301 lines
8.2 KiB
Go
301 lines
8.2 KiB
Go
// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Relaynode is the old Linux Tailscale daemon.
|
|
//
|
|
// Deprecated: this program will be soon deleted. The replacement is
|
|
// cmd/tailscaled.
|
|
package main // import "tailscale.com/cmd/relaynode"
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"log"
|
|
"net/http"
|
|
"net/http/pprof"
|
|
"os"
|
|
"os/signal"
|
|
"strings"
|
|
"syscall"
|
|
"time"
|
|
|
|
"github.com/apenwarr/fixconsole"
|
|
"github.com/google/go-cmp/cmp"
|
|
"github.com/klauspost/compress/zstd"
|
|
"github.com/pborman/getopt/v2"
|
|
"github.com/tailscale/wireguard-go/wgcfg"
|
|
"tailscale.com/atomicfile"
|
|
"tailscale.com/control/controlclient"
|
|
"tailscale.com/control/policy"
|
|
"tailscale.com/logpolicy"
|
|
"tailscale.com/version"
|
|
"tailscale.com/wgengine"
|
|
"tailscale.com/wgengine/filter"
|
|
"tailscale.com/wgengine/magicsock"
|
|
)
|
|
|
|
func main() {
|
|
err := fixconsole.FixConsoleIfNeeded()
|
|
if err != nil {
|
|
log.Printf("fixConsoleOutput: %v\n", err)
|
|
}
|
|
config := getopt.StringLong("config", 'f', "", "path to config file")
|
|
server := getopt.StringLong("server", 's', "https://login.tailscale.com", "URL to tailcontrol server")
|
|
listenport := getopt.Uint16Long("port", 'p', magicsock.DefaultPort, "WireGuard port (0=autoselect)")
|
|
tunname := getopt.StringLong("tun", 0, "wg0", "tunnel interface name")
|
|
alwaysrefresh := getopt.BoolLong("always-refresh", 0, "force key refresh at startup")
|
|
fake := getopt.BoolLong("fake", 0, "fake tunnel+routing instead of tuntap")
|
|
nuroutes := getopt.BoolLong("no-single-routes", 'N', "disallow (non-subnet) routes to single nodes")
|
|
rroutes := getopt.BoolLong("remote-routes", 'R', "allow routing subnets to remote nodes")
|
|
droutes := getopt.BoolLong("default-routes", 'D', "allow default route on remote node")
|
|
routes := getopt.StringLong("routes", 0, "", "list of IP ranges this node can relay")
|
|
aclfile := getopt.StringLong("acl-file", 0, "", "restrict traffic relaying according to json ACL file")
|
|
derp := getopt.BoolLong("derp", 0, "enable bypass via Detour Encrypted Routing Protocol (DERP)", "false")
|
|
debug := getopt.StringLong("debug", 0, "", "Address of debug server")
|
|
getopt.Parse()
|
|
if len(getopt.Args()) > 0 {
|
|
log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
|
|
}
|
|
uflags := controlclient.UFlagsHelper(!*nuroutes, *rroutes, *droutes)
|
|
if *config == "" {
|
|
log.Fatal("no --config file specified")
|
|
}
|
|
if *tunname == "" {
|
|
log.Printf("Warning: no --tun device specified; routing disabled.\n")
|
|
}
|
|
|
|
pol := logpolicy.New("tailnode.log.tailscale.io", *config)
|
|
|
|
logf := wgengine.RusagePrefixLog(log.Printf)
|
|
|
|
// The wgengine takes a wireguard configuration produced by the
|
|
// controlclient, and runs the actual tunnels and packets.
|
|
var e wgengine.Engine
|
|
if *fake {
|
|
e, err = wgengine.NewFakeUserspaceEngine(logf, *listenport, *derp)
|
|
} else {
|
|
e, err = wgengine.NewUserspaceEngine(logf, *tunname, *listenport, *derp)
|
|
}
|
|
if err != nil {
|
|
log.Fatalf("Error starting wireguard engine: %v\n", err)
|
|
}
|
|
|
|
e = wgengine.NewWatchdog(e)
|
|
var lastacljson string
|
|
var p *policy.Policy
|
|
|
|
if *aclfile == "" {
|
|
e.SetFilter(nil)
|
|
} else {
|
|
lastacljson = readOrFatal(*aclfile)
|
|
p = installFilterOrFatal(e, *aclfile, lastacljson, nil)
|
|
}
|
|
|
|
var lastNetMap *controlclient.NetworkMap
|
|
var lastUserMap map[string][]filter.IP
|
|
statusFunc := func(new controlclient.Status) {
|
|
if new.URL != "" {
|
|
fmt.Fprintf(os.Stderr, "To authenticate, visit:\n\n\t%s\n\n", new.URL)
|
|
return
|
|
}
|
|
if new.Err != "" {
|
|
log.Print(new.Err)
|
|
return
|
|
}
|
|
if new.Persist != nil {
|
|
if err := saveConfig(*config, *new.Persist); err != nil {
|
|
log.Println(err)
|
|
}
|
|
}
|
|
|
|
if m := new.NetMap; m != nil {
|
|
if lastNetMap != nil {
|
|
s1 := strings.Split(lastNetMap.Concise(), "\n")
|
|
s2 := strings.Split(new.NetMap.Concise(), "\n")
|
|
logf("netmap diff:\n%v\n", cmp.Diff(s1, s2))
|
|
}
|
|
lastNetMap = m
|
|
|
|
if m.Equal(&controlclient.NetworkMap{}) {
|
|
return
|
|
}
|
|
|
|
wgcfg, err := m.WGCfg(uflags, m.DNS)
|
|
if err != nil {
|
|
log.Fatalf("Error getting wg config: %v\n", err)
|
|
}
|
|
err = e.Reconfig(wgcfg, m.DNSDomains)
|
|
if err != nil {
|
|
log.Fatalf("Error reconfiguring engine: %v\n", err)
|
|
}
|
|
lastUserMap = m.UserMap()
|
|
if p != nil {
|
|
matches, err := p.Expand(lastUserMap)
|
|
if err != nil {
|
|
log.Fatalf("Error expanding ACLs: %v\n", err)
|
|
}
|
|
e.SetFilter(filter.New(matches))
|
|
}
|
|
}
|
|
}
|
|
|
|
cfg, err := loadConfig(*config)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
hi := controlclient.NewHostinfo()
|
|
hi.FrontendLogID = pol.PublicID.String()
|
|
hi.BackendLogID = pol.PublicID.String()
|
|
if *routes != "" {
|
|
for _, routeStr := range strings.Split(*routes, ",") {
|
|
cidr, err := wgcfg.ParseCIDR(routeStr)
|
|
if err != nil {
|
|
log.Fatalf("--routes: not an IP range: %s", routeStr)
|
|
}
|
|
hi.RoutableIPs = append(hi.RoutableIPs, *cidr)
|
|
}
|
|
}
|
|
|
|
c, err := controlclient.New(controlclient.Options{
|
|
Persist: cfg,
|
|
ServerURL: *server,
|
|
Hostinfo: &hi,
|
|
NewDecompressor: func() (controlclient.Decompressor, error) {
|
|
return zstd.NewReader(nil)
|
|
},
|
|
KeepAlive: true,
|
|
})
|
|
c.SetStatusFunc(statusFunc)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
lf := controlclient.LoginDefault
|
|
if *alwaysrefresh {
|
|
lf |= controlclient.LoginInteractive
|
|
}
|
|
c.Login(nil, lf)
|
|
|
|
// Print the wireguard status when we get an update.
|
|
e.SetStatusCallback(func(s *wgengine.Status, err error) {
|
|
if err != nil {
|
|
log.Fatalf("Wireguard engine status error: %v\n", err)
|
|
}
|
|
var ss []string
|
|
for _, p := range s.Peers {
|
|
if p.LastHandshake.IsZero() {
|
|
ss = append(ss, "x")
|
|
} else {
|
|
ss = append(ss, fmt.Sprintf("%d/%d", p.RxBytes, p.TxBytes))
|
|
}
|
|
}
|
|
logf("v%v peers: %v\n", version.LONG, strings.Join(ss, " "))
|
|
c.UpdateEndpoints(0, s.LocalAddrs)
|
|
})
|
|
|
|
if *debug != "" {
|
|
go runDebugServer(*debug)
|
|
}
|
|
|
|
sigCh := make(chan os.Signal, 1)
|
|
signal.Notify(sigCh, os.Interrupt)
|
|
signal.Notify(sigCh, syscall.SIGTERM)
|
|
|
|
t := time.NewTicker(5 * time.Second)
|
|
loop:
|
|
for {
|
|
select {
|
|
case <-t.C:
|
|
// For the sake of curiosity, request a status
|
|
// update periodically.
|
|
e.RequestStatus()
|
|
|
|
// check if aclfile has changed.
|
|
// TODO(apenwarr): use fsnotify instead of polling?
|
|
if *aclfile != "" {
|
|
json := readOrFatal(*aclfile)
|
|
if json != lastacljson {
|
|
logf("ACL file (%v) changed. Reloading filter.\n", *aclfile)
|
|
lastacljson = json
|
|
p = installFilterOrFatal(e, *aclfile, json, lastUserMap)
|
|
}
|
|
}
|
|
case <-sigCh:
|
|
logf("signal received, exiting")
|
|
t.Stop()
|
|
break loop
|
|
}
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
|
|
defer cancel()
|
|
|
|
e.Close()
|
|
pol.Shutdown(ctx)
|
|
}
|
|
|
|
func loadConfig(path string) (cfg controlclient.Persist, err error) {
|
|
b, err := ioutil.ReadFile(path)
|
|
if os.IsNotExist(err) {
|
|
log.Printf("config %s does not exist", path)
|
|
return controlclient.Persist{}, nil
|
|
}
|
|
if err := json.Unmarshal(b, &cfg); err != nil {
|
|
return controlclient.Persist{}, fmt.Errorf("load config: %v", err)
|
|
}
|
|
return cfg, nil
|
|
}
|
|
|
|
func saveConfig(path string, cfg controlclient.Persist) error {
|
|
b, err := json.MarshalIndent(cfg, "", "\t")
|
|
if err != nil {
|
|
return fmt.Errorf("save config: %v", err)
|
|
}
|
|
if err := atomicfile.WriteFile(path, b, 0666); err != nil {
|
|
return fmt.Errorf("save config: %v", err)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func readOrFatal(filename string) string {
|
|
b, err := ioutil.ReadFile(filename)
|
|
if err != nil {
|
|
log.Fatalf("%v: ReadFile: %v\n", filename, err)
|
|
}
|
|
return string(b)
|
|
}
|
|
|
|
func installFilterOrFatal(e wgengine.Engine, filename, acljson string, usermap map[string][]filter.IP) *policy.Policy {
|
|
p, err := policy.Parse(acljson)
|
|
if err != nil {
|
|
log.Fatalf("%v: json filter: %v\n", filename, err)
|
|
}
|
|
|
|
matches, err := p.Expand(usermap)
|
|
if err != nil {
|
|
log.Fatalf("%v: json filter: %v\n", filename, err)
|
|
}
|
|
|
|
e.SetFilter(filter.New(matches))
|
|
return p
|
|
}
|
|
|
|
func runDebugServer(addr string) {
|
|
mux := http.NewServeMux()
|
|
mux.HandleFunc("/debug/pprof/", pprof.Index)
|
|
mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
|
|
mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
|
|
mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
|
|
mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
|
|
srv := http.Server{
|
|
Addr: addr,
|
|
Handler: mux,
|
|
}
|
|
if err := srv.ListenAndServe(); err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
}
|