# Tailscale Funnel Debug Log — 2026-05-18

## Environment
- Tailscale: userspace-networking mode (`--tun=userspace-networking --socket=/tmp/tailscaled.sock`)
- Funnel: configured and enabled
- Backend: localhost:5679 (cloud-drive-con service)
- Tailscale IP: 100.96.60.110
- Domain: kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net
- Funnel status: `https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net (tailnet only) | / proxy http://localhost:5679`

## Symptom
External users reported both:
1. `https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net` → timeout / "could not resolve host"
2. `89.39.139.202:59846` → connection refused

## Root Cause Analysis

### Issue 1: DNS resolution failure
```bash
$ resolvectl query kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net
kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net: resolve call failed: '...' not found
```
systemd-resolved (nameserver 127.0.0.53) does not know about the `.ts.net` MagicDNS zone.
Tailscale MagicDNS only works when Tailscale is the DNS server, which requires either:
- TUN mode (creates the `tailscale0` interface as DNS server), OR
- the device explicitly uses Tailscale as its upstream DNS

### Issue 2: 89.39.139.202:59846 is not a listening port
`89.39.139.202:59846` is the source port of the machine's outbound UDP connection to DERP,
NOT an inbound port. Tailscale/Funnel does NOT open inbound ports on the public IP.

### Issue 3: Localhost test works, but Tailscale IP times out
```bash
$ curl http://localhost:5679  # ✅ 200 OK
$ curl http://100.96.60.110:42898  # ❌ timeout
```
In userspace-networking mode, the Tailscale IP is only reachable by OTHER Tailscale peers,
not by the host itself. This is expected behavior.

## Solution Applied
Added "Funnel DNS Requirement" section to SKILL.md covering:
- systemd-resolved `resolvectl dns` fix
- /etc/hosts manual workaround
- userspace mode limitations

## Key Commands Reference
```bash
# Check Funnel status
tailscale --socket=/tmp/tailscaled.sock funnel status

# Check what ports are listening
ss -tlnp

# Check Tailscale state (JSON)
tailscale --socket=/tmp/tailscaled.sock status --json | jq '.Self'

# Check DNS resolution
resolvectl query <device>.tail95fef0.ts.net

# Restart tailscaled (no systemctl, userspace)
kill <pid>
/home/kuhnn/.local/bin/tailscaled --tun=userspace-networking --socket=/tmp/tailscaled.sock &
```
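
The status and listening-port checks above, scripted as an added example (not part of the original log and not Tailscale tooling). It assumes the CLI labels each listener either `(Funnel on)` or `(tailnet only)`, as in the status line quoted under Environment; the function names and the sample `ss -tln` listing are constructed for illustration.

```bash
#!/bin/sh
# Constructed sample input: the status line quoted in this log, plus an
# invented `ss -tln` listing with the backend bound to loopback.
STATUS_LINE='https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net (tailnet only) | / proxy http://localhost:5679'
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5679     0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*'

# Exposure scope reported in `tailscale funnel status` output.
# Assumption: listeners are tagged "(Funnel on)" or "(tailnet only)".
funnel_exposure() {
  case "$1" in
    *"(Funnel on)"*)    echo public ;;
    *"(tailnet only)"*) echo tailnet-only ;;
    *)                  echo unknown ;;
  esac
}

# Port of the proxy backend named in the status output.
backend_port() {
  printf '%s\n' "$1" | sed -n 's#.*proxy https\{0,1\}://[^:/ ]*:\([0-9][0-9]*\).*#\1#p'
}

# Succeeds if the `ss -tln` output on stdin has a LISTEN socket on port $1.
port_listening() {
  awk -v p="$1" '$1=="LISTEN" { n=split($4,a,":"); if (a[n]==p) found=1 } END { exit !found }'
}

# One verdict line: $1 = funnel status output, $2 = ss -tln output.
triage() (
  exp=$(funnel_exposure "$1")
  port=$(backend_port "$1")
  if printf '%s\n' "$2" | port_listening "$port"; then
    listening=yes
  else
    listening=no
  fi
  echo "exposure=$exp backend=$port listening=$listening"
)

triage "$STATUS_LINE" "$SS_SAMPLE"
# Live use: triage "$(tailscale --socket=/tmp/tailscaled.sock funnel status)" "$(ss -tln)"
```

For the status line recorded in this log the verdict is `exposure=tailnet-only`, meaning that under the stated assumption the listener is scoped to the tailnet rather than published to the internet, which is worth confirming before chasing DNS.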
