Tailscale issues
Symptom: you can't reach a kiosk over Tailscale. Could be:
- The dashboard's Tailscale IP field is blank for this sign
- The device shows up in the Tailscale admin console but you can't ping its tail-IP
- You can ping but RDP / VNC connection is refused
- The kiosk used to be reachable; isn't anymore
This page assumes you've followed Tailscale integration for the image build and Remote access for using it. If those weren't completed during the image build, the kiosk is not on Tailscale at all and needs to be re-imaged.
Quick diagnostic
Three checks tell you which layer is broken:
- Tailscale admin console. Does the device show up? Is it tagged
tag:displaysync-sign? Is it marked as expired? - From your laptop:
ping <kiosk-tailscale-ip>. Does it respond? - From the kiosk (if you have any access — local KB, or via venue LAN):
tailscale status. What's it report?
The combination of these three points the way.
The dashboard's Tailscale IP field is blank
DisplaySync reads tailscale ip -4 on every heartbeat. A blank field means either Tailscale isn't running on the kiosk, or the kiosk app can't read its output.
Check from kiosk PowerShell:
# Service running?
Get-Service Tailscale | Select-Object Status, StartType
# Tailscale CLI works?
& "C:\Program Files\Tailscale\tailscale.exe" status
# Tail-IP assigned?
& "C:\Program Files\Tailscale\tailscale.exe" ip -4
| Symptom | Fix |
|---|---|
Service Stopped | Start-Service Tailscale. If it won't start, check Event Viewer → Application logs |
Service Running, status shows "Logged out" | Re-run tailscale up --authkey <key> --unattended; the auth key may have expired |
| Status is fine, IP returns blank | Tailscale started but hasn't joined the tailnet — wait 30 seconds, recheck |
| Permission denied reading CLI | The kiosk user isn't in the Tailscale Admin group; usually fine via the named-pipe access — restart the sign app if it's not picking up |
Device shows up but ping doesn't respond
Tailscale auth + service are fine, but the device isn't reachable.
Most common cause: Tailscale ACL.
In the Tailscale admin console → Access Controls, run the ACL Tester:
- From: your laptop's tailnet identity (or
[email protected]) - To: the kiosk's hostname or tail-IP
- Port: the protocol you're testing (e.g., 3389 for RDP, 5900 for VNC, 22 for SSH)
If the test reports denied, your ACL doesn't grant your source-tag access to tag:displaysync-sign. Update the policy file — see Tailscale integration → ACL pattern.
Other causes if ACL is fine:
- Both sides on Tailscale exit nodes — exit nodes can mask peer-to-peer routing. Disable exit-node usage on either side.
- Tailscale's MagicDNS confusion — try the raw 100.x.y.z IP instead of the hostname.
- Your client side is paused — check the Tailscale tray icon on your laptop; toggle off/on.
Auth key expired
Tagged devices don't need re-authentication, but if the original auth key you minted has expired, you can't onboard new clones — they'll fail to register.
Symptom: new kiosks (clones, fresh provisions) appear in the kiosk app's logs with tailscale up: auth key expired. Existing kiosks already on the tailnet are unaffected.
Fix: mint a new auth key in the admin console and update your image / USB recovery kit to use it. Old kiosks keep working with their cached node identity.
Used to work, now doesn't
The kiosk was reachable yesterday; today it isn't. Common causes in order of likelihood:
| Cause | Symptom | Fix |
|---|---|---|
| Tailscale service stopped (post-update, post-restart) | Device gone from admin console as "expired" or "offline" | RDP via venue LAN or fix on-site; Start-Service Tailscale |
| Venue firewall changed to block Tailscale | All venue's signs disappeared | Re-allowlist Tailscale ports — *.tailscale.com 443, UDP 41641 |
| ACL policy changed | ACL tester now shows "denied" where it was "allowed" | Revert the policy or re-add the missing grant |
| Kiosk's Tailscale node was logged out manually | Admin console shows the device with a "logged out" badge | Re-run tailscale up --authkey <new-key> --unattended |
If the venue firewall changed under you, that's a venue IT issue — sometimes resolved by a polite ping to the venue. Bring the Network requirements page; it documents the Tailscale destinations specifically.
Tailscale up but RDP / VNC connection refused
Tailscale ping works (kiosk is reachable), but the actual remote-desktop protocol doesn't connect.
For RDP:
# On the kiosk: is RDP running and listening?
Get-Service TermService | Select-Object Status
Get-NetTCPConnection -LocalPort 3389
# Is the firewall allowing RDP on the Tailscale interface?
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
Format-List DisplayName, Enabled, Direction, Profile
| Symptom | Fix |
|---|---|
| Port 3389 not listening | Enable RDP — see Path A in Remote access |
| Firewall blocks 3389 on Tailscale | Add a firewall rule scoped to the Tailscale interface |
| User not in "Remote Desktop Users" group | Add-LocalGroupMember -Group "Remote Desktop Users" -Member DisplaySync |
| Connection accepts then disconnects | Already-active session — RDP-as-kiosk-user kicks the wall; use VNC or the local admin account instead |
For VNC:
The VNC server is whatever you installed (TightVNC, etc.). Failures are usually password-related or service-state-related:
Get-Service tvnserver | Select-Object Status
Get-NetTCPConnection -LocalPort 5900
If the service isn't running, restart it. If it is and connections refuse, the bind-IP is wrong (it should match the kiosk's Tailscale IP, which can change after a major Tailscale update — see Remote access → Path B).
Interpreting tailscale netcheck output
Run & "C:\Program Files\Tailscale\tailscale.exe" netcheck (Windows) or sudo tailscale netcheck (Linux) to see the kiosk's view of its Tailscale connectivity.
Key fields:
| Field | Means | When it's a problem |
|---|---|---|
| UDP: true | Direct WireGuard works — peer-to-peer over UDP/41641 or via STUN UDP/3478 | (this is the good case) |
| UDP: false | Direct UDP blocked; kiosk falls back to DERP relay over TCP/443 | Higher latency; if venue blocks UDP entirely this is the only path |
| Nearest DERP | Geographically nearest DERP relay | > 200ms RTT suggests routing through a far-away relay — check *.derp.tailscale.com allowlist |
| DERP latency | Per-relay ping table | All relays > 200ms = venue's outbound routing is the issue |
If UDP: false and you'd like direct UDP, open UDP/3478 (STUN) and UDP/41641 (WireGuard) outbound at the venue firewall — see Network ports → Tailscale (optional but recommended).
Connection drops every few minutes
A working connection drops mid-session. Common causes:
- Wi-Fi roaming on the kiosk — Tailscale handles this gracefully but RDP/VNC don't, and the session breaks. Wired Ethernet fixes it.
- Tailscale relay (DERP) routing — peer-to-peer failed and you're going through a relay; relays are reliable but introduce more failure paths. Run
tailscale netcheckon the kiosk to see whether direct connection is possible. - Idle timeout — some VNC servers disconnect after N minutes of inactivity. Configure or accept the disconnect.
Tailscale isn't reaching the venue at all
tailscale netcheck from the kiosk reports it can't reach any DERP relay or coordination server. This means the venue is blocking Tailscale outbound:
- Coordination:
controlplane.tailscale.com(HTTPS 443) - DERP relays:
*.derp.tailscale.com(HTTPS 443) - Direct peer (preferred): UDP 41641
Diagnose:
Test-NetConnection controlplane.tailscale.com -Port 443
If that fails, venue IT has blocked Tailscale. Get them to allowlist the destinations in Network requirements → Tailscale.
Re-onboarding a kiosk
When the device's Tailscale state is genuinely broken (service crashes on start, identity corrupted) the cleanest fix is to re-onboard:
# Tailscale service down
Stop-Service Tailscale
# Wipe Tailscale state
Remove-Item "C:\ProgramData\Tailscale" -Recurse -Force
# Bring service back up
Start-Service Tailscale
# Re-authenticate with a fresh auth key
& "C:\Program Files\Tailscale\tailscale.exe" up `
--authkey "tskey-auth-NEW-KEY-HERE" `
--hostname $env:COMPUTERNAME `
--unattended
The device gets a new node identity in your tailnet — admin console will show two entries until you delete the old one.
Orphan device record after auth-key reuse: if you re-onboard a kiosk using the same Tailscale auth key (or a fresh key minted from the same tag), the kiosk's old device record stays in the Tailscale admin console. New record appears alongside; old one shows as offline and never recovers. Cleanup: in the Tailscale admin console → Machines → find the kiosk by hostname (e.g. sign-<serial>) → Remove. Wait ~60s for tailnet propagation before the dashboard reflects the cleanup.
Leaving orphan records is harmless but accumulates clutter and counts against tailnet device limits on free plans.
Still stuck
Capture per Getting support:
tailscale statusandtailscale netcheckfrom the kiosk- The Tailscale admin console's view of this specific device (screenshot)
- The ACL tester result for your source → kiosk → port
Get-Service Tailscaleand the last 50 lines of the Tailscale Windows Application log