starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-11 20:00:28 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

[Issue]Route is not pushed on client machine #772

New Issue
Closed
opened 2025-12-29 02:23:49 +01:00 by adam · 8 comments
adam commented 2025-12-29 02:23:49 +01:00
Owner
Copy Link

Originally created by @Tekchanddagar on GitHub (Aug 22, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We are using digitalocean droplet for headscale server. Below is the headescale config.yaml file:

---
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory

# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
server_url: http://26.19.1.9:8080

# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: 26.19.1.9:8080

# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
# network
#
metrics_listen_addr: 26.19.1.9:9090

# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
# grpc_listen_addr: 0.0.0.0:50443
grpc_listen_addr: 127.0.0.1:50443

# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false

# Private key used to encrypt the traffic between headscale
# and Tailscale clients.
# The private key file will be autogenerated if it's missing.
#
private_key_path: /var/lib/headscale/private.key

# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol. It must be different
  # from the legacy private key.
  private_key_path: /var/lib/headscale/noise_private.key

# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
# It must be within IP ranges supported by the Tailscale
# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
# See below:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues.
ip_prefixes:
  #- fd7a:115c:a1e0::/48
  - 100.64.0.0/10

# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false

    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides with other region ID coming from
    # the regular DERP config.
    region_id: 999

    # Region code and name are displayed in the Tailscale UI to identify a DERP region
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []

  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true

  # How often should we check for DERP updates?
  update_frequency: 24h

# Disables the automatic check for headscale updates on startup
disable_check_updates: false

# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m

# Period to check for node updates within the tailnet. A value too low will severely affect
# CPU consumption of Headscale. A value too high (over 60s) will cause problems
# for the nodes, as they won't get updates or keep alive messages frequently enough.
# In case of doubts, do not touch the default 10s.
node_update_check_interval: 10s

# SQLite config
db_type: sqlite3

# For production:
db_path: /var/lib/headscale/db.sqlite

# # Postgres config
# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
# db_type: postgres
# db_host: localhost
# db_port: 5432
# db_name: headscale
# db_user: foo
# db_pass: bar

# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
# db_ssl: false

### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory

# Email to register with ACME provider
acme_email: ""

# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""

# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache

# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See [docs/tls.md](docs/tls.md) for more information
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"

## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""

log:
  # Output formatting for logs: text or json
  format: text
  level: info

# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
acl_policy_path: "/etc/headscale/acl.yaml"

## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their KB to better understand the concepts:
#
# - https://tailscale.com/kb/1054/dns/
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
dns_config:
  # Whether to prefer using Headscale provided DNS or use local.
  override_local_dns: true

  # List of DNS servers to expose to clients.
  nameservers:
    - 1.1.1.1

  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
  # "abc123" is example NextDNS ID, replace with yours.
  #
  # With metadata sharing:
  # nameservers:
  #   - https://dns.nextdns.io/abc123
  #
  # Without metadata sharing:
  # nameservers:
  #   - 2a07:a8c0::ab:c123
  #   - 2a07:a8c1::ab:c123

  # Split DNS (see https://tailscale.com/kb/1054/dns/),
  # list of search domains and the DNS to query for each one.
  #
  # restricted_nameservers:
  #   foo.bar.com:
  #     - 1.1.1.1
  #   darp.headscale.net:
  #     - 1.1.1.1
  #     - 8.8.8.8

  # Search domains to inject.
  domains: []

  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
  # extra_records:
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }

  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  # Only works if there is at least a nameserver defined.
  magic_dns: true

  # Defines the base domain to create the hostnames for MagicDNS.
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
  base_domain: example.com

# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
#
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
# oidc:
#   only_start_if_oidc_is_available: true
#   issuer: "https://your-oidc.issuer.com/path"
#   client_id: "your-oidc-client-id"
#   client_secret: "your-oidc-client-secret"
#   # Alternatively, set `client_secret_path` to read the secret from the file.
#   # It resolves environment variables, making integration to systemd's
#   # `LoadCredential` straightforward:
#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
#   # client_secret and client_secret_path are mutually exclusive.
#
#   # The amount of time from a node is authenticated with OpenID until it
#   # expires and needs to reauthenticate.
#   # Setting the value to "0" will mean no expiry.
#   expiry: 180d
#
#   # Use the expiry from the token received from OpenID when the user logged
#   # in, this will typically lead to frequent need to reauthenticate and should
#   # only been enabled if you know what you are doing.
#   # Note: enabling this will cause `oidc.expiry` to be ignored.
#   use_expiry_from_token: false
#
#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
#
#   scope: ["openid", "profile", "email", "custom"]
#   extra_params:
#     domain_hint: example.com
#
#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
#   # authentication request will be rejected.
#
#   allowed_domains:
#     - example.com
#   # Note: Groups from keycloak have a leading '/'
#   allowed_groups:
#     - /headscale
#   allowed_users:
#     - alice@example.com
#
#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
#   user: `first-name.last-name.example.com`
#
#   strip_email_domain: true

# Logtail configuration
# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
# to instruct tailscale nodes to log their activity to a remote server.
logtail:
  # Enable logtail for this headscales clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false

# Enabling this option makes devices prefer a random port for WireGuard traffic over the
# default static port 41641. This option is intended as a workaround for some buggy
# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
randomize_client_port: false

## Routes Defined by Devops team
routes:
  - route: 10.133.0.0/16
enable_route_advertisement: true

#acls:
#  - action: accept
#    users: ['*']
#    ports: ['*:*']

node_attributes:
  - target: ['*']
    advertise_routes: ['10.133.0.0/16']

Below is my acl.yml file:

# Define user groups
groups:
  group:all:
    - tek

# Define ACL rules
acls:
  - action: accept
    users: ["*"]
    ports: ["*:*"]

# Define tag owners (in this case, we're giving the route tag to all users)
tagOwners:
  tag:route: ["group:all"]

# Define auto approvers for routes
autoApprovers:
  routes:
    "10.133.0.0/16": ["tag:route"]

We have used the below sets of commands:

headscale users create tekdagar
headscale --user tekdagar preauthkeys create --reusable --expiration 24h
tailscale up --login-server http://26.19.1.9:8080 --authkey eb463f1e22b78cfdb454a14e674e65481ca9828d23901468 (which we get in previous step)
tailscale up --advertise-routes 10.133.0.0/16 --login-server http://26.19.1.9:8080
headscale routes list <Node_Name>
headscale routes enable <node-name> -r <route id> <subnet IP> 
tailscale up --accept-routes --login-server http://26.19.1.9:8080

Now the client is registerd with headscale server and tailscale tunnel is also up on client side.

Expected Behavior

Tailscale is up on client side and route should be pushed on client for subnet 10.133.0.0/16

You can see tunnel is up on my client:

root@chand:/etc/sysctl.d# ifconfig | grep -A 8 "tailscale0"
tailscale0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet 100.64.0.1  netmask 255.255.255.255  destination 100.64.0.1
        inet6 fe80::47c3:8dfd:a876:5509  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 27021  bytes 4102286 (4.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 30026  bytes 2341200 (2.3 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

But when i am checking route on my client there is no route for 10.133.0.0/16 subnet on client machine.

root@chand:/etc/sysctl.d# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.5.50.1       0.0.0.0         UG    600    0        0 wlp0s20f3
10.5.48.0       0.0.0.0         255.255.252.0   U     600    0        0 wlp0s20f3
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0

I have checked the doc but unable to find the solution for this problem. Can you please help me to find out what mistake i am doing here?

Thank You

Steps To Reproduce

Environment

- OS:Ubuntu 24.04
- Headscale version: v0.22.3
- Tailscale version: 1.72.0

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

Originally created by @Tekchanddagar on GitHub (Aug 22, 2024). ### Is this a support request? - [X] This is not a support request ### Is there an existing issue for this? - [X] I have searched the existing issues ### Current Behavior We are using digitalocean droplet for headscale server. Below is the headescale `config.yaml` file: ``` --- # headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: # # - `/etc/headscale` # - `~/.headscale` # - current working directory # The url clients will connect to. # Typically this will be a domain like: # # https://myheadscale.example.com:443 # server_url: http://26.19.1.9:8080 # Address to listen to / bind to on the server # # For production: # listen_addr: 0.0.0.0:8080 listen_addr: 26.19.1.9:8080 # Address to listen to /metrics, you may want # to keep this endpoint private to your internal # network # metrics_listen_addr: 26.19.1.9:9090 # Address to listen for gRPC. # gRPC is used for controlling a headscale server # remotely with the CLI # Note: Remote access _only_ works if you have # valid certificates. # # For production: # grpc_listen_addr: 0.0.0.0:50443 grpc_listen_addr: 127.0.0.1:50443 # Allow the gRPC admin interface to run in INSECURE # mode. This is not recommended as the traffic will # be unencrypted. Only enable if you know what you # are doing. grpc_allow_insecure: false # Private key used to encrypt the traffic between headscale # and Tailscale clients. # The private key file will be autogenerated if it's missing. # private_key_path: /var/lib/headscale/private.key # The Noise section includes specific configuration for the # TS2021 Noise protocol noise: # The Noise private key is used to encrypt the # traffic between headscale and Tailscale clients when # using the new Noise-based protocol. It must be different # from the legacy private key. private_key_path: /var/lib/headscale/noise_private.key # List of IP prefixes to allocate tailaddresses from. # Each prefix consists of either an IPv4 or IPv6 address, # and the associated prefix length, delimited by a slash. # It must be within IP ranges supported by the Tailscale # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. # See below: # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 # Any other range is NOT supported, and it will cause unexpected issues. ip_prefixes: #- fd7a:115c:a1e0::/48 - 100.64.0.0/10 # DERP is a relay system that Tailscale uses when a direct # connection cannot be established. # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp # # headscale needs a list of DERP servers that can be presented # to the clients. derp: server: # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place enabled: false # Region ID to use for the embedded DERP server. # The local DERP prevails if the region ID collides with other region ID coming from # the regular DERP config. region_id: 999 # Region code and name are displayed in the Tailscale UI to identify a DERP region region_code: "headscale" region_name: "Headscale Embedded DERP" # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. # When the embedded DERP server is enabled stun_listen_addr MUST be defined. # # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ stun_listen_addr: "0.0.0.0:3478" # List of externally available DERP maps encoded in JSON urls: - https://controlplane.tailscale.com/derpmap/default # Locally available DERP map files encoded in YAML # # This option is mostly interesting for people hosting # their own DERP servers: # https://tailscale.com/kb/1118/custom-derp-servers/ # # paths: # - /etc/headscale/derp-example.yaml paths: [] # If enabled, a worker will be set up to periodically # refresh the given sources and update the derpmap # will be set up. auto_update_enabled: true # How often should we check for DERP updates? update_frequency: 24h # Disables the automatic check for headscale updates on startup disable_check_updates: false # Time before an inactive ephemeral node is deleted? ephemeral_node_inactivity_timeout: 30m # Period to check for node updates within the tailnet. A value too low will severely affect # CPU consumption of Headscale. A value too high (over 60s) will cause problems # for the nodes, as they won't get updates or keep alive messages frequently enough. # In case of doubts, do not touch the default 10s. node_update_check_interval: 10s # SQLite config db_type: sqlite3 # For production: db_path: /var/lib/headscale/db.sqlite # # Postgres config # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. # db_type: postgres # db_host: localhost # db_port: 5432 # db_name: headscale # db_user: foo # db_pass: bar # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. # db_ssl: false ### TLS configuration # ## Let's encrypt / ACME # # headscale supports automatically requesting and setting up # TLS for a domain with Let's Encrypt. # # URL to ACME directory acme_url: https://acme-v02.api.letsencrypt.org/directory # Email to register with ACME provider acme_email: "" # Domain name to request a TLS certificate for: tls_letsencrypt_hostname: "" # Path to store certificates and metadata needed by # letsencrypt # For production: tls_letsencrypt_cache_dir: /var/lib/headscale/cache # Type of ACME challenge to use, currently supported types: # HTTP-01 or TLS-ALPN-01 # See [docs/tls.md](docs/tls.md) for more information tls_letsencrypt_challenge_type: HTTP-01 # When HTTP-01 challenge is chosen, letsencrypt must set up a # verification endpoint, and it will be listening on: # :http = port 80 tls_letsencrypt_listen: ":http" ## Use already defined certificates: tls_cert_path: "" tls_key_path: "" log: # Output formatting for logs: text or json format: text level: info # Path to a file containg ACL policies. # ACLs can be defined as YAML or HUJSON. # https://tailscale.com/kb/1018/acls/ acl_policy_path: "/etc/headscale/acl.yaml" ## DNS # # headscale supports Tailscale's DNS configuration and MagicDNS. # Please have a look to their KB to better understand the concepts: # # - https://tailscale.com/kb/1054/dns/ # - https://tailscale.com/kb/1081/magicdns/ # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ # dns_config: # Whether to prefer using Headscale provided DNS or use local. override_local_dns: true # List of DNS servers to expose to clients. nameservers: - 1.1.1.1 # NextDNS (see https://tailscale.com/kb/1218/nextdns/). # "abc123" is example NextDNS ID, replace with yours. # # With metadata sharing: # nameservers: # - https://dns.nextdns.io/abc123 # # Without metadata sharing: # nameservers: # - 2a07:a8c0::ab:c123 # - 2a07:a8c1::ab:c123 # Split DNS (see https://tailscale.com/kb/1054/dns/), # list of search domains and the DNS to query for each one. # # restricted_nameservers: # foo.bar.com: # - 1.1.1.1 # darp.headscale.net: # - 1.1.1.1 # - 8.8.8.8 # Search domains to inject. domains: [] # Extra DNS records # so far only A-records are supported (on the tailscale side) # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations # extra_records: # - name: "grafana.myvpn.example.com" # type: "A" # value: "100.64.0.3" # # # you can also put it in one line # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). # Only works if there is at least a nameserver defined. magic_dns: true # Defines the base domain to create the hostnames for MagicDNS. # `base_domain` must be a FQDNs, without the trailing dot. # The FQDN of the hosts will be # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). base_domain: example.com # Unix socket used for the CLI to connect without authentication # Note: for production you will want to set this to something like: unix_socket: /var/run/headscale/headscale.sock unix_socket_permission: "0770" # # headscale supports experimental OpenID connect support, # it is still being tested and might have some bugs, please # help us test it. # OpenID Connect # oidc: # only_start_if_oidc_is_available: true # issuer: "https://your-oidc.issuer.com/path" # client_id: "your-oidc-client-id" # client_secret: "your-oidc-client-secret" # # Alternatively, set `client_secret_path` to read the secret from the file. # # It resolves environment variables, making integration to systemd's # # `LoadCredential` straightforward: # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" # # client_secret and client_secret_path are mutually exclusive. # # # The amount of time from a node is authenticated with OpenID until it # # expires and needs to reauthenticate. # # Setting the value to "0" will mean no expiry. # expiry: 180d # # # Use the expiry from the token received from OpenID when the user logged # # in, this will typically lead to frequent need to reauthenticate and should # # only been enabled if you know what you are doing. # # Note: enabling this will cause `oidc.expiry` to be ignored. # use_expiry_from_token: false # # # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query # # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". # # scope: ["openid", "profile", "email", "custom"] # extra_params: # domain_hint: example.com # # # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the # # authentication request will be rejected. # # allowed_domains: # - example.com # # Note: Groups from keycloak have a leading '/' # allowed_groups: # - /headscale # allowed_users: # - alice@example.com # # # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. # # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` # # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following # user: `first-name.last-name.example.com` # # strip_email_domain: true # Logtail configuration # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel # to instruct tailscale nodes to log their activity to a remote server. logtail: # Enable logtail for this headscales clients. # As there is currently no support for overriding the log server in headscale, this is # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. enabled: false # Enabling this option makes devices prefer a random port for WireGuard traffic over the # default static port 41641. This option is intended as a workaround for some buggy # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. randomize_client_port: false ## Routes Defined by Devops team routes: - route: 10.133.0.0/16 enable_route_advertisement: true #acls: # - action: accept # users: ['*'] # ports: ['*:*'] node_attributes: - target: ['*'] advertise_routes: ['10.133.0.0/16'] ``` Below is my `acl.yml` file: ``` # Define user groups groups: group:all: - tek # Define ACL rules acls: - action: accept users: ["*"] ports: ["*:*"] # Define tag owners (in this case, we're giving the route tag to all users) tagOwners: tag:route: ["group:all"] # Define auto approvers for routes autoApprovers: routes: "10.133.0.0/16": ["tag:route"] ``` We have used the below sets of commands: ``` headscale users create tekdagar headscale --user tekdagar preauthkeys create --reusable --expiration 24h tailscale up --login-server http://26.19.1.9:8080 --authkey eb463f1e22b78cfdb454a14e674e65481ca9828d23901468 (which we get in previous step) tailscale up --advertise-routes 10.133.0.0/16 --login-server http://26.19.1.9:8080 headscale routes list <Node_Name> headscale routes enable <node-name> -r <route id> <subnet IP> tailscale up --accept-routes --login-server http://26.19.1.9:8080 ``` Now the client is registerd with headscale server and tailscale tunnel is also up on client side. ### Expected Behavior Tailscale is up on client side and route should be pushed on client for subnet `10.133.0.0/16` You can see tunnel is up on my client: ``` root@chand:/etc/sysctl.d# ifconfig | grep -A 8 "tailscale0" tailscale0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1280 inet 100.64.0.1 netmask 255.255.255.255 destination 100.64.0.1 inet6 fe80::47c3:8dfd:a876:5509 prefixlen 64 scopeid 0x20<link> unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC) RX packets 27021 bytes 4102286 (4.1 MB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 30026 bytes 2341200 (2.3 MB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 ``` But when i am checking route on my client there is no route for `10.133.0.0/16` subnet on client machine. ``` root@chand:/etc/sysctl.d# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.5.50.1 0.0.0.0 UG 600 0 0 wlp0s20f3 10.5.48.0 0.0.0.0 255.255.252.0 U 600 0 0 wlp0s20f3 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 docker0 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0 ``` I have checked the doc but unable to find the solution for this problem. Can you please help me to find out what mistake i am doing here? Thank You ### Steps To Reproduce ### ### Environment ```markdown - OS:Ubuntu 24.04 - Headscale version: v0.22.3 - Tailscale version: 1.72.0 ``` ### Runtime environment - [ ] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Anything else? _No response_
adam added the bug label 2025-12-29 02:23:49 +01:00
adam closed this issue 2025-12-29 02:23:49 +01:00
adam commented 2025-12-29 02:23:50 +01:00
Author
Owner
Copy Link

@Tekchanddagar commented on GitHub (Aug 23, 2024):

Hello Team,
Can you please help me on the above issue or point me whats wrong i am doing here?

Thank You

@Tekchanddagar commented on GitHub (Aug 23, 2024): Hello Team, Can you please help me on the above issue or point me whats wrong i am doing here? Thank You
adam commented 2025-12-29 02:23:50 +01:00
Author
Owner
Copy Link

@strandundmeer commented on GitHub (Aug 26, 2024):

hi @Tekchanddagar ,

while I am not from the development team, I would say that you are doing the query on the wrong routing table.

Did you check the output of:

ip route show table 52

Hope this helps!

@strandundmeer commented on GitHub (Aug 26, 2024): hi @Tekchanddagar , while I am not from the development team, I would say that you are doing the query on the wrong routing table. Did you check the output of: `ip route show table 52` Hope this helps!
adam commented 2025-12-29 02:23:50 +01:00
Author
Owner
Copy Link

@Tekchanddagar commented on GitHub (Aug 27, 2024):

@strandundmeer , Thank you for your answer. Please find the output of command which is suggested by you:

image

But i am pushing the route for 10.133.0.0/16 subnet and was expecting same route here.

Sorry, my understanding might be wrong because i am new to headscale but trying to understand it and wana complete the setup at my end.

Thank You

@Tekchanddagar commented on GitHub (Aug 27, 2024): @strandundmeer , Thank you for your answer. Please find the output of command which is suggested by you: ![image](https://github.com/user-attachments/assets/51cb7b93-8762-40bf-b543-c1c702822a83) But i am pushing the route for 10.133.0.0/16 subnet and was expecting same route here. Sorry, my understanding might be wrong because i am new to headscale but trying to understand it and wana complete the setup at my end. Thank You
adam commented 2025-12-29 02:23:51 +01:00
Author
Owner
Copy Link

@strandundmeer commented on GitHub (Aug 27, 2024):

@Tekchanddagar, this is strange.

I tested this with the latest beta as well as the stable, and it works for me.
The routes get pushed as configured.
However, I don't know why you are using the autoapprove settings in your ACL as you are approving it via the headscale command.
The following is not needed, and I am not sure if this is causing the problems:

node_attributes:
  - target: ['*']
    advertise_routes: ['10.133.0.0/16']

I would delete all the routing stuff from your config and acl and then do:

On the machine which should be the gateway for the route:
tailscale -set --advertise-routes 10.133.0.0/16

on your headscale server:
headscale routes enable -r [ID OF THE ROUTE]

on your client:
tailscale set --accept-routes

taking a look at the route table 52 should show the routes, if not, I would suggest you start with a fresh config.

cheers

@strandundmeer commented on GitHub (Aug 27, 2024): @Tekchanddagar, this is strange. I tested this with the latest beta as well as the stable, and it works for me. The routes get pushed as configured. However, I don't know why you are using the autoapprove settings in your ACL as you are approving it via the headscale command. The following is not needed, and I am not sure if this is causing the problems: ``` node_attributes: - target: ['*'] advertise_routes: ['10.133.0.0/16'] ``` I would delete all the routing stuff from your config and acl and then do: On the machine which should be the gateway for the route: `tailscale -set --advertise-routes 10.133.0.0/16` on your headscale server: `headscale routes enable -r [ID OF THE ROUTE]` on your client: `tailscale set --accept-routes` taking a look at the route table 52 should show the routes, if not, I would suggest you start with a fresh config. cheers
adam commented 2025-12-29 02:23:51 +01:00
Author
Owner
Copy Link

@Tekchanddagar commented on GitHub (Aug 27, 2024):

@strandundmeer , Thank You for quick response.

I have one more question:

On the machine which should be the gateway for the route:
tailscale -set --advertise-routes 10.133.0.0/16

Do we need to use separate server for this? Because i am using only headscale as VPN server and it will work as gateway also.

Sorry my question can be bullshit and flooding your inbox. But it will help me to clear my doubts. Please suggest.

Thank You

@Tekchanddagar commented on GitHub (Aug 27, 2024): @strandundmeer , Thank You for quick response. I have one more question: > On the machine which should be the gateway for the route: > `tailscale -set --advertise-routes 10.133.0.0/16` Do we need to use separate server for this? Because i am using only headscale as VPN server and it will work as gateway also. Sorry my question can be bullshit and flooding your inbox. But it will help me to clear my doubts. Please suggest. Thank You
adam commented 2025-12-29 02:23:51 +01:00
Author
Owner
Copy Link

@strandundmeer commented on GitHub (Aug 27, 2024):

@Tekchanddagar,

Your headscale server is not part of the network, you would need to install tailscale on it, too, to get this working.
For anything to work you will need 2 tailscale client installations, the 2nd one can be on the same server as the headscale daemon is running.
If this is your gateway, you would need to run:
tailscale -set --advertise-routes 10.133.0.0/16
there.

@strandundmeer commented on GitHub (Aug 27, 2024): @Tekchanddagar, Your headscale server is not part of the network, you would need to install tailscale on it, too, to get this working. For anything to work you will need 2 tailscale client installations, the 2nd one can be on the same server as the headscale daemon is running. If this is your gateway, you would need to run: `tailscale -set --advertise-routes 10.133.0.0/16` there.
adam commented 2025-12-29 02:23:51 +01:00
Author
Owner
Copy Link

@Tekchanddagar commented on GitHub (Aug 28, 2024):

@strandundmeer , Thanks a lot for your time and help.

Now i can see the route for 10.133.0.0/16 subnet on client side. And can access the servers of 10.133.0.0/16 subnet from client laptop.

Your headscale server is not part of the network, you would need to install tailscale on it, too, to get this working.

I was not doing this and its was the root cause of problem at my side. Somehow unable to find it in doc also.

Now i will play around group and acl. Because we want to push specific routes for specific users.

Thanks again for your helping hands. :)

@Tekchanddagar commented on GitHub (Aug 28, 2024): @strandundmeer , Thanks a lot for your time and help. Now i can see the route for `10.133.0.0/16` subnet on client side. And can access the servers of `10.133.0.0/16` subnet from client laptop. > Your headscale server is not part of the network, you would need to install tailscale on it, too, to get this working. I was not doing this and its was the root cause of problem at my side. Somehow unable to find it in doc also. Now i will play around group and acl. Because we want to push specific routes for specific users. Thanks again for your helping hands. :)
adam commented 2025-12-29 02:23:51 +01:00
Author
Owner
Copy Link

@kradalby commented on GitHub (Aug 28, 2024):

Great that you got this resolved, if you have any other issues that are likely more support than technical issues, please use Discord as per readme.

@kradalby commented on GitHub (Aug 28, 2024): Great that you got this resolved, if you have any other issues that are likely more support than technical issues, please use Discord as per readme.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#772
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?