[Feature] Hide inaccessible nodes from my devices #1089

Closed
opened 2025-12-29 02:28:12 +01:00 by adam · 5 comments

Originally created by @timemaster5 on GitHub (Aug 20, 2025).

Use case

I believe Tailscale has resolved this in this GitHub issue: https://github.com/tailscale/tailscale/issues/824. I’ve done some tests and it seems like with Headscale, I can see all devices even though I don’t have access to them.

I’d like to use Tailscale to interconnect multiple clients, and it’s not acceptable for them to see other devices besides theirs.

Description

I want to hide all devices with restricted access by ACL from My device list.

Contribution

  • I can test a pre-release

How can it be implemented?

I believe the same way as Tailscale did, but I don't have the details.

adam added the enhancement label 2025-12-29 02:28:12 +01:00
adam closed this issue 2025-12-29 02:28:12 +01:00

@kradalby commented on GitHub (Aug 20, 2025):

They are trimmed: https://headscale.net/stable/about/faq/#why-do-two-nodes-see-each-other-in-their-status-even-if-an-acl-allows-traffic-only-in-one-direction

I would suspect that one machine can see the other, and not vice versa, therefore it has to be in both maps. This is the case for the upstream too.


@timemaster5 commented on GitHub (Aug 20, 2025):

Thank you, will try adjusting ACLs again then to confirm


@timemaster5 commented on GitHub (Aug 30, 2025):

Ok, I tested, and no matter what I do, it doesn't work for me.

Here is my ACL:

{
"acls": []
}

According to the documentation https://tailscale.com/kb/1192/acl-samples#deny-all, this should be a simple deny all rule, meaning I shouldn’t see any other devices in the Tailscale client -> Network devices -> My devices.

However, they are still there.

I also tried more complicated rules, such as assigning a tag to my laptop and accepting communication to only one target. This should also mean that the other host will hide if there are three hosts in the network, but nothing worked :(

Am I doing something wrong?


@nblock commented on GitHub (Aug 30, 2025):

According to the documentation https://tailscale.com/kb/1192/acl-samples#deny-all, this should be a simple deny all rule, meaning I shouldn’t see any other devices in the Tailscale client -> Network devices -> My devices.

Unfortunately, the ACLs are not identical to Tailscale's implementation, and in particular the empty ACL file and deny-all cases differ. They got fixed for the next release.

To get you started, here's a working example for Headscale 0.26.1 with 3 nodes (all belong to the same user):

  • n1 (ip: 100.64.0.1):
    • can access node n2 on ports 80 and 443.
    • It can also ping n1 implicitly
    • It sees n2 in tailscale status
  • n2 (ip: 100.64.0.2):
    • no access to anything
    • sees n1 in tailscale status but cannot access anything there either
  • n3 (ip: 100.64.0.3):
    • no access to anything
    • cannot see the other nodes in tailscale status

ACL:

{
  "acls": [
    {
      "action": "accept",
      "src": [
        "100.64.0.1"
      ],
      "dst": [
        "100.64.0.2:80,443"
      ]
    }
  ]
}

Output of headscale nodes list

ID | Hostname | Name | MachineKey | NodeKey | User  | IP addresses                  | Ephemeral | Last seen           | Expiration | Connected | Expired
1  | n1       | n1   | [TfIDO]    | [SE6aq] | alice | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2025-08-30 12:45:33 | N/A        | online    | no     
2  | n2       | n2   | [jO8+d]    | [DHMwH] | alice | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2025-08-30 12:45:41 | N/A        | online    | no     
3  | n3       | n3   | [q5lng]    | [Mh/04] | alice | 100.64.0.3, fd7a:115c:a1e0::3 | false     | 2025-08-30 12:46:03 | N/A        | online    | no  
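The visibility rule behind the example above (a peer stays in a node's map when traffic is allowed in either direction, as the FAQ linked by kradalby describes) can be modelled in a few lines. This is an added illustration, not Headscale's own code: it handles only literal IPv4 addresses and "*" in src/dst (no users, tags, groups or autogroups), ignores the port list beyond stripping it, and implements the intended deny-all semantics that nblock says are fixed after 0.26.1.

```python
import json
from typing import Dict, Set

# Constructed sample: the three nodes and the ACL from nblock's example, plus the deny-all ACL.
NODES: Dict[str, str] = {"n1": "100.64.0.1", "n2": "100.64.0.2", "n3": "100.64.0.3"}
ACL_ONE_WAY = json.loads(
    '{"acls": [{"action": "accept", "src": ["100.64.0.1"], "dst": ["100.64.0.2:80,443"]}]}'
)
ACL_DENY_ALL = {"acls": []}


def _host(dst: str) -> str:
    """Strip the ':port,port' suffix from a dst entry ('100.64.0.2:80,443' -> '100.64.0.2').
    Assumes IPv4 literals or '*', so the last ':' always separates the port list."""
    return dst.rsplit(":", 1)[0] if ":" in dst else dst


def allows(acl: dict, src_ip: str, dst_ip: str) -> bool:
    """True if at least one accept rule lets src_ip reach dst_ip on some port."""
    for rule in acl.get("acls", []):
        if rule.get("action") != "accept":
            continue
        src_ok = any(s in ("*", src_ip) for s in rule.get("src", []))
        dst_ok = any(_host(d) in ("*", dst_ip) for d in rule.get("dst", []))
        if src_ok and dst_ok:
            return True
    return False


def visible_peers(acl: dict, nodes: Dict[str, str]) -> Dict[str, Set[str]]:
    """Peers each node keeps after trimming: a peer is kept when traffic is allowed
    in at least one direction, which is why one accept rule makes both ends see each other."""
    result: Dict[str, Set[str]] = {}
    for a, a_ip in nodes.items():
        result[a] = {
            b
            for b, b_ip in nodes.items()
            if b != a and (allows(acl, a_ip, b_ip) or allows(acl, b_ip, a_ip))
        }
    return result


if __name__ == "__main__":
    # n1 and n2 see each other, n3 sees nobody; with an empty ACL nobody sees anyone.
    print(visible_peers(ACL_ONE_WAY, NODES))
    print(visible_peers(ACL_DENY_ALL, NODES))
```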

@timemaster5 commented on GitHub (Sep 11, 2025):

It’s great that this worked well, thank you! The problem was that I had been following the Tailscale guide by mistake.

Reference: starred/headscale#1089