Add ability to choose a custom coordination server #45

@half-duplex
Contributor

half-duplex commented Apr 11, 2022

This allows users to set a custom coordination/login/control server via a 3-dots menu on the login view.

This is sub-optimal in at least three ways, but I'm already out of my depth.

  • The app restart is gross and shouldn't be necessary, but ipnlocal can't update ControlURL after Start() and I couldn't find another clean way to trigger ipnlocal.Start() again. I don't know golang, so don't dare go deeper.
  • It should be clear on the login view (and maybe logged-in view) that a custom server is configured, maybe with an ❌
  • It should be more obvious how to reset to default (erase the contents of the field and save)
Screenshots

Screenshot of the normal login page, with a small three-dot menu button at the top right
Screenshot of the menu open, with a header, "Advanced settings", and one item, "Use login server"
Screenshot of the login server change page, showing three elements: a textbox with the placeholder "https://controlplane.tailscale.com", a "Save and restart" button, and a "Cancel" button

Related:
https://twitter.com/dave_universetf/status/1415046381996167170
juanfont/headscale#58
juanfont/headscale#146

@DentonGentry
Contributor

I expect to support setting the control server URL via MDM deployments, as a variable which can be set. I don't especially want to have it in the UI like this, most people using the app won't know what it is or why it would be so emphasized.

@half-duplex
Contributor Author

I'd have stuck it in the debug stuff so it's not in the UI for people who aren't specifically looking for it, but the search bar to access debug isn't accessible until after logging in to the default server =
Failing that, I figured having it behind the menu button under an "Advanced settings" header was sufficiently obscure.

@bradfitz
Member

There's already precedent for a hidden debug menu:

tailscale/tailscale#1738 (comment)

You type "debug" into the search box and then debug options show up in the menu.

I'd be fine with that for Android. For iOS we should only do the MDM thing.

@half-duplex
Contributor Author

That's the debug stuff I meant - Enabling the debug menu options requires having access to the search bar, which is only shown post-login. I like how you got that in without needing any added UI elements 😸
Creating an account on tailscale.com and signing in to that before being able to switch to a custom server would work, but it would be a pretty annoying UX, especially for corporate users (unless I'm unaware of Android MDM features for that sort of thing?)

@GrahamJenkins

I would also love to see something like this offered. I'm coming from the headscale crowd trying things out. So far the only place I have gotten stuck has been on the Android version. I would love to be able to use the prebuilt client if possible. I was trying to build from source, but...that's a subject for another issue.

I do agree that requiring a tailscale account before getting to the secret menu would be a rough user flow, but I'll take what I can get. I would prefer either an option like what is proposed, or even a secret 5-tap sequence in some corner of the login window.

@DentonGentry
Contributor

This is how one would set up for an MDM on Android:
https://developer.android.com/work/managed-configurations.html#define-configuration
https://developers.google.com/android/work/play/emm-api/managed-configurations
https://developers.google.com/zero-touch/guides/customer/how-it-works

Once done, users who don't have a full MPM can use an app to toggle settings like TestDPC: https://play.google.com/store/apps/details?id=com.afwsamples.testdpc&hl=en_US&gl=US

@0x1a8510f2

> Once done, users who don't have a full MPM can use an app to toggle settings like TestDPC

FWIW I (as another soon-to-be user of headscale) would strongly prefer not to have to rely on another app to do this. Obviously I'll take what I can get, but access to a developer menu via the login screen where the option is available would be much better IMO, even on top of MDM.

For one, this allows users of low-end devices with minimal storage and no MDM to still self-host. Also, it means that more debug/developer options can easily be included in the future and also that this feature can be documented if required without relying on or pointing to a 3rd party.

@VelocityDesign

Is there any progress on this PR, or are people just brainstorming for how to implement this feature?

@DentonGentry
Contributor

An approach which uses the Android MDM APIs to set properties would be reasonable, as there are ways to set properties which don't involve installing a full MDM.

@fernandoenzo

> FWIW I (as another soon-to-be user of headscale) would strongly prefer not to have to rely on another app to do this. Obviously I'll take what I can get, but access to a developer menu via the login screen where the option is available would be much better IMO, even on top of MDM.
>
> For one, this allows users of low-end devices with minimal storage and no MDM to still self-host. Also, it means that more debug/developer options can easily be included in the future and also that this feature can be documented if required without relying on or pointing to a 3rd party.

I totally agree with you. I think this pull request should be accepted as is. This would be a very nice feature identical to what other apps like Element (Matrix client) already implement, leaving the default server as matrix.org but allowing the user to easily change it for another custom one.

An MDM approach is the complete opposite of ease of use. No one would really understand or agree with the need to install an app like TestDPC just to configure a single URL for another.

@bradfitz
Member

> I think this pull request should be accepted as is.

We do want Android users to be able to configure their control plane server URL.

We do not want to add gunk to menus that most users won't use and will be confused by. (Keep in mind that us nerds in these comments on this PR and related issues are not Tailscale's typical users. Many Tailscale users aren't even tech people; they just need to use it for work because their company told them that's what their corporate VPN is.)

So we need to do something slightly hidden to make this option not appear right away. In the past, we hid an option unless you typed "debug" into the search box. We could also wire up the Tailscale CLI to the adb shell or the Android GUI. Or we could require that the phone's in developer mode. Or some combination.

But what we won't accept as is is adding nerdy options to menus. So let's find something more hidden.

@half-duplex
Contributor Author

half-duplex commented Jul 28, 2022

> I think this pull request should be accepted as is.

It definitely needs some tweaks from someone who knows what they're doing to be in a state I'd consider good even for power users, but thanks ❤️

> We need to do something slightly hidden to make this option not appear right away.

The app still has tools that show up if you search "debug", but that search box isn't available until well after this setting would need to be changed.

I'm fine with using adb shell to configure it, or the menu only showing if developer options or ADB are enabled. MDM-only would still be better than the current situation.

If you want to make it really hidden with zero changes to this app:

  • Build a trivial app that does nothing but set the required settings
  • Give it the same package name, and v0.0.1 or so
  • Sign it with the same key

Users wanting a custom server would sideload that, set the setting, then update it to the normal version using the play store.

@fernandoenzo

fernandoenzo commented Jul 28, 2022

> Many Tailscale users aren't even tech people; they just need to use it for work because their company told them that's what their corporate VPN is.

Indeed, I have no doubt that most users will be from companies that simply tell them to use this program. But, what if those companies are using their own headscale server? So we are in the same situation, or worse, as we would require non-expert users to access the adb shell, configure via MDM, or look for a hidden debug menu.

I still think that the best option, for everyone, without a doubt, is the one proposed in this pull request.

@bradfitz
Member

> But, what if those companies are using their own headscale server?

That's why we really want MDM support. Then companies can push out provisioning profiles or whatnot.

But generally, most Headscale users are nerdy folk (like me) doing their own self-hosting. Hiding this a bit for nerds for personal use seems fine.

> I still think that the best option, for everyone, without a doubt, is the one proposed in this pull request.

Yes, you've made your position clear. I hope I've made ours clear.

We're not going to accept this being super prominent in the UI where it'll confuse non-tech users.

@bradfitz
Member

> We're not going to accept this being super prominent in the UI

That said, I haven't patched this in and built it. My Android dev environment always rots (and/or I forget where things are at) whenever I go to hack on it more.

@half-duplex, have screenshots?

@half-duplex
Contributor Author

half-duplex commented Jul 28, 2022

Yep, or you can play with the APK in my fork's tag.

Screenshots

Screenshot of the normal login page, with a small three-dot menu button at the top right
Screenshot of the menu open, with a header, "Advanced settings", and one item, "Use login server"
Screenshot of the login server change page, showing three elements: a textbox with the placeholder "https://controlplane.tailscale.com", a "Save and restart" button, and a "Cancel" button

(Also edited OP to add them)

@0x1a8510f2

I personally like the "if developer options are enabled" if there is an API for that, or the "v0.0.1 config app" idea.

My use case involves letting non-tech people connect to my VPN (obviously without setting up MDM on their phones) so I would prefer that the feature is easy enough to access that I can give them instructions to do so, without relying on ADB or a third party app, even if it's not necessarily visible right away or as prominent as other options.

While I don't think @half-duplex's solution would be confusing necessarily (I also somewhat hope you think so too after seeing the screenshots :P), I can see your point of view and, ultimately, we can't demand anything given that everyone requesting this feature is explicitly NOT paying tailscale :P.

That said, I ultimately hope for some sort of compromise like "tap out 'debug' in Morse code on the screen to open the debug menu" or use the konami code instead or "click an empty area 8 times in a row and then hold it", all of which should be sufficiently hidden.

@nnsee

nnsee commented Aug 1, 2022

It's unfortunate that the maintainers of Tailscale are holding this position regarding having a relatively hidden option in the UI.

> We do not want to add gunk to menus that most users won't use and will be confused by.

This "gunk" is hidden behind very deliberate on-screen selections. It's hard to imagine someone accidentally entering that screen and being unable to back out of it. But if that's why this functionality isn't being added, then it's pretty easy to add a scary red warning text that instructs the user to press "Back" if they don't know what this menu is for. Regardless, I think for most people, insinuating that they're too technologically illiterate or "confused" to back out of a menu is somewhat insulting.

Meanwhile, this over-simplification ends up alienating the users who find Tailscale to be an excellent piece of software but want to, for one reason or another, self-host the control plane. If I want my partner or mother to access an internal file server, I'm not going to be installing MDM software on their devices. I'm not going to be enabling developer mode, or dropping into an adb shell either. It should be possible to specify the URL without relatively dirty hacks. I'm not sure why Tailscale insists that the end users of a self-hosted control plane must be as technologically literate as the one who hosts the control plane. I can tell my mother to press the three dots, select the "advanced option", and enter a URL over the phone. I cannot do the same with any of the other suggested options.

I'm not demanding that Tailscale merge this PR in particular, but rather seriously reconsider their stance on having an option similar to this in the pre-auth UI. I'm not entitled, just very disappointed.

@x86dev

x86dev commented Aug 1, 2022

> I'm not demanding that Tailscale merge this PR in particular, but rather seriously reconsider their stance on having an option similar to this in the pre-auth UI. I'm not entitled, just very disappointed.

Full ACK, I couldn't write this better. I also don't understand why this should be a blocker. This would also avoid all those custom build forks, which of course also have a different signature and so on. In the end that patch would add security to those who want to host the stuff themselves, as they finally could use the official client.

@bradfitz
Member

bradfitz commented Aug 1, 2022

> That said, I haven't patched this in and built it. My Android dev environment always rots (and/or I forget where things are at) whenever I go to hack on it more.
>
> @half-duplex, have screenshots?

Thanks! This isn't as nerdy looking as I'd feared. I might've been remembering a different PR.

How about this as a compromise:

  • We always show that "..." hamburger menu on the login screen,
  • We add an "About" menu item to that login menu that shows the build version, and by default the "About" item is the only item in the list.
  • If you open and close "..." a few times within a few seconds, then "Advanced" stuff appears, currently only this new control plane / "login" server URL. We can then also add other advanced stuff there in the future (like "bug report", "netcheck", etc)

.... but no Android dev mode or "adb push" etc. If we do Android MDM stuff later, it's likely one of the MDM properties will let enterprise admins lock/hide that menu option, forcing it to their on-prem control plane.

I can try adding that to this PR, unless you have time, @half-duplex.

@half-duplex
Contributor Author

That solution would be great, or Android-style build number rapid tap or long-press.

As I've said, I don't really speak golang, so anything I try would probably need nontrivial edits. Any changes you want to make to this PR are entirely welcome, or closing it if you'd prefer to start from scratch. It's here in equal parts for "in case you're too busy and this is good enough" and to progress the discussion. Thanks!

@bradfitz
Member

bradfitz commented Aug 1, 2022

Hey @eliasnaur, do you have time to help us finish this up?

Another thing I noticed: when the menu is open, the dotdotdot menu appears but doesn't do anything. It shouldn't be present on this screen:

Screen Shot 2022-08-01 at 9 10 48 AM

bradfitz added a commit that referenced this pull request Aug 1, 2022
By default, only show the version number in the login screen's menu.
But if you open and close it a few times, then show the alternate
control plane server option. It's always shown if you've ever edited
the value.

And rename it to just "Change server" and remove "Advanced".

Updates #45
@bradfitz bradfitz mentioned this pull request Aug 1, 2022
@bradfitz
Member

bradfitz commented Aug 1, 2022

@half-duplex, I just sent #55 with this commit plus a bit of tweaking in a second commit.

@bradfitz
Member

bradfitz commented Aug 1, 2022

Merged in #55

@bradfitz bradfitz closed this Aug 1, 2022
@half-duplex half-duplex deleted the custom-server branch August 1, 2022 19:50
@bradfitz
Member

bradfitz commented Aug 2, 2022

Quoting @DentonGentry from #55:


This functionality is available in the 1.29.72 in the Open Testing track in the Play Store.

It will be present in the next major release 1.30.0.
