[Feature Request] Support for IP Sets and "Via" in Headscale ACL #939

New Issue

adam · 2025-12-29T02:26:27+01:00

adam commented

2025-12-29 02:26:27 +01:00

Originally created by @aradng on GitHub (Feb 6, 2025).

Use case

Currently, I have implemented these features manually using complex ipset and iptables configurations on the client side. Native support for these in Headscale ACL would be highly beneficial, particularly for:

Restricting access to external services that allow only specific whitelisted IPs or regions/countries.
Enabling conditional routing in high-availability (HA) database and backend environments that are frequently migrating.
Optimizing client-side routing for improved network performance.

Description

Since Tailscale clients already support custom routing configurations, would it be possible to implement similar functionality within Headscale ACL? Specifically:

IP Sets: [Tailscale Docs](https://tailscale.com/kb/1387/ipsets)
"Via" Routing: [Tailscale Docs](https://tailscale.com/kb/1378/via)

Both of these are already available in Tailscale’s control plane ACL grants. Adding them to Headscale ACL would greatly enhance flexibility and ease of use for users managing self-hosted deployments.

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

No response

Originally created by @aradng on GitHub (Feb 6, 2025). ### Use case Currently, I have implemented these features manually using complex `ipset` and `iptables` configurations on the client side. Native support for these in Headscale ACL would be highly beneficial, particularly for: - Restricting access to external services that allow only specific whitelisted IPs or regions/countries. - Enabling conditional routing in high-availability (HA) database and backend environments that are frequently migrating. - Optimizing client-side routing for improved network performance. ### Description Since Tailscale clients already support custom routing configurations, would it be possible to implement similar functionality within Headscale ACL? Specifically: - **IP Sets:** [[Tailscale Docs](https://tailscale.com/kb/1387/ipsets)](https://tailscale.com/kb/1387/ipsets) - **"Via" Routing:** [[Tailscale Docs](https://tailscale.com/kb/1378/via)](https://tailscale.com/kb/1378/via) Both of these are already available in Tailscale’s control plane ACL grants. Adding them to Headscale ACL would greatly enhance flexibility and ease of use for users managing self-hosted deployments. ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? _No response_

adam added the enhancement no-stale-bot policy 📝 labels 2025-12-29 02:26:27 +01:00

adam commented

2025-12-29 02:26:28 +01:00

@kradalby commented on GitHub (Feb 6, 2025):

I have added no stale to this so it sticks around.

I want to managed expectations by saying that currently our ACL implementation part of the policy is severely lacking, which I aim to work on. There are currently no plans in the future to work on implementing grants, that doesnt mean we will not add them, but that there are a lot of other things to work on first (fixing Tags comes to mind and reworking the very hard to maintain routing system, as well as our large backlog of bugs).

I think it would be years before we are able to have the right building blocks in place (working ACLs, then autogroups, fixing routes/exits, then grants) before we can even consider starting on some of this work.

But, we can remain optimistic, open source projects are for the long run.

@kradalby commented on GitHub (Feb 6, 2025): I have added no stale to this so it sticks around. I want to managed expectations by saying that currently our ACL implementation part of the policy is severely lacking, which I aim to work on. There are currently no plans in the future to work on implementing `grants`, that doesnt mean we will not add them, but that there are a lot of other things to work on first (fixing [Tags](https://github.com/juanfont/headscale/issues/1369) comes to mind and reworking the very hard to maintain routing system, as well as our large backlog of bugs). I think it would be years before we are able to have the right building blocks in place (working ACLs, then autogroups, fixing routes/exits, then grants) before we can even consider starting on some of this work. But, we can remain optimistic, open source projects are for the long run.

adam commented

2025-12-29 02:26:28 +01:00

@anuragbhatia commented on GitHub (Mar 31, 2025):

+1 would be great to have this feature.

@anuragbhatia commented on GitHub (Mar 31, 2025): +1 would be great to have this feature.

adam commented

2025-12-29 02:26:28 +01:00

@yumork commented on GitHub (May 30, 2025):

+1 Очень нужно ограничение прав на выход

@yumork commented on GitHub (May 30, 2025): +1 Очень нужно ограничение прав на выход

adam commented

2025-12-29 02:26:28 +01:00

@dblanque commented on GitHub (Sep 16, 2025):

+1 would be a good feature addition!

@dblanque commented on GitHub (Sep 16, 2025): +1 would be a good feature addition!

adam commented

2025-12-29 02:26:28 +01:00

@benidk commented on GitHub (Oct 23, 2025):

+1

@benidk commented on GitHub (Oct 23, 2025): +1

adam commented

2025-12-29 02:26:29 +01:00

@kradalby commented on GitHub (Oct 23, 2025):

+1 are not helpful. It gives everyone who has subscribed to this issue a notification and it sends the wrong signal since it is not worked on.

@kradalby commented on GitHub (Oct 23, 2025): +1 are not helpful. It gives everyone who has subscribed to this issue a notification and it sends the wrong signal since it is not worked on.

adam referenced this issue

2025-12-29 02:31:33 +01:00

[PR #940] [MERGED] Add support for NextDNS resolver #1751

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#939