prober,derp/derphttp: make dev-mode DERP probes work without TLS (#14347)

Make dev-mode DERP probes work without TLS. Properly dial port `3340` when not using HTTPS when dialing nodes in `derphttp_client`. Skip verifying TLS state in `newConn` if we are not running a prober. Updates tailscale/corp#24635 Signed-off-by: Percy Wegmann <percy@tailscale.com> Co-authored-by: Percy Wegmann <percy@tailscale.com>
2025-04-30 12:42:31 +00:00 · 2024-12-10 10:51:03 -07:00 · 2024-12-10 10:51:03 -07:00 · ea3d0bcfd4
commit ea3d0bcfd4
parent 24b243c194
2 changed files with 19 additions and 12 deletions
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@ -757,6 +757,9 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 			}
 			dst := cmp.Or(dstPrimary, n.HostName)
 			port := "443"
+			if !c.useHTTPS() {
+				port = "3340"
+			}
 			if n.DERPPort != 0 {
 				port = fmt.Sprint(n.DERPPort)
 			}
--- a/prober/derp.go
+++ b/prober/derp.go
@ -597,6 +597,9 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode, isPr
 	if err != nil {
 		return nil, err
 	}
+
+	// Only verify TLS state if this is a prober.
+	if isProber {
 		cs, ok := dc.TLSConnectionState()
 		if !ok {
 			dc.Close()
@ -610,6 +613,7 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode, isPr
 			dc.Close()
 			return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
 		}
+	}

 	errc := make(chan error, 1)
 	go func() {