[Bug] Failed to read headscale configuration error="server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node." #771

Closed
opened 2025-12-29 02:23:48 +01:00 by adam · 4 comments

Originally created by @super-ben on GitHub (Aug 21, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Since upgrading to v0.23.0-beta2, if I have, say, headscale.mydomain.com in both server_url and base_domain, I get the error 'Failed to read headscale configuration error="server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node."', and the headscale server cannot even start.

While on some level I can understand the issue, on beta1 and earlier versions I had both set up with the same domain and it worked like a charm. I'm also not against changing it; for testing purposes I've changed the base_domain back to example.com, because it failed to work even with mydomain.com, so it works now, but at this point I'm unsure how to set these two values if I only have headscale.mydomain.com (as a sub-domain) and mydomain.com.

Expected Behavior

I would be happy if it either worked like before or accepted my domain (mydomain.com), as I don't really have anything in between and wouldn't want to use some bogus domain (like example.com; while it doesn't cause an operational issue, I don't like its optics).

Steps To Reproduce

  1. On Ubuntu 22.04
  2. Using Docker and Docker Compose
  3. I've upgraded to 0.23-beta2 from 0.23-beta1
  4. Also downloaded the latest config.yaml, changing only my relevant strings (server_url, base_domain, listening_port)

Environment

- OS: Ubuntu 22.04.1
- Headscale version: v0.23-beta2
- Tailscale version: 1.72.0

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

2024-08-21T08:29:02Z FTL Failed to read headscale configuration error="server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node."

adam added the bug label 2025-12-29 02:23:48 +01:00
adam closed this issue 2025-12-29 02:23:48 +01:00

@mitchellkellett commented on GitHub (Aug 21, 2024):

This isn't a bug; this was a deliberate change. The below pull in the change log is the cause.

https://github.com/juanfont/headscale/commit/ac8491efec4b5ed088ce90e48d14136a1fe228da Redo DNS configuration (https://github.com/juanfont/headscale/pull/2034)

TL;DR: you need to have your tailnet different from the URL for headscale.

e.g.
server_url = example.com
base_domain = clients.example.com

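The rule from the comment above, written out as a stand-alone Go program. This is an added illustration, not headscale's own code: the function names, the suffix-based matching (the real check behind the "cannot contain" message may match differently), the MagicDNS naming helper and the four sample configurations are all assumptions made here. It shows which of the configurations discussed in this thread are rejected, and why base_domain = mydomain.com with server_url = https://headscale.mydomain.com is a problem: a node that happens to be named "headscale" would get exactly the control server's name from MagicDNS, and the node-side resolver (100.100.100.100) would answer for the base_domain zone instead of public DNS, so the node could no longer reach headscale or its embedded DERP.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrServerURLInBaseDomain carries the same text as the FTL line quoted in the issue.
var ErrServerURLInBaseDomain = errors.New("server_url cannot contain the base_domain, " +
	"this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node")

// ValidateDNSConfig is a hypothetical re-implementation of the startup check
// (assumption: headscale's real check is not reproduced here). It rejects a
// server_url whose host equals base_domain or sits anywhere below it.
func ValidateDNSConfig(serverURL, baseDomain string) error {
	u, err := url.Parse(serverURL)
	if err != nil {
		return fmt.Errorf("server_url: %w", err)
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	base := strings.ToLower(strings.TrimSuffix(baseDomain, "."))
	if host == "" {
		return errors.New("server_url has no host part")
	}
	if base == "" {
		// No MagicDNS base domain configured, so nothing can shadow the server name.
		return nil
	}
	if host == base || strings.HasSuffix(host, "."+base) {
		return ErrServerURLInBaseDomain
	}
	return nil
}

// MagicDNSName returns the FQDN a node with the given hostname is assigned
// under base_domain (assumption: plain "<hostname>.<base_domain>" naming).
func MagicDNSName(hostname, baseDomain string) string {
	return strings.ToLower(hostname) + "." + strings.TrimSuffix(baseDomain, ".")
}

func main() {
	// Constructed sample configurations taken from the discussion above.
	cases := []struct{ serverURL, baseDomain string }{
		{"https://headscale.mydomain.com", "headscale.mydomain.com"}, // reporter's original config: rejected
		{"https://headscale.mydomain.com", "mydomain.com"},           // also rejected
		{"https://headscale.mydomain.com", "example.com"},            // reporter's workaround: accepted
		{"https://example.com", "clients.example.com"},               // layout suggested in the thread: accepted
	}
	for _, c := range cases {
		fmt.Printf("server_url=%s base_domain=%s -> %v\n",
			c.serverURL, c.baseDomain, ValidateDNSConfig(c.serverURL, c.baseDomain))
	}
	// With base_domain=mydomain.com, a node called "headscale" collides with the control server.
	fmt.Println("node 'headscale' under mydomain.com ->", MagicDNSName("headscale", "mydomain.com"))
}
```

Run it with `go run main.go`; the first two configurations print the error, the last two print `<nil>`. The suffix check is applied on the parsed host only, so a path or port in server_url does not affect the result.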

@super-ben commented on GitHub (Aug 21, 2024):

Alright, thanks, will do this, then. I wasn't aware of the mentioned PR.


@kradalby commented on GitHub (Aug 21, 2024):

Thanks @mitchellkellett, this is intentional and there are longer explanations in the comment of the code and that PR.


@renne commented on GitHub (Jan 10, 2025):

Is the possible name conflict between Headscale server and a Tailscale node the only reason for not allowing
Headscale server: server.example.com
Base domain: example.com
or are there other reasons for this decision?

It's quite annoying to have to use another 2nd-level domain for the Headscale server or an additional subdomain for the Tailscale nodes.

If it is just the possible name collision, reserving the hostname of the Headscale server would do the trick.

In my case it is a more complex Split-DNS setup for a DNS query to make TLS certificates usable in the LAN:

1. Return static A/AAAA/HTTPS records for some hosts

2a. if subnet is 10.0.0.0/24, 192.168.178.0/24, aaaa:bbbb:cccc:dddd::/64 or aaaa:bbbb:eeee:ffff::/64 rewrite suffix example.com to fritz.box and forward fritz.box to 10.0.0.1 on NXDOMAIN forward example.com to 100.100.100.100

2b. if subnet is 100.64.0.0/10 or fd7a:115c:a1e0::/48 forward example.com to 100.100.100.100 on NXDOMAIN rewrite suffix example.com to fritz.box and forward fritz.box to 10.0.0.1

3. on NXDOMAIN forward example.com to authoritative nameservers of example.com

Using an additional sub-domain means additional rewrites and queries.

Reference: starred/headscale#771