fix: never use STUN latency for DERP region netcheck (#29)

deansheather · deansheather · commit 3292f1f3c9c1 · 2023-07-31T10:53:34.000Z
Changes the STUN probe to still run as usual, but avoid storing the
latency in the region report. This was causing Google STUN to
artificially make the default region have an extremely low latency.

Also fixes HTTPS latency check to work on ForceHTTP nodes.
diff --git a/derp/derphttp/derphttp_client.go b/derp/derphttp/derphttp_client.go
@@ -399,7 +399,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		tcpConn, err = c.dialURL(ctx)
 	default:
 		c.logf("%s: connecting to derp-%d (%v)", caller, reg.RegionID, reg.RegionCode)
-		tcpConn, node, err = c.dialRegion(ctx, reg)
+		tcpConn, node, err = c.DialRegion(ctx, reg)
 	}
 	if err != nil {
 		return nil, 0, err
@@ -612,10 +612,10 @@ func (c *Client) dialURL(ctx context.Context) (net.Conn, error) {
 	return tcpConn, nil
 }
 
-// dialRegion returns a TCP connection to the provided region, trying
+// DialRegion returns a TCP connection to the provided region, trying
 // each node in order (with dialNode) until one connects or ctx is
 // done.
-func (c *Client) dialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.Conn, *tailcfg.DERPNode, error) {
+func (c *Client) DialRegion(ctx context.Context, reg *tailcfg.DERPRegion) (net.Conn, *tailcfg.DERPNode, error) {
 	if len(reg.Nodes) == 0 {
 		return nil, nil, fmt.Errorf("no nodes for %s", c.targetString(reg))
 	}
@@ -663,7 +663,7 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 // in the DERP map. TLS is initiated on the first node where a socket is
 // established.
 func (c *Client) DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (tlsConn *tls.Conn, connClose io.Closer, node *tailcfg.DERPNode, err error) {
-	tcpConn, node, err := c.dialRegion(ctx, reg)
+	tcpConn, node, err := c.DialRegion(ctx, reg)
 	if err != nil {
 		return nil, nil, nil, err
 	}
diff --git a/net/netcheck/netcheck.go b/net/netcheck/netcheck.go
@@ -7,7 +7,7 @@ package netcheck
 import (
 	"bufio"
 	"context"
-	"crypto/tls"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -678,7 +678,9 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netip.AddrPort
 	ret := rs.report
 
 	ret.UDP = true
-	updateLatency(ret.RegionLatency, node.RegionID, d)
+
+	// Coder: don't actually store the latency.
+	//updateLatency(ret.RegionLatency, node.RegionID, d)
 
 	// Once we've heard from enough regions (3), start a timer to
 	// give up on the other ones. The timer's duration is a
@@ -696,13 +698,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netip.AddrPort
 
 	switch {
 	case ipp.Addr().Is6():
-		updateLatency(ret.RegionV6Latency, node.RegionID, d)
+		//updateLatency(ret.RegionV6Latency, node.RegionID, d)
 		ret.IPv6 = true
 		ret.GlobalV6 = ipPortStr
 		// TODO: track MappingVariesByDestIP for IPv6
 		// too? Would be sad if so, but who knows.
 	case ipp.Addr().Is4():
-		updateLatency(ret.RegionV4Latency, node.RegionID, d)
+		//updateLatency(ret.RegionV4Latency, node.RegionID, d)
 		ret.IPv4 = true
 		if rs.gotEP4 == "" {
 			rs.gotEP4 = ipPortStr
@@ -1016,7 +1018,9 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 	// Try HTTPS and ICMP latency check if all STUN probes failed due to
 	// UDP presumably being blocked.
 	// TODO: this should be moved into the probePlan, using probeProto probeHTTPS.
-	if !rs.anyUDP() && ctx.Err() == nil {
+	// Coder: always run this because we don't store STUN latency in the report.
+	//if !rs.anyUDP() && ctx.Err() == nil {
+	if ctx.Err() == nil {
 		var wg sync.WaitGroup
 		var need []*tailcfg.DERPRegion
 		for rid, reg := range dm.Regions {
@@ -1039,13 +1043,14 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 			}()
 
 			wg.Add(len(need))
-			c.logf("netcheck: UDP is blocked, trying HTTPS")
+			// Coder: this is misleading because we always log it.
+			//c.logf("netcheck: UDP is blocked, trying HTTPS")
 		}
 		for _, reg := range need {
 			go func(reg *tailcfg.DERPRegion) {
 				defer wg.Done()
-				if d, ip, err := c.measureHTTPSLatency(ctx, reg); err != nil {
-					c.logf("[v1] netcheck: measuring HTTPS latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
+				if d, ip, err := c.measureHTTPLatency(ctx, reg); err != nil {
+					c.logf("[v1] netcheck: measuring HTTP(S) latency of %v (%d): %v", reg.RegionCode, reg.RegionID, err)
 				} else {
 					rs.mu.Lock()
 					if l, ok := rs.report.RegionLatency[reg.RegionID]; !ok {
@@ -1216,7 +1221,9 @@ func (c *Client) runHTTPOnlyChecks(ctx context.Context, last *Report, rs *report
 	return nil
 }
 
-func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegion) (time.Duration, netip.Addr, error) {
+// measureHTTPLatency measures the latency to the given DERP region over HTTP
+// or HTTPS.
+func (c *Client) measureHTTPLatency(ctx context.Context, reg *tailcfg.DERPRegion) (time.Duration, netip.Addr, error) {
 	metricHTTPSend.Add(1)
 	var result httpstat.Result
 	ctx, cancel := context.WithTimeout(httpstat.WithHTTPStat(ctx, &result), overallProbeTimeout)
@@ -1227,28 +1234,60 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	dc := derphttp.NewNetcheckClient(c.logf)
 	defer dc.Close()
 
-	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
+	var hasForceHTTPNode = false
+	for _, node := range reg.Nodes {
+		if node.STUNOnly {
+			continue
+		}
+		if node.ForceHTTP {
+			hasForceHTTPNode = true
+			break
+		}
+	}
+
+	var (
+		conn   net.Conn
+		closer io.Closer
+		node   *tailcfg.DERPNode
+		err    error
+	)
+	if hasForceHTTPNode {
+		conn, node, err = dc.DialRegion(ctx, reg)
+		closer = conn
+	} else {
+		conn, closer, node, err = dc.DialRegionTLS(ctx, reg)
+	}
 	if err != nil {
 		return 0, ip, err
 	}
-	defer tcpConn.Close()
-
-	if ta, ok := tlsConn.RemoteAddr().(*net.TCPAddr); ok {
+	defer closer.Close()
+	if ta, ok := conn.RemoteAddr().(*net.TCPAddr); ok {
 		ip, _ = netip.AddrFromSlice(ta.IP)
 		ip = ip.Unmap()
 	}
 	if ip == (netip.Addr{}) {
-		return 0, ip, fmt.Errorf("no unexpected RemoteAddr %#v", tlsConn.RemoteAddr())
+		return 0, ip, fmt.Errorf("no unexpected RemoteAddr %#v", conn.RemoteAddr())
 	}
 
-	connc := make(chan *tls.Conn, 1)
-	connc <- tlsConn
+	connc := make(chan net.Conn, 1)
+	connc <- conn
 
 	tr := &http.Transport{
 		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
-			return nil, errors.New("unexpected DialContext dial")
+			if !hasForceHTTPNode {
+				return nil, errors.New("unexpected DialContext dial")
+			}
+			select {
+			case nc := <-connc:
+				return nc, nil
+			default:
+				return nil, errors.New("only one conn expected")
+			}
 		},
 		DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			if hasForceHTTPNode {
+				return nil, errors.New("unexpected DialTLSContext dial")
+			}
 			select {
 			case nc := <-connc:
 				return nc, nil
@@ -1530,6 +1569,12 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe
 		return
 	}
 
+	// Coder: The address below won't be valid if the node doesn't have a
+	// STUNPort.
+	if node.STUNPort < 1 {
+		return
+	}
+
 	addr := c.nodeAddr(ctx, node, probe.proto)
 	if !addr.IsValid() {
 		return
@@ -1542,7 +1587,16 @@ func (rs *reportState) runProbe(ctx context.Context, dm *tailcfg.DERPMap, probe
 
 	rs.mu.Lock()
 	rs.inFlight[txID] = func(ipp netip.AddrPort) {
+		// Coder: we don't want to store the latency of STUN netchecks because
+		// Coder doesn't contain a built-in STUN server and customers often use
+		// Google STUN which has extremely low latency everywhere on the planet.
+		// This means that latency checks to any regions containing the Google
+		// STUN server will always muddy that region's latency results.
+		//
+		// rs.addNodeLatency has been updated to not store latency but will
+		// still set the approapriate values in the report.
 		rs.addNodeLatency(node, ipp, time.Since(sent))
+		c.logf("netcheck.runProbe: got STUN response for %s from %s (%s) in %s", node.Name, ipp.String(), hex.EncodeToString(txID[:]), time.Since(sent).String())
 		cancelSet() // abort other nodes in this set
 	}
 	rs.mu.Unlock()
