[Bug] autoApprove does not work from start #2547

Open
3 of 4 tasks
spymobilfon opened this issue Apr 24, 2025 · 1 comment
Labels: bug (Something isn't working), well described ❤️ (Issues that are well described and researched, making it easier for maintainers.)
Milestone: v0.26.0

Comments

@spymobilfon

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Hello!
Sorry to bother, but I think this fix did not help: #2506

I was running Tailscale v1.82.5 on a Linux instance and Headscale, built from the main branch (commit 9a4d0e1), as a controller on Linux as well.

My workaround for auto-approve looks like the one in issue #2485:

- the tailscale client was started with --advertise-exit-node
- then it was started without it (--advertise-exit-node=false)
- then it was started again with --advertise-exit-node

On the first run, the routes list looks like this:

```
ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   |                 | 0.0.0.0/0, ::/0 |
```

Without --advertise-exit-node:

```
ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   |                 |                 |
```

Again with --advertise-exit-node:

```
ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0
```

Expected Behavior

Have the routes auto-enabled from the start:

```
ID   | Hostname    | Approved        | Available       | Serving (Primary)
2412 | exit-node   | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0
```

Steps To Reproduce

Config:

```yaml
---
server_url: https://hs.example.org
listen_addr: 127.0.0.1:8080
metrics_listen_addr: 127.0.0.1:9090
grpc_listen_addr: 127.0.0.1:50443
grpc_allow_insecure: false

noise:
  private_key_path: /var/lib/headscale/noise_private.key

prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48
  allocation: sequential

derp:
  server:
    enabled: false
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    stun_listen_addr: "0.0.0.0:3478"
    private_key_path: /var/lib/headscale/derp_server_private.key
    automatically_add_embedded_derp_region: true
    ipv4: 1.2.3.4
    ipv6: 2001:db8::1
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  paths: []
  auto_update_enabled: true
  update_frequency: 24h

disable_check_updates: true
ephemeral_node_inactivity_timeout: 30m

database:
  type: postgres
  gorm:
    prepare_stmt: true
    parameterized_queries: true
    skip_err_record_not_found: true
    slow_threshold: 1000

  postgres:
    host: localhost
    port: 5432
    name: headscale
    user: headscale
    pass: xxxxxxxxxx
    max_open_conns: 10
    max_idle_conns: 10
    conn_max_idle_time_secs: 3600

acme_url: https://acme-v02.api.letsencrypt.org/directory
acme_email: [email protected]

tls_letsencrypt_hostname: ""
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
tls_cert_path: ""
tls_key_path: ""

log:
  format: text
  level: debug

policy:
  mode: file
  path: /etc/headscale/acl.hujson

dns:
  magic_dns: false
  base_domain: vpn

  nameservers:
    global:
      - 1.1.1.1
    split:
      {}
  search_domains: []
  extra_records: []

unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"

oidc:
  only_start_if_oidc_is_available: true
  issuer: https://issuer.example.org
  client_id: headscale
  client_secret: xxxxxxxxxx
  expiry: 1d
  use_expiry_from_token: false
  scope: ["openid", "profile", "email"]
  allowed_domains:
    - example.org

logtail:
  enabled: false

randomize_client_port: false
```

Policy:

```json
{
  "groups": {
    "group:exit-nodes": [
      "exit-node"
    ]
  },
  "tagOwners": {
    "tag:exit-nodes": [
      "group:exit-nodes"
    ]
  },
  "autoApprovers": {
    "routes": {},
    "exitNode": [
      "tag:exit-nodes"
    ]
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "*"
      ],
      "dst": [
        "group:exit-nodes:0",
        "autogroup:internet:*"
      ]
    }
  ]
}
```

Tailscale command:

```shell
tailscale up --login-server https://hs.example.org --hostname=exit-node --advertise-exit-node --accept-routes=false --accept-dns --snat-subnet-routes --advertise-tags=tag:exit-nodes
```

Environment

- OS: Ubuntu 24.04
- Headscale version: main branch (commit 9a4d0e1a99a5020d6198cf6751de89ff0b595792)
- Tailscale version: v1.82.5

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

Route management is not logged, only these debug messages:

```
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG Expanding alias=group:exit-nodes
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG Expanding alias=group:exit-nodes
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:35:27 xxxxxxxxxx headscale[1072116]: message repeated 2 times: [ 2025-04-24T17:35:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]]
Apr 24 17:35:33 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:35:33Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=group:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=group:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=tag:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG Expanding alias=tag:exit-nodes
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:24Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
Apr 24 17:37:24 xxxxxxxxxx headscale[1072116]: message repeated 2 times: [ 2025-04-24T17:37:24Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]]
Apr 24 17:37:27 xxxxxxxxxx headscale[1072116]: 2025-04-24T17:37:27Z DBG tags provided by policy authorised_tags=["tag:exit-nodes"] node.id=2412 unauthorised_tags=[]
```
@spymobilfon spymobilfon added the bug Something isn't working label Apr 24, 2025
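To see what a policy like the one in this report should auto-approve for a node at first registration, here is an added example (my own code, not Headscale's) that loads the issue's policy as plain JSON (HuJSON comments are not handled) and evaluates the autoApprovers section the way its documented syntax reads: the exitNode aliases are checked against the two exit routes, and each autoApprovers.routes entry against any advertised subnet route its prefix covers. Policy, Node, ParsePolicy, NewNode and AutoApproved are names I chose, and the alias matching (a "tag:" alias against the node's tags, a "group:" alias against group membership, anything else as a user name) is a simplified assumption rather than Headscale's own resolver. It goes slightly beyond the issue by also exercising the routes map, which the policy above leaves empty.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"strings"
)

// SamplePolicy is the policy from the issue above, as plain JSON.
const SamplePolicy = `{
  "groups": {"group:exit-nodes": ["exit-node"]},
  "tagOwners": {"tag:exit-nodes": ["group:exit-nodes"]},
  "autoApprovers": {"routes": {}, "exitNode": ["tag:exit-nodes"]},
  "acls": [{"action": "accept", "src": ["*"], "dst": ["group:exit-nodes:0", "autogroup:internet:*"]}]
}`

// Policy holds only the parts of a Headscale policy this example evaluates.
type Policy struct {
	Groups        map[string][]string `json:"groups"`
	TagOwners     map[string][]string `json:"tagOwners"`
	AutoApprovers struct {
		Routes   map[string][]string `json:"routes"`
		ExitNode []string            `json:"exitNode"`
	} `json:"autoApprovers"`
}

// Node is a constructed stand-in for the node state Headscale tracks (assumption).
type Node struct {
	Hostname string
	User     string
	Tags     []string
	Routes   []netip.Prefix // routes the node advertises
}

// ParsePolicy decodes a plain-JSON policy document.
func ParsePolicy(data []byte) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// NewNode builds a Node from advertised routes given in CIDR notation.
func NewNode(hostname, user string, tags []string, routes ...string) (*Node, error) {
	n := &Node{Hostname: hostname, User: user, Tags: tags}
	for _, r := range routes {
		p, err := netip.ParsePrefix(r)
		if err != nil {
			return nil, fmt.Errorf("route %q: %w", r, err)
		}
		n.Routes = append(n.Routes, p)
	}
	return n, nil
}

func hasString(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches reports whether one approver alias applies to the node. This is a
// simplified reading of the alias syntax, not Headscale's resolver (assumption).
func (p *Policy) matches(alias string, n *Node) bool {
	switch {
	case strings.HasPrefix(alias, "tag:"):
		return hasString(n.Tags, alias)
	case strings.HasPrefix(alias, "group:"):
		return hasString(p.Groups[alias], n.User)
	default:
		return alias == n.User
	}
}

func (p *Policy) anyMatches(aliases []string, n *Node) bool {
	for _, a := range aliases {
		if p.matches(a, n) {
			return true
		}
	}
	return false
}

// AutoApproved returns the advertised routes the policy approves without operator
// action: exit routes (0.0.0.0/0, ::/0) via autoApprovers.exitNode, other routes via
// an autoApprovers.routes entry whose prefix covers them and whose aliases match.
func (p *Policy) AutoApproved(n *Node) []string {
	approved := []string{}
	for _, route := range n.Routes {
		if route.Bits() == 0 { // an exit route
			if p.anyMatches(p.AutoApprovers.ExitNode, n) {
				approved = append(approved, route.String())
			}
			continue
		}
		for cidr, aliases := range p.AutoApprovers.Routes {
			cover, err := netip.ParsePrefix(cidr)
			// Contains is false across address families, so v4/v6 never cross-match.
			if err != nil || cover.Bits() > route.Bits() || !cover.Contains(route.Addr()) {
				continue
			}
			if p.anyMatches(aliases, n) {
				approved = append(approved, route.String())
				break
			}
		}
	}
	return approved
}

func main() {
	pol, err := ParsePolicy([]byte(SamplePolicy))
	if err != nil {
		panic(err)
	}
	// The node from the report: tagged via --advertise-tags, advertising both exit routes.
	exit, _ := NewNode("exit-node", "exit-node", []string{"tag:exit-nodes"}, "0.0.0.0/0", "::/0")
	fmt.Println("expected at first registration:", pol.AutoApproved(exit))
	// A constructed untagged node: nothing should be approved, since routes is {}.
	laptop, _ := NewNode("laptop", "alice", nil, "0.0.0.0/0", "10.0.0.0/24")
	fmt.Println("untagged node:", pol.AutoApproved(laptop))
}
```

The first line main prints is what the Approved column should have shown on the first run of the report; comparing such a dry run against `headscale routes list` is a quick way to tell a policy mistake from a server-side bug like this one.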
@nblock
Collaborator

nblock commented Apr 24, 2025

Thx for your report, a fix is in the works: #2528

@nblock nblock added the well described ❤️ Issues that are well described and researched, making it easier for maintainers. label Apr 25, 2025
@nblock nblock added this to the v0.26.0 milestone Apr 25, 2025