tailscale: ssh X11 forwarding doesn't work

What is the issue?

I have two existing machines where X11 forwarding over ssh is working (without tailscale enabled at all). After installing tailscale and enabling tailscale ssh, attempting to use the same workflow, X11 forwarding no longer works.

Steps to reproduce

$ ssh -X host
X11 forwarding request failed on channel 0

Are there any recent changes that introduced the issue?

No response

OS

Linux

OS version

nixos unstable

Tailscale version

1.28.0

Bug report

BUG-1fbfdf798d35403dafe07fe51ffc616e6a1bb362e39d27608cd037d2dc6eda8b-20220724222054Z-7b30aeacf093624b

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 18
  • Comments: 22 (4 by maintainers)

Most upvoted comments

Unfortunately this still doesn’t work. I’ve tried with Win10 Enterprise and the X410 X server trying to connect to ubuntu 22.04 / tailscale 1.46. No DISPLAY variable is passed through to the tailnode.

Just discovered a trick and it works for me with this workaround!

# ~/.ssh/config

# assuming you have something like this
Host *
  # if not make sure to add these lines to others below too
  ForwardAgent yes
  ForwardX11 yes

# method 1 - a typical direct enough way to connect - doesn't require sshd service running at all (assuming tailscale is servicing SSH for that machine)
Host alias
  # connecting SSH via tailscale, X11 forwarding would not work
  Hostname name-on-tailscale
  # thanks to tailscale, no need to type user's password nor saving public key on the remote machine
  User your-user
  # @name-on-tailscale

# method 2 - this requires a separate sshd service running (nothing to do with tailscale) as well as the running tailscale servicing SSH
Host alias-via-self
  # Hostname localhost # this would work but mess with `~/.ssh/known_hosts`
  # but pretty much same as above
  # Hostname [other.ip.or.domain-name.other.than.localhost.but.pointing.to.same.machine]
  # this resolves to 127.0.0.1 and is "namespaced" according to your naming to avoid messing up `~/.ssh/known_hosts`
  Hostname name-on-tailscale.ts.127.0.0.1.nip.io
  # visit https://nip.io/ to learn more, if you are not familiar with it

  # you might have to enter password unless
  # your public key is saved at the remote machine's `~/.ssh/authorized_keys`
  User your-user
  # this is the essence of the trick
  ProxyJump alias
  # you might do below instead if you don't need `alias` at all
  # ProxyJump your-user@name-on-tailscale

# connect with method 2
$ ssh alias-via-self
# You are now being served by the "typical" sshd (probably via openssh's)
# while tailscale is proxying (being a bastion host)

$ printenv DISPLAY
localhost:11.0 # voila!

# perhaps try this too if you want to verify even further
$ which xeyes && xeyes
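
A narrower variant of the workaround above, as an added example that is not part of the original comment or of Tailscale's own documentation: forwarding is requested only for the one host that needs it, and the standard `HostKeyAlias` option replaces the nip.io name so the loopback hop does not depend on an external DNS name. The host names are the comment's placeholders, and the `HostKeyAlias` value is an assumed placeholder.

```sshconfig
# Added example. ssh_config uses the first value obtained for each option,
# so host-specific blocks go first and the catch-all goes last.

# Jump host: Tailscale SSH. No forwarding is requested on this hop.
Host alias
  Hostname name-on-tailscale
  User your-user
  ForwardAgent no
  ForwardX11 no

# Final hop: the machine's own sshd, reached through the jump host.
Host alias-via-self
  # With ProxyJump the name is resolved on the jump host,
  # so "localhost" is that machine's loopback interface.
  Hostname localhost
  # Store and check the host key under its own name in known_hosts
  # instead of under "localhost" (assumed placeholder value).
  HostKeyAlias name-on-tailscale-sshd
  User your-user
  ProxyJump alias
  # X11 forwarding only where it is needed; agent forwarding stays off.
  ForwardX11 yes
  ForwardAgent no

# Catch-all defaults: forwarding stays off for every other host.
Host *
  ForwardAgent no
  ForwardX11 no
```

`ssh -G alias-via-self` prints the options ssh will actually use for that host, which confirms the block order took effect.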

Also getting the X11 forwarding request failed on channel 0 error on MacM1 to Ubuntu