r/Tailscale 1d ago

Help Needed App connector in Docker Swarm advertises its own Tailscale IP (100.x) as a subnet route — stuck in "Awaiting Approval" forever

Running a Tailscale app connector as a Docker service using the official `tailscale/tailscale:latest` image on Docker Swarm. The connector shows the **Connector** badge correctly in the admin console, but on startup it automatically advertises a subnet route for its own Tailscale IP (`100.124.158.81/32`) — not any actual subnet I want to expose.

That route shows up under "Awaiting Approval" in the admin console. When I click Review, enable the route, click Save, and the UI says "Updated" — but the route just stays in "Awaiting Approval" indefinitely. No matter how many times I try, it never actually gets approved.

**Environment:**

- Docker Swarm

- `tailscale/tailscale:latest`

- Running as an app connector

**What I've tried:**

- Reviewing and saving the route multiple times through the admin UI

- Confirmed the connector itself is healthy and shows the Connector badge

**Questions:**

  1. Why is the connector advertising its own Tailscale IP as a subnet route at all? Is this expected behavior for an app connector?
  2. Is there a known bug where subnet routes get stuck in "Awaiting Approval" even after approving in the UI?
  3. Is there a way to suppress or remove this self-advertised route?

Any help appreciated — I also have a support ticket open (TSS-90294) but hoping the community has seen this before.

1 Upvotes


2

u/Logvin 1d ago

Can you share your docker config? Also, your ACLs from the Tailscale GUI?

These commands you can run to check what is being advertised inside the container:

```
docker exec <container> tailscale status --json | jq '.Self.AllowedIPs, .Self.PrimaryRoutes'
docker exec <container> cat /proc/1/cmdline | tr '\0' ' '
```
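Added example, not part of the comment above and not Tailscale's own tooling: a script that sorts the prefixes from the `tailscale status --json` fields queried above, so a /32 for the node's own address stands out from real subnet routes. It also reads `Self.TailscaleIPs`; the sample status, its IPv6 address and the `10.0.0.0/24` route are constructed for illustration.

```python
import ipaddress
import json
import sys

# Tailscale hands out node IPv4 addresses from the CGNAT block.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample shaped like `tailscale status --json` (values are illustrative).
SAMPLE = json.loads("""
{"Self": {"TailscaleIPs": ["100.124.158.81", "fd7a:115c:a1e0::1"],
          "AllowedIPs": ["100.124.158.81/32", "fd7a:115c:a1e0::1/128", "10.0.0.0/24"],
          "PrimaryRoutes": ["100.124.158.81/32", "10.0.0.0/24"]}}
""")

def classify_routes(status):
    """Split Self.AllowedIPs / Self.PrimaryRoutes into the node's own
    addresses, other tailnet-range prefixes, and ordinary subnets."""
    me = status.get("Self") or {}
    own = {ipaddress.ip_address(a) for a in me.get("TailscaleIPs") or []}
    report = {"own_address": [], "tailnet_range": [], "subnet": [],
              "self_in_primary_routes": []}
    for field in ("AllowedIPs", "PrimaryRoutes"):
        for text in me.get(field) or []:  # either field may be null
            net = ipaddress.ip_network(text, strict=False)
            is_host = net.prefixlen == net.max_prefixlen
            if is_host and net.network_address in own:
                kind = "own_address"
                if field == "PrimaryRoutes":
                    # The node's own IP listed as a route it serves.
                    report["self_in_primary_routes"].append(text)
            elif net.version == 4 and net.subnet_of(CGNAT):
                kind = "tailnet_range"
            else:
                kind = "subnet"
            if text not in report[kind]:
                report[kind].append(text)
    return report

if __name__ == "__main__":
    # Pipe real output in, or run with no input to use the sample.
    status = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for kind, prefixes in classify_routes(status).items():
        print(f"{kind}: {prefixes}")
```

To run it against a live container, pipe `docker exec <container> tailscale status --json` into the script.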

1

u/langtutheky 12h ago

Hi Logvin,

Thanks for looking into this.

Unfortunately, I can no longer reproduce the issue. While troubleshooting, I observed that the behavior seemed to be tied to redeploying the Tailscale service.

Specifically, when I deleted the Tailscale daemon from the admin console and deployed it again, no subnet was advertised initially. However, after redeploying the same daemon a second time, it began advertising its own Tailscale IP unexpectedly.

To further test, I deleted the daemon again and recreated it as a completely new connector with a different name. Since then, I have been able to redeploy it multiple times without any issues, and no unexpected subnet advertisements have appeared.

Because the original daemon has been deleted and replaced, I no longer have access to the container state that was exhibiting the problem, so I cannot provide the `tailscale status --json` output or the original container configuration that reproduced the issue.

Based on my observations, it appears there may be a bug related to redeploying an existing Tailscale daemon as an app connector, but I am unable to reproduce it consistently at this time.

1

u/Logvin 11h ago

Hey, if it's working, that was the goal, right? While I always prefer to figure out the WHY too, I'll take a win when it's there. LMK if it pops up again.