TheArchive/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-07-18 20:38:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
headscale/development/ref/routes/index.html

89 lines
63 KiB
HTML
Raw Normal View History

Deployed 18d21d35 to development with MkDocs 1.6.1 and mike 2.1.3
2025-05-03 08:26:26 +00:00
<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=author content="Headscale authors"><link href=https://juanfont.github.io/headscale/development/ref/routes/ rel=canonical><link href=../oidc/ rel=prev><link href=../tls/ rel=next><link rel=icon href=../../assets/favicon.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.6.12"><title>Routes - Headscale</title><link rel=stylesheet href=../../assets/stylesheets/main.2afb09e1.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.06af60db.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="Routes - Headscale"><meta property=og:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=og:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/routes.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://juanfont.github.io/headscale/development/ref/routes/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="Routes - Headscale"><meta name=twitter:description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=twitter:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/routes.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#routes class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. title=Headscale class="md-header__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Headscale </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> Routes </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.
</span></code></pre></div> <p>If the node is already registered, it can advertise new routes or update previously announced routes with:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-1-1><a id=__codelineno-1-1 name=__codelineno-1-1 href=#__codelineno-1-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span><span class=nb>set</span><span class=w> </span>--advertise-routes<span class=o>=</span><span class=m>10</span>.0.0.0/8,192.168.0.0/24
</span></code></pre></div> <p>Finally, <a href=#enable-ip-forwarding>enable IP forwarding</a> to route traffic.</p> <h4 id=enable-the-subnet-router-on-the-control-server>Enable the subnet router on the control server<a class=headerlink href=#enable-the-subnet-router-on-the-control-server title="Permanent link">&para;</a></h4> <p>The routes of a tailnet can be displayed with the <code>headscale nodes list-routes</code> command. A subnet router with the hostname <code>myrouter</code> announced the IPv4 networks <code>10.0.0.0/8</code> and <code>192.168.0.0/24</code>. Those need to be approved before they can be used.</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-2-1><a id=__codelineno-2-1 name=__codelineno-2-1 href=#__codelineno-2-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>list-routes
</span><span id=__span-2-2><a id=__codelineno-2-2 name=__codelineno-2-2 href=#__codelineno-2-2></a><span class=go>ID | Hostname | Approved | Available | Serving (Primary)</span>
</span><span id=__span-2-3><a id=__codelineno-2-3 name=__codelineno-2-3 href=#__codelineno-2-3></a><span class=go>1 | myrouter | | 10.0.0.0/8, 192.168.0.0/24 |</span>
</span></code></pre></div> <p>Approve all desired routes of a subnet router by specifying them as comma separated list:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-3-1><a id=__codelineno-3-1 name=__codelineno-3-1 href=#__codelineno-3-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>approve-routes<span class=w> </span>--identifier<span class=w> </span><span class=m>1</span><span class=w> </span>--routes<span class=w> </span><span class=m>10</span>.0.0.0/8,192.168.0.0/24
</span><span id=__span-3-2><a id=__codelineno-3-2 name=__codelineno-3-2 href=#__codelineno-3-2></a><span class=go>Node updated</span>
</span></code></pre></div> <p>The node <code>myrouter</code> can now route the IPv4 networks <code>10.0.0.0/8</code> and <code>192.168.0.0/24</code> for the tailnet.</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-4-1><a id=__codelineno-4-1 name=__codelineno-4-1 href=#__codelineno-4-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>list-routes
</span><span id=__span-4-2><a id=__codelineno-4-2 name=__codelineno-4-2 href=#__codelineno-4-2></a><span class=go>ID | Hostname | Approved | Available | Serving (Primary)</span>
</span><span id=__span-4-3><a id=__codelineno-4-3 name=__codelineno-4-3 href=#__codelineno-4-3></a><span class=go>1 | myrouter | 10.0.0.0/8, 192.168.0.0/24 | 10.0.0.0/8, 192.168.0.0/24 | 10.0.0.0/8, 192.168.0.0/24</span>
</span></code></pre></div> <h4 id=use-the-subnet-router>Use the subnet router<a class=headerlink href=#use-the-subnet-router title="Permanent link">&para;</a></h4> <p>To accept routes advertised by a subnet router on a node:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-5-1><a id=__codelineno-5-1 name=__codelineno-5-1 href=#__codelineno-5-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span><span class=nb>set</span><span class=w> </span>--accept-routes
Deployed 833e0f66 to development with MkDocs 1.6.1 and mike 2.1.3
2025-05-05 13:25:33 +00:00
</span></code></pre></div> <p>Please refer to the official <a href=https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-devices>Tailscale documentation</a> for how to use a subnet router on different operating systems.</p> <h3 id=restrict-the-use-of-a-subnet-router-with-acl>Restrict the use of a subnet router with ACL<a class=headerlink href=#restrict-the-use-of-a-subnet-router-with-acl title="Permanent link">&para;</a></h3> <p>The routes announced by subnet routers are available to the nodes in a tailnet. By default, without an ACL enabled, all nodes can accept and use such routes. Configure an ACL to explicitly manage who can use routes.</p> <p>The ACL snippet below defines three hosts, a subnet router <code>router</code>, a regular node <code>node</code> and <code>service.example.net</code> as internal service that can be reached via a route on the subnet router <code>router</code>. It allows the node <code>node</code> to access <code>service.example.net</code> on port 80 and 443 which is reachable via the subnet router. Access to the subnet router itself is denied.</p> <div class="language-json highlight"><span class=filename>Access the routes of a subnet router without the subnet router itself</span><pre><span></span><code><span id=__span-6-1><a id=__codelineno-6-1 name=__codelineno-6-1 href=#__codelineno-6-1></a><span class=p>{</span>
Deployed 18d21d35 to development with MkDocs 1.6.1 and mike 2.1.3
2025-05-03 08:26:26 +00:00
</span><span id=__span-6-2><a id=__codelineno-6-2 name=__codelineno-6-2 href=#__codelineno-6-2></a><span class=w> </span><span class=nt>&quot;hosts&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
Deployed 833e0f66 to development with MkDocs 1.6.1 and mike 2.1.3
2025-05-05 13:25:33 +00:00
</span><span id=__span-6-3><a id=__codelineno-6-3 name=__codelineno-6-3 href=#__codelineno-6-3></a><span class=w> </span><span class=c1>// the router is not referenced but announces 192.168.0.0/24&quot;</span>
</span><span id=__span-6-4><a id=__codelineno-6-4 name=__codelineno-6-4 href=#__codelineno-6-4></a><span class=w> </span><span class=nt>&quot;router&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;100.64.0.1/32&quot;</span><span class=p>,</span>
</span><span id=__span-6-5><a id=__codelineno-6-5 name=__codelineno-6-5 href=#__codelineno-6-5></a><span class=w> </span><span class=nt>&quot;node&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;100.64.0.2/32&quot;</span><span class=p>,</span>
</span><span id=__span-6-6><a id=__codelineno-6-6 name=__codelineno-6-6 href=#__codelineno-6-6></a><span class=w> </span><span class=nt>&quot;service.example.net&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;192.168.0.1/32&quot;</span>
</span><span id=__span-6-7><a id=__codelineno-6-7 name=__codelineno-6-7 href=#__codelineno-6-7></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-6-8><a id=__codelineno-6-8 name=__codelineno-6-8 href=#__codelineno-6-8></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-6-9><a id=__codelineno-6-9 name=__codelineno-6-9 href=#__codelineno-6-9></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-6-10><a id=__codelineno-6-10 name=__codelineno-6-10 href=#__codelineno-6-10></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-6-11><a id=__codelineno-6-11 name=__codelineno-6-11 href=#__codelineno-6-11></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-6-12><a id=__codelineno-6-12 name=__codelineno-6-12 href=#__codelineno-6-12></a><span class=w> </span><span class=s2>&quot;node&quot;</span>
</span><span id=__span-6-13><a id=__codelineno-6-13 name=__codelineno-6-13 href=#__codelineno-6-13></a><span class=w> </span><span class=p>],</span>
</span><span id=__span-6-14><a id=__codelineno-6-14 name=__codelineno-6-14 href=#__codelineno-6-14></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-6-15><a id=__codelineno-6-15 name=__codelineno-6-15 href=#__codelineno-6-15></a><span class=w> </span><span class=s2>&quot;service.example.net:80,443&quot;</span>
</span><span id=__span-6-16><a id=__codelineno-6-16 name=__codelineno-6-16 href=#__codelineno-6-16></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-6-17><a id=__codelineno-6-17 name=__codelineno-6-17 href=#__codelineno-6-17></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-6-18><a id=__codelineno-6-18 name=__codelineno-6-18 href=#__codelineno-6-18></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-6-19><a id=__codelineno-6-19 name=__codelineno-6-19 href=#__codelineno-6-19></a><span class=p>}</span>
Deployed 18d21d35 to development with MkDocs 1.6.1 and mike 2.1.3
2025-05-03 08:26:26 +00:00
</span></code></pre></div> <h3 id=automatically-approve-routes-of-a-subnet-router>Automatically approve routes of a subnet router<a class=headerlink href=#automatically-approve-routes-of-a-subnet-router title="Permanent link">&para;</a></h3> <p>The initial setup of a subnet router usually requires manual approval of their announced routes on the control server before they can be used by a node in a tailnet. Headscale supports the <code>autoApprovers</code> section of an ACL to automate the approval of routes served with a subnet router.</p> <p>The ACL snippet below defines the tag <code>tag:router</code> owned by the user <code>alice</code>. This tag is used for <code>routes</code> in the <code>autoApprovers</code> section. The IPv4 route <code>192.168.0.0/24</code> is automatically approved once announced by a subnet router owned by the user <code>alice</code> and that also advertises the tag <code>tag:router</code>.</p> <div class="language-json highlight"><span class=filename>Subnet routers owned by alice and tagged with tag:router are automatically approved</span><pre><span></span><code><span id=__span-7-1><a id=__codelineno-7-1 name=__codelineno-7-1 href=#__codelineno-7-1></a><span class=p>{</span>
</span><span id=__span-7-2><a id=__codelineno-7-2 name=__codelineno-7-2 href=#__codelineno-7-2></a><span class=w> </span><span class=nt>&quot;tagOwners&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-7-3><a id=__codelineno-7-3 name=__codelineno-7-3 href=#__codelineno-7-3></a><span class=w> </span><span class=nt>&quot;tag:router&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-7-4><a id=__codelineno-7-4 name=__codelineno-7-4 href=#__codelineno-7-4></a><span class=w> </span><span class=s2>&quot;alice@&quot;</span>
</span><span id=__span-7-5><a id=__codelineno-7-5 name=__codelineno-7-5 href=#__codelineno-7-5></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-7-6><a id=__codelineno-7-6 name=__codelineno-7-6 href=#__codelineno-7-6></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-7><a id=__codelineno-7-7 name=__codelineno-7-7 href=#__codelineno-7-7></a><span class=w> </span><span class=nt>&quot;autoApprovers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-7-8><a id=__codelineno-7-8 name=__codelineno-7-8 href=#__codelineno-7-8></a><span class=w> </span><span class=nt>&quot;routes&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-7-9><a id=__codelineno-7-9 name=__codelineno-7-9 href=#__codelineno-7-9></a><span class=w> </span><span class=nt>&quot;192.168.0.0/24&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-7-10><a id=__codelineno-7-10 name=__codelineno-7-10 href=#__codelineno-7-10></a><span class=w> </span><span class=s2>&quot;tag:router&quot;</span>
</span><span id=__span-7-11><a id=__codelineno-7-11 name=__codelineno-7-11 href=#__codelineno-7-11></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-7-12><a id=__codelineno-7-12 name=__codelineno-7-12 href=#__codelineno-7-12></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-7-13><a id=__codelineno-7-13 name=__codelineno-7-13 href=#__codelineno-7-13></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-14><a id=__codelineno-7-14 name=__codelineno-7-14 href=#__codelineno-7-14></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-7-15><a id=__codelineno-7-15 name=__codelineno-7-15 href=#__codelineno-7-15></a><span class=w> </span><span class=c1>// more rules</span>
</span><span id=__span-7-16><a id=__codelineno-7-16 name=__codelineno-7-16 href=#__codelineno-7-16></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-7-17><a id=__codelineno-7-17 name=__codelineno-7-17 href=#__codelineno-7-17></a><span class=p>}</span>
</span></code></pre></div> <p>Advertise the route <code>192.168.0.0/24</code> from a subnet router that also advertises the tag <code>tag:router</code> when joining the tailnet:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-8-1><a id=__codelineno-8-1 name=__codelineno-8-1 href=#__codelineno-8-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span>up<span class=w> </span>--login-server<span class=w> </span>&lt;YOUR_HEADSCALE_URL&gt;<span class=w> </span>--advertise-tags<span class=w> </span>tag:router<span class=w> </span>--advertise-routes<span class=w> </span><span class=m>192</span>.168.0.0/24
</span></code></pre></div> <p>Please see the <a href=https://tailscale.com/kb/1337/acl-syntax#autoapprovers>official Tailscale documentation</a> for more information on auto approvers.</p> <h2 id=exit-node>Exit node<a class=headerlink href=#exit-node title="Permanent link">&para;</a></h2> <p>The setup of an exit node requires double opt-in, once from an exit node and once on the control server to allow its use within the tailnet. Optionally, use <a href=#automatically-approve-an-exit-node-with-auto-approvers><code>autoApprovers</code> to automatically approve an exit node</a>.</p> <h3 id=setup-an-exit-node>Setup an exit node<a class=headerlink href=#setup-an-exit-node title="Permanent link">&para;</a></h3> <h4 id=configure-a-node-as-exit-node>Configure a node as exit node<a class=headerlink href=#configure-a-node-as-exit-node title="Permanent link">&para;</a></h4> <p>Register a node and make it advertise itself as an exit node:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-9-1><a id=__codelineno-9-1 name=__codelineno-9-1 href=#__codelineno-9-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span>up<span class=w> </span>--login-server<span class=w> </span>&lt;YOUR_HEADSCALE_URL&gt;<span class=w> </span>--advertise-exit-node
</span></code></pre></div> <p>If the node is already registered, it can advertise exit capabilities like this:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-10-1><a id=__codelineno-10-1 name=__codelineno-10-1 href=#__codelineno-10-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span><span class=nb>set</span><span class=w> </span>--advertise-exit-node
</span></code></pre></div> <p>Finally, <a href=#enable-ip-forwarding>enable IP forwarding</a> to route traffic.</p> <h4 id=enable-the-exit-node-on-the-control-server>Enable the exit node on the control server<a class=headerlink href=#enable-the-exit-node-on-the-control-server title="Permanent link">&para;</a></h4> <p>The routes of a tailnet can be displayed with the <code>headscale nodes list-routes</code> command. An exit node can be recognized by its announced routes: <code>0.0.0.0/0</code> for IPv4 and <code>::/0</code> for IPv6. The exit node with the hostname <code>myexit</code> is already available, but needs to be approved:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-11-1><a id=__codelineno-11-1 name=__codelineno-11-1 href=#__codelineno-11-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>list-routes
</span><span id=__span-11-2><a id=__codelineno-11-2 name=__codelineno-11-2 href=#__codelineno-11-2></a><span class=go>ID | Hostname | Approved | Available | Serving (Primary)</span>
</span><span id=__span-11-3><a id=__codelineno-11-3 name=__codelineno-11-3 href=#__codelineno-11-3></a><span class=go>1 | myexit | | 0.0.0.0/0, ::/0 |</span>
</span></code></pre></div> <p>For exit nodes, it is sufficient to approve either the IPv4 or IPv6 route. The other will be approved automatically.</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-12-1><a id=__codelineno-12-1 name=__codelineno-12-1 href=#__codelineno-12-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>approve-routes<span class=w> </span>--identifier<span class=w> </span><span class=m>1</span><span class=w> </span>--routes<span class=w> </span><span class=m>0</span>.0.0.0/0
</span><span id=__span-12-2><a id=__codelineno-12-2 name=__codelineno-12-2 href=#__codelineno-12-2></a><span class=go>Node updated</span>
</span></code></pre></div> <p>The node <code>myexit</code> is now approved as exit node for the tailnet:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-13-1><a id=__codelineno-13-1 name=__codelineno-13-1 href=#__codelineno-13-1></a><span class=gp>$ </span>headscale<span class=w> </span>nodes<span class=w> </span>list-routes
</span><span id=__span-13-2><a id=__codelineno-13-2 name=__codelineno-13-2 href=#__codelineno-13-2></a><span class=go>ID | Hostname | Approved | Available | Serving (Primary)</span>
</span><span id=__span-13-3><a id=__codelineno-13-3 name=__codelineno-13-3 href=#__codelineno-13-3></a><span class=go>1 | myexit | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0</span>
</span></code></pre></div> <h4 id=use-the-exit-node>Use the exit node<a class=headerlink href=#use-the-exit-node title="Permanent link">&para;</a></h4> <p>The exit node can now be used on a node with:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-14-1><a id=__codelineno-14-1 name=__codelineno-14-1 href=#__codelineno-14-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span><span class=nb>set</span><span class=w> </span>--exit-node<span class=w> </span>myexit
</span></code></pre></div> <p>Please refer to the official <a href=https://tailscale.com/kb/1103/exit-nodes#use-the-exit-node>Tailscale documentation</a> for how to use an exit node on different operating systems.</p> <h3 id=restrict-the-use-of-an-exit-node-with-acl>Restrict the use of an exit node with ACL<a class=headerlink href=#restrict-the-use-of-an-exit-node-with-acl title="Permanent link">&para;</a></h3> <p>An exit node is offered to all nodes in a tailnet. By default, without an ACL enabled, all nodes in a tailnet can select and use an exit node. Configure <code>autogroup:internet</code> in an ACL rule to restrict who can use <em>any</em> of the available exit nodes.</p> <div class="language-json highlight"><span class=filename>Example use of autogroup:internet</span><pre><span></span><code><span id=__span-15-1><a id=__codelineno-15-1 name=__codelineno-15-1 href=#__codelineno-15-1></a><span class=p>{</span>
</span><span id=__span-15-2><a id=__codelineno-15-2 name=__codelineno-15-2 href=#__codelineno-15-2></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-15-3><a id=__codelineno-15-3 name=__codelineno-15-3 href=#__codelineno-15-3></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-15-4><a id=__codelineno-15-4 name=__codelineno-15-4 href=#__codelineno-15-4></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-15-5><a id=__codelineno-15-5 name=__codelineno-15-5 href=#__codelineno-15-5></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-15-6><a id=__codelineno-15-6 name=__codelineno-15-6 href=#__codelineno-15-6></a><span class=w> </span><span class=s2>&quot;...&quot;</span>
</span><span id=__span-15-7><a id=__codelineno-15-7 name=__codelineno-15-7 href=#__codelineno-15-7></a><span class=w> </span><span class=p>],</span>
</span><span id=__span-15-8><a id=__codelineno-15-8 name=__codelineno-15-8 href=#__codelineno-15-8></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-15-9><a id=__codelineno-15-9 name=__codelineno-15-9 href=#__codelineno-15-9></a><span class=w> </span><span class=s2>&quot;autogroup:internet:*&quot;</span>
</span><span id=__span-15-10><a id=__codelineno-15-10 name=__codelineno-15-10 href=#__codelineno-15-10></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-15-11><a id=__codelineno-15-11 name=__codelineno-15-11 href=#__codelineno-15-11></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-15-12><a id=__codelineno-15-12 name=__codelineno-15-12 href=#__codelineno-15-12></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-15-13><a id=__codelineno-15-13 name=__codelineno-15-13 href=#__codelineno-15-13></a><span class=p>}</span>
</span></code></pre></div> <h3 id=automatically-approve-an-exit-node-with-auto-approvers>Automatically approve an exit node with auto approvers<a class=headerlink href=#automatically-approve-an-exit-node-with-auto-approvers title="Permanent link">&para;</a></h3> <p>The initial setup of an exit node usually requires manual approval on the control server before it can be used by a node in a tailnet. Headscale supports the <code>autoApprovers</code> section of an ACL to automate the approval of a new exit node as soon as it joins the tailnet.</p> <p>The ACL snippet below defines the tag <code>tag:exit</code> owned by the user <code>alice</code>. This tag is used for <code>exitNode</code> in the <code>autoApprovers</code> section. A new exit node which is owned by the user <code>alice</code> and that also advertises the tag <code>tag:exit</code> is automatically approved:</p> <div class="language-json highlight"><span class=filename>Exit nodes owned by alice and tagged with tag:exit are automatically approved</span><pre><span></span><code><span id=__span-16-1><a id=__codelineno-16-1 name=__codelineno-16-1 href=#__codelineno-16-1></a><span class=p>{</span>
</span><span id=__span-16-2><a id=__codelineno-16-2 name=__codelineno-16-2 href=#__codelineno-16-2></a><span class=w> </span><span class=nt>&quot;tagOwners&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-16-3><a id=__codelineno-16-3 name=__codelineno-16-3 href=#__codelineno-16-3></a><span class=w> </span><span class=nt>&quot;tag:exit&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-16-4><a id=__codelineno-16-4 name=__codelineno-16-4 href=#__codelineno-16-4></a><span class=w> </span><span class=s2>&quot;alice@&quot;</span>
</span><span id=__span-16-5><a id=__codelineno-16-5 name=__codelineno-16-5 href=#__codelineno-16-5></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-16-6><a id=__codelineno-16-6 name=__codelineno-16-6 href=#__codelineno-16-6></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-16-7><a id=__codelineno-16-7 name=__codelineno-16-7 href=#__codelineno-16-7></a><span class=w> </span><span class=nt>&quot;autoApprovers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-16-8><a id=__codelineno-16-8 name=__codelineno-16-8 href=#__codelineno-16-8></a><span class=w> </span><span class=nt>&quot;exitNode&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-16-9><a id=__codelineno-16-9 name=__codelineno-16-9 href=#__codelineno-16-9></a><span class=w> </span><span class=s2>&quot;tag:exit&quot;</span>
</span><span id=__span-16-10><a id=__codelineno-16-10 name=__codelineno-16-10 href=#__codelineno-16-10></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-16-11><a id=__codelineno-16-11 name=__codelineno-16-11 href=#__codelineno-16-11></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-16-12><a id=__codelineno-16-12 name=__codelineno-16-12 href=#__codelineno-16-12></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-16-13><a id=__codelineno-16-13 name=__codelineno-16-13 href=#__codelineno-16-13></a><span class=w> </span><span class=c1>// more rules</span>
</span><span id=__span-16-14><a id=__codelineno-16-14 name=__codelineno-16-14 href=#__codelineno-16-14></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-16-15><a id=__codelineno-16-15 name=__codelineno-16-15 href=#__codelineno-16-15></a><span class=p>}</span>
</span></code></pre></div> <p>Advertise a node as exit node and also advertise the tag <code>tag:exit</code> when joining the tailnet:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-17-1><a id=__codelineno-17-1 name=__codelineno-17-1 href=#__codelineno-17-1></a><span class=gp>$ </span>sudo<span class=w> </span>tailscale<span class=w> </span>up<span class=w> </span>--login-server<span class=w> </span>&lt;YOUR_HEADSCALE_URL&gt;<span class=w> </span>--advertise-tags<span class=w> </span>tag:exit<span class=w> </span>--advertise-exit-node
</span></code></pre></div> <p>Please see the <a href=https://tailscale.com/kb/1337/acl-syntax#autoapprovers>official Tailscale documentation</a> for more information on auto approvers.</p> <h2 id=high-availability>High availability<a class=headerlink href=#high-availability title="Permanent link">&para;</a></h2> <p>Headscale has limited support for high availability routing. Multiple subnet routers with overlapping routes or multiple exit nodes can be used to provide high availability for users. If one router node goes offline, another one can serve the same routes to clients. Please see the official <a href=https://tailscale.com/kb/1115/high-availability#subnet-router-high-availability>Tailscale documentation on high availability</a> for details.</p> <div class="admonition bug"> <p class=admonition-title>Bug</p> <p>In certain situations it might take up to 16 minutes for Headscale to detect a node as offline. A failover node might not be selected fast enough, if such a node is used as subnet router or exit node causing service interruptions for clients. See <a href=https://github.com/juanfont/headscale/issues/2129>issue 2129</a> for more information.</p> </div> <h2 id=troubleshooting>Troubleshooting<a class=headerlink href=#troubleshooting title="Permanent link">&para;</a></h2> <h3 id=enable-ip-forwarding>Enable IP forwarding<a class=headerlink href=#enable-ip-forwarding title="Permanent link">&para;</a></h3> <p>A subnet router or exit node is routing traffic on behalf of other nodes and thus requires IP forwarding. Check the official <a href="https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding">Tailscale documentation</a> for how to enable IP forwarding.</p> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <nav class="md-footer__inner md-grid" aria-label=Footer> <a href=../oidc/ class="md-footer__link md-footer__link--prev" aria-label="Previous: OIDC authentication"> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class=md-footer__title> <span class=md-footer__direction> Previous </span> <div class=md-ellipsis> OIDC authentication </div> </div> </a> <a href=../tls/ class="md-footer__link md-footer__link--next" aria-label="Next: TLS"> <div class=md-footer__title> <span class=md-footer__direction> Next </span> <div class=md-ellipsis> TLS </div> </div> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2025 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 496 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9
Reference in New Issue Copy Permalink