[Bug] failed to bind to TCP address: listen tcp 0.0.0.0:443: bind: permission denied #782

Closed
opened 2025-12-29 02:23:57 +01:00 by adam · 4 comments

Originally created by @tirenparo on GitHub (Aug 31, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I'm running headscale on Alpine Linux.

rc-service headscale start logs the following on /var/log/headscale.log:

An updated version of Headscale has been found (0.23.0-beta3 vs. your current v0.22.3). Check it out https://github.com/juanfont/headscale/releases
2024-08-31T05:26:44Z INF Setting up a DERPMap update worker frequency=86400000
2024-08-31T05:26:44Z FTL github.com/juanfont/headscale/cmd/headscale/cli/server.go:26 > Error starting server error="failed to bind to TCP address: listen tcp 0.0.0.0:443: bind: permission denied"
An updated version of Headscale has been found (0.23.0-beta3 vs. your current v0.22.3). Check it out https://github.com/juanfont/headscale/releases
2024-08-31T05:26:47Z INF Setting up a DERPMap update worker frequency=86400000
2024-08-31T05:26:47Z FTL github.com/juanfont/headscale/cmd/headscale/cli/server.go:26 > Error starting server error="failed to bind to TCP address: listen tcp 0.0.0.0:443: bind: permission denied"

The only changes in my config.yaml:

server_url: http://127.0.0.1:443
listen_addr: 0.0.0.0:443

Using headscale serve doesn't hit the error.

Expected Behavior

rc-service headscale start should start the service without errors.

Steps To Reproduce

apk add headscale --repository=https://dl-cdn.alpinelinux.org/alpine/edge/testing

vi /etc/headscale/config.yaml # change port to 443 on server_url and listen_addr

rc-service headscale start

Environment

- OS: Alpinelinux x86_64
- Headscale version: 0.22.3
- Tailscale version: -

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

adam added the bug label 2025-12-29 02:23:57 +01:00
adam closed this issue 2025-12-29 02:23:57 +01:00

@tirenparo commented on GitHub (Aug 31, 2024):

> hi bro, to fix your trouble try this fix, i see it in another issue,

This is obviously phishing.


@juanfont commented on GitHub (Aug 31, 2024):

I have deleted both comments.


@kradalby commented on GitHub (Aug 31, 2024):

This sounds like the rc-service headscale start service code is run with a user or as a process that lacks the capability to bind to the ports typically requiring root etc.

Since this is packaged by the alpine people, it's out of our control, so you will need to raise it with them.

You can confirm my theory by trying to run headscale serve as root with your config


@tirenparo commented on GitHub (Sep 2, 2024):

Yes, the problem was that the rc-service is running headscale with user headscale so unprivileged ports work fine. There are several ways to work around this; I chose to use a port forwarding rule (https://superuser.com/a/1334552).

doas iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 443 -j REDIRECT --to-ports 8443

You can also stick to using a custom port https://your-domain:8443, use nginx or other reverse proxy, or grant low-numbered port access to the headscale process.
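The failure in this thread comes down to one kernel check: binding a port below `net.ipv4.ip_unprivileged_port_start` requires `CAP_NET_BIND_SERVICE` in the process's effective capability set. The script below is an added example, not part of the thread or of headscale; the function names are hypothetical and the CapEff masks in the demo calls are constructed samples.

```shell
#!/bin/sh
# Added example: decide whether a process may bind a given TCP port on Linux.
# CAP_NET_BIND_SERVICE is capability number 10 (bit 10 of the CapEff mask).
CAP_NET_BIND_SERVICE=10

# has_cap HEXMASK CAPNUM -> exit 0 if bit CAPNUM is set in the hex mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# can_bind PORT CAPEFF_HEX UNPRIV_START
# Prints the reason and returns 0 if bind() would pass the privilege check.
can_bind() {
    port=$1; capeff=$2; start=$3
    if [ "$port" -ge "$start" ]; then
        echo "allowed: port $port >= ip_unprivileged_port_start ($start)"
    elif has_cap "$capeff" "$CAP_NET_BIND_SERVICE"; then
        echo "allowed: CAP_NET_BIND_SERVICE is in the effective set"
    else
        echo "denied: port $port < $start and CAP_NET_BIND_SERVICE is missing"
        return 1
    fi
}

# check_pid PID PORT: same check using live values from /proc
check_pid() {
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status") || return 2
    [ -n "$capeff" ] || return 2
    # Kernels older than 4.11 lack the sysctl; the threshold is then 1024.
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null \
            || echo 1024)
    can_bind "$2" "$capeff" "$start"
}

# Constructed samples matching the thread's situation:
# service user with no capabilities, port 443 (the reported failure)
can_bind 443 0000000000000000 1024 || true
# same user on the workaround port 8443
can_bind 8443 0000000000000000 1024
# same user after being granted only CAP_NET_BIND_SERVICE (mask 0x400)
can_bind 443 0000000000000400 1024
```

Running `check_pid "$$" 443` from the shell that starts the service shows which branch applies to that session before the daemon is launched.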

Reference: starred/headscale#782