I've been using Tailscale on Android for a few weeks now and seeing an
intermittent problem:

When I leave the house and the phone switches from wifi to cellular
data, occasionally all network traffic will stop flowing. If I turn off
Tailscale, it works again. If I then reconnect to Tailscale, it
continues to work. It seems as though the VPN connection isn't being
properly re-initialized when I go from wifi to cellular. The reverse,
cellular to wifi, works fine.

This has happened across two different Android devices.

Anyone run into this before? Any suggestions?

john

On Thu, 06 Jul 2023 19:43:25 +0000, John wrote:

> I've been using Tailscale on Android

First question is what is "Tailscale on Android" so I looked it up.

https://github.com/tailscale/tailscale-android
https://play.google.com/store/apps/details?id=com.tailscale.ipn
https://f-droid.org/en/packages/com.tailscale.ipn/

"Tailscale is a mesh VPN alternative that makes it easy to connect your
devices, wherever they are. No more fighting configuration or firewall
ports. Built on WireGuard, Tailscale enables an incremental shift to
zero-trust networking by implementing "always-on" remote access. This
guarantees a consistent, portable, and secure experience independent of
physical location."

I installed it from Windows using the F-Droid repository link to the APK.
https://f-droid.org/repo/com.tailscale.ipn_169.apk
Name: com.tailscale.ipn_169.apk
Size: 36635998 bytes (34 MiB)
SHA256: 6E84520B989C4FF5688CBFF42FF9DAFEA9C247CC50765AC4895C0103E866576E

When first started it says "We collect and use your email address and name,
as well as your device name, OS version, and IP address in order to help
you to connect your devices and manage your settings. We log when you are
connected to your network.", which doesn't seem all that encouraging.

Pressing the "Get Started" button brings up your default web browser to
https://login.tailscale.com/login?

But it asks for an account that I don't have, so there's no way to proceed.
Sign in with Google
Sign in with Microsoft
Sign in with GitHub
Sign in with Apple
Sign in with a passkey

When I clicked around for how to create an account the normal way it said
https://login.tailscale.com/start
Sign up with Google
Sign up with Microsoft
Sign up with GitHub
Sign up with Apple
Sign up with OIDC

When I pressed the link saying "Need another provider?" it went to
https://tailscale.com/kb/1013/sso-providers/

Supported SSO identity providers
Tailscale works on top of the identity provider (IdP) or single sign-on
(SSO) provider that you already use.

Standard identity providers are available on all plans.
Advanced identity providers are available on the Free, Premium, and
Enterprise plans.

Supported standard identity providers
Tailscale natively supports the following identity providers:

Apple
Google, including Gmail and Google Workspace (G Suite)
GitHub
Microsoft, including Microsoft Accounts, Office365, Active Directory, and
Azure Active Directory (Azure AD)
Okta
OneLogin
A GitHub standalone account can only be used for a single user tailnet. A
free and easy method for adding multiple users to your tailnet is to create
a GitHub organization. For more information, see Creating a multi-user
tailnet with GitHub organizations.

Supported custom identity providers
In addition to the natively supported identity providers, Tailscale also
allows you to authenticate with custom OpenID Connect (OIDC) providers.
Tailscale has successfully tested several custom identity providers,
including:

Auth0
Authelia
Authentik
Codeberg
Dex
Duo
Gitea
GitLab and GitLab self-managed
JumpCloud
Ory Network and Ory self-hosted
Ping Identity
ZITADEL Cloud and ZITADEL Open Source
John <john@building-m.simplistic-anti-spam-measure.net> wrote

> I've been using Tailscale on Android

First question is what is "Tailscale on Android" for starters.
https://github.com/tailscale/tailscale-android
https://play.google.com/store/apps/details?id=com.tailscale.ipn
https://f-droid.org/en/packages/com.tailscale.ipn/
"Tailscale is a mesh VPN alternative that makes it easy to connect your
devices, wherever they are. No more fighting configuration or firewall
ports. Built on WireGuard, Tailscale enables an incremental shift to
zero-trust networking by implementing "always-on" remote access. This
guarantees a consistent, portable, and secure experience independent of
physical location."

I installed it from Windows using the F-Droid repository
https://f-droid.org/repo/com.tailscale.ipn_169.apk
Name: com.tailscale.ipn_169.apk
Size: 36635998 bytes (34 MiB)
SHA256: 6E84520B989C4FF5688CBFF42FF9DAFEA9C247CC50765AC4895C0103E866576E

When first started it says "We collect and use your email address and name,
as well as your device name, OS version, and IP address in order to help
you to connect your devices and manage your settings.
We log when you are connected to your network.", which doesn't seem all
that encouraging.

Pressing the "Get Started" button brings up your default web browser to
https://login.tailscale.com/login?

But it asks for an account that I don't have, so there's no way to proceed.
Sign in with Google
Sign in with Microsoft
Sign in with GitHub
Sign in with Apple
Sign in with a passkey

When I clicked around for how to create an account the normal way it said
https://login.tailscale.com/start
Sign up with Google
Sign up with Microsoft
Sign up with GitHub
Sign up with Apple
Sign up with OIDC

When I pressed the link saying "Need another provider?" it went to
https://tailscale.com/kb/1013/sso-providers/

Supported SSO identity providers
Tailscale works on top of the identity provider (IdP) or single sign-on
(SSO) provider that you already use.

Standard identity providers are available on all plans.
Advanced identity providers are available on the Free, Premium, and
Enterprise plans.

Supported standard identity providers
Tailscale natively supports the following identity providers:

Apple
Google, including Gmail and Google Workspace (G Suite)
GitHub
Microsoft, including Microsoft Accounts, Office365, Active Directory, and
Azure Active Directory (Azure AD)
Okta
OneLogin
A GitHub standalone account can only be used for a single user tailnet. A
free and easy method for adding multiple users to your tailnet is to create
a GitHub organization. For more information, see Creating a multi-user
tailnet with GitHub organizations.

Supported custom identity providers
In addition to the natively supported identity providers, Tailscale also
allows you to authenticate with custom OpenID Connect (OIDC) providers.
Tailscale has successfully tested several custom identity providers,
including:

Auth0
Authelia
Authentik
Codeberg
Dex
Duo
Gitea
GitLab and GitLab self-managed
JumpCloud
Ory Network and Ory self-hosted
Ping Identity
ZITADEL Cloud and ZITADEL Open Source

When you activate your domain name with Tailscale for the first time, one
of the steps is to choose which identity provider you want to use.

Once you've authenticated a Tailscale client by connecting it to your
identity provider, it automatically exchanges keys and connectivity
information and connects to other Tailscale clients on your network,
subject to your security policy.

Support for 2FA and MFA
Tailscale supports two-factor and multi-factor authentication.

We never handle authentication itself. Instead, you can enable 2FA and MFA
features in your single sign-on identity provider, and they will apply to
all your apps, including Tailscale.

Support for passkeys
Tailscale supports the use of passkey authentication for any tailnet that
you are authorized to join.

Signing up with an email address
We don't support sign-up with email addresses. By design, Tailscale is not
an identity provider-there are no Tailscale passwords.

Using an identity provider is not only more secure than email and password,
but it allows us to automatically rotate connection encryption keys, follow
security policies set by your team (e.g., 2FA), and more.

Changing identity providers
If you need to change identity providers, contact support.

Unfortunately, we cannot migrate your tailnet from/to GitHub or Apple as an
identity provider.
What Tailscale accesses from identity providers
Tailscale requests the minimum access needed to function. Tailscale only
uses your organization's team membership to ensure users can join the
tailnet for their organization.

With the GitHub identity provider, Tailscale requests the minimum set of
permissions needed to get team membership, which includes access to your
repositories and project boards. Tailscale does not use any content in your
repositories or project boards.

Identity provider availability by plan
Standard identity provider integrations Advanced identity provider
integrations
Available on all plans Available on the Free, Premium, and Enterprise plans
Google
Microsoft
GitHub
Keycloak
Dex
GitLab self-managed
Ory self-hosted
ZITADEL Open Source
Authentik
Apple
Authelia
Codeberg
Gitea
Okta
OneLogin
JumpCloud
Auth0
Duo
GitLab
Ory Network
Ping Identity
ZITADEL Cloud
Other custom OIDC providers
Last updated Jun 13, 2023

So I gave up and deleted the app as someone with an account on those
platforms will have to be the person to test this to help you out.
When you activate your domain name with Tailscale for the first time, one
of the steps is to choose which identity provider you want to use.

On Thu, 6 Jul 2023 22:39:14 -0400, Mickey D wrote:

> So I gave up and deleted the app as someone with an account on those
> platforms will have to be the person to test this to help you out.

Sorry for the long double copy as I edited it & somehow (because it was
long) I hadn't realized there was the original unedited copy at the BOTTOM.

Anyway, may I ask the OP to explain what the use model is for tailscale?

I tried to help but soon realized I'm not expert enough to help at all.
Maybe one of experts on this newsgroup can help you with the software.

I don't know what this "tailscale mesh VPN networks" is supposed to do.

Mickey D <mickeydavis078XX@ptd.net> writes:

> On Thu, 6 Jul 2023 22:39:14 -0400, Mickey D wrote:
>
>> So I gave up and deleted the app as someone with an account on those
>> platforms will have to be the person to test this to help you out.
>
> Sorry for the long double copy as I edited it & somehow (because it was
> long) I hadn't realized there was the original unedited copy at the BOTTOM.
>
> Anyway, may I ask the OP to explain what the use model is for tailscale?
>
> I tried to help but soon realized I'm not expert enough to help at all.
> Maybe one of experts on this newsgroup can help you with the software.
>
> I don't know what this "tailscale mesh VPN networks" is supposed to do.

You install it on your computers, it creates a private VPN between them
all, and then you can e.g. have your phone connect to your home NAS
without having to punch a hole in the firewall for the whole world to
see. The phone and the NAS just get additional network addresses in the
100.64.0.0/10 subnet and you use those.

john

On Fri, 07 Jul 2023 14:35:14 +0000, John wrote:

>> I don't know what this "tailscale mesh VPN networks" is supposed to do.
>
> You install it on your computers, it creates a private VPN between them
> all, and then you can e.g. have your phone connect to your home NAS
> without having to punch a hole in the firewall for the whole world to
> see. The phone and the NAS just get additional network addresses in the
> 100.64.0.0/10 subnet and you use those.

Thanks for explaining the purpose and intent of tailscale's use model,
which somehow also uses an account on an Internet server to do that.

There's probably only three people on this newsgroup that can help you.
One is in the UK. The others are in the USA. I hope one of them responds.

This is probably not an expert enough ng for this question though, so you
may also wish to extend your question out to some of the networking groups.

Best of luck.

John <john@building-m.simplistic-anti-spam-measure.net> writes:

> I've been using Tailscale on Android for a few weeks now and seeing an
> intermittent problem:
>
> When I leave the house and the phone switches from wifi to cellular
> data, occasionally all network traffic will stop flowing. If I turn off
> Tailscale, it works again. If I then reconnect to Tailscale, it
> continues to work. It seems as though the VPN connection isn't being
> properly re-initialized when I go from wifi to cellular. The reverse,
> cellular to wifi, works fine.
>
> This has happened across two different Android devices.
>
> Anyone run into this before? Any suggestions?
>
> john

The solution appears to have been to disable "Magic DNS" in Tailscale, a
feature I wasn't using anyway. The problem has not recurred.

john