-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add DERP generate_204 endpoint for captive portal detection. #1600
base: main
Are you sure you want to change the base?
Conversation
Is there a way we can have an integration test for this? |
@tomtom5152 Could you rebase this? |
Sorry, only just seen this as been having to put my attentions elsewhere. I don't have time to rebase currently, but I see there was some force push just. I also looked at adding tests but couldn't figure out how best to do this with the current repo structure. If you've got any hints I |
hmm, I wonder if I have seen an error message referring to the generate_204 endpoint when running
I would appreciate if you have a go, if not, at somepoint I might have time, but that could be weeks to months these days. I greatly appreciate this addition, but it is a feature that is hard to debug if it is wrong, so I am extra conservative for these kind of things. |
Signed-off-by: Kristoffer Dalby <[email protected]>
Signed-off-by: Kristoffer Dalby <[email protected]>
I've added a testcase as I've described for endpoint, it is currently failing, and I have not had time to investigate, feel free to take a look @tomtom5152. cc @TotoTheDragon since we talked about this the other day. |
The DERP report looks as follows: {
"Info": [
"Region 999 == \"headscale\""
],
"Warnings": [
"Having only a single DERP region (i.e. removing the default Tailscale-provided regions) is a single point of failure and could hamper connectivity",
"Error making request to the captive portal check \"http://headscale/generate_204\"; is port 80 blocked?"
],
"Errors": [
"Error connecting to node \"headscale\" @ \"headscale:80\" over IPv4: dial tcp4: lookup headscale on 100.100.100.100:53: no such host",
"Error connecting to node \"headscale\" @ \"headscale:80\" over IPv6: dial tcp6: lookup headscale on 100.100.100.100:53: no such host"
]
} I recon we might need to listen specifically on port 80 for that endpoint. |
Signed-off-by: Kristoffer Dalby <[email protected]>
I am not sure if the tailscale client actually uses this. But within DERPNode, there is a field called CanPort80. Maybe we should look into setting that field? |
It sounds useful, but searching the clients code it doesnt look like it is used. |
Looks like tailscale client falls back to tailscale servers without this feature in headscale DERP servers. Ref: tailscale/tailscale#13788 (comment) |
There has been some work on the DERP integration tests to fix the verify client url and websockets, this might be helpful for these tests, anyone able to pick this up again? |
Not sure if anyone plans to pick up this PR again since it's already fairly old, but I skimmed over the code and I see a potential issue. In there it says that "[the listening port] is not configurable as captive portal busting requires http/80." And then it hardcodes the listen address to be 0.0.0.0:80; and that will break IPv6 setups. Can this be replaced with [::]:80 and a dual-stack-capable socket so it works for both IPv4 and IPv6 setups? Or two separate sockets for IPv4 and IPv6? Headscale has quite a few places where it's currently only using IPv4 by default, but they can all be fixed by replacing "0.0.0.0" with "[::]" and "127.0.0.1" with "[::1]" in the config file. Please don't add another hardcoded dependency for IPv4 that can't be changed by the user. Or is there a compelling reason why this endpoint should only be reachable over IPv4? Same issue also applies to the other PR (#1768). |
When connecting to a DERP server the client makes a request to
/generate_204
endpoint with the headerX-Tailscale-Challenge
. In order to pass the captive portal test, the server must provider a 204 NoContent response withX-Tailscale-Response
set.The source for this simple endpoint was taken directly from Derper source at the time of commit