Export OnlyTCP443

Author: nekohasekai

derp/derphttp/derphttp_client.go

@@ -668,7 +668,7 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 // DERP nodes for a region are tried in sequence according to their order
 // in the DERP map. TLS is initiated on the first node where a socket is
 // established.
-func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
+func (c *Client) _DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
 	tcpConn, node, err := c.dialRegion(ctx, reg)
 	if err != nil {
 		return nil, nil, nil, err

derp/derphttp/derphttp_client_mod.go

@@ -0,0 +1,122 @@
+package derphttp
+
+import (
+	"cmp"
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"github.com/sagernet/tailscale/net/sockstats"
+	tailcfg "github.com/sagernet/tailscale/tailcfg"
+	"io"
+	"net"
+	"net/netip"
+	"time"
+)
+
+func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
+	if len(reg.Nodes) == 0 {
+		return nil, nil, nil, fmt.Errorf("no nodes for %s", c.targetString(reg))
+	}
+	var firstErr error
+	for _, n := range reg.Nodes {
+		if n.STUNOnly {
+			if firstErr == nil {
+				firstErr = fmt.Errorf("no non-STUNOnly nodes for %s", c.targetString(reg))
+			}
+			continue
+		}
+		c, err := c.dialNodeTLS(ctx, n)
+		if err == nil {
+			return c, c.NetConn(), n, nil
+		}
+		if firstErr == nil {
+			firstErr = err
+		}
+	}
+	return nil, nil, nil, firstErr
+}
+
+func (c *Client) dialNodeTLS(ctx context.Context, n *tailcfg.DERPNode) (*tls.Conn, error) {
+	type res struct {
+		c   *tls.Conn
+		err error
+	}
+	resc := make(chan res) // must be unbuffered
+	ctx, cancel := context.WithTimeout(ctx, dialNodeTimeout)
+	defer cancel()
+
+	ctx = sockstats.WithSockStats(ctx, sockstats.LabelDERPHTTPClient, c.logf)
+
+	nwait := 0
+	startDial := func(dstPrimary, proto string) {
+		nwait++
+		go func() {
+			if proto == "tcp4" && c.preferIPv6() {
+				t, tChannel := c.clock.NewTimer(200 * time.Millisecond)
+				select {
+				case <-ctx.Done():
+					// Either user canceled original context,
+					// it timed out, or the v6 dial succeeded.
+					t.Stop()
+					return
+				case <-tChannel:
+					// Start v4 dial
+				}
+			}
+			dst := cmp.Or(dstPrimary, n.HostName)
+			port := "443"
+			if !c.useHTTPS() {
+				port = "3340"
+			}
+			if n.DERPPort != 0 {
+				port = fmt.Sprint(n.DERPPort)
+			}
+			conn, err := c.dialContext(ctx, proto, net.JoinHostPort(dst, port))
+			if err != nil {
+				select {
+				case resc <- res{nil, err}:
+				case <-ctx.Done():
+				}
+				return
+			}
+			tlsConn := c.tlsClient(conn, n)
+			err = tlsConn.Handshake()
+			select {
+			case resc <- res{tlsConn, err}:
+			case <-ctx.Done():
+				if c != nil {
+					c.Close()
+				}
+			}
+		}()
+	}
+	if shouldDialProto(n.IPv4, netip.Addr.Is4) {
+		startDial(n.IPv4, "tcp4")
+	}
+	if shouldDialProto(n.IPv6, netip.Addr.Is6) {
+		startDial(n.IPv6, "tcp6")
+	}
+	if nwait == 0 {
+		return nil, errors.New("both IPv4 and IPv6 are explicitly disabled for node")
+	}
+
+	var firstErr error
+	for {
+		select {
+		case res := <-resc:
+			nwait--
+			if res.err == nil {
+				return res.c, nil
+			}
+			if firstErr == nil {
+				firstErr = res.err
+			}
+			if nwait == 0 {
+				return nil, firstErr
+			}
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
+	}
+}

ipn/ipnlocal/local.go

@@ -387,6 +387,7 @@ type LocalBackend struct {
 	needsCaptiveDetection chan bool
 
 	lookupHook dnscache.LookupHookFunc
+	onlyTCP443 bool
 }
 
 // HealthTracker returns the health tracker for the backend.
@@ -426,7 +427,7 @@ type clientGen func(controlclient.Options) (controlclient.Client, error)
 // but is not actually running.
 //
 // If dialer is nil, a new one is made.
-func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, loginFlags controlclient.LoginFlags, lookupHook dnscache.LookupHookFunc) (_ *LocalBackend, err error) {
+func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, loginFlags controlclient.LoginFlags, lookupHook dnscache.LookupHookFunc, onlyTCP443 bool) (_ *LocalBackend, err error) {
 	e := sys.Engine.Get()
 	store := sys.StateStore.Get()
 	dialer := sys.Dialer.Get()
@@ -493,6 +494,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 		captiveCancel:         nil, // so that we start checkCaptivePortalLoop when Running
 		needsCaptiveDetection: make(chan bool),
 		lookupHook:            lookupHook,
+		onlyTCP443:            onlyTCP443,
 	}
 	mConn.SetNetInfoCallback(b.setNetInfo)
 
@@ -1662,7 +1664,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 
 		b.e.SetNetworkMap(st.NetMap)
 		b.MagicConn().SetDERPMap(st.NetMap.DERPMap)
-		b.MagicConn().SetOnlyTCP443(st.NetMap.HasCap(tailcfg.NodeAttrOnlyTCP443))
+		b.MagicConn().SetOnlyTCP443(b.onlyTCP443 || st.NetMap.HasCap(tailcfg.NodeAttrOnlyTCP443))
 
 		// Update our cached DERP map
 		dnsfallback.UpdateCache(st.NetMap.DERPMap, b.logf)

tsnet/tsnet.go

@@ -126,6 +126,7 @@ type Server struct {
 
 	Dialer     N.Dialer
 	LookupHook dnscache.LookupHookFunc
+	OnlyTCP443 bool
 	DNS        dns.OSConfigurator
 	HTTPClient *http.Client
 
@@ -625,7 +626,7 @@ func (s *Server) start() (reterr error) {
 	if s.Ephemeral {
 		loginFlags = controlclient.LoginEphemeral
 	}
-	lb, err := ipnlocal.NewLocalBackend(tsLogf, s.logid, sys, loginFlags|controlclient.LocalBackendStartKeyOSNeutral, s.LookupHook)
+	lb, err := ipnlocal.NewLocalBackend(tsLogf, s.logid, sys, loginFlags|controlclient.LocalBackendStartKeyOSNeutral, s.LookupHook, s.OnlyTCP443)
 	if err != nil {
 		return fmt.Errorf("NewLocalBackend: %v", err)
 	}