docs: add networking troubleshooting page

ethanndickson · ethanndickson · commit 533193cf2468 · 2024-09-04T05:03:11.000Z
diff --git a/cli/cliui/agent.go b/cli/cliui/agent.go
@@ -309,7 +309,7 @@ func PeerDiagnostics(w io.Writer, d tailnet.PeerDiagnostics) {
 		_, _ = fmt.Fprint(w, "✘ not connected to DERP\n")
 	}
 	if d.SentNode {
-		_, _ = fmt.Fprint(w, "✔ sent local data to Coder networking coodinator\n")
+		_, _ = fmt.Fprint(w, "✔ sent local data to Coder networking coordinator\n")
 	} else {
 		_, _ = fmt.Fprint(w, "✘ have not sent local data to Coder networking coordinator\n")
 	}
@@ -381,6 +381,9 @@ func (d ConnDiags) Write(w io.Writer) {
 			_, _ = fmt.Fprintf(w, " - %s\n\n", msg)
 		}
 	}
+	if !d.PingP2P || d.Verbose || len(client) > 0 || len(agent) > 0 || len(general) > 1 {
+		_, _ = fmt.Fprintln(w, "For more information, see https://coder.com/docs/networking/troubleshooting")
+	}
 }
 
 func (d ConnDiags) splitDiagnostics() (general, client, agent []string) {
diff --git a/cli/cliui/agent_test.go b/cli/cliui/agent_test.go
@@ -533,7 +533,7 @@ func TestPeerDiagnostics(t *testing.T) {
 				LastWireguardHandshake: time.Time{},
 			},
 			want: []*regexp.Regexp{
-				regexp.MustCompile(`^✔ sent local data to Coder networking coodinator$`),
+				regexp.MustCompile(`^✔ sent local data to Coder networking coordinator$`),
 			},
 		},
 		{
diff --git a/docs/manifest.json b/docs/manifest.json
@@ -346,6 +346,11 @@
 					"title": "STUN and NAT",
 					"description": "Learn how Coder establishes direct connections",
 					"path": "./networking/stun.md"
+				},
+				{
+					"title": "Troubleshooting",
+					"description": "Troubleshoot networking issues in Coder",
+					"path": "./networking/troubleshooting.md"
 				}
 			]
 		},
diff --git a/docs/networking/index.md b/docs/networking/index.md
@@ -169,41 +169,7 @@ with security policies. In these cases, pass the `--browser-only` flag to
 With browser-only connections, developers can only connect to their workspaces
 via the web terminal and [web IDEs](../ides/web-ides.md).
 
-## Troubleshooting
-
-The `coder ping -v <workspace>` will ping a workspace and return debug logs for
-the connection. We recommend running this command and inspecting the output when
-debugging SSH connections to a workspace. For example:
-
-```console
-$ coder ping -v my-workspace
-
-2023-06-21 17:50:22.412 [debu] wgengine: ping(fd7a:115c:a1e0:49d6:b259:b7ac:b1b2:48f4): sending disco ping to [cFYPo] ...
-pong from my-workspace proxied via DERP(Denver) in 90ms
-2023-06-21 17:50:22.503 [debu] wgengine: magicsock: closing connection to derp-13 (conn-close), age 5s
-2023-06-21 17:50:22.503 [debu] wgengine: magicsock: 0 active derp conns
-2023-06-21 17:50:22.504 [debu] wgengine: wg: [v2] Routine: receive incoming v6 - stopped
-2023-06-21 17:50:22.504 [debu] wgengine: wg: [v2] Device closed
-```
-
-The `coder speedtest <workspace>` command measures user <-> workspace
-throughput. E.g.:
-
-```
-$ coder speedtest dev
-29ms via coder
-Starting a 5s download test...
-INTERVAL       TRANSFER         BANDWIDTH
-0.00-1.00 sec  630.7840 MBits   630.7404 Mbits/sec
-1.00-2.00 sec  913.9200 MBits   913.8106 Mbits/sec
-2.00-3.00 sec  943.1040 MBits   943.0399 Mbits/sec
-3.00-4.00 sec  933.3760 MBits   933.2143 Mbits/sec
-4.00-5.00 sec  848.8960 MBits   848.7019 Mbits/sec
-5.00-5.02 sec  13.5680 MBits    828.8189 Mbits/sec
-----------------------------------------------------
-0.00-5.02 sec  4283.6480 MBits  853.8217 Mbits/sec
-```
-
 ## Up next
 
 - Learn about [Port Forwarding](./port-forwarding.md)
+- Troubleshoot [Networking Issues](./troubleshooting.md)
diff --git a/docs/networking/troubleshooting.md b/docs/networking/troubleshooting.md
@@ -0,0 +1,109 @@
+# Troubleshooting
+
+The `coder ping <workspace>` command not only pings a workspace, but also prints
+diagnostics on the state of the connection. Appending the verbose flag
+(`-v/--verbose`) to the command will also print client debug logs. These
+diagnostics are created by inspecting both the client and agent network
+configurations, and provide insights into why a direct connection may be
+impeded, or why the quality of one might be degraded.
+
+```console
+$ coder ping dev
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 210ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 210ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+pong from dev proxied via  DERP(Council Bluffs, Iowa)  in 209ms
+✔ preferred DERP region: 10015 (Australia Fly.io (Sydney))
+✔ sent local data to Coder networking coordinator
+✔ received remote agent data from Coder networking coordinator
+    preferred DERP region: 999 (Council Bluffs, Iowa)
+    endpoints: 204.16.241.141:46433, 172.17.0.1:46433, 172.20.0.6:46433
+✔ Wireguard handshake 11s ago
+
+❗ You are connected via a DERP relay, not directly (p2p)
+Possible client-side issues with direct connection:
+ - Network interface utun0 has MTU 1280, (less than 1378), which may degrade the quality of direct connections
+
+Possible agent-side issues with direct connection:
+ - Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers
+ - Agent IP address is within an AWS range (AWS uses hard NAT)
+```
+
+## Common Problems
+
+### Deployment-wide Direct Connection Blocking
+
+Direct connections can be disabled at the deployment level by setting the
+`CODER_BLOCK_DIRECT` environment variable or the `coder server`
+`--block-direct-connections` flag. This forces all connections to be relayed via
+DERP, preventing any and all direct connections to workspace agents. If set,
+this will be reflected in the output of `coder ping`.
+
+### Firewall blocking UDP
+
+Some corporate firewalls block UDP traffic. Direct connections, and
+communicating with STUN servers to establish them, require UDP. `coder ping`
+will indicate if either the Coder agent or client is unable to communicate with
+any known STUN servers over UDP.
+
+If this is the case, you may need to add exceptions to the firewall to allow UDP
+for Coder workspaces, clients, and STUN servers.
+
+### Hard NAT
+
+`coder ping` will indicate if it's possible the client or agent is behind a hard
+NAT. Hard NATs may prevent direct connections from being established,
+particularly if both sides are behind one. Direct connections may also be
+impeded if one side is behind a hard NAT and the other is running a firewall
+that blocks ingress traffic from unknown 5-tuples (Protocol, Source IP, Source
+Port, Destination IP, Destination Port). Learn more about
+[STUN and NAT](./stun.md).
+
+### VPNs
+
+If a VPN is the default route for all IP traffic, it may interfere with the
+ability for clients and agents to form direct connections. This happens if the
+NAT does not permit traffic to be
+['hairpinned'](./stun.md#3-direct-connections-with-vpn-and-nat-hairpinning) from
+the public IP address of the NAT (determined via STUN) to the internal IP
+address of the agent.
+
+If this is the case, you may need to add exceptions to the VPN for Coder, modify
+the NAT configuration, or deploy an internal STUN server.
+
+### Low MTU
+
+If a network interface on the side of either the client or agent has an MTU
+smaller than 1378, any direct connections form may have degraded
+quality/performance, as IP packets are fragmented. `coder ping` will indicate if
+this is the case by inspecting client and agent interfaces.
+
+If another interface cannot be used, and the MTU cannot be changed, you may have
+to disable direct connections, and relaying all traffic via DERP, which will not
+be affected by the low MTU.
+
+## Throughput
+
+The `coder speedtest <workspace>` command measures user <-> workspace
+throughput:
+
+```console
+$ coder speedtest dev
+29ms via coder
+Starting a 5s download test...
+INTERVAL       TRANSFER         BANDWIDTH
+0.00-1.00 sec  630.7840 MBits   630.7404 Mbits/sec
+1.00-2.00 sec  913.9200 MBits   913.8106 Mbits/sec
+2.00-3.00 sec  943.1040 MBits   943.0399 Mbits/sec
+3.00-4.00 sec  933.3760 MBits   933.2143 Mbits/sec
+4.00-5.00 sec  848.8960 MBits   848.7019 Mbits/sec
+5.00-5.02 sec  13.5680 MBits    828.8189 Mbits/sec
+----------------------------------------------------
+0.00-5.02 sec  4283.6480 MBits  853.8217 Mbits/sec
+```

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ func PeerDiagnostics(w io.Writer, d tailnet.PeerDiagnostics) {`
`309`	`309`	`_, _ = fmt.Fprint(w, "✘ not connected to DERP\n")`
`310`	`310`	`}`
`311`	`311`	`if d.SentNode {`
`312`		`- _, _ = fmt.Fprint(w, "✔ sent local data to Coder networking coodinator\n")`
	`312`	`+ _, _ = fmt.Fprint(w, "✔ sent local data to Coder networking coordinator\n")`
`313`	`313`	`} else {`
`314`	`314`	`_, _ = fmt.Fprint(w, "✘ have not sent local data to Coder networking coordinator\n")`
`315`	`315`	`}`
`@@ -381,6 +381,9 @@ func (d ConnDiags) Write(w io.Writer) {`
`381`	`381`	`_, _ = fmt.Fprintf(w, " - %s\n\n", msg)`
`382`	`382`	`}`
`383`	`383`	`}`
	`384`	`+ if !d.PingP2P \|\| d.Verbose \|\| len(client) > 0 \|\| len(agent) > 0 \|\| len(general) > 1 {`
	`385`	`+ _, _ = fmt.Fprintln(w, "For more information, see https://coder.com/docs/networking/troubleshooting")`
	`386`	`+ }`
`384`	`387`	`}`
`385`	`388`
`386`	`389`	`func (d ConnDiags) splitDiagnostics() (general, client, agent []string) {`
Original file line number	Diff line number	Diff line change
`@@ -533,7 +533,7 @@ func TestPeerDiagnostics(t *testing.T) {`
`533`	`533`	`LastWireguardHandshake: time.Time{},`
`534`	`534`	`},`
`535`	`535`	`want: []*regexp.Regexp{`
`536`		- regexp.MustCompile(`^✔ sent local data to Coder networking coodinator$`),
	`536`	+ regexp.MustCompile(`^✔ sent local data to Coder networking coordinator$`),
`537`	`537`	`},`
`538`	`538`	`},`
`539`	`539`	`{`
Original file line number	Diff line number	Diff line change
`@@ -346,6 +346,11 @@`
`346`	`346`	`"title": "STUN and NAT",`
`347`	`347`	`"description": "Learn how Coder establishes direct connections",`
`348`	`348`	`"path": "./networking/stun.md"`
	`349`	`+ },`
	`350`	`+ {`
	`351`	`+ "title": "Troubleshooting",`
	`352`	`+ "description": "Troubleshoot networking issues in Coder",`
	`353`	`+ "path": "./networking/troubleshooting.md"`
`349`	`354`	`}`
`350`	`355`	`]`
`351`	`356`	`},`