headscale

package module
v0.12.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 11, 2022 License: BSD-3-Clause Imports: 65 Imported by: 1

README ¶

headscale

ci

An open source, self-hosted implementation of the Tailscale coordination server.

Join our Discord server for a chat.

Note: Always select the same GitHub tag as the released version you use to ensure you have the correct example configuration and documentation. The main branch might contain unreleased changes.

Overview

Tailscale is a modern VPN built on top of Wireguard. It works like an overlay network between the computers of your networks - using all kinds of NAT traversal sorcery.

Everything in Tailscale is Open Source, except the GUI clients for proprietary OS (Windows and macOS/iOS), and the 'coordination/control server'.

The control server works as an exchange point of Wireguard public keys for the nodes in the Tailscale network. It also assigns the IP addresses of the clients, creates the boundaries between each user, enables sharing machines between users, and exposes the advertised routes of your nodes.

headscale implements this coordination server.

Status

  • Base functionality (nodes can communicate with each other)
  • Node registration through the web flow
  • Network changes are relayed to the nodes
  • Namespaces support (~tailnets in Tailscale.com naming)
  • Routing (advertise & accept, including exit nodes)
  • Node registration via pre-auth keys (including reusable keys, and ephemeral node support)
  • JSON-formatted output
  • ACLs
  • Taildrop (File Sharing)
  • Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
  • DNS (passing DNS servers to nodes)
  • Single-Sign-On (via Open ID Connect)
  • Share nodes between namespaces
  • MagicDNS (see docs/)

Client OS support

OS Supports headscale
Linux Yes
OpenBSD Yes
macOS Yes (see /apple on your headscale for more information)
Windows Yes
Android You need to compile the client yourself
iOS Not yet

Roadmap 🤷

Suggestions/PRs welcomed!

Running headscale

Please have a look at the documentation under docs/.

Disclaimer

  1. We have nothing to do with Tailscale, or Tailscale Inc.
  2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.

Contributing

To contribute to Headscale you would need the lastest version of Go and Buf(Protobuf generator).

Code style

To ensure we have some consistency with a growing number of contributes, this project has adopted linting and style/formatting rules:

The Go code is linted with golangci-lint and formatted with golines (width 88) and gofumpt. Please configure your editor to run the tools while developing and make sure to run make lint and make fmt before committing any code.

The Proto code is linted with buf and formatted with clang-format.

The rest (markdown, yaml, etc) is formatted with prettier.

Check out the .golangci.yaml and Makefile to see the specific configuration.

Install development tools
  • Go
  • Buf
  • Protobuf tools:
make install-protobuf-plugins
Testing and building

Some parts of the project requires the generation of Go code from Protobuf (if changes is made in proto/) and it must be (re-)generated with:

make generate

Note: Please check in changes from gen/ in a separate commit to make it easier to review.

To run the tests:

make test

To build the program:

make build

Contributors

Juan
Juan Font 		Kristoffer
Kristoffer Dalby 		Ward
Ward Vandewege 		ohdearaugustin/
ohdearaugustin 		unreality/
unreality 		Aaron
Aaron Bieber
Paul
Paul Tötterman 		Casey
Casey Marshall 		Silver
Silver Bullet 		thomas/
thomas 		Arthur
Arthur Woimbée 		Felix
Felix Kronlage-Dammers
Felix
Felix Yan 		Shaanan
Shaanan Cohney 		Teteros/
Teteros 		The
The Gitter Badger 		Tianon
Tianon Gravi 		Tjerk
Tjerk Woudsma
Zakhar
Zakhar Bessarab 		derelm/
derelm 		ignoramous/
ignoramous 		zy/
zy

Documentation ¶

Overview ¶

nolint

Index ¶

Constants ¶

View Source 
const (
	Base10    = 10
	BitSize16 = 16
)
View Source 
const (
	RegisterMethodAuthKey                    = "authKey"
	RegisterMethodOIDC                       = "oidc"
	RegisterMethodCLI                        = "cli"
	ErrRegisterMethodCLIDoesNotSupportExpire = Error(
		"machines registered with CLI does not support expire",
	)
)
View Source 
const (
	AuthPrefix = "Bearer "
	Postgres   = "postgres"
	Sqlite     = "sqlite3"

	HTTPReadTimeout = 30 * time.Second
)
View Source 
const (
	ByteSize = 8
)

Variables ¶

This section is empty.

Functions ¶

func DiscoPublicKeyEnsurePrefix ¶ added in v0.12.1 

func DiscoPublicKeyEnsurePrefix(discoKey string) string

func DiscoPublicKeyStripPrefix ¶ added in v0.12.1 

func DiscoPublicKeyStripPrefix(discoKey key.DiscoPublic) string

func GetDERPMap ¶ added in v0.11.0 

func GetDERPMap(cfg DERPConfig) *tailcfg.DERPMap

func GrpcSocketDialer ¶ added in v0.12.1 

func GrpcSocketDialer(ctx context.Context, addr string) (net.Conn, error)

func MachinePublicKeyEnsurePrefix ¶ added in v0.12.1 

func MachinePublicKeyEnsurePrefix(machineKey string) string

func MachinePublicKeyStripPrefix ¶ added in v0.12.1 

func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string

func NodePublicKeyEnsurePrefix ¶ added in v0.12.1 

func NodePublicKeyEnsurePrefix(nodeKey string) string

func NodePublicKeyStripPrefix ¶ added in v0.12.1 

func NodePublicKeyStripPrefix(nodeKey key.NodePublic) string

func PrivateKeyEnsurePrefix ¶ added in v0.12.1 

func PrivateKeyEnsurePrefix(privateKey string) string

func SwaggerAPIv1 ¶ added in v0.12.1 

func SwaggerAPIv1(ctx *gin.Context)

func SwaggerUI ¶ added in v0.12.1 

func SwaggerUI(ctx *gin.Context)

Types ¶

type ACL ¶ added in v0.3.0 

type ACL struct {
	Action string   `json:"Action"`
	Users  []string `json:"Users"`
	Ports  []string `json:"Ports"`
}

ACL is a basic rule for the ACL Policy.

type ACLPolicy ¶ added in v0.3.0 

type ACLPolicy struct {
	Groups    Groups    `json:"Groups"`
	Hosts     Hosts     `json:"Hosts"`
	TagOwners TagOwners `json:"TagOwners"`
	ACLs      []ACL     `json:"ACLs"`
	Tests     []ACLTest `json:"Tests"`
}

ACLPolicy represents a Tailscale ACL Policy.

func (ACLPolicy) IsZero ¶ added in v0.3.0 

func (policy ACLPolicy) IsZero() bool

IsZero is perhaps a bit naive here.

type ACLTest ¶ added in v0.3.0 

type ACLTest struct {
	User  string   `json:"User"`
	Allow []string `json:"Allow"`
	Deny  []string `json:"Deny,omitempty"`
}

ACLTest is not implemented, but should be use to check if a certain rule is allowed.

type AppleMobileConfig ¶ added in v0.9.2 

type AppleMobileConfig struct {
	UUID    uuid.UUID
	URL     string
	Payload string
}

type AppleMobilePlatformConfig ¶ added in v0.9.2 

type AppleMobilePlatformConfig struct {
	UUID uuid.UUID
	URL  string
}

type CLIConfig ¶ added in v0.12.1 

type CLIConfig struct {
	Address  string
	APIKey   string
	Insecure bool
	Timeout  time.Duration
}

type Config ¶ 

type Config struct {
	ServerURL                      string
	Addr                           string
	EphemeralNodeInactivityTimeout time.Duration
	IPPrefix                       netaddr.IPPrefix
	PrivateKeyPath                 string
	BaseDomain                     string

	DERP DERPConfig

	DBtype string
	DBpath string
	DBhost string
	DBport int
	DBname string
	DBuser string
	DBpass string

	TLSLetsEncryptListen        string
	TLSLetsEncryptHostname      string
	TLSLetsEncryptCacheDir      string
	TLSLetsEncryptChallengeType string

	TLSCertPath string
	TLSKeyPath  string

	ACMEURL   string
	ACMEEmail string

	DNSConfig *tailcfg.DNSConfig

	UnixSocket string

	OIDC OIDCConfig

	CLI CLIConfig
}

Config contains the initial Headscale configuration.

type DERPConfig ¶ added in v0.11.0 

type DERPConfig struct {
	URLs            []url.URL
	Paths           []string
	AutoUpdate      bool
	UpdateFrequency time.Duration
}

type Error ¶ 

type Error string

Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors

func (Error) Error ¶ 

func (e Error) Error() string

type Groups ¶ added in v0.3.0 

type Groups map[string][]string

Groups references a series of alias in the ACL rules.

type Headscale ¶ 

type Headscale struct {
	DERPMap *tailcfg.DERPMap
	// contains filtered or unexported fields
}

Headscale represents the base app of the service.

func NewHeadscale ¶ 

func NewHeadscale(cfg Config) (*Headscale, error)

NewHeadscale returns the Headscale app.

func (*Headscale) AddSharedMachineToNamespace ¶ added in v0.8.0 

func (h *Headscale) AddSharedMachineToNamespace(
	machine *Machine,
	namespace *Namespace,
) error

AddSharedMachineToNamespace adds a machine as a shared node to a namespace.

func (*Headscale) AppleMobileConfig ¶ added in v0.9.2 

func (h *Headscale) AppleMobileConfig(ctx *gin.Context)

AppleMobileConfig shows a simple message in the browser to point to the CLI Listens in /register.

func (*Headscale) ApplePlatformConfig ¶ added in v0.9.2 

func (h *Headscale) ApplePlatformConfig(ctx *gin.Context)

func (*Headscale) CreateNamespace ¶ 

func (h *Headscale) CreateNamespace(name string) (*Namespace, error)

CreateNamespace creates a new Namespace. Returns error if could not be created or another namespace already exists.

func (*Headscale) CreatePreAuthKey ¶ 

func (h *Headscale) CreatePreAuthKey(
	namespaceName string,
	reusable bool,
	ephemeral bool,
	expiration *time.Time,
) (*PreAuthKey, error)

CreatePreAuthKey creates a new PreAuthKey in a namespace, and returns it.

func (*Headscale) DeleteMachine ¶ added in v0.6.1 

func (h *Headscale) DeleteMachine(machine *Machine) error

DeleteMachine softs deletes a Machine from the database.

func (*Headscale) DestroyNamespace ¶ 

func (h *Headscale) DestroyNamespace(name string) error

DestroyNamespace destroys a Namespace. Returns error if the Namespace does not exist or if there are machines associated with it.

func (*Headscale) DestroyPreAuthKey ¶ added in v0.12.1 

func (h *Headscale) DestroyPreAuthKey(pak PreAuthKey) error

DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey does not exist.

func (*Headscale) EnableNodeRoute deprecated 

func (h *Headscale) EnableNodeRoute(
	namespace string,
	nodeName string,
	routeStr string,
) error

Deprecated: use EnableRoute in machine.go EnableNodeRoute enables a subnet route advertised by a node (identified by namespace and node name).

func (*Headscale) EnableRoutes ¶ added in v0.12.1 

func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error

EnableNodeRoute enables new routes based on a list of new routes. It will _replace_ the previous list of routes.

func (*Headscale) ExpireMachine ¶ added in v0.12.1 

func (h *Headscale) ExpireMachine(machine *Machine)

ExpireMachine takes a Machine struct and sets the expire field to now.

func (*Headscale) ExpirePreAuthKey ¶ added in v0.12.1 

func (h *Headscale) ExpirePreAuthKey(k *PreAuthKey) error

MarkExpirePreAuthKey marks a PreAuthKey as expired.

func (*Headscale) GetAdvertisedNodeRoutes deprecated added in v0.7.0 

func (h *Headscale) GetAdvertisedNodeRoutes(
	namespace string,
	nodeName string,
) (*[]netaddr.IPPrefix, error)

Deprecated: use machine function instead GetAdvertisedNodeRoutes returns the subnet routes advertised by a node (identified by namespace and node name).

func (*Headscale) GetEnabledNodeRoutes deprecated added in v0.7.0 

func (h *Headscale) GetEnabledNodeRoutes(
	namespace string,
	nodeName string,
) ([]netaddr.IPPrefix, error)

Deprecated: use machine function instead GetEnabledNodeRoutes returns the subnet routes enabled by a node (identified by namespace and node name).

func (*Headscale) GetMachine ¶ 

func (h *Headscale) GetMachine(namespace string, name string) (*Machine, error)

GetMachine finds a Machine by name and namespace and returns the Machine struct.

func (*Headscale) GetMachineByID ¶ added in v0.6.1 

func (h *Headscale) GetMachineByID(id uint64) (*Machine, error)

GetMachineByID finds a Machine by ID and returns the Machine struct.

func (*Headscale) GetMachineByMachineKey ¶ added in v0.9.3 

func (h *Headscale) GetMachineByMachineKey(
	machineKey key.MachinePublic,
) (*Machine, error)

GetMachineByMachineKey finds a Machine by ID and returns the Machine struct.

func (*Headscale) GetNamespace ¶ 

func (h *Headscale) GetNamespace(name string) (*Namespace, error)

GetNamespace fetches a namespace by name.

func (*Headscale) GetPreAuthKey ¶ added in v0.6.1 

func (h *Headscale) GetPreAuthKey(namespace string, key string) (*PreAuthKey, error)

GetPreAuthKey returns a PreAuthKey for a given key.

func (*Headscale) HardDeleteMachine ¶ added in v0.6.1 

func (h *Headscale) HardDeleteMachine(machine *Machine) error

HardDeleteMachine hard deletes a Machine from the database.

func (*Headscale) IsNodeRouteEnabled deprecated added in v0.7.0 

func (h *Headscale) IsNodeRouteEnabled(
	namespace string,
	nodeName string,
	routeStr string,
) bool

Deprecated: use machine function instead IsNodeRouteEnabled checks if a certain route has been enabled.

func (*Headscale) KeyHandler ¶ 

func (h *Headscale) KeyHandler(ctx *gin.Context)

KeyHandler provides the Headscale pub key Listens in /key.

func (*Headscale) ListMachines ¶ added in v0.12.1 

func (h *Headscale) ListMachines() ([]Machine, error)

func (*Headscale) ListMachinesInNamespace ¶ 

func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error)

ListMachinesInNamespace gets all the nodes in a given namespace.

func (*Headscale) ListNamespaces ¶ 

func (h *Headscale) ListNamespaces() ([]Namespace, error)

ListNamespaces gets all the existing namespaces.

func (*Headscale) ListPreAuthKeys ¶ added in v0.12.1 

func (h *Headscale) ListPreAuthKeys(namespaceName string) ([]PreAuthKey, error)

ListPreAuthKeys returns the list of PreAuthKeys for a namespace.

func (*Headscale) ListSharedMachinesInNamespace ¶ added in v0.8.0 

func (h *Headscale) ListSharedMachinesInNamespace(name string) ([]Machine, error)

ListSharedMachinesInNamespace returns all the machines that are shared to the specified namespace.

func (*Headscale) LoadACLPolicy ¶ added in v0.3.0 

func (h *Headscale) LoadACLPolicy(path string) error

LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.

func (*Headscale) OIDCCallback ¶ added in v0.12.1 

func (h *Headscale) OIDCCallback(ctx *gin.Context)

OIDCCallback handles the callback from the OIDC endpoint Retrieves the mkey from the state cache and adds the machine to the users email namespace TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities TODO: Add groups information from OIDC tokens into machine HostInfo Listens in /oidc/callback.

func (*Headscale) PollNetMapHandler ¶ 

func (h *Headscale) PollNetMapHandler(ctx *gin.Context)

PollNetMapHandler takes care of /machine/:id/map

This is the busiest endpoint, as it keeps the HTTP long poll that updates the clients when something in the network changes.

The clients POST stuff like HostInfo and their Endpoints here, but only after their first request (marked with the ReadOnly field).

At this moment the updates are sent in a quite horrendous way, but they kinda work.

func (*Headscale) PollNetMapStream ¶ added in v0.6.1 

func (h *Headscale) PollNetMapStream(
	ctx *gin.Context,
	machine *Machine,
	mapRequest tailcfg.MapRequest,
	machineKey key.MachinePublic,
	pollDataChan chan []byte,
	keepAliveChan chan []byte,
	updateChan chan struct{},
	cancelKeepAlive chan struct{},
)

PollNetMapStream takes care of /machine/:id/map stream logic, ensuring we communicate updates and data to the connected clients.

func (*Headscale) RefreshMachine ¶ added in v0.12.1 

func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time)

RefreshMachine takes a Machine struct and sets the expire field to now.

func (*Headscale) RegisterMachine ¶ 

func (h *Headscale) RegisterMachine(
	machineKeyStr string,
	namespaceName string,
) (*Machine, error)

RegisterMachine is executed from the CLI to register a new Machine using its MachineKey.

func (*Headscale) RegisterOIDC ¶ added in v0.12.1 

func (h *Headscale) RegisterOIDC(ctx *gin.Context)

RegisterOIDC redirects to the OIDC provider for authentication Puts machine key in cache so the callback can retrieve it using the oidc state param Listens in /oidc/register/:mKey.

func (*Headscale) RegisterWebAPI ¶ 

func (h *Headscale) RegisterWebAPI(ctx *gin.Context)

RegisterWebAPI shows a simple message in the browser to point to the CLI Listens in /register.

func (*Headscale) RegistrationHandler ¶ 

func (h *Headscale) RegistrationHandler(ctx *gin.Context)

RegistrationHandler handles the actual registration process of a machine Endpoint /machine/:id.

func (*Headscale) RemoveSharedMachineFromAllNamespaces ¶ added in v0.10.1 

func (h *Headscale) RemoveSharedMachineFromAllNamespaces(machine *Machine) error

RemoveSharedMachineFromAllNamespaces removes a machine as a shared node from all namespaces.

func (*Headscale) RemoveSharedMachineFromNamespace ¶ added in v0.10.4 

func (h *Headscale) RemoveSharedMachineFromNamespace(
	machine *Machine,
	namespace *Namespace,
) error

RemoveSharedMachineFromNamespace removes a shared machine from a namespace.

func (*Headscale) RenameNamespace ¶ added in v0.10.4 

func (h *Headscale) RenameNamespace(oldName, newName string) error

RenameNamespace renames a Namespace. Returns error if the Namespace does not exist or if another Namespace exists with the new name.

func (*Headscale) RequestMapUpdates ¶ added in v0.6.1 

func (h *Headscale) RequestMapUpdates(namespaceID uint) error

TODO(kradalby): Remove the need for this. RequestMapUpdates signals the KV worker to update the maps for this namespace.

func (*Headscale) Serve ¶ 

func (h *Headscale) Serve() error

Serve launches a GIN server with the Headscale API.

func (*Headscale) SetMachineNamespace ¶ 

func (h *Headscale) SetMachineNamespace(machine *Machine, namespaceName string) error

SetMachineNamespace assigns a Machine to a namespace.

func (*Headscale) UpdateMachine ¶ added in v0.7.0 

func (h *Headscale) UpdateMachine(machine *Machine) error

UpdateMachine takes a Machine struct pointer (typically already loaded from database and updates it with the latest data from the database.

type Hosts ¶ added in v0.3.0 

type Hosts map[string]netaddr.IPPrefix

Hosts are alias for IP addresses or subnets.

func (*Hosts) UnmarshalJSON ¶ added in v0.3.0 

func (hosts *Hosts) UnmarshalJSON(data []byte) error

UnmarshalJSON allows to parse the Hosts directly into netaddr objects.

type IDTokenClaims ¶ added in v0.12.1 

type IDTokenClaims struct {
	Name     string   `json:"name,omitempty"`
	Groups   []string `json:"groups,omitempty"`
	Email    string   `json:"email"`
	Username string   `json:"preferred_username,omitempty"`
}

type KV ¶ 

type KV struct {
	Key   string
	Value string
}

KV is a key-value store in a psql table. For future use...

type Machine ¶ 

type Machine struct {
	ID          uint64 `gorm:"primary_key"`
	MachineKey  string `gorm:"type:varchar(64);unique_index"`
	NodeKey     string
	DiscoKey    string
	IPAddress   string
	Name        string
	NamespaceID uint
	Namespace   Namespace `gorm:"foreignKey:NamespaceID"`

	Registered     bool // temp
	RegisterMethod string
	AuthKeyID      uint
	AuthKey        *PreAuthKey

	LastSeen             *time.Time
	LastSuccessfulUpdate *time.Time
	Expiry               *time.Time

	HostInfo      datatypes.JSON
	Endpoints     datatypes.JSON
	EnabledRoutes datatypes.JSON

	CreatedAt time.Time
	UpdatedAt time.Time
	DeletedAt *time.Time
}

Machine is a Headscale client.

func (*Machine) GetAdvertisedRoutes ¶ added in v0.12.1 

func (machine *Machine) GetAdvertisedRoutes() ([]netaddr.IPPrefix, error)

func (*Machine) GetEnabledRoutes ¶ added in v0.12.1 

func (machine *Machine) GetEnabledRoutes() ([]netaddr.IPPrefix, error)

func (*Machine) GetHostInfo ¶ 

func (machine *Machine) GetHostInfo() (*tailcfg.Hostinfo, error)

GetHostInfo returns a Hostinfo struct for the machine.

func (*Machine) IsRoutesEnabled ¶ added in v0.12.1 

func (machine *Machine) IsRoutesEnabled(routeStr string) bool

func (*Machine) RoutesToProto ¶ added in v0.12.1 

func (machine *Machine) RoutesToProto() (*v1.Routes, error)

func (Machine) String ¶ added in v0.9.3 

func (machine Machine) String() string

type Machines ¶ added in v0.9.3 

type Machines []Machine

func (Machines) String ¶ added in v0.9.3 

func (machines Machines) String() string

type MachinesP ¶ added in v0.9.3 

type MachinesP []*Machine

func (MachinesP) String ¶ added in v0.9.3 

func (machines MachinesP) String() string

TODO(kradalby): Remove when we have generics...

type Namespace ¶ 

type Namespace struct {
	gorm.Model
	Name string `gorm:"unique"`
}

Namespace is the way Headscale implements the concept of users in Tailscale

At the end of the day, users in Tailscale are some kind of 'bubbles' or namespaces that contain our machines.

type OIDCConfig ¶ added in v0.12.1 

type OIDCConfig struct {
	Issuer       string
	ClientID     string
	ClientSecret string
	MatchMap     map[string]string
}

type PreAuthKey ¶ 

type PreAuthKey struct {
	ID          uint64 `gorm:"primary_key"`
	Key         string
	NamespaceID uint
	Namespace   Namespace
	Reusable    bool
	Ephemeral   bool `gorm:"default:false"`
	Used        bool `gorm:"default:false"`

	CreatedAt  *time.Time
	Expiration *time.Time
}

PreAuthKey describes a pre-authorization key usable in a particular namespace.

type SharedMachine ¶ added in v0.8.0 

type SharedMachine struct {
	gorm.Model
	MachineID   uint64
	Machine     Machine
	NamespaceID uint
	Namespace   Namespace
}

SharedMachine is a join table to support sharing nodes between namespaces.

type TagOwners ¶ added in v0.3.0 

type TagOwners map[string][]string

TagOwners specify what users (namespaces?) are allow to use certain tags.

Source Files ¶

View all Source files

Directories ¶

Path Synopsis
cmd
headscale
headscale/cli
gen
go/headscale/v1
Package v1 is a reverse proxy.
 Package v1 is a reverse proxy.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.