2020-02-18 19:07:44 +00:00
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// The derper binary is a simple DERP server.
package main // import "tailscale.com/cmd/derper"
import (
2020-03-02 16:55:44 +00:00
"context"
2020-08-18 22:32:32 +00:00
"crypto/tls"
2020-02-18 19:07:44 +00:00
"encoding/json"
2020-03-02 16:55:44 +00:00
"errors"
2020-02-21 17:35:53 +00:00
"expvar"
2020-02-18 19:07:44 +00:00
"flag"
"io"
"io/ioutil"
"log"
2020-02-27 03:11:14 +00:00
"net"
2020-02-18 19:07:44 +00:00
"net/http"
"os"
"path/filepath"
2020-03-02 16:55:44 +00:00
"regexp"
2020-06-01 22:19:41 +00:00
"strings"
2020-02-27 03:11:14 +00:00
"time"
2020-02-18 19:07:44 +00:00
"tailscale.com/atomicfile"
"tailscale.com/derp"
"tailscale.com/derp/derphttp"
2020-02-21 15:52:40 +00:00
"tailscale.com/logpolicy"
2020-03-04 20:24:07 +00:00
"tailscale.com/metrics"
2020-05-25 16:15:50 +00:00
"tailscale.com/net/stun"
2020-02-25 16:07:41 +00:00
"tailscale.com/tsweb"
2020-02-18 19:07:44 +00:00
"tailscale.com/types/key"
2020-12-30 01:22:56 +00:00
"tailscale.com/types/wgkey"
2020-02-18 19:07:44 +00:00
)
var (
2020-02-21 17:35:53 +00:00
dev = flag . Bool ( "dev" , false , "run in localhost development mode" )
2020-02-21 15:52:40 +00:00
addr = flag . String ( "a" , ":443" , "server address" )
configPath = flag . String ( "c" , "" , "config file path" )
2021-09-08 23:50:34 +00:00
certMode = flag . String ( "certmode" , "letsencrypt" , "mode for getting a cert. possible options: manual, letsencrypt" )
2020-02-25 16:07:41 +00:00
certDir = flag . String ( "certdir" , tsweb . DefaultCertDir ( "derper-certs" ) , "directory to store LetsEncrypt certs, if addr's port is :443" )
2020-02-21 15:52:40 +00:00
hostname = flag . String ( "hostname" , "derp.tailscale.com" , "LetsEncrypt host name, if addr's port is :443" )
logCollection = flag . String ( "logcollection" , "" , "If non-empty, logtail collection to log to" )
2020-02-27 03:11:14 +00:00
runSTUN = flag . Bool ( "stun" , false , "also run a STUN server" )
2020-06-01 22:19:41 +00:00
meshPSKFile = flag . String ( "mesh-psk-file" , defaultMeshPSKFile ( ) , "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed." )
2020-06-04 15:26:05 +00:00
meshWith = flag . String ( "mesh-with" , "" , "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list" )
2021-02-26 16:28:31 +00:00
bootstrapDNS = flag . String ( "bootstrap-dns-names" , "" , "optional comma-separated list of hostnames to make available at /bootstrap-dns" )
2021-06-24 20:31:05 +00:00
verifyClients = flag . Bool ( "verify-clients" , false , "verify clients to this DERP server through a local tailscaled instance." )
2020-02-18 19:07:44 +00:00
)
type config struct {
2020-12-30 01:22:56 +00:00
PrivateKey wgkey . Private
2020-02-18 19:07:44 +00:00
}
func loadConfig ( ) config {
2020-02-21 17:35:53 +00:00
if * dev {
return config { PrivateKey : mustNewKey ( ) }
}
2020-02-18 19:07:44 +00:00
if * configPath == "" {
2021-07-14 22:20:38 +00:00
if os . Getuid ( ) == 0 {
* configPath = "/var/lib/derper/derper.key"
} else {
2021-07-15 00:29:06 +00:00
log . Fatalf ( "derper: -c <config path> not specified" )
2021-07-14 22:20:38 +00:00
}
log . Printf ( "no config path specified; using %s" , * configPath )
2020-02-18 19:07:44 +00:00
}
b , err := ioutil . ReadFile ( * configPath )
switch {
2020-11-02 16:33:34 +00:00
case errors . Is ( err , os . ErrNotExist ) :
2020-02-18 19:07:44 +00:00
return writeNewConfig ( )
case err != nil :
log . Fatal ( err )
panic ( "unreachable" )
default :
var cfg config
if err := json . Unmarshal ( b , & cfg ) ; err != nil {
log . Fatalf ( "derper: config: %v" , err )
}
return cfg
}
}
2020-12-30 01:22:56 +00:00
func mustNewKey ( ) wgkey . Private {
key , err := wgkey . NewPrivate ( )
2020-02-18 19:07:44 +00:00
if err != nil {
log . Fatal ( err )
}
2020-02-21 17:35:53 +00:00
return key
}
2020-02-18 19:07:44 +00:00
2020-02-21 17:35:53 +00:00
func writeNewConfig ( ) config {
key := mustNewKey ( )
2020-02-18 19:07:44 +00:00
if err := os . MkdirAll ( filepath . Dir ( * configPath ) , 0777 ) ; err != nil {
log . Fatal ( err )
}
cfg := config {
PrivateKey : key ,
}
b , err := json . MarshalIndent ( cfg , "" , "\t" )
if err != nil {
log . Fatal ( err )
}
2021-01-12 03:16:14 +00:00
if err := atomicfile . WriteFile ( * configPath , b , 0600 ) ; err != nil {
2020-02-18 19:07:44 +00:00
log . Fatal ( err )
}
return cfg
}
func main ( ) {
flag . Parse ( )
2020-02-21 17:35:53 +00:00
if * dev {
* logCollection = ""
* addr = ":3340" // above the keys DERP
log . Printf ( "Running in dev mode." )
2020-03-03 19:33:22 +00:00
tsweb . DevMode = true
2020-02-21 17:35:53 +00:00
}
2021-09-02 17:42:27 +00:00
listenHost , _ , err := net . SplitHostPort ( * addr )
if err != nil {
log . Fatalf ( "invalid server address: %v" , err )
}
2020-02-21 15:52:40 +00:00
var logPol * logpolicy . Policy
if * logCollection != "" {
logPol = logpolicy . New ( * logCollection )
log . SetOutput ( logPol . Logtail )
}
2020-02-18 19:07:44 +00:00
cfg := loadConfig ( )
2021-09-08 23:50:34 +00:00
serveTLS := tsweb . IsProd443 ( * addr )
2020-02-18 19:07:44 +00:00
s := derp . NewServer ( key . Private ( cfg . PrivateKey ) , log . Printf )
2021-06-24 20:31:05 +00:00
s . SetVerifyClient ( * verifyClients )
2020-06-01 22:19:41 +00:00
if * meshPSKFile != "" {
b , err := ioutil . ReadFile ( * meshPSKFile )
if err != nil {
log . Fatal ( err )
}
key := strings . TrimSpace ( string ( b ) )
if matched , _ := regexp . MatchString ( ` (?i)^[0-9a-f] { 64,}$ ` , key ) ; ! matched {
log . Fatalf ( "key in %s must contain 64+ hex digits" , * meshPSKFile )
}
s . SetMeshKey ( key )
log . Printf ( "DERP mesh key configured" )
}
2020-06-03 21:42:20 +00:00
if err := startMesh ( s ) ; err != nil {
log . Fatalf ( "startMesh: %v" , err )
}
2020-02-21 17:35:53 +00:00
expvar . Publish ( "derp" , s . ExpVar ( ) )
2020-02-18 19:07:44 +00:00
2021-06-16 06:38:19 +00:00
mux := http . NewServeMux ( )
2020-02-18 19:07:44 +00:00
mux . Handle ( "/derp" , derphttp . Handler ( s ) )
2021-02-26 16:28:31 +00:00
go refreshBootstrapDNSLoop ( )
mux . HandleFunc ( "/bootstrap-dns" , handleBootstrapDNS )
2020-02-18 19:07:44 +00:00
mux . Handle ( "/" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
2020-02-21 17:35:53 +00:00
w . Header ( ) . Set ( "Content-Type" , "text/html; charset=utf-8" )
2020-02-18 19:07:44 +00:00
w . WriteHeader ( 200 )
2020-02-21 17:35:53 +00:00
io . WriteString ( w , ` < html > < body >
< h1 > DERP < / h1 >
< p >
This is a
< a href = "https://tailscale.com/" > Tailscale < / a >
2021-02-26 16:14:13 +00:00
< a href = "https://pkg.go.dev/tailscale.com/derp" > DERP < / a >
2020-02-21 17:35:53 +00:00
server .
< / p >
` )
2020-02-25 16:07:41 +00:00
if tsweb . AllowDebugAccess ( r ) {
2020-02-21 17:35:53 +00:00
io . WriteString ( w , "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n" )
}
2020-02-18 19:07:44 +00:00
} ) )
2021-06-16 06:38:19 +00:00
debug := tsweb . Debugger ( mux )
debug . KV ( "TLS hostname" , * hostname )
debug . KV ( "Mesh key" , s . HasMeshKey ( ) )
debug . Handle ( "check" , "Consistency check" , http . HandlerFunc ( func ( w http . ResponseWriter , r * http . Request ) {
err := s . ConsistencyCheck ( )
if err != nil {
http . Error ( w , err . Error ( ) , 500 )
} else {
io . WriteString ( w , "derp.Server ConsistencyCheck okay" )
}
} ) )
2021-06-18 04:34:01 +00:00
debug . Handle ( "traffic" , "Traffic check" , http . HandlerFunc ( s . ServeDebugTraffic ) )
2020-02-18 19:07:44 +00:00
2020-02-27 03:11:14 +00:00
if * runSTUN {
2021-09-02 17:42:27 +00:00
go serveSTUN ( listenHost )
2020-02-27 03:11:14 +00:00
}
2020-02-18 19:07:44 +00:00
httpsrv := & http . Server {
Addr : * addr ,
Handler : mux ,
2021-08-31 17:18:36 +00:00
// Set read/write timeout. For derper, this basically
// only affects TLS setup, as read/write deadlines are
// cleared on Hijack, which the DERP server does. But
// without this, we slowly accumulate stuck TLS
// handshake goroutines forever. This also affects
// /debug/ traffic, but 30 seconds is plenty for
// Prometheus/etc scraping.
ReadTimeout : 30 * time . Second ,
WriteTimeout : 30 * time . Second ,
2020-02-18 19:07:44 +00:00
}
2021-09-08 23:50:34 +00:00
if serveTLS {
2020-02-18 19:07:44 +00:00
log . Printf ( "derper: serving on %s with TLS" , * addr )
2021-09-09 00:00:52 +00:00
var certManager certProvider
certManager , err = certProviderByCertMode ( * certMode , * certDir , * hostname )
2021-09-08 23:50:34 +00:00
if err != nil {
log . Fatalf ( "derper: can not start cert provider: %v" , err )
2020-03-02 16:55:44 +00:00
}
2020-02-18 19:07:44 +00:00
httpsrv . TLSConfig = certManager . TLSConfig ( )
2021-09-08 23:50:34 +00:00
getCert := httpsrv . TLSConfig . GetCertificate
2020-08-18 22:32:32 +00:00
httpsrv . TLSConfig . GetCertificate = func ( hi * tls . ClientHelloInfo ) ( * tls . Certificate , error ) {
2021-09-08 23:50:34 +00:00
cert , err := getCert ( hi )
2020-08-18 22:32:32 +00:00
if err != nil {
return nil , err
}
cert . Certificate = append ( cert . Certificate , s . MetaCert ( ) )
return cert , nil
}
2020-02-18 19:07:44 +00:00
go func ( ) {
2021-09-01 04:13:59 +00:00
port80srv := & http . Server {
2021-09-02 17:49:14 +00:00
Addr : net . JoinHostPort ( listenHost , "80" ) ,
Handler : certManager . HTTPHandler ( tsweb . Port80Handler { Main : mux } ) ,
ReadTimeout : 30 * time . Second ,
// Crank up WriteTimeout a bit more than usually
// necessary just so we can do long CPU profiles
// and not hit net/http/pprof's "profile
// duration exceeds server's WriteTimeout".
WriteTimeout : 5 * time . Minute ,
2021-09-01 04:13:59 +00:00
}
err := port80srv . ListenAndServe ( )
2020-02-18 19:07:44 +00:00
if err != nil {
if err != http . ErrServerClosed {
log . Fatal ( err )
}
}
} ( )
err = httpsrv . ListenAndServeTLS ( "" , "" )
} else {
log . Printf ( "derper: serving on %s" , * addr )
err = httpsrv . ListenAndServe ( )
}
if err != nil && err != http . ErrServerClosed {
log . Fatalf ( "derper: %v" , err )
}
}
2020-02-21 17:35:53 +00:00
2021-09-02 17:42:27 +00:00
func serveSTUN ( host string ) {
pc , err := net . ListenPacket ( "udp" , net . JoinHostPort ( host , "3478" ) )
2020-02-27 03:11:14 +00:00
if err != nil {
log . Fatalf ( "failed to open STUN listener: %v" , err )
}
log . Printf ( "running STUN server on %v" , pc . LocalAddr ( ) )
2020-03-04 20:24:07 +00:00
2020-02-27 03:11:14 +00:00
var (
2020-03-04 20:24:07 +00:00
stats = new ( metrics . Set )
stunDisposition = & metrics . LabelMap { Label : "disposition" }
stunAddrFamily = & metrics . LabelMap { Label : "family" }
stunReadError = stunDisposition . Get ( "read_error" )
stunNotSTUN = stunDisposition . Get ( "not_stun" )
stunWriteError = stunDisposition . Get ( "write_error" )
stunSuccess = stunDisposition . Get ( "success" )
stunIPv4 = stunAddrFamily . Get ( "ipv4" )
stunIPv6 = stunAddrFamily . Get ( "ipv6" )
2020-02-27 03:11:14 +00:00
)
2020-03-04 20:24:07 +00:00
stats . Set ( "counter_requests" , stunDisposition )
stats . Set ( "counter_addrfamily" , stunAddrFamily )
expvar . Publish ( "stun" , stats )
2020-02-27 03:11:14 +00:00
var buf [ 64 << 10 ] byte
for {
n , addr , err := pc . ReadFrom ( buf [ : ] )
if err != nil {
log . Printf ( "STUN ReadFrom: %v" , err )
time . Sleep ( time . Second )
2020-03-04 20:24:07 +00:00
stunReadError . Add ( 1 )
2020-02-27 03:11:14 +00:00
continue
}
ua , ok := addr . ( * net . UDPAddr )
if ! ok {
log . Printf ( "STUN unexpected address %T %v" , addr , addr )
2020-03-04 20:24:07 +00:00
stunReadError . Add ( 1 )
2020-02-27 03:11:14 +00:00
continue
}
pkt := buf [ : n ]
if ! stun . Is ( pkt ) {
2020-03-04 20:24:07 +00:00
stunNotSTUN . Add ( 1 )
2020-02-27 03:11:14 +00:00
continue
}
txid , err := stun . ParseBindingRequest ( pkt )
if err != nil {
2020-03-04 20:24:07 +00:00
stunNotSTUN . Add ( 1 )
2020-02-27 03:11:14 +00:00
continue
}
if ua . IP . To4 ( ) != nil {
2020-03-04 20:24:07 +00:00
stunIPv4 . Add ( 1 )
2020-02-27 03:11:14 +00:00
} else {
2020-03-04 20:24:07 +00:00
stunIPv6 . Add ( 1 )
2020-02-27 03:11:14 +00:00
}
res := stun . Response ( txid , ua . IP , uint16 ( ua . Port ) )
_ , err = pc . WriteTo ( res , addr )
if err != nil {
2020-03-04 20:24:07 +00:00
stunWriteError . Add ( 1 )
2020-02-27 03:11:14 +00:00
} else {
2020-03-04 20:24:07 +00:00
stunSuccess . Add ( 1 )
2020-02-27 03:11:14 +00:00
}
}
}
2020-03-02 16:55:44 +00:00
2020-06-01 22:19:41 +00:00
var validProdHostname = regexp . MustCompile ( ` ^derp([^.]*)\.tailscale\.com\.?$ ` )
2020-03-02 16:55:44 +00:00
func prodAutocertHostPolicy ( _ context . Context , host string ) error {
if validProdHostname . MatchString ( host ) {
return nil
}
return errors . New ( "invalid hostname" )
}
2020-06-01 22:19:41 +00:00
func defaultMeshPSKFile ( ) string {
2020-06-04 15:19:30 +00:00
try := [ ] string {
"/home/derp/keys/derp-mesh.key" ,
filepath . Join ( os . Getenv ( "HOME" ) , "keys" , "derp-mesh.key" ) ,
}
for _ , p := range try {
if _ , err := os . Stat ( p ) ; err == nil {
return p
}
2020-06-01 22:19:41 +00:00
}
return ""
}