Installed Tailscale, router cannot download anything, intermittently

I've set up a Belkin RT3200 with OpenWRT using this installer tool. It runs r17443-90e167abaa as a snapshot now.

I also installed Tailscale using this tool. It runs fine and I can connect to the router via Tailscale.

The issue is that I cannot download anything. When I try opkg update, it just waits and prints nothing. I have wget installed, but it gets stuck at:

root@OpenWrt:~# wget https://google.com
--2021-09-13 08:37:36--  https://google.com/
Resolving google.com... 142.250.187.238, 2a00:1450:4009:820::200e
Connecting to google.com|142.250.187.238|:443... 

Here it does nothing for 30 seconds or more. Then it shows:

HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.google.com/ [following]
--2021-09-13 08:38:08--  https://www.google.com/
Resolving www.google.com... 216.58.213.4, 2a00:1450:4009:816::2004
Connecting to www.google.com|216.58.213.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://consent.google.com/ml?continue=https://www.google.com/&gl=GB&m=0&pc=shp&hl=en&src=1 [following]
--2021-09-13 08:38:08--  https://consent.google.com/ml?continue=https://www.google.com/&gl=GB&m=0&pc=shp&hl=en&src=1
Resolving consent.google.com... 172.217.16.238, 2a00:1450:4009:821::200e
Connecting to consent.google.com|172.217.16.238|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

index.html                  [ <=>                            ]   9.96K  --.-KB/s    in 0.004s  

2021-09-13 08:38:08 (2.69 MB/s) - 'index.html' saved [10196]

I managed to SCP a static build of curl onto the router, and this shows:

root@OpenWrt:~# ./curl-aarch64 -v https://google.com
*   Trying 142.250.187.238:443...
*   Trying 2a00:1450:4009:820::200e:443...
* Immediate connect fail for 2a00:1450:4009:820::200e: Permission denied

After around 30 seconds, it shows the remainder of the connection log:

 Connected to google.com (142.250.187.238) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.google.com
*  start date: Aug 23 01:38:08 2021 GMT
*  expire date: Nov 15 01:38:07 2021 GMT
*  subjectAltName: host "google.com" matched cert's "google.com"
*  issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f909fbab0)
> GET / HTTP/2
> Host: google.com
> user-agent: curl/7.78.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 301 
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Mon, 13 Sep 2021 08:40:04 GMT
< expires: Mon, 13 Sep 2021 08:40:04 GMT
< cache-control: private, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< set-cookie: CONSENT=PENDING+198; expires=Fri, 01-Jan-2038 00:00:00 GMT; path=/; domain=.google.com; Secure
< p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

So, sometimes it works, but mostly it doesn't. Or there is a huge timeout between a request and its response.

What could be the problem?

Updated with routing table

root@OpenWrt:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         OpenWrt.lan     0.0.0.0         UG    0      0        0 wan
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.1.0     *               255.255.255.0   U     0      0        0 wan

root@OpenWrt:~# route -A inet6
Kernel IPv6 routing table
Destination                                 Next Hop                                Flags Metric Ref    Use Iface
fd7a:115c:a1e0::/48                         ::                                      U     1024   1        0 tailscale0
::/0                                        ::                                      !n    -1     1        0 lo      
::/0                                        ::                                      !n    -1     1        0 lo      
fd7a:115c:a1e0:ab12:4843:cd96:625c:1554/128 ::                                      U     256    1        0 tailscale0
fdbd:c098:3bec::/64                         ::                                      U     1024   3        0 br-lan  
fdbd:c098:3bec::/48                         ::                                      !n    2147483647 3        0 lo      
fe80::/64                                   ::                                      U     256    1        0 eth0    
fe80::/64                                   ::                                      U     256    3        0 br-lan  
fe80::/64                                   ::                                      U     256    3        0 wan     
fe80::/64                                   ::                                      U     256    1        0 tailscale0
::/0                                        ::                                      !n    -1     1        0 lo      
::1/128                                     ::                                      Un    0      4        0 lo      
fd7a:115c:a1e0:ab12:4843:cd96:625c:1554/128 ::                                      Un    0      2        0 tailscale0
fdbd:c098:3bec::/128                        ::                                      Un    0      3        0 br-lan  
fdbd:c098:3bec::1/128                       ::                                      Un    0      6        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 eth0    
fe80::/128                                  ::                                      Un    0      3        0 br-lan  
fe80::/128                                  ::                                      Un    0      3        0 wan     
fe80::/128                                  ::                                      Un    0      3        0 tailscale0
fe80::a9d2:357b:1ca0:8bd0/128               ::                                      Un    0      2        0 tailscale0
fe80::ea9f:80ff:fed5:d8b6/128               ::                                      Un    0      3        0 wan     
fe80::ea9f:80ff:fed5:d8b7/128               ::                                      Un    0      6        0 eth0    
fe80::ea9f:80ff:fed5:d8b7/128               ::                                      Un    0      3        0 br-lan  
ff00::/8                                    ::                                      U     256    3        0 eth0    
ff00::/8                                    ::                                      U     256    3        0 br-lan  
ff00::/8                                    ::                                      U     256    3        0 wan     
ff00::/8                                    ::                                      U     256    1        0 tailscale0
::/0                                        ::                                      !n    -1     1        0 lo 

And if you disable Tailscale?

For the moment I cannot do that, as the router is at a remote location. Are there any steps I could take to troubleshoot this from the command line?

Sorry, my bad, wrong post, I mixed up two threads :confused:

What specifically do you mean by "incorrect configuration"? What type of configuration do you have in mind, so I can show you how the router was configured? (Note that nothing was changed in terms of OpenWRT config files or the like.)

In other words, what could be causing a machine to take 30 seconds upwards to initiate HTTP(S) connections?

I know that disabling Tailscale would be one possible way to rule out issues with that, but I cannot do that for now.

Oh, I see, no problem! Thanks anyway!

Something is changed, or you wouldn't need an openwrt-tailscale-enabler script.
There's also a service starting - /etc/init.d/tailscale start, according to the link you posted.

Well, Tailscale is a black box (at least for me), so it's hard to tell ...
hence the recommendation to disable it, to be able to rule it out.
