Headscale v0.27.0 not storing/propagating node endpoints - all connections forced through DERP relay #1134

New Issue

Closed

opened 2025-12-29 02:28:28 +01:00 by adam · 5 comments

adam commented 2025-12-29 02:28:28 +01:00

Owner

Copy Link

Originally created by @bradgarrison on GitHub (Nov 1, 2025).

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Current Behavior
Headscale v0.27.0 is not storing or propagating endpoint information to peers, causing all connections to relay through DERP servers instead of establishing direct peer-to-peer connections. This occurs even when nodes are on the same local subnet.
Evidence:

Headscale database shows null endpoints:

$ sudo headscale nodes list --output json | jq '.[] | {name: .name, endpoints: .endpoints}'
{
  "name": "jump",
  "endpoints": null
}
{
  "name": "dennis-pc",
  "endpoints": null
}

Clients are advertising their endpoints to Headscale:

From dennis-pc

"Self": {
  "Addrs": [
    "107.5.7.157:55181",
    "192.168.60.58:55181"
  ]
}

From jump

"Self": {
  "Addrs": [
    "107.5.7.157:49694",
    "192.168.60.60:49694",
    "192.168.70.44:49694",
    "192.168.100.53:49694"
  ]
}

But peers receive null endpoint data:

dennis-pc's view of jump:

"Peer": {
  "nodekey:...": {
    "HostName": "Jump",
    "Addrs": null,  // ← Should contain jump's endpoints
    "Relay": "ord"
  }
}

jump's view of dennis-pc

"Peer": {
  "nodekey:...": {
    "HostName": "Dennis-PC",
    "Addrs": null,  // ← Should contain dennis-pc's endpoints
    "Relay": "ord"
  }
}

Result: Forced DERP relay despite being on same subnet:

# Both machines on 192.168.60.0/24
$ ping 192.168.60.58
Reply from 192.168.60.58: time=2ms  # Direct local ping works

$ tailscale status
100.64.0.1  jump       jbtech@        windows  active; relay "ord", tx 572 rx 476
# ↑ Relaying through Chicago despite being 2ms away

Expected Behavior

Expected Behavior

Headscale should store endpoint information in the database
Peers should receive each other's endpoint lists in the network map (Addrs field populated)
Direct connections should be established when possible (especially on same subnet)
DERP relay should only be used as fallback when direct connection fails

Steps To Reproduce

Steps To Reproduce

Install Headscale v0.27.0 on Ubuntu 24.04
Configure with the following relevant settings:

yamlserver_url: https://headscale1.jbtech.me
randomize_client_port: true
derp:
  server:
    enabled: true
    region_id: 999
    stun_listen_addr: "0.0.0.0:3478"
  urls:
    - https://controlplane.tailscale.com/derpmap/default
policy:
  mode: file
  path: /etc/headscale/policy.json

Create ACL policy allowing all communication:

{
  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ]
}

Register two Windows nodes on the same subnet (Tailscale v1.90.4):

tailscale up --login-server=https://headscale1.jbtech.me --authkey=<preauth-key>

Verify nodes see each other:

tailscale status
100.64.0.1  jump       jbtech@        windows  -
100.64.0.2  dennis-pc  williamellis@  windows  active; relay "ord"

Check Headscale database for endpoints:

sudo headscale nodes list --output json | jq '.[] | {name: .name, endpoints: .endpoints}'
# Shows "endpoints": null for both nodes

Check client JSON status:

tailscale status --json | Out-File status.json
# Shows Peer.Addrs = null despite Self.Addrs being populated

Environment

• OS: Ubuntu 24.04 LTS (Headscale server), Windows 11 (clients)
• Headscale version: v0.27.0
• Tailscale client version: 1.90.4-t0d7298602-g1c96c3ed9
• Network topology: Both clients on same physical subnet (192.168.60.0/24)

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Debug information

Additional Context
This appears to be a regression - we have a production Tailscale network (official coordination server) with 60+ nodes that establishes direct connections correctly after applying randomizeClientPort: true to the ACL policy. The same configuration applied to Headscale does not propagate endpoints.

Comparison:

• Production Tailscale: Direct connections work, Peer.Addrs populated with endpoint list
• Headscale v0.27.0: All DERP relay, Peer.Addrs = null, database shows endpoints: null

No endpoint updates in logs:

sudo journalctl -u headscale --since "5 minutes ago" | grep -i "endpoint"
# No output - endpoints not being received/stored

Logs show nodes connecting successfully:

2025-10-31T20:42:24-04:00 INF Node connected node.id=3 node.name=jump
2025-10-31T20:42:24-04:00 INF Node connected node.id=4 node.name=dennis-pc

This bug effectively breaks peer-to-peer connectivity and forces all traffic through DERP relays, significantly degrading performance (30ms+ latency instead of <5ms for same-subnet connections).

---

EDIT(nblock): added code blocks to improve readability.

Originally created by @bradgarrison on GitHub (Nov 1, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior Current Behavior Headscale v0.27.0 is not storing or propagating endpoint information to peers, causing all connections to relay through DERP servers instead of establishing direct peer-to-peer connections. This occurs even when nodes are on the same local subnet. Evidence: Headscale database shows null endpoints: ```console $ sudo headscale nodes list --output json | jq '.[] | {name: .name, endpoints: .endpoints}' { "name": "jump", "endpoints": null } { "name": "dennis-pc", "endpoints": null } ``` Clients are advertising their endpoints to Headscale: From dennis-pc ```json "Self": { "Addrs": [ "107.5.7.157:55181", "192.168.60.58:55181" ] } ``` From jump ```json "Self": { "Addrs": [ "107.5.7.157:49694", "192.168.60.60:49694", "192.168.70.44:49694", "192.168.100.53:49694" ] } ``` But peers receive null endpoint data: dennis-pc's view of jump: ```json "Peer": { "nodekey:...": { "HostName": "Jump", "Addrs": null, // ← Should contain jump's endpoints "Relay": "ord" } } ``` jump's view of dennis-pc ```json "Peer": { "nodekey:...": { "HostName": "Dennis-PC", "Addrs": null, // ← Should contain dennis-pc's endpoints "Relay": "ord" } } ``` Result: Forced DERP relay despite being on same subnet: ```console # Both machines on 192.168.60.0/24 $ ping 192.168.60.58 Reply from 192.168.60.58: time=2ms # Direct local ping works $ tailscale status 100.64.0.1 jump jbtech@ windows active; relay "ord", tx 572 rx 476 # ↑ Relaying through Chicago despite being 2ms away ``` ### Expected Behavior Expected Behavior Headscale should store endpoint information in the database Peers should receive each other's endpoint lists in the network map (Addrs field populated) Direct connections should be established when possible (especially on same subnet) DERP relay should only be used as fallback when direct connection fails ### Steps To Reproduce Steps To Reproduce Install Headscale v0.27.0 on Ubuntu 24.04 Configure with the following relevant settings: ```yaml yamlserver_url: https://headscale1.jbtech.me randomize_client_port: true derp: server: enabled: true region_id: 999 stun_listen_addr: "0.0.0.0:3478" urls: - https://controlplane.tailscale.com/derpmap/default policy: mode: file path: /etc/headscale/policy.json ``` Create ACL policy allowing all communication: ```json { "acls": [ { "action": "accept", "src": ["*"], "dst": ["*:*"] } ] } ``` Register two Windows nodes on the same subnet (Tailscale v1.90.4): ```console tailscale up --login-server=https://headscale1.jbtech.me --authkey=<preauth-key> ``` Verify nodes see each other: ```console tailscale status 100.64.0.1 jump jbtech@ windows - 100.64.0.2 dennis-pc williamellis@ windows active; relay "ord" ``` Check Headscale database for endpoints: ```console sudo headscale nodes list --output json | jq '.[] | {name: .name, endpoints: .endpoints}' # Shows "endpoints": null for both nodes ``` Check client JSON status: ```console tailscale status --json | Out-File status.json # Shows Peer.Addrs = null despite Self.Addrs being populated ``` ### Environment - **OS:** Ubuntu 24.04 LTS (Headscale server), Windows 11 (clients) - **Headscale version:** v0.27.0 - **Tailscale client version:** 1.90.4-t0d7298602-g1c96c3ed9 - **Network topology:** Both clients on same physical subnet (192.168.60.0/24) ### Runtime environment - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Debug information Additional Context This appears to be a regression - we have a production Tailscale network (official coordination server) with 60+ nodes that establishes direct connections correctly after applying `randomizeClientPort: true` to the ACL policy. The same configuration applied to Headscale does not propagate endpoints. Comparison: - Production Tailscale: Direct connections work, Peer.Addrs populated with endpoint list - Headscale v0.27.0: All DERP relay, Peer.Addrs = null, database shows endpoints: null No endpoint updates in logs: ```console sudo journalctl -u headscale --since "5 minutes ago" | grep -i "endpoint" # No output - endpoints not being received/stored ``` **Logs show nodes connecting successfully:** ``` 2025-10-31T20:42:24-04:00 INF Node connected node.id=3 node.name=jump 2025-10-31T20:42:24-04:00 INF Node connected node.id=4 node.name=dennis-pc ``` This bug effectively breaks peer-to-peer connectivity and forces all traffic through DERP relays, significantly degrading performance (30ms+ latency instead of <5ms for same-subnet connections). --- EDIT(nblock): added code blocks to improve readability.

adam added the questionbug labels 2025-12-29 02:28:28 +01:00

adam closed this issue 2025-12-29 02:28:29 +01:00

adam commented 2025-12-29 02:28:29 +01:00

Author

Owner

Copy Link

@nblock commented on GitHub (Nov 1, 2025):

Headscale database shows null endpoints

There's no endpoints field in Headscale's node status. But the information is stored in the database, can you please provide the output of:

sqlite3 -readonly -cmd ".mode line" /path/to/db.sqlite 'SELECT hostname, given_name, endpoints, host_info FROM nodes'

Are you able to establish direct connections with randomize_client_port: false ?

@nblock commented on GitHub (Nov 1, 2025): > Headscale database shows null endpoints There's no `endpoints` field in Headscale's node status. But the information is stored in the database, can you please provide the output of: ```console sqlite3 -readonly -cmd ".mode line" /path/to/db.sqlite 'SELECT hostname, given_name, endpoints, host_info FROM nodes' ``` Are you able to establish direct connections with `randomize_client_port: false` ?

adam commented 2025-12-29 02:28:29 +01:00

Author

Owner

Copy Link

@bradgarrison commented on GitHub (Nov 1, 2025):

Here's the PostgreSQL database output (using PostgreSQL instead of SQLite):

id | hostname | given_name | endpoints
----+-----------+------------+-----------
3 | jump | jump | ["107.5.7.157:49694","192.168.60.60:49694","192.168.70.44:49694","192.168.100.53:49694"]
4 | dennis-pc | dennis-pc | ["107.5.7.157:55181","192.168.60.58:55181"]

As you can see, the endpoints column DOES contain endpoint data in the database. However, when querying via the API or CLI (headscale nodes list --output json), the endpoints field returns null:

{
"name": "jump",
"endpoints": null
}
{
"name": "dennis-pc",
"endpoints": null
}

This confirms the issue is with the API/response serialization, not with endpoint storage in the database. The endpoints are stored correctly in PostgreSQL, but they're not being returned by the API, which prevents clients from receiving peer endpoint information in their network maps (resulting in null Peer.Addrs and forced DERP relay).

Additional diagnostic information:

Headscale version:
headscale version v0.27.0
commit: 450a7b15ec
build time: 2025-10-27T10:18:57Z
built with: go1.25.1 linux/amd64

PostgreSQL version: 15.14

Summary of the bug:

• Clients are advertising endpoints to Headscale (visible in client status JSON)
• Endpoints ARE being stored in the PostgreSQL database
• API/CLI returns endpoints: null
• Clients receive null Peer.Addrs in network map
• Result: All connections forced through DERP relay

Regarding randomize_client_port: I haven't tested with this disabled yet, but can test if helpful for diagnosis.

@bradgarrison commented on GitHub (Nov 1, 2025): Here's the PostgreSQL database output (using PostgreSQL instead of SQLite): id | hostname | given_name | endpoints ----+-----------+------------+----------- 3 | jump | jump | ["107.5.7.157:49694","192.168.60.60:49694","192.168.70.44:49694","192.168.100.53:49694"] 4 | dennis-pc | dennis-pc | ["107.5.7.157:55181","192.168.60.58:55181"] As you can see, the endpoints column DOES contain endpoint data in the database. However, when querying via the API or CLI (headscale nodes list --output json), the endpoints field returns null: { "name": "jump", "endpoints": null } { "name": "dennis-pc", "endpoints": null } This confirms the issue is with the API/response serialization, not with endpoint storage in the database. The endpoints are stored correctly in PostgreSQL, but they're not being returned by the API, which prevents clients from receiving peer endpoint information in their network maps (resulting in null Peer.Addrs and forced DERP relay). Additional diagnostic information: Headscale version: headscale version v0.27.0 commit: 450a7b15ec7b08926738e308bd11ec17753d06ab build time: 2025-10-27T10:18:57Z built with: go1.25.1 linux/amd64 PostgreSQL version: 15.14 Summary of the bug: - Clients are advertising endpoints to Headscale (visible in client status JSON) - Endpoints ARE being stored in the PostgreSQL database - API/CLI returns endpoints: null - Clients receive null Peer.Addrs in network map - Result: All connections forced through DERP relay Regarding randomize_client_port: I haven't tested with this disabled yet, but can test if helpful for diagnosis.

adam commented 2025-12-29 02:28:29 +01:00

Author

Owner

Copy Link

@nblock commented on GitHub (Nov 1, 2025):

However, when querying via the API or CLI (headscale nodes list --output json), the endpoints field returns null:

There's no endpoints field in the output of headscale nodes list --output json. You produced that yourself by piping it through jq.

Please provide the output of tailscale debug netmap for both nodes (in full, add as attachment)

Please use code blocks to improve readability, thx.

@nblock commented on GitHub (Nov 1, 2025): > However, when querying via the API or CLI (headscale nodes list --output json), the endpoints field returns null: There's no `endpoints` field in the output of `headscale nodes list --output json`. You produced that yourself by piping it through `jq`. Please provide the output of `tailscale debug netmap` for both nodes (in full, add as attachment) Please use [code blocks](https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks) to improve readability, thx.

adam commented 2025-12-29 02:28:29 +01:00

Author

Owner

Copy Link

@bradgarrison commented on GitHub (Nov 1, 2025):

UPDATE: After further testing, the direct connection issue appears to be intermittent and possibly machine-specific rather than a systematic Headscale problem.
Current findings:

Some Windows nodes on the same subnet establish direct connections successfully
Other Windows nodes (including the test machines in my original report) fail to establish direct connections and fall back to DERP relay
The issue persists even with production Tailscale coordination on the affected machines
Network configuration appears correct (firewall rules allow UDP, randomizeClientPort is enabled)

Next steps:
I'll conduct more thorough testing this week to:

Identify what configuration differences exist between working and non-working machines
Test with fresh VM builds to rule out machine-specific issues
Gather more diagnostic data (netcheck output, detailed logs) from both working and failing nodes

I'll update this issue with findings. The problem may not be Headscale-specific after all, but rather related to specific Windows client configurations or network conditions. Apologies for the premature report - I'll have more concrete data soon.

@bradgarrison commented on GitHub (Nov 1, 2025): UPDATE: After further testing, the direct connection issue appears to be intermittent and possibly machine-specific rather than a systematic Headscale problem. Current findings: Some Windows nodes on the same subnet establish direct connections successfully Other Windows nodes (including the test machines in my original report) fail to establish direct connections and fall back to DERP relay The issue persists even with production Tailscale coordination on the affected machines Network configuration appears correct (firewall rules allow UDP, randomizeClientPort is enabled) Next steps: I'll conduct more thorough testing this week to: Identify what configuration differences exist between working and non-working machines Test with fresh VM builds to rule out machine-specific issues Gather more diagnostic data (netcheck output, detailed logs) from both working and failing nodes I'll update this issue with findings. The problem may not be Headscale-specific after all, but rather related to specific Windows client configurations or network conditions. Apologies for the premature report - I'll have more concrete data soon.

adam commented 2025-12-29 02:28:29 +01:00

Author

Owner

Copy Link

@nblock commented on GitHub (Nov 12, 2025):

No further details sent, closing for now.

@nblock commented on GitHub (Nov 12, 2025): No further details sent, closing for now.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label bug question

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1134