Tailscale updates fail: TLS handshake does not go through in AWS environment

A couple of days ago my tailscale updates started to fail (apt-get).

Upon further investigation I found out that my TLS sessions against fly.io do not go through.

curl -iv  -L https://dl.tailscale.com
* Host dl.tailscale.com:443 was resolved.
* IPv6: 2a09:8280:1::a:1a71
* IPv4:
*   Trying
* Connected to dl.tailscale.com ( port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
**** stuck here***

I run Ubuntu 24 LTS, but this seems to happen on all EC2 instances, independently of the OS.

You can find tcpdump traffic here.

The TCP handshake completes but the TLS handshake does not complete (it fails in the first hello stage).

I do not have control over the networking segment between my VPC and the edge router (public IP) so I can only troubleshoot up to the network interfaces on my EC2s.

Another piece of information: it seems Tailscale redirects dl.tailscale.com to pkgs.tailscale.com, and that is served by another ISP. TLS requests there work fine for me.

Finally, this only happens in this particular AWS environment. I don’t have issues on my other environments (even AWS).

Is there anyone from fly that can help me figure out what is happening?

Thank you,
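The symptom in the curl trace (TCP handshake completes, ClientHello goes out, nothing comes back) is worth distinguishing from the other ways a connection can die, because each points at a different layer of the path. The probe below is an added example, not code from the original post or from Tailscale or Fly.io: it reports the first stage at which a connection stops, separating "SYN unanswered", "connect refused", "ClientHello sent but no ServerHello", "RST after ClientHello" and "handshake error". The target hostname and port are assumptions; the two local fixtures are constructed so the probe can be exercised offline against a listener that deliberately swallows the ClientHello.

```python
import socket
import ssl
import sys
import threading


def probe_tls(host, port=443, timeout=3.0, server_name=None):
    """Report the first stage at which a TLS connection to host:port stops.

    Returns one of:
      'dns_error'    the name did not resolve
      'tcp_timeout'  SYN gets no answer (dropped below TCP)
      'tcp_refused'  RST on connect (nothing listening, or an L4 reject rule)
      'tls_timeout'  TCP handshake done, ClientHello sent, no ServerHello back
                     (the pattern in the curl trace: something on the path
                     drops the flow after seeing the ClientHello)
      'tls_reset'    ClientHello answered with a TCP RST (injected reset)
      'tls_error'    the peer answered, but the handshake failed (alert etc.)
      'tls_ok'       handshake completed
    """
    ctx = ssl.create_default_context()
    # This is a reachability probe, not a trust decision: skip certificate
    # validation so an untrusted chain is reported as 'tls_ok' instead of
    # being confused with a network-level block.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return "dns_error"
    except ConnectionRefusedError:
        return "tcp_refused"
    except (socket.timeout, TimeoutError):
        return "tcp_timeout"
    with raw:
        raw.settimeout(timeout)
        try:
            # wrap_socket() on an already connected socket runs the handshake
            # immediately: it sends the ClientHello (with SNI) and waits for
            # the ServerHello, bounded by the socket timeout.
            with ctx.wrap_socket(raw, server_hostname=server_name or host):
                return "tls_ok"
        except (socket.timeout, TimeoutError):
            return "tls_timeout"
        except ConnectionResetError:
            return "tls_reset"
        except ssl.SSLError:
            return "tls_error"


def start_blackhole_server():
    """Constructed fixture for offline use: a loopback listener that completes
    the TCP handshake, swallows whatever the client sends and never replies.
    This reproduces the symptom of a middlebox dropping TLS after the
    ClientHello. Returns the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.settimeout(30)
            try:
                while conn.recv(4096):  # read until the client gives up
                    pass
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_local_port():
    """Constructed fixture: a loopback port with nothing listening on it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Assumed usage: python3 probe.py dl.tailscale.com [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "dl.tailscale.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, probe_tls(target, target_port))
```

Run it from the affected instance against dl.tailscale.com and pkgs.tailscale.com: a result of `tls_timeout` for one and `tls_ok` for the other confirms that the block is specific to the TLS flow toward that destination rather than a general egress problem, and `tls_reset` rather than `tls_timeout` would point at an inline device injecting resets instead of silently dropping.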

It seems we had a bizarre firewall rule that was blocking only this particular TLS traffic. Don't ask.
