[Bug] No exit node and device route don't work #984

Closed
opened 2025-12-29 02:27:02 +01:00 by adam · 2 comments

Originally created by @DevOpsPop on GitHub (Mar 21, 2025).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Exit nodes on client are empty and no access to 34.160.111.145/32

```
docker exec headscale headscale routes ls
ID | Node  | Prefix            | Advertised | Enabled | Primary
4  | vpn-2 | 0.0.0.0/0         | true       | false   | -
5  | vpn-2 | ::/0              | true       | false   | -
6  | vpn-2 | 34.160.111.145/32 | true       | true    | true

root@vpn-2:~# docker exec headscale headscale nodes ls
ID | Hostname     | Name         | MachineKey | NodeKey | User     | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
4  | vpn-2        | vpn-2        | [E11Vi]    | [OQu3J] | test     | 100.64.0.5, fd7a:115c:a1e0::5 | false     | 2025-03-21 15:49:57 | N/A                 | online    | no
8  | test         | test         | [CVZ+T]    | [mOo3g] |          | 100.64.0.9, fd7a:115c:a1e0::9 | false     | 2025-03-21 15:56:02 | 2025-09-17 15:50:38 | online    | no
```

Expected Behavior

Exit nodes aren't empty and access to 34.160.111.145/32

Steps To Reproduce

  1. docker compose

```
version: "3.7"

services:
  headscale:
    image: headscale/headscale:v0.25.1
    restart: unless-stopped
    container_name: headscale
    ports:
      - 8080
      - 9090
    volumes:
      # Please set <HEADSCALE_PATH> to the absolute path
      # of the previously created headscale directory.
      - /root/headscale/config:/etc/headscale
      - /root/headscale/lib:/var/lib/headscale
      - /root/headscale/run:/var/run/headscale
    command: serve
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    environment:
      - HTTPS_PORT=8443
      - HTTP_PORT=8080
    volumes:
      - /root/Caddyfile:/data/Caddyfile
    ports:
      - 80:8080
      - 443:8443
```

  2. create user and authkey
  3. setup exit-node on server
    `tailscale up --login-server=https://hs.dev --authkey <> --advertise-exit-node --advertise-routes=34.160.111.145/32 --reset --force-reauth`
  4. login on client
    `tailscale up --login-server https://hs.dev`

Environment

- OS: client windows11, server linux 22.04
- Headscale version:v0.25.1
- Tailscale version: 1.80.2

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

```
net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1
```

adam added the bug label 2025-12-29 02:27:02 +01:00
adam closed this issue 2025-12-29 02:27:02 +01:00

@andrpp commented on GitHub (Mar 21, 2025):

I've noticed the same issue. Version v0.24.3 works fine, while on version v0.25.0 I don't see the routes at all; on version v0.25.1 the routes appear, but they are not auto-approved anymore.

Here is the output from the tests on the mentioned versions:

v0.24.3 - routes are available and auto approved - all good

```
docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | headscale-node | headscale-node | [fK61Q]    | [f5ClF] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 15:54:42 | 0001-01-01 00:00:00 | online    | no

docker exec headscale headscale route ls
ID | Node           | Prefix        | Advertised | Enabled | Primary
1  | headscale-node | ::/0          | true       | true    | -
2  | headscale-node | 10.11.0.0/16  | true       | true    | true
3  | headscale-node | 172.17.0.0/22 | true       | true    | true
4  | headscale-node | 172.17.4.0/23 | true       | true    | true
5  | headscale-node | 0.0.0.0/0     | true       | true    | -
```

v0.25.0 - routes are not available

```
docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration | Connected | Expired
1  | headscale-node | headscale-node | [IEaPg]    | [uGpW3] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 18:17:40 | N/A        | online    | no

docker exec headscale headscale route ls
ID | Node | Prefix | Advertised | Enabled | Primary
```

v0.25.0 - routes are available, but not auto-approved

```
docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration | Connected | Expired
1  | headscale-node | headscale-node | [p68AT]    | [69Woy] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 18:29:37 | N/A        | online    | no

docker exec headscale headscale route ls
ID | Node           | Prefix        | Advertised | Enabled | Primary
1  | headscale-node | 10.11.0.0/16  | true       | false   | false
2  | headscale-node | 172.17.0.0/22 | true       | false   | false
3  | headscale-node | 172.17.4.0/23 | true       | false   | false
4  | headscale-node | 0.0.0.0/0     | true       | false   | -
5  | headscale-node | ::/0          | true       | false   | -
```

I am using the same acl.json for all the tests:

```
{
  "groups": {
    "group:infra": ["headscale-user"],
    "group:use_exit_node": ["user1"],
    "group:internal": ["headscale-user","user1"]
  },
  "tagOwners": {
    "tag:infra": ["group:infra"]
  },
  "autoApprovers": {
    "routes": {
      "10.11.0.0/16": ["group:infra"],
      "172.17.0.0/22": ["group:infra"],
      "172.17.4.0/23": ["group:infra"]
    },
    "exitNode": ["tag:infra","group:infra"]
  },

  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["tag:infra:*"]
    },
    {
      "action": "accept",
      "src": ["group:internal"],
      "dst": ["10.11.0.0/16:*","172.17.0.0/22:*","172.17.4.0/23:*"]
    },
    {
      "action": "accept",
      "src": ["group:use_exit_node"],
      "dst": ["autogroup:internet:*"]
    }
  ]
}
```

command to start tailscale on headscale-node:

```
tailscale up --login-server https://hs.com --auth-key mykey --advertise-exit-node --advertise-routes=172.17.0.0/22,172.17.4.0/23,10.11.0.0/16
```
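An added example, not part of the original thread or of headscale's own code: a small Python audit that compares `headscale route ls` output with the policy's `autoApprovers`, listing routes the policy should have approved but that are not enabled, and routes that are enabled without policy coverage. It assumes the `Node` column matches the `Name` column of `node ls`, resolves only `group:` approvers (tags are not modelled), and treats a route as covered when it lies inside an `autoApprovers` prefix.

```python
import ipaddress

EXIT_ROUTES = {"0.0.0.0/0", "::/0"}
# Constructed sample modelled on the comment above; 192.168.50.0/24 is made up.
POLICY = {
    "groups": {"group:infra": ["headscale-user"]},
    "autoApprovers": {"routes": {"10.11.0.0/16": ["group:infra"], "172.17.0.0/22": ["group:infra"]},
                      "exitNode": ["tag:infra", "group:infra"]},
}
NODES = """ID | Hostname | Name | User
1 | headscale-node | headscale-node | headscale-user"""
ROUTES = """ID | Node | Prefix | Advertised | Enabled | Primary
1 | headscale-node | 10.11.0.0/16 | true | false | false
2 | headscale-node | 172.17.0.0/22 | true | true | true
3 | headscale-node | 0.0.0.0/0 | true | false | -
4 | headscale-node | 192.168.50.0/24 | true | true | true"""

def parse_table(text):
    """Turn the pipe-delimited CLI table into a list of dicts keyed by header."""
    rows = [[c.strip() for c in ln.split("|")] for ln in text.splitlines() if "|" in ln]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def expand(approvers, groups):
    """Resolve group: names to users; tag: entries stay as-is (tags not modelled)."""
    return {u for a in approvers for u in groups.get(a, [a])}

def policy_approves(prefix, user, policy):
    """True if autoApprovers covers this prefix for this user (assumed semantics)."""
    auto, groups = policy.get("autoApprovers", {}), policy.get("groups", {})
    if prefix in EXIT_ROUTES:
        return user in expand(auto.get("exitNode", []), groups)
    net = ipaddress.ip_network(prefix)
    for covered, who in auto.get("routes", {}).items():
        sup = ipaddress.ip_network(covered)
        if net.version == sup.version and net.subnet_of(sup) and user in expand(who, groups):
            return True
    return False

def audit(routes_text, nodes_text, policy):
    """Return (prefix, finding) for every route whose state disagrees with policy."""
    owner = {n["Name"]: n["User"] for n in parse_table(nodes_text)}
    findings = []
    for r in parse_table(routes_text):
        want = policy_approves(r["Prefix"], owner.get(r["Node"], ""), policy)
        have = r["Enabled"] == "true"
        if want != have:
            findings.append((r["Prefix"], "not-auto-approved" if want else "enabled-outside-policy"))
    return findings

print(audit(ROUTES, NODES, POLICY))
```

An `enabled-outside-policy` finding is not necessarily wrong, since routes can also be approved by hand; it marks the rows worth confirming after an upgrade.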

@andrpp commented on GitHub (Mar 22, 2025):

I confirm that the workaround/solution mentioned in https://github.com/juanfont/headscale/issues/2485 solves my issue.
The routes are approved if I disconnect from tailscale, connect without advertising routes, disconnect and connect again advertising routes.

Reference: starred/headscale#984