node in exit-node mode not forwarding traffic to same network which belongs external interface #589

New Issue

adam · 2025-12-29T02:20:54+01:00

adam commented

2025-12-29 02:20:54 +01:00

Originally created by @winterheart on GitHub (Dec 8, 2023).

Bug description

I have two nodes in headscale/tailscale network, one of them is exit-node with external IP:

node1 (exit-node):

Internal IP: 10.1.0.2/24, External IP: 88.88.88.2/24

node2 (client)

Internal IP 10.2.0.2/24

When I try use node1 as exit-node, it works as expected except that fact I cannot access to any IP address of external subnet 88.88.88.0/24 (same network for node1):

ping -c1 88.88.88.3 # OK
ping -c1 8.8.8.8 # OK, any other external IP
tailscale up --exit-node=node1 --accept-routes --login-server=https://vpn.example.com
ping -c1 88.88.88.3 # FAIL, no response
ping -c1 8.8.8.8 # Still OK

After switch to exit-node there no any traffic on tailscale0 interface on node1 related to 88.88.88.3, but any other external traffic from node2 to the Internet goes without any problems.

Environment

headscale v0.22.3
tailscale 1.50.1-ERR-BuildInfo
OS Linux on both clients, kernel 6.1.*

Exit node has -A POSTROUTING -o tailscale0 -j MASQUERADE iptables rule in nat table.

ACL related to exit-nodes (user in admins and exitpoints groups, node1 has exitpoints tag):

  - action: accept
    src:
      - group:admins
      - group:exitpoints
    dst:
      - tag:exitpoints:*
      # Ugly list in abscese of autogroup:internet :( https://github.com/juanfont/headscale/issues/657
      - 0.0.0.0/5:*
      - 8.0.0.0/7:*
      - 11.0.0.0/8:*
      - 12.0.0.0/6:*
      - 16.0.0.0/4:*
      - 32.0.0.0/3:*
      - 64.0.0.0/3:*
      - 96.0.0.0/6:*
      - 100.0.0.0/10:*
      - 100.128.0.0/9:*
      - 101.0.0.0/8:*
      - 102.0.0.0/7:*
      - 104.0.0.0/5:*
      - 112.0.0.0/5:*
      - 120.0.0.0/6:*
      - 124.0.0.0/7:*
      - 126.0.0.0/8:*
      - 128.0.0.0/3:*
      - 160.0.0.0/5:*
      - 168.0.0.0/6:*
      - 172.0.0.0/12:*
      - 172.32.0.0/11:*
      - 172.64.0.0/10:*
      - 172.128.0.0/9:*
      - 173.0.0.0/8:*
      - 174.0.0.0/7:*
      - 176.0.0.0/4:*
      - 192.0.0.0/9:*
      - 192.128.0.0/11:*
      - 192.160.0.0/13:*
      - 192.169.0.0/16:*
      - 192.170.0.0/15:*
      - 192.172.0.0/14:*
      - 192.176.0.0/12:*
      - 192.192.0.0/10:*
      - 193.0.0.0/8:*
      - 194.0.0.0/7:*
      - 196.0.0.0/6:*
      - 200.0.0.0/5:*
      - 208.0.0.0/4:*

Headscale is behind a (reverse) proxy
Headscale runs in a container

To Reproduce

Run two clients, one as exit-node with external interface. Add relevant ACL to allow using exit-node. Enable exit-node on second client and try to access to any IP from exit-node external subnet.

Originally created by @winterheart on GitHub (Dec 8, 2023). ## Bug description I have two nodes in headscale/tailscale network, one of them is exit-node with external IP: node1 (exit-node): * Internal IP: 10.1.0.2/24, External IP: 88.88.88.2/24 node2 (client) * Internal IP 10.2.0.2/24 When I try use node1 as exit-node, it works as expected except that fact I cannot access to any IP address of external subnet 88.88.88.0/24 (same network for node1): ``` ping -c1 88.88.88.3 # OK ping -c1 8.8.8.8 # OK, any other external IP tailscale up --exit-node=node1 --accept-routes --login-server=https://vpn.example.com ping -c1 88.88.88.3 # FAIL, no response ping -c1 8.8.8.8 # Still OK ``` After switch to exit-node there no any traffic on `tailscale0` interface on node1 related to 88.88.88.3, but any other external traffic from node2 to the Internet goes without any problems. ## Environment * headscale v0.22.3 * tailscale 1.50.1-ERR-BuildInfo * OS Linux on both clients, kernel 6.1.* Exit node has `-A POSTROUTING -o tailscale0 -j MASQUERADE` iptables rule in nat table. ACL related to exit-nodes (user in `admins` and `exitpoints` groups, node1 has `exitpoints` tag): ``` - action: accept src: - group:admins - group:exitpoints dst: - tag:exitpoints:* # Ugly list in abscese of autogroup:internet :( https://github.com/juanfont/headscale/issues/657 - 0.0.0.0/5:* - 8.0.0.0/7:* - 11.0.0.0/8:* - 12.0.0.0/6:* - 16.0.0.0/4:* - 32.0.0.0/3:* - 64.0.0.0/3:* - 96.0.0.0/6:* - 100.0.0.0/10:* - 100.128.0.0/9:* - 101.0.0.0/8:* - 102.0.0.0/7:* - 104.0.0.0/5:* - 112.0.0.0/5:* - 120.0.0.0/6:* - 124.0.0.0/7:* - 126.0.0.0/8:* - 128.0.0.0/3:* - 160.0.0.0/5:* - 168.0.0.0/6:* - 172.0.0.0/12:* - 172.32.0.0/11:* - 172.64.0.0/10:* - 172.128.0.0/9:* - 173.0.0.0/8:* - 174.0.0.0/7:* - 176.0.0.0/4:* - 192.0.0.0/9:* - 192.128.0.0/11:* - 192.160.0.0/13:* - 192.169.0.0/16:* - 192.170.0.0/15:* - 192.172.0.0/14:* - 192.176.0.0/12:* - 192.192.0.0/10:* - 193.0.0.0/8:* - 194.0.0.0/7:* - 196.0.0.0/6:* - 200.0.0.0/5:* - 208.0.0.0/4:* ``` - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ## To Reproduce Run two clients, one as exit-node with external interface. Add relevant ACL to allow using exit-node. Enable exit-node on second client and try to access to any IP from exit-node external subnet.

adam added the stale bug labels 2025-12-29 02:20:54 +01:00

adam closed this issue

2025-12-29 02:20:54 +01:00

adam commented

2025-12-29 02:20:54 +01:00

@kradalby commented on GitHub (Dec 10, 2023):

0.23.0-alpha2 addresses a series of issues with node synchronisation, online status and subnet routers, please test this release and report back if the issue still persist.

@kradalby commented on GitHub (Dec 10, 2023): [0.23.0-alpha2](https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha2) addresses a series of issues with node synchronisation, online status and subnet routers, please test this release and report back if the issue still persist.

adam commented

2025-12-29 02:20:55 +01:00

@winterheart commented on GitHub (Dec 13, 2023):

Hello. Cannot verify 0.23.0-alpha2 due #1604 issue. Seems subnet router feature broken on old configuration and new version.

@winterheart commented on GitHub (Dec 13, 2023): Hello. Cannot verify 0.23.0-alpha2 due #1604 issue. Seems subnet router feature broken on old configuration and new version.

adam commented

2025-12-29 02:20:55 +01:00

@r1s1us commented on GitHub (Dec 25, 2023):

Hello, I have the same problem, because of which I can't use the application in the enterprise(can't get acl and exit-node to work) how to fix this problem? On 0.23.0-alpha2 the problem remains(

@r1s1us commented on GitHub (Dec 25, 2023): Hello, I have the same problem, because of which I can't use the application in the enterprise(can't get acl and exit-node to work) how to fix this problem? On 0.23.0-alpha2 the problem remains(

adam commented

2025-12-29 02:20:55 +01:00

@kradalby commented on GitHub (Jan 3, 2024):

@winterheart am I correct to understand that this is a problem in versions prior to the new 0.23.0 alpha releases?

@kradalby commented on GitHub (Jan 3, 2024): @winterheart am I correct to understand that this is a problem in versions prior to the new 0.23.0 alpha releases?

adam commented

2025-12-29 02:20:55 +01:00

@winterheart commented on GitHub (Jan 3, 2024):

Yes, problem occurs in current stable 0.22.3.

@winterheart commented on GitHub (Jan 3, 2024): Yes, problem occurs in current stable 0.22.3.

adam commented

2025-12-29 02:20:55 +01:00

@kradalby commented on GitHub (Jan 3, 2024):

@winterheart could you attempt to run this again with https://github.com/juanfont/headscale/pull/1673? It fixes the subnet router for 0.23.0.

If that does not fix it, we will move on with 0.23.0 first, as this is not a new bug (present in 0.22.3) and then fix it in future versions, not holding up 0.23.0 any longer.

@kradalby commented on GitHub (Jan 3, 2024): @winterheart could you attempt to run this again with https://github.com/juanfont/headscale/pull/1673? It fixes the subnet router for 0.23.0. If that does not fix it, we will move on with 0.23.0 first, as this is not a new bug (present in 0.22.3) and then fix it in future versions, not holding up 0.23.0 any longer.

adam commented

2025-12-29 02:20:55 +01:00

@ChibangLW commented on GitHub (Feb 20, 2024):

@winterheart tailscale has the flag --exit-node-allow-lan-access which is disabled by default. Did you used that flag?

Given that 10.1.0.2/24 is not in your ACL it should not be accessible to node1 via headscale. Doesn't really matter in this case as it is directly connected anyway.

@ChibangLW commented on GitHub (Feb 20, 2024): @winterheart tailscale has the flag `--exit-node-allow-lan-access` which is disabled by default. Did you used that flag? Given that 10.1.0.2/24 is not in your ACL it should not be accessible to node1 via headscale. Doesn't really matter in this case as it is directly connected anyway.

adam commented

2025-12-29 02:20:56 +01:00

@winterheart commented on GitHub (Mar 25, 2024):

@winterheart tailscale has the flag --exit-node-allow-lan-access which is disabled by default. Did you used that flag?

Given that 10.1.0.2/24 is not in your ACL it should not be accessible to node1 via headscale. Doesn't really matter in this case as it is directly connected anyway.

I've retested with 0.23.0-alpha5 and --exit-node-allow-lan-access on node2 and still same problem, no access to external IP of node1.

@winterheart commented on GitHub (Mar 25, 2024): > @winterheart tailscale has the flag `--exit-node-allow-lan-access` which is disabled by default. Did you used that flag? > > Given that 10.1.0.2/24 is not in your ACL it should not be accessible to node1 via headscale. Doesn't really matter in this case as it is directly connected anyway. I've retested with 0.23.0-alpha5 and `--exit-node-allow-lan-access` on node2 and still same problem, no access to external IP of node1.

adam commented

2025-12-29 02:20:56 +01:00

@ChibangLW commented on GitHub (Mar 25, 2024):

I've retested with 0.23.0-alpha5 and --exit-node-allow-lan-access on node2 and still same problem, no access to external IP of node1.

From my understanding to option should be used on node1, because you try to connect to the directly connected network on node1 from node2. It's an option for the exit-node.

@ChibangLW commented on GitHub (Mar 25, 2024): > I've retested with 0.23.0-alpha5 and `--exit-node-allow-lan-access` on node2 and still same problem, no access to external IP of node1. From my understanding to option should be used on node1, because you try to connect to the directly connected network on node1 from node2. It's an option for the exit-node.

adam commented

2025-12-29 02:20:56 +01:00

@winterheart commented on GitHub (Mar 25, 2024):

--exit-node-allow-lan-access can be used only with --exit-node=<node> so I really no idea how use it on exit node but not in node that tries connect to.

@winterheart commented on GitHub (Mar 25, 2024): `--exit-node-allow-lan-access` can be used only with `--exit-node=<node>` so I really no idea how use it on exit node but not in node that tries connect to.

adam commented

2025-12-29 02:20:56 +01:00

@ChibangLW commented on GitHub (Mar 25, 2024):

Okay never mind, I misunderstood the option.

EDIT: for clarification from the source code:

// ExitNodeAllowLANAccess indicates whether locally accessible subnets should be
// routed directly or via the exit node.

@ChibangLW commented on GitHub (Mar 25, 2024): Okay never mind, I misunderstood the option. EDIT: for clarification from the source code: ``` // ExitNodeAllowLANAccess indicates whether locally accessible subnets should be // routed directly or via the exit node. ```

adam commented

2025-12-29 02:20:56 +01:00

@ElyasAsmad commented on GitHub (Mar 30, 2024):

Any update on this matter? I have been tinkering around with WireGuard & OpenVPN because of this issue and by far only headscale meets my requirement

@ElyasAsmad commented on GitHub (Mar 30, 2024): Any update on this matter? I have been tinkering around with WireGuard & OpenVPN because of this issue and by far only headscale meets my requirement

adam commented

2025-12-29 02:20:56 +01:00

@winterheart commented on GitHub (May 14, 2024):

Retested on 0.23.0-alpha11, problem still occurs.

@winterheart commented on GitHub (May 14, 2024): Retested on 0.23.0-alpha11, problem still occurs.

adam commented

2025-12-29 02:20:56 +01:00

@github-actions[bot] commented on GitHub (Aug 13, 2024):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Aug 13, 2024): This issue is stale because it has been open for 90 days with no activity.

adam commented

2025-12-29 02:20:57 +01:00

@github-actions[bot] commented on GitHub (Aug 21, 2024):

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions[bot] commented on GitHub (Aug 21, 2024): This issue was closed because it has been inactive for 14 days since being marked as stale.

adam commented

2025-12-29 02:20:57 +01:00

@arthur-lbchn commented on GitHub (Jul 14, 2025):

Hi, I'm facing exactly the same issue as the original reporter. While connected to the exit node with a public IP address from a /27 network, I cannot reach any other hosts in this /27 network. I don't have any ACLs configured. The hosts are reachable when not connected to the exit node and are also reachable from the exit node itself.

@arthur-lbchn commented on GitHub (Jul 14, 2025): Hi, I'm facing exactly the same issue as the original reporter. While connected to the exit node with a public IP address from a /27 network, I cannot reach any other hosts in this /27 network. I don't have any ACLs configured. The hosts are reachable when not connected to the exit node and are also reachable from the exit node itself.

adam referenced this issue

2025-12-29 02:30:19 +01:00

[PR #589] [CLOSED] Adding DataDog tracer #1504

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#589