webnet/tailscale
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

net/tsdial, ipn/localapi, client/local: let clients dial non-Tailscale addresses directly

Browse Source 
Add a tsdial.Dialer.UserDialPlan method that resolves an address and
reports whether the dialer would route it via Tailscale. The LocalAPI
/dial handler now uses this to skip proxying for addresses that aren't
Tailscale routes (e.g. localhost), returning a Dial-Self response with
the resolved address so the client can dial it directly. This avoids
an unnecessary round-trip through the daemon for local connections.

The client's UserDial handles the new response by dialing the resolved
address itself, and the server passes the pre-resolved IP:port for
Tailscale dials to avoid redundant DNS lookups.

Thanks to giacomo and Moyao for pointing this out!

Updates tailscale/corp#39702

Change-Id: I78d640f11ccd92f43ddd505cbb0db8fee19f43a6
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
This commit is contained in:
Brad Fitzpatrick
2026-04-06 23:45:17 +00:00
committed by Brad Fitzpatrick
parent 649781df84
commit 0e10a3f580
6 changed files with 276 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
ipn/localapi/localapi.go
+22 -4
View File
@@ -1169,16 +1169,34 @@ func (h *Handler) serveDial(w http.ResponseWriter, r *http.Request) {
http.Error(w, "missing Dial-Host or Dial-Port header", http.StatusBadRequest)
return
}
network := cmp.Or(r.Header.Get("Dial-Network"), "tcp")
addr := net.JoinHostPort(hostStr, portStr)
// Check whether the resolved address is a Tailscale route.
// If not, tell the client to dial it directly so the connection
// comes from the calling user's UID rather than our root-owned daemon.
ipp, viaTailscale, err := h.b.Dialer().UserDialPlan(r.Context(), network, addr)
if err != nil {
http.Error(w, "resolve failure: "+err.Error(), http.StatusBadGateway)
return
}
if !viaTailscale {
w.Header().Set("Dial-Self", "true")
w.Header().Set("Dial-Addr", ipp.String())
w.WriteHeader(http.StatusOK)
return
}
hijacker, ok := w.(http.Hijacker)
if !ok {
http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
return
}
network := cmp.Or(r.Header.Get("Dial-Network"), "tcp")
addr := net.JoinHostPort(hostStr, portStr)
outConn, err := h.b.Dialer().UserDial(r.Context(), network, addr)
// Dial via Tailscale using the resolved IP:port to avoid a TOCTOU
// race with DNS re-resolution.
outConn, err := h.b.Dialer().UserDial(r.Context(), network, ipp.String())
if err != nil {
http.Error(w, "dial failure: "+err.Error(), http.StatusBadGateway)
return