ACL issue: specifying CIDR from subnet doesn't work #457

Closed
opened 2025-12-29 01:29:40 +01:00 by adam · 4 comments

Originally created by @realkarmakun on GitHub (Apr 1, 2023).

Bug description
Specifying a CIDR from a subnet (not tailscale networks) in the ACL doesn't allow access to the specified ports.

To Reproduce
Set up a tailscale node as a subnet router and specify an ACL similar to the one below.

```json
{
    "hosts": {
        "ovh-vrack": "10.0.1.0/24",
    },

    "acls": [
        {
            "action": "accept",
            "src":    ["group:panel"],
            "dst":    ["ovh-vrack:80,443"],
        },
    ],
}
```

This will not allow access to the 10.0.1.0/24 network from group:panel. But if we adjust this to the following:

```json
{
    "hosts": {
        "ovh-vrack": "10.0.1.0/24",
    },

    "acls": [
        {
            "action": "accept",
            "src":    ["group:panel"],
            "dst":    ["*:80,443"],
        },
    ],
}
```

It will work. Specifying a subnet CIDR in this way works with the original Tailscale ACLs but not with headscale.

Context info
Version of headscale used 0.21.0
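The behaviour the report expects is that a `hosts` alias bound to a CIDR matches every address inside that range, so `ovh-vrack:80,443` should admit `group:panel` to 10.0.1.5:443 without falling back to the wildcard `*:80,443` that opens those ports on every destination. The following is an added example, not headscale's or Tailscale's own policy engine: a small Python evaluator over a policy of the same shape as the one in the report, useful for sanity-checking which (user, destination, port) tuples an ACL is meant to allow before deploying it. The `groups` section and its members (`alice`, `bob`) are assumptions; the issue does not show how `group:panel` is defined, and the HuJSON handling is limited to stripping trailing commas.

```python
import ipaddress
import json
import re

# Constructed sample policy with the same shape as the one in the issue.
# The "groups" block and its members are assumptions for this example.
POLICY_HUJSON = """
{
    "groups": {
        "group:panel": ["alice", "bob"],
    },
    "hosts": {
        "ovh-vrack": "10.0.1.0/24",
    },
    "acls": [
        {
            "action": "accept",
            "src":    ["group:panel"],
            "dst":    ["ovh-vrack:80,443"],
        },
    ],
}
"""


def load_hujson(text):
    """Strip trailing commas so json.loads accepts the HuJSON-style policy (no comment support)."""
    cleaned = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(cleaned)


def expand_src(entry, policy):
    """Return the set of users an ACL src entry covers, or None for the wildcard '*'."""
    if entry == "*":
        return None
    if entry.startswith("group:"):
        return set(policy.get("groups", {}).get(entry, []))
    return {entry}


def parse_dst(entry, policy):
    """Split 'alias:ports' into (networks, ports).

    The alias may be a hosts name, a bare CIDR, a single IPv4 address or '*'.
    ports is a set of ints, or None when the port spec is '*'.
    """
    alias, _, portspec = entry.rpartition(":")
    target = policy.get("hosts", {}).get(alias, alias)
    if target == "*":
        networks = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    else:
        # A hosts entry that is a CIDR must match every address inside it.
        networks = [ipaddress.ip_network(target, strict=False)]
    ports = set()
    for part in portspec.split(","):
        if part == "*":
            return networks, None
        if "-" in part:
            lo, hi = part.split("-")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return networks, ports


def is_allowed(policy, user, dst_ip, dst_port):
    """True if some accept rule lets `user` reach dst_ip:dst_port (default deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        members = [expand_src(s, policy) for s in rule["src"]]
        if not any(m is None or user in m for m in members):
            continue
        for dst in rule["dst"]:
            networks, ports = parse_dst(dst, policy)
            # ip in net is False across address families, so mixed lists are safe.
            if any(ip in net for net in networks) and (ports is None or dst_port in ports):
                return True
    return False


POLICY = load_hujson(POLICY_HUJSON)

if __name__ == "__main__":
    for user, ip, port in [("alice", "10.0.1.25", 443), ("alice", "10.0.1.25", 22),
                           ("alice", "10.0.2.25", 443), ("carol", "10.0.1.25", 443)]:
        print(f"{user} -> {ip}:{port}: {'allow' if is_allowed(POLICY, user, ip, port) else 'deny'}")
```

Run as a script it prints the verdict for a handful of constructed tuples; under the CIDR semantics the report relies on, only `alice`/`bob` reaching ports 80 and 443 inside 10.0.1.0/24 are allowed, and everything else is denied. Comparing such an expected table against what a headscale instance actually permits is the quickest way to confirm whether the CIDR alias is being honoured or silently ignored.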

adam added the stalebug labels 2025-12-29 01:29:40 +01:00
adam closed this issue 2025-12-29 01:29:40 +01:00

@github-actions[bot] commented on GitHub (Sep 29, 2023):

This issue is stale because it has been open for 180 days with no activity.


@github-actions[bot] commented on GitHub (Oct 13, 2023):

This issue was closed because it has been inactive for 14 days since being marked as stale.


@realkarmakun commented on GitHub (Oct 16, 2023):

I believe this is still relevant.


@Jenjen1324 commented on GitHub (Nov 2, 2023):

I'm unable to configure ACLs with non-tailnets at all, regardless of whether it's a whole subnet or an IP address. The only thing I found that works is if I allow everything as stated here.
Did anyone have any luck with this?

Reference: starred/headscale#457