Logout and login back got different IP address #1054

Closed
awsong opened this issue Dec 8, 2022 · 4 comments · Fixed by #1058
Labels
bug Something isn't working

awsong commented Dec 8, 2022

Bug description
I use the latest code with a 3rd party OIDC connection. I found that if I log out and log in again with the same user, the Tailscale client will get a different IP address.

I think it's related to the TS2021 protocol. The reason is that after logout, the content of the /var/lib/tailscale/tailscaled.state file is like this:

```json
{
  "_current-profile": "cHJvZmlsZS0yZjFh",
  "_machinekey": "cHJpdmtleTpjMGQzNzNlMGVmYzRhNjc5MTgyMTNkMGE1NzgzYWNkMGRhZTUyMGI5NzBhYjMxODQyYTExNzQxNDRmMDc1ODUz",
  "_profiles": "e30=",
  "profile-2f1a": null
}
```

When logging back in, the only anchor left in the state file is the machine key, which is set to all 0 when using TS2021, so Headscale is not able to relate this machine to any previous record.

It looks very much like the problem lies in the Tailscale client, which should preserve the nodekey and rotate it as the old nodekey after logout. But with the same Tailscale client, if I connect to the Tailscale control server, log out and log in again, it will get back the same IP address. The logout behaviour related to the state file is the same (only the machine key remains after logout).

To Reproduce

  1. rm -rf /var/lib/tailscale
  2. start tailscaled
  3. tailscale up --login-server http://my.login.server
  4. finish login process
  5. tailscale status, show IP address
  6. tailscale logout
  7. tailscale up --login-server http://my.login.server
  8. finish login process
  9. tailscale status, the IP address is different from step 5 above.

Context info
@awsong awsong added the bug Something isn't working label Dec 8, 2022
juanfont (Owner) commented Dec 8, 2022

@awsong indeed. I am afraid here Headscale is working as intended.

TS2021 basically deprecates MachineKey (not used anymore in the protocol), so for us this is a completely new client - hence the new IP address.

awsong (Author) commented Dec 8, 2022

What I'm confused about is that the Tailscale client also seems to use TS2021 when connecting to the Tailscale control server, yet it can preserve the same IP address.

awsong (Author) commented Dec 8, 2022

I found that the noiseConn.Peer() field contains the Tailscale client's machine key.

Maybe Tailscale server takes advantage of this information. We could do the same thing, just not sure whether it's a good way to go.

juanfont (Owner) commented Dec 9, 2022

@awsong you are absolutely right. I got that part of the protocol wrong. I did not find the Peer() method, so I assumed they deprecated MachineKey :(

I am preparing a PR to fix this.
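
The behaviour discussed in this thread, as a minimal Go model added here for illustration (not code from Headscale, Tailscale, or either commenter): a control server that identifies a machine by the key in the request sees a new client on every re-login, while one that uses the static key authenticated by the Noise handshake returns the same IP. `Registry`, `Register`, `Relogin`, the `RegisterRequest` shape and the 100.64.0.x addresses are hypothetical names and constructed sample values.

```go
package main

import "fmt"

// MachineKey stands in for a client's 32-byte machine public key.
type MachineKey [32]byte

type RegisterRequest struct {
	MachineKey MachineKey // all zero under TS2021, per the issue
}

// Registry is a hypothetical node table: machine key -> assigned IP.
type Registry struct {
	ips  map[MachineKey]string
	next int
}

// Register returns the node's IP. peer is the static key authenticated by the
// Noise handshake; usePeer selects it instead of the key in the request.
func (r *Registry) Register(peer MachineKey, req RegisterRequest, usePeer bool) string {
	id := req.MachineKey
	if usePeer {
		id = peer
	}
	valid := id != (MachineKey{}) // never match or index the zero key
	if ip, ok := r.ips[id]; ok && valid {
		return ip // returning machine keeps its address
	}
	r.next++
	ip := fmt.Sprintf("100.64.0.%d", r.next) // constructed sample range
	if valid {
		r.ips[id] = ip
	}
	return ip
}

// Relogin registers one machine twice, as in steps 3 and 7 of the reproduction.
func Relogin(usePeer bool) (first, second string) {
	r := &Registry{ips: map[MachineKey]string{}}
	peer := MachineKey{1} // constructed sample key
	first = r.Register(peer, RegisterRequest{}, usePeer)
	second = r.Register(peer, RegisterRequest{}, usePeer)
	return first, second
}

func main() {
	fmt.Println(Relogin(false)) // identity taken from the request: IPs differ
	fmt.Println(Relogin(true))  // identity taken from the handshake peer: IPs match
}
```

The zero-key guard matters in both modes: indexing nodes under an all-zero key would make every TS2021 client collide on one record.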
