Clients from different namespaces can ping each other. #394

Closed
opened 2025-12-29 01:28:14 +01:00 by adam · 1 comment

Originally created by @iamid0 on GitHub (Dec 14, 2022).

Bug description
Clients from different namespaces can ping each other.
I am not sure if this is a bug or not.

To Reproduce

Context info

  • Version of headscale, v0.17.1
  • Version of tailscale client, the latest, from AppStore and apt-get
  • OS: macOS 12.6.1, intel and M1; x86, Ubuntu 20.04.5

This is the config.yaml,

---
server_url: https://XXX.YYY:443
listen_addr: 0.0.0.0:443
metrics_listen_addr: 127.0.0.1:9090
private_key_path: /var/lib/headscale/private.key
noise:
  private_key_path: /var/lib/headscale/noise_private.key

ip_prefixes:
  - 100.211.0.0/16

derp:
  server:
    enabled: false
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

    stun_listen_addr: "0.0.0.0:3478"

  urls:
    - https://controlplane.tailscale.com/derpmap/default

  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []

  auto_update_enabled: true
  # How often should we check for DERP updates?
  update_frequency: 24h

disable_check_updates: true

# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m

node_update_check_interval: 10s

# SQLite config
db_type: sqlite3
db_path: /var/lib/headscale/db.sqlite

### TLS configuration
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory

# Email to register with ACME provider
acme_email: ""

# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: "XXX.YYY"

tls_client_auth_mode: enforced

tls_letsencrypt_cache_dir: /var/lib/headscale/cache

# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01

tls_letsencrypt_listen: ":http"

log_level: info

## DNS
dns_config:
  # List of DNS servers to expose to clients.
  nameservers:
    - 114.114.114.114
  # Search domains to inject.
  domains: []

  magic_dns: true

  base_domain: login

unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"

# Logtail configuration
logtail:
  # Enable logtail for this headscales clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false

randomize_client_port: true

The headscale server reports,

root@ip-172-26-14-89:~# headscale node list
ID | Hostname | Name    | NodeKey | Namespace | IP addresses  | Ephemeral | Last seen           | Online | Expired
1  | lab-itc  | lab-itc | [tUQ+L] | unit1     | 100.211.0.1,  | false     | 2022-12-14 02:09:30 | online | no
2  | miniM1   | minim1  | [otKjr] | unit1     | 100.211.0.2,  | false     | 2022-12-14 02:09:13 | online | no
3  | MacPro   | macpro  | [wwzDA] | unit2     | 100.211.0.3,  | false     | 2022-12-14 02:09:14 | online | no

Here are the ping tests.
From the mac M1,

miniM1 /tmp $ /Applications/Tailscale.app/Contents/MacOS/Tailscale ip
100.211.0.2
miniM1 /tmp $ ping 100.211.0.3
PING 100.211.0.3 (100.211.0.3): 56 data bytes
64 bytes from 100.211.0.3: icmp_seq=0 ttl=64 time=59.316 ms
64 bytes from 100.211.0.3: icmp_seq=1 ttl=64 time=56.493 ms

From Ubuntu,

[wang@lab-itc tmp]$ tailscale ip
100.211.0.1
[wang@lab-itc tmp]$ ping 100.211.0.3
PING 100.211.0.3 (100.211.0.3) 56(84) bytes of data.
64 bytes from 100.211.0.3: icmp_seq=1 ttl=64 time=242 ms
64 bytes from 100.211.0.3: icmp_seq=2 ttl=64 time=36.1 ms
64 bytes from 100.211.0.3: icmp_seq=3 ttl=64 time=36.4 ms
64 bytes from 100.211.0.3: icmp_seq=4 ttl=64 time=35.4 ms

I believe that the devices from the different namespaces cannot talk to each other.

Are there any configuration errors on my config.yaml file?
Or are there further configurations I should perform?

PS, I only replaced the domain name with XXX.YYY in the above config file.

By the way, headscale is fantastic.

adam added the bug label 2025-12-29 01:28:14 +01:00
adam closed this issue 2025-12-29 01:28:14 +01:00

@kradalby commented on GitHub (Dec 15, 2022):

This is working as expected, there are no barriers between the namespace, think of them like users.

If you want to restrict them, you should use ACLs.

If you need help with ACLs, people are usually helpful and friendly in the Discord server. Thanks :)

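As an added example (not code from the issue, and not headscale's own implementation): a small Python model of the ACL semantics @kradalby points to, applied to the three nodes from the issue's `headscale node list`. The policy below is constructed here. It assumes, as the headscale v0.17 ACL documentation describes, that a namespace name is a valid `src`/`dst` selector, that `"unit1:*"` means any port on any node in namespace unit1, and that the policy file is referenced from config.yaml via `acl_policy_path`. The matching functions are a simplified re-implementation written for this example, not headscale's filter code.

```python
"""
Added example: how loading a Tailscale-style ACL policy changes which of
the issue's three nodes can reach each other. Without a policy headscale
imposes no barriers between namespaces; with one, the filter is
default-deny and only "accept" rules open paths.
"""
import json

# Nodes as listed by `headscale node list` in the issue.
NODES = {
    "100.211.0.1": {"name": "lab-itc", "namespace": "unit1"},
    "100.211.0.2": {"name": "minim1", "namespace": "unit1"},
    "100.211.0.3": {"name": "macpro", "namespace": "unit2"},
}

# Constructed policy (assumption: namespace names are usable as selectors,
# as in headscale v0.17). Each namespace may only reach its own nodes.
# In a real deployment this would live in the file named by
# `acl_policy_path` in config.yaml.
ISOLATED_POLICY = json.loads("""
{
  "acls": [
    {"action": "accept", "src": ["unit1"], "dst": ["unit1:*"]},
    {"action": "accept", "src": ["unit2"], "dst": ["unit2:*"]}
  ]
}
""")


def _port_allowed(ports, port):
    """ports is "*" or a comma list of numbers/ranges such as "22,80-443".
    port=None stands for traffic without a port (ICMP ping); only "*" matches it."""
    if ports == "*":
        return True
    if port is None:
        return False
    for item in ports.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _match_src(selector, src_ip):
    node = NODES[src_ip]
    return selector in ("*", node["namespace"], src_ip)


def _match_dst(selector, dst_ip, port):
    host, ports = selector.rsplit(":", 1)
    node = NODES[dst_ip]
    return host in ("*", node["namespace"], dst_ip) and _port_allowed(ports, port)


def is_allowed(policy, src_ip, dst_ip, port=None):
    """True if src_ip -> dst_ip:port passes the filter.

    policy=None models the issue's setup (no ACL loaded): everything passes.
    Otherwise only an "accept" rule whose src and dst both match opens the path;
    there is no "deny" action in this simplified model.
    """
    if policy is None:
        return True
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(_match_src(s, src_ip) for s in rule.get("src", [])):
            continue
        if any(_match_dst(d, dst_ip, port) for d in rule.get("dst", [])):
            return True
    return False


def reachability(policy, port=None):
    """Sorted list of (src, dst) pairs allowed between the issue's nodes."""
    return sorted(
        (s, d) for s in NODES for d in NODES if s != d and is_allowed(policy, s, d, port)
    )


if __name__ == "__main__":
    print("no ACL loaded:     ", reachability(None))
    print("isolated namespaces:", reachability(ISOLATED_POLICY))
```

With no policy all six directed pairs are reachable, which is the ping result in the issue; with the isolated policy only lab-itc and minim1 (both unit1) can reach each other, and the unit1 to macpro pings are dropped. Note that once any policy is loaded the filter is default-deny, so a cross-namespace path that is still wanted (for example unit2 reaching a shared service in unit1 on one port) needs its own explicit accept rule.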
Reference: starred/headscale#394