https://bugs.kde.org/show_bug.cgi?id=515707
Bug ID: 515707
Summary: KDE Connect 1.35.x fails TLS handshake over Tailscale
VPN — regression from 1.34.4
Classification: Applications
Product: kdeconnect
Version First Reported In: unspecified
Platform: Android
OS: Android 14.x
Status: REPORTED
Severity: major
Priority: NOR
Component: android-application
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
SUMMARY
STEPS TO REPRODUCE
1. Set up a Tailscale network with the desktop configured as an exit node
2. Configure firewall to allow KDE Connect ports 1714-1764 TCP/UDP on the
Tailscale interface
3. Install KDE Connect 1.35.1 or 1.35.2 on Android phone
4. Install KDE Connect (kdeconnectd 25.12.1) on desktop
5. Connect both devices to the same LAN
6. Pair devices over LAN — pairing succeeds, all plugins load
7. Disconnect phone from LAN WiFi
8. Enable Tailscale on the phone, using the desktop as the exit node
9. Verify Tailscale connectivity: ping desktop Tailscale IP
10. Verify other services work over Tailscale: VNC on port 5900 connects fine
11. Open KDE Connect on phone, refresh device list
12. Manually add desktop's Tailscale IP (100.x.x.x) in KDE Connect on phone
13. Phone shows ping succeeds but no device connection is established
14. tcpdump on desktop shows: UDP identity packet arrives, TCP three-way
handshake completes, phone sends RST during TLS negotiation
15. Revert phone to KDE Connect 1.34.4 — repeat steps 7-12, connection works
immediately over Tailscale
OBSERVED RESULT
Phone sends UDP identity packet (received by desktop). Desktop initiates TCP
connection back to phone (three-way handshake completes). During TLS
negotiation, phone sends TCP RST, killing the connection. Devices never connect
over Tailscale. Even manually adding the desktop's Tailscale IP on the phone
shows a successful ping but no KDE Connect connection.
EXPECTED RESULT
Devices connect over Tailscale as they did on version 1.34.4.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 43
KDE Plasma Version: 6.5.5
KDE Frameworks Version: 6.22.0
Qt Version: 6.10.1
Phone: Samsung S21 Ultra, Android 14, KDE Connect 1.35.1 / 1.35.2
Tailscale: forced DERP relay
ADDITIONAL INFORMATION
VNC (port 5900) works perfectly over the same Tailscale tunnel, so the network
path itself is fine.
Firewall ports 1714-1764 TCP/UDP confirmed open on tailscale and trusted zones.
tcpdump on desktop confirms: UDP identity packets arrive, TCP handshake
completes, phone sends RST during TLS.
Desktop debug log (QT_LOGGING_RULES="kdeconnect.*=true") shows: "TCP connection
done (I'm the existing device)" then "Starting server ssl (I'm the client TCP
socket)" — nothing after that.
Reverting to KDE Connect Android 1.34.4 fixes it right away. Pairing on LAN and
then roaming to Tailscale works perfectly on 1.34.4.
Issue reproduces on both 1.35.1 and 1.35.2.
This appears to be the Android app rejecting TLS connections arriving on VPN
interfaces.
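Added example, not part of the original report or of KDE Connect: a small triage script that reads `tcpdump -n` text output and, for each TCP flow on ports 1714-1764, reports which endpoint sent the first RST, whether the three-way handshake had completed, and how many payload bytes each side had sent by then. It assumes tcpdump's default one-line TCP format; the sample capture, addresses and sizes are constructed.

```python
import re
from collections import defaultdict

KDECONNECT_PORTS = range(1714, 1765)  # 1714-1764, the range named in the report
TCP_LINE = re.compile(
    r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)")

# Constructed sample (not from the report): addresses, ports and sizes are made up.
SAMPLE = """\
10:15:01.100000 IP 100.64.0.2.1716 > 100.64.0.1.1716: UDP, length 420
10:15:01.130000 IP 100.64.0.1.51000 > 100.64.0.2.1716: Flags [S], seq 1000, win 64240, length 0
10:15:01.180000 IP 100.64.0.2.1716 > 100.64.0.1.51000: Flags [S.], seq 2000, ack 1001, win 65535, length 0
10:15:01.181000 IP 100.64.0.1.51000 > 100.64.0.2.1716: Flags [.], ack 1, win 502, length 0
10:15:01.182000 IP 100.64.0.1.51000 > 100.64.0.2.1716: Flags [P.], seq 1:401, ack 1, win 502, length 400
10:15:01.240000 IP 100.64.0.2.1716 > 100.64.0.1.51000: Flags [R], seq 2001, win 0, length 0
""".splitlines()

def find_resets(lines):
    """Summarise every TCP flow on a KDE Connect port that ended in a RST."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "established": False,
                                 "sent": defaultdict(int), "reset_by": None})
    for line in lines:
        m = TCP_LINE.search(line)
        if not m:
            continue  # UDP discovery packets and anything that is not TCP
        src, sport, dst, dport, flags, length = m.groups()
        if int(sport) not in KDECONNECT_PORTS and int(dport) not in KDECONNECT_PORTS:
            continue
        sender = f"{src}:{sport}"
        flow = flows[frozenset((sender, f"{dst}:{dport}"))]
        if flow["reset_by"]:
            continue  # only the first RST of a flow matters
        if "R" in flags:
            flow["reset_by"] = sender
        elif flags == "S":
            flow["syn"] = True
        elif flags == "S.":
            flow["synack"] = flow["syn"]
        elif flow["synack"]:
            flow["established"] = True  # any segment after SYN/SYN-ACK completes the handshake
            flow["sent"][sender] += int(length)
    return [{"reset_by": f["reset_by"], "established": f["established"],
             "bytes_sent": dict(f["sent"])}
            for f in flows.values() if f["reset_by"]]

if __name__ == "__main__":
    for hit in find_resets(SAMPLE):
        print(hit)
```

A result with `established` set to `True` separates a reset sent by the peer application after the connection was accepted from a closed or filtered port, where the RST answers the SYN directly and `established` stays `False`.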