ACLs not working with IPV6 (reopening of #809) #582

Closed
opened 2025-12-29 02:20:44 +01:00 by adam · 6 comments
Owner

Originally created by @paladincorners on GitHub (Nov 16, 2023).

Bug description

In ACLs, if using an IPv6 address, e.g. "2000::/3:*" in the "dest" field (to allow access to the internet through IPv6 through exit nodes), you get the following error:
FTL Could not load the ACL policy error="failed to parse destination, tokens [2000 /3 *]: invalid port format"

This is akin to the issue in #809. Although I am on headscale v0.22.3, I cannot upgrade to v0.23 due to possibly related issue #1604. I did check the commit history though for the fix for #809 and the fix should have been incorporated in v0.22.2 already.

Note that the solution of adding the IPv6 as a host first did not work for me and resulted in another error.

Environment

  • Version of headscale used: 0.22.3
  • Version of tailscale client: 1.52
  • OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version: Ubuntu server
  • [ No] Headscale is behind a (reverse) proxy
  • [ No] Headscale runs in a container

To Reproduce

  1. Add following rule to ACL (rule should enable all IPv4 and IPv6 traffic to internet through exit nodes):
{
      "action": "accept",
      "src": ["*"],
      "dst": ["0.0.0.0/5:*", "8.0.0.0/7:*", "11.0.0.0/8:*", "12.0.0.0/6:*", "16.0.0.0/4:*", "32.0.0.0/3:*", "64.0.0.0/3:*", "96.0.0.0/6:*", "100.0.0.0/10:*", "100.128.0.0/9:*", "101.0.0.0/8:*", "102.0.0.0/7:*", "104.0.0.0/5:*", "112.0.0.0/4:*", "128.0.0.0/3:*", "160.0.0.0/5:*", "168.0.0.0/8:*", "169.0.0.0/9:*", "169.128.0.0/10:*", "169.192.0.0/11:*", "169.224.0.0/12:*", "169.240.0.0/13:*", "169.248.0.0/14:*", "169.252.0.0/15:*", "169.255.0.0/16:*", "170.0.0.0/7:*", "172.0.0.0/12:*", "172.32.0.0/11:*", "172.64.0.0/10:*", "172.128.0.0/9:*", "173.0.0.0/8:*", "174.0.0.0/7:*", "176.0.0.0/4:*", "192.0.0.0/9:*", "192.128.0.0/11:*", "192.160.0.0/13:*", "192.169.0.0/16:*", "192.170.0.0/15:*", "192.172.0.0/14:*", "192.176.0.0/12:*", "192.192.0.0/10:*", "193.0.0.0/8:*", "194.0.0.0/7:*", "196.0.0.0/6:*", "200.0.0.0/5:*", "208.0.0.0/4:*", "2000::/3"],
    },
  2. Run headscale serve
  3. Get error
adam added the stalebug labels 2025-12-29 02:20:44 +01:00
adam closed this issue 2025-12-29 02:20:45 +01:00

@Sh4d commented on GitHub (Nov 17, 2023):

You're missing the port, and I think you need square brackets around your IP

See: https://tailscale.com/kb/1018/acls/

Tailscale IP | 100.101.102.103 | Only the device that owns the given Tailscale IP. IPv6 addresses must follow the format [1:2:3::4]:80.

Try using "[2000::/3]:*"


@paladincorners commented on GitHub (Nov 19, 2023):

Hi, thank you for the advice. Your suggestion appears to work if I add the IPv6 IP "[2000::/3]:*" as a host first and then used the host name in the ACL rule. However, using the IP directly in the rule, with the format you specified, still did not work.

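The bracket rule Sh4d points to ("[2000::/3]:*") and the hosts-alias workaround described in the reply above, shown as an added Go example. This is not headscale's own ACL parser; the function name, the `hosts` map layout and the exact error strings are assumptions made here. It illustrates why a bare IPv6 prefix cannot be split on ":" into host and port, and how the bracketed form and a hosts alias both resolve cleanly:

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// Destination is the parsed form of one ACL "dst" entry such as
// "10.0.0.0/8:*" or "[2000::/3]:443".
type Destination struct {
	Prefix netip.Prefix // network the rule applies to (canonical, masked)
	Port   string       // "*" or a decimal port number as written
}

// ParseDestination splits an ACL destination into prefix and port.
// IPv6 must be written in square brackets ("[2000::/3]:*"): a bare IPv6
// string contains colons of its own, so "2000::/3:*" cannot be split
// unambiguously at the port separator. hosts maps alias names to CIDR
// or address strings (assumed layout, mirroring a policy "hosts" section).
func ParseDestination(dst string, hosts map[string]string) (Destination, error) {
	var hostPart, portPart string

	if strings.HasPrefix(dst, "[") {
		end := strings.Index(dst, "]")
		if end < 0 {
			return Destination{}, fmt.Errorf("unterminated '[' in %q", dst)
		}
		hostPart = dst[1:end]
		rest := dst[end+1:]
		if !strings.HasPrefix(rest, ":") {
			return Destination{}, fmt.Errorf("missing port after ']' in %q", dst)
		}
		portPart = rest[1:]
	} else {
		i := strings.LastIndex(dst, ":")
		if i < 0 {
			return Destination{}, fmt.Errorf("missing port in %q", dst)
		}
		hostPart, portPart = dst[:i], dst[i+1:]
		// Any remaining colon means an unbracketed IPv6 literal.
		if strings.Contains(hostPart, ":") {
			return Destination{}, fmt.Errorf(
				"failed to parse destination %q: IPv6 must be bracketed, e.g. \"[2000::/3]:*\"", dst)
		}
	}

	// Port: wildcard or a single TCP/UDP port number.
	if portPart != "*" {
		n, err := strconv.Atoi(portPart)
		if err != nil || n < 1 || n > 65535 {
			return Destination{}, fmt.Errorf("invalid port format %q in %q", portPart, dst)
		}
	}

	// Resolve a hosts alias before parsing the network.
	if cidr, ok := hosts[hostPart]; ok {
		hostPart = cidr
	}

	// Accept either a CIDR prefix or a single address (treated as /32 or /128).
	prefix, err := netip.ParsePrefix(hostPart)
	if err != nil {
		addr, aerr := netip.ParseAddr(hostPart)
		if aerr != nil {
			return Destination{}, fmt.Errorf("host %q in %q is neither a prefix nor an address", hostPart, dst)
		}
		prefix = netip.PrefixFrom(addr, addr.BitLen())
	}
	return Destination{Prefix: prefix.Masked(), Port: portPart}, nil
}

func main() {
	// Constructed sample entries, including the failing form from the report.
	hosts := map[string]string{"internet6": "2000::/3"}
	for _, dst := range []string{
		"10.0.0.0/8:*", "[2000::/3]:*", "2000::/3:*", "[fd7a:115c:a1e0::1]:22", "internet6:*",
	} {
		d, err := ParseDestination(dst, hosts)
		if err != nil {
			fmt.Printf("%-26s -> error: %v\n", dst, err)
			continue
		}
		fmt.Printf("%-26s -> prefix=%s port=%s\n", dst, d.Prefix, d.Port)
	}
}
```

Running it shows the unbracketed "2000::/3:*" rejected while "[2000::/3]:*" and the "internet6" alias both resolve to 2000::/3 with the wildcard port; an alias only helps because the alias name itself contains no colon, which is why the hosts workaround in the thread sidesteps the parsing problem.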

@Sh4d commented on GitHub (Nov 19, 2023):

Looks like that's a client limitation. See https://github.com/tailscale/tailscale/issues/4727


@neeythann commented on GitHub (Nov 25, 2023):

See https://github.com/juanfont/headscale/commit/c72401a99b4cdf49655b08b2f4d5c3a49ae116c2


@github-actions[bot] commented on GitHub (Feb 24, 2024):

This issue is stale because it has been open for 90 days with no activity.


@github-actions[bot] commented on GitHub (Mar 2, 2024):

This issue was closed because it has been inactive for 14 days since being marked as stale.

Reference: starred/headscale#582