coder
diff --git a/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/security.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 9 additions & 7 deletions b/‎agent/agent.go
Lines changed: 9 additions & 7 deletions
diff --git a/‎cli/netcheck.go
Lines changed: 62 additions & 0 deletions b/‎cli/netcheck.go
Lines changed: 62 additions & 0 deletions
diff --git a/‎cli/netcheck_test.go
Lines changed: 38 additions & 0 deletions b/‎cli/netcheck_test.go
Lines changed: 38 additions & 0 deletions
diff --git a/‎cli/ping.go
Lines changed: 7 additions & 1 deletion b/‎cli/ping.go
Lines changed: 7 additions & 1 deletion
diff --git a/‎cli/portforward.go
Lines changed: 15 additions & 1 deletion b/‎cli/portforward.go
Lines changed: 15 additions & 1 deletion
diff --git a/‎cli/root.go
Lines changed: 21 additions & 10 deletions b/‎cli/root.go
Lines changed: 21 additions & 10 deletions
diff --git a/‎cli/server.go
Lines changed: 1 addition & 0 deletions b/‎cli/server.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/speedtest.go
Lines changed: 5 additions & 0 deletions b/‎cli/speedtest.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎cli/ssh.go
Lines changed: 5 additions & 1 deletion b/‎cli/ssh.go
Lines changed: 5 additions & 1 deletion
@@ -75,7 +75,7 @@ jobs:
 
       - name: Install sqlc
         run: |
-          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.17.2/sqlc_1.17.2_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.18.0/sqlc_1.18.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.30.6
       - name: Install mockgen
 
@@ -593,7 +593,7 @@ func (a *agent) run(ctx context.Context) error {
 	network := a.network
 	a.closeMutex.Unlock()
 	if network == nil {
-		network, err = a.createTailnet(ctx, manifest.DERPMap)
+		network, err = a.createTailnet(ctx, manifest.DERPMap, manifest.DisableDirectConnections)
 		if err != nil {
 			return xerrors.Errorf("create tailnet: %w", err)
 		}
@@ -611,8 +611,9 @@ func (a *agent) run(ctx context.Context) error {
 
 		a.startReportingConnectionStats(ctx)
 	} else {
-		// Update the DERP map!
+		// Update the DERP map and allow/disallow direct connections.
 		network.SetDERPMap(manifest.DERPMap)
+		network.SetBlockEndpoints(manifest.DisableDirectConnections)
 	}
 
 	a.logger.Debug(ctx, "running tailnet connection coordinator")
@@ -637,12 +638,13 @@ func (a *agent) trackConnGoroutine(fn func()) error {
 	return nil
 }
 
-func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (_ *tailnet.Conn, err error) {
+func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap, disableDirectConnections bool) (_ *tailnet.Conn, err error) {
 	network, err := tailnet.NewConn(&tailnet.Options{
-		Addresses:  []netip.Prefix{netip.PrefixFrom(codersdk.WorkspaceAgentIP, 128)},
-		DERPMap:    derpMap,
-		Logger:     a.logger.Named("tailnet"),
-		ListenPort: a.tailnetListenPort,
+		Addresses:      []netip.Prefix{netip.PrefixFrom(codersdk.WorkspaceAgentIP, 128)},
+		DERPMap:        derpMap,
+		Logger:         a.logger.Named("tailnet"),
+		ListenPort:     a.tailnetListenPort,
+		BlockEndpoints: disableDirectConnections,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
 
@@ -0,0 +1,62 @@
+package cli
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/clibase"
+	"github.com/coder/coder/coderd/healthcheck"
+	"github.com/coder/coder/codersdk"
+)
+
+func (r *RootCmd) netcheck() *clibase.Cmd {
+	client := new(codersdk.Client)
+
+	cmd := &clibase.Cmd{
+		Use:    "netcheck",
+		Short:  "Print network debug information for DERP and STUN",
+		Hidden: true,
+		Middleware: clibase.Chain(
+			r.InitClient(client),
+		),
+		Handler: func(inv *clibase.Invocation) error {
+			ctx, cancel := context.WithTimeout(inv.Context(), 30*time.Second)
+			defer cancel()
+
+			connInfo, err := client.WorkspaceAgentConnectionInfo(ctx)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprint(inv.Stderr, "Gathering a network report. This may take a few seconds...\n\n")
+
+			var report healthcheck.DERPReport
+			report.Run(ctx, &healthcheck.DERPReportOptions{
+				DERPMap: connInfo.DERPMap,
+			})
+
+			raw, err := json.MarshalIndent(report, "", "  ")
+			if err != nil {
+				return err
+			}
+
+			n, err := inv.Stdout.Write(raw)
+			if err != nil {
+				return err
+			}
+			if n != len(raw) {
+				return xerrors.Errorf("failed to write all bytes to stdout; wrote %d, len %d", n, len(raw))
+			}
+
+			_, _ = inv.Stdout.Write([]byte("\n"))
+			return nil
+		},
+	}
+
+	cmd.Options = clibase.OptionSet{}
+	return cmd
+}
@@ -0,0 +1,38 @@
+package cli_test
+
+import (
+	"bytes"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/healthcheck"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestNetcheck(t *testing.T) {
+	t.Parallel()
+
+	pty := ptytest.New(t)
+	config := login(t, pty)
+
+	var out bytes.Buffer
+	inv, _ := clitest.New(t, "netcheck", "--global-config", string(config))
+	inv.Stdout = &out
+
+	clitest.StartWithWaiter(t, inv).RequireSuccess()
+
+	b := out.Bytes()
+	t.Log(string(b))
+	var report healthcheck.DERPReport
+	require.NoError(t, json.Unmarshal(b, &report))
+
+	assert.True(t, report.Healthy)
+	require.Len(t, report.Regions, 1)
+	for _, v := range report.Regions {
+		require.Len(t, v.NodeReports, len(v.Region.Nodes))
+	}
+}
@@ -49,7 +49,13 @@ func (r *RootCmd) ping() *clibase.Cmd {
 				logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)
 			}
 
-			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{Logger: logger})
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
+			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
+			})
 			if err != nil {
 				return err
 			}
 
@@ -15,6 +15,9 @@ import (
 	"github.com/pion/udp"
 	"golang.org/x/xerrors"
 
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+
 	"github.com/coder/coder/agent/agentssh"
 	"github.com/coder/coder/cli/clibase"
 	"github.com/coder/coder/cli/cliui"
@@ -98,7 +101,18 @@ func (r *RootCmd) portForward() *clibase.Cmd {
 				return xerrors.Errorf("await agent: %w", err)
 			}
 
-			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, nil)
+			var logger slog.Logger
+			if r.verbose {
+				logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)
+			}
+
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
+			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
+			})
 			if err != nil {
 				return err
 			}
 
@@ -60,6 +60,7 @@ const (
 	varNoFeatureWarning = "no-feature-warning"
 	varForceTty         = "force-tty"
 	varVerbose          = "verbose"
+	varDisableDirect    = "disable-direct-connections"
 	notLoggedInMessage  = "You are not logged in. Try logging in using 'coder login <url>'."
 
 	envNoVersionCheck   = "CODER_NO_VERSION_WARNING"
@@ -107,6 +108,7 @@ func (r *RootCmd) Core() []*clibase.Cmd {
 
 		// Hidden
 		r.gitssh(),
+		r.netcheck(),
 		r.vscodeSSH(),
 		r.workspaceAgent(),
 	}
@@ -366,6 +368,13 @@ func (r *RootCmd) Command(subcommands []*clibase.Cmd) (*clibase.Cmd, error) {
 			Value:         clibase.BoolOf(&r.verbose),
 			Group:         globalGroup,
 		},
+		{
+			Flag:        varDisableDirect,
+			Env:         "CODER_DISABLE_DIRECT_CONNECTIONS",
+			Description: "Disable direct (P2P) connections to workspaces.",
+			Value:       clibase.BoolOf(&r.disableDirect),
+			Group:       globalGroup,
+		},
 		{
 			Flag:        "debug-http",
 			Description: "Debug codersdk HTTP requests.",
@@ -412,16 +421,17 @@ func isTest() bool {
 
 // RootCmd contains parameters and helpers useful to all commands.
 type RootCmd struct {
-	clientURL    *url.URL
-	token        string
-	globalConfig string
-	header       []string
-	agentToken   string
-	agentURL     *url.URL
-	forceTTY     bool
-	noOpen       bool
-	verbose      bool
-	debugHTTP    bool
+	clientURL     *url.URL
+	token         string
+	globalConfig  string
+	header        []string
+	agentToken    string
+	agentURL      *url.URL
+	forceTTY      bool
+	noOpen        bool
+	verbose       bool
+	disableDirect bool
+	debugHTTP     bool
 
 	noVersionCheck   bool
 	noFeatureWarning bool
@@ -523,6 +533,7 @@ func (r *RootCmd) InitClient(client *codersdk.Client) clibase.MiddlewareFunc {
 				client.PlainLogger = os.Stderr
 				client.LogBodies = true
 			}
+			client.DisableDirectConnections = r.disableDirect
 
 			// We send these requests in parallel to minimize latency.
 			var (
 
@@ -413,6 +413,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			derpMap, err := tailnet.NewDERPMap(
 				ctx, defaultRegion, cfg.DERP.Server.STUNAddresses,
 				cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(),
+				cfg.DERP.Config.BlockDirect.Value(),
 			)
 			if err != nil {
 				return xerrors.Errorf("create derp map: %w", err)
 
@@ -50,13 +50,18 @@ func (r *RootCmd) speedtest() *clibase.Cmd {
 			if err != nil && !xerrors.Is(err, cliui.AgentStartError) {
 				return xerrors.Errorf("await agent: %w", err)
 			}
+
 			logger, ok := LoggerFromContext(ctx)
 			if !ok {
 				logger = slog.Make(sloghuman.Sink(inv.Stderr))
 			}
 			if r.verbose {
 				logger = logger.Leveled(slog.LevelDebug)
 			}
+
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
 			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
 				Logger: logger,
 			})
 
@@ -195,8 +195,12 @@ func (r *RootCmd) ssh() *clibase.Cmd {
 				// We don't print the error because cliui.Agent does that for us.
 			}
 
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
 			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
-				Logger: logger,
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
 			})
 			if err != nil {
 				return xerrors.Errorf("dial agent: %w", err)
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,13 @@ func (r RootCmd) ping() clibase.Cmd {`
`49`	`49`	`logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)`
`50`	`50`	`}`
`51`	`51`
`52`		`- conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{Logger: logger})`
	`52`	`+ if r.disableDirect {`
	`53`	`+ _, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")`
	`54`	`+ }`
	`55`	`+ conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{`
	`56`	`+ Logger: logger,`
	`57`	`+ BlockEndpoints: r.disableDirect,`
	`58`	`+ })`
`53`	`59`	`if err != nil {`
`54`	`60`	`return err`
`55`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -413,6 +413,7 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`413`	`413`	`derpMap, err := tailnet.NewDERPMap(`
`414`	`414`	`ctx, defaultRegion, cfg.DERP.Server.STUNAddresses,`
`415`	`415`	`cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(),`
	`416`	`+ cfg.DERP.Config.BlockDirect.Value(),`
`416`	`417`	`)`
`417`	`418`	`if err != nil {`
`418`	`419`	`return xerrors.Errorf("create derp map: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -50,13 +50,18 @@ func (r RootCmd) speedtest() clibase.Cmd {`
`50`	`50`	`if err != nil && !xerrors.Is(err, cliui.AgentStartError) {`
`51`	`51`	`return xerrors.Errorf("await agent: %w", err)`
`52`	`52`	`}`
	`53`	`+`
`53`	`54`	`logger, ok := LoggerFromContext(ctx)`
`54`	`55`	`if !ok {`
`55`	`56`	`logger = slog.Make(sloghuman.Sink(inv.Stderr))`
`56`	`57`	`}`
`57`	`58`	`if r.verbose {`
`58`	`59`	`logger = logger.Leveled(slog.LevelDebug)`
`59`	`60`	`}`
	`61`	`+`
	`62`	`+ if r.disableDirect {`
	`63`	`+ _, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")`
	`64`	`+ }`
`60`	`65`	`conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{`
`61`	`66`	`Logger: logger,`
`62`	`67`	`})`