starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-11 20:00:28 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

[Bug] ACLs not applied on newly added nodes using OIDC #1146

New Issue
Closed
opened 2025-12-29 02:28:32 +01:00 by adam · 10 comments
adam commented 2025-12-29 02:28:32 +01:00
Owner
Copy Link

Originally created by @flodakto on GitHub (Nov 14, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have a node used as gateway in my tailnet, ie advertising a routes. In my ACLs, I have a routes whitelist depending on the connected user.

When I add a new node, I can't reach any of the advertised routes allowed in my ACLs.

Expected Behavior

All routes allowed in ACLs for my user should be accessible.

Steps To Reproduce

  1. Configure OIDC (in my case, I'm using Microsoft Entra)
  2. Configure ACLs like the following example:
{
  "acls": [
    {
      "action": "accept",
      "dst": [
        "10.102.1.7/32:*"
      ],
      "src": [
        "john.doe@example.com"
      ]
    }
  ]
}
  1. Connect new node using tailscale command line:
tailscale up --accept-dns --accept-routes  --login-server=https://vpn.example.com
  1. Check that ip route show table 52 show the expected route
  2. Try ssh on 10.102.1.7 -> connection hangs

Environment

- OS:Ubuntu 24.04
- Headscale version: 0.27.1
- Tailscale version: 1.88.4
- Number of nodes: 2

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

Useful information that may help find the issue:

  • Same issue with v0.27.0, but it's working as expected in v0.26.1
  • Running a headscale config reload (systemctl reload headscale) fixes the issue
  • Tested using a non-OIDC user, this bug does not show

Debug logs:

logs_headscale.txt
tailscale_status.json
tailscale_debug.netmap.json

Originally created by @flodakto on GitHub (Nov 14, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior I have a node used as gateway in my tailnet, ie advertising a routes. In my ACLs, I have a routes whitelist depending on the connected user. When I add a new node, I can't reach any of the advertised routes allowed in my ACLs. ### Expected Behavior All routes allowed in ACLs for my user should be accessible. ### Steps To Reproduce 1. Configure OIDC (in my case, I'm using Microsoft Entra) 2. Configure ACLs like the following example: ```json { "acls": [ { "action": "accept", "dst": [ "10.102.1.7/32:*" ], "src": [ "john.doe@example.com" ] } ] } ``` 3. Connect new node using tailscale command line: ```shell tailscale up --accept-dns --accept-routes --login-server=https://vpn.example.com ``` 4. Check that `ip route show table 52` show the expected route 5. Try ssh on 10.102.1.7 -> connection hangs ### Environment ```markdown - OS:Ubuntu 24.04 - Headscale version: 0.27.1 - Tailscale version: 1.88.4 - Number of nodes: 2 ``` ### Runtime environment - [x] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Debug information Useful information that may help find the issue: - Same issue with v0.27.0, but **it's working as expected in v0.26.1** - Running a headscale config reload (`systemctl reload headscale`) fixes the issue - Tested using a non-OIDC user, this bug does not show Debug logs: [logs_headscale.txt](https://github.com/user-attachments/files/23545248/logs_headscale.txt) [tailscale_status.json](https://github.com/user-attachments/files/23545247/tailscale_status.json) [tailscale_debug.netmap.json](https://github.com/user-attachments/files/23545246/tailscale_debug.netmap.json)
adam added the bugregression labels 2025-12-29 02:28:32 +01:00
adam closed this issue 2025-12-29 02:28:32 +01:00
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@YouSysAdmin commented on GitHub (Nov 14, 2025):

I encountered the same issue: the user who logged in for the first time couldn't access the network.
Either restart headscale or re-apply the policy helped (I can't say which).

@YouSysAdmin commented on GitHub (Nov 14, 2025): I encountered the same issue: the user who logged in for the first time couldn't access the network. Either restart headscale or re-apply the policy helped (I can't say which).
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Nov 14, 2025):

Can you try the fix in: https://github.com/juanfont/headscale/pull/2890

@kradalby commented on GitHub (Nov 14, 2025): Can you try the fix in: https://github.com/juanfont/headscale/pull/2890
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@YouSysAdmin commented on GitHub (Nov 14, 2025):

Hi @kradalby
I can theoretically check on Monday if @flodakto hasn't checked by then.

Thanks for your work.

@YouSysAdmin commented on GitHub (Nov 14, 2025): Hi @kradalby I can theoretically check on Monday if @flodakto hasn't checked by then. Thanks for your work.
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@flodakto commented on GitHub (Nov 17, 2025):

@kradalby Thanks for quick fix proposal, unfortunately, it does not fix the issue. I double checked, same behavior as before. Please tell me if you need new logs or debug information for troubleshooting.

@YouSysAdmin Did you gave it a try ?

@flodakto commented on GitHub (Nov 17, 2025): @kradalby Thanks for quick fix proposal, unfortunately, it does not fix the issue. I double checked, same behavior as before. Please tell me if you need new logs or debug information for troubleshooting. @YouSysAdmin Did you gave it a try ?
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@YouSysAdmin commented on GitHub (Nov 17, 2025):

Hi @flodakto
Sorry, we had some issues with our production environment this morning, so I haven't tested this Headscale fix.

@YouSysAdmin commented on GitHub (Nov 17, 2025): Hi @flodakto Sorry, we had some issues with our production environment this morning, so I haven't tested this Headscale fix.
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Nov 25, 2025):

I've pushed some changes to https://github.com/juanfont/headscale/pull/2890 again, can either of test it?

@kradalby commented on GitHub (Nov 25, 2025): I've pushed some changes to https://github.com/juanfont/headscale/pull/2890 again, can either of test it?
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@flodakto commented on GitHub (Nov 28, 2025):

@kradalby Thanks for this new fix, this is now working as expected, the newly connected node is able to reach advertised routes without restarting or reloading headscale server.

@flodakto commented on GitHub (Nov 28, 2025): @kradalby Thanks for this new fix, this is now working as expected, the newly connected node is able to reach advertised routes without restarting or reloading headscale server.
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@YouSysAdmin commented on GitHub (Nov 28, 2025):

I can probably also confirm this, yesterday one new user was join and there were no complaints about access problems, at least according to the teammates.

@YouSysAdmin commented on GitHub (Nov 28, 2025): I can probably also confirm this, yesterday one new user was join and there were no complaints about access problems, at least according to the teammates.
adam commented 2025-12-29 02:28:33 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Nov 30, 2025):

I've made a rc.1 release for 0.27.2 with fixes, would be great if you can test this and then close this (or give feedback so I can).

@kradalby commented on GitHub (Nov 30, 2025): I've made a [rc.1 release for 0.27.2](https://github.com/juanfont/headscale/releases/tag/v0.27.2-rc.1) with fixes, would be great if you can test this and then close this (or give feedback so I can).
adam commented 2025-12-29 02:28:34 +01:00
Author
Owner
Copy Link

@flodakto commented on GitHub (Dec 2, 2025):

Testing rc.1 release since yesterday on our test environment, no issue so far. I'll keep you posted by the end of the week.

@flodakto commented on GitHub (Dec 2, 2025): Testing rc.1 release since yesterday on our test environment, no issue so far. I'll keep you posted by the end of the week.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label bug regression
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#1146
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?