Keep DERP always direct

derp/derphttp/derphttp_client.go

@@ -707,7 +707,7 @@ func (c *Client) _DialRegionTLS(ctx context.Context, reg *tailcfg.DERPRegion) (t
 }
 
 func (c *Client) dialContext(ctx context.Context, proto, addr string) (net.Conn, error) {
-	return netns.NewDialer(c.logf, c.netMon).DialContext(ctx, proto, addr)
+	return netns.NewDialerAlwaysDirect(c.logf, c.netMon).DialContext(ctx, proto, addr)
 }
 
 // shouldDialProto reports whether an explicitly provided IPv4 or IPv6

logpolicy/logpolicy.go

@@ -798,7 +798,7 @@ func dialContext(ctx context.Context, netw, addr string, netMon *netmon.Monitor,
 	nd := netns.FromDialer(logf, netMon, &net.Dialer{
 		Timeout:   30 * time.Second,
 		KeepAlive: netknob.PlatformTCPKeepAlive(),
-	})
+	}, false)
 	t0 := time.Now()
 	c, err := nd.DialContext(ctx, netw, addr)
 	d := time.Since(t0).Round(time.Millisecond)

net/netns/netns.go

@@ -95,18 +95,27 @@ func NewDialer(logf logger.Logf, netMon *netmon.Monitor) Dialer {
 	}
 	return FromDialer(logf, netMon, &net.Dialer{
 		KeepAlive: netknob.PlatformTCPKeepAlive(),
-	})
+	}, false)
+}
+
+func NewDialerAlwaysDirect(logf logger.Logf, netMon *netmon.Monitor) Dialer {
+	if netMon == nil {
+		panic("netns.NewDialer called with nil netMon")
+	}
+	return FromDialer(logf, netMon, &net.Dialer{
+		KeepAlive: netknob.PlatformTCPKeepAlive(),
+	}, true)
 }
 
 // FromDialer returns sets d.Control as necessary to run in a logical
 // network namespace that doesn't route back into Tailscale. It also
 // handles using a SOCKS if configured in the environment with
 // ALL_PROXY.
-func FromDialer(logf logger.Logf, netMon *netmon.Monitor, d *net.Dialer) Dialer {
+func FromDialer(logf logger.Logf, netMon *netmon.Monitor, d *net.Dialer, ad bool) Dialer {
 	if netMon == nil {
 		panic("netns.FromDialer called with nil netMon")
 	}
-	if dialer := netMon.Dialer(); dialer != nil {
+	if dialer := netMon.Dialer(); dialer != nil && !ad {
 		return dialerWrapper{dialer}
 	}
 	if disabled.Load() {