Allow multicast traffic to flow through the network #653

New Issue

adam · 2025-12-29T02:21:39+01:00

adam commented

2025-12-29 02:21:39 +01:00

Originally created by @WhyNotHugo on GitHub (Feb 27, 2024).

Why

Currently clients connect using headscale/tailscale cannot route multicast traffic to each other, which means standard protocols like mDNS don't work. The result is that clients cannot discover each other as if they were in the same network.

Bespoke discovery protocols, like syncthing's local discovery (also done over multicast) can't work, and device can't find each other when on the same network. In the case of syncthing, it resorts to global discovery (using public discovery servers), and devices connect to each other over the Internet.

From a general discovery point of view, it's as if devices were not on the same network.

Description

WireGuard itself supports multicast traffic fine, and discovery works normally as if devices were on the same network. Tailscale client seems to use a tun-type device rather than a wireguard-type device, so Wireguard's native support is of no use for this case.

A tun-type device routes at layer 3 traffic and usually results in multicast packets not travelling through to other endpoints. A tap-type device needs to be used instead.

As a potential solution, I'd like to configure my own clients will create a tap network device rather than a tun type network device, so that my clients can discover each other and interact with each other as if they were on the same physical network.

Do you think this is feasible?

Additional context

There's a feature request for this on Tailscale's issue tracker too, thought the whole thread does not add any additional information.

Originally created by @WhyNotHugo on GitHub (Feb 27, 2024). ## Why Currently clients connect using headscale/tailscale cannot route multicast traffic to each other, which means standard protocols like mDNS don't work. The result is that clients cannot discover each other as if they were in the same network. Bespoke discovery protocols, like syncthing's local discovery (also done over multicast) can't work, and device can't find each other when on the same network. In the case of syncthing, it resorts to global discovery (using public discovery servers), and devices connect to each other over the Internet. From a general discovery point of view, it's as if devices were not on the same network. ## Description WireGuard itself supports multicast traffic fine, and discovery works normally as if devices were on the same network. Tailscale client seems to use a `tun`-type device rather than a `wireguard`-type device, so Wireguard's native support is of no use for this case. A `tun`-type device routes at layer 3 traffic and usually results in multicast packets not travelling through to other endpoints. A `tap`-type device needs to be used instead. As a potential solution, I'd like to configure my own clients will create a `tap` network device rather than a `tun` type network device, so that my clients can discover each other and interact with each other as if they were on the same physical network. Do you think this is feasible? ## Additional context There's [a feature request](https://github.com/tailscale/tailscale/issues/1013) for this on Tailscale's issue tracker too, thought the whole thread does not add any additional information.

adam added the enhancement label 2025-12-29 02:21:39 +01:00

adam closed this issue

2025-12-29 02:21:39 +01:00

adam commented

2025-12-29 02:21:40 +01:00

@WhyNotHugo commented on GitHub (Feb 27, 2024):

I'm actually starting to think that this wouldn't require changes on the server side. At least for an experimental approach, if the clients behave consistently with one another, the server doesn't need to care about these details since it's not part of the network itself... right?

@WhyNotHugo commented on GitHub (Feb 27, 2024): I'm actually starting to think that this wouldn't require changes on the server side. At least for an experimental approach, if the clients behave consistently with one another, the server doesn't need to care about these details since it's not part of the network itself... right?

adam commented

2025-12-29 02:21:40 +01:00

@kradalby commented on GitHub (Mar 4, 2024):

Hi,

This is sadly nothing we can fix, has to be done quite a few levels lower in the stack. Wireguard also has problems with this and as you mention, a tun device per now doesnt support this, and we cannot change that.

I'm personally interested in this and also tracking the mentioned Tailscale issue, and there is no reason that when that is solved, then we should also be able to have it.

@kradalby commented on GitHub (Mar 4, 2024): Hi, This is sadly nothing we can fix, has to be done quite a few levels lower in the stack. Wireguard also has problems with this and as you mention, a tun device per now doesnt support this, and we cannot change that. I'm personally interested in this and also tracking the mentioned Tailscale issue, and there is no reason that when that is solved, then we should also be able to have it.

adam commented

2025-12-29 02:21:40 +01:00

@WhyNotHugo commented on GitHub (Mar 4, 2024):

Yup, further researching this led to the same conclusion: nothing to do here for now.

I think experimenting with clients is feasible (as long as they all behave the same), but that doesn't require support from the control plane AFAIK (unless you want to mix tun and tap clients).

@WhyNotHugo commented on GitHub (Mar 4, 2024): Yup, further researching this led to the same conclusion: nothing to do here for now. I think experimenting with clients is feasible (as long as they all behave the same), but that doesn't require support from the control plane AFAIK (unless you want to mix tun and tap clients).

adam referenced this issue

2025-12-29 02:31:01 +01:00

[PR #768] [MERGED] toggle json logging via config #1632

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#653