# Tailscale Funnel userspace-networking SSL 失败 — 2026-05-23 ## 环境 - Tailscale: userspace-networking 模式(`--tun=userspace-networking --socket=/tmp/tailscaled.sock`) - Funnel: 已启用,状态显示 "Available on the internet" - 后端: localhost:5679 (Python SimpleHTTPServer 测试) - 域名: `https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net/` - tailscaled PID: 59495 ## 问题现象 - `tailscale funnel status` 显示 "Available on the internet" 和 "Funnel on" - Funnel 配置指向 `http://127.0.0.1:5679` - 本地 curl `http://127.0.0.1:5679` 返回 200 OK - 外部访问 `https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net/` — **SSL handshake timeout** ## 诊断过程 ### 1. Funnel 状态检查 ```bash $ tailscale --socket=/tmp/tailscaled.sock funnel status # Funnel on: # - https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net (Funnel on) |-- / proxy http://127.0.0.1:5679 Funnel started and running in the background. ``` ### 2. tailscaled 日志关键片段 ``` dns: using "systemd-resolved" mode creating dns cleanup: route ip+net: no such network interface wgengine.NewUserspaceEngine(tun "userspace-networking") ... dns: using dns.noopManager ``` 关键:`dns: using dns.noopManager` — DNS manager 是空的,意味着无法进行真实的 DNS 配置。 ### 3. DNS 解析测试(通过) ```bash $ resolvectl query kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net: 176.58.88.82 -- link: wlp1s0 ``` DNS 解析本身是通的!域名解析到公网 IP 176.58.88.x。 ### 4. SSL 连接测试 ```bash $ curl -v --connect-timeout 5 https://kuhnn-lenovo-ideapad-710s-13isk.tail95fef0.ts.net * Trying 176.58.88.108:443... * Connected to ... tail95fef0.ts.net (176.58.88.108) port 443 (#0) * ALPN, offering h2, http/1.1 * TLSv1.3 (OUT), TLS handshake, Client hello (1): ... * SSL connection timeout ``` TCP 连接到 443 成功,但 TLS 握手超时。这说明有证书问题。 ### 5. 端口监听检查 ```bash $ ss -tlnp | grep tailscaled LISTEN 0 4096 0.0.0.0:42898 0.0.0.0:* users=(("tailscaled",pid=59495,fd=15)) ``` Funnel 没有监听 443 端口!Funnel 应该监听 443 但实际上没有。 ## 根因定位 通过 GitHub Issue [#12788](https://github.com/tailscale/tailscale/issues/12788) 找到答案: **Funnel 在 userspace-networking 模式下无法获取 Let's Encrypt SSL 证书。** 原因: 1. Funnel 依赖 `tailscale cert` 命令向 Let's Encrypt CA 获取证书 2. `tailscale cert` 需要向 Let's Encrypt 的 DNS 服务器做 DNS challenge 3. 这需要修改系统的 DNS 配置(写入 `/etc/resolv.conf` 或通过 `systemd-resolved`),需要 root 权限 4. userspace 模式以普通用户运行,没有权限修改系统 DNS 5. 证书获取失败 → SSL 握手超时 ## 结论 **Funnel + userspace-networking = 无法提供公网 HTTPS 访问** 这是设计限制,不是配置问题。Funnel 状态可能显示 "Available on the internet",但实际上证书不存在,SSL 握手必然失败。 ## 解法 ### TUN 模式(需要 root) ```bash pkill tailscaled sudo tailscaled --socket=/tmp/tailscaled.sock tailscale --socket=/tmp/tailscaled.sock up tailscale --socket=/tmp/tailscaled.sock funnel --bg 5679 ``` ### 替代工具(无 root 需求) - cloudflared tunnel(Cloudflare Tunnel) - ngrok - frp 内网穿透