@@ -64,6 +64,7 @@ type Options struct {
6464 SSHMaxTimeout time.Duration
6565 TailnetListenPort uint16
6666 Subsystem codersdk.AgentSubsystem
67+ Addresses []netip.Prefix
6768
6869 PrometheusRegistry * prometheus.Registry
6970}
@@ -132,6 +133,7 @@ func New(options Options) Agent {
132133 connStatsChan : make (chan * agentsdk.Stats , 1 ),
133134 sshMaxTimeout : options .SSHMaxTimeout ,
134135 subsystem : options .Subsystem ,
136+ addresses : options .Addresses ,
135137
136138 prometheusRegistry : prometheusRegistry ,
137139 metrics : newAgentMetrics (prometheusRegistry ),
@@ -177,6 +179,7 @@ type agent struct {
177179 lifecycleStates []agentsdk.PostLifecycleRequest
178180
179181 network * tailnet.Conn
182+ addresses []netip.Prefix
180183 connStatsChan chan * agentsdk.Stats
181184 latestStat atomic.Pointer [agentsdk.Stats ]
182185
@@ -545,6 +548,10 @@ func (a *agent) run(ctx context.Context) error {
545548 }
546549 a .logger .Info (ctx , "fetched manifest" , slog .F ("manifest" , manifest ))
547550
551+ if manifest .AgentID == uuid .Nil {
552+ return xerrors .New ("nil agentID returned by manifest" )
553+ }
554+
548555 // Expand the directory and send it back to coderd so external
549556 // applications that rely on the directory can use it.
550557 //
@@ -630,7 +637,7 @@ func (a *agent) run(ctx context.Context) error {
630637 network := a .network
631638 a .closeMutex .Unlock ()
632639 if network == nil {
633- network , err = a .createTailnet (ctx , manifest .DERPMap , manifest .DisableDirectConnections )
640+ network , err = a .createTailnet (ctx , manifest .AgentID , manifest . DERPMap , manifest .DisableDirectConnections )
634641 if err != nil {
635642 return xerrors .Errorf ("create tailnet: %w" , err )
636643 }
@@ -648,6 +655,11 @@ func (a *agent) run(ctx context.Context) error {
648655
649656 a .startReportingConnectionStats (ctx )
650657 } else {
658+ // Update the wireguard IPs if the agent ID changed.
659+ err := network .SetAddresses (a .wireguardAddresses (manifest .AgentID ))
660+ if err != nil {
661+ a .logger .Error (ctx , "update tailnet addresses" , slog .Error (err ))
662+ }
651663 // Update the DERP map and allow/disallow direct connections.
652664 network .SetDERPMap (manifest .DERPMap )
653665 network .SetBlockEndpoints (manifest .DisableDirectConnections )
@@ -661,6 +673,20 @@ func (a *agent) run(ctx context.Context) error {
661673 return nil
662674}
663675
676+ func (a * agent ) wireguardAddresses (agentID uuid.UUID ) []netip.Prefix {
677+ if len (a .addresses ) == 0 {
678+ return []netip.Prefix {
679+ // This is the IP that should be used primarily.
680+ netip .PrefixFrom (tailnet .IPFromUUID (agentID ), 128 ),
681+ // We also listen on the legacy codersdk.WorkspaceAgentIP. This
682+ // allows for a transition away from wsconncache.
683+ netip .PrefixFrom (codersdk .WorkspaceAgentIP , 128 ),
684+ }
685+ }
686+
687+ return a .addresses
688+ }
689+
664690func (a * agent ) trackConnGoroutine (fn func ()) error {
665691 a .closeMutex .Lock ()
666692 defer a .closeMutex .Unlock ()
@@ -675,9 +701,9 @@ func (a *agent) trackConnGoroutine(fn func()) error {
675701 return nil
676702}
677703
678- func (a * agent ) createTailnet (ctx context.Context , derpMap * tailcfg.DERPMap , disableDirectConnections bool ) (_ * tailnet.Conn , err error ) {
704+ func (a * agent ) createTailnet (ctx context.Context , agentID uuid. UUID , derpMap * tailcfg.DERPMap , disableDirectConnections bool ) (_ * tailnet.Conn , err error ) {
679705 network , err := tailnet .NewConn (& tailnet.Options {
680- Addresses : []netip. Prefix { netip . PrefixFrom ( codersdk . WorkspaceAgentIP , 128 )} ,
706+ Addresses : a . wireguardAddresses ( agentID ) ,
681707 DERPMap : derpMap ,
682708 Logger : a .logger .Named ("tailnet" ),
683709 ListenPort : a .tailnetListenPort ,
0 commit comments