From 210264f9422ea3da7113df0332c07d4a730ced1e Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Wed, 26 Jun 2024 19:22:00 -0700
Subject: [PATCH] cmd/derper: clarify that derper and tailscaled need to be in sync
Fixes #12617
Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7
Signed-off-by: Brad Fitzpatrick
---
 cmd/derper/README.md | 4 +++-
 derp/derp_server.go | 4 ++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/cmd/derper/README.md b/cmd/derper/README.md
index 907a2988b..8638db72b 100644
--- a/cmd/derper/README.md
+++ b/cmd/derper/README.md
@@ -30,7 +30,9 @@ If you've decided or been advised to run your own `derper`, then read on.
 * You must build and update the `cmd/derper` binary yourself. There are no packages. Use `go install tailscale.com/cmd/derper@latest` with the latest version of Go. You should update this binary approximately as regularly as
- you update Tailscale nodes.
+ you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
+ and `tailscaled` binary on the machine must be built from the same git revision.
+ (It might work otherwise, but they're developed and only tested together.)
 * The DERP protocol does a protocol switch inside TLS from HTTP to a custom bidirectional binary protocol. It is thus incompatible with many HTTP proxies.
diff --git a/derp/derp_server.go b/derp/derp_server.go
index 005374e0c..c033e42e7 100644
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -1187,6 +1187,10 @@ func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, inf
 return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
 }
 if err != nil {
+ if strings.Contains(err.Error(), "invalid 'addr' parameter") {
+ // Issue 12617
+ return errors.New("tailscaled version is too old (out of sync with derper binary)")
+ }
 return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err)
 }
 }
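Review bot: The new branch in verifyClient returns a bare `errors.New(...)`, which drops the underlying `err` that the neighbouring `fmt.Errorf` wraps with `%w`, so whoever logs a rejected client loses the cause. Consider `return fmt.Errorf("tailscaled version is too old (out of sync with derper binary): %w", err)`. The detection also depends on the substring `"invalid 'addr' parameter"` appearing in the error text from the local tailscaled. If that wording changes, the code falls through to the generic error, which is still non-nil, so the check stays fail-closed as far as the hunk shows. The `// Issue 12617` comment could be expanded to say that the match is on tailscaled's error text and why a version mismatch produces it. verifyClient starts and ends outside this hunk.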