From 34be10840c200491b3b78044e9005054a8a2a31b Mon Sep 17 00:00:00 2001
From: Anton Schubert
Date: Thu, 9 Jun 2022 21:20:11 +0200
Subject: [PATCH 1/3] add ability to set randomizeClientPort

---
 api.go | 3 ++-
 cmd/headscale/headscale_test.go | 1 +
 config-example.yaml | 5 +++++
 config.go | 8 ++++++--
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/api.go b/api.go
index 03f63cb7..45fd7793 100644
--- a/api.go
+++ b/api.go
@@ -279,7 +279,8 @@ func (h *Headscale) getMapResponse(
 DERPMap: h.DERPMap,
 UserProfiles: profiles,
 Debug: &tailcfg.Debug{
- DisableLogTail: !h.cfg.LogTail.Enabled,
+ DisableLogTail: !h.cfg.LogTail.Enabled,
+ RandomizeClientPort: h.cfg.RandomizeClientPort,
 },
 }
diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go
index 9ca4a2c3..8a872e90 100644
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -68,6 +68,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 fs.FileMode(0o770),
 )
 c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+ c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }
 func (*Suite) TestDNSConfigLoading(c *check.C) {
diff --git a/config-example.yaml b/config-example.yaml
index 380db11a..9740f3ad 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -244,3 +244,8 @@ logtail:
 # As there is currently no support for overriding the log server in headscale, this is
 # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
 enabled: false
+
+ # Enabling this option makes devices prefer a random port for WireGuard traffic over the
+ # default static port 41641. This option is intended as a workaround for some buggy
+ # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+ randomize_client_port: false
diff --git a/config.go b/config.go
index 909a48c4..fdfa46a6 100644
--- a/config.go
+++ b/config.go
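Review bot: The new `RandomizeClientPort: h.cfg.RandomizeClientPort` line is emitted in every map response unconditionally, so one server-wide bool changes the WireGuard listen port behaviour of every node this headscale serves, and that is not obvious from the line itself. Add a comment above it, e.g. `// Global knob: asks every node to pick a random WireGuard UDP port instead of the default (config key randomize_client_port).` The field also lives in `tailcfg.Debug`, whose name suggests an experimental/unstable set of control-plane knobs rather than a stable node setting; a note that it may move in a later tailcfg version would help whoever upgrades the dependency. getMapResponse starts and ends outside the hunk.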
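Review bot: The added assertion only checks that the viper default for `randomize_client_port` is false; nothing in the test exercises the path from a config file through `GetHeadscaleConfig` into `Config.RandomizeClientPort`, so a dropped assignment in config.go would still pass. A second case that loads a config with `randomize_client_port: true` and asserts `cfg.RandomizeClientPort == true` (mirroring however the suite already checks non-default values) would pin the plumbing. TestConfigLoading starts outside the hunk.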
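Review bot: The new comment explains the firewall workaround but leaves out the consequence an operator needs before enabling it: the key is a single top-level setting, so it applies to every node this headscale serves, and any inbound allow rule that pins UDP 41641 for direct peer connections stops matching once clients move to a random port. I would add a line such as `# Note: this applies to every node served by this headscale; if you have opened UDP 41641 inbound for direct connections, those rules will no longer match.` Whether affected nodes then fall back to relayed (DERP) traffic is Tailscale client behaviour not visible here and should be confirmed against the linked KB before stating it in the comment.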
@@ -54,7 +54,8 @@ type Config struct {
 OIDC OIDCConfig
- LogTail LogTailConfig
+ LogTail LogTailConfig
+ RandomizeClientPort bool
 CLI CLIConfig
@@ -153,6 +154,7 @@ func LoadConfig(path string) error {
 viper.SetDefault("oidc.strip_email_domain", true)
 viper.SetDefault("logtail.enabled", false)
+ viper.SetDefault("randomize_client_port", false)
 if err := viper.ReadInConfig(); err != nil {
 return fmt.Errorf("fatal error reading config file: %w", err)
@@ -385,6 +387,7 @@ func GetHeadscaleConfig() (*Config, error) {
 dnsConfig, baseDomain := GetDNSConfig()
 derpConfig := GetDERPConfig()
 logConfig := GetLogTailConfig()
+ randomizeClientPort := viper.GetBool("randomize_client_port")
 configuredPrefixes := viper.GetStringSlice("ip_prefixes")
 parsedPrefixes := make([]netaddr.IPPrefix, 0, len(configuredPrefixes)+1)
@@ -490,7 +493,8 @@ func GetHeadscaleConfig() (*Config, error) {
 StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
 },
- LogTail: logConfig,
+ LogTail: logConfig,
+ RandomizeClientPort: randomizeClientPort,
 CLI: CLIConfig{
 Address: viper.GetString("cli.address"),
From 9ff09b73ad612d3cf256e6d6c7cf74547be8d43c Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Sat, 11 Jun 2022 13:49:17 +0100
Subject: [PATCH 2/3] Update Changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd25e317..6f78479c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
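Review bot: `RandomizeClientPort bool` is added to `Config` without a doc comment, so a reader of the struct has to trace it through api.go to learn that it is relayed to every node rather than being a server-local setting. I would add `// RandomizeClientPort is sent to every node in its map response and makes tailscaled pick a random WireGuard UDP port instead of the default 41641; config key randomize_client_port.` As a point of style, in GetHeadscaleConfig the value is read into `randomizeClientPort` three hunks before its only use, while sibling scalar fields such as `StripEmaildomain` and `Address` call viper inline in the literal; `RandomizeClientPort: viper.GetBool("randomize_client_port"),` would match that and drop the local. The `Config` struct and both functions start and end outside their hunks.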
@@ -23,6 +23,7 @@
 - Use [Prometheus]'s duration parser, supporting days (`d`), weeks (`w`) and years (`y`) [#598](https://github.com/juanfont/headscale/pull/598)
 - Add support for reloading ACLs with SIGHUP [#601](https://github.com/juanfont/headscale/pull/601)
 - Add -c option to specify config file from command line [#285](https://github.com/juanfont/headscale/issues/285) [#612](https://github.com/juanfont/headscale/pull/601)
+- Add configuration option to allow Tailscale clients to use a random WireGuard port. [kb/1181/firewalls](https://tailscale.com/kb/1181/firewalls) [#624](https://github.com/juanfont/headscale/pull/624)
 ## 0.15.0 (2022-03-20)
From 6faf2d63d08a0094300ff39130c67c386dafb7b2 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Sat, 11 Jun 2022 13:31:30 +0000
Subject: [PATCH 3/3] Update integration dump tests

---
 integration_test/etc/alt-config.dump.gold.yaml | 2 +-
 integration_test/etc/config.dump.gold.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/integration_test/etc/alt-config.dump.gold.yaml b/integration_test/etc/alt-config.dump.gold.yaml
index 5cc025cc..a3d7adb0 100644
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -43,4 +43,4 @@ tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock
 unix_socket_permission: "0o770"
-
+randomize_client_port: false
diff --git a/integration_test/etc/config.dump.gold.yaml b/integration_test/etc/config.dump.gold.yaml
index 0df651ed..4d03d74e 100644
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -43,4 +43,4 @@ tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock
 unix_socket_permission: "0o770"
-
+randomize_client_port: false