headscale icon indicating copy to clipboard operation
headscale copied to clipboard

Published 20 hours ago verified publisher icon juanfont

Add custom STUN responses

Open neta540 opened this issue 1 year ago • 1 comments

I would like to request a feature to allow the STUN server to return a custom IP address instead so that the other peers can connect to it. Basically, I would like to request a feature to return custom values for the responses using a ruleset that will be defined in the headscale config.

For example, I would like to have a config like this:

derp:
  server:
    ...

    stun:
      listen_addr: "0.0.0.0:3478"
      rules:
        - match: "10.1.40.0/24"
          return: "5.5.5.5"

Why

I am running a complex network with multiple subnets and complex NAT mapping, having headscale running inside a vlan separate from other vlans which can connect into it, but also connect to other peers from different network. I ran into a problem where the the STUN server is returning the IP internal address of the node in its vlan, where the other peers from other networks cannot connect to it.

neta540 avatar Jan 07 '24 21:01 neta540

I've tried to implement the functionality on a fork, commit is here:

https://github.com/neta540/headscale/commit/b1578a1ddead32cedf536f418ffdd669e83ebeed

This commit adds the functionality to set custom responses for the STUN server, allowing the server to use a rule-set to respond with addresses that are not from the server's prespective, this may be useful in complex NAT setups. First match wins, so the order of the rules is important.

When a port is not specified, the port from the client's request is used.

Example config:

...
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    stun:
      listen_addr: "0.0.0.0:3478"
      rules:
        - match: "10.1.1.1/32"
          address: "4.4.4.4"
        - match: "10.0.0.0/8"
          address: "5.5.5.5"
        - match: "192.168.0.0/16"
          address: "6.6.6.6:1234"

derp.server.stun_listen_addr is changed to derp.server.stun.listen_addr, the old config location for the listen address will still work, but the new config location I suggest here takes precedence, to have all the STUN server config clean in one place.

I can make a PR if you want to use this.

Implements #1679

neta540 avatar Jan 09 '24 07:01 neta540

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] avatar Apr 09 '24 01:04 github-actions[bot]

I eventually used a custom STUN server instead of the one provided by Headscale.

neta540 avatar Apr 09 '24 03:04 neta540