cmd/derper: clarify that derper and tailscaled need to be in sync

Fixes #12617

Change-Id: Ifc87b7d9cf699635087afb57febd01fb9a6d11b7
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
pull/12636/head
Brad Fitzpatrick 3 months ago committed by Brad Fitzpatrick
parent 6b801a8e9e
commit 210264f942

@ -30,7 +30,9 @@ If you've decided or been advised to run your own `derper`, then read on.
* You must build and update the `cmd/derper` binary yourself. There are no * You must build and update the `cmd/derper` binary yourself. There are no
packages. Use `go install tailscale.com/cmd/derper@latest` with the latest packages. Use `go install tailscale.com/cmd/derper@latest` with the latest
version of Go. You should update this binary approximately as regularly as version of Go. You should update this binary approximately as regularly as
you update Tailscale nodes. you update Tailscale nodes. If using `--verify-clients`, the `derper` binary
and `tailscaled` binary on the machine must be built from the same git revision.
(It might work otherwise, but they're developed and only tested together.)
* The DERP protocol does a protocol switch inside TLS from HTTP to a custom * The DERP protocol does a protocol switch inside TLS from HTTP to a custom
bidirectional binary protocol. It is thus incompatible with many HTTP proxies. bidirectional binary protocol. It is thus incompatible with many HTTP proxies.

@ -1187,6 +1187,10 @@ func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, inf
return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey) return fmt.Errorf("peer %v not authorized (not found in local tailscaled)", clientKey)
} }
if err != nil { if err != nil {
if strings.Contains(err.Error(), "invalid 'addr' parameter") {
// Issue 12617
return errors.New("tailscaled version is too old (out of sync with derper binary)")
}
return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err) return fmt.Errorf("failed to query local tailscaled status for %v: %w", clientKey, err)
} }
} }
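Review bot: The new branch in verifyClient returns a bare `errors.New(...)`, which drops both the underlying `err` and the `clientKey`, so the derper log no longer shows what tailscaled actually answered or which peer was rejected. Wrapping keeps the hint and the cause: `return fmt.Errorf("tailscaled version is too old (out of sync with derper binary) for %v: %w", clientKey, err)`. The detection keys on the substring `invalid 'addr' parameter` in `err.Error()`, which would silently stop matching if that message were reworded on the tailscaled side. The `// Issue 12617` comment could say so, e.g. `// Issue 12617: matches the error text from a tailscaled that is out of sync; keep in step with it.` The path still fails closed on any error, which is the right behaviour for an authorization check. verifyClient's body starts outside the hunk.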
