[Bug] Auto approve routes broken for tags #1054

New Issue

adam · 2025-12-29T02:27:59+01:00

adam commented

2025-12-29 02:27:59 +01:00

Originally created by @paragor on GitHub (Jul 3, 2025).

Is this a support request?

This is not a support request

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

ACL for autoApprove routes currently broken (and accept policy too actually, but i have good case for approveRoute).
Right now Headscale doesn't approve routes via acl's when tags are used.
And on engine v1 all works as expected.

Expected Behavior

Headscale approve routes via ACL policy.

Steps To Reproduce

Just go to 37dc0dad35/hscontrol/policy/route_approval_test.go (L147)
text of test

		{
			name:  "multiple-routes-in-policy",
			node:  normalNode,
			route: p("172.16.10.0/24"),
			policy: `{
				"tagOwners": {
					"tag:router": ["user3@"]
				},
				"groups": {
					"group:admin": ["user1@"]
				},
				"acls": [
					{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]}
				],
				"autoApprovers": {
					"routes": {
						"192.168.0.0/16": ["group:admin"],
						"172.16.0.0/12": ["group:admin"],
						"10.0.0.0/8": ["tag:router"]
					}
				}
			}`,
			canApprove: true,
		},

and change

route: p("172.16.10.0/24") 
->
route: p("10.0.0.0/8"),

test will fail, but should pass

Environment

- Headscale version: v0.26.1

Runtime environment

Headscale is behind a (reverse) proxy
Headscale runs in a container

Debug information

Originally created by @paragor on GitHub (Jul 3, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior ACL for autoApprove routes currently broken (and accept policy too actually, but i have good case for approveRoute). Right now Headscale doesn't approve routes via acl's when tags are used. And on engine v1 all works as expected. ### Expected Behavior Headscale approve routes via ACL policy. ### Steps To Reproduce Just go to https://github.com/juanfont/headscale/blob/37dc0dad3532ef3310e7cf32597b763d84b512ef/hscontrol/policy/route_approval_test.go#L147 text of test ``` { name: "multiple-routes-in-policy", node: normalNode, route: p("172.16.10.0/24"), policy: `{ "tagOwners": { "tag:router": ["user3@"] }, "groups": { "group:admin": ["user1@"] }, "acls": [ {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]} ], "autoApprovers": { "routes": { "192.168.0.0/16": ["group:admin"], "172.16.0.0/12": ["group:admin"], "10.0.0.0/8": ["tag:router"] } } }`, canApprove: true, }, ``` and change ``` route: p("172.16.10.0/24") -> route: p("10.0.0.0/8"), ``` test will fail, but should pass ### Environment ```markdown - Headscale version: v0.26.1 ``` ### Runtime environment - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Debug information -

adam added the bug label 2025-12-29 02:27:59 +01:00

adam closed this issue

2025-12-29 02:27:59 +01:00

adam commented

2025-12-29 02:27:59 +01:00

@mathieuruellan commented on GitHub (Oct 3, 2025):

Hello, Any news about this issue? Is it confirmed? Is there a workaround?
What should be the rule for a router with multi subnet? One string with subnet with coma seperator, or multi json attributes in the "routes" object (including 0.0.0.0/0)

My current issue:
the exit node advertises with the tag exitnode and the preauthkey has also a tag exitnode set.

Acl is

"autoApprovers": {
    "routes": {
      "0.0.0.0/0": ["tag:exitnode"],
      "::/0": ["tag:exitnode"],
      "192.168.0.0/16": ["tag:exitnode"], 
      "xxx:xx:xxx:xxxx::/64": ["tag:exitnode"]
    }  
  }

The 0.0.0.0/0 and ::/0 are not auto approved, but 192. and ipv6 - private networks are.
Here is the result on new exit node :

ID | Hostname     | Approved                                             | Available                                            | Serving (Primary)                                       
32 | exit-node-sg | 192.168.0.0/16, xx:xx:xxx:xxxx::/64                  | 0.0.0.0/0, 192.168.0.0/16, ::/0, xx:xx:xxx:xxxx::/64 |

@mathieuruellan commented on GitHub (Oct 3, 2025): Hello, Any news about this issue? Is it confirmed? Is there a workaround? What should be the rule for a router with multi subnet? One string with subnet with coma seperator, or multi json attributes in the "routes" object (including 0.0.0.0/0) My current issue: the exit node advertises with the tag exitnode and the preauthkey has also a tag exitnode set. Acl is ``` "autoApprovers": { "routes": { "0.0.0.0/0": ["tag:exitnode"], "::/0": ["tag:exitnode"], "192.168.0.0/16": ["tag:exitnode"], "xxx:xx:xxx:xxxx::/64": ["tag:exitnode"] } } ``` The 0.0.0.0/0 and ::/0 are not auto approved, but 192. and ipv6 - private networks are. Here is the result on new exit node : ``` ID | Hostname | Approved | Available | Serving (Primary) 32 | exit-node-sg | 192.168.0.0/16, xx:xx:xxx:xxxx::/64 | 0.0.0.0/0, 192.168.0.0/16, ::/0, xx:xx:xxx:xxxx::/64 | ```

adam commented

2025-12-29 02:27:59 +01:00

@nblock commented on GitHub (Oct 9, 2025):

Any news about this issue?

I cannot reproduce this on 0.26.1. The following works in my tests (tested with the linked docs):

Also the combination of both worked with this policy:

{
  "tagOwners": {
    "tag:exit": [
      "alice@"
    ],
    "tag:router": [
      "alice@"
    ]
  },
  "autoApprovers": {
    "exitNode": [
      "tag:exit"
    ],
    "routes": {
      "192.168.0.0/24": [
        "tag:router"
      ]
    }
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "*"
      ],
      "dst": [
        "*:*"
      ]
    }
  ]
}

Client: tailscale up --login-server https://headscale.example.com --advertise-tags tag:exit,tag:router --advertise-exit-node --advertise-routes 192.168.0.0/24

Headscale:

$ headscale node list-routes
ID | Hostname | Approved                        | Available                       | Serving (Primary)              
1  | n1       | 0.0.0.0/0, 192.168.0.0/24, ::/0 | 0.0.0.0/0, 192.168.0.0/24, ::/0 | 192.168.0.0/24, 0.0.0.0/0, ::/0

@nblock commented on GitHub (Oct 9, 2025): > Any news about this issue? I cannot reproduce this on 0.26.1. The following works in my tests (tested with the linked docs): - [Automatically approve routes of a subnet router](https://headscale.net/0.26.1/ref/routes/#automatically-approve-routes-of-a-subnet-router) - [Automatically approve an exit node with auto approvers](https://headscale.net/0.26.1/ref/routes/#automatically-approve-an-exit-node-with-auto-approvers) Also the combination of both worked with this policy: ```json { "tagOwners": { "tag:exit": [ "alice@" ], "tag:router": [ "alice@" ] }, "autoApprovers": { "exitNode": [ "tag:exit" ], "routes": { "192.168.0.0/24": [ "tag:router" ] } }, "acls": [ { "action": "accept", "src": [ "*" ], "dst": [ "*:*" ] } ] } ``` Client: `tailscale up --login-server https://headscale.example.com --advertise-tags tag:exit,tag:router --advertise-exit-node --advertise-routes 192.168.0.0/24` Headscale: ```console $ headscale node list-routes ID | Hostname | Approved | Available | Serving (Primary) 1 | n1 | 0.0.0.0/0, 192.168.0.0/24, ::/0 | 0.0.0.0/0, 192.168.0.0/24, ::/0 | 192.168.0.0/24, 0.0.0.0/0, ::/0 ```

adam commented

2025-12-29 02:27:59 +01:00

@mathieuruellan commented on GitHub (Oct 11, 2025):

@nblock I succeed to make it work! Just a typo in my advertise tags. Thanks a lot!

@mathieuruellan commented on GitHub (Oct 11, 2025): @nblock I succeed to make it work! Just a typo in my advertise tags. Thanks a lot!

adam referenced this issue

2025-12-29 02:31:57 +01:00

[PR #1058] [MERGED] Fix duplicate nodes due to incorrect implementation of the protocol #1847

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1054