Tailscale through local HTTP proxy works but incredibly slow

I’m evaluating Tailscale for an organisation with multiple datacenters and several sites across a large metropolitan area. I am (unfortunately) not a Network Engineer.

All works brilliantly apart from a single site where a local HTTP proxy is in place to proxy all outbound connections.

Tailscale at the site technically “works” – the host registers correctly, connects to the tailnet and I’m able to SSH in from elsewhere.
tailscale ping results in a 30-40ms response from the host.

However, the SSH session is unbearably slow (like often timing out or many seconds from keypress to character display).
I’m running Tailscale 1.48.1 in Docker (Ubuntu 22.04 base).
I’ve tried both kernel & userspace networking with no discernible difference.
Tested connection speed from the host to multiple Speedtest.net servers and consistently get several hundred Mb/s symmetrical through the proxied connection.

Most of the info I’ve found regarding “slow” Tailscale relate to routing via DERP vs direct connections.
I don’t believe this is the problem as another of our sites is only able to connect via relay and the connection is orders of magnitude faster and totally usable. (I’ve configured the derpMap to only use a geographically local server).

There is a repeated error output from tailscaled:

2023/09/04 14:54:06 tshttpproxy: CONNECT response from http://www-cache-n.xyz.org:3128/ for target "controlplane.tailscale.com:443" (auth ""): 200 Connection established
2023/09/04 14:54:06 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
2023/09/04 14:54:06 control: netmap: got new dial plan from control
2023/09/04 14:54:07 control: NetInfo: NetInfo{varies= hairpin= ipv6=false ipv6os=false udp=false icmpv4=false derp=#8 portmap= link="" firewallmode=""}
2023/09/04 14:54:07 tshttpproxy: CONNECT response from http://www-cache-n.xyz.org:3128/ for target "controlplane.tailscale.com:443" (auth ""): 200 Connection established
2023/09/04 14:54:10 control: controlhttp: failed dialing using DialPlan, falling back to DNS; errs=multiple errors:
        all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")
        all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")
        all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")
        all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")
        all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")

2023/09/04 14:54:10 [RATELIMIT] format("control: controlhttp: failed dialing using DialPlan, falling back to DNS; errs=%s")
2023/09/04 14:54:10 tshttpproxy: CONNECT response from http://www-cache-n.xyz.org:3128/ for target "controlplane.tailscale.com:443" (auth ""): 200 Connection established
2023/09/04 14:54:10 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
2023/09/04 14:54:10 control: netmap: got new dial plan from control
2023/09/04 14:54:10 [RATELIMIT] format("active login: %v") (2 dropped)
2023/09/04 14:54:10 active login: me@github
2023/09/04 14:54:10 [RATELIMIT] format("Switching ipn state %v -> %v (WantRunning=%v, nm=%v)") (2 dropped)
2023/09/04 14:54:10 Switching ipn state NoState -> Starting (WantRunning=true, nm=true)
2023/09/04 14:54:10 Switching ipn state Starting -> Running (WantRunning=true, nm=true)
2023/09/04 14:54:10 [RATELIMIT] format("Switching ipn state %v -> %v (WantRunning=%v, nm=%v)")
2023/09/04 14:54:11 [RATELIMIT] format("Start") (1 dropped)
2023/09/04 14:54:11 Start
2023/09/04 14:54:11 active login:

Given

control: controlhttp: failed dialing using DialPlan, falling back to DNS; errs=multiple errors:
all connection attempts failed (HTTP: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com", HTTPS: proxyconnect tcp: failed to resolve "www-cache-n.xyz.org": dnscache: unexpected hostname "www-cache-n.xyz.org" doesn't match expected "controlplane.tailscale.com")

I haven’t been able to find anything related to DialPlan and most of the tshttpproxy issues on GH refer to Windows.

tailscale status also indicates

# Health check:
#     - dns-os: getting OS base config is not supported
#     - dns: getting OS base config is not supported

I found FR: Use tailscale over local http proxy like OpenVPN #8017 but it seems to imply that it shouldn’t work at all.

What do I need to do to get a usable SSH session over Tailscale when it is behind a local HTTP(S) proxy?
Is it even possible or am I wasting my time? (I am not a Network Engineer).
Is it a DNS issue or a problem with running Tailscale in Docker? (deployments at this site are only possible via containers)

Any pointers greatly appreciated
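One way to separate the proxy's behaviour from Tailscale's when chasing a problem like the one described above is to reproduce the CONNECT handshake that the tshttpproxy log lines show ("CONNECT ... controlplane.tailscale.com:443 ... 200 Connection established") outside of tailscaled and time it. The script below is an added diagnostic written for this page; it is not the poster's code and not part of Tailscale. It uses only the Python standard library. The proxy hostname and port (www-cache-n.xyz.org, 3128) and the target are taken from the quoted log as example arguments; the `start_fake_proxy` helper is a constructed stand-in that answers every CONNECT with a fixed status so the demo runs offline, and it tunnels nothing.

```python
"""Probe an HTTP proxy's CONNECT handling: reply status and handshake latency.

Added diagnostic (not from the original post or from Tailscale). It sends the
same kind of request tailscaled's tshttpproxy logs show and reports what the
proxy answers and how long the round trip takes, so a slow or misbehaving
proxy can be told apart from the Tailscale node itself.
"""
import socket
import statistics
import threading
import time


def build_connect_request(target: str) -> bytes:
    """Build a minimal HTTP/1.1 CONNECT request for `target` ("host:port")."""
    return (
        f"CONNECT {target} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "User-Agent: connect-probe/0.1\r\n"
        "Proxy-Connection: Keep-Alive\r\n"
        "\r\n"
    ).encode("ascii")


def read_head(sock: socket.socket, limit: int = 65536) -> bytes:
    """Read until the end of the HTTP headers (blank line), bounded by `limit`."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before end of headers")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("response headers too large")
    return buf


def parse_status_line(head: bytes) -> tuple[int, str]:
    """Return (status_code, reason) from the first line of an HTTP response."""
    first = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {first!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def probe_connect(proxy_host: str, proxy_port: int, target: str,
                  timeout: float = 5.0) -> tuple[int, str, float]:
    """Open one CONNECT tunnel and return (status, reason, elapsed_ms)."""
    t0 = time.monotonic()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(target))
        head = read_head(s)
    status, reason = parse_status_line(head)
    return status, reason, (time.monotonic() - t0) * 1000.0


def probe_many(proxy_host: str, proxy_port: int, target: str, n: int = 5) -> dict:
    """Repeat the probe and summarise: distinct statuses seen, median latency."""
    results = [probe_connect(proxy_host, proxy_port, target) for _ in range(n)]
    statuses = sorted({r[0] for r in results})
    median_ms = statistics.median(r[2] for r in results)
    # "ok" only when every attempt got a 200; anything else needs a look.
    return {"statuses": statuses, "median_ms": median_ms, "ok": statuses == [200]}


def start_fake_proxy(reply_status: bytes = b"200 Connection established") -> tuple[str, int]:
    """Constructed stand-in for a CONNECT proxy so the demo runs offline.

    Answers every CONNECT with `reply_status` and closes; nothing is tunnelled.
    Returns the (host, port) it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    read_head(conn)  # consume the CONNECT request headers
                    conn.sendall(b"HTTP/1.1 " + reply_status + b"\r\n\r\n")
                except (OSError, ValueError):
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def demo() -> dict:
    """Probe the constructed fake proxy (offline run)."""
    host, port = start_fake_proxy()
    return probe_many(host, port, "controlplane.tailscale.com:443", n=3)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # e.g.: python probe.py www-cache-n.xyz.org 3128
        print(probe_many(sys.argv[1], int(sys.argv[2]), "controlplane.tailscale.com:443"))
    else:
        print(demo())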
