In case it's relevant, registration has been done using authkeys.
Can you add the output for this:
headscale -n viqWORKS nodes list -o json
headscale# headscale -n viqWORKS nodes list -o json
[
{
"ID": 6,
"MachineKey": "6594a17c9e61cd05571e10493228fe16277608228fa94b5f72764840333d8317",
"NodeKey": "43363646d947038c6f6b556868e7657aac75e8031c143fdaf1ed25fc2a8f4b53",
"DiscoKey": "4ee08d2740640e2ebed0dcd12d083ffe5c32c58a879406c2b7f8da0d010eee5a",
"IPAddress": "100.87.15.215",
"Name": "innernet-test",
"NamespaceID": 1,
"Namespace": {
"ID": 0,
"CreatedAt": "0001-01-01T00:00:00Z",
"UpdatedAt": "0001-01-01T00:00:00Z",
"DeletedAt": null,
"Name": ""
},
"Registered": true,
"RegisterMethod": "authKey",
"AuthKeyID": 4,
"AuthKey": {
"ID": 4,
"Key": "ad8f0662366b2a8f25c793fa9c47ff6c2a34ebbf006c9edb",
"NamespaceID": 1,
"Namespace": {
"ID": 0,
"CreatedAt": "0001-01-01T00:00:00Z",
"UpdatedAt": "0001-01-01T00:00:00Z",
"DeletedAt": null,
"Name": ""
},
"Reusable": true,
"Ephemeral": false,
"CreatedAt": "2021-07-17T17:02:28.22417+02:00",
"Expiration": "2021-07-17T17:32:28.22072+02:00"
},
"LastSeen": "2021-07-17T19:16:17.82462+02:00",
"Expiry": "0001-01-01T01:24:00+01:24",
"HostInfo": {
"OS": "openbsd",
"GoArch": "amd64",
"NetInfo": {
"PCP": false,
"PMP": false,
"UPnP": false,
"WorkingUDP": true,
"DERPLatency": {
"1-v4": 0.102038515,
"2-v4": 0.17486828,
"3-v4": 0.262211003,
"4-v4": 0.020722566,
"5-v4": 0.289097232,
"6-v4": 0.166939259,
"7-v4": 0.268397717,
"8-v4": 0.037278815,
"9-v4": 0.137691975
},
"HairPinning": false,
"WorkingIPv6": false,
"PreferredDERP": 4,
"MappingVariesByDestIP": true
},
"Hostname": "innernet-test",
"Services": [
{
"Port": 47775,
"Proto": "peerapi4"
}
],
"IPNVersion": "date.20210603",
"BackendLogID": "ee6414f1b608db52193ac3e35f185522bc0ce6528ee16a49bab8c6a8c2060618"
},
"Endpoints": [
"51.75.32.28:57997",
"192.168.135.48:22735"
],
"EnabledRoutes": null,
"CreatedAt": "2021-07-17T17:04:17.881506+02:00",
"UpdatedAt": "2021-07-17T19:16:17.832448+02:00",
"DeletedAt": null
},
{
"ID": 5,
"MachineKey": "8c9e29df0f628d41d480e8951331f1d5d621b47d3019214e3db0c1eac661f839",
"NodeKey": "5b081928375c477f3303eb7f35591673ff0a37dd6460017cfcc1e0bec045b93a",
"DiscoKey": "d52bb11973f8889bbe5bbfdb0deacff1d1cdea7c22755e42a5c140f105cfdc0c",
"IPAddress": "100.99.59.105",
"Name": "headscale",
"NamespaceID": 1,
"Namespace": {
"ID": 0,
"CreatedAt": "0001-01-01T00:00:00Z",
"UpdatedAt": "0001-01-01T00:00:00Z",
"DeletedAt": null,
"Name": ""
},
"Registered": true,
"RegisterMethod": "authKey",
"AuthKeyID": 4,
"AuthKey": {
"ID": 4,
"Key": "ad8f0662366b2a8f25c793fa9c47ff6c2a34ebbf006c9edb",
"NamespaceID": 1,
"Namespace": {
"ID": 0,
"CreatedAt": "0001-01-01T00:00:00Z",
"UpdatedAt": "0001-01-01T00:00:00Z",
"DeletedAt": null,
"Name": ""
},
"Reusable": true,
"Ephemeral": false,
"CreatedAt": "2021-07-17T17:02:28.22417+02:00",
"Expiration": "2021-07-17T17:32:28.22072+02:00"
},
"LastSeen": "2021-07-17T19:16:58.522021+02:00",
"Expiry": "0001-01-01T01:24:00+01:24",
"HostInfo": {
"OS": "openbsd",
"GoArch": "amd64",
"NetInfo": {
"PCP": false,
"PMP": false,
"UPnP": false,
"WorkingUDP": true,
"DERPLatency": {
"1-v4": 0.1011065,
"2-v4": 0.180232352,
"3-v4": 0.299721761,
"4-v4": 0.038514911,
"5-v4": 0.299863107,
"6-v4": 0.173342277,
"7-v4": 0.272282242,
"8-v4": 0.03836486,
"9-v4": 0.161534457
},
"HairPinning": false,
"WorkingIPv6": false,
"PreferredDERP": 8,
"MappingVariesByDestIP": false
},
"Hostname": "headscale",
"Services": [
{
"Port": 39599,
"Proto": "peerapi4"
}
],
"IPNVersion": "date.20210603",
"BackendLogID": "684e0fca0c5f487084b120b5dbe9bd2711ccffd8987b1fd88ed91205a4e2b573"
},
"Endpoints": [
"51.75.32.29:22502"
],
"EnabledRoutes": null,
"CreatedAt": "2021-07-17T17:03:35.956224+02:00",
"UpdatedAt": "2021-07-17T19:16:58.533797+02:00",
"DeletedAt": null
}
]
How does the HTTP connection work? Looking at tcpdump, I see a bunch of `Connection: close`
between nginx and headscale, but not when tailscaled and headscale are talking directly. Maybe nginx needs some tuning for long polling or whatnot?
OK, so seems like some of the settings from https://help.hcltechsw.com/connections/v65/admin/install/inst_post_nginx.html may have helped...
Currently it seems to work with the settings below; I'll poke at it some more later.
# Reverse-proxy vhost for headscale.viq.vc: terminates TLS and forwards
# everything to a headscale instance on the loopback interface.
server {
listen 443 ssl;
server_name headscale.viq.vc;
ssl_certificate /etc/ssl/headscale.viq.vc.fullchain.pem;
ssl_certificate_key /etc/ssl/private/headscale.viq.vc.key;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
# NOTE(review): there is no ssl_protocols directive, so the accepted TLS
# versions are whatever this nginx build defaults to — confirm that TLSv1
# and TLSv1.1 are not offered.
ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
ssl_prefer_server_ciphers on;
# Generous client timeouts, presumably so a long-held control-plane request
# is not cut off by nginx before headscale answers — confirm against the
# actual poll interval.
client_body_timeout 5m;
client_header_timeout 5m;
location / {
# Upstream read timeout; must exceed the longest response headscale holds open.
proxy_read_timeout 6m;
# HTTP/1.1 to the upstream is required for keep-alive and for Upgrade.
proxy_http_version 1.1;
# Blanking Connection keeps the upstream connection alive, but it also means a
# request that carries Upgrade (forwarded on the next line) is never sent with
# "Connection: upgrade", so a protocol upgrade cannot complete through here.
proxy_set_header Connection "";
proxy_set_header Upgrade $http_upgrade;
# No response buffering: data is passed to the client as headscale sends it.
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For the
# client already sent; only the rightmost entry is set by this proxy, so the
# upstream must not trust earlier entries for access decisions.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Plain HTTP to headscale, loopback only.
proxy_pass http://127.0.0.1:8000;
}
}
Update: I currently have 2 vhosts: headscale.viq.vc
with the "broken" config from before, and testscale.viq.vc
with what I think is a working config:
# Derive the Connection header to send upstream from the client's Upgrade
# header: "upgrade" when the client asked for a protocol upgrade, "close"
# when the Upgrade header is absent/empty.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Reverse-proxy vhost for testscale.viq.vc with a stricter TLS setup; the
# MozSSL cache name and the "modern configuration" marker suggest this was
# taken from the Mozilla SSL configuration generator (unconfirmed).
server {
# HTTP/2 is offered to clients; the upstream hop below is still HTTP/1.1.
listen 443 ssl http2;
server_name testscale.viq.vc;
# NOTE(review): these are the headscale.viq.vc certificate files; clients will
# only accept them for testscale.viq.vc if that name is covered by the
# certificate — confirm.
ssl_certificate /etc/ssl/headscale.viq.vc.fullchain.pem;
ssl_certificate_key /etc/ssl/private/headscale.viq.vc.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
# Session tickets disabled; resumption relies on the server-side cache above.
ssl_session_tickets off;
# modern configuration
# Only TLS 1.3 is offered, so no ssl_ciphers list is needed here.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# "always" adds the header on error responses too, not only on 2xx/3xx.
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
# NOTE(review): with ssl_stapling_verify on, nginx needs the issuer chain to
# validate the OCSP response — confirm stapling actually works rather than
# silently being skipped.
ssl_stapling on;
ssl_stapling_verify on;
client_body_timeout 5m;
client_header_timeout 5m;
location / {
proxy_read_timeout 6m;
proxy_http_version 1.1;
# Leftover from the earlier config; Connection is now driven by the map below.
#proxy_set_header Connection "";
proxy_set_header Upgrade $http_upgrade;
# $connection_upgrade is set by a map block at http level (not inside this server).
proxy_set_header Connection $connection_upgrade;
proxy_buffering off;
# "always" is a non-empty constant, so this condition is always true; with no
# proxy_cache configured in this block it is effectively a no-op.
proxy_no_cache "always";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-supplied X-Forwarded-For; the upstream
# should only trust the rightmost entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
}
}
You still have access, feel free to poke around.
Hm, it looks like with those settings I need to restart headscale
for nodes (either new ones, or ones that have been restarted) to see each other.
I have finally been able to replicate this
I will check nginx configs now...
Can you check with this config in nginx?
https://github.com/juanfont/headscale/wiki/nginx-configuration
Switched my config over to nginx, this seems to resolve it for me - I am able to ping hosts and ssh to them!
It seems that after a while, though, things break down. I was adding hosts to a namespace and now `tailscale up --login-server ...`
just hangs.
I see `Client is registered and we have the current NodeKey. All clear to /map`
and then a POST to `/machine/ID`,
but nothing after that.
With following config
# Plain-HTTP test vhost for testscale.viq.vc with all upgrade/keep-alive
# handling commented out, used to narrow down which proxy setting matters.
server {
# NOTE(review): no TLS on this listener, so the client<->nginx hop is
# unencrypted; presumably acceptable only for this experiment — do not use as a
# login server without TLS.
listen 80;
server_name testscale.viq.vc;
client_body_timeout 3m;
client_header_timeout 3m;
location / {
proxy_read_timeout 3m;
# With proxy_http_version commented out nginx uses its default (HTTP/1.0) to
# the upstream and sends "Connection: close", i.e. one upstream connection per
# request and no Upgrade support.
#proxy_http_version 1.1;
#proxy_set_header Connection "";
#proxy_set_header Upgrade $http_upgrade;
# "off" is the default: close the upstream connection when the client aborts.
proxy_ignore_client_abort off;
#proxy_set_header Connection $connection_upgrade;
#proxy_set_header Connection upgrade;
proxy_buffering off;
# The three directives below are redundant with each other: proxy_cache is
# already off, so the bypass/no_cache conditions never matter.
proxy_cache off;
proxy_cache_bypass "always";
proxy_no_cache "always";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-supplied X-Forwarded-For; only the
# rightmost entry is trustworthy upstream.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8000;
}
}
(disabling websocket-related things one by one; in the end `proxy_http_version`
seemed to make the difference) after a couple of restarts of various things I was still able to register clients, without the issues @qbit is describing (I would sometimes see them otherwise; I might still, as it's not necessarily 100% repeatable). But after adding a new (ephemeral) node to headscale, neither of the two nodes connected so far sees it without restarting things. Which I guess is the same state we started with...
I'm now retrying with exactly your set of options.
Specifically:
# Plain-HTTP test vhost for testscale.viq.vc, reduced to the option set being
# compared against.
server {
# NOTE(review): no TLS on this listener; the client<->nginx hop is unencrypted.
listen 80;
server_name testscale.viq.vc;
client_body_timeout 3m;
client_header_timeout 3m;
location / {
proxy_read_timeout 3m;
# Default value; upstream connection is closed when the client aborts.
proxy_ignore_client_abort off;
# Request body is streamed to the upstream as it arrives instead of being
# read fully first.
proxy_request_buffering off;
proxy_buffering off;
proxy_no_cache "always";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): this location has no proxy_pass, so as written nginx would
# serve its default document root instead of forwarding to headscale —
# presumably dropped when pasting; confirm.
}
}
and I'm apparently seeing what you described, i.e. headscale
seeing clients closing the connections, while nginx and tailscaled believe they are still open.
It seems that after a while, though, things break down. I was adding hosts to a namespace and now
`tailscale up --login-server ...`
just hangs. I see
`Client is registered and we have the current NodeKey. All clear to /map`
and then a POST to `/machine/ID`,
but nothing after that.
Can you send us the logs from the tailscaled daemons failing to connect?
Yeah, I'll try to get some more details today — it looks like the same behavior as #50 though.
@qbit @viq Can you please try with v0.5.0? https://github.com/juanfont/headscale/releases/tag/v0.5.0
It fixed the issue I had and it is now working; thanks for your work on this project.
@viq @qbit can you check 0.7? This issue should be solved now.
Can confirm! Currently running just fine!