Subnet router ACL's broken on 0.23.0-alpha1 #581

New Issue

Closed

opened 2025-12-29 02:20:44 +01:00 by adam · 22 comments

adam commented 2025-12-29 02:20:44 +01:00

Owner

Copy Link

Originally created by @Sh4d on GitHub (Nov 15, 2023).

Bug description

If you define an ACL on 0.23.0-alpha1, it breaks subnet routing. It works if you allow access to 0.0.0.0/0, but anything more specific just breaks traffic.

Environment

Ubuntu server with headscale 0.23.0-alpha1 on public IP space
Ubuntu server with exit / subnet router on 1.52.1 on internal IP space
Windows test machine on 1.52.1

To Reproduce

1. Bring linux subnet router online with:

 tailscale up --advertise-routes=10.33.0.0/16 --login-server=https://XXXXX --hostname=Test-Exit --reset

2. Enable the route on the headscale server + make sure ipforwarding is enabled on test-exit
3. Configure this ACL:

{
  "groups": {
    "group:admins": ["user1"],
  },
  "acls": [
    { "action": "accept", "src": ["group:admins"], "dst": ["group:admins:*"] },
    { "action": "accept", "src": ["group:admins"], "dst": ["10.33.0.0/16:*"] },
    { "action": "accept", "src": ["group:admins"], "dst": ["0.0.0.0/0:*"] },
  ]
}

4. Ping 10.33.10.10 from the windows test machine, confirm it works
5. Comment out the allow 0.0.0.0/0, and kill -HUP headscaled
6. See ping stops working
7. Uncomment 0.0.0.0/0 again, kill -HUP, ping starts working

This exact same config works fine on 0.22.3.

Originally created by @Sh4d on GitHub (Nov 15, 2023). ## Bug description If you define an ACL on 0.23.0-alpha1, it breaks subnet routing. It works if you allow access to 0.0.0.0/0, but anything more specific just breaks traffic. ## Environment Ubuntu server with headscale 0.23.0-alpha1 on public IP space Ubuntu server with exit / subnet router on 1.52.1 on internal IP space Windows test machine on 1.52.1 ## To Reproduce 1. Bring linux subnet router online with: ``` tailscale up --advertise-routes=10.33.0.0/16 --login-server=https://XXXXX --hostname=Test-Exit --reset ``` 2. Enable the route on the headscale server + make sure ipforwarding is enabled on test-exit 3. Configure this ACL: ``` { "groups": { "group:admins": ["user1"], }, "acls": [ { "action": "accept", "src": ["group:admins"], "dst": ["group:admins:*"] }, { "action": "accept", "src": ["group:admins"], "dst": ["10.33.0.0/16:*"] }, { "action": "accept", "src": ["group:admins"], "dst": ["0.0.0.0/0:*"] }, ] } ``` 4. Ping 10.33.10.10 from the windows test machine, confirm it works 5. Comment out the allow 0.0.0.0/0, and kill -HUP headscaled 6. See ping stops working 7. Uncomment 0.0.0.0/0 again, kill -HUP, ping starts working This exact same config works fine on 0.22.3.

adam added the bug label 2025-12-29 02:20:44 +01:00

adam closed this issue 2025-12-29 02:20:44 +01:00

adam commented 2025-12-29 02:20:45 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Dec 10, 2023):

0.23.0-alpha2 addresses a series of issues with node synchronisation, online status and subnet routers, please test this release and report back if the issue still persist.

@kradalby commented on GitHub (Dec 10, 2023): [0.23.0-alpha2](https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha2) addresses a series of issues with node synchronisation, online status and subnet routers, please test this release and report back if the issue still persist.

adam commented 2025-12-29 02:20:45 +01:00

Author

Owner

Copy Link

@winterheart commented on GitHub (Dec 13, 2023):

Hello, seems 0.23.0-alpha2 still has this issue. I've just updated and reverted back to 0.22.3 mine deployment due inability to use subnet routers. On 0.22.3 all works as expected.

@winterheart commented on GitHub (Dec 13, 2023): Hello, seems 0.23.0-alpha2 still has this issue. I've just updated and reverted back to 0.22.3 mine deployment due inability to use subnet routers. On 0.22.3 all works as expected.

adam commented 2025-12-29 02:20:45 +01:00

Author

Owner

Copy Link

@jwischka commented on GitHub (Dec 19, 2023):

I think this may be related to the ACLs - I have an alpha2 where subnet routes are working properly (albeit I have not tested with nodes that are exit nodes).

@jwischka commented on GitHub (Dec 19, 2023): I think this may be related to the ACLs - I have an alpha2 where subnet routes are working properly (albeit I have not tested with nodes that are exit nodes).

adam commented 2025-12-29 02:20:45 +01:00

Author

Owner

Copy Link

@kfkawalec commented on GitHub (Dec 19, 2023):

@jwischka Can you share your ACL? I have the same problem, only ACL with "*:0" helps but its not what I want.

@kfkawalec commented on GitHub (Dec 19, 2023): @jwischka Can you share your ACL? I have the same problem, only ACL with "*:0" helps but its not what I want.

adam commented 2025-12-29 02:20:46 +01:00

Author

Owner

Copy Link

@jwischka commented on GitHub (Dec 20, 2023):

Mine are basically a series of:

{
  "acls": [
    {
      "action": "accept",
      "src": ["user1"],
      "dst": ["*:*"],
    },
    {
      "action": "accept",
      "src": ["user2"],
      "dst": ["user2:*"],
    },
    {
      "action": "accept",
      "src": ["user3"],
      "dst": ["user2:*"],
    },
  ],
  "disableIPv4": false,
  "randomizeClientPort": true,
}

@jwischka commented on GitHub (Dec 20, 2023): Mine are basically a series of: ``` { "acls": [ { "action": "accept", "src": ["user1"], "dst": ["*:*"], }, { "action": "accept", "src": ["user2"], "dst": ["user2:*"], }, { "action": "accept", "src": ["user3"], "dst": ["user2:*"], }, ], "disableIPv4": false, "randomizeClientPort": true, } ```

adam commented 2025-12-29 02:20:46 +01:00

Author

Owner

Copy Link

@kfkawalec commented on GitHub (Dec 20, 2023):

In my case:

• if user1 is the router, then user2 and user3 can connect through the router
• if user2 is the router, user1 can connet (:) but user3 cannot

@kfkawalec commented on GitHub (Dec 20, 2023): In my case: - if user1 is the router, then user2 and user3 can connect through the router - if user2 is the router, user1 can connet (*:*) but user3 cannot

adam commented 2025-12-29 02:20:46 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Jan 3, 2024):

@Sh4d @kfkawalec

Could you please get me a copy of the netmap from the nodes from both version 0.23.0-alpha2 and 0.22.3 so I can compare them?

You can do that with tailscale debug netmap > netmap.json for each node. I recon the most interesting node is the one that can no longer ping.

@kradalby commented on GitHub (Jan 3, 2024): @Sh4d @kfkawalec Could you please get me a copy of the netmap from the nodes from both version 0.23.0-alpha2 and 0.22.3 so I can compare them? You can do that with `tailscale debug netmap > netmap.json` for each node. I recon the most interesting node is the one that can no longer ping.

adam commented 2025-12-29 02:20:46 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Jan 3, 2024):

I think I have fixed this in https://github.com/juanfont/headscale/pull/1673, could you try that PR?

@kradalby commented on GitHub (Jan 3, 2024): I think I have fixed this in https://github.com/juanfont/headscale/pull/1673, could you try that PR?

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@kfkawalec commented on GitHub (Jan 5, 2024):

At the moment I do not have a 0.23.0-alpha2 installation.

@kfkawalec commented on GitHub (Jan 5, 2024): At the moment I do not have a 0.23.0-alpha2 installation.

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@sniff122 commented on GitHub (Jan 8, 2024):

Not sure if its entirely related, however I am seeing broken subnet routes when setting an ACL.

I have the following ACL:

"acls": [
            {
                "action": "accept",
                "src": [
                        "group:developers"
                ],
                "dst": [
                        "test-server"
                ]
            },
            {
                "action": "accept",
                "src": [
                        "group:developers"
                ],
                "dst": [
                        "group:developers:*"
                ]
            },
            {
                "action": "accept",
                "src": [
                    "*",
                    "group:internal-exitnode"
                ],
                "dst": [
                    "group:internal-exitnode:*"
                ]
            }
    ]

the test-server is defined as a host and is on the same subnet as a the "exit node" advertising the route for the subnet, it is enabled.

With this ACL config, i am not seeing the subnet route in the PacketFilterRules under DstPorts (still seeing the other 2 rules though).

When setting a wildcard dst for the developer group, i am able to ping everything on the subnet and can see the wildcard in DstPorts in the PacketFilterRules.

I have also tried @kradalby's #1673 with the same result.

Tried on MacOS, Windows and Linux clients with the exact same result, running a packet capture on the client for the tailscale interface shows the ICMP with no response found, running a wireshark sshdump on tailscale0 of the subnet route server, i see no ICMP packets

@sniff122 commented on GitHub (Jan 8, 2024): Not sure if its entirely related, however I am seeing broken subnet routes when setting an ACL. I have the following ACL: ``` "acls": [ { "action": "accept", "src": [ "group:developers" ], "dst": [ "test-server" ] }, { "action": "accept", "src": [ "group:developers" ], "dst": [ "group:developers:*" ] }, { "action": "accept", "src": [ "*", "group:internal-exitnode" ], "dst": [ "group:internal-exitnode:*" ] } ] ``` the test-server is defined as a host and is on the same subnet as a the "exit node" advertising the route for the subnet, it is enabled. With this ACL config, i am not seeing the subnet route in the PacketFilterRules under DstPorts (still seeing the other 2 rules though). When setting a wildcard dst for the developer group, i am able to ping everything on the subnet and can see the wildcard in DstPorts in the PacketFilterRules. I have also tried @kradalby's #1673 with the same result. Tried on MacOS, Windows and Linux clients with the exact same result, running a packet capture on the client for the tailscale interface shows the ICMP with no response found, running a wireshark sshdump on tailscale0 of the subnet route server, i see no ICMP packets

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Jan 8, 2024):

@sniff122 does it work with 0.22.3? I just want to understand if it is already broken or a regression.

@kradalby commented on GitHub (Jan 8, 2024): @sniff122 does it work with 0.22.3? I just want to understand if it is already broken or a regression.

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@sniff122 commented on GitHub (Jan 8, 2024):

@kradalby I believe I was having the issue that was fixed by #1564 which is in 0.23.0-alpha2, i shall try 0.22.3 again

@sniff122 commented on GitHub (Jan 8, 2024): @kradalby I believe I was having the issue that was fixed by #1564 which is in 0.23.0-alpha2, i shall try 0.22.3 again

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@sniff122 commented on GitHub (Jan 8, 2024):

It doesnt look like i have a recent snapshot of my VM with 0.22.3 however with 0.23.0-alpha1 the issues are still present

@sniff122 commented on GitHub (Jan 8, 2024): It doesnt look like i have a recent snapshot of my VM with 0.22.3 however with 0.23.0-alpha1 the issues are still present

adam commented 2025-12-29 02:20:47 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Jan 9, 2024):

ok, I it would be ideal to get that tested as it will indicate if it is a new issue or an already existing one.

If it is a new issue (since 0.22.3), it will block the new release, but if it is an existing issue, then we should create a separate issue and solve it after 0.23.0 goes out.

@kradalby commented on GitHub (Jan 9, 2024): ok, I it would be ideal to get that tested as it will indicate if it is a new issue or an already existing one. If it is a new issue (since 0.22.3), it will block the new release, but if it is an existing issue, then we should create a separate issue and solve it after 0.23.0 goes out.

adam commented 2025-12-29 02:20:48 +01:00

Author

Owner

Copy Link

@Sh4d commented on GitHub (Jan 9, 2024):

I just tested and confirmed this issue still exists on headscale_0.23.0-alpha2_linux_amd64.deb

@Sh4d commented on GitHub (Jan 9, 2024): I just tested and confirmed this issue still exists on headscale_0.23.0-alpha2_linux_amd64.deb

adam commented 2025-12-29 02:20:48 +01:00

Author

Owner

Copy Link

@Sh4d commented on GitHub (Jan 9, 2024):

Here's a (slightly scrubbed) netmap from the client while broken. I was using the exact ACL at the top of this issue with just the allow 0.0.0.0 removed.

netmap.txt

@Sh4d commented on GitHub (Jan 9, 2024): Here's a (slightly scrubbed) netmap from the client while broken. I was using the exact ACL at the top of this issue with just the allow 0.0.0.0 removed. [netmap.txt](https://github.com/juanfont/headscale/files/13877293/netmap.txt)

adam commented 2025-12-29 02:20:48 +01:00

Author

Owner

Copy Link

@sniff122 commented on GitHub (Jan 15, 2024):

ok, I it would be ideal to get that tested as it will indicate if it is a new issue or an already existing one.

If it is a new issue (since 0.22.3), it will block the new release, but if it is an existing issue, then we should create a separate issue and solve it after 0.23.0 goes out.

@kradalby

Just tested with 0.22.3, found an older backup and it ACLs appear to be working fine

@sniff122 commented on GitHub (Jan 15, 2024): > ok, I it would be ideal to get that tested as it will indicate if it is a new issue or an already existing one. > > If it is a new issue (since 0.22.3), it will block the new release, but if it is an existing issue, then we should create a separate issue and solve it after 0.23.0 goes out. @kradalby Just tested with 0.22.3, found an older backup and it ACLs appear to be working fine

adam commented 2025-12-29 02:20:48 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Jan 18, 2024):

Could you give 0.23.0-alpha3 a go and report back?

@kradalby commented on GitHub (Jan 18, 2024): Could you give 0.23.0-alpha3 a go and report back?

adam commented 2025-12-29 02:20:48 +01:00

Author

Owner

Copy Link

@Sh4d commented on GitHub (Jan 19, 2024):

My install is prod now unfortunately so I'll need to spin up a test environment. Hopefully can do that next week.

@Sh4d commented on GitHub (Jan 19, 2024): My install is prod now unfortunately so I'll need to spin up a test environment. Hopefully can do that next week.

adam commented 2025-12-29 02:20:49 +01:00

Author

Owner

Copy Link

@oneingan commented on GitHub (Jan 24, 2024):

I am having the same problem with 0.23.0-alpha3. Let me know if I can help debugging it in some way.

@oneingan commented on GitHub (Jan 24, 2024): I am having the same problem with 0.23.0-alpha3. Let me know if I can help debugging it in some way.

adam commented 2025-12-29 02:20:49 +01:00

Author

Owner

Copy Link

@TotoTheDragon commented on GitHub (Feb 8, 2024):

Have checked into this, it seems the user connecting to the subnet needs 'access' to the device/user the subnet is on.
Cannot ping when acl is

acls:
  - action: accept
    src: 
      - "group:admin"
    dst:
      - "10.0.0.0/16:*"

Can ping when acl is

acls:
 - action: accept
   src: 
     - "group:admin"
   dst:
     - "10.0.0.0/16:*"
     - "node:0"

TL;DR peers are not inferred by advertised routes
Is this intended @kradalby ?

@TotoTheDragon commented on GitHub (Feb 8, 2024): Have checked into this, it seems the user connecting to the subnet needs 'access' to the device/user the subnet is on. Cannot ping when acl is ```yaml acls: - action: accept src: - "group:admin" dst: - "10.0.0.0/16:*" ``` Can ping when acl is ```yaml acls: - action: accept src: - "group:admin" dst: - "10.0.0.0/16:*" - "node:0" ``` TL;DR peers are not inferred by advertised routes Is this intended @kradalby ?

adam commented 2025-12-29 02:20:49 +01:00

Author

Owner

Copy Link

@TotoTheDragon commented on GitHub (Feb 8, 2024):

Related netmap when not working

{
  "PacketFilter": [
    {
      "IPProto": [
        6,
        17,
        1,
        58
      ],
      "Srcs": [
        "100.64.0.1/32",
        "fd7a:115c:a1e0::1/128"
      ],
      "Dsts": [
        {
          "Net": "10.0.0.0/16",
          "Ports": {
            "First": 0,
            "Last": 65535
          }
        }
      ],
      "Caps": []
    }
  ],
  "PacketFilterRules": [
    {
      "SrcIPs": [
        "100.64.0.1/32",
        "fd7a:115c:a1e0::1/128"
      ],
      "DstPorts": [
        {
          "IP": "10.0.0.0/16",
          "Bits": null,
          "Ports": {
            "First": 0,
            "Last": 65535
          }
        }
      ]
    }
  ]
}

Related netmap when working

{
  "PacketFilter": [
    {
      "IPProto": [
        6,
        17,
        1,
        58
      ],
      "Srcs": [
        "100.64.0.1/32",
        "fd7a:115c:a1e0::1/128"
      ],
      "Dsts": [
        {
          "Net": "10.0.0.0/16",
          "Ports": {
            "First": 0,
            "Last": 65535
          }
        },
        {
          "Net": "100.64.0.2/32",
          "Ports": {
            "First": 0,
            "Last": 0
          }
        },
        {
          "Net": "fd7a:115c:a1e0::2/128",
          "Ports": {
            "First": 0,
            "Last": 0
          }
        }
      ],
      "Caps": []
    }
  ],
  "PacketFilterRules": [
    {
      "SrcIPs": [
        "100.64.0.1/32",
        "fd7a:115c:a1e0::1/128"
      ],
      "DstPorts": [
        {
          "IP": "10.0.0.0/16",
          "Bits": null,
          "Ports": {
            "First": 0,
            "Last": 65535
          }
        },
        {
          "IP": "100.64.0.2/32",
          "Bits": null,
          "Ports": {
            "First": 0,
            "Last": 0
          }
        },
        {
          "IP": "fd7a:115c:a1e0::2/128",
          "Bits": null,
          "Ports": {
            "First": 0,
            "Last": 0
          }
        }
      ]
    }
  ]
}

@TotoTheDragon commented on GitHub (Feb 8, 2024): Related netmap when not working ```json { "PacketFilter": [ { "IPProto": [ 6, 17, 1, 58 ], "Srcs": [ "100.64.0.1/32", "fd7a:115c:a1e0::1/128" ], "Dsts": [ { "Net": "10.0.0.0/16", "Ports": { "First": 0, "Last": 65535 } } ], "Caps": [] } ], "PacketFilterRules": [ { "SrcIPs": [ "100.64.0.1/32", "fd7a:115c:a1e0::1/128" ], "DstPorts": [ { "IP": "10.0.0.0/16", "Bits": null, "Ports": { "First": 0, "Last": 65535 } } ] } ] } ``` Related netmap when working ```json { "PacketFilter": [ { "IPProto": [ 6, 17, 1, 58 ], "Srcs": [ "100.64.0.1/32", "fd7a:115c:a1e0::1/128" ], "Dsts": [ { "Net": "10.0.0.0/16", "Ports": { "First": 0, "Last": 65535 } }, { "Net": "100.64.0.2/32", "Ports": { "First": 0, "Last": 0 } }, { "Net": "fd7a:115c:a1e0::2/128", "Ports": { "First": 0, "Last": 0 } } ], "Caps": [] } ], "PacketFilterRules": [ { "SrcIPs": [ "100.64.0.1/32", "fd7a:115c:a1e0::1/128" ], "DstPorts": [ { "IP": "10.0.0.0/16", "Bits": null, "Ports": { "First": 0, "Last": 65535 } }, { "IP": "100.64.0.2/32", "Bits": null, "Ports": { "First": 0, "Last": 0 } }, { "IP": "fd7a:115c:a1e0::2/128", "Bits": null, "Ports": { "First": 0, "Last": 0 } } ] } ] } ```

adam referenced this issue 2025-12-29 02:30:17 +01:00

[PR #581] [CLOSED] added cli options to output ACLs #1497

adam referenced this issue 2025-12-29 02:30:56 +01:00

[PR #743] [CLOSED] docs(proposals): add proposal for the ACL API #1613

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#581