I can only connect to the Headscale control server on my LAN, which is basically pointless for most use cases. The HAProxy part seems to be working (I can connect with certs to nginx if I start that on the same port, and can also access the web server that is started with Headscale containing the command you are supposed to run in Headscale to add the machine as a node). The problem is that I am not able to reach the server for login through the public IP. It does work if I open port 80, but not if only 443 is opened. Is this even something that should be possible with Headscale as it is now? In the Headscale config I changed only the listening port, so it should listen on all IPs at that port. I have already learned a lot investigating this, but I am hoping for even more insight into networking. Any suggestions would really be appreciated.
I did hope it would be as simple as running Headscale without certs on the homeserver and letting pfSense (Acme + HAProxy) deal with certs. Might do some packet capturing to see if I can get some more info.
I got it working, but cannot remember the details. I moved over to another box and found that a site-to-site WireGuard setup was better suited for my needs, so I don't have the configuration anymore. I just followed Tom's guide on HAProxy and the WebSocket information from the link, and then it worked.
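For readers following this thread, here is an added example of the kind of HAProxy setup the posts describe (TLS terminated on the proxy, plain HTTP to Headscale, WebSocket upgrades passed through). It is not the poster's configuration and not from the Headscale project; it assumes Headscale listens on 127.0.0.1:8080 over plain HTTP, that the combined certificate and key PEM is at /etc/haproxy/certs/headscale.pem, and that the public hostname is the placeholder headscale.example.com.

```haproxy
# Added example, not from the thread or the Headscale project.
# Assumptions: Headscale's listen_addr is 127.0.0.1:8080 (plain HTTP),
# the cert+key bundle is /etc/haproxy/certs/headscale.pem, and the
# public hostname is headscale.example.com (placeholder).
global
    log /dev/log local0
    # Refuse legacy TLS versions on every bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # After a WebSocket upgrade the connection is long-lived; the tunnel
    # timeout, not client/server, decides when an idle one is dropped.
    timeout tunnel  1h

frontend https_in
    # Only 443 is exposed; nothing in this example listens on port 80.
    bind *:443 ssl crt /etc/haproxy/certs/headscale.pem
    acl host_headscale hdr(host) -i headscale.example.com
    use_backend headscale if host_headscale
    default_backend headscale

backend headscale
    # Preserve the client address and scheme for Headscale's logs.
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    server headscale1 127.0.0.1:8080 check
```

HAProxy in http mode forwards the Upgrade/Connection headers of a WebSocket handshake without extra directives, so the only WebSocket-specific setting here is the tunnel timeout. With port 80 closed, the server_url in Headscale's own config has to be the https:// form of the public hostname, since that is the address the clients dial; an http:// value there would send them to port 80 regardless of what the proxy exposes.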
Sorry, I’m still at 0.22.3 stable version. I know that the beta needs a different config setting. You need to look at the changelog for differences. Releases · juanfont/headscale (github.com)
Thanks, I rolled back to v0.22.3. I'll try it again when the final v0.23 is out. (Sorry I wasn't clear, I was talking about the config of HAProxy, which I didn't change; I did change the config of headscale as explained in the docs.)