suspected bug with ipv4/ipv6 #456

Closed
opened 2025-12-29 01:29:36 +01:00 by adam · 3 comments

Originally created by @MaxMatti on GitHub (Mar 30, 2023).

Bug description

After setting up headscale as a systemd service according to the documentation with a `listen_addr: 0.0.0.0:16000`, netstat reports port 16000 only being open on ip `::`, not on `0.0.0.0`. The port is also not reachable from other devices. Unfortunately due to my network config I am unable to test whether the ipv6 port is reachable from other devices.

To Reproduce

full config file:

```yaml
---
server_url: http://[...]:16000
listen_addr: 0.0.0.0:16000
metrics_listen_addr: 127.0.0.1:9090
grpc_listen_addr: 127.0.0.1:50443
grpc_allow_insecure: false
private_key_path: /var/lib/headscale/private.key
noise:
  private_key_path: /var/lib/headscale/noise_private.key
ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
derp:
  server:
    enabled: false
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    stun_listen_addr: "0.0.0.0:3478"
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  paths: []
  auto_update_enabled: true
  update_frequency: 24h
disable_check_updates: false
ephemeral_node_inactivity_timeout: 30m
node_update_check_interval: 10s
db_type: sqlite3
db_path: /var/lib/headscale/db.sqlite
acme_url: https://acme-v02.api.letsencrypt.org/directory
acme_email: ""
tls_letsencrypt_hostname: ""
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
tls_cert_path: ""
tls_key_path: ""
log:
  format: text
  level: info
acl_policy_path: ""
dns_config:
  override_local_dns: true
  nameservers:
    - 9.9.9.9
    - 1.1.1.1
    - 8.8.8.8
  domains: []
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
logtail:
  enabled: false
randomize_client_port: false
```

Context info

  • Version of headscale used: v0.21.0
  • OS version:

```
Oracle Linux Server release 8.7
NAME="Oracle Linux Server"
VERSION="8.7"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="8.7"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Oracle Linux Server 8.7"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:oracle:linux:8:7:server"
HOME_URL="https://linux.oracle.com/"
BUG_REPORT_URL="https://bugzilla.oracle.com/"

ORACLE_BUGZILLA_PRODUCT="Oracle Linux 8"
ORACLE_BUGZILLA_PRODUCT_VERSION=8.7
ORACLE_SUPPORT_PRODUCT="Oracle Linux"
ORACLE_SUPPORT_PRODUCT_VERSION=8.7
Red Hat Enterprise Linux release 8.7 (Ootpa)
Oracle Linux Server release 8.7
```

(fresh install)

  • Kernel version: `Linux instance-20230329-2333 5.15.0-6.80.3.1.el8uek.x86_64 #2 SMP Tue Jan 10 11:28:16 PST 2023 x86_64 x86_64 x86_64 GNU/Linux`
  • Log output:

```
Mar 29 22:25:36 instance-20230329-2333 systemd[1]: Stopped headscale controller.
Mar 29 22:25:36 instance-20230329-2333 systemd[1]: Started headscale controller.
Mar 29 22:25:37 instance-20230329-2333 headscale[14722]: 2023-03-29T22:25:37Z INF Setting up a DERPMap update worker frequency=86400000
Mar 29 22:25:37 instance-20230329-2333 headscale[14722]: 2023-03-29T22:25:37Z INF listening and serving HTTP on: 0.0.0.0:16000
Mar 29 22:25:37 instance-20230329-2333 headscale[14722]: 2023-03-29T22:25:37Z INF listening and serving metrics on: 127.0.0.1:9090
```
adam added the bug label 2025-12-29 01:29:36 +01:00
adam closed this issue 2025-12-29 01:29:36 +01:00

@PikuZheng commented on GitHub (Apr 1, 2023):

[::]:16000 includes 0.0.0.0:16000 if you mean


@dunnl commented on GitHub (May 29, 2023):

If a service is listening on the same port on ipv4 and ipv6, it is common for `netstat` to show a single entry for `tcp6` (or `udp6`). Basically the ipv6 stack internally is able to handle ipv4 traffic as well. I think you should elaborate on what problem you're experiencing, and what you want to happen, because it's unclear from the report. Since you say `The port is also not reachable from other devices.`, you may just have a problem with your firewall configuration.

By the way, `netstat` has been deprecated for 10+ years I believe. The modern program is `ss` although the behavior will be similar.
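
The single `tcp6` entry described in the comment above can be reproduced in isolation with Go's standard `net` package, which documents that `Listen` with network `"tcp"` and an unspecified address listens on all available addresses, while `"tcp4"` restricts it to IPv4. This is an added example, not headscale's code or part of the original thread; `Probe` and `ProbeListen` are hypothetical names, and it is an assumption that the listener in question is opened with network `"tcp"`.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Probe records what one net.Listen call on 0.0.0.0 actually bound.
type Probe struct {
	Bound    string // address the kernel reports for the listening socket
	IPv6Sock bool   // true when the listener is an AF_INET6 wildcard ([::])
	ViaIPv4  bool   // connect to 127.0.0.1:<port> succeeded
	ViaIPv6  bool   // connect to [::1]:<port> succeeded
}

// dial reports whether a TCP connect to host:port completes within a second.
func dial(network, host string, port int) bool {
	c, err := net.DialTimeout(network, net.JoinHostPort(host, fmt.Sprint(port)), time.Second)
	if err != nil {
		return false
	}
	c.Close()
	return true
}

// ProbeListen (hypothetical helper) binds 0.0.0.0 on an ephemeral port with
// the given network, "tcp" or "tcp4", and tests reachability per family.
func ProbeListen(network string) (Probe, error) {
	ln, err := net.Listen(network, "0.0.0.0:0")
	if err != nil {
		return Probe{}, err
	}
	defer ln.Close()
	addr := ln.Addr().(*net.TCPAddr)
	return Probe{
		Bound:    addr.String(),
		IPv6Sock: addr.IP.To4() == nil,
		ViaIPv4:  dial("tcp4", "127.0.0.1", addr.Port),
		ViaIPv6:  dial("tcp6", "::1", addr.Port),
	}, nil
}

func main() {
	for _, network := range []string{"tcp", "tcp4"} {
		p, err := ProbeListen(network)
		fmt.Printf("%-4s -> %+v err=%v\n", network, p, err)
	}
}
```

On a host with IPv4-mapped IPv6 support, the `"tcp"` run reports a `[::]` bound address that is still reachable over `127.0.0.1`, so a configured `0.0.0.0` listener is exposed on both address families and the host firewall needs rules for each.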


@kradalby commented on GitHub (Jun 19, 2023):

Hi

Can you try with the official `.deb` package, or the `.rpm` repo provided at [copr.fedorainfracloud.org/coprs/jonathanspw/headscale](https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/)?

It sounds like a Linux thing, and not Headscale.

Reference: starred/headscale#456