Cannot Decode Message #350

Closed
opened 2025-12-29 01:27:29 +01:00 by adam · 0 comments
Owner

Originally created by @wsullv1234 on GitHub (Oct 14, 2022).

Headscale version 16.4

Cannot decrypt response

I am getting an error on my Ubuntu 20.04 server that's running headscale 16.4. Every time I try to run headscale it gives me this error:

2022-10-14T14:37:00Z ERR ../../../../../home/runner/work/headscale/headscale/api.go:114 > Cannot decode message error="cannot decrypt response"

I am not even sure where to begin with troubleshooting this issue.

Below is my config.yaml:


---
# The url clients will connect to.
# Typically this will be a domain.
server_url: http://150.220.137.99:443

# Address to listen to / bind to on the server
listen_addr: 0.0.0.0:443

# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
# network
#
metrics_listen_addr: 0.0.0.0:9090

# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
grpc_listen_addr: 0.0.0.0:50443

# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: true

# Path to WireGuard private key file
private_key_path: /usr/local/opt/headscale/config/private.key

noise:
  private_key_path: /usr/local/opt/headscale/config/noise_private.key

ip_prefixes: 100.64.0.0/10

# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
  server:
    # If enabled, runs the embedded DERP server and
    # merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST
    # be using https, DERP requires TLS to be in place
    enabled: false

    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides
    # with other region ID coming from
    # the regular DERP config.
    region_id: 999

    # Region code and name are displayed in
    # the Tailscale UI to identify a DERP region
    region_code: "name01"
    region_name: "Domain DERP 01"

    # If enabled, also listens in UDP at the configured address
    # for STUN connections to help on NAT traversal
    # For more details on how this works
    # check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

  # List of externally available DERP maps encoded in JSON
  urls: https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []

  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true

  # How often should we check for updates?
  update_frequency: 24h

# Disables the automatic check for updates on startup
disable_check_updates: false
ephemeral_node_inactivity_timeout: 30m

# SQLite config
db_type: sqlite3
db_path: /usr/local/opt/headscale/config/db.sqlite

# # Postgres config
# db_type: postgres
# db_host: localhost
# db_port: 5432
# db_name: headscale
# db_user: foo
# db_pass: bar

#acme_url: https://acme-v02.api.letsencrypt.org/directory
#acme_email: ""

#tls_letsencrypt_hostname: ""
#tls_letsencrypt_listen: ":http"
#tls_letsencrypt_cache_dir: ".cache"
#tls_letsencrypt_challenge_type: HTTP-01

#tls_cert_path: ""
#tls_key_path: ""

# Path to a file containing ACL policies.
#acl_policy_path: "/opt/headscale/config/acls.yaml"
#acl_policy_path: "/opt/headscale/config/acls.hjson"

#dns_config:
#   # Upstream DNS servers
#   nameservers:
#     - 100.64.0.1
#     - 107.152.39.57
#   domains: []
#   magic_dns: true
#   base_domain: domain.com

# Unix socket used for the CLI to connect without authentication
# Note: for local development, you probably want to change this to:
# unix_socket: ./headscale.sock
unix_socket: /usr/local/opt/headscale/config/headscale.sock
unix_socket_permission: "0770"

adam added the bug label 2025-12-29 01:27:29 +01:00
adam closed this issue 2025-12-29 01:27:29 +01:00

Reference: starred/headscale#350