From d21956436a7e463c17329326a0aa036f892ba6b0 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Tue, 10 Nov 2020 10:31:07 -0800
Subject: [PATCH] ipn, tailcfg: change Windows subnet disabling behavior w/ WPAD

In 1.0, subnet relays were not specially handled when WPAD+PAC was present on the network. In 1.2, on Windows, subnet relays were disabled if WPAD+PAC was present. That was what some users wanted, but not others. This makes it configurable per domain, reverting back to the 1.0 default state of them not being special. Users who want that behavior can then enable it.

Signed-off-by: Brad Fitzpatrick
---
 ipn/local.go | 9 ++-------
 tailcfg/tailcfg.go | 4 ++++
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/ipn/local.go b/ipn/local.go
index a6e1ad0f6..58db16565 100644
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -1154,6 +1154,7 @@ func (b *LocalBackend) authReconfig() {
 uc := b.prefs
 nm := b.netMap
 hasPAC := b.prevIfState.HasPAC()
+ disableSubnetsIfPAC := nm != nil && nm.Debug != nil && nm.Debug.DisableSubnetsIfPAC.EqualBool(true)
 b.mu.Unlock()

 if blocked {
@@ -1178,13 +1179,7 @@ func (b *LocalBackend) authReconfig() {
 if uc.AllowSingleHosts {
 flags |= controlclient.AllowSingleHosts
 }
- if hasPAC {
- // TODO(bradfitz): make this policy configurable per
- // domain, flesh out all the edge cases where subnet
- // routes might shadow corp HTTP proxies, DNS servers,
- // domain controllers, etc. For now we just want
- // Tailscale to stay enabled while laptops roam
- // between corp & non-corp networks.
+ if hasPAC && disableSubnetsIfPAC {
 if flags&controlclient.AllowSubnetRoutes != 0 {
 b.logf("authReconfig: have PAC; disabling subnet routes")
 flags &^= controlclient.AllowSubnetRoutes
diff --git a/tailcfg/tailcfg.go b/tailcfg/tailcfg.go
index 377fcc3a9..3bb1bba6c 100644
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
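Review bot: The gated condition `if hasPAC && disableSubnetsIfPAC {` in the second ipn/local.go hunk drops the only comment that said why PAC matters, so the new side no longer records that accepted subnet routes may shadow corp HTTP proxies, DNS servers or domain controllers. I would keep a short comment above the condition, for example `// Subnet routes can shadow corp proxies, DNS servers and domain controllers on a WPAD/PAC network; drop them only when the netmap sets Debug.DisableSubnetsIfPAC.` The line added in the first hunk treats a nil netmap, a nil Debug and an unset value all as false, which matches the default the commit message describes but is worth stating next to the assignment. A `b.logf` on the other path (PAC present, subnet routes kept) would make the policy decision visible in client logs. authReconfig begins and ends outside both hunks.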
@@ -673,6 +673,10 @@ type Debug struct {
 // TrimWGConfig controls whether Tailscale does lazy, on-demand
 // wireguard configuration of peers.
 TrimWGConfig opt.Bool `json:",omitempty"`
+
+ // DisableSubnetsIfPAC controls whether subnet routers should be
+ // disabled if WPAD is present on the network.
+ DisableSubnetsIfPAC opt.Bool `json:",omitempty"`
 }

 func (k MachineKey) String() string { return fmt.Sprintf("mkey:%x", k[:]) }
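Review bot: The doc comment on `DisableSubnetsIfPAC` says "if WPAD is present", while the only consumer visible in this patch tests `b.prevIfState.HasPAC()`, and it does not say what an unset value means. Suggested wording: `// DisableSubnetsIfPAC controls whether the client stops using accepted subnet routes when a PAC file (found via WPAD) is detected on the network. Unset or false leaves subnet routes enabled.` Because the field changes which routes a client honours, the comment could also note that it is read from the netmap's Debug section, which appears to be supplied by the control server and not by the local user. The Debug struct begins outside the hunk.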