[Feature] Add Taildrop-Flag to Config #965

Closed
opened 2025-12-29 02:26:47 +01:00 by adam · 5 comments

Originally created by @lukaslindnermusic on GitHub (Mar 4, 2025).

Use case

If you don't want to use the feature, it might be better to just disable it as it bypasses ACLs.
There are use cases where you want connections to be ONLY possible as defined in the ACLs whatsoever.

Description

Taildrop is currently activated by default and I think there is no way to disable it in Headscale.
However, the Tailscale Admin Console offers a toggle to disable it, so I think the best place to add this feature in headscale is the config file.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

I think the best place for this setting might be the headscale config file.
It could be a simple flag, such as: `enable_taildrop = true/false`.

adam added the enhancement, no-stale-bot labels 2025-12-29 02:26:47 +01:00
adam closed this issue 2025-12-29 02:26:47 +01:00

@github-actions[bot] commented on GitHub (Jun 3, 2025):

This issue is stale because it has been open for 90 days with no activity.

@lukaslindnermusic commented on GitHub (Jun 3, 2025):

No, please no stale label 😢

It still would be really nice, and maybe it even is in line with the planned changes regarding ACLs and tags, which also includes an issue where tagged devices can taildrop to user devices and vice versa?

@lukaslindnermusic commented on GitHub (Jun 3, 2025):

I also think that this is quite some problem.

If my `tag:prod-server`-tagged server can send files to my personal MacBook, even if according to ACLs it should not be allowed to talk to anything by itself, and as Taildrop on macOS currently just blindly accepts whatever comes via Taildrop and just puts that in the Downloads folder automatically, I think this is quite a big issue.

@Volterxien commented on GitHub (Jul 4, 2025):

Bumping because I'd also like this to be both configurable and opt-in (disabled by default)

@nblock commented on GitHub (Dec 12, 2025):

Fixed via 642073f4b87ccd1767ebe601fd18e0ef3d026b7b

Reference: starred/headscale#965