Having trouble using Telepresence with Tailscale
francescov1 opened this issue
Describe the bug
Our team has been trying to integrate Telepresence into our workflow, but we have not been able to get it to play nicely with Tailscale. Telepresence gives us a success message when we run `telepresence connect`, but we can't actually access any k8s services. When we try it with the VPN disconnected, it works fine.
We've followed instructions from here: https://www.getambassador.io/docs/telepresence/latest/reference/vpn. Here's what our setup looks like:
- GKE cluster using `10.96.0.0/14` pod IP range and `10.100.0.0/20` services IP range
- Tailscale running in a GCP VM. It assigns IP addresses to clients somewhere in the 100.X.X.X range
- Ran `telepresence helm upgrade --set client.routing.allowConflictingSubnets="{10.96.0.0/14,10.100.0.0/20}"`
- Added `10.96.0.0/14` and `10.100.0.0/20` as subnet routes in the Tailscale settings for the exit node
What are we missing? Any insight would be super useful.
Telepresence logs:
telepresence_logs.zip
To Reproduce
Steps to reproduce the behavior:
- Connect to VPN
- Run `telepresence connect`
- Can't access cluster resources
Expected behavior
Can access cluster resources
Versions (please complete the following information):
- Output of `telepresence version`:
  Client : v2.18.1
  Root Daemon : v2.18.1
  User Daemon : v2.18.1
  Traffic Manager: v2.18.1
- Operating system of workstation running `telepresence` commands
  MacOS Ventura 13.4
- Kubernetes environment and Version [e.g. Minikube, bare metal, Google Kubernetes Engine]
  GKE, version 1.27.8-gke.1067004
VPN-related bugs:
If you're reporting an issue around telepresence connectivity when using a VPN, and are running Telepresence 2.4.8 or above, please also attach the output of `telepresence test-vpn`, and the following information:
Tried running `telepresence test-vpn` but got an error that it's deprecated.
- Which VPN client are you using?
  Tailscale
- Which VPN server are you using?
  Tailscale
- How is your VPN pushing DNS configuration? It may be useful to add the contents of /etc/resolv.conf
  Uses Tailscale MagicDNS, running on IP 100.100.100.100
Additional context
Add any other context about the problem here.
There's no conflict between subnet `100.` (Tailscale) and subnets starting with `10.` unless one of them has a very small mask (just 2 bits, which is unusual).
I don't understand why the `allowConflictingSubnets` setting is at all needed, or why you would be adding the GKE cluster subnets to Tailscale.
Can you please elaborate on why you're trying this? In what way is Tailscale interfering with the cluster's subnet?
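The subnet question raised above, worked through as an added example (not part of the issue thread and not Telepresence's own code): it checks the cluster ranges from the report against routes a workstation might hold. The `100.64.0.0/10` Tailscale pool, the route lists and the function names are assumptions made for illustration.

```python
import ipaddress

# Values taken from the issue text.
CLUSTER_SUBNETS = ["10.96.0.0/14", "10.100.0.0/20"]  # GKE pod and service ranges
MAGICDNS = "100.100.100.100"
# Assumption: Tailscale hands out client addresses from the CGNAT block
# 100.64.0.0/10 (the issue only says "somewhere in the 100.X.X.X range").
TAILSCALE_POOL = "100.64.0.0/10"


def find_conflicts(local_routes, cluster_subnets):
    """Return (local_route, cluster_subnet) pairs whose address ranges overlap."""
    conflicts = []
    for route in map(ipaddress.ip_network, local_routes):
        for subnet in map(ipaddress.ip_network, cluster_subnets):
            if route.overlaps(subnet):
                conflicts.append((str(route), str(subnet)))
    return conflicts


def owner_of(address, routes_by_owner):
    """Longest-prefix match: name of the owner whose route covers the address."""
    ip = ipaddress.ip_address(address)
    best = None
    for owner, routes in routes_by_owner.items():
        for net in map(ipaddress.ip_network, routes):
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (owner, net)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed scenarios; none of these route tables come from the issue's logs.
    scenarios = {
        "tailnet pool only": [TAILSCALE_POOL],
        # Assumes the client accepts the subnet routes added in the Tailscale settings.
        "pool + advertised cluster routes": [TAILSCALE_POOL] + CLUSTER_SUBNETS,
        # A typical corporate VPN route, shown for contrast.
        "broad 10.0.0.0/8 VPN route": ["10.0.0.0/8"],
    }
    for name, routes in scenarios.items():
        print(f"{name}: {find_conflicts(routes, CLUSTER_SUBNETS) or 'no conflict'}")

    owners = {"tailscale": [TAILSCALE_POOL], "cluster": CLUSTER_SUBNETS}
    print("MagicDNS resolver is covered by:", owner_of(MAGICDNS, owners))
```

With only the Tailscale pool present there is nothing for `allowConflictingSubnets` to resolve; an overlap appears only once the cluster ranges are also advertised as subnet routes or a broad `10.0.0.0/8` route is in place.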
I tried adding it because telepresence would stop resolving to cluster DNS every time I connected to my vpn. I agree it doesn’t really make sense to add since the IP ranges don’t overlap but I didn’t know what else could be conflicting so I did just in case.
I’ve gone through the docs and tailscale settings but haven’t found anything else that could be causing issues. I’m pretty new to telepresence so wondering if I’m missing something, but again I’ve combed through the docs and haven’t found anything obvious.
I believe that what you see here is a DNS issue. Tailscale installs a somewhat intrusive DNS resolver and it will override Telepresence's DNS. I believe that you can configure Tailscale to not do that.
@thallgren Do you have any idea how I'd do this? I don't see any obvious options in the Tailscale DNS settings
Wondering if it's Tailscale DNS outright, or something to do with MagicDNS. Have you tried disabling MagicDNS and does Telepresence work any differently in that case?
I've been experimenting today and it seems to have fixed the problem, thanks! I will re-open this if the problem re-occurs