tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	b1248442c3	all: update to Go 1.20, use strings.CutPrefix/Suffix instead of our fork Updates #7123 Updates #5309 Change-Id: I90bcd87a2fb85a91834a0dd4be6e03db08438672 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	1 year ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	1 year ago
Mihai Parparita	33520920c3	all: use strs.CutPrefix and strs.CutSuffix more Updates places where we use HasPrefix + TrimPrefix to use the combined function. Updates #5309 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	1 year ago
Mihai Parparita	b2855cfd86	derp/derphttp: fix nil pointer dereference when closing a netcheck client NewNetcheckClient only initializes a subset of fields of derphttp.Client, and the Close() call added by #5707 was result in a nil pointer dereference. Make Close() safe to call when using NewNetcheckClient() too. Fixes #5919 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Josh Soref	d4811f11a0	all: fix spelling mistakes Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2 years ago
Eng Zer Jun	f0347e841f	refactor: move from io/ioutil to io and os packages The io/ioutil package has been deprecated as of Go 1.16 [1]. This commit replaces the existing io/ioutil functions with their new definitions in io and os packages. Reference: https://golang.org/doc/go1.16#ioutil Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>	2 years ago
Maisem Ali	a9f6cd41fd	all: use syncs.AtomicValue Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6a396731eb	all: use various net/netip parse funcs directly Mechanical change with perl+goimports. Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then goimports -d . Finally, removed the net/netaddr wrappers, to prevent future use. Updates #5162 Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Tom DNetto	c8f4dfc8c0	derp/derphttp,net/netcheck: improve netcheck behavior under MITM proxies In cases where tailscale is operating behind a MITM proxy, we need to consider that a lot more of the internals of our HTTP requests are visible and may be used as part of authorization checks. As such, we need to 'behave' as closely as possible to ideal. - Some proxies do authorization or consistency checks based the on Host header or HTTP URI, instead of just the IP/hostname/SNI. As such, we need to construct a `*http.Request` with a valid URI everytime HTTP is going to be used on the wire, even if its over TLS. Aside from the singular instance in net/netcheck, I couldn't find anywhere else a http.Request was constructed incorrectly. - Some proxies may deny requests, typically by returning a 403 status code. We should not consider these requests as a valid latency check, so netcheck semantics have been updated to consider >299 status codes as a failed probe. Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Brad Fitzpatrick	730aa1c89c	derp/derphttp, wgengine/magicsock: prefer IPv6 to DERPs when IPv6 works Fixes #3838 Change-Id: Ie47a2a30c7e8e431512824798d2355006d72fb6a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	70d71ba1e7	cmd/derpprobe: check derper TLS certs too Change-Id: If8c48e012b294570ebbb1a46bacdc58fafbfbcc5 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	41fd4eab5c	envknob: add new package for all the strconv.ParseBool(os.Getenv(..)) A new package can also later record/report which knobs are checked and set. It also makes the code cleaner & easier to grep for env knobs. Change-Id: Id8a123ab7539f1fadbd27e0cbeac79c2e4f09751 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	2c94e3c4ad	wgengine/magicsock: don't unconditionally close DERP connections on rebind Only if the source address isn't on the currently active interface or a ping of the DERP server fails. Updates #3619 Change-Id: I6bf06503cff4d781f518b437c8744ac29577acc8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	535b925d1b	derp/derphttp: add Client.Ping, SendPing methods Continuing work in `434af15a04`, to make it possible for magicsock to probe whether a DERP server is still there. Updates #3619 Change-Id: I366a77c27e93b876734e64f445b85ef01eb590f2 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	434af15a04	derp: support client->server ping (and server->client pong) In prep for a future change to have client ping derp connections when their state is questionable, rather than aggressively tearing them down and doing a heavy reconnect when their state is unknown. We already support ping/pong in the other direction (servers probing clients) so we already had the two frame types, but I'd never finished this direction. Updates #3619 Change-Id: I024b815d9db1bc57c20f82f80f95fb55fc9e2fcc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Josh Bleecher Snyder	758c37b83d	net/netns: thread logf into control functions So that darwin can log there without panicking during tests. Signed-off-by: Josh Bleecher Snyder <josh@tailscale.com>	3 years ago
David Anderson	37c150aee1	derp: use new node key type. Update #3206 Signed-off-by: David Anderson <danderson@tailscale.com>	3 years ago
Brad Fitzpatrick	505f844a43	cmd/derper, derp/derphttp: add websocket support Updates #3157 Change-Id: I337a919a3b350bc7bd9af567b49c4d5d6616abdd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7cf8ec8108	net/tlsdial: bake in LetsEncrypt's ISRG Root X1 root We still try the host's x509 roots first, but if that fails (like if the host is old), we fall back to using LetsEncrypt's root and retrying with that. tlsdial was used in the three main places: logs, control, DERP. But it was missing in dnsfallback. So added it there too, so we can run fine now on a machine with no DNS config and no root CAs configured. Also, move SSLKEYLOGFILE support out of DERP. tlsdial is the logical place for that support. Fixes #1609 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	e422e9f4c9	cmd/derper: mesh over VPC network Updates #2414 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	e299300b48	net/dnscache: cache all IPs per hostname Not yet used in the dialer, but plumbed around. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	05da2691a5	cmd/derper/derpprobe: add derp prober Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	7e7c4c1bbe	tailcfg: break DERPNode.DERPTestPort into DERPPort & InsecureForTests The DERPTestPort int meant two things before: which port to use, and whether to disable TLS verification. Users would like to set the port without disabling TLS, so break it into two options. Updates #1264 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	c81814e4f8	derp{,/derphttp},magicsock: tell DERP server when ping acks can be expected Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	79d8288f0a	wgengine/magicsock, derp, derp/derphttp: respond to DERP server->client pings No server support yet, but we want Tailscale 1.6 clients to be able to respond to them when the server can do it. Updates #1310 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	ca51529b81	derp/derphttp: return nicer errors from Recv on Close	3 years ago
Brad Fitzpatrick	66be052a70	net/dnscache: work on IPv6-only hosts (again) This fixes the regression where we had stopped working on IPv6-only hosts. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	1e0be5a458	tshttp, derphttp: send Proxy-Authorization, not Authorization, to proxies Whoops. But weirdly, sending Authorization sometimes worked?	4 years ago
Brad Fitzpatrick	28f9cd06f5	tshttpproxy, controlclient, derphttp, logpolicy: send Negotiate auth to proxies For Windows only, and only when built with Tailscale's Go tree. Updates tailscale/corp#583	4 years ago
Brad Fitzpatrick	e415991256	derp, derp/derphttp: remove one RTT from DERP setup * advertise server's DERP public key following its ServerHello * have client look for that DEPR public key in the response PeerCertificates * let client advertise it's going into a "fast start" mode if it finds it * modify server to support that fast start mode, just not sending the HTTP response header Cuts down another round trip, bringing the latency of being able to write our first DERP frame from SF to Bangalore from ~725ms (3 RTT) to ~481ms (2 RTT: TCP and TLS). Fixes #693 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	287522730d	derp/derphttp: support standard-ish SSLKEYLOGFILE environment variable For debugging.	4 years ago
Brad Fitzpatrick	c5eb57f4d6	net/tshttpproxy: new package, support WPAD/PAC proxies on Windows Updates tailscale/corp#553 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	69f3ceeb7c	derp/derphttp: don't return all nil from dialRegion when STUNOnly nodes	4 years ago
Brad Fitzpatrick	4732722b87	derp: add frameClosePeer to move around clients within a region For various reasons (mostly during rollouts or config changes on our side), nodes may end up connecting to a fallback DERP node in a region, rather than the primary one we tell them about in the DERP map. Connecting to the "wrong" node is fine, but it's in our best interest for all nodes in a domain to connect to the same node, to reduce intra-region packet forwarding. This adds a privileged frame type used by the control system that can kick off a client connection when they're connected to the wrong node in a region. Then they hopefully reconnect immediately to the correct location. (If not, we can leave them alone and stop closing them.) Updates tailscale/corp#372	4 years ago
Brad Fitzpatrick	abd79ea368	derp: reduce DERP memory use; don't require callers to pass in memory to use The magicsock derpReader was holding onto 65KB for each DERP connection forever, just in case. Make the derp{,http}.Client be in charge of memory instead. It can reuse its bufio.Reader buffer space.	4 years ago
Brad Fitzpatrick	1cb7dab881	cmd/derper: support forwarding packets amongst set of peer DERP servers Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	5e0ff494a5	derp: change NewClient constructor to an option pattern (The NewMeshClient constructor I added recently was gross in retrospect at call sites, especially when it wasn't obvious that a meshKey empty string meant a regular client)	4 years ago
Brad Fitzpatrick	4d599d194f	derp, derp/derphttp: add key accessors, add Client.RecvDetail Client.RecvDetail returns a connection generation so interested clients can detect when a reconnect happened. (Will be needed for #388)	4 years ago
Brad Fitzpatrick	484b7fc9a3	derp, cmd/derper: add frameWatchConns, framePeerPresent for inter-DERP routing This lets a trusted DERP client that knows a pre-shared key subscribe to the connection list. Upon subscribing, they get the current set of connected public keys, and then all changes over time. This lets a set of DERP server peers within a region all stay connected to each other and know which clients are connected to which nodes. Updates #388 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	24009241bf	net/netns: move SOCKS dialing to netns for now This lets control & logs also use SOCKS dials. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	cf0d19f0ab	net/tlsdial, derp/derphttp: finish DERPNode.CertName validation	4 years ago
Brad Fitzpatrick	7f68e097dd	net/netcheck: fix HTTPS fallback bug from earlier today My earlier `3fa58303d0` tried to implement the net/http.Tranhsport.DialTLSContext hook, but I didn't return a *tls.Conn, so we ended up sending a plaintext HTTP request to an HTTPS port. The response ended up being Go telling as such, not the /derp/latency-check handler's response (which is currently still a 404). But we didn't even get the 404. This happened to work well enough because Go's built-in error response was still a valid HTTP response that we can measure for timing purposes, but it's not a great answer. Notably, it means we wouldn't be able to get a future handler to run server-side and count those latency requests.	4 years ago
Brad Fitzpatrick	3fa58303d0	netcheck: address some HTTP fallback measurement TODOs	4 years ago
David Anderson	e9f7d01b91	derp/derphttp: make DERP client use netns for dial-outs.	4 years ago
Brad Fitzpatrick	e6b84f2159	all: make client use server-provided DERP map, add DERP region support Instead of hard-coding the DERP map (except for cmd/tailscale netcheck for now), get it from the control server at runtime. And make the DERP map support multiple nodes per region with clients picking the first one that's available. (The server will balance the order presented to clients for load balancing) This deletes the stunner package, merging it into the netcheck package instead, to minimize all the config hooks that would've been required. Also fix some test flakes & races. Fixes #387 (Don't hard-code the DERP map) Updates #388 (Add DERP region support) Fixes #399 (wgengine: flaky tests) Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	040a0d5121	derp/derphttp: don't use x/net/proxy for SOCKS on iOS We don't want those extra dependencies on iOS, at least yet. Especially since there's no way to set the relevant environment variables so it's just bloat with no benefits. Perhaps we'll need to do SOCKS on iOS later, but probably differently if/when so. Updates #227 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	e42ec4efba	derp/derphttp: use SOCKS/etc proxies for derphttp dials Updates #227 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	b6fa5a69be	net/tlsdial: add package for TLS dials, and make DERP & controlclient use it This will do the iOS-optimized cert checking in a following change.	4 years ago

1 2

65 Commits (b1248442c3e40371c34fdf5bd90138b3ece615a7)