Key expiration question

chudak

Hello
I was under the impression that the "Expire disabled" option in my TaleScale settings (via the website) would mean that I don't need to update anything.
However, it seems that my PFS setup wants a new key every 90 days.

Is there a way to avoid this?

Someone knowledgeable please clarify.
TIA

patient0

@chudak said in Key expiration question:

However, it seems that my PFS setup wants a new key every 90 days.

Does Tailscale send you a reminder that the key is expiring? I don't use Tailscale with pfSense daily (sometimes disabled), "Expire disabled" does work for all the devices I set it (OpenWrt, Gl.inet/OpenWrt, pfSense, Android).

Does the 'Expire disabled' work for other devices?

I just enabled Tailscale on pfSense again, after many moons, all good:

chudak

@patient0 said in Key expiration question:

@chudak said in Key expiration question:

However, it seems that my PFS setup wants a new key every 90 days.

Does Tailscale send you a reminder that the key is expiring? I don't use Tailscale with pfSense daily (sometimes disabled), "Expire disabled" does work for all the devices I set it (OpenWrt, Gl.inet/OpenWrt, pfSense, Android).

Does the 'Expire disabled' work for other devices?

I just enabled Tailscale on pfSense again, after many moons, all good:

I don’t recall getting any emails from TS
My PFS stopped connecting and that’s it ‍️

chudak

From TS support

"I’m Kelly from the Tailscale support team. Thanks for reaching out! This is a common point of confusion- Even with the “Key Expiry: Disabled” option selected in the Tailscale web UI, that only applies to machines authenticated via the web login.

You need to generate a Reusable, Ephemeral = false, Pre-Auth Key via the Tailscale admin panel, and use that on the pfsense."