Open
Description
Operating system
Linux
System version
NixOS, macOS
Installation type
Original sing-box Command Line
If you are using a graphical client, please provide the version of the client.
No response
Version
❯ sing-box version
sing-box version 1.12.14
Environment: go1.25.4 linux/amd64
Tags: with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_gvisor,with_tailscale
CGO: enabled
❯ sing-box version
sing-box version 1.12.14
Environment: go1.25.4 darwin/arm64
Tags: with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_gvisor,with_tailscale
CGO: enabled
flakes on main [!]
❯
"grants": [
// Allow all connections.
// Comment this section out if you want to define specific restrictions.
// NOTE(review): while this grant is active, every source may reach every destination
// on any port/protocol, so the tailnet has no network-layer segmentation.
{"src": ["*"], "dst": ["*"], "ip": ["*"]},
// Application-capability grant: every source ("*") receives tailscale.com/cap/relay
// towards devices tagged "relay".
// NOTE(review): if only some devices are meant to use the relay, narrow "src" to a
// group or tag instead of "*".
{
"src": ["*"],
"dst": ["tag:relay"],
"app": {"tailscale.com/cap/relay": []},
},
// Allow users in "group:example" to access "tag:example", but only from
// devices that are running macOS and have enabled Tailscale client auto-updating.
// {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
],
LoliIsland-VPS has been tagged as "relay".
Description
Peer relays should work as expected, but they do not work in sing-box.
Reproduction
# sing-box settings expressed as a Nix function of the system `config`.
# It defines DNS servers and rules, one Tailscale endpoint, a TUN inbound plus a
# loopback DNS inbound, three VLESS outbounds behind a selector, and the route table.
{ config, ... }:
let
# Wraps a sops secret name as `{ _secret = <path>; }` so the value is referenced by
# file path rather than written inline.
# NOTE(review): presumably the consuming module substitutes the file contents at
# activation time so the value stays out of the Nix store; confirm.
secret = name: {
_secret = config.sops.secrets.${name}.path;
};
in
{
log = {
level = "info";
};
experimental = {
cache_file = {
enabled = true;
};
# clash_api = rec {
# external_controller = "127.0.0.1:9000";
# # external_ui = pkgs.metacubexd;
# access_control_allow_origin = [ "http://${external_controller}" ];
# };
};
dns = {
servers = [
{
type = "local";
tag = "dns-local";
}
{
# DNS server backed by the Tailscale endpoint defined under `endpoints`.
type = "tailscale";
tag = "dns-tailscale";
endpoint = "tailscale-endpoint";
accept_default_resolvers = false;
}
{
type = "fakeip";
tag = "fakeip";
inet4_range = "198.18.0.0/15";
# inet6_range = "fc00::/18";
}
{
# Plain DNS over TCP to 8.8.8.8:53; no `tls` block is set on this server.
# It is also the route-level default_domain_resolver below, so those lookups
# are not encrypted by the DNS transport itself.
type = "tcp";
server = "8.8.8.8";
server_port = 53;
tag = "dns-google";
}
{
# DoH server addressed by IP literal, with TLS server_name and Host header set
# to dns.alidns.com. No detour is configured here.
type = "https";
tag = "doh-cn";
server = "223.5.5.5";
server_port = 443;
path = "/dns-query";
headers = {
Host = "dns.alidns.com";
};
tls = {
enabled = true;
server_name = "dns.alidns.com";
};
}
{
# DoH server addressed by IP literal, with TLS server_name and Host header set
# to cloudflare-dns.com; queries are sent through the "proxy" selector.
type = "https";
tag = "doh-proxy";
server = "1.1.1.1";
server_port = 443;
path = "/dns-query";
headers = {
Host = "cloudflare-dns.com";
};
tls = {
enabled = true;
server_name = "cloudflare-dns.com";
};
detour = "proxy";
}
];
rules = [
{
# Matches every A and AAAA query; this rule has no other condition.
query_type = [
"A"
"AAAA"
];
server = "fakeip";
}
{
# NOTE(review): A/AAAA queries look like they are already answered by the fakeip
# rule above before this rule is evaluated; confirm that tailnet names still
# resolve through dns-tailscale as intended.
ip_accept_any = true;
server = "dns-tailscale";
}
{
rule_set = [ "gfwlist" ];
server = "doh-proxy";
}
{
rule_set = [ "geosite-cn" ];
server = "doh-cn";
}
];
final = "doh-proxy";
strategy = "ipv4_only";
};
endpoints = [
{
type = "tailscale";
tag = "tailscale-endpoint";
# Empty in this posted config (presumably redacted or left for interactive login).
# NOTE(review): a real auth key is a credential; supply it through the `secret`
# helper rather than a literal string; confirm the module supports that here.
auth_key = "";
hostname = config.networking.hostName;
}
];
inbounds = [
{
# TUN inbound that installs routes itself (auto_route) with strict_route enabled.
type = "tun";
tag = "tun-in";
address = [
"172.19.0.1/30"
# "fdfe:dcba:9876::1/126"
];
mtu = 9000;
auto_route = true;
strict_route = true;
stack = "system";
}
{
# DNS listener bound to loopback only (127.0.0.1:53, UDP).
type = "direct";
tag = "dns-in";
listen = "127.0.0.1";
listen_port = 53;
network = "udp";
}
];
outbounds = [
{
# Selector over the three VLESS outbounds; "tyo1" is the default choice.
type = "selector";
tag = "proxy";
outbounds = [
"lax0"
"tyo0"
"tyo1"
];
default = "tyo1";
}
{
type = "direct";
tag = "direct";
}
{
type = "block";
tag = "block";
}
{
# VLESS outbound with TLS enabled and a uTLS "chrome" fingerprint.
# Server name and UUID come from sops secrets; all three VLESS outbounds read the
# same "sing-box-vless-uuid" secret.
type = "vless";
tag = "lax0";
server = secret "sing-box-lax0-server";
server_port = 27253;
uuid = secret "sing-box-vless-uuid";
flow = "xtls-rprx-vision";
tls = {
enabled = true;
server_name = secret "sing-box-lax0-server";
utls = {
enabled = true;
fingerprint = "chrome";
};
};
}
{
type = "vless";
tag = "tyo0";
server = secret "sing-box-tyo0-server";
server_port = 27253;
uuid = secret "sing-box-vless-uuid";
flow = "xtls-rprx-vision";
tls = {
enabled = true;
server_name = secret "sing-box-tyo0-server";
utls = {
enabled = true;
fingerprint = "chrome";
};
};
}
{
type = "vless";
tag = "tyo1";
server = secret "sing-box-tyo1-server";
server_port = 27253;
uuid = secret "sing-box-vless-uuid";
flow = "xtls-rprx-vision";
tls = {
enabled = true;
server_name = secret "sing-box-tyo1-server";
utls = {
enabled = true;
fingerprint = "chrome";
};
};
}
];
route = {
default_domain_resolver = {
server = "dns-google";
};
# Remote binary rule sets fetched over HTTPS through the "proxy" selector.
# NOTE(review): the URLs point at branch paths on raw.githubusercontent.com and no
# checksum or commit pin is visible here, so upstream content can change between
# fetches. These lists decide which traffic goes direct and which goes through the
# proxy, so they are part of the trust boundary; "gfwlist" comes from a third-party
# repository.
rule_set = [
{
type = "remote";
tag = "geosite-cn";
format = "binary";
url = "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs";
download_detour = "proxy";
}
{
type = "remote";
tag = "geoip-cn";
format = "binary";
url = "https://raw.githubusercontent.com/SagerNet/sing-geoip/rule-set/geoip-cn.srs";
download_detour = "proxy";
}
{
type = "remote";
tag = "gfwlist";
format = "binary";
url = "https://raw.githubusercontent.com/KaringX/karing-ruleset/sing/ACL4SSR/ProxyGFWlist.srs";
download_detour = "proxy";
}
];
rules = [
{
action = "sniff";
}
{
protocol = "dns";
action = "hijack-dns";
}
{
domain_suffix = [
"example.com"
"example.net"
];
outbound = "proxy";
}
{
domain_suffix = [
"frp-mad.com"
];
outbound = "direct";
}
{
# Sends 100.64.0.0/10 destinations to the Tailscale endpoint. This rule is listed
# before the ip_is_private rule below.
ip_cidr = [
"100.64.0.0/10"
];
outbound = "tailscale-endpoint";
}
{
rule_set = [ "gfwlist" ];
outbound = "proxy";
}
{
ip_is_private = true;
outbound = "direct";
}
{
ip_cidr = [
"103.97.201.87"
"131.143.240.18"
];
outbound = "direct";
}
{
rule_set = [ "geosite-cn" ];
outbound = "direct";
}
{
rule_set = [ "geoip-cn" ];
outbound = "direct";
}
];
# Anything not matched by a rule above leaves through the "proxy" selector.
final = "proxy";
auto_detect_interface = true;
};
}
[root@LoliIsland-VPS:~]# tailscale netcheck
Report:
* Time: 2025-12-30T02:42:00.897294583Z
* UDP: true
* IPv4: yes, ***:54923
* IPv6: no, but OS has support
* MappingVariesByDestIP: false
* PortMapping:
* Nearest DERP: Hong Kong
* DERP latency:
- hkg: 1.6ms (Hong Kong)
- sin: 30.7ms (Singapore)
- tok: 47.2ms (Tokyo)
- blr: 96.6ms (Bangalore)
- dbi: 106.3ms (Dubai)
- sea: 126ms (Seattle)
- nyc: (New York City)
- sfo: (San Francisco)
- fra: (Frankfurt)
- syd: (Sydney)
- lhr: (London)
- dfw: (Dallas)
- sao: (São Paulo)
- ord: (Chicago)
- den: (Denver)
- ams: (Amsterdam)
- jnb: (Johannesburg)
- mia: (Miami)
- lax: (Los Angeles)
- par: (Paris)
- mad: (Madrid)
- tor: (Toronto)
- waw: (Warsaw)
- hnl: (Honolulu)
- nai: (Nairobi)
- nue: (Nuremberg)
- iad: (Ashburn)
- hel: (Helsinki)
[root@LoliIsland-VPS:~]# tailscale set --relay-server-port=40000
[root@LoliIsland-VPS:~]# tailscale status
100.79.244.21 loliisland-vps loliisland-vps.tailf5f129.ts.net linux -
100.77.216.53 google-pixel-9-pro-xl tagged-devices android idle; offline, last seen 12m ago, tx 1188 rx 1204
100.79.224.106 loliisland-laptop-nix tagged-devices linux offline, last seen 43m ago
100.78.102.87 loliisland-mac tagged-devices macOS -
100.106.63.93 loliisland-pc-nix tagged-devices linux -
100.87.173.27 loliisland-vm moeleaking@ windows offline, last seen 13h ago
[root@LoliIsland-VPS:~]# tailscale ping loliisland-pc-nix
pong from loliisland-pc-nix (100.106.63.93) via DERP(sfo) in 636ms
pong from loliisland-pc-nix (100.106.63.93) via DERP(sfo) in 377ms
pong from loliisland-pc-nix (100.106.63.93) via DERP(sfo) in 450ms
pong from loliisland-pc-nix (100.106.63.93) via ***:57565 in 164ms
[root@LoliIsland-VPS:~]#
❯ systemctl status sing-box -n1000000000 | rg "tailscale"
Dec 30 10:25:35 LoliIsland-PC-Nix sing-box[53926]: INFO[0001] dns: lookup succeed for controlplane.tailscale.com: 192.200.0.106 192.200.0.104 192.200.0.108 192.200.0.115 192.200.0.101 192.200.0.116 192.200.0.107 192.200.0.113 192.200.0.103 192.200.0.112 192.200.0.110 192.200.0.102 192.200.0.111 192.200.0.109 192.200.0.114 192.200.0.105
Dec 30 10:25:35 LoliIsland-PC-Nix sing-box[53926]: INFO[0001] endpoint/tailscale[tailscale-endpoint]: output connection to 192.200.0.106:80
Dec 30 10:25:35 LoliIsland-PC-Nix sing-box[53926]: INFO[0001] dns/tailscale[dns-tailscale]: updated 67 routes, 6 hosts, default resolvers: 8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844
Dec 30 10:25:45 LoliIsland-PC-Nix sing-box[53926]: INFO[0011] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.78.102.87:21822
Dec 30 10:25:45 LoliIsland-PC-Nix sing-box[53926]: INFO[0011] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Dec 30 10:26:06 LoliIsland-PC-Nix sing-box[53926]: INFO[0032] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.78.102.87:56598
Dec 30 10:26:06 LoliIsland-PC-Nix sing-box[53926]: INFO[0032] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Dec 30 10:26:32 LoliIsland-PC-Nix sing-box[53926]: INFO[0058] endpoint/tailscale[tailscale-endpoint]: output connection to invalid IP:443
Dec 30 10:26:32 LoliIsland-PC-Nix sing-box[53926]: INFO[0058] endpoint/tailscale[tailscale-endpoint]: output connection to [2606:b740:49::113]:443
Dec 30 10:26:32 LoliIsland-PC-Nix sing-box[53926]: INFO[0058] endpoint/tailscale[tailscale-endpoint]: output connection to 192.200.0.113:443
Dec 30 10:26:32 LoliIsland-PC-Nix sing-box[53926]: INFO[0058] endpoint/tailscale[tailscale-endpoint]: output connection to invalid IP:443
Dec 30 10:26:32 LoliIsland-PC-Nix sing-box[53926]: INFO[0058] endpoint/tailscale[tailscale-endpoint]: output connection to [2606:b740:49::105]:443
Dec 30 10:26:33 LoliIsland-PC-Nix sing-box[53926]: INFO[0059] endpoint/tailscale[tailscale-endpoint]: output connection to 192.200.0.105:443
Dec 30 10:27:10 LoliIsland-PC-Nix sing-box[53926]: INFO[0096] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.78.102.87:48881
Dec 30 10:27:10 LoliIsland-PC-Nix sing-box[53926]: INFO[0096] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Dec 30 10:27:25 LoliIsland-PC-Nix sing-box[53926]: INFO[0111] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.77.216.53:38376
Dec 30 10:27:25 LoliIsland-PC-Nix sing-box[53926]: INFO[0111] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Dec 30 10:34:52 LoliIsland-PC-Nix sing-box[53926]: INFO[0558] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.78.102.87:24683
Dec 30 10:34:52 LoliIsland-PC-Nix sing-box[53926]: INFO[0558] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Dec 30 10:36:13 LoliIsland-PC-Nix sing-box[53926]: INFO[0639] endpoint/tailscale[tailscale-endpoint]: inbound connection from 100.78.102.87:56488
Dec 30 10:36:13 LoliIsland-PC-Nix sing-box[53926]: INFO[0639] endpoint/tailscale[tailscale-endpoint]: inbound connection to 127.0.0.1:22
Logs
Supporter
- I am a sponsor
Integrity requirements
- I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
- I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
- I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
- I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.