[Bug] No exit node and device route don't work

[DevOpsPop]

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Exit nodes on client are empty and no access to 34.160.111.145/32

docker exec headscale headscale routes ls
ID | Node  | Prefix            | Advertised | Enabled | Primary
4  | vpn-2 | 0.0.0.0/0         | true       | false   | -
5  | vpn-2 | ::/0              | true       | false   | -
6  | vpn-2 | 34.160.111.145/32 | true       | true    | true

root@vpn-2:~# docker exec headscale headscale nodes ls
ID | Hostname     | Name         | MachineKey | NodeKey | User     | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
4  | vpn-2        | vpn-2        | [E11Vi]    | [OQu3J] | test     | 100.64.0.5, fd7a:115c:a1e0::5 | false     | 2025-03-21 15:49:57 | N/A                 | online    | no
8  | test         | test         | [CVZ+T]    | [mOo3g] |          | 100.64.0.9, fd7a:115c:a1e0::9 | false     | 2025-03-21 15:56:02 | 2025-09-17 15:50:38 | online    | no

Expected Behavior

Exit nodes aren't empty and access to 34.160.111.145/32

Steps To Reproduce

1. docker compose

version: "3.7"

services:
  headscale:
    image: headscale/headscale:v0.25.1
    restart: unless-stopped
    container_name: headscale
    ports:
      - 8080
      - 9090
    volumes:
      # Please set <HEADSCALE_PATH> to the absolute path
      # of the previously created headscale directory.
      - /root/headscale/config:/etc/headscale
      - /root/headscale/lib:/var/lib/headscale
      - /root/headscale/run:/var/run/headscale
    command: serve
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    environment:
     - HTTPS_PORT=8443
     - HTTP_PORT=8080
    volumes:
      - /root/Caddyfile:/data/Caddyfile
    ports:
      - 80:8080
      - 443:8443

2. create user and authkey
3. setup exit-node on server
   tailscale up --login-server=https://hs.dev --authkey <> --advertise-exit-node --advertise-routes=34.160.111.145/32 --reset --force-reauth
4. login on client
   tailscale up --login-server https://hs.dev

Environment

- OS: client windows11, server linux 22.04
- Headscale version:v0.25.1
- Tailscale version: 1.80.2

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Debug information

net.ipv4.conf.all.forwarding = 1
net.ipv6.conf.all.forwarding = 1

[andrpp]

I've noticed the same issue. Version v0.24.3 works fine, while on versions v0.25.0 I don't see the routes at all, on version v0.25.1 the routes appear but they are not auto-approved anymore.

here is the output from the tests on the mentioned versions:

v0.24.3 - routes are available and auto approved - all good

docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | headscale-node | headscale-node | [fK61Q]    | [f5ClF] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 15:54:42 | 0001-01-01 00:00:00 | online    | no     


docker exec headscale headscale route ls
ID | Node           | Prefix        | Advertised | Enabled | Primary
1  | headscale-node | ::/0          | true       | true    | -      
2  | headscale-node | 10.11.0.0/16  | true       | true    | true   
3  | headscale-node | 172.17.0.0/22 | true       | true    | true   
4  | headscale-node | 172.17.4.0/23 | true       | true    | true   
5  | headscale-node | 0.0.0.0/0     | true       | true    | -      

v0.25.0 - routes are not available

docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration | Connected | Expired
1  | headscale-node | headscale-node | [IEaPg]    | [uGpW3] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 18:17:40 | N/A        | online    | no     

docker exec headscale headscale route ls
ID | Node | Prefix | Advertised | Enabled | Primary

v0.25.0 - routes are available, but not auto-approved

docker exec headscale headscale node ls
ID | Hostname       | Name           | MachineKey | NodeKey | User           | IP addresses  | Ephemeral | Last seen           | Expiration | Connected | Expired
1  | headscale-node | headscale-node | [p68AT]    | [69Woy] | headscale-user | 100.90.70.1,  | false     | 2025-03-21 18:29:37 | N/A        | online    | no     

docker exec headscale headscale route ls
ID | Node           | Prefix        | Advertised | Enabled | Primary
1  | headscale-node | 10.11.0.0/16  | true       | false   | false  
2  | headscale-node | 172.17.0.0/22 | true       | false   | false  
3  | headscale-node | 172.17.4.0/23 | true       | false   | false  
4  | headscale-node | 0.0.0.0/0     | true       | false   | -      
5  | headscale-node | ::/0          | true       | false   | -     

I am using the same acl.json for all the tests:

{
  "groups": {
    "group:infra": ["headscale-user"],
    "group:use_exit_node": ["user1"],
    "group:internal": ["headscale-user","user1"]
  },
  "tagOwners": {
    "tag:infra": ["group:infra"]
  },
  "autoApprovers": {
    "routes": {
      "10.11.0.0/16": ["group:infra"],
      "172.17.0.0/22": ["group:infra"],
      "172.17.4.0/23": ["group:infra"]
    },
    "exitNode": ["tag:infra","group:infra"]
  },

  "acls": [
    { 
      "action": "accept",
      "src": ["*"],
      "dst": ["tag:infra:*"]
    },
    {
      "action": "accept",
      "src": ["group:internal"],
      "dst": ["10.11.0.0/16:*","172.17.0.0/22:*","172.17.4.0/23:*"]
    },
    {
      "action": "accept",
      "src": ["group:use_exit_node"],
      "dst": ["autogroup:internet:*"]
    }
  ]
}

command to start tailscale on headscale-node:

tailscale up --login-server https://hs.com --auth-key mykey --advertise-exit-node --advertise-routes=172.17.0.0/22,172.17.4.0/23,10.11.0.0/16

[andrpp]

I confirm that the workaround/solution mentioned in #2485 solves my issue.
The routes are approved if I disconnect from tailscale, connect without advertising routes, disconnect and connect again advertising routes.