Preflight checks
Problem or motivation
Problem. On Linux, with the firewall (kill-switch) On, traffic to a coexisting VPN's
interface is dropped. Concrete case: my Tailscale tailnet (tailscale0, 100.64.0.0/10)
is unreachable while Windscribe is connected — can't git push / SSH to a self-hosted peer.
Routing is fine on its own (the peer resolves to dev tailscale0, and tailscale ping
works with the firewall On, so the encrypted underlay isn't what's blocked). The kill-switch
drops the originating app's packet into tailscale0, since it only permits output via
lo, tun0, and bypass-cgroup traffic.
Split tunneling doesn't fix it. Excluding the tailscaled daemon only frees the
underlay (already working) — confirmed its PID enters the bypass net_cls cgroup and the
bypass route is installed, yet normal apps' packets to tailscale0 are still dropped.
Making it work would need every tailnet app (git, ssh, ping, …) in the bypass cgroup.
There's no way to just trust the interface.
Proposed solution
Let the kill-switch whitelist a user-specified interface (tailscale0)
or CIDR (100.64.0.0/10) — like "Allow LAN traffic" but arbitrary. General mechanism;
also covers other coexisting VPNs and self-hosted/LAN services, with Tailscale the most
common case.
Alternatives considered
app split tunneling (fails, above); firewall off (works but kills leak
protection); manual nftables/routes (Windscribe rewrites them on reconnect).
Which platforms should this apply to?
Linux (GUI)
Additional context
Windscribe desktop/CLI, Linux (Ubuntu 24.04), firewall On, OpenVPN UDP; Tailscale
alongside (tailscale0, 100.64.0.0/10).
Preflight checks
Problem or motivation
Problem. On Linux, with the firewall (kill-switch) On, traffic to a coexisting VPN's
interface is dropped. Concrete case: my Tailscale tailnet (
tailscale0,100.64.0.0/10)is unreachable while Windscribe is connected — can't git push / SSH to a self-hosted peer.
Routing is fine on its own (the peer resolves to
dev tailscale0, andtailscale pingworks with the firewall On, so the encrypted underlay isn't what's blocked). The kill-switch
drops the originating app's packet into
tailscale0, since it only permits output vialo,tun0, and bypass-cgroup traffic.Split tunneling doesn't fix it. Excluding the
tailscaleddaemon only frees theunderlay (already working) — confirmed its PID enters the bypass
net_clscgroup and thebypass route is installed, yet normal apps' packets to
tailscale0are still dropped.Making it work would need every tailnet app (git, ssh, ping, …) in the bypass cgroup.
There's no way to just trust the interface.
Proposed solution
Let the kill-switch whitelist a user-specified interface (
tailscale0)or CIDR (
100.64.0.0/10) — like "Allow LAN traffic" but arbitrary. General mechanism;also covers other coexisting VPNs and self-hosted/LAN services, with Tailscale the most
common case.
Alternatives considered
app split tunneling (fails, above);
firewall off(works but kills leakprotection); manual nftables/routes (Windscribe rewrites them on reconnect).
Which platforms should this apply to?
Linux (GUI)
Additional context
Windscribe desktop/CLI, Linux (Ubuntu 24.04), firewall On, OpenVPN UDP; Tailscale
alongside (
tailscale0,100.64.0.0/10).