When Tailscale works, it feels almost magical: secure devices connected across networks as if they were on the same LAN. But when it stops working, that magic quickly turns into frustration. Devices won’t connect, exit nodes fail, SSH times out, or the admin console shows machines offline. Fortunately, most Tailscale issues are straightforward to diagnose and fix with the right approach.
TLDR: Most Tailscale problems stem from connectivity blocks, outdated clients, firewall rules, DNS misconfigurations, or expired authentication. Start by checking device status in the admin console, updating the client, and verifying firewall and UDP port access. Re-authenticating the device and restarting the Tailscale service often resolves common glitches. For persistent issues, reviewing logs and subnet routes usually reveals the root cause.
Common Reasons Why Tailscale Stops Working
Tailscale relies on WireGuard tunnels, coordination servers, and relay nodes (DERP). If any layer fails, connectivity can break. Understanding the most common causes helps narrow things down quickly.
- Expired or revoked authentication
- Firewall or NAT blocking UDP traffic
- Outdated Tailscale client version
- Incorrect DNS configuration
- Subnet routing conflicts
- Exit node misconfiguration
Before diving into technical debugging, confirm whether the issue affects one device or the entire tailnet. This distinction saves time and prevents unnecessary configuration changes.
Step 1: Check Device Status in the Admin Console
The first troubleshooting step is verifying device health in the Tailscale admin console. If a device appears offline, the issue is likely local. If multiple devices are disconnected, it may point to a broader network or authentication problem.
Key things to check:
- Is the device marked Connected or Offline?
- Has the device key expired?
- Has the machine been disabled?
- Are routes or exit nodes properly enabled?
If authentication expired, re-running `tailscale up` and signing back in often fixes the issue immediately.
Step 2: Restart the Tailscale Service
Sometimes the problem is temporary. Restarting the Tailscale daemon refreshes connections and renegotiates WireGuard tunnels.
On Windows:
- Open Services
- Restart the Tailscale service
On macOS or Linux, bring the connection down and back up:
```sh
sudo tailscale down
sudo tailscale up
```
Alternatively, rebooting the device can clear networking conflicts.
Step 3: Check Firewall and Router Settings
Tailscale prefers direct peer-to-peer UDP connections. If UDP traffic is blocked, it falls back to DERP relay servers, which may cause slower connections or failures.
Ensure:
- Outbound UDP traffic is allowed
- Port 41641 is not blocked locally
- No corporate firewall is restricting WireGuard traffic
In restrictive corporate environments, traffic inspection systems may disrupt encrypted peer connections. Testing from a different network (such as mobile hotspot) can confirm if the firewall is the issue.
Step 4: Update Tailscale to the Latest Version
Running outdated versions may cause compatibility problems, especially if the control plane has received updates.
To update:
- On Linux: Use the package manager
- On macOS: Update via Homebrew or direct download
- On Windows: Install the latest release from the official client
After updating, reconnect the device and confirm it appears properly in the admin panel.
Step 5: Diagnose DNS Issues
DNS misconfiguration is one of the most overlooked causes of Tailscale malfunction. MagicDNS might not resolve device names if settings are incorrect.
Troubleshooting steps:
- Confirm MagicDNS is enabled in the admin console
- Verify the system is using Tailscale DNS settings
- Test IP connectivity directly instead of hostnames
If pinging the device’s Tailscale IP works but hostname fails, the issue is almost certainly DNS-related.
Step 6: Inspect Subnet Routes and Exit Nodes
Advanced setups using subnet routers or exit nodes introduce another layer of complexity.
Common problems:
- Subnet routes not approved in admin console
- IP forwarding disabled on subnet router
- Exit node selected but not allowed
- Conflicting local network IP ranges
For Linux subnet routers, ensure IP forwarding is enabled:
```sh
sudo sysctl -w net.ipv4.ip_forward=1
```
Also check for overlapping IP ranges between the local LAN and advertised subnets. Overlaps can quietly break connectivity.
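A check for the overlap problem described above, as an added example that is not from the original article or from Tailscale. It compares the routes a subnet router advertises with the networks attached to the client being debugged; the function name and sample CIDRs are constructed, and 100.64.0.0/10 is the CGNAT range Tailscale assigns node addresses from.

```python
import ipaddress

# Range Tailscale assigns node addresses from (CGNAT space).
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def find_route_conflicts(advertised, local_networks):
    """Return (advertised, other, reason) tuples for every overlap found.

    advertised     -- CIDRs the subnet router advertises
    local_networks -- interface addresses/CIDRs on the client being debugged
    """
    conflicts = []
    # strict=False accepts interface-style input such as 192.168.1.37/24.
    local = [ipaddress.ip_network(c, strict=False) for c in local_networks]
    for cidr in advertised:
        route = ipaddress.ip_network(cidr, strict=False)
        if route.version == 4 and route.overlaps(TAILSCALE_RANGE):
            conflicts.append((str(route), str(TAILSCALE_RANGE), "tailscale-range"))
        for net in local:
            # Only compare like with like; IPv4 and IPv6 cannot overlap.
            if net.version != route.version or not route.overlaps(net):
                continue
            if route == net:
                reason = "identical"
            elif route.subnet_of(net):
                reason = "inside-local"   # advertised route sits within the LAN
            else:
                reason = "covers-local"   # advertised route swallows the LAN
            conflicts.append((str(route), str(net), reason))
    return conflicts


if __name__ == "__main__":
    # Constructed sample: a home LAN that reuses the office's 192.168.1.0/24.
    advertised = ["192.168.1.0/24", "10.20.0.0/16"]
    local = ["192.168.1.37/24", "172.17.0.1/16"]
    for route, other, reason in find_route_conflicts(advertised, local):
        print(f"{route} overlaps {other}: {reason}")
```
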
Step 7: Review Logs for Specific Errors
If the issue persists, logs provide clarity.
Run:
```sh
tailscale status
tailscale netcheck
```
`tailscale netcheck` reveals:
- Whether UDP is blocked
- NAT traversal capability
- DERP relay usage
Logs often highlight authentication failures, routing problems, or connectivity blocks that aren’t obvious from surface symptoms.
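To separate a single misbehaving peer from a local network problem, the peer list can be classified programmatically. This is an added example, not from the original article or from Tailscale: it reads the JSON form of the status output (`tailscale status --json`) and labels each peer as direct, relayed, idle, offline, or expired. The field names `Peer`, `HostName`, `Online`, `Active`, `CurAddr`, `Relay` and `Expired` are assumptions about that JSON and should be checked against your client version; the sample document is constructed.

```python
import json

# Constructed sample in the shape of `tailscale status --json` output.
SAMPLE = """
{"Peer": {
  "nodekey:aaaa": {"HostName": "nas", "Online": true, "Active": true,
                   "CurAddr": "203.0.113.5:41641", "Relay": "fra"},
  "nodekey:bbbb": {"HostName": "phone", "Online": true, "Active": true,
                   "CurAddr": "", "Relay": "fra"},
  "nodekey:cccc": {"HostName": "old-server", "Online": false, "Active": false,
                   "CurAddr": "", "Relay": "nyc"},
  "nodekey:dddd": {"HostName": "desktop", "Online": true, "Active": false,
                   "CurAddr": "", "Relay": "nyc"}
}}
"""


def classify_peer(peer):
    """Classify one peer record (field names are assumed, see lead-in)."""
    if peer.get("Expired"):
        return "key-expired"
    if not peer.get("Online"):
        return "offline"
    if not peer.get("Active"):
        return "idle"        # no recent traffic, so there is no path to judge
    if peer.get("CurAddr"):
        return "direct"      # a direct UDP endpoint is in use
    return "relayed" if peer.get("Relay") else "unknown"


def triage(status_json):
    """Return {hostname: classification} for every peer in the document."""
    peers = (json.loads(status_json).get("Peer") or {}).values()
    return {p.get("HostName", "?"): classify_peer(p) for p in peers}


def relay_scope(result):
    """Heuristic: is relaying limited to some peers or seen on every active one?"""
    active = [c for c in result.values() if c in ("direct", "relayed")]
    if "relayed" not in active:
        return "no-relay"
    return "specific-peers" if "direct" in active else "all-active-peers"


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result, "relay scope:", relay_scope(result))
```

A result of `all-active-peers` points at the local firewall or NAT covered in Step 3, while `specific-peers` suggests the restriction is on the far side.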
Tailscale Quick Fix Comparison Table
| Problem | Likely Cause | Quick Fix |
|---|---|---|
| Device shows offline | Expired authentication | Run tailscale up |
| Cannot ping device | Firewall blocking UDP | Allow outbound UDP |
| Hostname not resolving | DNS misconfiguration | Enable MagicDNS |
| Slow connection | Using DERP relay | Check NAT or firewall rules |
| Subnet access not working | Route not approved | Approve route in admin console |
| No internet via exit node | Exit node not allowed | Re-enable and select exit node |
When the Problem Is Outside Your Control
On rare occasions, the issue lies with:
- Tailscale control plane outages
- DERP region downtime
- ISP-level UDP restrictions
Checking the service status page or testing from a completely different ISP can rule this out.
Resetting Tailscale as a Last Resort
If all else fails, a full reset may help. This removes device configuration and forces a fresh registration.
```sh
tailscale logout
tailscale up
```
For persistent conflicts, uninstalling and reinstalling the client ensures no residual configuration remains. After reinstalling, confirm the device is re-added properly and old entries are removed from the admin console.
Preventing Future Tailscale Problems
Proactive steps reduce the chance of future issues:
- Keep clients updated
- Avoid overlapping subnets
- Regularly review route approvals
- Monitor key expiration settings
- Document exit node and subnet configurations
Well-documented networks are significantly easier to troubleshoot when something breaks.
Frequently Asked Questions (FAQ)
Why is Tailscale connected but not working?
This usually indicates a routing or firewall issue. The tunnel may be established, but traffic is blocked or misrouted. Checking firewall rules and subnet overlaps typically resolves it.
How do you fix Tailscale DNS problems?
Ensure MagicDNS is enabled, verify system DNS settings point to Tailscale, and test connectivity using raw Tailscale IPs. Restarting the Tailscale service can also reapply DNS configuration.
What port does Tailscale use?
Tailscale uses UDP port 41641 by default for peer-to-peer WireGuard communication. If blocked, it falls back to DERP relay servers over HTTPS.
Why is Tailscale slow?
Slow performance usually means traffic is relayed instead of direct. Running tailscale netcheck will confirm whether direct UDP connections are possible.
Can corporate firewalls block Tailscale?
Yes. Strict firewalls may block UDP or encrypted peer-to-peer traffic. Allowing outbound UDP or using approved exit nodes can help restore connectivity.
Is reinstalling Tailscale safe?
Yes. Uninstalling and reinstalling does not affect other devices in the tailnet. The device simply re-registers upon login.
How do you know if a subnet router is working?
Verify routes are approved in the admin console and confirm IP forwarding is enabled on the router. Testing connectivity to devices within the advertised subnet confirms proper functionality.
While Tailscale issues can feel disruptive, they are rarely complex once approached methodically. By checking authentication, connectivity, DNS, routing, and firewall settings in a structured order, most problems can be resolved within minutes. A systematic approach turns troubleshooting from guesswork into a clear path toward restoring secure, seamless connectivity.