cmd/derper, net/netcheck: add challenge/response to generate_204 endpoint

The Lufthansa in-flight wifi generates a synthetic 204 response to the DERP server's /generate_204 endpoint. This PR adds a basic challenge/response to the endpoint; something sufficiently complicated that it's unlikely to be implemented by a captive portal. We can then check for the expected response to verify whether we're being MITM'd. Follow-up to #5601 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I94a68c9a16a7be7290200eea6a549b64f02ff48f
2025-08-12 05:37:32 +00:00 · 2022-10-14 18:42:09 +02:00
parent d499afac78
commit 223126fe5b
3 changed files with 86 additions and 2 deletions
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -1116,13 +1116,20 @@ func (c *Client) checkCaptivePortal(ctx context.Context, dm *tailcfg.DERPMap, pr
 	if err != nil {
 		return false, err
 	}
+
+	chal := "tailscale " + node.HostName
+	req.Header.Set("X-Tailscale-Challenge", chal)
 	r, err := noRedirectClient.Do(req)
 	if err != nil {
 		return false, err
 	}
-	c.logf("[v2] checkCaptivePortal url=%q status_code=%d", req.URL.String(), r.StatusCode)
+	defer r.Body.Close()

-	return r.StatusCode != 204, nil
+	expectedResponse := "response " + chal
+	validResponse := r.Header.Get("X-Tailscale-Response") == expectedResponse
+
+	c.logf("[v2] checkCaptivePortal url=%q status_code=%d valid_response=%v", req.URL.String(), r.StatusCode, validResponse)
+	return r.StatusCode != 204 || !validResponse, nil
 }

 // runHTTPOnlyChecks is the netcheck done by environments that can