ACLs and routes #236

Closed
opened 2025-12-29 01:24:36 +01:00 by adam · 6 comments
Owner

Originally created by @reynico on GitHub (Mar 15, 2022).

👋 Hi!

I'm using an EC2 instance as a VPN termination node to connect to my internal VPC resources. With no ACLs defined I'm able to push the required route (10.0.0.0/16) from the Tailscale instance living on EC2, thus I'm also able to connect from my laptop to my internal resources.

These are the routes I see on my laptop, for the Tailscale client (on utun3):

default            link#27            UCSIg           utun3
10/16              link#27            UCS             utun3
10.0.11.161        link#27            UHWIi           utun3
10.1/16            link#27            UCS             utun3
100.64.0.1/32      link#27            UCS             utun3
100.64.0.2         100.64.0.2         UH              utun3
100.100.100.100/32 link#27            UCS             utun3
100.100.100.100    link#27            UHWIi           utun3
224.0.0/4          link#27            UmCSI           utun3
255.255.255.255/32 link#27            UCSI            utun3

If I define the following ACL huJSON file:

{
    "ACLs": [
        {
            "Action": "accept",
            "Users": [
                "ec2-dev",
            ],
            "Ports": [
                "*:*",
            ],
        },
        {
            "Action": "accept",
            "Users": [
                "nico-mbp",
            ],
            "Ports": [
                "10.0.0.0/16:*",
                "100.0.0.0/8:*",
            ]
        }
    ]
}

I lose connection to the entire 10.0.0.0/16 network, but I'm still able to ping/ssh the ec2-dev EC2 instance on 100.64.0.1 (where Headscale and Tailscale are running). And my routes now look like the following:

10.0.11.161        link#27            UHWIig          utun3
100.64.0.2         100.64.0.2         UH              utun3
100.100.100.100/32 link#27            UCS             utun3
100.100.100.100    link#27            UHWIi           utun3
224.0.0/4          link#27            UmCSI           utun3
255.255.255.255/32 link#27            UCSI            utun3

If I set my ACL Ports to *:*, access to the 10.0.0.0/16 network comes back:

{
    "Action": "accept",
    "Users": [
        "nico-mbp",
    ],
    "Ports": [
        "*:*",
    ]
}

EDIT:
Narrowing down the last test where I set Ports *:*, connection to my internal resources also works if I just permit port 22.

{
    "Action": "accept",
    "Users": [
        "nico-mbp",
    ],
    "Ports": [
        "*:22",
    ]
}

Not sure what I am missing here.
Thanks.

adam added the bug label 2025-12-29 01:24:36 +01:00
adam closed this issue 2025-12-29 01:24:36 +01:00

@restanrm commented on GitHub (Mar 17, 2022):

What is the name of your router?

I saw in my config that we need to allow the computers to talk to the router in order to allow traffic to be forwarded to the subnet, so the right rule would be (if my understanding of your setup is correct):

{
  "acls": [
    {"action":"accept", "users": ["ec2-dev"], "ports": ["*:*"]},
    {"action":"accept", "users": ["nico-mbp"], "ports": [
      "ec2-dev:0",       // Allow nico-mbp to go through ec2-dev without accessing any ports
      "10.0.0.0/16:*",   // allow traffic to go to destination on all ports
      ],
    },
  ]
}
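An added check (not headscale's code and not code from anyone in this thread) that scans a huJSON policy for the situation above: a user whose rules cover a subnet behind a router node but never name the router host itself. The minimal huJSON reader, the router inventory `ROUTERS`, and the `"router:0"` entry as the suggested fix are assumptions for this example; matching is by host name, since the thread shows that a prefix covering the router's tailnet address (`100.0.0.0/8`) was not enough.

```python
import ipaddress, json, re

# Constructed sample: the poster's second policy, without the "ec2-dev:0" entry
# the thread identified as the fix, so the check has something to report.
SAMPLE_POLICY = """{
  "acls": [
    {"action": "accept", "users": ["ec2-dev"],  "ports": ["*:*"]},
    {"action": "accept", "users": ["nico-mbp"], "ports": ["10.0.0.0/16:*", "100.0.0.0/8:*"]},
  ],
}"""
ROUTERS = {"ec2-dev": ["10.0.0.0/16"]}  # hypothetical: router host name -> advertised routes

def load_hujson(text):
    """Minimal huJSON reader: drop // comments and trailing commas, lower-case keys."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    policy = json.loads(text)
    rules = policy.get("acls", policy.get("ACLs", []))
    return {"acls": [{k.lower(): v for k, v in r.items()} for r in rules]}

def covers(dst, route):
    """True if rule destination dst ("*" or a prefix) contains the CIDR route."""
    if dst == "*":
        return True
    try:
        return ipaddress.ip_network(route).subnet_of(ipaddress.ip_network(dst))
    except ValueError:  # dst is a host name rather than a prefix
        return False

def destinations(policy, user):
    """Destination halves of every "dst:port" in accept rules that list user."""
    dsts = []
    for rule in policy["acls"]:
        if rule.get("action") == "accept" and user in rule.get("users", []):
            dsts += [p.rsplit(":", 1)[0] for p in rule.get("ports", [])]
    return dsts

def missing_router_rules(policy, routers):
    """(user, router, route) triples where user may reach route but no rule names the
    router host or "*"; as in the thread, a prefix covering 100.64.0.1 does not count."""
    users = sorted({u for r in policy["acls"] for u in r.get("users", [])})
    findings = []
    for user in users:
        dsts = destinations(policy, user)
        for router, routes in routers.items():
            reaches_router = any(d in ("*", router) for d in dsts)
            for route in routes:
                if any(covers(d, route) for d in dsts) and not reaches_router:
                    findings.append((user, router, route))  # suggest adding "router:0"
    return findings
```

Calling `missing_router_rules(load_hujson(SAMPLE_POLICY), ROUTERS)` reports `nico-mbp` for `10.0.0.0/16` via `ec2-dev`; each triple is a user that needs a `"router:0"` entry (or a `*` destination) before the route will be usable.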

@reynico commented on GitHub (Mar 17, 2022):

Hi! ec2-dev acts as a router.

Cool, by adding "ec2-dev:0", the routing works as expected. Thank you!

@kradalby should we add some information under the ACLs doc?


@kradalby commented on GitHub (Mar 17, 2022):

Yes please


@restanrm commented on GitHub (May 14, 2022):

Can we close this issue?


@reynico commented on GitHub (May 14, 2022):

@restanrm what do you think about https://github.com/juanfont/headscale/pull/510?


@restanrm commented on GitHub (May 16, 2022):

Sorry, I didn't look through the documentation. It's a good addition!!


Reference: starred/headscale#236