Tailscale fails after first run

KatMB · June 16, 2026, 2:21am

I’m pretty new at this and I’m trying to understand this. I install tailscale and it launches on the first run but if I stop it and re run it it just says that the service is unavailable. I’ve tried changing the ports, changing the variables, and uninstalling it and deleying the files but it does not work. I install the app from the main app store and even when it launches I can’t connect to it. I’m not sure what is wrong but I wanna try to get it working if anyone can help.

gelbuilding · June 16, 2026, 3:01am

It sounds like the Tailscale container starts once, then fails when it is recreated or restarted. This may be related to the saved app data or the container state, but it is better to verify first before changing anything else.

Can you please open the ZimaOS terminal and run these commands?

docker ps -a | grep -i tailscale

docker logs --tail=100 $(docker ps -a --filter "name=tailscale" --format "{{.ID}}" | head -n 1)

docker inspect $(docker ps -a --filter "name=tailscale" --format "{{.ID}}" | head -n 1) --format '{{json .Mounts}}'

Please paste the output here.

The important thing is to confirm whether the container is actually stopping, whether it is failing because of a missing volume/path, or whether the Tailscale state file is damaged.

Also, changing ports usually will not fix Tailscale because it needs its own network/state setup rather than just a normal web app port change.

KatMB · June 16, 2026, 3:11am

I get this from trying to run them I’m not sure if I’m adding it right

KatMB@ZimaOS:~ ➜ $ sudo docker ps -a | grep -i tailscale
0f377fe67828   tailscale/tailscale:v1.98.3                               “/bin/sh -c 'tailsca…”   51 minutes ago   Up 5 seconds                                                                                                                                                                                                       tailscale
KatMB@ZimaOS:~ ➜ $ docker logs --tail=100 $(docker ps -a --filter “name=tailscale” --format “{{.ID}}” | head -n 1)
WARNING: Error loading config file: open /DATA/.docker/config.json: permission denied
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.47/containers/json?all=1&filters=%7B%22name%22%3A%7B%22tailscale%22%3Atrue%7D%7D”: dial unix /var/run/docker.sock: connect: permission denied
WARNING: Error loading config file: open /DATA/.docker/config.json: permission denied
“docker logs” requires exactly 1 argument.
See ‘docker logs --help’.

Usage:  docker logs [OPTIONS] CONTAINER

Fetch the logs of a container
KatMB@ZimaOS:~ ➜ $ docker inspect $(docker ps -a --filter “name=tailscale” --format “{{.ID}}” | head -n 1) --format ‘{{json .Mounts}}’
WARNING: Error loading config file: open /DATA/.docker/config.json: permission denied
permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get “http://%2Fvar%2Frun%2Fdocker.sock/v1.47/containers/json?all=1&filters=%7B%22name%22%3A%7B%22tailscale%22%3Atrue%7D%7D”: dial unix /var/run/docker.sock: connect: permission denied
WARNING: Error loading config file: open /DATA/.docker/config.json: permission denied
“docker inspect” requires at least 1 argument.
See ‘docker inspect --help’.

Usage:  docker inspect [OPTIONS] NAME|ID [NAME|ID…]

Return low-level information on Docker objects

gelbuilding · June 16, 2026, 3:16am

You are very close. The issue with the second and third commands is that only the first docker command had sudo.

Because your user does not have permission to access the Docker socket, the command inside $() also needs sudo.

Also make sure the quotes are normal straight quotes, not curly quotes copied from the forum.

Please run these instead:

sudo docker logs --tail=100 tailscale

sudo docker inspect tailscale --format '{{json .Mounts}}'

sudo docker inspect tailscale --format '{{.State.Status}} {{.State.ExitCode}} {{.State.Error}}'

Your first output shows the container is actually running:

Up 5 seconds

So now we need the logs to see why the Tailscale app/service is still showing unavailable.

gelbuilding · June 16, 2026, 3:22am

Just to explain the sudo part:

Your terminal prompt shows you are logged in as a normal user:

KatMB@ZimaOS:~ ➜ $

So Docker does not allow that user to access the Docker daemon directly.

That is why the first command worked when you used:

sudo docker ps -a | grep -i tailscale

But the next commands failed when they were run without sudo.

So for now, please use sudo in front of the Docker commands.

KatMB · June 16, 2026, 3:23am

Here’s the whole thing now

KatMB@ZimaOS:~ ➜ $ sudo docker logs --tail=100 tailscale
Password:
2026/06/16 03:21:50 health(warnable=no-derp-connection): ok
2026/06/16 03:21:50 [RATELIMIT] format(“health(warnable=%s): ok”)
2026/06/16 03:21:59 web server running on: ``http://0.0.0.0:5252
2026/06/16 03:21:59 localapi: [POST] /localapi/v0/upload-client-metrics
2026/06/16 03:21:59 web.Server: shutting down
TPM: error opening: stat /dev/tpmrm0: no such file or directory
2026/06/16 03:21:59 logtail started
2026/06/16 03:21:59 Program starting: v1.98.3-t8f2c8d6a1, Go 1.26.3: string{“tailscaled”, “–state=/var/lib/tailscale/tailscaled.state”}
2026/06/16 03:21:59 LogID: ce785d4e4e35955489d48c330fd16754cc80324f5e5f0dc686c74317325fd448
2026/06/16 03:21:59 logpolicy: using system state directory “/var/lib/tailscale”
2026/06/16 03:21:59 dns: [rc=unknown ret=direct]
2026/06/16 03:21:59 dns: using “direct” mode
2026/06/16 03:21:59 dns: using *dns.directManager
2026/06/16 03:21:59 dns: inotify: NewDirWatcher: context canceled
2026/06/16 03:21:59 wgengine.NewUserspaceEngine(tun “tailscale0”) …
2026/06/16 03:21:59 dns: [rc=unknown ret=direct]
2026/06/16 03:21:59 dns: using “direct” mode
2026/06/16 03:21:59 dns: using *dns.directManager
2026/06/16 03:21:59 link state: interfaces.State{defaultRoute=eth0 ifs={br-94640fadb178:[172.18.0.1/16 llu6] br-ce87e072ec39:[172.19.0.1/16] docker0:[172.17.0.1/16 llu6] eth0:[10.0.0.93/24 2601:cd:d000:c100::6d94/128 2601:cd:d000:c100:6eb8:228e:6111:a62a/64 llu6] virbr0:[192.168.122.1/24] ztcq3vshmp:[10.147.20.1/24 fde5:f059:f1c7:ec:4899:93e5:f059:f1c7/88 llu6]} v4=true v6=true}
2026/06/16 03:21:59 router: portUpdate(port=39922, network=udp6)
2026/06/16 03:21:59 router: using firewall mode pref
2026/06/16 03:21:59 magicsock: disco key = d:a146ec69fe1c9380
2026/06/16 03:21:59 Creating WireGuard device…
2026/06/16 03:21:59 Bringing WireGuard device up…
2026/06/16 03:21:59 Bringing router up…
2026/06/16 03:21:59 external route: up
2026/06/16 03:21:59 router: default choosing iptables
2026/06/16 03:21:59 router: disabling tunneled IPv6 due to system IPv6 config: kernel doesn’t support IPv6 policy routing: querying IPv6 policy routing rules: address family not supported by protocol
2026/06/16 03:21:59 router: portUpdate(port=57899, network=udp4)
2026/06/16 03:21:59 Clearing router settings…
2026/06/16 03:21:59 Starting network monitor…
2026/06/16 03:21:59 Engine created.
2026/06/16 03:21:59 monitor: ip rule deleted: {Family:2 DstLength:0 SrcLength:0 Tos:0 Table:254 Protocol:0 Scope:0 Type:1 Flags:0 Attributes:{Dst: Src: Gateway: OutIface:0 Priority:5210 Table:254 Mark:16711680 Pref: Expires: Metrics: Multipath:}}
2026/06/16 03:21:59 monitor: ip rule deleted: {Family:2 DstLength:0 SrcLength:0 Tos:0 Table:253 Protocol:0 Scope:0 Type:1 Flags:0 Attributes:{Dst: Src: Gateway: OutIface:0 Priority:5230 Table:253 Mark:16711680 Pref: Expires: Metrics: Multipath:}}
2026/06/16 03:21:59 monitor: ip rule deleted: {Family:2 DstLength:0 SrcLength:0 Tos:0 Table:0 Protocol:0 Scope:0 Type:7 Flags:0 Attributes:{Dst: Src: Gateway: OutIface:0 Priority:5250 Table:0 Mark:16711680 Pref: Expires: Metrics: Multipath:}}
2026/06/16 03:21:59 monitor: ip rule deleted: {Family:2 DstLength:0 SrcLength:0 Tos:0 Table:52 Protocol:0 Scope:0 Type:1 Flags:0 Attributes:{Dst: Src: Gateway: OutIface:0 Priority:5270 Table:52 Mark:0 Pref: Expires: Metrics: Multipath:}}
2026/06/16 03:21:59 pm: using backend prefs for “profile-b98d”: Prefs{ra=false dns=true want=true webclient=true routes= statefulFiltering=false nf=on update=check Persist{o=, n=[Xvkts] ``u="dclavel9@gmail.com``" ak=-}}
2026/06/16 03:21:59 logpolicy: using system state directory “/var/lib/tailscale”
2026/06/16 03:21:59 linkChange: in state NoState; PAC or proxyConfig changed; updating routes
2026/06/16 03:21:59 got LocalBackend in 12ms
2026/06/16 03:21:59 Start
2026/06/16 03:21:59 ipnext: “conn25”: skipping extension
2026/06/16 03:21:59 ipnext: active extensions: relayserver, taildrop, conn25, portlist, posture, clientupdate
2026/06/16 03:21:59 monitor: gateway and self IP changed: gw=10.0.0.1 self=10.0.0.93
2026/06/16 03:21:59 Start: loaded netmap from disk cache; 2 peers
2026/06/16 03:21:59 active login: ``dclavel9@gmail.com
2026/06/16 03:21:59 magicsock: home DERP changing from derp-0 [0ms] to derp-16 [0ms] (forced=true)
2026/06/16 03:21:59 netmap: suggested exit node: no preferred DERP, try again later
2026/06/16 03:21:59 Switching ipn state NoState → Starting (WantRunning=true, nm=true)
2026/06/16 03:21:59 magicsock: SetPrivateKey called (init)
2026/06/16 03:21:59 magicsock: private key changed, reconnecting to home derp-16
2026/06/16 03:21:59 magicsock: adding connection to derp-16 for home-keep-alive
2026/06/16 03:21:59 magicsock: 1 active derp conns: derp-16=cr0s,wr0s
2026/06/16 03:21:59 wgengine: Reconfig: configuring userspace WireGuard config (with 2 peers)
2026/06/16 03:21:59 derphttp.Client.Connect: connecting to derp-16 (mia)
2026/06/16 03:21:59 wgengine: Reconfig: configuring router
2026/06/16 03:21:59 portmapper: UPnP discovery response from non-UPnP port 59967
2026/06/16 03:21:59 router: enabling connmark-based rp_filter workaround
2026/06/16 03:21:59 wgengine: Reconfig: user dialer
2026/06/16 03:21:59 tsdial: bart table size: 5
2026/06/16 03:21:59 wgengine: Reconfig: configuring DNS
2026/06/16 03:21:59 dns: Set: {DefaultResolvers: Routes:{``tail1e697c.ts.net``.: ``ts.net``.:[199.247.155.53 2620:111:8007::53]}+65arpa SearchDomains:[``tail1e697c.ts.net``.] Hosts:3}
2026/06/16 03:21:59 dns: Resolvercfg: {Routes:{.:[75.75.75.75 75.75.76.76 2001:558:feed::1 2001:558:feed::2] ``ts.net``.:[199.247.155.53 2620:111:8007::53]} Hosts:3 LocalDomains:[``tail1e697c.ts.net``.]+65arpa}
2026/06/16 03:21:59 dns: OScfg: {Nameservers:[100.100.100.100 fd7a:115c:a1e0::53] SearchDomains:[``tail1e697c.ts.net``.] }
2026/06/16 03:21:59 rename of “/etc/resolv.conf” to “/etc/resolv.pre-tailscale-backup.conf” failed (rename /etc/resolv.conf /etc/resolv.pre-tailscale-backup.conf: device or resource busy), falling back to copy+delete
2026/06/16 03:21:59 peerapi: serving on ``http://100.67.240.71:57093
2026/06/16 03:21:59 peerapi: failed to do peerAPI listen, harmless (netstack available) but error was: listen tcp6 [fd7a:115c:a1e0::8233:f048]:0: bind: cannot assign requested address
2026/06/16 03:21:59 peerapi: serving on http://[fd7a:115c:a1e0::8233:f048]:1
2026/06/16 03:21:59 Backend: logs: be:ce785d4e4e35955489d48c330fd16754cc80324f5e5f0dc686c74317325fd448 fe:
2026/06/16 03:21:59 control: client.Login(0)
2026/06/16 03:21:59 health(warnable=warming-up): error: Tailscale is starting. Please wait.
2026/06/16 03:21:59 Switching ipn state Starting → Running (WantRunning=true, nm=true)
2026/06/16 03:21:59 health(warnable=no-derp-connection): ok
2026/06/16 03:21:59 health(warnable=no-derp-connection): ok
2026/06/16 03:21:59 control: doLogin(regen=false, hasUrl=false)
2026/06/16 03:21:59 health(warnable=no-derp-connection): ok
2026/06/16 03:21:59 health(warnable=warming-up): ok
2026/06/16 03:21:59 health(warnable=no-derp-connection): ok
2026/06/16 03:21:59 [RATELIMIT] format(“health(warnable=%s): ok”)
2026/06/16 03:21:59 listening on 100.67.240.71:5252
2026/06/16 03:22:00 magicsock: derp-16 connected; connGen=1
2026/06/16 03:22:00 router: somebody (likely systemd-networkd) deleted ip rules; restoring Tailscale’s
2026/06/16 03:22:00 portmapper: UPnP meta changed: [{Location:``http://10.0.0.1:49152/IGDdevicedesc_brlan0.xml`` Server:Linux/5.15.144-prod-24.2-pd, UPnP/1.0, Portable SDK for UPnP devices/1.6.22 USN:uuid:ebf5a0a0-1dd1-11b2-a90f-1c9eccd5c190: schemas-upnp-org:device:InternetGatewayDevice:1}]
2026/06/16 03:22:00 control: NetInfo: NetInfo{varies=false ipv6=true ipv6os=true udp=true icmpv4=false derp=#16 portmap=U link=“” firewallmode=“ipt-default”}
2026/06/16 03:22:00 magicsock: endpoints changed: 24.126.178.152:57899 (stun), [2601:cd:d000:c100::6d94]:39922 (stun), 10.0.0.93:57899 (local), 172.17.0.1:57899 (local), 172.18.0.1:57899 (local), 172.19.0.1:57899 (local), 192.168.122.1:57899 (local), [2601:cd:d000:c100::6d94]:57899 (local), [2601:cd:d000:c100:6eb8:228e:6111:a62a]:57899 (local)
2026/06/16 03:22:00 control: control server key from ``https://controlplane.tailscale.com``: ts2021=[fSeS+], legacy=[nlFWp]
2026/06/16 03:22:00 control: RegisterReq: onode= node=[Xvkts] fup=false nks=false
2026/06/16 03:22:00 control: RegisterReq: got response; nodeKeyExpired=false, machineAuthorized=true; authURL=false
2026/06/16 03:22:00 control: netmap: got new dial plan from control
2026/06/16 03:22:00 netmap: suggested exit node: ()
2026/06/16 03:22:01 LinkChange: major, rebinding: old: interfaces.State{defaultRoute=eth0 ifs={br-94640fadb178:[172.18.0.1/16 llu6] br-ce87e072ec39:[172.19.0.1/16] docker0:[172.17.0.1/16 llu6] eth0:[10.0.0.93/24 2601:cd:d000:c100::6d94/128 2601:cd:d000:c100:6eb8:228e:6111:a62a/64 llu6] virbr0:[192.168.122.1/24] ztcq3vshmp:[10.147.20.1/24 fde5:f059:f1c7:ec:4899:93e5:f059:f1c7/88 llu6]} v4=true v6=true} new: interfaces.State{defaultRoute=eth0 ifs={br-94640fadb178:[172.18.0.1/16 llu6] br-ce87e072ec39:[172.19.0.1/16] docker0:[172.17.0.1/16 llu6] eth0:[10.0.0.93/24 2601:cd:d000:c100::6d94/128 2601:cd:d000:c100:6eb8:228e:6111:a62a/64 llu6] tailscale0:[100.67.240.71/32 llu6] virbr0:[192.168.122.1/24] ztcq3vshmp:[10.147.20.1/24 fde5:f059:f1c7:ec:4899:93e5:f059:f1c7/88 llu6]} v4=true v6=true} diff: ips tailscale0: [fe80::e94c:765e:bb6a:aebd/64]->[100.67.240.71/32 fe80::e94c:765e:bb6a:aebd/64] rebind-reason=[ips-changed]
2026/06/16 03:22:01 dns: Set: {DefaultResolvers: Routes:{``tail1e697c.ts.net``.: ``ts.net``.:[199.247.155.53 2620:111:8007::53]}+65arpa SearchDomains:[``tail1e697c.ts.net``.] Hosts:3}
2026/06/16 03:22:01 dns: Resolvercfg: {Routes:{.:[75.75.75.75 75.75.76.76 2001:558:feed::1 2001:558:feed::2] ``ts.net``.:[199.247.155.53 2620:111:8007::53]} Hosts:3 LocalDomains:[``tail1e697c.ts.net``.]+65arpa}
2026/06/16 03:22:01 dns: OScfg: {Nameservers:[100.100.100.100 fd7a:115c:a1e0::53] SearchDomains:[``tail1e697c.ts.net``.] }
2026/06/16 03:22:01 wgengine: set DNS config again after major link change
2026/06/16 03:22:01 router: portUpdate(port=39922, network=udp6)
2026/06/16 03:22:01 router: portUpdate(port=57899, network=udp4)
2026/06/16 03:22:01 Rebind; defIf=“eth0”, ips=[10.0.0.93/24 2601:cd:d000:c100::6d94/128 2601:cd:d000:c100:6eb8:228e:6111:a62a/64 fe80::61bb:f8b9:947c:4a63/64]
2026/06/16 03:22:01 magicsock: 1 active derp conns: derp-16=cr2s,wr2s
2026/06/16 03:22:01 post-rebind ping of DERP region 16 okay
KatMB@ZimaOS:~ ➜ $ sudo docker inspect tailscale --format ‘{{json .Mounts}}’
[{“Type”:“bind”,“Source”:“/DATA/AppData/tailscale”,“Destination”:“/var/lib/tailscale”,“Mode”:“”,“RW”:true,“Propagation”:“rprivate”},{“Type”:“bind”,“Source”:“/dev/net/tun”,“Destination”:“/dev/net/tun”,“Mode”:“”,“RW”:true,“Propagation”:“rprivate”}]
KatMB@ZimaOS:~ ➜ $ sudo docker inspect tailscale --format ‘{{.State.Status}} {{.State.ExitCode}} {{.State.Error}}’
running 0

gelbuilding · June 16, 2026, 3:28am

Good, this output is very helpful.

From what you posted, Tailscale itself looks like it is running correctly now.

These lines are the important ones:

Switching ipn state Starting → Running

machineAuthorized=true

running 0

Your mount also looks normal:

/DATA/AppData/tailscale -> /var/lib/tailscale
/dev/net/tun -> /dev/net/tun

So I do not think the container is crashing. It looks more like the ZimaOS app page/web UI is showing “service unavailable,” even though the Tailscale daemon is running.

Please check this next:

sudo docker exec tailscale tailscale status

sudo docker exec tailscale tailscale ip -4

sudo docker port tailscale

If tailscale status shows your device and peers, then Tailscale is working and the issue is likely only with accessing the app web interface.

KatMB · June 16, 2026, 3:46am

Yeah it is showing the devices I think it’s working then or at least turning on cause I still can’t connect to my services from my phone when it’s turned on

gelbuilding · June 16, 2026, 3:50am

Good, that means Tailscale is running.

The next thing to check is how you are trying to connect from your phone.

If you are using your normal home LAN address, for example:

http://10.0.0.93:port

that may not work over Tailscale unless subnet routing is configured.

Try using the ZimaOS Tailscale IP instead. You can get it with:

sudo docker exec tailscale tailscale ip -4

Then from your phone, while connected to Tailscale, try:

http://TAILSCALE-IP:PORT

For example, if ZimaOS shows 100.x.x.x and Jellyfin is on port 8096, try:

http://100.x.x.x:8096

Also confirm your phone is connected to the same Tailscale account/tailnet.

If you want to access your whole home network using normal LAN IPs like 10.0.0.x, that is a different setup called subnet routing and needs extra configuration and approval in the Tailscale admin console.

gelbuilding · June 16, 2026, 3:55am

Have you seen this?

KatMB · June 16, 2026, 4:01am

It is letting me connect doing the IP that way. It is a little slow but it does connect now.