Seems Tailscale geoblocked Russia completely today/recently

I have a friend in Russia, who before was able to access login.tailscale.com just fine and have a subnet, but pkgs.tailscale.com would only return the text “Service unavailable for legal reasons”.

That was fine, since I could just download the client for them, and they would be able to create a tailnet and add and talk to other devices on it just fine. However, today we noticed that now login.tailscale.com suddenly returns that message too.

This is fine on a Windows PC, since that one can still access it through an exit node in another country and reauthenticate as needed, but it immediately bricked the Android app, which seems to rely on the web connection to login.tailscale.com to even show the UI to enable the exit node in the first place, causing a catch-22 scenario.

To add insult to injury, tailscale.com itself still opens up just fine in Russia. And, to clarify, this is specifically geoblocking of Russian IP addresses by Tailscale servers, unrelated to Russian ISPs trying to block VPN services.

…If I want to keep helping them, should I host Headscale now? lmao

edit: never mind, the connection also died on the Windows PC.


Update: I set up Headscale today, and that works perfectly well for everyone involved now.


Update: Seems this got repealed, as it now works again in Russia. Huh.


Update: According to a comment here, this is only temporary, as they still have to legally block it, but they will try to provide a warning before that.

…as a legal obligation, we’ll still need to implement these changes, but we’ll do so at a future date. When that happens, we’ll provide notification ahead of time and be available to help with any questions…

Since the start of the Ukraine war there are sanctions in place for companies doing business in Russia.

Tailscale has geoblocked Russian IPs for quite a while. Previously it was just when downloading binaries; seems like they may have extended that to the login servers.

Either switch to headscale or route the login IP address(es) via a VPN.

As of today, Tailscale has removed the geoblocking and is accessible in Russia again.

According to the message from their Support, they did it to minimise the disruption caused by the action without notice. However, they will still implement this in future:

“…as a legal obligation, we’ll still need to implement these changes, but we’ll do so at a future date. When that happens, we’ll provide notification ahead of time and be available to help with any questions…”

I am in Russia and I can confirm that they really suddenly cut off the control server for all devices with Russian IP addresses.

In the admin panel they show all devices as offline, when connecting it says “service unavailable for legal reasons”, but the current connections are still working.

I have a few k8s clusters with private services, betting on how fast it will all fucking fall apart lol.

I’m thinking of getting Headscale up quickly.

Unfortunately, I have to use Tailscale because it’s my employer’s requirement. I found a couple of solutions to bypass the limitation on macOS.

1. Router

This solution requires access to the router settings.

  1. Get a temporary free PPTP proxy, there are plenty of providers, you can find in Google. You can use any protocol you like, PPTP is just supported by all routers.
  2. Go to your router VPN settings and input the proxy credentials.
  3. Log in to the Tailscale app as usual.
  4. Disable the VPN in the router settings. Tailscale will keep its VPN connection. If you want to disable Tailscale temporarily, don’t turn it off; instead switch the exit node to None, otherwise you’ll have to repeat the procedure.

2. DNS + HTTPS proxy

The solution requires a remote Linux machine outside Russia and some Linux administration skills.

  1. Deploy a custom DNS server to the remote machine. This is necessary because the Tailscale app ignores /etc/hosts. I use CoreDNS. Configure it to return the remote machine’s IP for controlplane.tailscale.com and login.tailscale.com, and forward other domains to a public DNS server like 8.8.8.8.
  2. Deploy an HTTPS tunnel to the remote machine. I use Xray because I already had it installed, but maybe there is a simpler tool. Configure the tunnel to proxy all port 443 traffic to 3.78.132.146. This is one of the IPs behind controlplane.tailscale.com; you may use the domain itself, but it will cause a request recursion (because the custom DNS server points the domain to this machine) unless the DNS server is on another machine. If the tool supports SNI, you may configure it to proxy only requests to controlplane.tailscale.com and login.tailscale.com.
  3. Set your DNS machine IP as the DNS server in the macOS network settings.
  4. Start the Tailscale login process by using this terminal command: /Applications/Tailscale.app/Contents/MacOS/Tailscale login. Login via the UI doesn’t work for some reason.

Note: the DNS server can reside on any other machine, even inside Russia, but it must point the Tailscale domains to the remote machine outside Russia.

That’s definitely an IP block from the Tailscale side at “controlplane.tailscale.com” as the TLS certificate is valid. Same behaviour as on pkgs.tailscale.com before.

That’s really sad, as I recommended TS to many people as a primary way to circumvent censorship for their families and SOs who aren’t really tech-savvy. Perhaps that’s the right time to set up Headscale and a self-owned network of DERPs :frowning:
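A small diagnostic, added here and not code from anyone in the thread, that probes the Tailscale control-plane hosts named above and separates the two failure modes the posts discuss: a verified TLS session that answers HTTP 451 / "unavailable for legal reasons" (a provider-side geoblock, as the valid certificate at controlplane.tailscale.com suggests) versus DNS or TLS failures (interference on the path). The host list and labels are my own choice; `probe()` needs network access, `classify()` does not.

```python
import http.client
import socket
import ssl

# Hosts mentioned in the thread; the ordering is just for readable output.
HOSTS = ["login.tailscale.com", "controlplane.tailscale.com", "pkgs.tailscale.com"]


def classify(status, body, error=None):
    """Map one probe outcome to a label. Pure function so it can be tested offline."""
    if error is not None:
        if isinstance(error, socket.gaierror):
            return "dns-failure"          # resolver refused or lied: not a provider block
        if isinstance(error, ssl.SSLError):
            return "tls-failure"          # bad/absent certificate: something in the path
        return "connect-failure"          # refused, reset, timeout
    if status == 451 or "legal reasons" in body.lower():
        return "geoblocked-by-provider"   # TLS verified, server itself says no
    if 200 <= status < 400:
        return "reachable"
    return f"http-{status}"


def probe(host, timeout=5.0):
    """Verified HTTPS GET / against host; returns (label, status or None)."""
    ctx = ssl.create_default_context()  # full chain + hostname verification
    try:
        conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "tailscale-probe"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify(resp.status, body), resp.status
    except (OSError, http.client.HTTPException) as exc:  # SSLError/gaierror are OSErrors
        return classify(None, "", error=exc), None


def verdict(labels):
    """Summarise a set of per-host labels into one conclusion."""
    if labels and all(lab == "geoblocked-by-provider" for lab in labels):
        return "provider-side geoblock on all control-plane hosts"
    if any(lab in ("dns-failure", "tls-failure") for lab in labels):
        return "path interference (DNS/TLS), not a clean provider block"
    if all(lab == "reachable" for lab in labels):
        return "control plane reachable"
    return "mixed results, inspect per host"


if __name__ == "__main__":
    results = {h: probe(h) for h in HOSTS}
    for host, (label, status) in results.items():
        print(f"{host:30} {label:24} status={status}")
    print("verdict:", verdict([label for label, _ in results.values()]))
```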

I don’t know how, but now it’s working in Russia

Might be simpler to use wireguard than headscale?

Depends on your use case.

AHH no, invading other countries backfired?

Has anyone contacted Tailscale via their Support portal to ask what is going on? I see a lot of people post on here about their concerns, but no one seems to contact their Support team.

Roskomnadzor is targeting various VPN providers to comply. Often Roskomnadzor can tackle and block some things themselves but depending on the architecture, blocks need to be done by the providers.

That’s also why they focus on people not to use non-complying VPN and encourage them to use VK, Yandex and Telegram (at least after the year 2000 - before the year 2000 Telegram and the Russian government didn’t have a good relationship) instead of alternative platforms.

However, I do not know whether this is also the case for Tailscale.
It could also be that they want to block attackers from Russian IPs.

Or it’s just the trade sanctions stuff (that’s what I’d be betting for but I don’t know).

FYI, Apple just removed hundreds of VPN iOS apps from Russian access as well. I suspect the US government applied some pressure to both companies.

Headscale is surprisingly easy to host on a VPS. Grab a free Oracle Cloud instance and follow an easy-to-find YouTube video to set it up. Once you figure out the documentation, open some ports, and set up Let’s Encrypt, it’s perfect. Note that the free Ampere servers have way more horsepower than the free EPYC ones.

This is a very unpleasant action. The Tailscale team should have informed their clients about such radical steps, giving them the opportunity to transfer their remote resources to another solution. Now, people have lost access to their remote machines. Everyone needs to be cautious — you never know who Tailscale might choose to ban without notice tomorrow.

Try OpenVPN on a custom port

What’s the HTTP return code? I’m guessing HTTP 451

Seems like they rolled back. Tailscale working again in Russia

I’m from Russia, and it’s true: I can’t connect to Tailscale on any device, and I also can’t get into my profile without a VPN.

I live in Russia and I can confirm that Tailscale isn’t working on either my Android device or my Chromebook; haven’t checked Windows yet.