tailcfg,wgengine: add initial support for WireGuard only peers

A peer can have IsWireGuardOnly, which means it will not support DERP or Disco, and it must have Endpoints filled in order to be usable. In the present implementation only the first Endpoint will be used as the bestAddr. Updates tailscale/corp#10351 Co-authored-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: James Tucker <james@tailscale.com>
2025-08-11 21:27:31 +00:00 · 2023-04-05 17:28:28 -07:00
parent 6cfcb3cae4
commit c573bef0aa
8 changed files with 254 additions and 36 deletions
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -96,7 +96,8 @@ type CapabilityVersion int
 //   - 57: 2023-01-25: Client understands CapabilityBindToInterfaceByRoute
 //   - 58: 2023-03-10: Client retries lite map updates before restarting map poll.
 //   - 59: 2023-03-16: Client understands Peers[].SelfNodeV4MasqAddrForThisPeer
-const CurrentCapabilityVersion CapabilityVersion = 59
+//   - 60: 2023-04-06: Client understands IsWireGuardOnly
+const CurrentCapabilityVersion CapabilityVersion = 60

 type StableID string

@@ -289,6 +290,12 @@ type Node struct {
 	// peer or any of its subnets. Traffic originating from subnet routes will
 	// not be masqueraded (e.g. in case of --snat-subnet-routes).
 	SelfNodeV4MasqAddrForThisPeer netip.Addr `json:",omitempty"`
+
+	// IsWireGuardOnly indicates that this is a non-Tailscale WireGuard peer, it
+	// is not expected to speak Disco or DERP, and it must have Endpoints in
+	// order to be reachable. TODO(#7826): 2023-04-06: only the first parseable
+	// Endpoint is used, see #7826 for updates.
+	IsWireGuardOnly bool `json:",omitempty"`
 }

 // DisplayName returns the user-facing name for a node which should
@@ -1715,7 +1722,8 @@ func (n *Node) Equal(n2 *Node) bool {
 		n.ComputedNameWithHost == n2.ComputedNameWithHost &&
 		eqStrings(n.Tags, n2.Tags) &&
 		n.Expired == n2.Expired &&
-		n.SelfNodeV4MasqAddrForThisPeer == n2.SelfNodeV4MasqAddrForThisPeer
+		n.SelfNodeV4MasqAddrForThisPeer == n2.SelfNodeV4MasqAddrForThisPeer &&
+		n.IsWireGuardOnly == n2.IsWireGuardOnly
 }

 func eqBoolPtr(a, b *bool) bool {
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -99,6 +99,7 @@ var _NodeCloneNeedsRegeneration = Node(struct {
 	DataPlaneAuditLogID           string
 	Expired                       bool
 	SelfNodeV4MasqAddrForThisPeer netip.Addr
+	IsWireGuardOnly               bool
 }{})

 // Clone makes a deep copy of Hostinfo.
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -350,6 +350,7 @@ func TestNodeEqual(t *testing.T) {
 		"UnsignedPeerAPIOnly",
 		"ComputedName", "computedHostIfDifferent", "ComputedNameWithHost",
 		"DataPlaneAuditLogID", "Expired", "SelfNodeV4MasqAddrForThisPeer",
+		"IsWireGuardOnly",
 	}
 	if have := fieldsOf(reflect.TypeOf(Node{})); !reflect.DeepEqual(have, nodeHandles) {
 		t.Errorf("Node.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
--- a/tailcfg/tailcfg_view.go
+++ b/tailcfg/tailcfg_view.go
@@ -179,6 +179,7 @@ func (v NodeView) Expired() bool                     { return v.ж.Expired }
 func (v NodeView) SelfNodeV4MasqAddrForThisPeer() netip.Addr {
 	return v.ж.SelfNodeV4MasqAddrForThisPeer
 }
+func (v NodeView) IsWireGuardOnly() bool  { return v.ж.IsWireGuardOnly }
 func (v NodeView) Equal(v2 NodeView) bool { return v.ж.Equal(v2.ж) }

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
@@ -214,6 +215,7 @@ var _NodeViewNeedsRegeneration = Node(struct {
 	DataPlaneAuditLogID           string
 	Expired                       bool
 	SelfNodeV4MasqAddrForThisPeer netip.Addr
+	IsWireGuardOnly               bool
 }{})

 // View returns a readonly view of Hostinfo.