11# Networking
22
3- Coder's network topology has three types of nodes: workspaces, Coder servers,
4- and users.
3+ The pages in this section outline Coder's networking stack and how aspects
4+ connect to or interact with each other.
5+
6+ This page is a high-level reference of Coder's network topology, requirements,
7+ and connection types.
8+
9+ ![ Basic user to Coder diagram] ( ../../images/admin/networking/network-stack/network-user-workspace.png )
10+
11+ ## Coder server, workspaces, users
12+
13+ Coder's network topology has three general types of nodes or ways of interacting
14+ with Coder:
15+
16+ - Coder servers
17+ - Workspaces
18+ - Users
519
620The Coder server must have an inbound address reachable by users and workspaces,
721but otherwise, all topologies _ just work_ with Coder.
@@ -11,65 +25,29 @@ Direct connections are as fast as connecting to the workspace outside of Coder.
1125When NAT traversal fails, connections are relayed through the Coder server. All
1226user-workspace connections are end-to-end encrypted.
1327
14- [ Tailscale's open source ] ( https://tailscale.com ) backs our websocket/HTTPS
15- networking logic.
28+ [ Tailscale] ( https://tailscale.com ) 's implementation of
29+ [ Wireguard ] ( https://www.wireguard.com/ ) backs our websocket/HTTPS networking logic.
1630
1731## Requirements
1832
19- In order for clients and workspaces to be able to connect:
33+ Coder’s networking is designed to support a wide range of infrastructure targets.
34+ Because of that, there are very few requirements for running Coder in your network:
35+
36+ - The central server (coderd) needs port 443 to be open for HTTPS and websocket traffic
37+ - Workspaces, clients (developer laptops), and provisioners only need to reach the Coder server and establish a websocket connection. No ports need to be open.
2038
21- > ** Note:** We strongly recommend that clients connect to Coder and their
22- > workspaces over a good quality, broadband network connection. The following
23- > are minimum requirements:
24- >
25- > - better than 400ms round-trip latency to the Coder server and to their
26- > workspace
27- > - better than 0.5% random packet loss
39+ In order for clients and workspaces to be able to connect:
2840
2941- All clients and agents must be able to establish a connection to the Coder
3042 server (` CODER_ACCESS_URL ` ) over HTTP/HTTPS.
3143- Any reverse proxy or ingress between the Coder control plane and
3244 clients/agents must support WebSockets.
3345
34- In order for clients to be able to establish direct connections:
35-
36- > ** Note:** Direct connections via the web browser are not supported. To improve
37- > latency for browser-based applications running inside Coder workspaces in
38- > regions far from the Coder control plane, consider deploying one or more
39- > [ workspace proxies] ( ./workspace-proxies.md ) .
40-
41- - The client is connecting using the CLI (e.g. ` coder ssh ` or
42- ` coder port-forward ` ). Note that the
43- [ VSCode extension] ( https://marketplace.visualstudio.com/items?itemName=coder.coder-remote )
44- and [ JetBrains Plugin] ( https://plugins.jetbrains.com/plugin/19620-coder/ ) , and
45- [ ` ssh coder.<workspace> ` ] ( ../../reference/cli/config-ssh.md ) all utilize the
46- CLI to establish a workspace connection.
47- - Either the client or workspace agent are able to discover a reachable
48- ` ip:port ` of their counterpart. If the agent and client are able to
49- communicate with each other using their locally assigned IP addresses, then a
50- direct connection can be established immediately. Otherwise, the client and
51- agent will contact
52- [ the configured STUN servers] ( ../../reference/cli/server.md#--derp-server-stun-addresses )
53- to try and determine which ` ip:port ` can be used to communicate with their
54- counterpart. See [ STUN and NAT] ( ./stun.md ) for more details on how this
55- process works.
56- - All outbound UDP traffic must be allowed for both the client and the agent on
57- ** all ports** to each others' respective networks.
58- - To establish a direct connection, both agent and client use STUN. This
59- involves sending UDP packets outbound on ` udp/3478 ` to the configured
60- [ STUN server] ( ../../reference/cli/server.md#--derp-server-stun-addresses ) .
61- If either the agent or the client are unable to send and receive UDP packets
62- to a STUN server, then direct connections will not be possible.
63- - Both agents and clients will then establish a
64- [ WireGuard] ( https://www.wireguard.com/ ) ️ tunnel and send UDP traffic on
65- ephemeral (high) ports. If a firewall between the client and the agent
66- blocks this UDP traffic, direct connections will not be possible.
67-
6846## Coder server
6947
7048Workspaces connect to the Coder server via the server's external address, set
7149via [ ` ACCESS_URL ` ] ( ../../admin/setup/index.md#access-url ) . There must not be a
72- NAT between workspaces and coder server.
50+ NAT between workspaces and the Coder server.
7351
7452Users connect to the Coder server's dashboard and API through its ` ACCESS_URL `
7553as well. There must not be a NAT between users and the Coder server.
@@ -98,11 +76,23 @@ dashboard-accessed web apps.
9876
9977## 🌎 Geo-distribution
10078
79+ By default, Coder will attempt to create direct peer-to-peer connections between
80+ the client (developer laptop) and workspace.
81+ If this doesn’t work, the end result will be transparent to the end user because
82+ Coder will fall back to connections relayed to the control plane.
83+
10184### Direct connections
10285
103- Direct connections are a straight line between the user and workspace, so there
104- is no special geo-distribution configuration. To speed up direct connections,
105- move the user and workspace closer together.
86+ Direct connections reduce latency and improve upload and download speeds for developers.
87+ However, there are many scenarios where direct connections cannot be established,
88+ such as when the Coder [ administrators disable direct connections] ( ../../reference/cli/server.md#--block-direct-connections ) .
89+
90+ Consult the [ direct connections section] ( ./troubleshooting.md#common-problems-with-direct-connections )
91+ of the troubleshooting guide for more information.
92+ The troubleshooting guide also explains how to identify if a connection is direct
93+ or not via the ` coder ping ` command.
94+
95+ Ideally, to speed up direct connections, move the user and workspace closer together.
10696
10797Establishing a direct connection can be an involved process because both the
10898client and workspace agent will likely be behind at least one level of NAT,
@@ -116,6 +106,40 @@ Coder will use a relayed connection. By default,
116106but this can be disabled or changed for
117107[ offline deployments] ( ../../install/offline.md ) .
118108
109+ In order for clients to be able to establish direct connections:
110+
111+ > ** Note:** Direct connections via the web browser are not supported. To improve
112+ > latency for browser-based applications running inside Coder workspaces in
113+ > regions far from the Coder control plane, consider deploying one or more
114+ > [ workspace proxies] ( ./workspace-proxies.md ) .
115+
116+ - The client is connecting using the CLI (e.g. ` coder ssh ` or
117+ ` coder port-forward ` ). Note that the
118+ [ VSCode extension] ( https://marketplace.visualstudio.com/items?itemName=coder.coder-remote )
119+ and [ JetBrains Plugin] ( https://plugins.jetbrains.com/plugin/19620-coder/ ) , and
120+ [ ` ssh coder.<workspace> ` ] ( ../../reference/cli/config-ssh.md ) all utilize the
121+ CLI to establish a workspace connection.
122+ - Either the client or workspace agent are able to discover a reachable
123+ ` ip:port ` of their counterpart. If the agent and client are able to
124+ communicate with each other using their locally assigned IP addresses, then a
125+ direct connection can be established immediately. Otherwise, the client and
126+ agent will contact
127+ [ the configured STUN servers] ( ../../reference/cli/server.md#--derp-server-stun-addresses )
128+ to try and determine which ` ip:port ` can be used to communicate with their
129+ counterpart. See [ STUN and NAT] ( ./stun.md ) for more details on how this
130+ process works.
131+ - All outbound UDP traffic must be allowed for both the client and the agent on
132+ ** all ports** to each others' respective networks.
133+ - To establish a direct connection, both agent and client use STUN. This
134+ involves sending UDP packets outbound on ` udp/3478 ` to the configured
135+ [ STUN server] ( ../../reference/cli/server.md#--derp-server-stun-addresses ) .
136+ If either the agent or the client are unable to send and receive UDP packets
137+ to a STUN server, then direct connections will not be possible.
138+ - Both agents and clients will then establish a
139+ [ WireGuard] ( https://www.wireguard.com/ ) ️ tunnel and send UDP traffic on
140+ ephemeral (high) ports. If a firewall between the client and the agent
141+ blocks this UDP traffic, direct connections will not be possible.
142+
119143### Relayed connections
120144
121145By default, your Coder server also runs a built-in DERP relay which can be used
0 commit comments