From 959ce90623e004f8fed962f870882b3c067d0f19 Mon Sep 17 00:00:00 2001
From: Andrew Dunham
Date: Fri, 19 Apr 2024 15:35:34 -0400
Subject: [PATCH] wgengine/wgcfg/nmcfg: skip expired peers
Updates tailscale/corp#19315
Signed-off-by: Andrew Dunham
Change-Id: I1ad0c8796efe3dd456280e51efaf81f6d2049772
---
 wgengine/wgcfg/nmcfg/nmcfg.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/wgengine/wgcfg/nmcfg/nmcfg.go b/wgengine/wgcfg/nmcfg/nmcfg.go
index 229512d4c..d4cb8b042 100644
--- a/wgengine/wgcfg/nmcfg/nmcfg.go
+++ b/wgengine/wgcfg/nmcfg/nmcfg.go
@@ -91,6 +91,14 @@ func WGCfg(nm *netmap.NetworkMap, logf logger.Logf, flags netmap.WGConfigFlags,
 logf("[v1] wgcfg: skipped peer %s, doesn't offer DERP or disco", peer.Key().ShortString())
 continue
 }
+ // Skip expired peers; we'll end up failing to connect to them
+ // anyway, since control intentionally breaks node keys for
+ // expired peers so that we can't discover endpoints via DERP.
+ if peer.Expired() {
+ logf("[v1] wgcfg: skipped expired peer %s", peer.Key().ShortString())
+ continue
+ }
+
 cfg.Peers = append(cfg.Peers, wgcfg.Peer{
 PublicKey: peer.Key(),
 DiscoKey: peer.DiscoKey(),
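Review bot: The expiry skip at `if peer.Expired()` lands without a test (the diffstat shows only nmcfg.go changing), so a later refactor of this loop could silently put expired peers back into `cfg.Peers`. A test case that builds a netmap with one expired and one live peer and asserts that only the live peer's key appears in the returned config would pin the behaviour. The comment block frames the skip purely as avoiding connections that would fail anyway; since it also keeps an expired node's public key out of the WireGuard peer list, I would add a line such as `// This also keeps an expired node key from being installed as a WireGuard peer.` The check runs only when WGCfg is called, so presumably a peer that expires between calls stays configured until the next rebuild; it is worth confirming that the caller re-runs WGCfg when a peer's expiry state changes. WGCfg's body starts and ends outside the hunk.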