TUN-6043: Allow UI-managed Tunnels to fallback from QUIC but warn about that

nmldiegues · nmldiegues · commit 7a6ab54fcb73 · 2022-04-12T09:46:07.000+01:00
diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
@@ -216,6 +216,7 @@ func prepareTunnelConfig(
 	)
 
 	transportProtocol := c.String("protocol")
+	protocolFetcher := edgediscovery.ProtocolPercentage
 
 	cfg := config.GetConfiguration()
 	if isNamedTunnel {
@@ -227,7 +228,20 @@ func prepareTunnelConfig(
 		features := append(c.StringSlice("features"), supervisor.FeatureSerializedHeaders)
 		if c.IsSet(TunnelTokenFlag) {
 			if transportProtocol == connection.AutoSelectFlag {
-				transportProtocol = connection.QUIC.String()
+				protocolFetcher = func() (edgediscovery.ProtocolPercents, error) {
+					// If the Tunnel is remotely managed and no protocol is set, we prefer QUIC, but still allow fall-back.
+					preferQuic := []edgediscovery.ProtocolPercent{
+						{
+							Protocol:   connection.QUIC.String(),
+							Percentage: 100,
+						},
+						{
+							Protocol:   connection.HTTP2.String(),
+							Percentage: 100,
+						},
+					}
+					return preferQuic, nil
+				}
 			}
 			features = append(features, supervisor.FeatureAllowRemoteConfig)
 			log.Info().Msg("Will be fetching remotely managed configuration from Cloudflare API. Defaulting to protocol: quic")
@@ -274,7 +288,7 @@ func prepareTunnelConfig(
 	}
 
 	warpRoutingEnabled := isWarpRoutingEnabled(cfg.WarpRouting, isNamedTunnel)
-	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, warpRoutingEnabled, namedTunnel, edgediscovery.ProtocolPercentage, supervisor.ResolveTTL, log)
+	protocolSelector, err := connection.NewProtocolSelector(transportProtocol, warpRoutingEnabled, namedTunnel, protocolFetcher, supervisor.ResolveTTL, log)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/supervisor/tunnel.go b/supervisor/tunnel.go
@@ -235,6 +235,15 @@ func selectNextProtocol(
 	_, hasFallback := selector.Fallback()
 
 	if protocolBackoff.ReachedMaxRetries() || (hasFallback && isNetworkActivityTimeout) {
+		if isNetworkActivityTimeout {
+			connLog.Warn().Msg("If this log occurs persistently, and cloudflared is unable to connect to " +
+				"Cloudflare Network with `quic` protocol, then most likely your machine/network is getting its egress " +
+				"UDP to port 7844 (or others) blocked or dropped. Make sure to allow egress connectivity as per " +
+				"https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ports-and-ips/\n" +
+				"If you are using private routing to this Tunnel, then UDP (and Private DNS Resolution) will not work" +
+				"unless your cloudflared can connect with Cloudflare Network with `quic`.")
+		}
+
 		fallback, hasFallback := selector.Fallback()
 		if !hasFallback {
 			return false
