tailscale/cmd/derper/mesh.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package main

import (
	"context"
	"errors"
	"fmt"
	"log"
	"net"
	"strings"

	"tailscale.com/derp"
	"tailscale.com/derp/derphttp"
	"tailscale.com/net/netmon"
	"tailscale.com/types/logger"
)

func startMesh(s *derp.Server) error {
	if *meshWith == "" {
		return nil
	}
	if !s.HasMeshKey() {
		return errors.New("--mesh-with requires --mesh-psk-file")
	}
	for _, hostTuple := range strings.Split(*meshWith, ",") {
		if err := startMeshWithHost(s, hostTuple); err != nil {
			return err
		}
	}
	return nil
}

func startMeshWithHost(s *derp.Server, hostTuple string) error {
	var host string
	var dialHost string
	hostParts := strings.Split(hostTuple, "/")
	if len(hostParts) > 2 {
		return fmt.Errorf("too many components in host tuple %q", hostTuple)
	}
	host = hostParts[0]
	if len(hostParts) == 2 {
		dialHost = hostParts[1]
	} else {
		dialHost = hostParts[0]
	}

	logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))
	netMon := netmon.NewStatic() // good enough for cmd/derper; no need for netns fanciness
	c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf, netMon)
	if err != nil {
		return err
	}
	c.MeshKey = s.MeshKey()
	c.WatchConnectionChanges = true

	logf("will dial %q for %q", dialHost, host)
	if dialHost != host {
		var d net.Dialer
		c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
			_, port, err := net.SplitHostPort(addr)
			if err != nil {
				logf("failed to split %q: %v", addr, err)
				return nil, err
			}
			dialAddr := net.JoinHostPort(dialHost, port)
			logf("dialing %q instead of %q", dialAddr, addr)
			return d.DialContext(ctx, network, dialAddr)
		})
	}

	add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }
	remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }
	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
	return nil
}
all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com> 2023-01-27 13:37:20 -08:00			`// Copyright (c) Tailscale Inc & AUTHORS`
			`// SPDX-License-Identifier: BSD-3-Clause`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00
			`package main`

			`import (`
derp/derphttp: add a context and infoLogger option to RunWatchConnectionLoop 2021-02-12 10:58:43 -08:00			`"context"`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`"errors"`
			`"fmt"`
			`"log"`
cmd/derper: mesh over VPC network Updates #2414 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-07-29 10:45:07 -07:00			`"net"`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`"strings"`

			`"tailscale.com/derp"`
			`"tailscale.com/derp/derphttp"`
net/netns, net/dns/resolver, etc: make netmon required in most places The goal is to move more network state accessors to netmon.Monitor where they can be cheaper/cached. But first (this change and others) we need to make sure the one netmon.Monitor is plumbed everywhere. Some notable bits: * tsdial.NewDialer is added, taking a now-required netmon * because a tsdial.Dialer always has a netmon, anything taking both a Dialer and a NetMon is now redundant; take only the Dialer and get the NetMon from that if/when needed. * netmon.NewStatic is added, primarily for tests Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I877f9cb87618c4eb037cee098241d18da9c01691 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-04-26 22:06:20 -07:00			`"tailscale.com/net/netmon"`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`"tailscale.com/types/logger"`
			`)`

			`func startMesh(s *derp.Server) error {`
			`if *meshWith == "" {`
			`return nil`
			`}`
			`if !s.HasMeshKey() {`
			`return errors.New("--mesh-with requires --mesh-psk-file")`
			`}`
cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`for _, hostTuple := range strings.Split(*meshWith, ",") {`
			`if err := startMeshWithHost(s, hostTuple); err != nil {`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`return err`
			`}`
			`}`
			`return nil`
			`}`

cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`func startMeshWithHost(s *derp.Server, hostTuple string) error {`
			`var host string`
			`var dialHost string`
			`hostParts := strings.Split(hostTuple, "/")`
			`if len(hostParts) > 2 {`
			`return fmt.Errorf("too many components in host tuple %q", hostTuple)`
			`}`
			`host = hostParts[0]`
			`if len(hostParts) == 2 {`
			`dialHost = hostParts[1]`
			`} else {`
			`dialHost = hostParts[0]`
			`}`

cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`logf := logger.WithPrefix(log.Printf, fmt.Sprintf("mesh(%q): ", host))`
net/netns, net/dns/resolver, etc: make netmon required in most places The goal is to move more network state accessors to netmon.Monitor where they can be cheaper/cached. But first (this change and others) we need to make sure the one netmon.Monitor is plumbed everywhere. Some notable bits: * tsdial.NewDialer is added, taking a now-required netmon * because a tsdial.Dialer always has a netmon, anything taking both a Dialer and a NetMon is now redundant; take only the Dialer and get the NetMon from that if/when needed. * netmon.NewStatic is added, primarily for tests Updates tailscale/corp#10910 Updates tailscale/corp#18960 Updates #7967 Updates #3299 Change-Id: I877f9cb87618c4eb037cee098241d18da9c01691 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-04-26 22:06:20 -07:00			`netMon := netmon.NewStatic() // good enough for cmd/derper; no need for netns fanciness`
			`c, err := derphttp.NewClient(s.PrivateKey(), "https://"+host+"/derp", logf, netMon)`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`if err != nil {`
			`return err`
			`}`
			`c.MeshKey = s.MeshKey()`
derp/derphttp: fix race in mesh watcher The derphttp client automatically reconnects upon failure. RunWatchConnectionLoop called derphttp.Client.WatchConnectionChanges once, but that wrapper method called the underlying derp.Client.WatchConnectionChanges exactly once on derphttp.Client's currently active connection. If there's a failure, we need to re-subscribe upon all reconnections. This removes the derphttp.Client.WatchConnectionChanges method, which was basically impossible to use correctly, and changes it to be a boolean field on derphttp.Client alongside MeshKey and IsProber. Then it moves the call to the underlying derp.Client.WatchConnectionChanges to derphttp's client connection code, so it's resubscribed on any reconnect. Some paranoia is then added to make sure people hold the API right, not calling derphttp.Client.RunWatchConnectionLoop on an already-started Client without having set the bool to true. (But still auto-setting it to true if that's the first method that's been called on that derphttp.Client, as is commonly the case, and prevents existing code from breaking) Fixes tailscale/corp#9916 Supercedes tailscale/tailscale#9719 Co-authored-by: Val <valerie@tailscale.com> Co-authored-by: Irbe Krumina <irbe@tailscale.com> Co-authored-by: Anton Tolchanov <anton@tailscale.com> Signed-off-by: Brad Fitzpatrick <brad@danga.com> 2023-10-25 11:59:06 -07:00			`c.WatchConnectionChanges = true`
cmd/derper: mesh over VPC network Updates #2414 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-07-29 10:45:07 -07:00
cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`logf("will dial %q for %q", dialHost, host)`
			`if dialHost != host {`
cmd/derper: mesh over VPC network Updates #2414 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-07-29 10:45:07 -07:00			`var d net.Dialer`
cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {`
			`_, port, err := net.SplitHostPort(addr)`
cmd/derper: improve logging on derp mesh connect Include the mesh log prefix in all mesh connection setup. Updates tailscale/corp#25653 Signed-off-by: James Tucker <james@tailscale.com> 2025-01-06 15:39:41 -08:00			`if err != nil {`
cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`logf("failed to split %q: %v", addr, err)`
			`return nil, err`
cmd/derper: improve logging on derp mesh connect Include the mesh log prefix in all mesh connection setup. Updates tailscale/corp#25653 Signed-off-by: James Tucker <james@tailscale.com> 2025-01-06 15:39:41 -08:00			`}`
cmd/derper: support explicit configuration of mesh dial hosts The --mesh-with flag now supports the specification of hostname tuples like derp1a.tailscale.com/derp1a-vpc.tailscale.com, which instructs derp to mesh with host 'derp1a.tailscale.com' but dial TCP connections to 'derp1a-vpc.tailscale.com'. For backwards compatibility, --mesh-with still supports individual hostnames. The logic which attempts to auto-discover '[host]-vpc.tailscale.com' dial hosts has been removed. Updates tailscale/corp#25653 Signed-off-by: Percy Wegmann <percy@tailscale.com> 2025-01-07 05:34:07 -06:00			`dialAddr := net.JoinHostPort(dialHost, port)`
			`logf("dialing %q instead of %q", dialAddr, addr)`
			`return d.DialContext(ctx, network, dialAddr)`
			`})`
			`}`
cmd/derper: mesh over VPC network Updates #2414 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2021-07-29 10:45:07 -07:00
derp: make RunConnectionLoop funcs take Messages, support PeerPresentFlags PeerPresentFlags was added in 5ffb2668ef but wasn't plumbed through to the RunConnectionLoop. Rather than add yet another parameter (as IP:port was added earlier), pass in the raw PeerPresentMessage and PeerGoneMessage struct values, which are the same things, plus two fields: PeerGoneReasonType for gone and the PeerPresentFlags from 5ffb2668ef. Updates tailscale/corp#17816 Change-Id: Ib19d9f95353651ada90656071fc3656cf58b7987 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2024-06-25 08:04:12 -07:00			`add := func(m derp.PeerPresentMessage) { s.AddPacketForwarder(m.Key, c) }`
			`remove := func(m derp.PeerGoneMessage) { s.RemovePacketForwarder(m.Peer, c) }`
derp/derphttp: add a context and infoLogger option to RunWatchConnectionLoop 2021-02-12 10:58:43 -08:00			`go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)`
cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com> 2020-06-03 14:42:20 -07:00			`return nil`
			`}`