tailscale/net/captivedetection/captivedetection.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

// Package captivedetection provides a way to detect if the system is connected to a network that has
// a captive portal. It does this by making HTTP requests to known captive portal detection endpoints
// and checking if the HTTP responses indicate that a captive portal might be present.
package captivedetection

import (
	"context"
	"net"
	"net/http"
	"runtime"
	"strings"
	"sync"
	"syscall"
	"time"

	"tailscale.com/net/netmon"
	"tailscale.com/tailcfg"
	"tailscale.com/types/logger"
)

// Detector checks whether the system is behind a captive portal.
type Detector struct {

	// httpClient is the HTTP client that is used for captive portal detection. It is configured
	// to not follow redirects, have a short timeout and no keep-alive.
	httpClient *http.Client
	// currIfIndex is the index of the interface that is currently being used by the httpClient.
	currIfIndex int
	// mu guards currIfIndex.
	mu sync.Mutex
	// logf is the logger used for logging messages. If it is nil, log.Printf is used.
	logf logger.Logf
}

// NewDetector creates a new Detector instance for captive portal detection.
func NewDetector(logf logger.Logf) *Detector {
	d := &Detector{logf: logf}
	d.httpClient = &http.Client{
		// No redirects allowed
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
		Transport: &http.Transport{
			DialContext:       d.dialContext,
			DisableKeepAlives: true,
		},
		Timeout: Timeout,
	}
	return d
}

// Timeout is the timeout for captive portal detection requests. Because the captive portal intercepting our requests
// is usually located on the LAN, this is a relatively short timeout.
const Timeout = 3 * time.Second

// Detect is the entry point to the API. It attempts to detect if the system is behind a captive portal
// by making HTTP requests to known captive portal detection Endpoints. If any of the requests return a response code
// or body that looks like a captive portal, Detect returns true. It returns false in all other cases, including when any
// error occurs during a detection attempt.
//
// This function might take a while to return, as it will attempt to detect a captive portal on all available interfaces
// by performing multiple HTTP requests. It should be called in a separate goroutine if you want to avoid blocking.
func (d *Detector) Detect(ctx context.Context, netMon *netmon.Monitor, derpMap *tailcfg.DERPMap, preferredDERPRegionID int) (found bool) {
	return d.detectCaptivePortalWithGOOS(ctx, netMon, derpMap, preferredDERPRegionID, runtime.GOOS)
}

func (d *Detector) detectCaptivePortalWithGOOS(ctx context.Context, netMon *netmon.Monitor, derpMap *tailcfg.DERPMap, preferredDERPRegionID int, goos string) (found bool) {
	ifState := netMon.InterfaceState()
	if !ifState.AnyInterfaceUp() {
		d.logf("[v2] DetectCaptivePortal: no interfaces up, returning false")
		return false
	}

	endpoints := availableEndpoints(derpMap, preferredDERPRegionID, d.logf, goos)

	// Here we try detecting a captive portal using *all* available interfaces on the system
	// that have a IPv4 address. We consider to have found a captive portal when any interface
	// reports one may exists. This is necessary because most systems have multiple interfaces,
	// and most importantly on macOS no default route interface is set until the user has accepted
	// the captive portal alert thrown by the system. If no default route interface is known,
	// we need to try with anything that might remotely resemble a Wi-Fi interface.
	for ifName, i := range ifState.Interface {
		if !i.IsUp() || i.IsLoopback() || interfaceNameDoesNotNeedCaptiveDetection(ifName, goos) {
			continue
		}
		addrs, err := i.Addrs()
		if err != nil {
			d.logf("[v1] DetectCaptivePortal: failed to get addresses for interface %s: %v", ifName, err)
			continue
		}
		if len(addrs) == 0 {
			continue
		}
		d.logf("[v2] attempting to do captive portal detection on interface %s", ifName)
		res := d.detectOnInterface(ctx, i.Index, endpoints)
		if res {
			d.logf("DetectCaptivePortal(found=true,ifName=%s)", ifName)
			return true
		}
	}

	d.logf("DetectCaptivePortal(found=false)")
	return false
}

// interfaceNameDoesNotNeedCaptiveDetection returns true if an interface does not require captive portal detection
// based on its name. This is useful to avoid making unnecessary HTTP requests on interfaces that are known to not
// require it. We also avoid making requests on the interface prefixes "pdp" and "rmnet", which are cellular data
// interfaces on iOS and Android, respectively, and would be needlessly battery-draining.
func interfaceNameDoesNotNeedCaptiveDetection(ifName string, goos string) bool {
	ifName = strings.ToLower(ifName)
	excludedPrefixes := []string{"tailscale", "tun", "tap", "docker", "kube", "wg", "ipsec"}
	if goos == "windows" {
		excludedPrefixes = append(excludedPrefixes, "loopback", "tunnel", "ppp", "isatap", "teredo", "6to4")
	} else if goos == "darwin" || goos == "ios" {
		excludedPrefixes = append(excludedPrefixes, "pdp", "awdl", "bridge", "ap", "utun", "tap", "llw", "anpi", "lo", "stf", "gif", "xhc", "pktap")
	} else if goos == "android" {
		excludedPrefixes = append(excludedPrefixes, "rmnet", "p2p", "dummy", "sit")
	}
	for _, prefix := range excludedPrefixes {
		if strings.HasPrefix(ifName, prefix) {
			return true
		}
	}
	return false
}

// detectOnInterface reports whether or not we think the system is behind a
// captive portal, detected by making a request to a URL that we know should
// return a "204 No Content" response and checking if that's what we get.
//
// The boolean return is whether we think we have a captive portal.
func (d *Detector) detectOnInterface(ctx context.Context, ifIndex int, endpoints []Endpoint) bool {
	defer d.httpClient.CloseIdleConnections()

	d.logf("[v2] %d available captive portal detection endpoints: %v", len(endpoints), endpoints)

	// We try to detect the captive portal more quickly by making requests to multiple endpoints concurrently.
	var wg sync.WaitGroup
	resultCh := make(chan bool, len(endpoints))

	for i, e := range endpoints {
		if i >= 5 {
			// Try a maximum of 5 endpoints, break out (returning false) if we run of attempts.
			break
		}
		wg.Add(1)
		go func(endpoint Endpoint) {
			defer wg.Done()
			found, err := d.verifyCaptivePortalEndpoint(ctx, endpoint, ifIndex)
			if err != nil {
				d.logf("[v1] checkCaptivePortalEndpoint failed with endpoint %v: %v", endpoint, err)
				return
			}
			if found {
				resultCh <- true
			}
		}(e)
	}

	go func() {
		wg.Wait()
		close(resultCh)
	}()

	for result := range resultCh {
		if result {
			// If any of the endpoints seems to be a captive portal, we consider the system to be behind one.
			return true
		}
	}

	return false
}

// verifyCaptivePortalEndpoint checks if the given Endpoint is a captive portal by making an HTTP request to the
// given Endpoint URL using the interface with index ifIndex, and checking if the response looks like a captive portal.
func (d *Detector) verifyCaptivePortalEndpoint(ctx context.Context, e Endpoint, ifIndex int) (found bool, err error) {
	ctx, cancel := context.WithTimeout(ctx, Timeout)
	defer cancel()

	req, err := http.NewRequestWithContext(ctx, "GET", e.URL.String(), nil)
	if err != nil {
		return false, err
	}

	// Attach the Tailscale challenge header if the endpoint supports it. Not all captive portal detection endpoints
	// support this, so we only attach it if the endpoint does.
	if e.SupportsTailscaleChallenge {
		// Note: the set of valid characters in a challenge and the total
		// length is limited; see isChallengeChar in cmd/derper for more
		// details.
		chal := "ts_" + e.URL.Host
		req.Header.Set("X-Tailscale-Challenge", chal)
	}

	d.mu.Lock()
	d.currIfIndex = ifIndex
	d.mu.Unlock()

	// Make the actual request, and check if the response looks like a captive portal or not.
	r, err := d.httpClient.Do(req)
	if err != nil {
		return false, err
	}

	return e.responseLooksLikeCaptive(r, d.logf), nil
}

func (d *Detector) dialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	d.mu.Lock()
	defer d.mu.Unlock()

	ifIndex := d.currIfIndex

	dl := &net.Dialer{
		Timeout: Timeout,
		Control: func(network, address string, c syscall.RawConn) error {
			return setSocketInterfaceIndex(c, ifIndex, d.logf)
		},
	}

	return dl.DialContext(ctx, network, addr)
}