[Bug] autoApprove does not work from start #1005

Closed
opened 2025-12-29 02:27:23 +01:00 by adam · 1 comment
Owner

Originally created by @spymobilfon on GitHub (Apr 24, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hello!
Sorry to bother, but I think this fix did not help: 2506 (https://github.com/juanfont/headscale/pull/2506)

I was running Tailscale v1.82.5 on a Linux instance and Headscale, which was built from the main branch (commit 9a4d0e1a99), as a controller on Linux as well.

My workaround for auto-approve looks like the one in this issue, 2485 (https://github.com/juanfont/headscale/issues/2485):

the tailscale client was started with --advertise-exit-node
then it was started without (--advertise-exit-node=false)
then it was started again with --advertise-exit-node

On the first run the routes list looks like this:

ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   |                 | 0.0.0.0/0, ::/0 |

Without advertising the exit node:

ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   |                 |                 |

Again with advertising the exit node:

ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0

Expected Behavior

Have the routes auto-enabled from the start:

ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0

Steps To Reproduce

config

---
server_url: https://hs.example.org
listen_addr: 127.0.0.1:8080
metrics_listen_addr: 127.0.0.1:9090
grpc_listen_addr: 127.0.0.1:50443
grpc_allow_insecure: false

noise:
  private_key_path: /var/lib/headscale/noise_private.key

prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48
  allocation: sequential

derp:
  server:
    enabled: false
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    stun_listen_addr: "0.0.0.0:3478"
    private_key_path: /var/lib/headscale/derp_server_private.key
    automatically_add_embedded_derp_region: true
    ipv4: 1.2.3.4
    ipv6: 2001:db8::1
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  paths: []
  auto_update_enabled: true
  update_frequency: 24h

disable_check_updates: true
ephemeral_node_inactivity_timeout: 30m

database:
  type: postgres
  gorm:
    prepare_stmt: true
    parameterized_queries: true
    skip_err_record_not_found: true
    slow_threshold: 1000

  postgres:
    host: localhost
    port: 5432
    name: headscale
    user: headscale
    pass: xxxxxxxxxx
    max_open_conns: 10
    max_idle_conns: 10
    conn_max_idle_time_secs: 3600

acme_url: https://acme-v02.api.letsencrypt.org/directory
acme_email: admin@example.org

tls_letsencrypt_hostname: ""
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
tls_cert_path: ""
tls_key_path: ""

log:
  format: text
  level: debug

policy:
  mode: file
  path: /etc/headscale/acl.hujson

dns:
  magic_dns: false
  base_domain: vpn

  nameservers:
    global:
      - 1.1.1.1
    split:
      {}
  search_domains: []
  extra_records: []

unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"

oidc:
  only_start_if_oidc_is_available: true
  issuer: https://issuer.example.org
  client_id: headscale
  client_secret: xxxxxxxxxx
  expiry: 1d
  use_expiry_from_token: false
  scope: ["openid", "profile", "email"]
  allowed_domains:
    - example.org

logtail:
  enabled: false

randomize_client_port: false

policy

{
  "groups": {
    "group:exit-nodes": [
      "exit-node"
    ]
  },
  "tagOwners": {
    "tag:exit-nodes": [
      "group:exit-nodes"
    ]
  },
  "autoApprovers": {
    "routes": {},
    "exitNode": [
      "tag:exit-nodes"
    ]
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "*"
      ],
      "dst": [
        "group:exit-nodes:0",
        "autogroup:internet:*"
      ]
    }
  ]
}

tailscale

tailscale up --login-server https://hs.example.org --hostname=exit-node --advertise-exit-node --accept-routes=false --accept-dns --snat-subnet-routes --advertise-tags=tag:exit-nodes

Environment

- OS: Ubuntu 24.04
- Headscale version: main branch (commit 9a4d0e1a99a5020d6198cf6751de89ff0b595792)
- Tailscale version: v1.82.5

Runtime environment

  • [x] Headscale is behind a (reverse) proxy
  • [ ] Headscale runs in a container

Debug information

Route management is not logged, only these debug messages:

Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG Expanding alias=group:exit-nodes
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG Expanding alias=group:exit-nodes
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: message repeated 2 times: [ 2025-04-24T17:35:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]]
Apr 24 17:35:33 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:33Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=group:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=group:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=tag:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=tag:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: message repeated 2 times: [ 2025-04-24T17:37:24Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]]
Apr 24 17:37:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
adam added the bug, well described ❤️ labels 2025-12-29 02:27:23 +01:00
adam closed this issue 2025-12-29 02:27:23 +01:00
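To check what the quoted policy should have done on the first run, here is an added example (not Headscale's code; a simplified approximation of its approver matching written for this page) that evaluates the autoApprovers section against a node's user and advertised tags, parses the route table quoted in the report, and lists available routes that should already be approved. The node's user name is not stated in the report and is passed in as an assumption; the subnet-route branch generalises beyond the report's exit-node case.

```python
import ipaddress, json
# Relevant parts of the policy quoted in the bug report (plain JSON here).
POLICY = json.loads("""{
  "groups": {"group:exit-nodes": ["exit-node"]},
  "autoApprovers": {"routes": {}, "exitNode": ["tag:exit-nodes"]}
}""")
EXIT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}
# Route table from the report's first run (constructed copy of the quoted output).
FIRST_RUN = """ID   | Hostname  | Approved | Available       | Serving (Primary)
2412 | exit-node |          | 0.0.0.0/0, ::/0 |"""

def expand_alias(policy, alias):
    # Groups resolve to members; user names and tag:... strings stand for themselves.
    if alias.startswith("group:"):
        return set(policy.get("groups", {}).get(alias, []))
    return {alias}

def node_matches(policy, approvers, user, tags):
    principals = set().union(*(expand_alias(policy, a) for a in approvers))
    return user in principals or bool(principals & set(tags))

def expected_approved(policy, user, tags, advertised):
    """Routes the autoApprovers section says need no manual approval."""
    aa, approved = policy.get("autoApprovers", {}), set()
    for route in advertised:
        net = ipaddress.ip_network(route)
        if net in EXIT_ROUTES:  # 0.0.0.0/0 and ::/0 are governed by "exitNode"
            if node_matches(policy, aa.get("exitNode", []), user, tags):
                approved.add(str(net))
            continue
        for prefix, approvers in aa.get("routes", {}).items():  # subnet routes
            pn = ipaddress.ip_network(prefix)
            if (pn.version == net.version and net.subnet_of(pn)
                    and node_matches(policy, approvers, user, tags)):
                approved.add(str(net))
    return approved

def parse_routes_table(text):
    # Pipe-separated table -> {hostname: (approved set, available set)}
    rows = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        cols = [c.strip() for c in line.split("|")]
        rows[cols[1]] = tuple({r.strip() for r in c.split(",") if r.strip()} for c in cols[2:4])
    return rows

def unapproved_drift(policy, table, user, tags):
    """Hosts whose available routes should have been auto-approved but are not."""
    drift = {}
    for host, (approved, available) in table.items():
        missing = expected_approved(policy, user, tags, available) - approved
        if missing:
            drift[host] = sorted(missing)
    return drift
```

Run against the first-run table it reports exit-node with both default routes missing from Approved, which is exactly the symptom in the report; against the third-run table it reports nothing.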
Author
Owner

@nblock commented on GitHub (Apr 24, 2025):

Thx for your report, a fix is in the works: https://github.com/juanfont/headscale/pull/2528

Reference: starred/headscale#1005