Unable to connect to advertised subnet after installing PIA VPN #12152

Open
theasianpianist opened this issue May 16, 2024 · 1 comment
Labels
bug Bug connectivity OS-linux subnet Issues relating to subnet routes, 4via6 T5 Usability Issue type

Comments

theasianpianist commented May 16, 2024

What is the issue?

I just installed the Private Internet Access VPN client on my laptop, which is also connected to my tailnet. I have a server advertising the subnet 192.168.1.0/24 to my tailnet. Prior to installing the Private Internet Access VPN client, I was able to access devices on this subnet without any issue. I am able to SSH to IPs in this subnet as well as resolve DNS queries to IPs in this subnet (I have split DNS set up to use a DNS server on this subnet).

As soon as I installed the PIA VPN client, my subnet became unreachable (this is prior to connecting to the VPN or even logging in to the client). Attempting to SSH to a device on this subnet results in a "No route to host" error. DNS lookups (using both dig and nslookup) will return NXDOMAIN messages.

As soon as I uninstall the PIA client, connectivity to that subnet is restored.

I would expect my subnet to be reachable with the PIA client installed but inactive.

It may be relevant that the router my laptop is connected to uses the same 192.168.1.0/24 subnet to assign private IPs. However, this has always been the case even when my advertised subnet was reachable.

Including some relevant command output below, please let me know if more information is needed:

With the PIA client installed (subnet unreachable):

```
❯ ip route show table 52
100.100.100.100 dev tailscale0
<tailscale IP> dev tailscale0
<tailscale IP> dev tailscale0
192.168.1.0/24 dev tailscale0
❯ ip route get 192.168.1.5
192.168.1.5 dev wlp2s0 src 192.168.1.167 uid 1000
    cache
❯ ip route
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev docker0 scope link metric 1000 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.167 metric 600
```

After removing the PIA client (subnet reachable):

```
❯ ip route show table 52
100.100.100.100 dev tailscale0
<tailscale IP> dev tailscale0
<tailscale IP> dev tailscale0
192.168.1.0/24 dev tailscale0
❯ ip route get 192.168.1.5
192.168.1.5 dev tailscale0 table 52 src <tailscale IP> uid 1000
    cache
❯ ip route
default via 192.168.1.1 dev wlp2s0 proto dhcp metric 600
169.254.0.0/16 dev docker0 scope link metric 1000 linkdown
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp2s0 proto kernel scope link src 192.168.1.167 metric 600
❯ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
❯ uname -a
Linux <device hostname> 5.15.0-106-generic #116-Ubuntu SMP Wed Apr 17 09:17:56 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

Steps to reproduce

  1. Advertise the subnet 192.168.1.0/24 from device A on my tailnet.
  2. Connect device B to the tailnet with the command sudo tailscale up --accept-routes. The advertised subnet is now reachable.
  3. On device B, install the Private Internet Access Linux client. Do not log in/activate the PIA connection.
  4. The advertised subnet is now unreachable from device B. (Other devices on my tailnet are still able to reach the subnet)

Are there any recent changes that introduced the issue?

Installing the Private Internet Access VPN Linux client.

OS

Linux

OS version

Ubuntu 22.04.4

Tailscale version

1.66.3

Other software

```
❯ resolvectl --version
systemd 249 (249.11-0ubuntu3.12)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified
❯ dpkg -l | grep iproute2
ii  iproute2                                      5.15.0-1ubuntu2                             amd64        networking and traffic control tools
```

Private Internet Access Linux client 3.5.7-08120

Bug report

BUG-1392a0535547afe4a81c1d5ceb0fd33ee44825d07600d14790c1bc068fab5290-20240516073253Z-018898a81b300011
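
Editorial example, added here and not part of the original report or of Tailscale's code: a check that flags the symptom shown in the output above, where table 52 still holds the subnet route but `ip route get` resolves the destination out of the LAN interface. The function names are hypothetical, and the inputs are the command outputs pasted in the report.

```python
import ipaddress

# Output copied from the issue above (PIA client installed). The redacted
# "<tailscale IP>" lines are left in to show that the parser skips them.
TABLE_52 = """\
100.100.100.100 dev tailscale0
<tailscale IP> dev tailscale0
<tailscale IP> dev tailscale0
192.168.1.0/24 dev tailscale0
"""
GET_WITH_PIA = "192.168.1.5 dev wlp2s0 src 192.168.1.167 uid 1000"
GET_WITHOUT_PIA = "192.168.1.5 dev tailscale0 table 52 src <tailscale IP> uid 1000"


def parse_table(text):
    """Return [(network, dev)] parsed from `ip route show table N` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
            routes.append((net, fields[fields.index("dev") + 1]))
        except (ValueError, IndexError):
            continue  # blank line, redacted address, "default", or no dev
    return routes


def parse_route_get(line):
    """Return (destination, dev, table) from the first line of `ip route get`."""
    fields = line.split()
    # Assumption: no "table" field means the lookup was answered by the main table.
    table = fields[fields.index("table") + 1] if "table" in fields else "main"
    return ipaddress.ip_address(fields[0]), fields[fields.index("dev") + 1], table


def check(table_text, route_get_line):
    """Compare the kernel's chosen device with the most specific table route."""
    dst, dev, table = parse_route_get(route_get_line)
    covering = [(net, d) for net, d in parse_table(table_text) if dst in net]
    if not covering:
        return "not-advertised"
    net, want = max(covering, key=lambda r: r[0].prefixlen)
    if dev == want:
        return "ok"
    return f"bypassed: {dst} in {net} resolved via {dev} (table {table}), expected {want}"


if __name__ == "__main__":
    print(check(TABLE_52, GET_WITH_PIA))
    print(check(TABLE_52, GET_WITHOUT_PIA))
```

A `bypassed` result means the lookup was answered before table 52 was consulted; `ip rule show` lists the policy rules and their priorities in evaluation order.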

@kelivel kelivel added connectivity T5 Usability Issue type subnet Issues relating to subnet routes, 4via6 OS-linux and removed needs-triage labels May 21, 2024
@racerxss

I had the exact same issue with PIA and a Pop!_OS Linux Laptop with the remote subnet running behind pfSense. Pop laptop did not route to the remote subnet but Mac laptop and Android phone and iPad all running Tailscale worked fine. Removed PIA from the Pop laptop and the subnet routing worked again.

```
NAME="Pop!_OS"
VERSION="22.04 LTS"
ID=pop
ID_LIKE="ubuntu debian"
PRETTY_NAME="Pop!_OS 22.04 LTS"
VERSION_ID="22.04"
```
