Hi!
I've tried to get a TLS relay via relayd(8) to headscale working, but
failed. My (simplified) relayd.conf looks like this:
- - - - - - - - - - %< - - - - - - - - - -
vps-ams# cat /etc/relayd.con
log connection
table <vpn4> { 10.10.10.10 }
http protocol "https" {
    tls keypair "asdfghasdfgh.de"
    return error
    match request header set "Connection" value "close"
    match request header set "Host" value "$HOST"
    match request header set "X-Real-IP" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
    match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
    match request header set "X-Forwarded-Port" value "$REMOTE_PORT"
    tcp { nodelay, sack, socket buffer 65536, backlog 100 }
    block
    match request header "Host" value "vpn.asdfghasdfgh.de" tag "vpn"
    pass request tagged "vpn" forward to <vpn4>
    http websockets
}
relay "https" {
    listen on 46.23.93.30 port https tls
    listen on 2a03:6000:93f1:620::30 port https tls
    protocol "https"
    forward to <vpn4> port 8080
}
- - - - - - - - - - %< - - - - - - - - - -
This leads to the following, if I try to connect to headscale via
"tailscale up --login-server https://vpn.asdfghasdfgh.de --reset
--force-reauth" on a client:
- - - - - - - - - - %< - - - - - - - - - -
vps-ams# relayd -dvv
[...]
relay_tls_transaction: session 1: scheduling on EV_READ
relay https, tls session 1 established (1 active)
relay https, session 1 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 2: scheduling on EV_READ
relay https, tls session 2 established (1 active)
relay https, session 2 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
relay_tls_transaction: session 3: scheduling on EV_READ
relay https, tls session 3 established (1 active)
relay https, session 3 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 1: scheduling on EV_READ
relay https, tls session 1 established (1 active)
relay https, session 1 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
relay_tls_transaction: session 2: scheduling on EV_READ
relay https, tls session 2 established (1 active)
relay https, session 2 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 1: scheduling on EV_READ
relay https, tls session 1 established (1 active)
relay https, session 1 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
relay_tls_transaction: session 2: scheduling on EV_READ
relay https, tls session 2 established (1 active)
relay https, session 2 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 3: scheduling on EV_READ
relay https, tls session 3 established (1 active)
relay https, session 3 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
relay_tls_transaction: session 4: scheduling on EV_READ
relay https, tls session 4 established (1 active)
relay https, session 4 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 1: scheduling on EV_READ
relay https, tls session 1 established (1 active)
relay https, session 1 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
relay_tls_transaction: session 2: scheduling on EV_READ
relay https, tls session 2 established (1 active)
relay https, session 2 (1 active), vpn, 109.250.122.74 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 3: scheduling on EV_READ
relay https, tls session 3 established (1 active)
relay https, session 3 (1 active), 0, 109.250.122.74 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
[...]
- - - - - - - - - - %< - - - - - - - - - -
So far I've searched via a search engine, and discovered the following
articles, semi-official documentation from headscale and e-mails to the
mailing list:
* https://deftly.net/posts/2019-10-23-websockets-with-relayd.html
* https://headscale.net/0.27.0/ref/integration/reverse-proxy/
* https://www.mail-archive.com/[email protected]/msg189354.html
* https://www.mail-archive.com/[email protected]/msg20965.html
Theoretically this should work, after skimming through the messages,
despite the last e-mails to misc@ and bugs@ - now: does anyone have an
idea how to get this working?
I'm willing to fetch the source (of relayd) and re-compile, eventually
without certain commits!
--
Mit besten Wünschen /
With best wishes,
Manuel Kuklinski
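As an added example (not part of the original post), a small summariser for relayd -dvv session lines: it tallies each request by method and by whether it was forwarded to the table or answered by relayd itself, so the pattern above (GET tagged "vpn" and forwarded, POST untagged and refused with 403) can be counted across a long log rather than read by eye. The sample log is constructed in the format of the output quoted above, with a documentation address as the client IP; the record field names are my own.

```python
import re
from collections import Counter

# Constructed sample in the shape of "relayd -dvv" output for a relay named
# "https" (one event per line; the mailer wrapped the long lines in the post).
SAMPLE_LOG = """\
relay_tls_transaction: session 1: scheduling on EV_READ
relay https, tls session 1 established (1 active)
relay https, session 1 (1 active), vpn, 192.0.2.10 -> 10.10.10.10:8080, last write (done), GET -> 10.10.10.10:8080;
relay_tls_transaction: session 2: scheduling on EV_READ
relay https, tls session 2 established (1 active)
relay https, session 2 (1 active), 0, 192.0.2.10 -> :0, Forbidden (403 Forbidden), POST: Invalid argument
relay_close: sessions inflight decremented, now 0
"""

SESSION_RE = re.compile(
    r"^relay (?P<relay>\S+), session (?P<sid>\d+) \(\d+ active\), "
    r"(?P<tag>[^,]+), (?P<src>\S+) -> (?P<dst>\S*), (?P<rest>.*)$"
)
METHOD_RE = re.compile(r"\b(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH)\b")
STATUS_RE = re.compile(r"\((\d{3}) [A-Za-z ]+\)")

def parse_sessions(log_text):
    """Return one record per 'relay <name>, session N (...)' line."""
    records = []
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # TLS handshake and relay_close lines carry no request info
        rest = m.group("rest")
        meth = METHOD_RE.search(rest)
        stat = STATUS_RE.search(rest)
        # Tag "0" and destination ":0" mean no pass rule matched the request,
        # so relayd answered it itself instead of forwarding to the table.
        forwarded = m.group("tag") != "0" and m.group("dst") != ":0"
        records.append({
            "session": int(m.group("sid")),
            "tag": m.group("tag"),
            "method": meth.group(1) if meth else None,
            "status": int(stat.group(1)) if stat else None,
            "forwarded": forwarded,
            "detail": rest.split(": ", 1)[1] if ": " in rest else "",
        })
    return records

def summarize(records):
    """Count (method, outcome) pairs, e.g. ('POST', 'blocked 403') -> 1."""
    counts = Counter()
    for r in records:
        outcome = "forwarded" if r["forwarded"] else f"blocked {r['status']}"
        counts[(r["method"], outcome)] += 1
    return counts

if __name__ == "__main__":
    for rec in parse_sessions(SAMPLE_LOG):
        print(rec)
    print(dict(summarize(parse_sessions(SAMPLE_LOG))))
```

Feed it the real capture with `parse_sessions(open("relayd.log").read())` after unwrapping any mailer line breaks.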