How to use GUI over Tailscale ssh on Arch with KDE plasma wayland?

I use tailscale ssh for the security (so no waypipe), and now I need to run a GUI remotely. I’m reading about ssh -Y or -X, but I get errors, and I’m not sure if they’re failing due to the fact I’m using wayland or incorrect settings. On the client computer I edited /etc/ssh/ssh_config to include:

ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
XauthLocation /usr/bin/xauth

To the end of .bashrc I added

export DISPLAY=localhost:0

On the host computer I added the settings below in sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no

when I run tailscale ssh [user]@[host] -Y I get the following warning and error:

Warning: No xauth data; using fake authentication data for X11 forwarding
X11 forwarding request failed on channel 0

since the ssh CLI is still successful I try another command

XAUTHORITY=/run/user/1000/gdm/Xauthority DISPLAY=:0 [program]
Authorization required, but no authorization protocol specified

qt.qpa.xcb: could not connect to display :0
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: eglfs, linuxfb, minimal, minimalegl, offscreen, vnc, wayland-egl, wayland, wayland-xcomposite-egl, wayland-xcomposite-glx, xcb.

Aborted (core dumped)

both computers have xorg-xauth installed. I think xhost shouldn’t be used because it would allow local attacks?

Input appreciated!

Well, I didn’t touch X11UseLocalhost (it’s commented out - but effectively the same as setting it to no?) and then I restarted the sshd daemon.

I had issues with -Y but not -X

I use openssh.. I’m not familiar with tailscale but it should be able to negotiate vanilla ssh one would think.

you might try removing the

export DISPLAY=localhost:0

and just leave it as :0

I guess /etc/hosts has to be readable as well:

chmod 644 /etc/hosts

I removed the export and chmod’d, no dice.

From here (I can’t include links) superuser .com /questions/1817634/how-to-start-a-wayland-application-from-the-linux-console I found these which supposedly could run them in a session

tr '\0' '\n' < /proc/$(pgrep -u $(id -u) -n plasmashell)/environ | grep -E 'WAYLAND_DISPLAY|XDG_RUNTIME_DIR|DBUS_SESSION_BUS_ADDRESS'

which claimed with the below variables

XDG_RUNTIME_DIR=/run/user/1000
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
WAYLAND_DISPLAY=wayland-0

I could run a process

XDG_RUNTIME_DIR=/run/user/1000 WAYLAND_DISPLAY=wayland-0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus [app]

but it just didn’t return anything.

then I found this stackoverflow. com/questions/31213773/how-to-start-gnome-wayland-session-from-command-line-tty where they were launching a session so I thought I might be able to trim that back to just a gui program

$ sudo MOZ_ENABLE_WAYLAND=1 QT_QPA_PLATFORM=wayland XDG_SESSION_TYPE=wayland [app]

again no response, I thought maybe I’d try the previous posts’ command but with the wayland display

XAUTHORITY=/run/user/1000/gdm/Xauthority WAYLAND_DISPLAY=wayland-0  [app]

surprise, no response

I also followed this stackoverflow .com/questions/38961495/x11-forwarding-request-failed-on-channel-0 and added the family_address inet, but when I went to restart sshd with systemctl restart sshd I was surprised to get

 sshd.service: Unit cannot be reloaded because it is inactive.

could tailscale have its own ssh config and that’s why my edits were ineffective?
I went to try

tailscale ssh [user]@[host] -o ForwardX11=yes -v -Y

but realized it wouldn’t help on the server side? It only seems to have keys though


it seems the sshd.service was a fluke though, it ran just fine when I exited and came back.

I don’t know tailscale (I’d be surprised if it were much more than a standard ssh client as far as its ssh features), and, ssh requires client and server.. so, if there’s no sshd (or equivalent) then there’s no connection.

To restart sshd when it’s in the inactive state:

systemctl enable sshd
systemctl start sshd

Sometimes there could be socket issues and you’d have to disable and stop sshd.socket first. But, I don’t think this was an issue in your case.. maybe.

Regardless, seems like you’re all set though? Great. 🙂 Give yourself a “solved”..

ope, miscommunication. I meant that the sshd restarted just fine, I think tailscale is doing its own thing though, because I can tailscale ssh in and systemctl status sshd reports

$ systemctl status sshd
○ sshd.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; preset: disabled)
     Active: inactive (dead)

sshd is dead according to your status… On the host this definitely has to be changed. i.e. status should return something like:

● ssh.service - OpenSSH Daemon
     Loaded: loaded (/usr/lib/systemd/system/ssh.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-06-13 09:04:50 EDT; 8h ago

On the client you only need ssh (i.e. tailscale)

Also, on the host, you might try:

sudo journalctl -b 0 -u sshd

# or

sudo journalctl -b 0 -u ssh

This is just to check the log for ssh related error messages since the most recent boot (-b 0)

Note: (-u ssh or -u sshd) depends on your OS (e.g. sshd for some versions of systemd, ssh for others). Technically, -u can be used to specify a unit OR pattern according to the man page.

I think it does NOT need to be changed, because tailscale ssh was still working without sshd. I think I need to find a way to edit tailscale’s config specifically, but they only seem to have keys in their folder.

Yes, after reading a bit about tailscale. It can be both server and client. The public docs are a little ambiguous about whether there has to be a tailscale server running on a host to provide ssh (or ssh-like?) connectivity.

It has quite a few degrees of freedom according to the docs. e.g. the docs claim it can be combined with sshd, but, then it says something about still requiring a tailscale server, which makes no practical sense to me. However, boilerplate docs and official user docs are two different things.

Ok, I defer.. Good luck
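
Added example, not part of the thread and not Tailscale or OpenSSH code: a small audit of the OpenSSH forwarding options posted above, reporting which ones apply to every host and why each widens exposure. The host alias `myhost` and the scoped config are constructed for illustration; the checker only reads OpenSSH config text, and whether Tailscale SSH consults these files is the question the thread leaves open.

```python
import re

# Options from the thread, value worth flagging, and why (per ssh_config(5) / sshd_config(5)).
RISKY = {
    "forwardagent": ("yes", "remote side can use your agent's keys during the session"),
    "forwardx11trusted": ("yes", "remote X11 clients get full access to the local display"),
    "x11uselocalhost": ("no", "forwarded X11 listener binds to the wildcard address"),
}

def parse(text):
    """Yield (lineno, scope, keyword, value); scope is the Host/Match pattern or '*' if global."""
    scope = "*"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()                     # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword in ("host", "match"):
            scope = value
            continue
        yield lineno, scope, keyword, value

def audit(text):
    """Return (lineno, scope, keyword, reason) for each flagged setting."""
    findings = []
    for lineno, scope, keyword, value in parse(text):
        flagged = RISKY.get(keyword)
        if flagged and value.lower() == flagged[0]:
            findings.append((lineno, scope, keyword, flagged[1]))
    return findings

CLIENT_FROM_THREAD = """ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
XauthLocation /usr/bin/xauth
"""
SERVER_FROM_THREAD = """X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost no
"""
# Constructed alternative: forwarding limited to one hypothetical host alias.
CLIENT_SCOPED = """Host myhost
    ForwardX11 yes
    ForwardX11Trusted no
"""

if __name__ == "__main__":
    print(audit(CLIENT_FROM_THREAD) + audit(SERVER_FROM_THREAD))
```

A scope of `*` in a finding means the option sits outside any Host block and so applies to every connection made with that config.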