/tun:rwm"
  ]

CyberAustin, Jan 07 '25 12:01
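
A preflight check for the two conditions this fix supplies, as an added example that is not part of the original issue or the image's startup script: it reads CapEff from /proc/self/status to look for CAP_NET_ADMIN (bit 12) and tests that /dev/net/tun is a character device that can be opened. Function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks the two things "cap_add" and "devices" provide.
# Function names are hypothetical and not from the workspace image.

CAP_NET_ADMIN=12   # bit index of CAP_NET_ADMIN in linux/capability.h

# has_cap HEXMASK BIT -> succeeds if BIT is set in HEXMASK (hex, no 0x prefix)
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE] -> prints the effective capability mask of the process
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# tun_preflight [STATUS_FILE] [TUN_PATH] -> prints findings,
# returns the number of problems found (0 means tailscaled can create its tun)
tun_preflight() {
    status=${1:-/proc/self/status}
    tun=${2:-/dev/net/tun}
    problems=0
    mask=$(cap_eff "$status")
    if [ -z "$mask" ] || ! has_cap "$mask" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN missing from CapEff=$mask (add NET_ADMIN via cap_add)"
        problems=$((problems + 1))
    fi
    if [ ! -c "$tun" ]; then
        echo "$tun is not a character device (pass it in via devices)"
        problems=$((problems + 1))
    elif ! ( : <>"$tun" ) 2>/dev/null; then
        # A node created with mknod inside the container can exist and still
        # be refused on open when the container was not granted the device.
        echo "$tun exists but cannot be opened read-write"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Calling `tun_preflight` before `tailscaled` separates a missing capability from a blocked device node, both of which the log above reports only as "operation not permitted".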