Commit Graph

98 Commits

Author SHA1 Message Date
Andrew Dunham
223126fe5b cmd/derper, net/netcheck: add challenge/response to generate_204 endpoint
The Lufthansa in-flight wifi generates a synthetic 204 response to the
DERP server's /generate_204 endpoint. This PR adds a basic
challenge/response to the endpoint; something sufficiently complicated
that it's unlikely to be implemented by a captive portal. We can then
check for the expected response to verify whether we're being MITM'd.

Follow-up to #5601

Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I94a68c9a16a7be7290200eea6a549b64f02ff48f
2022-10-19 11:10:18 -04:00
Mihai Parparita
9d04ffc782 net/wsconn: add back custom wrapper for turning a websocket.Conn into a net.Conn
We removed it in #4806 in favor of the built-in functionality from the
nhooyr.io/websocket package. However, it has an issue with deadlines
that has not been fixed yet (see nhooyr/websocket#350). Temporarily
go back to using a custom wrapper (using the fix from our fork) so that
derpers will stop closing connections too aggressively.

Updates #5921

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-10-18 15:39:32 -07:00
Josh Soref
d4811f11a0 all: fix spelling mistakes
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
2022-09-29 13:36:13 -07:00
Aaron Klotz
44f13d32d7 cmd/tailscaled, util/winutil: log Windows service diagnostics when the wintun device fails to install
I added new functions to winutil to obtain the state of a service and all
its depedencies, serialize them to JSON, and write them to a Logf.

When tstun.New returns a wrapped ERROR_DEVICE_NOT_AVAILABLE, we know that wintun
installation failed. We then log the service graph rooted at "NetSetupSvc".
We are interested in that specific service because network devices will not
install if that service is not running.

Updates https://github.com/tailscale/tailscale/issues/5531

Signed-off-by: Aaron Klotz <aaron@tailscale.com>
2022-09-28 16:09:10 -06:00
Tom DNetto
e9b98dd2e1 control/controlclient,ipn/ipnlocal: wire tka enable/disable
Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-09-21 12:57:59 -07:00
Eng Zer Jun
f0347e841f refactor: move from io/ioutil to io and os packages
The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Reference: https://golang.org/doc/go1.16#ioutil
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
2022-09-15 21:45:53 -07:00
Mihai Parparita
1ce0e558a7 cmd/derper, control/controlhttp: disable WebSocket compression
The data that we send over WebSockets is encrypted and thus not
compressible. Additionally, Safari has a broken implementation of compression
(see nhooyr/websocket#218) that makes enabling it actively harmful.

Fixes tailscale/corp#6943

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-09-15 15:35:49 -07:00
Andrew Dunham
eb5939289c cmd/derper: add /generate_204 endpoint (#5601)
For captive portal detection.

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
2022-09-12 13:43:50 -04:00
Brad Fitzpatrick
89fee056d3 cmd/derper: add robots.txt to disallow all
Fixes #5565

Change-Id: I5626ec2116d9be451caef651dc301b7a82e35550
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-09 10:29:46 -07:00
Andrew Dunham
c9961b8b95 cmd/derper: filter out useless HTTP error logs (#5563)
These errors aren't actionable and just fill up logs with useless data.
See the following Go issue for more details:
  https://golang.org/issue/26918

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
2022-09-07 16:31:06 -04:00
Brad Fitzpatrick
02de34fb10 cmd/derper: add flag to run derper in bootstrap-dns-only mode
Change-Id: Iba128e94464afa605bc9df1f06a91d296380eed0
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-09-03 19:51:00 -07:00
Andrew Dunham
a0bae4dac8 cmd/derper: add support for unpublished bootstrap DNS entries (#5529)
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
2022-09-02 14:48:30 -04:00
Tom DNetto
facafd8819 client,cmd/tailscale,ipn,tka,types: implement tka initialization flow
This PR implements the client-side of initializing network-lock with the
Coordination server.

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-22 11:35:16 -07:00
Tom DNetto
18edd79421 control/controlclient,tailcfg: [capver 40] create KeySignature field in tailcfg.Node
We calve out a space to put the node-key signature (used on tailnets where network lock is enabled).

Signed-off-by: Tom DNetto <tom@tailscale.com>
2022-08-22 11:25:41 -07:00
Kris Brandow
8f38afbf8e net/stun: convert to use net/netip.AddrPort
Convert ParseResponse and Response to use netip.AddrPort instead of
net.IP and separate port.

Fixes #5281

Signed-off-by: Kris Brandow <kris.brandow@gmail.com>
2022-08-15 12:46:01 -04:00
Brad Fitzpatrick
090033ede5 cmd/derper: fix data race & server panic in manual cert mode
(Thanks for debugging, Roland!)

Fixes #4082

Change-Id: I400a64001c3c58899bb570b759b08e745abc0be1
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-08-10 15:14:09 -07:00
Brad Fitzpatrick
ec9d13bce5 hostinfo, net/netcheck: use CutPrefix
Updates #5309

Change-Id: I37e594cfd245784bf810c493de68a66d3ff20677
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-08-05 15:17:44 -07:00
David Crawshaw
93324cc7b3 cmd/derper: add depaware.txt
Signed-off-by: David Crawshaw <crawshaw@tailscale.com>
2022-08-05 11:38:10 -07:00
Maisem Ali
a9f6cd41fd all: use syncs.AtomicValue
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2022-08-04 11:52:16 -07:00
Joe Tsai
b905db7a56 cmd/derper: remove support for logtail logging (#5248)
There aren't really any useful logs produced by derper.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-08-01 14:36:55 -07:00
Charlotte Brandhorst-Satzkorn
4c0feba38e derp: plumb '/derp' request context through (#5083)
This change is required to implement tracing for derp.

Signed-off-by: Charlotte Brandhorst-Satzkorn <charlotte@tailscale.com>
2022-07-18 15:43:03 -07:00
Mihai Parparita
edc90ebc61 net/wsconn: remove homegrown wrapper for turning a websocket.Conn into a net.Conn
The one from the nhooyr/websocket package seems to work equally well.

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-07 09:28:56 -07:00
Mihai Parparita
a9f32656f5 control/controlhttp: allow client and server to communicate over WebSockets
We can't do Noise-over-HTTP in Wasm/JS (because we don't have bidirectional
communication), but we should be able to do it over WebSockets. Reuses
derp WebSocket support that allows us to turn a WebSocket connection
into a net.Conn.

Updates #3157

Signed-off-by: Mihai Parparita <mihai@tailscale.com>
2022-06-02 21:20:54 -07:00
Brad Fitzpatrick
740e3c006c cmd/derper: add --stun-port flag
And flesh out docs on the --http-port flag.

Change-Id: If9d42665f67409082081cb9a25ad74e98869337b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-03-08 07:19:33 -08:00
Brad Fitzpatrick
a80cef0c13 cmd/derper: fix regression from bootstrap DNS optimization
The commit b9c92b90db earlier today
caused a regression of serving an empty map always, as it was
JSON marshalling an atomic.Value instead of the DNS entries map
it just built.

Change-Id: I9da3eeca132c6324462dedeaa7d002908557384b
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-02-11 15:28:38 -08:00
Josh Bleecher Snyder
84046d6f7c Revert "cmd/derper: stop setting content header in handleBootstrapDNS"
Didn't help enough. We are setting another header anyway. Restore it.

This reverts commit 60abeb027b.

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-11 14:15:28 -08:00
Josh Bleecher Snyder
ec62217f52 cmd/derper: close connections once bootstrap DNS has been served
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-11 14:08:43 -08:00
Josh Bleecher Snyder
60abeb027b cmd/derper: stop setting content header in handleBootstrapDNS
No one really cares. Its cost outweighs its usefulness.

name                   old time/op    new time/op    delta
HandleBootstrapDNS-10     105ns ± 4%      65ns ± 2%   -37.68%  (p=0.000 n=15+14)

name                   old alloc/op   new alloc/op   delta
HandleBootstrapDNS-10      416B ± 0%        0B       -100.00%  (p=0.000 n=15+15)

name                   old allocs/op  new allocs/op  delta
HandleBootstrapDNS-10      3.00 ± 0%      0.00       -100.00%  (p=0.000 n=15+15)

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-11 12:43:19 -08:00
Josh Bleecher Snyder
b9c92b90db cmd/derper: optimize handleBootstrapDNS
Do json formatting once, rather than on every request.

Use an atomic.Value.

name                   old time/op    new time/op    delta
HandleBootstrapDNS-10    6.35µs ± 0%    0.10µs ± 4%  -98.35%  (p=0.000 n=14+15)

name                   old alloc/op   new alloc/op   delta
HandleBootstrapDNS-10    3.20kB ± 0%    0.42kB ± 0%  -86.99%  (p=0.000 n=12+15)

name                   old allocs/op  new allocs/op  delta
HandleBootstrapDNS-10      41.0 ± 0%       3.0 ± 0%  -92.68%  (p=0.000 n=15+15)

Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-11 12:43:19 -08:00
Josh Bleecher Snyder
e206a3663f cmd/derper: add BenchmarkHandleBootstrapDNS
Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>
2022-02-11 12:43:19 -08:00
Joe Tsai
0173a50bf0 cmd/derper: add a rate limiter for accepting new connection (#3908)
A large influx of new connections can bring down DERP
since it spins off a new goroutine for each connection,
where each routine may do significant amount of work
(e.g., allocating memory and crunching numbers for TLS crypto).
The momentary spike can cause the process to OOM.

This commit sets the groundwork for limiting connections,
but leaves the limit at infinite by default.

Signed-off-by: Joe Tsai <joetsai@digital-static.net>
2022-02-11 12:02:38 -08:00
Brad Fitzpatrick
fa612c28cf cmd/derper: make --stun default to on, flesh out flag docs
Change-Id: I49e80c61ab19e78e4c8b4bc9012bb70cfe3bfa75
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-31 17:42:45 -08:00
David Anderson
f5ec916214 cmd/derper: disable TLS 1.0 and 1.1.
Updates tailscale/corp#3568

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-28 01:13:30 +00:00
David Anderson
508f332bb2 cmd/derper: export TLS vars with derper_ prefix, not stun_
Updates tailscale/corp#3568

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-25 18:57:30 +00:00
David Anderson
ff3442d92d cmd/derper: record TLS versions used for requests.
Surveying the fleet prior to turning off old/unused/insecure
TLS versions.

Updates tailscale/corp#3615

Signed-off-by: David Anderson <danderson@tailscale.com>
2022-01-22 02:35:55 +00:00
Brad Fitzpatrick
b8ad90c2bf cmd/derper: in manual cert mode, don't discard error from VerifyHostname
Updates #3701

Change-Id: If8ca5104bd8221c99cc390ca49ee3401aff09b62
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2022-01-11 08:40:42 -08:00
Arnaud Dezandee
656809e4ee cmd/derper: allow http port configuration
Signed-off-by: Arnaud Dezandee <dezandee.arnaud@gmail.com>
2021-12-08 08:58:30 -08:00
David Anderson
db800ddeac cmd/derper: set Content-Security-Policy on DERPs.
It's a basic "deny everything" policy, since DERP's HTTP
server is very uninteresting from a browser POV. But it
stops every security scanner under the sun from reporting
"dangerously configured" HTTP servers.

Updates tailscale/corp#3119

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-11-26 11:00:44 -08:00
David Anderson
9a217ec841 cmd/derper: increase HSTS cache lifetime to 2 years.
Fixes #3373.

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-11-22 11:59:01 -08:00
David Anderson
937e96f43d cmd/derper: enable HSTS when serving over HTTPS.
Starting with a short lifetime, to verify nothing breaks.

Updates #3373

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-11-22 09:57:34 -08:00
oocococo
3a2b0fc36c cmd/derper: support custom TLS port when in manual mode (#3231)
Fixes #3232

Change-Id: I8dae5c01f9dfdfd6d45e34e4ca3534b642ae5c8e
Signed-off-by: oocococo <mercurial.lx@gmail.com>
2021-10-31 18:31:49 -07:00
David Anderson
37c150aee1 derp: use new node key type.
Update #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 16:02:11 -07:00
David Anderson
a47158e14d cmd/derper: use new node key type.
Updates #3206

Signed-off-by: David Anderson <danderson@tailscale.com>
2021-10-28 09:39:23 -07:00
Brad Fitzpatrick
b0b0a80318 net/netcheck: implement netcheck for js/wasm clients
And the derper change to add a CORS endpoint for latency measurement.

And a little magicsock change to cut down some log spam on js/wasm.

Updates #3157

Change-Id: I5fd9e6f5098c815116ddc8ac90cbcd0602098a48
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-27 09:59:31 -07:00
Brad Fitzpatrick
505f844a43 cmd/derper, derp/derphttp: add websocket support
Updates #3157

Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-10-22 12:51:30 -07:00
Brad Fitzpatrick
0be26599ca cmd/derper: refactor STUN path for testing, add serverSTUN benchmark
Real goal is to eliminate some allocs in the STUN path, but that requires
work in the standard library.

See comments in #2783.

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-13 10:12:32 -07:00
Brad Fitzpatrick
d5851d2e06 cmd/derper: fix real staticcheck failure from prior commit
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-08 17:00:56 -07:00
Silver Bullet
d8c5d00ecb cmd/derper: support manual TLS certificate mode (#2793)
Add a mode control for derp server, and add a "manual" mode
to get derp server certificate. Under manual mode, certificate
is searched in the directory given by "--cert-dir". Certificate
should in PEM format, and use "hostname.{key,crt}" as filename.
If no hostname is used, search by the hostname given for listen.

Fixes #2794

Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
2021-09-08 16:50:34 -07:00
Brad Fitzpatrick
5d800152d9 cmd/derper: increase port 80's WriteTimeout to permit longer CPU profiles
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-09-02 10:49:14 -07:00
Chuangbo Li
e4e4d336d9 cmd/derper: listen on host of flag server addr for port 80 and 3478 (#2768)
cmd/derper: listen on host of flag server addr for port 80 and 3478

When using custom derp on the server with multiple IP addresses,
we would like to bind derp 80, 443 and stun 3478 to a certain IP.

derp command provides flag `-a` to customize which address to bind
for port 443. But port :80 and :3478 were hard-coded.

Fixes #2767

Signed-off-by: Li Chuangbo <im@chuangbo.li>
2021-09-02 10:42:27 -07:00