#tailscale issues

It likely is though. Discord connects to vc fine with tailscale connected

offfcial desktop app?

yeah, the stable ver

i have vencord installed on it asw

try Chrome/Chromium/Brave/whichever chromium browser you want and see if you can repro the issue

comparing to the official discord app is pointless because it functions very differently

need to compare to the web app

also which distro do you use

i cannot reproduce at all on fedora43

trying atm

cachyos

ive spoken to some people in the server it seems nix also has the same issue occuring

I doubt distro matters

tried it on brave, was able to connect

likely another factor

how do you run vesktop

installed via aur, i've also tried using the flatpak version, and then just running it through application menu

flags etc

no flags

web app (firefox) and official client work flawlessly

only vesktop doesn't work, on nixos

try chromium and like I said official app is irrelevant

web app (firefox) + (chromium) and official client work flawlessly

I've also had this exact issue on vesktop

and i tried the same thing on google chrome, brave. EVEN EDGE "puke" Vivaldi. all works flawlessly without issue. its vesktop

whats weird is the windows branch works just fine

im using tailscale and vesktop but the only issues ive noticed are streams not starting/working

im not sure if thats because of vesktop of tailscale though

@shell pewter do you have Docker installed on ur machine

yup

then it may not be a tailscale issue but a docker issue

any steps to further debug would be welcomed

horror

wanted to note that i didn't have docker installed

and once u tailscale down it’s fixed?

yeap

tailscale up while in vc odesnt affect it asw

this might be an issue with any fake interface tbh

came in to look for help on this exact issue, amazing there's a thread.
I'll just post what I've experienced so far as well just to add information to the pile.
Infinite DTLS if I join VC while tailscale is up. No issue if I do tailscale up while I'm already in VC. I'm on CachyOS and have podman docker running in the background.
No issue whatsoever if I join VC in the browser.
No issue with joining a call on desktop with just docker running in the background as well.

attempting to reproduce in a Debian 13 test environment rn, have tailscale running + have tried creating docker containers, no issues yet.

I've installed tailscale, created multiple docker containers, set them up to have port forwards, even created a second docker network and tried things with that one, can't reproduce so far, any other useful information?

Even firewalling off IPv6 doesn't seem to get any results

oh this? i've never had an issue with tailscale and discord

weird how other people have trouble

Can't reproduce on debian 13 with iptables-nft, if you're going to try to reproduce, I'd suggest a focus on iptables-legacy and {older,other} distros personally, although ofc up to each person to decide

it seems to be happening on Arch Linux (BTW)

@hollow verge take that L

Is there an easyish way to reproduce, out of curiosity? sorry if I'm a nuisance

idk i use macos

works for me

i tried reproducing on fedora 43 but couldn't

same on Debian 13

I might try an arch VM tbh

if you test on arch/probably anywhere, I'd suggest using iptables-legacy to test, as docker and tailscale both like using iptables, iirc base depends on iptables, and iptables-legacy/iptables (idk which the package name is, I think it's one of those) will be installed instead of iptables-nft when using pacstrap, which picks the first package when given a list every time.

I do not have any docker running and ran into the same issue

can you try if you can reproduce this issue in an up to date chromium browser please?

chromium 143

heya just tried it with the version you specified. was unable to reproduce the issue

connected fine on chromium

Can u try official discord client? Also, go to Vesktop Settings > Developer Options > Open chrome://webrtc-internals, and while connected to a voice channel, go to the last connection on the list, expand the option that mentions "DTLS connected", and tell me what it says in "dtlsCipher".

I know it's a lot, but that's how I found out about a weird quirk where it connected through RSA but not ECDSA

The official discord client works. As for vesktop, I will update you tommorow once i get to test it

Okii

Also, is your internet connection through Ethernet cable or WiFi?

testing official discord client is irrelevant as it uses a completely different method for vc

skimmed through this but didnt read everything, could someone confirm there is NO fix for the DLTS connecting error (except tailscale down or using discord in the browser?)

not yet

Oddly enough I was having this issue and it seems to at least temporarily have fixed itself for me

Actually, potentially important, I am now on university wifi, not home, that maay be why it works now

So possibly a network thing

My network is double natted, I can check at school tomorrow to

Just ran into this issue without tailscale running, but with a wireguard tunnel using kernel wireguard configured, going to try configuring a link-local v6 address to see if that helps matters ig

issue doesn't go away when I remove the wireguard tunnel

wifi. found the thing u mentined about

Damn, then your situation is completely different from what I discovered. You can connect normally through Chromium >=142, but not Vesktop...

:(

And the ECDSA makes it even more confusing, because the times I got it to work was under RSA cipher

I wonder if ICE is still creating ports for the tailscale interface tho

You'd have to grab the packages through wireshark and see what sends DTLS' HelloClient

That's how I found out about the issue...

update: different internet + tailscale worked fine

👋 hey everyone. was looking around here and trying to see whats up. Chromium is adding some new post quantum crypto ciphers for dtls, which might explain a few of the cipher differences between chrome and vesktop.

I'm running chrome 143.0.7499.192. If I set chrome://flags/#webrtc-pqc-for-dtls to enabled, I get stuck on DTLS connecting. Disabled, I'm fine.
I've not been able to figure out a command line option to fix this in vesktop. I figured --flag-switches-begin --disable-features=--flag-switches-begin --disable-features=WebRtcPqcForDtls --flag-switches-end --flag-switches-end would do the trick, but in vesktop it has no effect.

Of note, discord's stable app's devtools version is 138, the flag was added somewhere after the current latest 138 and the latest 139.

https://chromium-review.googlesource.com/c/chromium/src/+/6652581
https://issues.chromium.org/issues/425617388

Any suggestions on how to verify the flag is actually available in electron and if so, if I am setting it correctly?

PS - this is also only if I've got tailscaled running, so I think this is getting close.

OK, I'm gonna go to bed for now lol, but I tried one last thing.... I added
win.webContents.setWebRTCIPHandlingPolicy("default_public_interface_only");
to createMainWindow in mainWindow.ts. and I can connect with tailscale on.

I can probably capture packets tomorrow evening via wireshark if helpful.

vai what does this do

The line win.webContents.setWebRTCIPHandlingPolicy("default_public_interface_only"); configures how WebRTC handles IP addresses within the Vencord application. WebRTC is a technology used for real-time communication, like voice and video calls, and it often needs to discover your IP address to establish a direct connection.

Specifically, "default_public_interface_only" instructs WebRTC to only use your public IP address and to not expose your local (private) IP addresses. By default, WebRTC might attempt to use all available network interfaces, which could potentially reveal local IP addresses even when using a VPN or similar tools.

This setting can be beneficial for privacy, as it prevents local IP addresses from being exposed during WebRTC connections. The fact that you can connect with Tailscale on after adding this line suggests that it's helping WebRTC work correctly with your VPN setup by limiting the interfaces it tries to use.

-# Response generated by gemini-2.5-flash. AI may be incorrect or misleading.

remove those flag switches begin/end flags they do nothing and might interfere

and to verify whether it works, vesktop will log to the terminal what features are enabled/disabled

if it has your feature it's working

disable-features can't be passed more than once but you're passing it twice, that might be the issue

OK cool, I've tried this, but I'm not confident the flag is present in the electron code to act upon. If a put some bogus feature name in there it also lists as disabled.

> /usr/lib/vesktop/vesktop --disable-features=WebRtcPqcForDtls,ThisDoesNotExist
APPIMAGE env is not defined, current application is not an AppImage
Vesktop v1.6.3
Disabled Chromium features: WebRtcPqcForDtls, ThisDoesNotExist, WinRetrieveSuggestionsOnlyOnDemand, HardwareMediaKeyHandling, MediaSessionService

any updates on this?

No effect from the command line is all I've got. Still poking around on my spare time.

☹️

also running into this, archlinux + nft. looking from pcaps, it looks like at least one reason the official client works is because it simply does not use dtls or stun for me

so from my machine's pcaps the behavior of discord web app on firefox is only sending out STUN requests from my public IP/default route.

However vesktop is sending requests via both default route and the tailscale ip.
We receive a STUN response from the peer on default route, and because my tailnet does not have a route to the internet enabled we obviously don't recieve a response there. Speculating that the code is blocking on waiting for a response there for some reason?

Enabling an exit node does allow responses from tailnet IP, and i'm able to connect to calls with tailscale up as well.

There's a bug I saw but couldn't confirm yet that suggests tailscale just steals all STUN outbound to their servers unless you set a route to the actual target (Discord) servers ip

It's on github tailscale issues

interesting, could you link the issue?

either way, I think it would make sense to set default_public_interface_only or default_public_and_private_interfaces anyways, afaik discord is not actually ever peer-to-peer, and should probably just follow the default routes set by OS

Yeah here it is. Was just responding on my phone before or I'd have had it for ya. https://github.com/tailscale/tailscale/issues/12996

Not sure if the OP was taking about a route just in the route table on the local machine or in tailscale on an exit node. I don't have any approved tailscale routes for all traffic in my setup though, just to a few private IPs

oh nice, connecting to an exit node did actually make it work. I just setup an exit node on the PI in my room through the same network and now I can use tailscale 😂

thats funny

idk if that's a great workaround because now all of your internet traffic is going to be routed through your PI and will probably degrade performance lol. better to add win.webContents.setWebRTCIPHandlingPolicy("default_public_interface_only"); to your own build of vesktop as mentioned above if you're comfortable doing so.

but i mean it works

yeah probably not the best idea. im assuming an actual fix will be put out soon though right?

idk im not affiliated with vesktop or tailscale lol

i guess we have enough to open an issue somewhere

My only hesitation here is if would prevent or even trigger a leak if the user were trying to tunnel through a VPN

same issue on my end. Infinite DTLS connecting if I try to connect to VC through Vesktop

• It DOES work if I open it in a VPN first, but otherwise it hangs
• I tested the official app, and browser; and each of those work
• OS is Manjaro on my Desktop. I don't have the same issue on my laptop but settings are pretty similar so I dunno what to check for that.
• Don't have Tailscale or Docker installed and dunno what other packages could break it (Dockers even installed on my laptop without isue)
• Tried from Flatpak, standalone, and the AUR and none of em made a difference

i wonder if its an issue with dns maybe? i forget if thats been discussed before

When looking at wireshark it's got packets going out to the discord STUN server on both interfaces but the tailscale interface doesn't get a response back. Almost like it doesn't have a config to give up on no response

yeah that's what i noticed

I also have adguard to

sooooo

Been poking around more just to compare the difference between the official discord and vesktop and I've also noticed that at least for me, when inspecing the websocket used to start the voice connection vesktop offfers webrtc while discord actually just says "udp". In the UDP message I see my public IP and a port sent to the server while thats missing for webrtc...
edit: this is when I set the default_public_interface_only I don't even get so far without that.

Disabling tailscale I get the same behavior actually. Vesktop uses webrtc and discord is udp

yeah, issue present with tailscale off now

I can connect with tailscale still, just saw its actually using a different protocol according to their own websocket messages

I've been having this issue for a while and can cofirm bringing tailscale down lets me connect. It happeend to me on my machine when I was opensuse and now on debian

got this today myself, booted up mullvad vpn and turned it on, instantly fixed the issue

seems really dumb how that fixes it, but whatever

Like you have tailscale, it's still up and you add mullvad as an exit from your tailnet to fix it or what?

nope

dont have tailscale

only have docker

just had the issue

came here

someone said VPN

so i turned on vpn

and it fixed it

also having this issue without tailscale installed, some regions also always work for me which is strange (US South, for example)

US south worked for me too for audio, but not for screen sharing strangely

I tested making this fix as a plugin last night and it worked out ok. I’ll request the plugin and volunteer to submit it tonight.

And see what they say

Is the relevant code available at this time?

you just need win.webContents.setWebRTCIPHandlingPolicy("default_public_interface_only"); somewhere. I just got a timeout for responding with more. Not sure why.
you can put it in createMainWindow in vesktop.

The zip was automodded

If possible I'd like to request or contribute this being either a plugin or setting so its easy enough to just toggle for the people effected here. But I see plugin submissions are closed. Would this be a setting that could be added?