[Bug] Automatic route approval doesn't work for tagged preauth keys #1145

New Issue

Closed

opened 2025-12-29 02:28:32 +01:00 by adam · 4 comments

adam commented 2025-12-29 02:28:32 +01:00

Owner

Copy Link

Originally created by @YouSysAdmin on GitHub (Nov 14, 2025).

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

This may be normal behavior, then just close the issue.

If for pre auth key set tag that route autoApprovers policy not work
Everything works correctly for keywords without tags.
Adding a tag to the 'autoApprovers' list will correct the automatic approval mechanism.

eg:

"autoApprovers": {
    "routes": {
      "10.0.0.0/8": [
        "group:ops",
        "tag:bastion"
      ]
    }
  }

Expected Behavior

Same behavior for tagged and untagged keys - ability to use group for automatic approval

Steps To Reproduce

Policy

{
  "groups": {
    "group:ops": [
      "ops@",
    ]
  },

"autoApprovers": {
    "routes": {
      "10.0.0.0/8": [
        "group:ops"
      ]
    }
  }
}

Create key with tag

# user id=1  - `ops` user  in `ops` group, in this context
headscale preauthkeys -u 1 create --reusable --ephemeral --tags "tag:bastion"

Client UP

tailscale up --authkey "$TAILSCALE_AUTH_KEY" \
                    --hostname "$TAILSCALE_HOSTNAME" \
                    --login-server "$TAILSCALE_LOGIN_SERVER" \
                    --advertise-routes "10.4.0.0/16"

Headscale routes list after client up

ID  | Hostname                             | Approved       | Available         | Serving (Primary)
69 | uat-bastion                   |                        | 10.4.0.0/16      | 

Environment

- OS: Debian 12
- Headscale version: 0.27.1
- Tailscale version:

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Debug information

DB

sqlite> select id,hostname,host_info,approved_routes  from nodes where id='81';
81|uat-bastion|{"OS":"linux","Distro":"debian","DistroVersion":"12.12","Hostname":"uat-bastion","Machine":"x86_64","GoArch":"amd64","RoutableIPs":["10.4.0.0/16"],"NetInfo":{"MappingVariesByDestIP":true,"HairPinning":null,"WorkingIPv6":false,"OSHasIPv6":true,"WorkingUDP":true,"WorkingICMPv4":false,"UPnP":false,"PMP":false,"PCP":false,"PreferredDERP":21,"DERPLatency":{"1-v4":0.009070842,"10-v4":0.081262963,"11-v4":0.13606014,"12-v4":0.02044391,"13-v4":0.061451616,"14-v4":0.081832816,"15-v4":0.241200031,"16-v4":0.039034265,"17-v4":0.074230918,"18-v4":0.082251698,"19-v4":0.10117933,"2-v4":0.082480161,"20-v4":0.234122746,"21-v4":0.008008314,"22-v4":0.101433938,"24-v4":0.123173362,"25-v4":0.234396404,"26-v4":0.099917196,"27-v4":0.015020913,"28-v4":0.123128849,"4-v4":0.087856278,"5-v4":0.226289572,"7-v4":0.184715257,"8-v4":0.078007608,"9-v4":0.052908437},"FirewallMode":"ipt-default"},"Cloud":"aws","Userspace":false,"UserspaceRouter":false,"AppConnector":false,"StateEncrypted":false}|

Debug log:

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "info",
  "node.id": 81,
  "node.name": "uat-bastion",
  "time": 1763122351,
  "message": "Node connected"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:157",
  "node.id": 81,
  "prefixes": [],
  "time": 1763122351,
  "message": "PrimaryRoutes.SetRoutes called"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:49",
  "time": 1763122351,
  "message": "updatePrimaryLocked starting"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:81",
  "prefix": "10.252.18.0/24",
  "availableNodes": [2],
  "time": 1763122351,
  "message": "Processing prefix for primary route selection"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:140",
  "changed": false,
  "finalState": "Available routes:

Node 2: 10.254.6.0/24, 10.18.0.0/16, 
Node 69: 10.32.0.0/16

Current primary routes:

Route 10.254.6.0/24: 2
Route 10.18.0.0/16: 2
  "time": 1763122351,
  "message": "updatePrimaryLocked completed"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:175",
  "node.id": 81,
  "wasPresent": false,
  "changed": false,
  "newState": "Available routes:

Node 2: 10.254.6.0/24, 10.18.0.0/16, 
Node 69: 10.32.0.0/16

Current primary routes:

Route 10.254.6.0/24: 2
Route 10.18.0.0/16: 2",
  "time": 1763122351,
  "message": "SetRoutes completed (remove)"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "info",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/poll.go:383",
  "omitPeers": false,
  "stream": true,
  "node.id": 81,
  "node.name": "uat-bastion",
  "time": 1763122351,
  "message": "node has connected, mapSession: 0xc0001f9c80, chan: 0xc00028afc0"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:499",
  "node.id": 81,
  "chan": "0xc00028afc0",
  "conn.id": "b18a740e7149fe3d",
  "time": 1763122351,
  "message": "addConnection: waiting for mutex - POTENTIAL CONTENTION POINT"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:507",
  "node.id": 81,
  "chan": "0xc00028afc0",
  "conn.id": "b18a740e7149fe3d",
  "total_connections": 1,
  "mutex_wait_time": 0.009107,
  "time": 1763122351,
  "message": "Successfully added connection after mutex wait"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:101",
  "node.id": 81,
  "total.duration": 8.37243,
  "active.connections": 1,
  "time": 1763122351,
  "message": "Node connection established in batcher because AddNode completed successfully"
}

Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: {
  "level": "debug",
  "caller": "/home/runner/work/headscale/headscale/hscontrol/poll.go:232",
  "node.id": 81,
  "node.name": "uat-bastion",
  "time": 1763122351,
  "message": "AddNode succeeded in poll session because node added to batcher"
}

Originally created by @YouSysAdmin on GitHub (Nov 14, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior > This may be normal behavior, then just close the issue. If for pre auth key set tag that route `autoApprovers` policy not work Everything works correctly for keywords without tags. Adding a tag to the 'autoApprovers' list will correct the automatic approval mechanism. eg: ```json "autoApprovers": { "routes": { "10.0.0.0/8": [ "group:ops", "tag:bastion" ] } } ``` ### Expected Behavior Same behavior for tagged and untagged keys - ability to use group for automatic approval ### Steps To Reproduce **Policy** ``` { "groups": { "group:ops": [ "ops@", ] }, "autoApprovers": { "routes": { "10.0.0.0/8": [ "group:ops" ] } } } ``` **Create key with tag** ``` # user id=1 - `ops` user in `ops` group, in this context headscale preauthkeys -u 1 create --reusable --ephemeral --tags "tag:bastion" ``` **Client UP** ``` tailscale up --authkey "$TAILSCALE_AUTH_KEY" \ --hostname "$TAILSCALE_HOSTNAME" \ --login-server "$TAILSCALE_LOGIN_SERVER" \ --advertise-routes "10.4.0.0/16" ``` **Headscale routes list after client up** ``` ID | Hostname | Approved | Available | Serving (Primary) 69 | uat-bastion | | 10.4.0.0/16 | ``` ### Environment ```markdown - OS: Debian 12 - Headscale version: 0.27.1 - Tailscale version: ``` ### Runtime environment - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Debug information DB ``` sqlite> select id,hostname,host_info,approved_routes from nodes where id='81'; 81|uat-bastion|{"OS":"linux","Distro":"debian","DistroVersion":"12.12","Hostname":"uat-bastion","Machine":"x86_64","GoArch":"amd64","RoutableIPs":["10.4.0.0/16"],"NetInfo":{"MappingVariesByDestIP":true,"HairPinning":null,"WorkingIPv6":false,"OSHasIPv6":true,"WorkingUDP":true,"WorkingICMPv4":false,"UPnP":false,"PMP":false,"PCP":false,"PreferredDERP":21,"DERPLatency":{"1-v4":0.009070842,"10-v4":0.081262963,"11-v4":0.13606014,"12-v4":0.02044391,"13-v4":0.061451616,"14-v4":0.081832816,"15-v4":0.241200031,"16-v4":0.039034265,"17-v4":0.074230918,"18-v4":0.082251698,"19-v4":0.10117933,"2-v4":0.082480161,"20-v4":0.234122746,"21-v4":0.008008314,"22-v4":0.101433938,"24-v4":0.123173362,"25-v4":0.234396404,"26-v4":0.099917196,"27-v4":0.015020913,"28-v4":0.123128849,"4-v4":0.087856278,"5-v4":0.226289572,"7-v4":0.184715257,"8-v4":0.078007608,"9-v4":0.052908437},"FirewallMode":"ipt-default"},"Cloud":"aws","Userspace":false,"UserspaceRouter":false,"AppConnector":false,"StateEncrypted":false}| ``` Debug log: ``` Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "info", "node.id": 81, "node.name": "uat-bastion", "time": 1763122351, "message": "Node connected" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:157", "node.id": 81, "prefixes": [], "time": 1763122351, "message": "PrimaryRoutes.SetRoutes called" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:49", "time": 1763122351, "message": "updatePrimaryLocked starting" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:81", "prefix": "10.252.18.0/24", "availableNodes": [2], "time": 1763122351, "message": "Processing prefix for primary route selection" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:140", "changed": false, "finalState": "Available routes: Node 2: 10.254.6.0/24, 10.18.0.0/16, Node 69: 10.32.0.0/16 Current primary routes: Route 10.254.6.0/24: 2 Route 10.18.0.0/16: 2 "time": 1763122351, "message": "updatePrimaryLocked completed" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/routes/primary.go:175", "node.id": 81, "wasPresent": false, "changed": false, "newState": "Available routes: Node 2: 10.254.6.0/24, 10.18.0.0/16, Node 69: 10.32.0.0/16 Current primary routes: Route 10.254.6.0/24: 2 Route 10.18.0.0/16: 2", "time": 1763122351, "message": "SetRoutes completed (remove)" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "info", "caller": "/home/runner/work/headscale/headscale/hscontrol/poll.go:383", "omitPeers": false, "stream": true, "node.id": 81, "node.name": "uat-bastion", "time": 1763122351, "message": "node has connected, mapSession: 0xc0001f9c80, chan: 0xc00028afc0" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:499", "node.id": 81, "chan": "0xc00028afc0", "conn.id": "b18a740e7149fe3d", "time": 1763122351, "message": "addConnection: waiting for mutex - POTENTIAL CONTENTION POINT" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:507", "node.id": 81, "chan": "0xc00028afc0", "conn.id": "b18a740e7149fe3d", "total_connections": 1, "mutex_wait_time": 0.009107, "time": 1763122351, "message": "Successfully added connection after mutex wait" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/mapper/batcher_lockfree.go:101", "node.id": 81, "total.duration": 8.37243, "active.connections": 1, "time": 1763122351, "message": "Node connection established in batcher because AddNode completed successfully" } Nov 14 12:12:31 ip-10-255-1-11 headscale[266502]: { "level": "debug", "caller": "/home/runner/work/headscale/headscale/hscontrol/poll.go:232", "node.id": 81, "node.name": "uat-bastion", "time": 1763122351, "message": "AddNode succeeded in poll session because node added to batcher" } ```

adam added the bugtags labels 2025-12-29 02:28:32 +01:00

adam closed this issue 2025-12-29 02:28:32 +01:00

adam commented 2025-12-29 02:28:32 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Nov 19, 2025):

Did this work in 0.26.1? Just want to classify it, and if it did not, I will tag it for the next release which is focusing on fixing tags to behave correctly.

@kradalby commented on GitHub (Nov 19, 2025): Did this work in 0.26.1? Just want to classify it, and if it did not, I will tag it for the next release which is focusing on fixing tags to behave correctly.

adam commented 2025-12-29 02:28:32 +01:00

Author

Owner

Copy Link

@YouSysAdmin commented on GitHub (Nov 19, 2025):

H @kradalby
I can't say for sure, in version 0.27.1 I first used preAuthkey with a tag, so as not to declare tags separately for each host, before I simply did not use this feature.
I'm not sure I'll have time to test version 0.26.1 for this behavior anytime soon.

@YouSysAdmin commented on GitHub (Nov 19, 2025): H @kradalby I can't say for sure, in version 0.27.1 I first used `preAuthkey` with a tag, so as not to declare tags separately for each host, before I simply did not use this feature. I'm not sure I'll have time to test version 0.26.1 for this behavior anytime soon.

adam commented 2025-12-29 02:28:33 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Nov 19, 2025):

Don’t worry, I’ll treat it as a tag problem and put it under 0.28

@kradalby commented on GitHub (Nov 19, 2025): Don’t worry, I’ll treat it as a tag problem and put it under 0.28

adam commented 2025-12-29 02:28:33 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Dec 16, 2025):

@YouSysAdmin upon having time to reread this issue, this is the correct behaviour.

As I understand, you are trying to cover a node that has a tag with a group. tags and users are not the same, in the way that groups cover users, and tags themselves is one or more machines.

It might be helpful to think of tags as service accounts, where they are separate to the whole user system. This means that you cannot refer to a tagged machine with either user or group.

This will hopefully be fully clear with the next release where we implements tags correctly based on the Tailscale documentation.

@kradalby commented on GitHub (Dec 16, 2025): @YouSysAdmin upon having time to reread this issue, this is the correct behaviour. As I understand, you are trying to cover a node that has a `tag` with a `group`. `tags` and `users` are not the same, in the way that `groups` cover users, and `tags` themselves is one or more machines. It might be helpful to think of `tags` as service accounts, where they are separate to the whole user system. This means that you cannot refer to a tagged machine with either `user` or `group`. This will hopefully be fully clear with the next release where we implements tags correctly based on the Tailscale documentation.

adam referenced this issue 2025-12-29 03:18:51 +01:00

[PR #1145] [CLOSED] gorm: put Where before Find #1913

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label bug tags

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1145