coder
diff --git a/‎.vscode/settings.json
Lines changed: 2 additions & 0 deletions b/‎.vscode/settings.json
Lines changed: 2 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 27 additions & 9 deletions b/‎agent/agent.go
Lines changed: 27 additions & 9 deletions
diff --git a/‎agent/conn.go
Lines changed: 3 additions & 4 deletions b/‎agent/conn.go
Lines changed: 3 additions & 4 deletions
diff --git a/‎cli/root.go
Lines changed: 0 additions & 1 deletion b/‎cli/root.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 71 additions & 4 deletions b/‎cli/server.go
Lines changed: 71 additions & 4 deletions
diff --git a/‎cli/ssh.go
Lines changed: 26 additions & 75 deletions b/‎cli/ssh.go
Lines changed: 26 additions & 75 deletions
@@ -38,6 +38,7 @@
     "idtoken",
     "Iflag",
     "incpatch",
+    "ipnstate",
     "isatty",
     "Jobf",
     "Keygen",
@@ -52,6 +53,7 @@
     "namesgenerator",
     "namespacing",
     "netaddr",
+    "netip",
     "netmap",
     "netns",
     "netstack",
 
@@ -51,6 +51,15 @@ const (
 	MagicSessionErrorCode = 229
 )
 
+var (
+	// tailnetIP is a static IPv6 address with the Tailscale prefix that is used to route
+	// connections from clients to this node. A dynamic address is not required because a Tailnet
+	// client only dials a single agent at a time.
+	tailnetIP                  = netip.MustParseAddr("fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4")
+	tailnetSSHPort             = 1
+	tailnetReconnectingPTYPort = 2
+)
+
 type Options struct {
 	EnableTailnet     bool
 	CoordinatorDialer CoordinatorDialer
@@ -63,7 +72,6 @@ type Options struct {
 }
 
 type Metadata struct {
-	IPAddresses          []netip.Addr      `json:"ip_addresses"`
 	DERPMap              *tailcfg.DERPMap  `json:"derpmap"`
 	EnvironmentVariables map[string]string `json:"environment_variables"`
 	StartupScript        string            `json:"startup_script"`
@@ -163,18 +171,14 @@ func (a *agent) run(ctx context.Context) {
 
 	go a.runWebRTCNetworking(ctx)
 	if a.enableTailnet {
-		go a.runTailnet(ctx, metadata.IPAddresses, metadata.DERPMap)
+		go a.runTailnet(ctx, metadata.DERPMap)
 	}
 }
 
-func (a *agent) runTailnet(ctx context.Context, addresses []netip.Addr, derpMap *tailcfg.DERPMap) {
-	ipRanges := make([]netip.Prefix, 0, len(addresses))
-	for _, address := range addresses {
-		ipRanges = append(ipRanges, netip.PrefixFrom(address, 128))
-	}
+func (a *agent) runTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) {
 	var err error
 	a.network, err = tailnet.NewConn(&tailnet.Options{
-		Addresses: ipRanges,
+		Addresses: []netip.Prefix{netip.PrefixFrom(tailnetIP, 128)},
 		DERPMap:   derpMap,
 		Logger:    a.logger.Named("tailnet"),
 	})
@@ -184,7 +188,7 @@ func (a *agent) runTailnet(ctx context.Context, addresses []netip.Addr, derpMap
 	}
 	go a.runCoordinator(ctx)
 
-	sshListener, err := a.network.Listen("tcp", ":12212")
+	sshListener, err := a.network.Listen("tcp", ":"+strconv.Itoa(tailnetSSHPort))
 	if err != nil {
 		a.logger.Critical(ctx, "listen for ssh", slog.Error(err))
 		return
@@ -198,6 +202,20 @@ func (a *agent) runTailnet(ctx context.Context, addresses []netip.Addr, derpMap
 			go a.sshServer.HandleConn(conn)
 		}
 	}()
+	reconnectingPTYListener, err := a.network.Listen("tcp", ":"+strconv.Itoa(tailnetReconnectingPTYPort))
+	if err != nil {
+		a.logger.Critical(ctx, "listen for reconnecting pty", slog.Error(err))
+		return
+	}
+	go func() {
+		for {
+			conn, err := reconnectingPTYListener.Accept()
+			if err != nil {
+				return
+			}
+			go a.handleReconnectingPTY(ctx, "tailnet", conn)
+		}
+	}()
 }
 
 // runCoordinator listens for nodes and updates the self-node as it changes.
 
@@ -135,7 +135,6 @@ func (c *WebRTCConn) Close() error {
 }
 
 type TailnetConn struct {
-	Target netip.Addr
 	*tailnet.Conn
 }
 
@@ -152,11 +151,11 @@ func (c *TailnetConn) CloseWithError(err error) error {
 }
 
 func (c *TailnetConn) ReconnectingPTY(id string, height, width uint16, command string) (net.Conn, error) {
-	return nil, xerrors.New("not implemented")
+	return c.DialContextTCP(context.Background(), netip.AddrPortFrom(tailnetIP, uint16(tailnetReconnectingPTYPort)))
 }
 
 func (c *TailnetConn) SSH() (net.Conn, error) {
-	return c.DialContextTCP(context.Background(), netip.AddrPortFrom(c.Target, 12212))
+	return c.DialContextTCP(context.Background(), netip.AddrPortFrom(tailnetIP, uint16(tailnetSSHPort)))
 }
 
 // SSHClient calls SSH to create a client that uses a weak cipher
@@ -181,5 +180,5 @@ func (c *TailnetConn) SSHClient() (*ssh.Client, error) {
 func (c *TailnetConn) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
 	_, rawPort, _ := net.SplitHostPort(addr)
 	port, _ := strconv.Atoi(rawPort)
-	return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(c.Target, uint16(port)))
+	return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(tailnetIP, uint16(port)))
 }
@@ -133,7 +133,6 @@ func Root() *cobra.Command {
 		update(),
 		users(),
 		versionCmd(),
-		wireguardPortForward(),
 		workspaceAgent(),
 	)
 
 
@@ -41,6 +41,7 @@ import (
 	"golang.org/x/xerrors"
 	"google.golang.org/api/idtoken"
 	"google.golang.org/api/option"
+	"tailscale.com/tailcfg"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
@@ -94,6 +95,7 @@ func server() *cobra.Command {
 		oidcEmailDomain                  string
 		oidcIssuerURL                    string
 		oidcScopes                       []string
+		tailscaleEnable                  bool
 		telemetryEnable                  bool
 		telemetryURL                     string
 		tlsCertFile                      string
@@ -231,6 +233,17 @@ func server() *cobra.Command {
 			if err != nil {
 				return xerrors.Errorf("parse URL: %w", err)
 			}
+			accessURLPortRaw := accessURLParsed.Port()
+			if accessURLPortRaw == "" {
+				accessURLPortRaw = "80"
+				if accessURLParsed.Scheme == "https" {
+					accessURLPortRaw = "443"
+				}
+			}
+			accessURLPort, err := strconv.Atoi(accessURLPortRaw)
+			if err != nil {
+				return xerrors.Errorf("parse access URL port: %w", err)
+			}
 
 			// Warn the user if the access URL appears to be a loopback address.
 			isLocal, err := isLocalURL(ctx, accessURLParsed)
@@ -272,10 +285,61 @@ func server() *cobra.Command {
 				})
 			}
 			options := &coderd.Options{
-				AccessURL:            accessURLParsed,
-				ICEServers:           iceServers,
-				Logger:               logger.Named("coderd"),
-				Database:             databasefake.New(),
+				AccessURL:  accessURLParsed,
+				ICEServers: iceServers,
+				Logger:     logger.Named("coderd"),
+				Database:   databasefake.New(),
+				DERPMap: &tailcfg.DERPMap{
+					Regions: map[int]*tailcfg.DERPRegion{
+						1: {
+							RegionID:   1,
+							RegionCode: "coder",
+							RegionName: "Coder",
+							Nodes: []*tailcfg.DERPNode{{
+								Name:     "1a",
+								RegionID: 1,
+								STUNOnly: true,
+								HostName: "stun.l.google.com",
+								STUNPort: 19302,
+							}, {
+								Name:         "1b",
+								RegionID:     1,
+								HostName:     accessURLParsed.Hostname(),
+								DERPPort:     accessURLPort,
+								STUNPort:     -1,
+								HTTPForTests: accessURLParsed.Scheme == "http",
+							}},
+						},
+						2: {
+							RegionID:   2,
+							RegionCode: "nyc",
+							RegionName: "New York City",
+							Nodes: []*tailcfg.DERPNode{
+								{
+									Name:     "2c",
+									RegionID: 2,
+									HostName: "derp1c.tailscale.com",
+									IPv4:     "104.248.8.210",
+									IPv6:     "2604:a880:800:10::7a0:e001",
+								},
+							},
+						},
+						3: {
+							RegionID:   3,
+							RegionCode: "sin",
+							RegionName: "Singapore",
+							Nodes: []*tailcfg.DERPNode{
+								{
+									Name:     "3a",
+									RegionID: 3,
+									HostName: "derp3.tailscale.com",
+									IPv4:     "68.183.179.66",
+									IPv6:     "2400:6180:0:d1::67d:8001",
+								},
+							},
+						},
+					},
+				},
 				Pubsub:               database.NewPubsubInMemory(),
 				CacheDir:             cacheDir,
 				GoogleTokenValidator: googleTokenValidator,
@@ -710,6 +774,9 @@ func server() *cobra.Command {
 		"Specifies an issuer URL to use for OIDC.")
 	cliflag.StringArrayVarP(root.Flags(), &oidcScopes, "oidc-scopes", "", "CODER_OIDC_SCOPES", []string{oidc.ScopeOpenID, "profile", "email"},
 		"Specifies scopes to grant when authenticating with OIDC.")
+	cliflag.BoolVarP(root.Flags(), &tailscaleEnable, "tailscale", "", "CODER_TAILSCALE", false,
+		"Specifies whether Tailscale networking is used for web applications and terminals.")
+	_ = root.Flags().MarkHidden("tailscale")
 	enableTelemetryByDefault := !isTest()
 	cliflag.BoolVarP(root.Flags(), &telemetryEnable, "telemetry", "", "CODER_TELEMETRY", enableTelemetryByDefault, "Specifies whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.")
 	cliflag.StringVarP(root.Flags(), &telemetryURL, "telemetry-url", "", "CODER_TELEMETRY_URL", "https://telemetry.coder.com", "Specifies a URL to send telemetry to.")
 
@@ -19,15 +19,17 @@ import (
 	gosshagent "golang.org/x/crypto/ssh/agent"
 	"golang.org/x/term"
 	"golang.org/x/xerrors"
-	tslogger "tailscale.com/types/logger"
 
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+
+	"github.com/coder/coder/agent"
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/autobuild/notify"
 	"github.com/coder/coder/coderd/util/ptr"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/cryptorand"
-	"github.com/coder/coder/peer/peerwg"
 )
 
 var workspacePollInterval = time.Minute
@@ -85,86 +87,35 @@ func ssh() *cobra.Command {
 				return xerrors.Errorf("await agent: %w", err)
 			}
 
-			var newSSHClient func() (*gossh.Client, error)
-
+			var conn agent.Conn
 			if !wireguard {
-				conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, nil)
-				if err != nil {
-					return err
-				}
-				defer conn.Close()
-
-				stopPolling := tryPollWorkspaceAutostop(ctx, client, workspace)
-				defer stopPolling()
+				conn, err = client.DialWorkspaceAgent(ctx, workspaceAgent.ID, nil)
+			} else {
+				conn, err = client.DialWorkspaceAgentTailnet(ctx, slog.Make(sloghuman.Sink(cmd.ErrOrStderr())).Leveled(slog.LevelDebug), workspaceAgent.ID)
+			}
+			if err != nil {
+				return err
+			}
+			defer conn.Close()
 
-				if stdio {
-					rawSSH, err := conn.SSH()
-					if err != nil {
-						return err
-					}
-					defer rawSSH.Close()
+			stopPolling := tryPollWorkspaceAutostop(ctx, client, workspace)
+			defer stopPolling()
 
-					go func() {
-						_, _ = io.Copy(cmd.OutOrStdout(), rawSSH)
-					}()
-					_, _ = io.Copy(rawSSH, cmd.InOrStdin())
-					return nil
+			if stdio {
+				rawSSH, err := conn.SSH()
+				if err != nil {
+					return err
 				}
+				defer rawSSH.Close()
 
-				newSSHClient = conn.SSHClient
-			} else {
-				// TODO: more granual control of Tailscale logging.
-				peerwg.Logf = tslogger.Discard //nolint
-
-				// ipv6 := peerwg.UUIDToNetaddr(uuid.New())
-				// wgn, err := peerwg.New(
-				// 	slog.Make(sloghuman.Sink(os.Stderr)),
-				// 	[]netip.Prefix{netip.PrefixFrom(ipv6, 128)},
-				// )
-				// if err != nil {
-				// 	return xerrors.Errorf("create wireguard network: %w", err)
-				// }
-
-				// err = client.PostWireguardPeer(cmd.Context(), workspace.ID, peerwg.Handshake{
-				// 	Recipient:      workspaceAgent.ID,
-				// 	NodePublicKey:  wgn.NodePrivateKey.Public(),
-				// 	DiscoPublicKey: wgn.DiscoPublicKey,
-				// 	IPv6:           ipv6,
-				// })
-				// if err != nil {
-				// 	return xerrors.Errorf("post wireguard peer: %w", err)
-				// }
-
-				// err = wgn.AddPeer(peerwg.Handshake{
-				// 	Recipient:      workspaceAgent.ID,
-				// 	DiscoPublicKey: workspaceAgent.DiscoPublicKey,
-				// 	NodePublicKey:  workspaceAgent.NodePublicKey,
-				// 	IPv6:           workspaceAgent.IPAddresses[0], // TODO: fix?
-				// })
-				// if err != nil {
-				// 	return xerrors.Errorf("add workspace agent as peer: %w", err)
-				// }
-
-				// if stdio {
-				// 	rawSSH, err := wgn.SSH(cmd.Context(), workspaceAgent.IPAddresses[0]) // TODO: fix?
-				// 	if err != nil {
-				// 		return err
-				// 	}
-				// 	defer rawSSH.Close()
-
-				// 	go func() {
-				// 		_, _ = io.Copy(cmd.OutOrStdout(), rawSSH)
-				// 	}()
-				// 	_, _ = io.Copy(rawSSH, cmd.InOrStdin())
-				// 	return nil
-				// }
-
-				// newSSHClient = func() (*gossh.Client, error) {
-				// 	return wgn.SSHClient(ctx, workspaceAgent.IPAddresses[0]) // TODO: fix?
-				// }
+				go func() {
+					_, _ = io.Copy(cmd.OutOrStdout(), rawSSH)
+				}()
+				_, _ = io.Copy(rawSSH, cmd.InOrStdin())
+				return nil
 			}
 
-			sshClient, err := newSSHClient()
+			sshClient, err := conn.SSHClient()
 			if err != nil {
 				return err
 			}
Original file line number	Diff line number	Diff line change
`@@ -135,7 +135,6 @@ func (c *WebRTCConn) Close() error {`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`type TailnetConn struct {`
`138`		`- Target netip.Addr`
`139`	`138`	`*tailnet.Conn`
`140`	`139`	`}`
`141`	`140`
`@@ -152,11 +151,11 @@ func (c *TailnetConn) CloseWithError(err error) error {`
`152`	`151`	`}`
`153`	`152`
`154`	`153`	`func (c *TailnetConn) ReconnectingPTY(id string, height, width uint16, command string) (net.Conn, error) {`
`155`		`- return nil, xerrors.New("not implemented")`
	`154`	`+ return c.DialContextTCP(context.Background(), netip.AddrPortFrom(tailnetIP, uint16(tailnetReconnectingPTYPort)))`
`156`	`155`	`}`
`157`	`156`
`158`	`157`	`func (c *TailnetConn) SSH() (net.Conn, error) {`
`159`		`- return c.DialContextTCP(context.Background(), netip.AddrPortFrom(c.Target, 12212))`
	`158`	`+ return c.DialContextTCP(context.Background(), netip.AddrPortFrom(tailnetIP, uint16(tailnetSSHPort)))`
`160`	`159`	`}`
`161`	`160`
`162`	`161`	`// SSHClient calls SSH to create a client that uses a weak cipher`
`@@ -181,5 +180,5 @@ func (c TailnetConn) SSHClient() (ssh.Client, error) {`
`181`	`180`	`func (c *TailnetConn) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {`
`182`	`181`	`_, rawPort, _ := net.SplitHostPort(addr)`
`183`	`182`	`port, _ := strconv.Atoi(rawPort)`
`184`		`- return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(c.Target, uint16(port)))`
	`183`	`+ return c.Conn.DialContextTCP(ctx, netip.AddrPortFrom(tailnetIP, uint16(port)))`
`185`	`184`	`}`
Original file line number	Diff line number	Diff line change
`@@ -133,7 +133,6 @@ func Root() *cobra.Command {`
`133`	`133`	`update(),`
`134`	`134`	`users(),`
`135`	`135`	`versionCmd(),`
`136`		`- wireguardPortForward(),`
`137`	`136`	`workspaceAgent(),`
`138`	`137`	`)`
`139`	`138`