Tailscale VPN "block connections without VPN"

GraphinatedSoda

Hey guys, super new to Graphene, have set up and used tailscale for a while on multiple devices. Can't work out why I have no wider internet connection when using tailscale (standalone) if I have the option checked to "block connections without a VPN"
I have a fresh install of tailscale on my pixel 8a, connecting to tailscale is not an issue however if my device is set to block connections without a vpn I have no connection at all to any website.
I was wondering if this is due to tailscale not routing all my web traffic through itself or if it actually is routing all traffic through tailscale even without the connection blocking and not telling me?
Is this maybe because I don't have a specific exit node set up? To be clear I can connect and ping devices on the tailscale network but I cannot access the wider internet.
duckduckgo errors with ERR_NETWORK_ACCESS_DENIED is this maybe firewall settings within tailscale or is this denied because of the blocked connection without a VPN?
Quite a few other people seem to have this issue and the only way to resolve it is currently to disable blocking connections without a vpn but this obviously exposes my ip to the wider network.

Any advice gratefully received

DeletedUser202

GraphinatedSoda I have the option checked to "block connections without a VPN"

You will probably have to disable it.

Tailscale blocks connections without VPN by default. #14079
Android app should notify the user when isLockdownEnabled=true, but no exit node in use #12925
Android (GrapheneOS) - no internet after installation #6516

GraphinatedSoda

SOLVED: Set an exit node to work with tailscale. I used a pihole YMMV

ecs

Hi @GraphinatedSoda, did your pihole solution to the tailscale probelm end up being a setup you kept? I'd very much like to add my phone to my tailnet, but am encountering the same problem.

r134a

ecs I'm using tailscale aswell, and using an exit-node in tailscale will work with tailscale and androids block connections withoutvpn.

Without exitnode i believe u aren't routing the traffic through tailscale (it's exit node), u just are connected to your tailnet but the traffic from your phone is still routed as it would be routed without tailscale (same ip), probably hence why it doesn't work with 'block connections without vpn', and does when routed through your exit node. Though i don't actually know if this is what happens on a deeper level, i thought it may be plausible.

U can also use a pihole in your tailnet and then point dns somewhere on your tailscale dashboard to the pihole its tailscale ip. Pihole does not specifically be your exit node, any exitnode will do.

ecs

r134a Thanks, that's good to know. I had found they added "App split tunneling" as a feature, and just excluded all of the apps from Tailscale that didn't need it, but I think the exit-node solution is more elegant (and probably more secure?)

r134a

ecs but I think the exit-node solution is more elegant (and probably more secure?)

I'm not really qualified to answer that question, but i believe in general if you want to prevent leaks, it's best to use the option 'block connections without vpn'. I guess it all depends on your setup both on phone and your exit-node, aswell as threat model. Perhaps u only use one profile with say thunderbird linked to your gmail, and your exit-node is routed through a vpn, then u might disallow thunderbird to use that tunnel for example. So it's not easy to answer that question without knowing your whole setup and threat model, and even then i'm not really qualified to give security advice to be honest. I try to improve my knowledge on that field but i'm certainly no expert whatsoever.