DisplaySync

Tailscale issues

Symptom: you can't reach a kiosk over Tailscale. Could be:

  • The dashboard's Tailscale IP field is blank for this sign
  • The device shows up in the Tailscale admin console but you can't ping its tail-IP
  • You can ping but RDP / VNC connection is refused
  • The kiosk used to be reachable; isn't anymore

This page assumes you've followed Tailscale integration for the image build and Remote access for using it. If those weren't completed during the image build, the kiosk is not on Tailscale at all and needs to be re-imaged.

Quick diagnostic

Three checks tell you which layer is broken:

  1. Tailscale admin console. Does the device show up? Is it tagged tag:displaysync-sign? Is it marked as expired?
  2. From your laptop: ping <kiosk-tailscale-ip>. Does it respond?
  3. From the kiosk (if you have any access — local KB, or via venue LAN): tailscale status. What's it report?

The combination of these three points the way.

The dashboard's Tailscale IP field is blank

DisplaySync reads tailscale ip -4 on every heartbeat. A blank field means either Tailscale isn't running on the kiosk, or the kiosk app can't read its output.

Check from kiosk PowerShell:

# Service running?
Get-Service Tailscale | Select-Object Status, StartType

# Tailscale CLI works?
& "C:\Program Files\Tailscale\tailscale.exe" status

# Tail-IP assigned?
& "C:\Program Files\Tailscale\tailscale.exe" ip -4
SymptomFix
Service StoppedStart-Service Tailscale. If it won't start, check Event Viewer → Application logs
Service Running, status shows "Logged out"Re-run tailscale up --authkey <key> --unattended; the auth key may have expired
Status is fine, IP returns blankTailscale started but hasn't joined the tailnet — wait 30 seconds, recheck
Permission denied reading CLIThe kiosk user isn't in the Tailscale Admin group; usually fine via the named-pipe access — restart the sign app if it's not picking up

Device shows up but ping doesn't respond

Tailscale auth + service are fine, but the device isn't reachable.

Most common cause: Tailscale ACL.

In the Tailscale admin console → Access Controls, run the ACL Tester:

  • From: your laptop's tailnet identity (or [email protected])
  • To: the kiosk's hostname or tail-IP
  • Port: the protocol you're testing (e.g., 3389 for RDP, 5900 for VNC, 22 for SSH)

If the test reports denied, your ACL doesn't grant your source-tag access to tag:displaysync-sign. Update the policy file — see Tailscale integration → ACL pattern.

Other causes if ACL is fine:

  • Both sides on Tailscale exit nodes — exit nodes can mask peer-to-peer routing. Disable exit-node usage on either side.
  • Tailscale's MagicDNS confusion — try the raw 100.x.y.z IP instead of the hostname.
  • Your client side is paused — check the Tailscale tray icon on your laptop; toggle off/on.

Auth key expired

Tagged devices don't need re-authentication, but if the original auth key you minted has expired, you can't onboard new clones — they'll fail to register.

Symptom: new kiosks (clones, fresh provisions) appear in the kiosk app's logs with tailscale up: auth key expired. Existing kiosks already on the tailnet are unaffected.

Fix: mint a new auth key in the admin console and update your image / USB recovery kit to use it. Old kiosks keep working with their cached node identity.

Used to work, now doesn't

The kiosk was reachable yesterday; today it isn't. Common causes in order of likelihood:

CauseSymptomFix
Tailscale service stopped (post-update, post-restart)Device gone from admin console as "expired" or "offline"RDP via venue LAN or fix on-site; Start-Service Tailscale
Venue firewall changed to block TailscaleAll venue's signs disappearedRe-allowlist Tailscale ports — *.tailscale.com 443, UDP 41641
ACL policy changedACL tester now shows "denied" where it was "allowed"Revert the policy or re-add the missing grant
Kiosk's Tailscale node was logged out manuallyAdmin console shows the device with a "logged out" badgeRe-run tailscale up --authkey <new-key> --unattended

If the venue firewall changed under you, that's a venue IT issue — sometimes resolved by a polite ping to the venue. Bring the Network requirements page; it documents the Tailscale destinations specifically.

Tailscale up but RDP / VNC connection refused

Tailscale ping works (kiosk is reachable), but the actual remote-desktop protocol doesn't connect.

For RDP:

# On the kiosk: is RDP running and listening?
Get-Service TermService | Select-Object Status
Get-NetTCPConnection -LocalPort 3389

# Is the firewall allowing RDP on the Tailscale interface?
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
  Format-List DisplayName, Enabled, Direction, Profile
SymptomFix
Port 3389 not listeningEnable RDP — see Path A in Remote access
Firewall blocks 3389 on TailscaleAdd a firewall rule scoped to the Tailscale interface
User not in "Remote Desktop Users" groupAdd-LocalGroupMember -Group "Remote Desktop Users" -Member DisplaySync
Connection accepts then disconnectsAlready-active session — RDP-as-kiosk-user kicks the wall; use VNC or the local admin account instead

For VNC:

The VNC server is whatever you installed (TightVNC, etc.). Failures are usually password-related or service-state-related:

Get-Service tvnserver | Select-Object Status
Get-NetTCPConnection -LocalPort 5900

If the service isn't running, restart it. If it is and connections refuse, the bind-IP is wrong (it should match the kiosk's Tailscale IP, which can change after a major Tailscale update — see Remote access → Path B).

Interpreting tailscale netcheck output

Run & "C:\Program Files\Tailscale\tailscale.exe" netcheck (Windows) or sudo tailscale netcheck (Linux) to see the kiosk's view of its Tailscale connectivity.

Key fields:

FieldMeansWhen it's a problem
UDP: trueDirect WireGuard works — peer-to-peer over UDP/41641 or via STUN UDP/3478(this is the good case)
UDP: falseDirect UDP blocked; kiosk falls back to DERP relay over TCP/443Higher latency; if venue blocks UDP entirely this is the only path
Nearest DERPGeographically nearest DERP relay> 200ms RTT suggests routing through a far-away relay — check *.derp.tailscale.com allowlist
DERP latencyPer-relay ping tableAll relays > 200ms = venue's outbound routing is the issue

If UDP: false and you'd like direct UDP, open UDP/3478 (STUN) and UDP/41641 (WireGuard) outbound at the venue firewall — see Network ports → Tailscale (optional but recommended).

Connection drops every few minutes

A working connection drops mid-session. Common causes:

  • Wi-Fi roaming on the kiosk — Tailscale handles this gracefully but RDP/VNC don't, and the session breaks. Wired Ethernet fixes it.
  • Tailscale relay (DERP) routing — peer-to-peer failed and you're going through a relay; relays are reliable but introduce more failure paths. Run tailscale netcheck on the kiosk to see whether direct connection is possible.
  • Idle timeout — some VNC servers disconnect after N minutes of inactivity. Configure or accept the disconnect.

Tailscale isn't reaching the venue at all

tailscale netcheck from the kiosk reports it can't reach any DERP relay or coordination server. This means the venue is blocking Tailscale outbound:

  • Coordination: controlplane.tailscale.com (HTTPS 443)
  • DERP relays: *.derp.tailscale.com (HTTPS 443)
  • Direct peer (preferred): UDP 41641

Diagnose:

Test-NetConnection controlplane.tailscale.com -Port 443

If that fails, venue IT has blocked Tailscale. Get them to allowlist the destinations in Network requirements → Tailscale.

Re-onboarding a kiosk

When the device's Tailscale state is genuinely broken (service crashes on start, identity corrupted) the cleanest fix is to re-onboard:

# Tailscale service down
Stop-Service Tailscale

# Wipe Tailscale state
Remove-Item "C:\ProgramData\Tailscale" -Recurse -Force

# Bring service back up
Start-Service Tailscale

# Re-authenticate with a fresh auth key
& "C:\Program Files\Tailscale\tailscale.exe" up `
  --authkey "tskey-auth-NEW-KEY-HERE" `
  --hostname $env:COMPUTERNAME `
  --unattended

The device gets a new node identity in your tailnet — admin console will show two entries until you delete the old one.

Orphan device record after auth-key reuse: if you re-onboard a kiosk using the same Tailscale auth key (or a fresh key minted from the same tag), the kiosk's old device record stays in the Tailscale admin console. New record appears alongside; old one shows as offline and never recovers. Cleanup: in the Tailscale admin console → Machines → find the kiosk by hostname (e.g. sign-<serial>) → Remove. Wait ~60s for tailnet propagation before the dashboard reflects the cleanup.

Leaving orphan records is harmless but accumulates clutter and counts against tailnet device limits on free plans.

Still stuck

Capture per Getting support:

  • tailscale status and tailscale netcheck from the kiosk
  • The Tailscale admin console's view of this specific device (screenshot)
  • The ACL tester result for your source → kiosk → port
  • Get-Service Tailscale and the last 50 lines of the Tailscale Windows Application log