• node:tsReleaseTrack == 'stable'
• node:tsAutoUpdate

• tsnet nodes do not auto-update
• tsnet nodes do not have a release channel
• tsnet nodes often lack many “managed” attributes

"defaultSrcPosture": ["posture:human"]

• Admin can see the tsnet node
• Other nodes cannot see it at all
• Node exists in admin console
• Tag is correct
• Grants look correct
• But it is invisible

• Do NOT use defaultSrcPosture globally
• Only apply posture on rules that involve human devices
• Service nodes (tsnet, infra) must be posture-free

"postures": {
  "posture:human": [
    "node:tsReleaseTrack == 'stable'",
    "node:tsAutoUpdate"
  ]
}

"srcPosture": ["posture:human"]

“Node A can never talk to Node B under any rule”

• Node does not appear
• No ping
• No connection attempt
• Looks like it “does not exist”

• Missing grants
• Bad posture
• Tag mismatch
• Group mismatch
• ACL/grant shadowing

• Tags are per-node, not per-host
• Tags must exist in tagOwners
• Tag must be approved or auto-approved
• Tags do NOT override posture
• Tags do NOT override user ownership rules

• Node is tagged in UI but policy does not list the tag in tagOwners
• Node has multiple tags and only some rules match
• tsnet node was created under tagged-devices user and rules are user-scoped

• It is evaluated
• It can block things even if grants allow them
• It can cause peer suppression

• Use grants only
• Remove ACLs entirely unless you fully understand both systems

• User-based rules
• They do not apply to tagged service nodes
• tsnet nodes almost always belong to tagged-devices

• Writing rules like:

"src": ["group:admins"]

tailscale status
tailscale status --json | jq '.Self'
tailscale status --json | jq '.Peer[].DNSName'

• Does the node exist in admin?
• Does it have the tag?
• Does the rule path exist?
• Does posture apply?
• Does any rule match at all?

{
  "src": ["*"],
  "dst": ["*"],
  "ip": ["*"]
}

Your policy graph was unsatisfiable.

• krknc is just using the machine’s Tailscale (not the -krkns tsnest node)
• If the machine can’t reach something, krknc can’t either
• There is no separate node, no separate identity, no separate auth

• The krkns tsnet node:
  • Is not tagged
  • Is posture-blocked
  • Is policy-suppressed
  • Or has no policy path from the client machine

• The client machine:
  • Is missing the required tag
  • Is blocked by posture
  • Is blocked by policy

• The machine itself does not have a valid policy path
• Test from the machine directly

tailscale ping <krkns-node>

• tailscale status
• tailscale ping <target>
• Check:
  • Does the machine have the correct tag?
  • Does policy allow it to talk to krkns?
  • Is posture blocking it?

• The krkns primary host (not the tsnet node)
  • Is not tagged
  • Is policy suppressed
  • Or has no policy path from the tentacle machine

• It creates a tsnet node.
• This is a separate machine identity in your tailnet
• It has:
  • Its own IP
  • Its own hostname
  • Its own tags (if any)
  • Its own posture evaluation
  • Its own auth state

• Your workstation’s Tailscale login ≠ krkns’s Tailscale login

​

Option A — Interactive Login (Default)

• krkns will start
• It will block waiting for authentication
• You must visit the printed login URL (only visible in debug logs)
• After successful login, the node is registered
• From then on:
  • The auth state is persisted
  • You do NOT need to login again on future starts

⚠️ If debug logging is NOT enabled, you may not see the login URL and it will look like the client is “hung”.

​

Option B — Auth Key (Non-interactive / Headless)

export TS_AUTHKEY=tskey-xxxxxxxxxxxxxxxx
export TS_FORCE_LOGIN=1

• TS_AUTHKEY provides a pre-auth key
• TS_FORCE_LOGIN=1 forces tsnet to use it even if cached state exists
• The node will:
  • Register automatically
  • Appear in the admin console
  • Be ready without any browser login

✅ This is ideal for headless machines, CI, or scripted deployments.

⚠️ This is ONLY required for the initial registration. After that, the node identity is persisted and the env vars are no longer needed.

​

Important: You Only Need to Auth ONCE

• The node identity is stored on disk
• Future runs will:
  • Reuse the same node
  • Reuse the same IP
  • Reuse the same registration
• You do NOT need:
  • TS_AUTHKEY
  • TS_FORCE_LOGIN
  • Or interactive login again

• You delete the state directory
• You run with a different hostname
• You force a re-login
• You run in ephemeral mode (if supported)

​

Where the Auth “Hang” Happens

• krkns starts
• Nothing seems to happen
• No errors
• No progress
• No network connectivity

tsnet is waiting for authentication, but the login URL is only shown in debug logs.

• Start krkns with debug logging enabled
• Look for a line containing a login URL
• Open it in your browser
• Approve the node

• Machines list
• You should see something like:
  • krknc-<hostname>
  • Or similar

tailscale status

​

Tags and Visibility

• It may be invisible to other nodes if:
  • It does not have the correct tag (e.g., tag:krkn)
  • Or policy does not allow any path to it

If Tailscale policy says “this node can never talk to that node”, the peer is suppressed and does not appear at all.

​

Posture and Client Nodes

• tsnet nodes often FAIL posture
• Because they:
  • Do not auto-update
  • Do not have a release channel
  • Do not look like “managed” clients

The client node may be silently excluded from the network graph.

• Do not apply posture to service nodes
• Only apply posture to human devices
• See the main Krkn Tailscale Troubleshooting Guide

• Is debug logging enabled?
• Do you see a login URL?
• Does the node appear in admin?
• Does it have the correct tag?
• Does policy allow it to talk to anything?

tailscale status

The control plane has suppressed it due to policy.