diff --git a/cli/server.go b/cli/server.go
index e7fad1ea45d7b..a3b19b88e5788 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -390,6 +390,19 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
if !cfg.DERP.Server.Enable {
defaultRegion = nil
}
+
+ // HACK: see https://github.com/coder/coder/issues/6791.
+ for _, addr := range cfg.DERP.Server.STUNAddresses {
+ if addr != "disable" {
+ continue
+ }
+ err := cfg.DERP.Server.STUNAddresses.Replace(nil)
+ if err != nil {
+ panic(err)
+ }
+ break
+ }
+
derpMap, err := tailnet.NewDERPMap(
ctx, defaultRegion, cfg.DERP.Server.STUNAddresses,
cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(),
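Review bot: In the added loop, a single "disable" entry anywhere in the list clears every configured STUN address, so a value such as `disable,stun.example.com:3478` silently drops the operator's own servers with no error or log line. The match is also exact and case-sensitive, so "Disable" or a padded " disable" would be passed to `tailnet.NewDERPMap` as if it were a STUN host. Operators who turn STUN off to stop outbound traffic to the default third-party server need a misconfiguration to fail loudly, so I would reject the sentinel when it is mixed with other entries. The `panic(err)` should also become a returned error, assuming this code sits in the handler that returns `error` as the following `derpMap, err :=` suggests; use whichever error wrapper the file already uses. The enclosing function starts and ends outside this hunk.

```go
// HACK: see https://github.com/coder/coder/issues/6791.
for _, addr := range cfg.DERP.Server.STUNAddresses {
	if addr != "disable" {
		continue
	}
	// "disable" is a sentinel, not an address: refuse to drop other entries silently.
	if len(cfg.DERP.Server.STUNAddresses) > 1 {
		return fmt.Errorf("STUN addresses: %q cannot be combined with other values", addr)
	}
	if err := cfg.DERP.Server.STUNAddresses.Replace(nil); err != nil {
		return fmt.Errorf("clear STUN addresses: %w", err)
	}
	break
}
// … unchanged: tailnet.NewDERPMap call …
```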
diff --git a/cli/server_test.go b/cli/server_test.go
index 1cece2995cd24..dca1b3322c642 100644
--- a/cli/server_test.go
+++ b/cli/server_test.go
@@ -1491,6 +1491,31 @@ func TestServer(t *testing.T) {
w.RequireSuccess()
})
})
+ t.Run("DisableDERP", func(t *testing.T) {
+ t.Parallel()
+
+ // Make sure that $CODER_DERP_SERVER_STUN_ADDRESSES can be set to
+ // disable STUN.
+
+ inv, cfg := clitest.New(t,
+ "server",
+ "--in-memory",
+ "--http-address", ":0",
+ "--access-url", "https://example.com",
+ )
+ inv.Environ.Set("CODER_DERP_SERVER_STUN_ADDRESSES", "disable")
+ ptytest.New(t).Attach(inv)
+ clitest.Start(t, inv)
+ gotURL := waitAccessURL(t, cfg)
+ client := codersdk.New(gotURL)
+
+ ctx := testutil.Context(t, testutil.WaitMedium)
+ _ = coderdtest.CreateFirstUser(t, client)
+ gotConfig, err := client.DeploymentConfig(ctx)
+ require.NoError(t, err)
+
+ require.Len(t, gotConfig.Values.DERP.Server.STUNAddresses, 0)
+ })
}
func generateTLSCertificate(t testing.TB, commonName ...string) (certPath, keyPath string) {
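Review bot: The new subtest is named "DisableDERP", but its comment and its only assertion are about turning STUN off, so a failure report would point at the wrong feature; `t.Run("DisableSTUN", func(t *testing.T) {` matches what is checked. The assertion covers only the reported deployment config (`STUNAddresses` has length 0). As far as this hunk shows, nothing checks that the DERP map built from that config contains no STUN nodes, which is the property an operator relies on. A second subtest for a mixed value such as "disable" plus a real address would pin down the intended behaviour for that case. The body of `TestServer` begins outside this hunk.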
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
index 446539df00d4c..6e3de2eabfae5 100644
--- a/cli/testdata/coder_server_--help.golden
+++ b/cli/testdata/coder_server_--help.golden
@@ -168,8 +168,8 @@ backed by Tailscale and WireGuard.
Region name that for the embedded DERP server.
--derp-server-stun-addresses string-array, $CODER_DERP_SERVER_STUN_ADDRESSES (default: stun.l.google.com:19302)
- Addresses for STUN servers to establish P2P connections. Set empty to
- disable P2P connections.
+ Addresses for STUN servers to establish P2P connections. Use special
+ value 'disable' to turn off STUN.
[1mNetworking / HTTP Options[0m
--disable-password-auth bool, $CODER_DISABLE_PASSWORD_AUTH
diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
index 99e22f3dcbd72..a05cdbfac60c6 100644
--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
@@ -105,8 +105,8 @@ networking:
# Region name that for the embedded DERP server.
# (default: Coder Embedded Relay, type: string)
regionName: Coder Embedded Relay
- # Addresses for STUN servers to establish P2P connections. Set empty to disable
- # P2P connections.
+ # Addresses for STUN servers to establish P2P connections. Use special value
+ # 'disable' to turn off STUN.
# (default: stun.l.google.com:19302, type: string-array)
stunAddresses:
- stun.l.google.com:19302
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
index dee95504e97eb..d4a61072f0f26 100644
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -666,7 +666,7 @@ when required by your organization's security policy.`,
},
{
Name: "DERP Server STUN Addresses",
- Description: "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.",
+ Description: "Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.",
Flag: "derp-server-stun-addresses",
Env: "CODER_DERP_SERVER_STUN_ADDRESSES",
Default: "stun.l.google.com:19302",
diff --git a/docs/cli/server.md b/docs/cli/server.md
index e9a382dc598dd..3cbcafe9bbc35 100644
--- a/docs/cli/server.md
+++ b/docs/cli/server.md
@@ -171,7 +171,7 @@ An HTTP URL that is accessible by other replicas to relay DERP traffic. Required
| YAML | networking.derp.stunAddresses
|
| Default | stun.l.google.com:19302
|
-Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.
+Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.
### --disable-owner-workspace-access