[Bug] peers are not propagated to tagged nodes #920

Closed
opened 2025-12-29 02:26:00 +01:00 by adam · 7 comments

Originally created by @bartishv on GitHub (Jan 24, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Given headscale 0.24.0, two tailscale 1.78.3 nodes one tagged as `tag:device` and the other as `tag:proxy`, and ACL

```
{
  "tagOwners": {
    "tag:device": [],
    "tag:proxy": []
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:device"],
      "dst": ["tag:proxy:*"]
    }
  ]
}
```

tailscale nodes tagged as `tag:device` do not receive peers. Meaning `tailscale status` returns only one record of the node itself.

Changing ACL to use users or groups instead of tags - works like a charm.

Expected Behavior

nodes tagged as `tag:device` should receive a peer tagged as `tag:proxy`

Steps To Reproduce

  1. define ACLs as in "Current behavior" in a policy file.
  2. start headscale
  3. add two users
  4. generate two pre-auth keys - 1 for each user
  5. start two tailscale nodes, specifying pre-auth keys generated above
  6. in headscale terminal tag one node as described in "current behavior"

Environment

- Docker compose
- Headscale version: 0.24.0
- Tailscale version: 1.78.3

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

Similar problem was reported in https://github.com/juanfont/headscale/issues/809
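
Added example (not part of the original issue and not headscale's code): a simplified Go model that computes which peers each node should see under the ACL from the report, as an expected-result check to compare against `tailscale status`. The node names, the `ExpectedPeers` helper and the rule that a peer is visible when traffic is allowed in either direction are assumptions; only tag selectors are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// IssuePolicy is the ACL from the report; SampleNodes are constructed stand-ins.
const IssuePolicy = `{"tagOwners": {"tag:device": [], "tag:proxy": []},
 "acls": [{"action": "accept", "src": ["tag:device"], "dst": ["tag:proxy:*"]}]}`
var SampleNodes = []Node{
	{"device-1", map[string]bool{"tag:device": true}},
	{"proxy-1", map[string]bool{"tag:proxy": true}},
}
type Policy struct{ ACLs []struct{ Action string; Src, Dst []string } }
type Node struct{ Name string; Tags map[string]bool }

// allowed: an accept rule lets src reach dst (tag selectors only, any port).
func allowed(p Policy, src, dst Node) bool {
	for _, r := range p.ACLs {
		for _, s := range r.Src {
			for _, d := range r.Dst {
				i := strings.LastIndex(d, ":") // "tag:proxy:*" -> "tag:proxy"
				if r.Action == "accept" && i > 0 && src.Tags[s] && dst.Tags[d[:i]] {
					return true
				}
			}
		}
	}
	return false
}

// ExpectedPeers assumes a peer is visible when traffic is allowed either way.
func ExpectedPeers(policyJSON string, self Node, all []Node) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	peers := []string{}
	for _, n := range all {
		if n.Name != self.Name && (allowed(p, self, n) || allowed(p, n, self)) {
			peers = append(peers, n.Name)
		}
	}
	return peers, nil
}

func main() { fmt.Println(ExpectedPeers(IssuePolicy, SampleNodes[0], SampleNodes)) }
```

Under this model `device-1` should list `proxy-1` as a peer, which is the expected behaviour stated in the report; an untagged node matches no rule and should see no peers.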

adam added the bug, no-stale-bot, policy 📝, tags labels 2025-12-29 02:26:00 +01:00
adam closed this issue 2025-12-29 02:26:00 +01:00

@DevId-E commented on GitHub (Jan 24, 2025):

I can confirm this. As soon as tags are removed, peering defined in ACLs works as expected.


@github-actions[bot] commented on GitHub (May 1, 2025):

This issue is stale because it has been open for 90 days with no activity.


@kradalby commented on GitHub (May 7, 2025):

While tags have not been focused on in this release, they might have been touched up, and I would be grateful to hear feedback if the current beta changed anything for this issue.


@bartishv commented on GitHub (May 9, 2025):

@kradalby hey, thanks! I'll give it a try and get back to you in a couple of days.


@bartishv commented on GitHub (May 12, 2025):

Greetings @kradalby. I have finally found some time to test this out with v0.25.1 (and v0.26.0-beta.2) and tailscale version 1.82.5. So here are some scenarios I've tried:

  1. exact STRs from the bug report (tagging using `headscale node tag`) - still does not work as expected
  2. instead of tagging nodes as described in original report, I've tagged preauth keys. This way ACLs work as expected.

Ain't sure if this matters but I am generating preauth keys as ephemeral.


@kradalby commented on GitHub (May 21, 2025):

Just to understand this issue, I see in your example that the `tagOwners` are empty, how come?

Could you show the output of `headscale nodes list --tags` for this setup? Just so I can build a map in my head of the node topology you have?


@kradalby commented on GitHub (Dec 12, 2025):

I'm gonna close this as dupe/related to #2389

Reference: starred/headscale#920