From 25eeafde23beeb46a6d926f2d487839e235dabbf Mon Sep 17 00:00:00 2001 From: Brad Fitzpatrick Date: Wed, 19 Jun 2024 08:53:23 -0700 Subject: [PATCH] derp: don't verify mesh peers when --verify-clients is set Updates tailscale/corp#20654 Change-Id: I33c7ca3c7a3c4e492797b73c66eefb699376402c Signed-off-by: Brad Fitzpatrick --- derp/derp_server.go | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/derp/derp_server.go b/derp/derp_server.go index 889bede9d..4485b6a4a 100644 --- a/derp/derp_server.go +++ b/derp/derp_server.go @@ -751,7 +751,7 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem discoSendQueue: make(chan pkt, perClientSendQueueDepth), sendPongCh: make(chan [8]byte, 1), peerGone: make(chan peerGoneMsg), - canMesh: clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey, + canMesh: s.isMeshPeer(clientInfo), peerGoneLim: rate.NewLimiter(rate.Every(time.Second), 3), } @@ -1153,9 +1153,22 @@ func (c *sclient) requestMeshUpdate() { var localClient tailscale.LocalClient +// isMeshPeer reports whether the client is a trusted mesh peer +// node in the DERP region. +func (s *Server) isMeshPeer(info *clientInfo) bool { + return info != nil && info.MeshKey != "" && info.MeshKey == s.meshKey +} + // verifyClient checks whether the client is allowed to connect to the derper, // depending on how & whether the server's been configured to verify. func (s *Server) verifyClient(ctx context.Context, clientKey key.NodePublic, info *clientInfo, clientIP netip.Addr) error { + if s.isMeshPeer(info) { + // Trusted mesh peer. No need to verify further. In fact, verifying + // further wouldn't work: it's not part of the tailnet so tailscaled and + // likely the admission control URL wouldn't know about it. + return nil + } + // tailscaled-based verification: if s.verifyClientsLocalTailscaled { _, err := localClient.WhoIsNodeKey(ctx, clientKey)