[Bug] ACLs with exact ip addresses don't work #821

Closed
opened 2025-12-29 02:24:26 +01:00 by adam · 5 comments
Owner

Originally created by @maxpain on GitHub (Oct 8, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have deployed Tailscale as a subnet router (--advertise-routes=10.99.0.0/16) in my Kubernetes cluster to give my developers access to the postgres server 10.99.0.2.

Our developers can't access 10.99.0.2 when using the 10.99.0.2/32:* rule.

The developer machine:
ts-netmap-exact-address.json (https://github.com/user-attachments/files/17683795/ts-netmap-exact-address.json)

tailscale status
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   -

The subnet router on the Kubernetes side:

tailscale status
100.64.0.3      subnet-router        admin        linux   -

But 10.99.0.0/16:* works.

The developer machine:
ts-netmap-slash-16-subnet.json (https://github.com/user-attachments/files/17683791/ts-netmap-slash-16-subnet.json)

tailscale status
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   -
100.64.0.3      subnet-router        admin        linux   active; direct

The subnet router on the Kubernetes side:

tailscale status
100.64.0.3      subnet-router        admin        linux   -
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   active; direct 

ACL configuration:

{
	"groups": {
		"group:admin": [],
		"group:test-project": ["m.csgo.com"]
	},
	"tagOwners": {
		"tag:test-project": ["group:admin"]
	},
	"acls": [{
		"action": "accept",
		"src": ["group:test-project"],
		"dst": [
			// "10.99.0.0/16:*" // Works
			"10.99.0.2/32:*" // Doesn't work
		]
	}]
}

Expected Behavior

The 10.99.0.2/32:* ACL rule should work.

Steps To Reproduce

  1. Run the tailscale subnet router:
tailscale up --login-server=https://headscale.example.com --advertise-routes=10.99.0.0/16 --auth-key=REDACTED --hostname=subnet-router
  2. Run tailscale on the client machine

Environment

- OS: Ubuntu 24.04
- Headscale version: 0.23.0
- Tailscale version: 1.76.6

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

adam added the bug, no-stale-bot, policy 📝 labels 2025-12-29 02:24:26 +01:00
adam closed this issue 2025-12-29 02:24:26 +01:00

@nblock commented on GitHub (Oct 9, 2024):

Can you try with "dst": ["10.126.0.2/32:5432"], (adding /32 after the IP address), please?


@maxpain commented on GitHub (Oct 9, 2024):

> Can you try with "dst": ["10.126.0.2/32:5432"], (adding /32 after the IP address), please?

Already tried. Doesn’t work.


@kradalby commented on GitHub (Oct 12, 2024):

Hi @maxpain, we have an issue template asking for a series of information and proposing debug information so that we can debug this quicker, which makes our lives easier as maintainers. Please follow it and fill it out.

We need to see the output of certain things to figure out what is happening and it saves us a great deal of time if you help us since you have the setup already instead of us having to replicate it.

If you had followed the template, it would have proposed using tailscale debug netmap to give us the info we need.
image (https://github.com/user-attachments/assets/9529358a-0453-4148-9336-4c5eff87d865)

Please go back and fill out all the information and provide a netmap dump from the relevant clients with the two different settings, the working one and the broken one. If not all the information is filled out, we will have to close the issue, thank you.


@maxpain commented on GitHub (Nov 8, 2024):

@kradalby, sorry about this. I've updated the issue.


@nblock commented on GitHub (May 2, 2025):

Tested with 93afb03f67 and could reproduce it (with a slightly simplified ACL):

$ headscale user list
ID | Name | Username | Email | Created            
1  |      | admin    |       | 2025-05-02 12:23:59
2  |      | user     |       | 2025-05-02 12:24:00
$ headscale nodes list
ID | Hostname | Name   | MachineKey | NodeKey | User  | IP addresses                  | Ephemeral | Last seen | Expiration | Connected | Expired
1  | router   | router | [lPNFs]    | [CT9dL] | admin | 100.64.0.1, fd7a:115c:a1e0::1 | false     |           | N/A        | online    | no     
2  | node     | node   | [XC7jE]    | [nLKKr] | user  | 100.64.0.2, fd7a:115c:a1e0::2 | false     |           | N/A        | online    | no   
$ headscale nodes  list-routes
ID | Hostname | Approved     | Available    | Serving (Primary)
1  | router   | 10.99.0.0/16 | 10.99.0.0/16 | 10.99.0.0/16   
{
  "groups": {
    "group:test-project": [
      "user@"
    ]
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "*"
      ],
      "dst": [
        "router:0"
      ]
    },
    {
      "action": "accept",
      "src": [
        "group:test-project"
      ],
      "dst": [
        "10.99.0.0/16:*"     // works
        // "10.99.0.2/32:*"  // does not work
      ]
    }
  ]
}

A service listening on 10.99.0.2:8000 is reachable from node when the destination is 10.99.0.0/16:*. Access is no longer possible if the destination is changed to 10.99.0.2/32:*.

A dummy interface can be used to simulate a service:

$ ip link add dummy0 type dummy
$ ip addr add 10.99.0.2/16 dev dummy0
$ ip link set dummy0 up
$ python3 -m http.server -b 10.99.0.2

  • tailscale debug netmap on router with 16 dst: https://github.com/user-attachments/files/20013546/debug_netmap_policy_has_slash_16.json
  • tailscale debug netmap on router with 32 dst: https://github.com/user-attachments/files/20013545/debug_netmap_policy_has_slash_32.json
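As an added illustration (not headscale's code, and not part of the thread), here is a small Go checker that parses dst entries in the form used above and evaluates them with the semantics the report expects, so a policy can be sanity-checked against a target host and the approved routes before concluding that the control server is at fault. The function names ParseDst and Allows are hypothetical, the inputs are constructed from the reproduction in this thread, and IPv6 hosts are assumed to be written without brackets.

```go
package main

import (
	"fmt"
	"net/netip"
	"slices"
	"strconv"
	"strings"
)

// ParseDst splits an ACL destination such as "10.99.0.2/32:*" into a prefix and
// a port, where port -1 stands for "*". A bare address becomes a single-address
// prefix, so "10.99.0.2:*" is the same entry as "10.99.0.2/32:*".
func ParseDst(s string) (netip.Prefix, int, error) {
	i := strings.LastIndex(s, ":") // last colon so unbracketed IPv6 hosts survive
	if i < 0 {
		return netip.Prefix{}, 0, fmt.Errorf("dst %q: missing port", s)
	}
	host, port := s[:i], s[i+1:]
	pfx, err := netip.ParsePrefix(host)
	if err != nil { // not CIDR; accept a plain address as a /32 or /128
		a, err := netip.ParseAddr(host)
		if err != nil {
			return netip.Prefix{}, 0, fmt.Errorf("dst %q: bad host %q", s, host)
		}
		pfx = netip.PrefixFrom(a, a.BitLen())
	}
	if port == "*" {
		return pfx.Masked(), -1, nil
	}
	n, err := strconv.ParseUint(port, 10, 16)
	if err != nil {
		return netip.Prefix{}, 0, fmt.Errorf("dst %q: bad port %q", s, port)
	}
	return pfx.Masked(), int(n), nil
}

// Allows is the behaviour the report expects: the entry must contain the target
// address and port, and an approved subnet route must also contain the address,
// otherwise no router exists that could forward the packet.
func Allows(pfx netip.Prefix, port int, target netip.AddrPort, routes []netip.Prefix) bool {
	if !pfx.Contains(target.Addr()) || (port >= 0 && port != int(target.Port())) {
		return false
	}
	return slices.ContainsFunc(routes, func(r netip.Prefix) bool { return r.Contains(target.Addr()) })
}
```

With the route 10.99.0.0/16 approved and the target 10.99.0.2:8000 from the reproduction, both 10.99.0.0/16:* and 10.99.0.2/32:* evaluate to allowed; when a running control server disagrees with that result for the /32 entry, the difference is in the rules it generates, which is what the netmap dumps above capture.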
Reference: starred/headscale#821