Tater logo Tater Tunnel
Troubleshooting

Follow the path one hop at a time.

Most tunnel issues are one of four things: pairing, VPS firewall, WireGuard handshake, or a route target that needs a base URL/WebSocket tweak.

Pairing says disabled

That is normal after the VPS is claimed. Pairing mode should turn off so random new Home Agents cannot claim the VPS.

Expected after claim

Phone internet IP is not the VPS

The current profile is for tunnel access to Tater routes, not always-full internet egress. Test 10.88.0.1 routes instead.

Split tunnel

No WireGuard handshake

Confirm UDP 51888 is open on the VPS firewall and cloud firewall, then check sudo wg show tater0.

Firewall first

Blank route page

Test the local target from the Home Agent machine. Then enable WebSockets or set the app's own base/public URL if it hard-codes assets.

Route health
Quick checks

Run the smallest possible test for each hop.

Health checks 
curl -fsS https://tunnel.example.com/api/health
sudo wg show tater0
curl -fsS http://10.88.0.1:4174/api/health
curl -fsS http://10.88.0.1:4174/relay/api/state
VPS service 
sudo systemctl status tater-tunnel-vps
sudo journalctl -u tater-tunnel-vps -f
sudo systemctl restart tater-tunnel-vps
Route debug pattern

Use the Home Agent route test before trying the phone.

  1. Confirm the Home Agent UI shows the VPS as claimed and connected.
  2. Open the local target from the Home Agent machine.
  3. Use the route Test button in Access Routes.
  4. Connect the phone to WireGuard and open the displayed Use URL.
  5. If the page partially loads, enable WebSockets or configure that app's public/base URL.