[Bug] test #852

Closed
opened 2025-12-29 02:24:49 +01:00 by adam · 0 comments
Owner

Originally created by @maxpain on GitHub (Nov 8, 2024).

Is this a support request?

  • [X] This is not a support request

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

I have deployed Tailscale as a subnet router (--advertise-routes=10.99.0.0/16) in my Kubernetes cluster to give access to my developers to postgres server 10.99.0.2.

Our developers can't access 10.99.0.2 when using 10.99.0.2/32:* rule.

The developer machine:
[ts-netmap-exact-address.json](https://github.com/user-attachments/files/17683795/ts-netmap-exact-address.json)

```
tailscale status
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   -
```

The subnet router on the Kubernetes side:

```
tailscale status
100.64.0.3      subnet-router        admin        linux   -
```

But 10.99.0.0/16:* works.

The developer machine:
[ts-netmap-slash-16-subnet.json](https://github.com/user-attachments/files/17683791/ts-netmap-slash-16-subnet.json)

```
tailscale status
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   -
100.64.0.3      subnet-router        admin        linux   active; direct
```

The subnet router on the Kubernetes side:

```
tailscale status
100.64.0.3      subnet-router        admin        linux   -
100.64.0.1      maxpain-macbook      m.csgo.com   macOS   active; direct
```

ACL configuration:

```json
{
	"groups": {
		"group:admin": [],
		"group:test-project": ["m.csgo.com"]
	},
	"tagOwners": {
		"tag:test-project": ["group:admin"]
	},
	"acls": [{
		"action": "accept",
		"src": ["group:test-project"],
		"dst": [
			// "10.99.0.0/16:*" // Works
			"10.99.0.2/32:*" // Doesn't work
		]
	}]
}
```

Expected Behavior

The 10.99.0.2/32:* ACL rule should work.

Steps To Reproduce

  1. Run tailscale subnet router:

```bash
tailscale up --login-server=https://headscale.example.com --advertise-routes=10.99.0.0/16 --auth-key=REDACTED --hostname=subnet-router
```

  2. Run tailscale on client machine

Environment

- OS: Ubuntu 24.04
- Headscale version: 0.23.0
- Tailscale version: 1.76.6

Runtime environment

  • [ ] Headscale is behind a (reverse) proxy
  • [X] Headscale runs in a container

Anything else?

No response

adam added the bug label 2025-12-29 02:24:49 +01:00
adam closed this issue 2025-12-29 02:24:49 +01:00
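
An added example, not part of the original issue and not headscale code: a small audit that classifies each ACL `dst` by how it relates to the advertised subnet routes, so that rules narrower than the route (the `10.99.0.2/32:*` case reported above) can be singled out for testing. The function names and the `routes_by_node` mapping are hypothetical; the sample values are copied from the report.

```python
import ipaddress

# Values copied from the report; the node name is the --hostname it used.
ADVERTISED_ROUTES = {"subnet-router": ["10.99.0.0/16"]}
ACL_DSTS = ["10.99.0.0/16:*", "10.99.0.2/32:*"]


def split_dst(dst):
    """Parse 'CIDR:ports'; return None for non-IP dsts (groups, tags, hosts)."""
    host, _, ports = dst.rpartition(":")
    try:
        return ipaddress.ip_network(host, strict=False), ports
    except ValueError:
        return None


def relation(dst_net, route_net):
    """Classify how an ACL destination relates to one advertised route."""
    if dst_net.version != route_net.version or not dst_net.overlaps(route_net):
        return "disjoint"
    if dst_net == route_net:
        return "exact"
    # Overlapping CIDR blocks always nest, so one contains the other.
    return "dst-inside-route" if dst_net.subnet_of(route_net) else "route-inside-dst"


def audit(dsts, routes_by_node):
    """Return (dst, node, route, relation) for every overlapping pair."""
    findings = []
    for dst in dsts:
        parsed = split_dst(dst)
        if parsed is None:
            continue  # not an IP destination, nothing to compare
        for node, routes in routes_by_node.items():
            for route in routes:
                rel = relation(parsed[0], ipaddress.ip_network(route))
                if rel != "disjoint":
                    findings.append((dst, node, route, rel))
    return findings


if __name__ == "__main__":
    for dst, node, route, rel in audit(ACL_DSTS, ADVERTISED_ROUTES):
        print(f"{dst:18} {node} {route:14} {rel}")
```

Entries reported as `dst-inside-route` are the least-privilege rules worth verifying end to end on the deployed Headscale version before relying on them.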

Reference: starred/headscale#852