Only clients initiate wireguard handshakes

spikecurtis · spikecurtis · commit 07df3abae938 · 2023-07-14T13:00:43.000Z
Signed-off-by: Spike Curtis &lt;spike@coder.com&gt;
diff --git a/agent/agent.go b/agent/agent.go
@@ -702,7 +702,7 @@ func (a *agent) trackConnGoroutine(fn func()) error {
 }
 
 func (a *agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap *tailcfg.DERPMap, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
-	network, err := tailnet.NewConn(&tailnet.Options{
+	network, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 		Addresses:      a.wireguardAddresses(agentID),
 		DERPMap:        derpMap,
 		Logger:         a.logger.Named("tailnet"),
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -1914,7 +1914,7 @@ func setupAgent(t *testing.T, metadata agentsdk.Manifest, ptyTimeout time.Durati
 	t.Cleanup(func() {
 		_ = closer.Close()
 	})
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPMap:   metadata.DERPMap,
 		Logger:    logger.Named("client"),
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -65,15 +65,18 @@ func TestDERP(t *testing.T) {
 			},
 		},
 	}
+	// it's a bit arbitrary which is the client and which is the agent,
+	// but, we need one of each because the client initiates the wireguard
+	// connection.
 	w1IP := tailnet.IP()
-	w1, err := tailnet.NewConn(&tailnet.Options{
+	w1, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(w1IP, 128)},
 		Logger:    logger.Named("w1"),
 		DERPMap:   derpMap,
 	})
 	require.NoError(t, err)
 
-	w2, err := tailnet.NewConn(&tailnet.Options{
+	w2, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		Logger:    logger.Named("w2"),
 		DERPMap:   derpMap,
diff --git a/coderd/tailnet.go b/coderd/tailnet.go
@@ -45,7 +45,7 @@ func NewServerTailnet(
 	cache *wsconncache.Cache,
 ) (*ServerTailnet, error) {
 	logger = logger.Named("servertailnet")
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPMap:   derpMap,
 		Logger:    logger,
diff --git a/coderd/tailnet_test.go b/coderd/tailnet_test.go
@@ -160,7 +160,7 @@ func setupAgent(t *testing.T, agentAddresses []netip.Prefix) (uuid.UUID, agent.A
 	}, testutil.WaitShort, testutil.IntervalFast)
 
 	cache := wsconncache.New(func(id uuid.UUID) (*codersdk.WorkspaceAgentConn, error) {
-		conn, err := tailnet.NewConn(&tailnet.Options{
+		conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 			Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 			DERPMap:   manifest.DERPMap,
 			Logger:    logger.Named("client"),
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -734,7 +734,7 @@ func (api *API) workspaceAgentListeningPorts(rw http.ResponseWriter, r *http.Req
 // See: https://github.com/coder/coder/issues/8218
 func (api *API) _dialWorkspaceAgentTailnet(agentID uuid.UUID) (*codersdk.WorkspaceAgentConn, error) {
 	clientConn, serverConn := net.Pipe()
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses:      []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPMap:        api.DERPMap,
 		Logger:         api.Logger.Named("tailnet"),
diff --git a/coderd/wsconncache/wsconncache_test.go b/coderd/wsconncache/wsconncache_test.go
@@ -178,7 +178,7 @@ func setupAgent(t *testing.T, manifest agentsdk.Manifest, ptyTimeout time.Durati
 	t.Cleanup(func() {
 		_ = closer.Close()
 	})
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPMap:   manifest.DERPMap,
 		Logger:    slogtest.Make(t, nil).Named("tailnet").Leveled(slog.LevelDebug),
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -246,7 +246,7 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 	if ok {
 		header = headerTransport.Header()
 	}
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 		Addresses:      []netip.Prefix{netip.PrefixFrom(ip, 128)},
 		DERPMap:        connInfo.DERPMap,
 		DERPHeader:     &header,
diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -74,6 +74,17 @@ func init() {
 	envknob.Setenv("TS_DEBUG_TRIM_WIREGUARD", "false")
 }
 
+// ConnType identifies the type of tailnet connection.  This determines whether the connection actively establishes
+// the wireguard handshake (client) or passively waits for a handshake (agent).  The reason this matters is that if they
+// both initiate the handshake, the handshakes can cross in the network, and they have to try again with a backoff,
+// which can add significant time to establish the connection
+type ConnType int
+
+const (
+	ConnTypeClient ConnType = iota
+	ConnTypeAgent
+)
+
 type Options struct {
 	Addresses  []netip.Prefix
 	DERPMap    *tailcfg.DERPMap
@@ -87,7 +98,7 @@ type Options struct {
 }
 
 // NewConn constructs a new Wireguard server that will accept connections from the addresses provided.
-func NewConn(options *Options) (conn *Conn, err error) {
+func NewConn(connType ConnType, options *Options) (conn *Conn, err error) {
 	if options == nil {
 		options = &Options{}
 	}
@@ -238,6 +249,7 @@ func NewConn(options *Options) (conn *Conn, err error) {
 
 	dialContext, dialCancel := context.WithCancel(context.Background())
 	server := &Conn{
+		connType:                 connType,
 		blockEndpoints:           options.BlockEndpoints,
 		dialContext:              dialContext,
 		dialCancel:               dialCancel,
@@ -346,6 +358,7 @@ func IPFromUUID(uid uuid.UUID) netip.Addr {
 
 // Conn is an actively listening Wireguard connection.
 type Conn struct {
+	connType       ConnType
 	dialContext    context.Context
 	dialCancel     context.CancelFunc
 	mutex          sync.Mutex
@@ -483,7 +496,7 @@ func (c *Conn) UpdateNodes(nodes []*Node, replacePeers bool) error {
 			Endpoints:  node.Endpoints,
 			DERP:       fmt.Sprintf("%s:%d", tailcfg.DerpMagicIP, node.PreferredDERP),
 			Hostinfo:   hostinfo.New().View(),
-			KeepAlive:  true,
+			KeepAlive:  c.connType == ConnTypeClient,
 		}
 		if c.blockEndpoints {
 			peerNode.Endpoints = nil
diff --git a/tailnet/conn_test.go b/tailnet/conn_test.go
@@ -26,7 +26,7 @@ func TestTailnet(t *testing.T) {
 	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
 	t.Run("InstantClose", func(t *testing.T) {
 		t.Parallel()
-		conn, err := tailnet.NewConn(&tailnet.Options{
+		conn, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 			Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 			Logger:    logger.Named("w1"),
 			DERPMap:   derpMap,
@@ -39,15 +39,16 @@ func TestTailnet(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
+		// we make w1 the agent and w2 the client because we call AwaitReachable() from w2
 		w1IP := tailnet.IP()
-		w1, err := tailnet.NewConn(&tailnet.Options{
+		w1, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 			Addresses: []netip.Prefix{netip.PrefixFrom(w1IP, 128)},
 			Logger:    logger.Named("w1"),
 			DERPMap:   derpMap,
 		})
 		require.NoError(t, err)
 
-		w2, err := tailnet.NewConn(&tailnet.Options{
+		w2, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 			Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 			Logger:    logger.Named("w2"),
 			DERPMap:   derpMap,
@@ -107,15 +108,15 @@ func TestTailnet(t *testing.T) {
 
 		w1IP := tailnet.IP()
 		derpMap := tailnettest.RunDERPOnlyWebSockets(t)
-		w1, err := tailnet.NewConn(&tailnet.Options{
+		w1, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 			Addresses:      []netip.Prefix{netip.PrefixFrom(w1IP, 128)},
 			Logger:         logger.Named("w1"),
 			DERPMap:        derpMap,
 			BlockEndpoints: true,
 		})
 		require.NoError(t, err)
 
-		w2, err := tailnet.NewConn(&tailnet.Options{
+		w2, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{
 			Addresses:      []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 			Logger:         logger.Named("w2"),
 			DERPMap:        derpMap,
@@ -177,7 +178,7 @@ func TestConn_PreferredDERP(t *testing.T) {
 	defer cancel()
 	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
 	derpMap, _ := tailnettest.RunDERPAndSTUN(t)
-	conn, err := tailnet.NewConn(&tailnet.Options{
+	conn, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		Logger:    logger.Named("w1"),
 		DERPMap:   derpMap,

Original file line number	Diff line number	Diff line change
`@@ -702,7 +702,7 @@ func (a *agent) trackConnGoroutine(fn func()) error {`
`702`	`702`	`}`
`703`	`703`
`704`	`704`	`func (a agent) createTailnet(ctx context.Context, agentID uuid.UUID, derpMap tailcfg.DERPMap, disableDirectConnections bool) (_ *tailnet.Conn, err error) {`
`705`		`- network, err := tailnet.NewConn(&tailnet.Options{`
	`705`	`+ network, err := tailnet.NewConn(tailnet.ConnTypeAgent, &tailnet.Options{`
`706`	`706`	`Addresses: a.wireguardAddresses(agentID),`
`707`	`707`	`DERPMap: derpMap,`
`708`	`708`	`Logger: a.logger.Named("tailnet"),`
Original file line number	Diff line number	Diff line change
`@@ -246,7 +246,7 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti`
`246`	`246`	`if ok {`
`247`	`247`	`header = headerTransport.Header()`
`248`	`248`	`}`
`249`		`- conn, err := tailnet.NewConn(&tailnet.Options{`
	`249`	`+ conn, err := tailnet.NewConn(tailnet.ConnTypeClient, &tailnet.Options{`
`250`	`250`	`Addresses: []netip.Prefix{netip.PrefixFrom(ip, 128)},`
`251`	`251`	`DERPMap: connInfo.DERPMap,`
`252`	`252`	`DERPHeader: &header,`