net/netns, net/interfaces: move defaultRouteInterface, add Android fallback

Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2020-08-10 13:01:49 -07:00
831 changed files with 20215 additions and 122039 deletions
--- a/.bencher/config.yaml
+++ b/.bencher/config.yaml
@@ -1 +0,0 @@
-suppress_failure_on_regression: true
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1 @@
 go.mod filter=go-mod
-*.go  diff=golang
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,75 +0,0 @@
-name: Bug report
-description: File a bug report
-labels: [needs-triage, bug]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues).
-        Have an urgent issue? Let us know by emailing us at <support@tailscale.com>.
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: What is the issue?
-      description: What happened? What did you expect to happen?
-      placeholder: oh no
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to reproduce
-      description: What are the steps you took that hit this issue?
-    validations:
-      required: false
-  - type: textarea
-    id: changes
-    attributes:
-      label: Are there any recent changes that introduced the issue?
-      description: If so, what are those changes?
-    validations:
-      required: false
-  - type: dropdown
-    id: os
-    attributes:
-      label: OS
-      description: What OS are you using? You may select more than one.
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - iOS
-        - Android
-        - Synology
-        - Other
-    validations:
-      required: false
-  - type: input
-    id: os-version
-    attributes:
-      label: OS version
-      description: What OS version are you using?
-      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6, Synology DSM 7
-    validations:
-      required: false
-  - type: input
-    id: ts-version
-    attributes:
-      label: Tailscale version
-      description: What Tailscale version are you using?
-      placeholder: e.g., 1.14.4
-    validations:
-      required: false
-  - type: input
-    id: bug-report
-    attributes:
-      label: Bug report
-      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
-      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a bug report!
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,5 @@
 blank_issues_enabled: true
 contact_links:
-  - name: Support
-    url: https://tailscale.com/contact/support/
-    about: Contact us for support
-  - name: Troubleshooting
+  - name: Support and Product Questions
    url: https://tailscale.com/kb/1023/troubleshooting
-    about: Troubleshoot common issues
+    about: Please send support questions and questions about the Tailscale product to support@tailscale.com
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,26 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,42 +0,0 @@
-name: Feature request
-description: Propose a new feature
-title: "FR: "
-labels: [needs-triage, fr]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
-        Tell us about your idea!
-  - type: textarea
-    id: problem
-    attributes:
-      label: What are you trying to do?
-      description: Tell us about the problem you're trying to solve.
-    validations:
-      required: false
-  - type: textarea
-    id: solution
-    attributes:
-      label: How should we solve this?
-      description: If you have an idea of how you'd like to see this feature work, let us know.
-    validations:
-      required: false
-  - type: textarea
-    id: alternative
-    attributes:
-      label: What is the impact of not solving this?
-      description: (How) Are you currently working around the issue?
-    validations:
-      required: false
-  - type: textarea
-    id: context
-    attributes:
-      label: Anything else?
-      description: Any additional context to share, e.g., links
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a feature request!
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,21 +0,0 @@
-# Documentation for this file can be found at:
-# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
-version: 2
-updates:
-  ## Disabled between releases. We reenable it briefly after every
-  ## stable release, pull in all changes, and close it again so that
-  ## the tree remains more stable during development and the upstream
-  ## changes have time to soak before the next release.
-  # - package-ecosystem: "gomod"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "daily"
-  #   commit-message:
-  #     prefix: "go.mod:"
-  #   open-pull-requests-limit: 100
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: ".github:"
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,26 +0,0 @@
-name: CIFuzz
-on: [pull_request]
-jobs:
-  Fuzzing:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Build Fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        dry-run: false
-        language: go
-    - name: Run Fuzzers
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: Upload Crash
-      uses: actions/upload-artifact@v3
-      if: failure() && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main, release-branch/* ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  schedule:
-    - cron: '31 14 * * 5'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -17,13 +17,13 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: macOS build cmd
      env:
@@ -37,12 +37,6 @@ jobs:
        GOARCH: amd64
      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done

-    - name: iOS build most
-      env:
-        GOOS: ios
-        GOARCH: arm64
-      run: go install ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-
    - uses: k0kubun/action-slack@v2.0.0
      with:
        payload: |
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -17,13 +17,13 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: FreeBSD build cmd
      env:
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -17,13 +17,13 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: OpenBSD build cmd
      env:
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -1,47 +0,0 @@
-name: Wasm-Cross
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Wasm client build
-      env:
-        GOOS: js
-        GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -17,13 +17,13 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: Windows build cmd
      env:
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -1,28 +0,0 @@
-name: depaware
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: depaware tailscaled
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-
-    - name: depaware tailscale
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -1,38 +0,0 @@
-name: go generate
-
-on:
-  push:
-    branches:
-      - main
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
-      - name: Check out code
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: check 'go generate' is clean
-        run: |
-          if [[ "${{github.ref}}" == release-branch/* ]]
-          then
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          else
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          fi
-          go generate $pkgs
-          echo
-          echo
-          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -14,12 +14,12 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14

    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: Run license checker
      run: ./scripts/check_license_headers.sh .
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -1,63 +0,0 @@
-name: Linux race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18
-      id: go
-
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
-    - name: Basic build
-      run: go build ./cmd/...
-
-    - name: Run tests and benchmarks with -race flag on linux
-      run: go test -race -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,43 +17,19 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: Basic build
      run: go build ./cmd/...

-    - name: Get QEMU
-      run: |
-        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
-        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
-        # use this PPA which brings in a modern qemu.
-        sudo add-apt-repository -y ppa:jacob/virtualisation
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-
    - name: Run tests on linux
-      run: go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
+      run: go test ./...

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -17,34 +17,19 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14
      id: go

    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: Basic build
      run: GOARCH=386 go build ./cmd/...

    - name: Run tests on linux
-      run: GOARCH=386 go test -bench=. -benchtime=1x ./...
-
-    - name: Check that no tracked files in the repo have been modified
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-
-    - name: Check that no files have been added to the repo
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
+      run: GOARCH=386 go test ./...

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -14,45 +14,21 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.18
+        go-version: 1.14

    - name: Check out code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v1

    - name: Run go vet
      run: go vet ./...

-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
    - name: Print staticcheck version
-      run: "staticcheck -version"
+      run: go run honnef.co/go/tools/cmd/staticcheck -version

-    - name: Run staticcheck (linux/amd64)
-      env:
-        GOOS: linux
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (darwin/amd64)
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/amd64)
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/386)
-      env:
-        GOOS: windows
-        GOARCH: "386"
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+    - name: Run staticcheck
+      run: "go run honnef.co/go/tools/cmd/staticcheck -- $(go list ./... | grep -v tempfork)"

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -1,46 +0,0 @@
-name: VM
-
-on:
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  ubuntu2004-LTS-cloud-base:
-    runs-on: [ self-hosted, linux, vm ]
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-      - name: Set GOPATH
-        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
-
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
-      - name: Checkout Code
-        uses: actions/checkout@v3
-
-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-        env:
-          HOME: "/tmp"
-          TMPDIR: "/tmp"
-          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
-
-      - uses: k0kubun/action-slack@v2.0.0
-        with:
-          payload: |
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                        "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                        "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'push'
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -1,77 +0,0 @@
-name: Windows race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # The -race- here ensures that non-race builds and race builds do not
-        # overwrite each others cache, as while they share some files, they
-        # differ in most by volume (build cache).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}
-
-    - name: Print toolchain details
-      run: gcc -v
-
-    # There is currently an issue in the race detector in Go on Windows when
-    # used with a newer version of GCC.
-    # See https://github.com/tailscale/tailscale/issues/4926.
-    - name: Downgrade MinGW
-      shell: bash
-      run: |
-        choco install mingw --version 10.2.0 --allow-downgrade
-
-    - name: Test with -race flag
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -race -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,63 +0,0 @@
-name: Windows
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-
-    - name: Test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.gitignore
+++ b/.gitignore
@@ -1,12 +1,12 @@
 # Binaries for programs and plugins
 *~
-*.tmp
 *.exe
 *.dll
 *.so
 *.dylib
-*.spk

+cmd/relaynode/relaynode
+cmd/taillogin/taillogin
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled

@@ -18,7 +18,3 @@ cmd/tailscaled/tailscaled

 # Dependency directories (remove the comment below to include it)
 # vendor/
-
-# direnv config, this may be different for other people so it's probably safer
-# to make this nonspecific.
-.envrc
--- a/ALPINE.txt
+++ b/ALPINE.txt
@@ -1 +0,0 @@
-3.16
--- a/52
+++ b/52
@@ -2,26 +2,15 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.

-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
-#
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
 #
-#     $ docker build -t tailscale/tailscale .
+#     $ docker build -t tailscale:tailscale .
 #
 # To run the tailscaled agent:
 #
-#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale/tailscale tailscaled
+#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale:tailscale tailscaled
 #
 # To then log in:
 #
@@ -32,43 +21,18 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.18-alpine AS build-env
+FROM golang:1.14-alpine AS build-env

 WORKDIR /go/src/tailscale

-COPY go.mod go.sum ./
+COPY go.mod .
+COPY go.sum .
 RUN go mod download

-# Pre-build some stuff before the following COPY line invalidates the Docker cache.
-RUN go install \
-    github.com/aws/aws-sdk-go-v2/aws \
-    github.com/aws/aws-sdk-go-v2/config \
-    gvisor.dev/gvisor/pkg/tcpip/adapters/gonet \
-    gvisor.dev/gvisor/pkg/tcpip/stack \
-    golang.org/x/crypto/ssh \
-    golang.org/x/crypto/acme \
-    nhooyr.io/websocket \
-    github.com/mdlayher/netlink \
-    golang.zx2c4.com/wireguard/device
-
 COPY . .

-# see build_docker.sh
-ARG VERSION_LONG=""
-ENV VERSION_LONG=$VERSION_LONG
-ARG VERSION_SHORT=""
-ENV VERSION_SHORT=$VERSION_SHORT
-ARG VERSION_GIT_HASH=""
-ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
-ARG TARGETARCH
-
-RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.Long=$VERSION_LONG \
-      -X tailscale.com/version.Short=$VERSION_SHORT \
-      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
-      -v ./cmd/tailscale ./cmd/tailscaled
-
-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN go install -v ./cmd/...

+FROM alpine:3.11
+RUN apk add --no-cache ca-certificates iptables iproute2
 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,6 +0,0 @@
-# Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-# Use of this source code is governed by a BSD-style
-# license that can be found in the LICENSE file.
-
-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/46
+++ b/46
@@ -1,29 +1,27 @@
-BSD 3-Clause License
-
-Copyright (c) 2020 Tailscale & AUTHORS.
-All rights reserved.
+Copyright (c) 2020 Tailscale & AUTHORS. All rights reserved.

 Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+modification, are permitted provided that the following conditions are
+met:

-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Tailscale Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.

-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/46
+++ b/46
@@ -1,49 +1,7 @@
-IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "amd64"
-SYNO_DSM ?= "7"
-
 usage:
 	echo "See Makefile"

-vet:
-	./tool/go vet ./...
-
-tidy:
-	./tool/go mod tidy -compat=1.17
-
-updatedeps:
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
-
-depaware:
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
-
-buildwindows:
-	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-build386:
-	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildlinuxarm:
-	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildmultiarchimage:
-	./build_docker.sh
-
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm
+check: staticcheck

 staticcheck:
-	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
-
-spk:
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
-
-spkall:
-	mkdir -p spks
-	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all
-
-pushspk: spk
-	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
-	scp tailscale.spk root@${SYNO_HOST}:
-	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
+	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -8,12 +8,11 @@ Private WireGuard® networks made easy

 This repository contains all the open source Tailscale client code and
 the `tailscaled` daemon and `tailscale` CLI tool. The `tailscaled`
-daemon runs on Linux, Windows and [macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees on FreeBSD, OpenBSD, and Darwin. (The Tailscale iOS and Android apps use this repo's code, but this repo doesn't contain the mobile GUI code.)
+daemon runs primarily on Linux; it also works to varying degrees on
+FreeBSD, OpenBSD, Darwin, and Windows.

 The Android app is at https://github.com/tailscale/tailscale-android

-The Synology package is at https://github.com/tailscale/tailscale-synology
-
 ## Using

 We serve packages for a variety of distros at
@@ -31,20 +30,8 @@ wrappers that are not open source.
 go install tailscale.com/cmd/tailscale{,d}
 ```

-If you're packaging Tailscale for distribution, use `build_dist.sh`
-instead, to burn commit IDs and version info into the binaries:
-
-```
-./build_dist.sh tailscale.com/cmd/tailscale
-./build_dist.sh tailscale.com/cmd/tailscaled
-```
-
-If your distro has conventions that preclude the use of
-`build_dist.sh`, please do the equivalent of what it does in your
-distro's way, so that bug reports contain useful version information.
-
 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.18) in module mode. It might
+release candidate builds (currently Go 1.14) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.

@@ -64,13 +51,8 @@ Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)

 ## About Us

-[Tailscale](https://tailscale.com/) is primarily developed by the
-people at https://github.com/orgs/tailscale/people. For other contributors,
-see:
-
-* https://github.com/tailscale/tailscale/graphs/contributors
-* https://github.com/tailscale/tailscale-android/graphs/contributors
-
-## Legal
+We are apenwarr, bradfitz, crawshaw, danderson, dfcarney, josharian
+from Tailscale Inc.
+You can learn more about us from [our website](https://tailscale.com).

 WireGuard is a registered trademark of Jason A. Donenfeld.
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +0,0 @@
-1.29.0
--- a/api.md
+++ b/api.md
--- a/build_dist.sh
+++ b/build_dist.sh
@@ -1,48 +0,0 @@
-#!/usr/bin/env sh
-#
-# Runs `go build` with flags configured for binary distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries, so that we can track down user
-# issues.
-#
-# If you're packaging Tailscale for a distro, please consider using
-# this script, or executing equivalent commands in your
-# distro-specific build system.
-
-set -eu
-
-IFS=".$IFS" read -r major minor patch <VERSION.txt
-git_hash=$(git rev-parse HEAD)
-if ! git diff-index --quiet HEAD; then
-	git_hash="${git_hash}-dirty"
-fi
-base_hash=$(git rev-list --max-count=1 HEAD -- VERSION.txt)
-change_count=$(git rev-list --count HEAD "^$base_hash")
-short_hash=$(echo "$git_hash" | cut -c1-9)
-
-if expr "$minor" : "[0-9]*[13579]$" >/dev/null; then
-	patch="$change_count"
-	change_suffix=""
-elif [ "$change_count" != "0" ]; then
-	change_suffix="-$change_count"
-else
-	change_suffix=""
-fi
-
-long_suffix="$change_suffix-t$short_hash"
-MINOR="$major.$minor"
-SHORT="$MINOR.$patch"
-LONG="${SHORT}$long_suffix"
-GIT_HASH="$git_hash"
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_MINOR="$MINOR"
-VERSION_SHORT="$SHORT"
-VERSION_LONG="$LONG"
-VERSION_GIT_HASH="$GIT_HASH"
-EOF
-	exit 0
-fi
-
-exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,48 +0,0 @@
-#!/usr/bin/env sh
-
-#
-# Runs `go build` with flags configured for docker distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries inside docker, so that we can track down user
-# issues.
-#
-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
-#
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
-set -eu
-
-# Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH=$PWD/tool:$PATH
-
-eval $(./build_dist.sh shellvars)
-DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
-DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.16"
-
-PUSH="${PUSH:-false}"
-REPOS="${REPOS:-${DEFAULT_REPOS}}"
-TAGS="${TAGS:-${DEFAULT_TAGS}}"
-BASE="${BASE:-${DEFAULT_BASE}}"
-
-go run github.com/tailscale/mkctr \
-  --gopaths="\
-    tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-    tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
-  --ldflags="\
-    -X tailscale.com/version.Long=${VERSION_LONG} \
-    -X tailscale.com/version.Short=${VERSION_SHORT} \
-    -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --files="docs/k8s/run.sh:/tailscale/run.sh" \
-  --base="${BASE}" \
-  --tags="${TAGS}" \
-  --repos="${REPOS}" \
-  --push="${PUSH}" \
-  /bin/sh /tailscale/run.sh
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -1,129 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package chirp implements a client to communicate with the BIRD Internet
-// Routing Daemon.
-package chirp
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"strings"
-)
-
-// New creates a BIRDClient.
-func New(socket string) (*BIRDClient, error) {
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
-	}
-	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
-	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readResponse(); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-// BIRDClient handles communication with the BIRD Internet Routing Daemon.
-type BIRDClient struct {
-	socket  string
-	conn    net.Conn
-	scanner *bufio.Scanner
-}
-
-// Close closes the underlying connection to BIRD.
-func (b *BIRDClient) Close() error { return b.conn.Close() }
-
-// DisableProtocol disables the provided protocol.
-func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to disable %s: %v", protocol, out)
-}
-
-// EnableProtocol enables the provided protocol.
-func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to enable %s: %v", protocol, out)
-}
-
-// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
-
-// Each session of the CLI consists of a sequence of request and replies,
-// slightly resembling the FTP and SMTP protocols.
-// Requests are commands encoded as a single line of text,
-// replies are sequences of lines starting with a four-digit code
-// followed by either a space (if it's the last line of the reply) or
-// a minus sign (when the reply is going to continue with the next line),
-// the rest of the line contains a textual message semantics of which depends on the numeric code.
-// If a reply line has the same code as the previous one and it's a continuation line,
-// the whole prefix can be replaced by a single white space character.
-//
-// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
-// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
-
-func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
-		return "", err
-	}
-	fmt.Fprintln(b.conn)
-	return b.readResponse()
-}
-
-// hasResponseCode reports whether the provided byte slice is
-// prefixed with a BIRD response code.
-// Equivalent regex: `^\d{4}[ -]`.
-func hasResponseCode(s []byte) bool {
-	if len(s) < 5 {
-		return false
-	}
-	for _, b := range s[:4] {
-		if '0' <= b && b <= '9' {
-			continue
-		}
-		return false
-	}
-	return s[4] == ' ' || s[4] == '-'
-}
-
-func (b *BIRDClient) readResponse() (string, error) {
-	var resp strings.Builder
-	var done bool
-	for !done {
-		if !b.scanner.Scan() {
-			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
-		}
-		if err := b.scanner.Err(); err != nil {
-			return "", err
-		}
-		out := b.scanner.Bytes()
-		if _, err := resp.Write(out); err != nil {
-			return "", err
-		}
-		if hasResponseCode(out) {
-			done = out[4] == ' '
-		}
-		if !done {
-			resp.WriteRune('\n')
-		}
-	}
-	return resp.String(), nil
-}
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -1,111 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-package chirp
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"net"
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-type fakeBIRD struct {
-	net.Listener
-	protocolsEnabled map[string]bool
-	sock             string
-}
-
-func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pe := make(map[string]bool)
-	for _, p := range protocols {
-		pe[p] = false
-	}
-	return &fakeBIRD{
-		Listener:         l,
-		protocolsEnabled: pe,
-		sock:             sock,
-	}
-}
-
-func (fb *fakeBIRD) listen() error {
-	for {
-		c, err := fb.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		go fb.handle(c)
-	}
-}
-
-func (fb *fakeBIRD) handle(c net.Conn) {
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-	sc := bufio.NewScanner(c)
-	for sc.Scan() {
-		cmd := sc.Text()
-		args := strings.Split(cmd, " ")
-		switch args[0] {
-		case "enable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if en {
-				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = true
-		case "disable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if !en {
-				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = false
-		}
-	}
-}
-
-func TestChirp(t *testing.T) {
-	fb := newFakeBIRD(t, "tailscale")
-	defer fb.Close()
-	go fb.listen()
-	c, err := New(fb.sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeded", "rando")
-	}
-	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeded", "rando")
-	}
-}
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -1,478 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"inet.af/netaddr"
-)
-
-// ACLRow defines a rule that grants access by a set of users or groups to a set
-// of servers and ports.
-// Only one of Src/Dst or Users/Ports may be specified.
-type ACLRow struct {
-	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Users  []string `json:"users,omitempty"`  // old name for src
-	Ports  []string `json:"ports,omitempty"`  // old name for dst
-	Src    []string `json:"src,omitempty"`
-	Dst    []string `json:"dst,omitempty"`
-}
-
-// ACLTest defines a test for your ACLs to prevent accidental exposure or
-// revoking of access to key servers and ports. Only one of Src or User may be
-// specified, and only one of Allow/Accept may be specified.
-type ACLTest struct {
-	Src    string   `json:"src,omitempty"`    // source
-	User   string   `json:"user,omitempty"`   // old name for source
-	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
-	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
-
-	Allow []string `json:"allow,omitempty"` // old name for accept
-}
-
-// ACLDetails contains all the details for an ACL.
-type ACLDetails struct {
-	Tests     []ACLTest           `json:"tests,omitempty"`
-	ACLs      []ACLRow            `json:"acls,omitempty"`
-	Groups    map[string][]string `json:"groups,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	Hosts     map[string]string   `json:"hosts,omitempty"`
-}
-
-// ACL contains an ACLDetails and metadata.
-type ACL struct {
-	ACL  ACLDetails
-	ETag string // to check with version on server
-}
-
-// ACLHuJSON contains the HuJSON string of the ACL and metadata.
-type ACLHuJSON struct {
-	ACL      string
-	Warnings []string
-	ETag     string // to check with version on server
-}
-
-// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
-// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
-// comments.
-func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACL: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	acl = &ACL{
-		ACL:  aclDetails,
-		ETag: resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
-// it as a string.
-// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
-// changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
-// https://github.com/tailscale/hujson
-func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	data := struct {
-		ACL      []byte   `json:"acl"`
-		Warnings []string `json:"warnings"`
-	}{}
-	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
-	}
-
-	acl = &ACLHuJSON{
-		ACL:      string(data.ACL),
-		Warnings: data.Warnings,
-		ETag:     resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLTestFailureSummary specifies a user for which ACL tests
-// failed and the related user-friendly error messages.
-//
-// ACLTestFailureSummary specifies the JSON format sent to the
-// JavaScript client to be rendered in the HTML.
-type ACLTestFailureSummary struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
-// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
-type ACLTestError struct {
-	ErrResponse
-	Data []ACLTestFailureSummary `json:"data"`
-}
-
-func (e ACLTestError) Error() string {
-	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
-}
-
-func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, "", err
-	}
-
-	if avoidCollisions {
-		req.Header.Set("If-Match", etag)
-	}
-	req.Header.Set("Accept", acceptHeader)
-	req.Header.Set("Content-Type", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		// check if test error
-		var ate ACLTestError
-		if err := json.Unmarshal(b, &ate); err != nil {
-			return nil, "", err
-		}
-		ate.Status = resp.StatusCode
-		return nil, "", ate
-	}
-	return b, resp.Header.Get("ETag"), nil
-}
-
-// SetACL sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACL: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	res = &ACL{
-		ACL:  aclDetails,
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if the HuJSON is invalid.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
-		}
-	}()
-
-	postData := []byte(acl.ACL)
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
-	if err != nil {
-		return nil, err
-	}
-
-	res = &ACLHuJSON{
-		ACL:  string(b),
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// UserRuleMatch specifies the source users/groups/hosts that a rule targets
-// and the destination ports that they can access.
-// LineNumber is only useful for requests provided in HuJSON form.
-// While JSON requests will have LineNumber, the value is not useful.
-type UserRuleMatch struct {
-	Users      []string `json:"users"`
-	Ports      []string `json:"ports"`
-	LineNumber int      `json:"lineNumber"`
-}
-
-// ACLPreviewResponse is the response type of previewACLPostRequest
-type ACLPreviewResponse struct {
-	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
-	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
-	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-}
-
-// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
-type ACLPreview struct {
-	Matches []UserRuleMatch `json:"matches"`
-	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
-	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-}
-
-func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, err
-	}
-
-	q := req.URL.Query()
-	q.Add("type", previewType)
-	q.Add("previewFor", previewFor)
-	req.URL.RawQuery = q.Encode()
-
-	req.Header.Set("Content-Type", "application/hujson")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	if err = json.Unmarshal(b, &res); err != nil {
-		return nil, err
-	}
-
-	return res, nil
-}
-
-// PreviewACLForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// ValidateACLJSON takes in the given source and destination (in this situation,
-// it is assumed that you are checking whether the source can connect to destination)
-// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
-// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
-// no test errors occur.
-func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
-		}
-	}()
-
-	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
-	postData, err := json.Marshal(tests)
-	if err != nil {
-		return nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
-	}
-
-	// The test ran without fail
-	if len(b) == 0 {
-		return nil, nil
-	}
-
-	var res ACLTestError
-	// The test returned errors.
-	if err = json.Unmarshal(b, &res); err != nil {
-		// failed to unmarshal
-		return nil, err
-	}
-	return &res, nil
-}
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -1,32 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package apitype contains types for the Tailscale local API and control plane API.
-package apitype
-
-import "tailscale.com/tailcfg"
-
-// WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-type WhoIsResponse struct {
-	Node        *tailcfg.Node
-	UserProfile *tailcfg.UserProfile
-
-	// Caps are extra capabilities that the remote Node has to this node.
-	Caps []string `json:",omitempty"`
-}
-
-// FileTarget is a node to which files can be sent, and the PeerAPI
-// URL base to do so via.
-type FileTarget struct {
-	Node *tailcfg.Node
-
-	// PeerAPI is the http://ip:port URL base of the node's peer API,
-	// without any path (not even a single slash).
-	PeerAPIURL string
-}
-
-type WaitingFile struct {
-	Name string
-	Size int64
-}
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -1,20 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers         []DNSResolver            `json:"resolvers"`
-	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
-	Routes            map[string][]DNSResolver `json:"routes"`
-	Domains           []string                 `json:"domains"`
-	Nameservers       []string                 `json:"nameservers"`
-	Proxied           bool                     `json:"proxied"`
-	PerDomain         bool                     `json:",omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -1,262 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-	"strings"
-
-	"tailscale.com/types/opt"
-)
-
-type GetDevicesResponse struct {
-	Devices []*Device `json:"devices"`
-}
-
-type DerpRegion struct {
-	Preferred           bool    `json:"preferred,omitempty"`
-	LatencyMilliseconds float64 `json:"latencyMs"`
-}
-
-type ClientConnectivity struct {
-	Endpoints             []string `json:"endpoints"`
-	DERP                  string   `json:"derp"`
-	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
-	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
-	DERPLatency    map[string]DerpRegion `json:"latency"`
-	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
-}
-
-type Device struct {
-	// Addresses is a list of the devices's Tailscale IP addresses.
-	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
-	Addresses []string `json:"addresses"`
-	DeviceID  string   `json:"id"`
-	User      string   `json:"user"`
-	Name      string   `json:"name"`
-	Hostname  string   `json:"hostname"`
-
-	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
-	OS                string `json:"os"`
-	Created           string `json:"created"` // Empty for external devices.
-	LastSeen          string `json:"lastSeen"`
-	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
-	Expires           string `json:"expires"`
-	Authorized        bool   `json:"authorized"`
-	IsExternal        bool   `json:"isExternal"`
-	MachineKey        string `json:"machineKey"` // Empty for external devices.
-	NodeKey           string `json:"nodeKey"`
-
-	// BlocksIncomingConnections is configured via the device's
-	// Tailscale client preferences. This field is only reported
-	// to the API starting with Tailscale 1.3.x clients.
-	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
-
-	// The following fields are not included by default:
-
-	// EnabledRoutes are the previously-approved subnet routes
-	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
-	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
-	// AdvertisedRoutes are the subnets (both enabled and not enabled)
-	// being requested from the node.
-	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
-
-	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
-}
-
-// DeviceFieldsOpts determines which fields should be returned in the response.
-//
-// Please only use DeviceAllFields and DeviceDefaultFields.
-// Other DeviceFieldsOpts are not supported.
-//
-// TODO: Support other DeviceFieldsOpts.
-// In the future, users should be able to create their own DeviceFieldsOpts
-// as valid arguments by setting the fields they want returned to a "non-nil"
-// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
-type DeviceFieldsOpts Device
-
-func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
-	if d == DeviceDefaultFields || d == nil {
-		return "default"
-	}
-	if d == DeviceAllFields {
-		return "all"
-	}
-
-	return ""
-}
-
-var (
-	DeviceAllFields = &DeviceFieldsOpts{}
-
-	// DeviceDefaultFields specifies that the following fields are returned:
-	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
-	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
-	//   MachineKey, NodeKey, BlocksIncomingConnections.
-	DeviceDefaultFields = &DeviceFieldsOpts{}
-)
-
-// Devices retrieves the list of devices for a tailnet.
-//
-// See the Device structure for the list of fields hidden for external devices.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Devices: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var devices GetDevicesResponse
-	err = json.Unmarshal(b, &devices)
-	return devices.Devices, err
-}
-
-// Device retrieved the details for a specific device.
-//
-// See the Device structure for the list of fields hidden for an external device.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Device: %w", err)
-		}
-	}()
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	err = json.Unmarshal(b, &device)
-	return device, err
-}
-
-// DeleteDevice deletes the specified device from the Client's tailnet.
-// NOTE: Only devices that belong to the Client's tailnet can be deleted.
-// Deleting external devices is not supported.
-func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// AuthorizeDevice marks a device as authorized.
-func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
-
-// SetTags updates the ACL tags on a device.
-func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
-	params := &struct {
-		Tags []string `json:"tags"`
-	}{Tags: tags}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
--- a/client/tailscale/dns.go
+++ b/client/tailscale/dns.go
@@ -1,235 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
--- a/client/tailscale/example/servetls/servetls.go
+++ b/client/tailscale/example/servetls/servetls.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The servetls program shows how to run an HTTPS server
-// using a Tailscale cert via LetsEncrypt.
-package main
-
-import (
-	"crypto/tls"
-	"io"
-	"log"
-	"net/http"
-
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	s := &http.Server{
-		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
-		},
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
-		}),
-	}
-	log.Printf("Running TLS server on :443 ...")
-	log.Fatal(s.ListenAndServeTLS("", ""))
-}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -1,711 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net"
-	"net/http"
-	"net/http/httptrace"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"go4.org/mem"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/netutil"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-)
-
-// defaultLocalClient is the default LocalClient when using the legacy
-// package-level functions.
-var defaultLocalClient LocalClient
-
-// LocalClient is a client to Tailscale's "local API", communicating with the
-// Tailscale daemon on the local machine. Its API is not necessarily stable and
-// subject to changes between releases. Some API calls have stricter
-// compatibility guarantees, once they've been widely adopted. See method docs
-// for details.
-//
-// Its zero value is valid to use.
-//
-// Any exported fields should be set before using methods on the type
-// and not changed thereafter.
-type LocalClient struct {
-	// Dial optionally specifies an alternate func that connects to the local
-	// machine's tailscaled or equivalent. If nil, a default is used.
-	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
-
-	// Socket specifies an alternate path to the local Tailscale socket.
-	// If empty, a platform-specific default is used.
-	Socket string
-
-	// UseSocketOnly, if true, tries to only connect to tailscaled via the
-	// Unix socket and not via fallback mechanisms as done on macOS when
-	// connecting to the GUI client variants.
-	UseSocketOnly bool
-
-	// tsClient does HTTP requests to the local Tailscale daemon.
-	// It's lazily initialized on first use.
-	tsClient     *http.Client
-	tsClientOnce sync.Once
-}
-
-func (lc *LocalClient) socket() string {
-	if lc.Socket != "" {
-		return lc.Socket
-	}
-	return paths.DefaultTailscaledSocket()
-}
-
-func (lc *LocalClient) dialer() func(ctx context.Context, network, addr string) (net.Conn, error) {
-	if lc.Dial != nil {
-		return lc.Dial
-	}
-	return lc.defaultDialer
-}
-
-func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
-	if addr != "local-tailscaled.sock:80" {
-		return nil, fmt.Errorf("unexpected URL address %q", addr)
-	}
-	if !lc.UseSocketOnly {
-		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-		// a TCP server on a random port, find the random port. For HTTP connections,
-		// we don't send the token. It gets added in an HTTP Basic-Auth header.
-		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-		}
-	}
-	s := safesocket.DefaultConnectionStrategy(lc.socket())
-	// The user provided a non-default tailscaled socket address.
-	// Connect only to exactly what they provided.
-	s.UseFallback(false)
-	return safesocket.Connect(s)
-}
-
-// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
-//
-// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
-//
-// The hostname must be "local-tailscaled.sock", even though it
-// doesn't actually do any DNS lookup. The actual means of connecting to and
-// authenticating to the local Tailscale daemon vary by platform.
-//
-// DoLocalRequest may mutate the request to add Authorization headers.
-func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
-	lc.tsClientOnce.Do(func() {
-		lc.tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: lc.dialer(),
-			},
-		}
-	})
-	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-		req.SetBasicAuth("", token)
-	}
-	return lc.tsClient.Do(req)
-}
-
-func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
-	res, err := lc.DoLocalRequest(req)
-	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
-			onVersionMismatch(ipn.IPCVersion(), server)
-		}
-		if res.StatusCode == 403 {
-			all, _ := ioutil.ReadAll(res.Body)
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
-		}
-		return res, nil
-	}
-	if ue, ok := err.(*url.Error); ok {
-		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-			path := req.URL.Path
-			pathPrefix, _, _ := strings.Cut(path, "?")
-			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-		}
-	}
-	return nil, err
-}
-
-type errorJSON struct {
-	Error string
-}
-
-// AccessDeniedError is an error due to permissions.
-type AccessDeniedError struct {
-	err error
-}
-
-func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
-func (e *AccessDeniedError) Unwrap() error { return e.err }
-
-// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
-func IsAccessDeniedError(err error) bool {
-	var ae *AccessDeniedError
-	return errors.As(err, &ae)
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func errorMessageFromBody(body []byte) string {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return j.Error
-	}
-	return strings.TrimSpace(string(body))
-}
-
-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
-func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return nil, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != wantStatus {
-		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
-	return lc.send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-//
-// Deprecated: use LocalClient.WhoIs.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	return defaultLocalClient.WhoIs(ctx, remoteAddr)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
-		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
-	}
-	return r, nil
-}
-
-// Goroutines returns a dump of the Tailscale daemon's current goroutines.
-func (lc *LocalClient) Goroutines(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/goroutines")
-}
-
-// DaemonMetrics returns the Tailscale daemon's metrics in
-// the Prometheus text exposition format.
-func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
-	return lc.get200(ctx, "/localapi/v0/metrics")
-}
-
-// Profile returns a pprof profile of the Tailscale daemon.
-func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(body)), nil
-}
-
-// DebugAction invokes a debug action, such as "rebind" or "restun".
-// These are development tools and subject to change or removal over time.
-func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
-	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// Status returns the Tailscale daemon's status.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.Status(ctx)
-}
-
-// Status returns the Tailscale daemon's status.
-func (lc *LocalClient) Status(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "")
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return defaultLocalClient.StatusWithoutPeers(ctx)
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func (lc *LocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return lc.status(ctx, "?peers=false")
-}
-
-func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/status"+queryString)
-	if err != nil {
-		return nil, err
-	}
-	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
-		return nil, err
-	}
-	return st, nil
-}
-
-// IDToken is a request to get an OIDC ID token for an audience.
-// The token can be presented to any resource provider which offers OIDC
-// Federation.
-func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
-	if err != nil {
-		return nil, err
-	}
-	tr := new(tailcfg.TokenResponse)
-	if err := json.Unmarshal(body, tr); err != nil {
-		return nil, err
-	}
-	return tr, nil
-}
-
-func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := lc.send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-// PushFile sends Taildrop file r to target.
-//
-// A size of -1 means unknown.
-// The name parameter is the original filename, not escaped.
-func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
-	if err != nil {
-		return err
-	}
-	if size != -1 {
-		req.ContentLength = size
-	}
-	res, err := lc.doLocalRequestNiceError(req)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode == 200 {
-		io.Copy(io.Discard, res.Body)
-		return nil
-	}
-	all, _ := io.ReadAll(res.Body)
-	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
-}
-
-// CheckIPForwarding asks the local Tailscale daemon whether it looks like the
-// machine is properly configured to forward IP packets as a subnet router
-// or exit node.
-func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
-	body, err := lc.get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-// CheckPrefs validates the provided preferences, without making any changes.
-//
-// The CLI uses this before a Start call to fail fast if the preferences won't
-// work. Currently (2022-04-18) this only checks for SSH server compatibility.
-// Note that EditPrefs does the same validation as this, so call CheckPrefs before
-// EditPrefs is not necessary.
-func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
-	pj, err := json.Marshal(p)
-	if err != nil {
-		return err
-	}
-	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
-	return err
-}
-
-func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := lc.get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func (lc *LocalClient) Logout(ctx context.Context) error {
-	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// DialTCP connects to the host's port via Tailscale.
-//
-// The host may be a base DNS name (resolved from the netmap inside
-// tailscaled), a FQDN, or an IP address.
-//
-// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
-func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	connCh := make(chan net.Conn, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"ts-dial"},
-		"Connection": []string{"upgrade"},
-		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{fmt.Sprint(port)},
-	}
-	res, err := lc.DoLocalRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusSwitchingProtocols {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	}
-	// From here on, the underlying net.Conn is ours to use, but there
-	// is still a read buffer attached to it within resp.Body. So, we
-	// must direct I/O through resp.Body, but we can still use the
-	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
-	if switchedConn == nil {
-		res.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
-	}
-	rwc, ok := res.Body.(io.ReadWriteCloser)
-	if !ok {
-		res.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
-	}
-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := lc.send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// Deprecated: use LocalClient.CertPair.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	return defaultLocalClient.CertPair(ctx, domain)
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// Deprecated: use LocalClient.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	return defaultLocalClient.GetCertificate(hi)
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-//
-// API maturity: this is considered a stable API.
-func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := lc.ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := lc.CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-//
-// Deprecated: use LocalClient.ExpandSNIName.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	return defaultLocalClient.ExpandSNIName(ctx, name)
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := lc.StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// Ping sends a ping of the provided type to the provided IP and waits
-// for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
-	v := url.Values{}
-	v.Set("ip", ip.String())
-	v.Set("type", string(pingtype))
-	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	pr := new(ipnstate.PingResult)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if k, v, ok := strings.Cut(line, "="); ok {
-			st[k] = strings.TrimSpace(v)
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
-}
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -1,12 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !go1.18
-// +build !go1.18
-
-package tailscale
-
-func init() {
-	you_need_Go_1_18_to_compile_Tailscale()
-}
--- a/client/tailscale/routes.go
+++ b/client/tailscale/routes.go
@@ -1,98 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"inet.af/netaddr"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netaddr.IPPrefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}
--- a/client/tailscale/tailnet.go
+++ b/client/tailscale/tailnet.go
@@ -1,42 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -1,160 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build go1.18
-// +build go1.18
-
-// Package tailscale contains Go clients for the Tailscale Local API and
-// Tailscale control plane API.
-//
-// Warning: this package is in development and makes no API compatibility
-// promises as of 2022-04-29. It is subject to change at any time.
-package tailscale
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"net/http"
-)
-
-// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. It was added 2022-04-29 when it was moved to this git repo
-// and will be removed when the public API has settled.
-//
-// TODO(bradfitz): remove this after the we're happy with the public API.
-var I_Acknowledge_This_API_Is_Unstable = false
-
-// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
-
-const defaultAPIBase = "https://api.tailscale.com"
-
-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
-// Client makes API calls to the Tailscale control plane API server.
-//
-// Use NewClient to instantiate one. Exported fields should be set before
-// the client is used and not changed thereafter.
-type Client struct {
-	// tailnet is the globally unique identifier for a Tailscale network, such
-	// as "example.com" or "user@gmail.com".
-	tailnet string
-	// auth is the authentication method to use for this client.
-	// nil means none, which generally won't work, but won't crash.
-	auth AuthMethod
-
-	// BaseURL optionally specifies an alternate API server to use.
-	// If empty, "https://api.tailscale.com" is used.
-	BaseURL string
-
-	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
-	HTTPClient *http.Client
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) baseURL() string {
-	if c.BaseURL != "" {
-		return c.BaseURL
-	}
-	return defaultAPIBase
-}
-
-// AuthMethod is the interface for API authentication methods.
-//
-// Most users will use AuthKey.
-type AuthMethod interface {
-	modifyRequest(req *http.Request)
-}
-
-// APIKey is an AuthMethod for NewClient that authenticates requests
-// using an authkey.
-type APIKey string
-
-func (ak APIKey) modifyRequest(req *http.Request) {
-	req.SetBasicAuth(string(ak), "")
-}
-
-func (c *Client) setAuth(r *http.Request) {
-	if c.auth != nil {
-		c.auth.modifyRequest(r)
-	}
-}
-
-// NewClient is a convenience method for instantiating a new Client.
-//
-// tailnet is the globally unique identifier for a Tailscale network, such
-// as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
-// "api.tailscale.com" is set as the BaseURL for the returned client
-// and can be changed manually by the user.
-func NewClient(tailnet string, auth AuthMethod) *Client {
-	return &Client{
-		tailnet: tailnet,
-		auth:    auth,
-	}
-}
-
-func (c *Client) Tailnet() string { return c.tailnet }
-
-// Do sends a raw HTTP request, after adding any authentication headers.
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	return c.httpClient().Do(req)
-}
-
-// sendRequest add the authenication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	resp, err := c.httpClient().Do(req)
-	if err != nil {
-		return nil, resp, err
-	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := ioutil.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
-	}
-	return b, resp, err
-}
-
-// ErrResponse is the HTTP error returned by the Tailscale server.
-type ErrResponse struct {
-	Status  int
-	Message string
-}
-
-func (e ErrResponse) Error() string {
-	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
-}
-
-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
-		return err
-	}
-	errResp.Status = resp.StatusCode
-	return errResp
-}
--- a/cmd/addlicense/main.go
+++ b/cmd/addlicense/main.go
@@ -1,77 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Program addlicense adds a license header to a file.
-// It is intended for use with 'go generate',
-// so it has a slightly weird usage.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"os/exec"
-)
-
-var (
-	year = flag.Int("year", 0, "copyright year")
-	file = flag.String("file", "", "file to modify")
-)
-
-func usage() {
-	fmt.Fprintf(os.Stderr, `
-usage: addlicense -year YEAR -file FILE <subcommand args...>
-`[1:])
-
-	flag.PrintDefaults()
-	fmt.Fprintf(os.Stderr, `
-addlicense adds a Tailscale license to the beginning of file,
-using year as the copyright year.
-
-It is intended for use with 'go generate', so it also runs a subcommand,
-which presumably creates the file.
-
-Sample usage:
-
-addlicense -year 2021 -file pull_strings.go stringer -type=pull
-`[1:])
-	os.Exit(2)
-}
-
-func main() {
-	flag.Usage = usage
-	flag.Parse()
-	if len(flag.Args()) == 0 {
-		flag.Usage()
-	}
-	cmd := exec.Command(flag.Arg(0), flag.Args()[1:]...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-	check(err)
-	b, err := os.ReadFile(*file)
-	check(err)
-	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
-	check(err)
-	_, err = fmt.Fprintf(f, license, *year)
-	check(err)
-	_, err = f.Write(b)
-	check(err)
-	err = f.Close()
-	check(err)
-}
-
-func check(err error) {
-	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
-		os.Exit(1)
-	}
-}
-
-var license = `
-// Copyright (c) %d Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-`[1:]
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -17,18 +17,22 @@ import (
 	"bytes"
 	"flag"
 	"fmt"
+	"go/ast"
+	"go/format"
+	"go/token"
 	"go/types"
+	"io/ioutil"
 	"log"
 	"os"
 	"strings"

-	"tailscale.com/util/codegen"
+	"golang.org/x/tools/go/packages"
 )

 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
-	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )

 func main() {
@@ -41,148 +45,184 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")

-	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	cfg := &packages.Config{
+		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
+		Tests: false,
+	}
+	if *flagBuildTags != "" {
+		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
+	}
+	pkgs, err := packages.Load(cfg, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	it := codegen.NewImportTracker(pkg.Types)
+	if len(pkgs) != 1 {
+		log.Fatalf("wrong number of packages: %d", len(pkgs))
+	}
+	pkg := pkgs[0]
 	buf := new(bytes.Buffer)
+	imports := make(map[string]struct{})
 	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName]
-		if !ok {
+		found := false
+		for _, file := range pkg.Syntax {
+			//var fbuf bytes.Buffer
+			//ast.Fprint(&fbuf, pkg.Fset, file, nil)
+			//fmt.Println(fbuf.String())
+
+			for _, d := range file.Decls {
+				decl, ok := d.(*ast.GenDecl)
+				if !ok || decl.Tok != token.TYPE {
+					continue
+				}
+				for _, s := range decl.Specs {
+					spec, ok := s.(*ast.TypeSpec)
+					if !ok || spec.Name.Name != typeName {
+						continue
+					}
+					typeNameObj := pkg.TypesInfo.Defs[spec.Name]
+					typ, ok := typeNameObj.Type().(*types.Named)
+					if !ok {
+						continue
+					}
+					pkg := typeNameObj.Pkg()
+					gen(buf, imports, typeName, typ, pkg)
+				}
+				found = true
+			}
+		}
+		if !found {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, it, typ)
 	}

-	w := func(format string, args ...any) {
-		fmt.Fprintf(buf, format+"\n", args...)
+	contents := new(bytes.Buffer)
+	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
+	fmt.Fprintf(contents, "import (\n")
+	for s := range imports {
+		fmt.Fprintf(contents, "\t%q\n", s)
 	}
-	if *flagCloneFunc {
-		w("// Clone duplicates src into dst and reports whether it succeeded.")
-		w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
-		w("// where T is one of %s.", *flagTypes)
-		w("func Clone(dst, src any) bool {")
-		w("	switch src := src.(type) {")
-		for _, typeName := range typeNames {
-			w("	case *%s:", typeName)
-			w("		switch dst := dst.(type) {")
-			w("		case *%s:", typeName)
-			w("			*dst = *src.Clone()")
-			w("			return true")
-			w("		case **%s:", typeName)
-			w("			*dst = src.Clone()")
-			w("			return true")
-			w("		}")
-		}
-		w("	}")
-		w("	return false")
-		w("}")
+	fmt.Fprintf(contents, ")\n\n")
+	contents.Write(buf.Bytes())
+
+	out, err := format.Source(contents.Bytes())
+	if err != nil {
+		log.Fatalf("%s, in source:\n%s", err, contents.Bytes())
 	}
-	cloneOutput := pkg.Name + "_clone.go"
-	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
+
+	output := *flagOutput
+	if output == "" {
+		flag.Usage()
+		os.Exit(2)
+	}
+	if err := ioutil.WriteFile(output, out, 0666); err != nil {
 		log.Fatal(err)
 	}
 }

-func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok {
-		return
+const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type %s; DO NOT EDIT.
+
+package %s
+
+`
+
+func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types.Named, thisPkg *types.Package) {
+	pkgQual := func(pkg *types.Package) string {
+		if thisPkg == pkg {
+			return ""
+		}
+		imports[pkg.Path()] = struct{}{}
+		return pkg.Name()
+	}
+	importedName := func(t types.Type) string {
+		return types.TypeString(t, pkgQual)
 	}

-	name := typ.Obj().Name()
-	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
-	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
-	writef := func(format string, args ...any) {
-		fmt.Fprintf(buf, "\t"+format+"\n", args...)
-	}
-	writef("if src == nil {")
-	writef("\treturn nil")
-	writef("}")
-	writef("dst := new(%s)", name)
-	writef("*dst = *src")
-	for i := 0; i < t.NumFields(); i++ {
-		fname := t.Field(i).Name()
-		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
-			continue
+	switch t := typ.Underlying().(type) {
+	case *types.Struct:
+		_ = t
+		name := typ.Obj().Name()
+		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
+		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
+		fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
+		writef := func(format string, args ...interface{}) {
+			fmt.Fprintf(buf, "\t"+format+"\n", args...)
 		}
-		if named, _ := ft.(*types.Named); named != nil {
-			if codegen.IsViewType(ft) {
-				writef("dst.%s = src.%s", fname, fname)
+		writef("if src == nil {")
+		writef("\treturn nil")
+		writef("}")
+		writef("dst := new(%s)", name)
+		writef("*dst = *src")
+		for i := 0; i < t.NumFields(); i++ {
+			fname := t.Field(i).Name()
+			ft := t.Field(i).Type()
+			if !containsPointers(ft) {
 				continue
 			}
-			if !hasBasicUnderlying(ft) {
+			if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
 				writef("dst.%s = *src.%s.Clone()", fname, fname)
 				continue
 			}
-		}
-		switch ft := ft.Underlying().(type) {
-		case *types.Slice:
-			if codegen.ContainsPointers(ft.Elem()) {
-				n := it.QualifiedName(ft.Elem())
-				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
-				writef("for i := range dst.%s {", fname)
-				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						writef("\tx := *src.%s[i]", fname)
-						writef("\tdst.%s[i] = &x", fname)
-					} else {
+			switch ft := ft.Underlying().(type) {
+			case *types.Slice:
+				if containsPointers(ft.Elem()) {
+					n := importedName(ft.Elem())
+					writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
+					writef("for i := range dst.%s {", fname)
+					if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					} else {
+						writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 					}
+					writef("}")
 				} else {
-					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
+					writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
+				}
+			case *types.Pointer:
+				if named, _ := ft.Elem().(*types.Named); named != nil && containsPointers(ft.Elem()) {
+					writef("dst.%s = src.%s.Clone()", fname, fname)
+					continue
+				}
+				n := importedName(ft.Elem())
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = new(%s)", fname, n)
+				writef("\t*dst.%s = *src.%s", fname, fname)
+				if containsPointers(ft.Elem()) {
+					writef("\t" + `panic("TODO pointers in pointers")`)
 				}
 				writef("}")
-			} else {
-				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
+			case *types.Map:
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+				if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+					n := importedName(sliceType.Elem())
+					writef("\tfor k := range src.%s {", fname)
+					// use zero-length slice instead of nil to ensure
+					// the key is always copied.
+					writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
+					writef("\t}")
+				} else if containsPointers(ft.Elem()) {
+					writef("\t\t" + `panic("TODO map value pointers")`)
+				} else {
+					writef("\tfor k, v := range src.%s {", fname)
+					writef("\t\tdst.%s[k] = v", fname)
+					writef("\t}")
+				}
+				writef("}")
+			case *types.Struct:
+				writef(`panic("TODO struct %s")`, fname)
+			default:
+				writef(`panic(fmt.Sprintf("TODO: %T", ft))`)
 			}
-		case *types.Pointer:
-			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
-				continue
-			}
-			n := it.QualifiedName(ft.Elem())
-			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = new(%s)", fname, n)
-			writef("\t*dst.%s = *src.%s", fname, fname)
-			if codegen.ContainsPointers(ft.Elem()) {
-				writef("\t" + `panic("TODO pointers in pointers")`)
-			}
-			writef("}")
-		case *types.Map:
-			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
-			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
-				n := it.QualifiedName(sliceType.Elem())
-				writef("\tfor k := range src.%s {", fname)
-				// use zero-length slice instead of nil to ensure
-				// the key is always copied.
-				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
-				writef("\t}")
-			} else if codegen.ContainsPointers(ft.Elem()) {
-				writef("\tfor k, v := range src.%s {", fname)
-				writef("\t\tdst.%s[k] = v.Clone()", fname)
-				writef("\t}")
-			} else {
-				writef("\tfor k, v := range src.%s {", fname)
-				writef("\t\tdst.%s[k] = v", fname)
-				writef("\t}")
-			}
-			writef("}")
-		default:
-			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
+		writef("return dst")
+		fmt.Fprintf(buf, "}\n\n")
 	}
-	writef("return dst")
-	fmt.Fprintf(buf, "}\n\n")
-
-	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }

-// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:
@@ -191,3 +231,34 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
+
+func containsPointers(typ types.Type) bool {
+	switch typ.String() {
+	case "time.Time":
+		// time.Time contains a pointer that does not need copying
+		return false
+	case "inet.af/netaddr.IP":
+		return false
+	}
+	switch ft := typ.Underlying().(type) {
+	case *types.Array:
+		return containsPointers(ft.Elem())
+	case *types.Chan:
+		return true
+	case *types.Interface:
+		return true // a little too broad
+	case *types.Map:
+		return true
+	case *types.Pointer:
+		return true
+	case *types.Slice:
+		return true
+	case *types.Struct:
+		for i := 0; i < ft.NumFields(); i++ {
+			if containsPointers(ft.Field(i).Type()) {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -1,67 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"expvar"
-	"log"
-	"net"
-	"net/http"
-	"strings"
-	"sync/atomic"
-	"time"
-)
-
-var dnsCache atomic.Value // of []byte
-
-var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-
-func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" {
-		return
-	}
-	for {
-		refreshBootstrapDNS()
-		time.Sleep(10 * time.Minute)
-	}
-}
-
-func refreshBootstrapDNS() {
-	if *bootstrapDNS == "" {
-		return
-	}
-	dnsEntries := make(map[string][]net.IP)
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	names := strings.Split(*bootstrapDNS, ",")
-	var r net.Resolver
-	for _, name := range names {
-		addrs, err := r.LookupIP(ctx, "ip", name)
-		if err != nil {
-			log.Printf("bootstrap DNS lookup %q: %v", name, err)
-			continue
-		}
-		dnsEntries[name] = addrs
-	}
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-	dnsCache.Store(j)
-}
-
-func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
-	bootstrapDNSRequests.Add(1)
-	w.Header().Set("Content-Type", "application/json")
-	j, _ := dnsCache.Load().([]byte)
-	// Bootstrap DNS requests occur cross-regions,
-	// and are randomized per request,
-	// so keeping a connection open is pointlessly expensive.
-	w.Header().Set("Connection", "close")
-	w.Write(j)
-}
--- a/cmd/derper/bootstrap_dns_test.go
+++ b/cmd/derper/bootstrap_dns_test.go
@@ -1,35 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"net/http"
-	"testing"
-)
-
-func BenchmarkHandleBootstrapDNS(b *testing.B) {
-	prev := *bootstrapDNS
-	*bootstrapDNS = "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com"
-	defer func() {
-		*bootstrapDNS = prev
-	}()
-	refreshBootstrapDNS()
-	w := new(bitbucketResponseWriter)
-	b.ReportAllocs()
-	b.ResetTimer()
-	b.RunParallel(func(b *testing.PB) {
-		for b.Next() {
-			handleBootstrapDNS(w, nil)
-		}
-	})
-}
-
-type bitbucketResponseWriter struct{}
-
-func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header) }
-
-func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }
-
-func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -1,95 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net/http"
-	"path/filepath"
-	"regexp"
-
-	"golang.org/x/crypto/acme/autocert"
-)
-
-var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
-
-type certProvider interface {
-	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
-	TLSConfig() *tls.Config
-	// HTTPHandler handle ACME related request, if any.
-	HTTPHandler(fallback http.Handler) http.Handler
-}
-
-func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
-	if dir == "" {
-		return nil, errors.New("missing required --certdir flag")
-	}
-	switch mode {
-	case "letsencrypt":
-		certManager := &autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist(hostname),
-			Cache:      autocert.DirCache(dir),
-		}
-		if hostname == "derp.tailscale.com" {
-			certManager.HostPolicy = prodAutocertHostPolicy
-			certManager.Email = "security@tailscale.com"
-		}
-		return certManager, nil
-	case "manual":
-		return NewManualCertManager(dir, hostname)
-	default:
-		return nil, fmt.Errorf("unsupport cert mode: %q", mode)
-	}
-}
-
-type manualCertManager struct {
-	cert     *tls.Certificate
-	hostname string
-}
-
-// NewManualCertManager returns a cert provider which read certificate by given hostname on create.
-func NewManualCertManager(certdir, hostname string) (certProvider, error) {
-	keyname := unsafeHostnameCharacters.ReplaceAllString(hostname, "")
-	crtPath := filepath.Join(certdir, keyname+".crt")
-	keyPath := filepath.Join(certdir, keyname+".key")
-	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	if err != nil {
-		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-	}
-	// ensure hostname matches with the certificate
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return nil, fmt.Errorf("can not load cert: %w", err)
-	}
-	if err := x509Cert.VerifyHostname(hostname); err != nil {
-		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
-	}
-	return &manualCertManager{cert: &cert, hostname: hostname}, nil
-}
-
-func (m *manualCertManager) TLSConfig() *tls.Config {
-	return &tls.Config{
-		Certificates: nil,
-		NextProtos: []string{
-			"h2", "http/1.1", // enable HTTP/2
-		},
-		GetCertificate: m.getCertificate,
-	}
-}
-
-func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi.ServerName != m.hostname {
-		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
-	}
-	return m.cert, nil
-}
-
-func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
-	return fallback
-}
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -7,7 +7,6 @@ package main // import "tailscale.com/cmd/derper"

 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"expvar"
@@ -16,7 +15,6 @@ import (
 	"io"
 	"io/ioutil"
 	"log"
-	"math"
 	"net"
 	"net/http"
 	"os"
@@ -25,7 +23,8 @@ import (
 	"strings"
 	"time"

-	"golang.org/x/time/rate"
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -34,72 +33,35 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
+	"tailscale.com/version"
 )

 var (
 	dev           = flag.Bool("dev", false, "run in localhost development mode")
-	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	addr          = flag.String("a", ":443", "server address")
 	configPath    = flag.String("c", "", "config file path")
-	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
 	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
-	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-
+	runSTUN       = flag.Bool("stun", false, "also run a STUN server")
 	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
 	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
-
-	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
-	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
 )

-var (
-	stats             = new(metrics.Set)
-	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
-	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
-	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	stunReadError  = stunDisposition.Get("read_error")
-	stunNotSTUN    = stunDisposition.Get("not_stun")
-	stunWriteError = stunDisposition.Get("write_error")
-	stunSuccess    = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
-)
-
-func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
-	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
-	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
-}
-
 type config struct {
-	PrivateKey key.NodePrivate
+	PrivateKey wgcfg.PrivateKey
 }

 func loadConfig() config {
 	if *dev {
-		return config{PrivateKey: key.NewNode()}
+		return config{PrivateKey: mustNewKey()}
 	}
 	if *configPath == "" {
-		if os.Getuid() == 0 {
-			*configPath = "/var/lib/derper/derper.key"
-		} else {
-			log.Fatalf("derper: -c <config path> not specified")
-		}
-		log.Printf("no config path specified; using %s", *configPath)
+		log.Fatalf("derper: -c <config path> not specified")
 	}
 	b, err := ioutil.ReadFile(*configPath)
 	switch {
-	case errors.Is(err, os.ErrNotExist):
+	case os.IsNotExist(err):
 		return writeNewConfig()
 	case err != nil:
 		log.Fatal(err)
@@ -113,19 +75,27 @@ func loadConfig() config {
 	}
 }

+func mustNewKey() wgcfg.PrivateKey {
+	key, err := wgcfg.NewPrivateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return key
+}
+
 func writeNewConfig() config {
-	k := key.NewNode()
+	key := mustNewKey()
 	if err := os.MkdirAll(filepath.Dir(*configPath), 0777); err != nil {
 		log.Fatal(err)
 	}
 	cfg := config{
-		PrivateKey: k,
+		PrivateKey: key,
 	}
 	b, err := json.MarshalIndent(cfg, "", "\t")
 	if err != nil {
 		log.Fatal(err)
 	}
-	if err := atomicfile.WriteFile(*configPath, b, 0600); err != nil {
+	if err := atomicfile.WriteFile(*configPath, b, 0666); err != nil {
 		log.Fatal(err)
 	}
 	return cfg
@@ -141,11 +111,6 @@ func main() {
 		tsweb.DevMode = true
 	}

-	listenHost, _, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("invalid server address: %v", err)
-	}
-
 	var logPol *logpolicy.Policy
 	if *logCollection != "" {
 		logPol = logpolicy.New(*logCollection)
@@ -154,10 +119,9 @@ func main() {

 	cfg := loadConfig()

-	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
+	letsEncrypt := tsweb.IsProd443(*addr)

-	s := derp.NewServer(cfg.PrivateKey, log.Printf)
-	s.SetVerifyClient(*verifyClients)
+	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)

 	if *meshPSKFile != "" {
 		b, err := ioutil.ReadFile(*meshPSKFile)
@@ -176,13 +140,9 @@ func main() {
 	}
 	expvar.Publish("derp", s.ExpVar())

-	mux := http.NewServeMux()
-	derpHandler := derphttp.Handler(s)
-	derpHandler = addWebSocketSupport(s, derpHandler)
-	mux.Handle("/derp", derpHandler)
-	mux.HandleFunc("/derp/probe", probeHandler)
-	go refreshBootstrapDNSLoop()
-	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
+	// Create our own mux so we don't expose /debug/ stuff to the world.
+	mux := tsweb.NewMux(debugHandler(s))
+	mux.Handle("/derp", derphttp.Handler(s))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(200)
@@ -191,7 +151,7 @@ func main() {
 <p>
  This is a
  <a href="https://tailscale.com/">Tailscale</a>
-  <a href="https://pkg.go.dev/tailscale.com/derp">DERP</a>
+  <a href="https://godoc.org/tailscale.com/derp">DERP</a>
  server.
 </p>
 `)
@@ -199,110 +159,41 @@ func main() {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	debug := tsweb.Debugger(mux)
-	debug.KV("TLS hostname", *hostname)
-	debug.KV("Mesh key", s.HasMeshKey())
-	debug.Handle("check", "Consistency check", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		err := s.ConsistencyCheck()
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-		} else {
-			io.WriteString(w, "derp.Server ConsistencyCheck okay")
-		}
-	}))
-	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

 	if *runSTUN {
-		go serveSTUN(listenHost, *stunPort)
+		go serveSTUN()
 	}

 	httpsrv := &http.Server{
 		Addr:    *addr,
 		Handler: mux,
-
-		// Set read/write timeout. For derper, this basically
-		// only affects TLS setup, as read/write deadlines are
-		// cleared on Hijack, which the DERP server does. But
-		// without this, we slowly accumulate stuck TLS
-		// handshake goroutines forever. This also affects
-		// /debug/ traffic, but 30 seconds is plenty for
-		// Prometheus/etc scraping.
-		ReadTimeout:  30 * time.Second,
-		WriteTimeout: 30 * time.Second,
 	}

-	if serveTLS {
+	var err error
+	if letsEncrypt {
+		if *certDir == "" {
+			log.Fatalf("missing required --certdir flag")
+		}
 		log.Printf("derper: serving on %s with TLS", *addr)
-		var certManager certProvider
-		certManager, err = certProviderByCertMode(*certMode, *certDir, *hostname)
-		if err != nil {
-			log.Fatalf("derper: can not start cert provider: %v", err)
+		certManager := &autocert.Manager{
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(*hostname),
+			Cache:      autocert.DirCache(*certDir),
+		}
+		if *hostname == "derp.tailscale.com" {
+			certManager.HostPolicy = prodAutocertHostPolicy
+			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
-		getCert := httpsrv.TLSConfig.GetCertificate
-		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			cert, err := getCert(hi)
+		go func() {
+			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
-				return nil, err
+				if err != http.ErrServerClosed {
+					log.Fatal(err)
+				}
 			}
-			cert.Certificate = append(cert.Certificate, s.MetaCert())
-			return cert, nil
-		}
-		// Disable TLS 1.0 and 1.1, which are obsolete and have security issues.
-		httpsrv.TLSConfig.MinVersion = tls.VersionTLS12
-		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.TLS != nil {
-				label := "unknown"
-				switch r.TLS.Version {
-				case tls.VersionTLS10:
-					label = "1.0"
-				case tls.VersionTLS11:
-					label = "1.1"
-				case tls.VersionTLS12:
-					label = "1.2"
-				case tls.VersionTLS13:
-					label = "1.3"
-				}
-				tlsRequestVersion.Add(label, 1)
-				tlsActiveVersion.Add(label, 1)
-				defer tlsActiveVersion.Add(label, -1)
-			}
-
-			// Set HTTP headers to appease automated security scanners.
-			//
-			// Security automation gets cranky when HTTPS sites don't
-			// set HSTS, and when they don't specify a content
-			// security policy for XSS mitigation.
-			//
-			// DERP's HTTP interface is only ever used for debug
-			// access (for which trivial safe policies work just
-			// fine), and by DERP clients which don't obey any of
-			// these browser-centric headers anyway.
-			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
-			w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
-			mux.ServeHTTP(w, r)
-		})
-		if *httpPort > -1 {
-			go func() {
-				port80srv := &http.Server{
-					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
-					ReadTimeout: 30 * time.Second,
-					// Crank up WriteTimeout a bit more than usually
-					// necessary just so we can do long CPU profiles
-					// and not hit net/http/pprof's "profile
-					// duration exceeds server's WriteTimeout".
-					WriteTimeout: 5 * time.Minute,
-				}
-				err := port80srv.ListenAndServe()
-				if err != nil {
-					if err != http.ErrServerClosed {
-						log.Fatal(err)
-					}
-				}
-			}()
-		}
-		err = rateLimitedListenAndServeTLS(httpsrv)
+		}()
+		err = httpsrv.ListenAndServeTLS("", "")
 	} else {
 		log.Printf("derper: serving on %s", *addr)
 		err = httpsrv.ListenAndServe()
@@ -312,44 +203,78 @@ func main() {
 	}
 }

-// probeHandler is the endpoint that js/wasm clients hit to measure
-// DERP latency, since they can't do UDP STUN queries.
-func probeHandler(w http.ResponseWriter, r *http.Request) {
-	switch r.Method {
-	case "HEAD", "GET":
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-	default:
-		http.Error(w, "bogus probe method", http.StatusMethodNotAllowed)
-	}
+func debugHandler(s *derp.Server) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.RequestURI == "/debug/check" {
+			err := s.ConsistencyCheck()
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+			} else {
+				io.WriteString(w, "derp.Server ConsistencyCheck okay")
+			}
+			return
+		}
+		f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+		f(`<html><body>
+<h1>DERP debug</h1>
+<ul>
+`)
+		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
+		f("<li><b>Version:</b> %v</li>\n", version.LONG)
+
+		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+   <li><a href="/debug/check">/debug/check</a> internal consistency check</li>
+<ul>
+</html>
+`)
+	})
 }

-func serveSTUN(host string, port int) {
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
+func serveSTUN() {
+	pc, err := net.ListenPacket("udp", ":3478")
 	if err != nil {
 		log.Fatalf("failed to open STUN listener: %v", err)
 	}
 	log.Printf("running STUN server on %v", pc.LocalAddr())
-	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
-}

-func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
-	var buf [64 << 10]byte
 	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
+		stats           = new(metrics.Set)
+		stunDisposition = &metrics.LabelMap{Label: "disposition"}
+		stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+
+		stunReadError  = stunDisposition.Get("read_error")
+		stunNotSTUN    = stunDisposition.Get("not_stun")
+		stunWriteError = stunDisposition.Get("write_error")
+		stunSuccess    = stunDisposition.Get("success")
+
+		stunIPv4 = stunAddrFamily.Get("ipv4")
+		stunIPv6 = stunAddrFamily.Get("ipv6")
 	)
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
+
+	var buf [64 << 10]byte
 	for {
-		n, ua, err = pc.ReadFromUDP(buf[:])
+		n, addr, err := pc.ReadFrom(buf[:])
 		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
 			log.Printf("STUN ReadFrom: %v", err)
 			time.Sleep(time.Second)
 			stunReadError.Add(1)
 			continue
 		}
+		ua, ok := addr.(*net.UDPAddr)
+		if !ok {
+			log.Printf("STUN unexpected address %T %v", addr, addr)
+			stunReadError.Add(1)
+			continue
+		}
 		pkt := buf[:n]
 		if !stun.Is(pkt) {
 			stunNotSTUN.Add(1)
@@ -366,7 +291,7 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 			stunIPv6.Add(1)
 		}
 		res := stun.Response(txid, ua.IP, uint16(ua.Port))
-		_, err = pc.WriteTo(res, ua)
+		_, err = pc.WriteTo(res, addr)
 		if err != nil {
 			stunWriteError.Add(1)
 		} else {
@@ -396,63 +321,3 @@ func defaultMeshPSKFile() string {
 	}
 	return ""
 }
-
-func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	addr := srv.Addr
-	if addr == "" {
-		addr = ":https"
-	}
-	ln, err := net.Listen("tcp", addr)
-	if err != nil {
-		return err
-	}
-	rln := newRateLimitedListener(ln, rate.Limit(*acceptConnLimit), *acceptConnBurst)
-	expvar.Publish("tls_listener", rln.ExpVar())
-	defer rln.Close()
-	return srv.ServeTLS(rln, "", "")
-}
-
-type rateLimitedListener struct {
-	// These are at the start of the struct to ensure 64-bit alignment
-	// on 32-bit architecture regardless of what other fields may exist
-	// in this package.
-	numAccepts expvar.Int // does not include number of rejects
-	numRejects expvar.Int
-
-	net.Listener
-
-	lim *rate.Limiter
-}
-
-func newRateLimitedListener(ln net.Listener, limit rate.Limit, burst int) *rateLimitedListener {
-	return &rateLimitedListener{Listener: ln, lim: rate.NewLimiter(limit, burst)}
-}
-
-func (l *rateLimitedListener) ExpVar() expvar.Var {
-	m := new(metrics.Set)
-	m.Set("counter_accepted_connections", &l.numAccepts)
-	m.Set("counter_rejected_connections", &l.numRejects)
-	return m
-}
-
-var errLimitedConn = errors.New("cannot accept connection; rate limited")
-
-func (l *rateLimitedListener) Accept() (net.Conn, error) {
-	// Even under a rate limited situation, we accept the connection immediately
-	// and close it, rather than being slow at accepting new connections.
-	// This provides two benefits: 1) it signals to the client that something
-	// is going on on the server, and 2) it prevents new connections from
-	// piling up and occupying resources in the OS kernel.
-	// The client will retry as needing (with backoffs in place).
-	cn, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	if !l.lim.Allow() {
-		l.numRejects.Add(1)
-		cn.Close()
-		return nil, errLimitedConn
-	}
-	l.numAccepts.Add(1)
-	return cn, nil
-}
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -6,10 +6,7 @@ package main

 import (
 	"context"
-	"net"
 	"testing"
-
-	"tailscale.com/net/stun"
 )

 func TestProdAutocertHostPolicy(t *testing.T) {
@@ -34,36 +31,5 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 			t.Errorf("f(%q) = %v; want %v", tt.in, got, tt.wantOK)
 		}
 	}
-}
-
-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer pc.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go serverSTUNListener(ctx, pc.(*net.UDPConn))
-	addr := pc.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}

 }
--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -5,13 +5,10 @@
 package main

 import (
-	"context"
 	"errors"
 	"fmt"
 	"log"
-	"net"
 	"strings"
-	"time"

 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -41,36 +38,8 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return err
 	}
 	c.MeshKey = s.MeshKey()
-
-	// For meshed peers within a region, connect via VPC addresses.
-	c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
-		host, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil, err
-		}
-		var d net.Dialer
-		var r net.Resolver
-		if port == "443" && strings.HasSuffix(host, ".tailscale.com") {
-			base := strings.TrimSuffix(host, ".tailscale.com")
-			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
-			defer cancel()
-			vpcHost := base + "-vpc.tailscale.com"
-			ips, _ := r.LookupIP(subCtx, "ip", vpcHost)
-			if len(ips) > 0 {
-				vpcAddr := net.JoinHostPort(ips[0].String(), port)
-				c, err := d.DialContext(subCtx, network, vpcAddr)
-				if err == nil {
-					log.Printf("connected to %v (%v) instead of %v", vpcHost, ips[0], base)
-					return c, nil
-				}
-				log.Printf("failed to connect to %v (%v): %v; trying non-VPC route", vpcHost, ips[0], err)
-			}
-		}
-		return d.DialContext(ctx, network, addr)
-	})
-
-	add := func(k key.NodePublic) { s.AddPacketForwarder(k, c) }
-	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
-	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
+	add := func(k key.Public) { s.AddPacketForwarder(k, c) }
+	remove := func(k key.Public) { s.RemovePacketForwarder(k, c) }
+	go c.RunWatchConnectionLoop(s.PublicKey(), add, remove)
 	return nil
 }
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -1,51 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"bufio"
-	"expvar"
-	"log"
-	"net/http"
-	"strings"
-
-	"nhooyr.io/websocket"
-	"tailscale.com/derp"
-)
-
-var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
-
-// addWebSocketSupport returns a Handle wrapping base that adds WebSocket server support.
-func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		up := strings.ToLower(r.Header.Get("Upgrade"))
-
-		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
-		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
-		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
-			base.ServeHTTP(w, r)
-			return
-		}
-
-		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
-			Subprotocols:   []string{"derp"},
-			OriginPatterns: []string{"*"},
-		})
-		if err != nil {
-			log.Printf("websocket.Accept: %v", err)
-			return
-		}
-		defer c.Close(websocket.StatusInternalError, "closing")
-		if c.Subprotocol() != "derp" {
-			c.Close(websocket.StatusPolicyViolation, "client must speak the derp subprotocol")
-			return
-		}
-		counterWebSocketAccepts.Add(1)
-		wc := websocket.NetConn(r.Context(), c, websocket.MessageBinary)
-		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
-		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
-	})
-}
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -1,556 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The derpprobe binary probes derpers.
-package main // import "tailscale.com/cmd/derper/derpprobe"
-
-import (
-	"bytes"
-	"context"
-	crand "crypto/rand"
-	"crypto/x509"
-	"encoding/json"
-	"errors"
-	"flag"
-	"fmt"
-	"html"
-	"io"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"sort"
-	"strings"
-	"sync"
-	"time"
-
-	"tailscale.com/derp"
-	"tailscale.com/derp/derphttp"
-	"tailscale.com/net/stun"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-var (
-	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
-	listen     = flag.String("listen", ":8030", "HTTP listen address")
-)
-
-// certReissueAfter is the time after which we expect all certs to be
-// reissued, at minimum.
-//
-// This is currently set to the date of the LetsEncrypt ALPN revocation event of Jan 2022:
-// https://community.letsencrypt.org/t/questions-about-renewing-before-tls-alpn-01-revocations/170449
-//
-// If there's another revocation event, bump this again.
-var certReissueAfter = time.Unix(1643226768, 0)
-
-var (
-	mu            sync.Mutex
-	state         = map[nodePair]pairStatus{}
-	lastDERPMap   *tailcfg.DERPMap
-	lastDERPMapAt time.Time
-	certs         = map[string]*x509.Certificate{}
-)
-
-func main() {
-	flag.Parse()
-
-	// proactively load the DERP map. Nothing terrible happens if this fails, so we ignore
-	// the error. The Slack bot will print a notification that the DERP map was empty.
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-	defer cancel()
-	_, _ = getDERPMap(ctx)
-
-	go probeLoop()
-	go slackLoop()
-	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
-}
-
-func setCert(name string, cert *x509.Certificate) {
-	mu.Lock()
-	defer mu.Unlock()
-	certs[name] = cert
-}
-
-type overallStatus struct {
-	good, bad []string
-}
-
-func (st *overallStatus) addBadf(format string, a ...any) {
-	st.bad = append(st.bad, fmt.Sprintf(format, a...))
-}
-
-func (st *overallStatus) addGoodf(format string, a ...any) {
-	st.good = append(st.good, fmt.Sprintf(format, a...))
-}
-
-func getOverallStatus() (o overallStatus) {
-	mu.Lock()
-	defer mu.Unlock()
-	if lastDERPMap == nil {
-		o.addBadf("no DERP map")
-		return
-	}
-	now := time.Now()
-	if age := now.Sub(lastDERPMapAt); age > time.Minute {
-		o.addBadf("DERPMap hasn't been successfully refreshed in %v", age.Round(time.Second))
-	}
-
-	addPairMeta := func(pair nodePair) {
-		st, ok := state[pair]
-		age := now.Sub(st.at).Round(time.Second)
-		switch {
-		case !ok:
-			o.addBadf("no state for %v", pair)
-		case st.err != nil:
-			o.addBadf("%v: %v", pair, st.err)
-		case age > 90*time.Second:
-			o.addBadf("%v: update is %v old", pair, age)
-		default:
-			o.addGoodf("%v: %v, %v ago", pair, st.latency.Round(time.Millisecond), age)
-		}
-	}
-
-	for _, reg := range sortedRegions(lastDERPMap) {
-		for _, from := range reg.Nodes {
-			addPairMeta(nodePair{"UDP", from.Name})
-			for _, to := range reg.Nodes {
-				addPairMeta(nodePair{from.Name, to.Name})
-			}
-		}
-	}
-
-	var subjs []string
-	for k := range certs {
-		subjs = append(subjs, k)
-	}
-	sort.Strings(subjs)
-
-	soon := time.Now().Add(14 * 24 * time.Hour) // in 2 weeks; autocert does 30 days by default
-	for _, s := range subjs {
-		cert := certs[s]
-		if cert.NotBefore.Before(certReissueAfter) {
-			o.addBadf("cert %q needs reissuing; NotBefore=%v", s, cert.NotBefore.Format(time.RFC3339))
-			continue
-		}
-		if cert.NotAfter.Before(soon) {
-			o.addBadf("cert %q expiring soon (%v); wasn't auto-refreshed", s, cert.NotAfter.Format(time.RFC3339))
-			continue
-		}
-		o.addGoodf("cert %q good %v - %v", s, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
-	}
-
-	return
-}
-
-func serve(w http.ResponseWriter, r *http.Request) {
-	st := getOverallStatus()
-	summary := "All good"
-	if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
-		// This will generate an alert and page a human.
-		// It also ends up in Slack, but as part of the alert handling pipeline not
-		// because we generated a Slack notification from here.
-		w.WriteHeader(500)
-		summary = fmt.Sprintf("%d problems", len(st.bad))
-	}
-
-	io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
-	fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
-	for _, s := range st.bad {
-		fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
-	}
-	for _, s := range st.good {
-		fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
-	}
-	io.WriteString(w, "</ul></body></html>\n")
-}
-
-func notifySlack(text string) error {
-	type SlackRequestBody struct {
-		Text string `json:"text"`
-	}
-
-	slackBody, err := json.Marshal(SlackRequestBody{Text: text})
-	if err != nil {
-		return err
-	}
-
-	webhookUrl := os.Getenv("SLACK_WEBHOOK")
-	if webhookUrl == "" {
-		return errors.New("No SLACK_WEBHOOK configured")
-	}
-
-	req, err := http.NewRequest("POST", webhookUrl, bytes.NewReader(slackBody))
-	if err != nil {
-		return err
-	}
-	req.Header.Add("Content-Type", "application/json")
-
-	client := &http.Client{Timeout: 10 * time.Second}
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != 200 {
-		return errors.New(resp.Status)
-	}
-
-	body, _ := io.ReadAll(resp.Body)
-	if string(body) != "ok" {
-		return errors.New("Non-ok response returned from Slack")
-	}
-	return nil
-}
-
-// We only page a human if it looks like there is a significant outage across multiple regions.
-// To Slack, we report all failures great and small.
-func slackLoop() {
-	inBadState := false
-	for {
-		time.Sleep(time.Second * 30)
-		st := getOverallStatus()
-
-		if len(st.bad) > 0 && !inBadState {
-			err := notifySlack(strings.Join(st.bad, "\n"))
-			if err == nil {
-				inBadState = true
-			} else {
-				log.Printf("%d problems, notify Slack failed: %v", len(st.bad), err)
-			}
-		}
-
-		if len(st.bad) == 0 && inBadState {
-			err := notifySlack("All DERPs recovered.")
-			if err == nil {
-				inBadState = false
-			}
-		}
-	}
-}
-
-func sortedRegions(dm *tailcfg.DERPMap) []*tailcfg.DERPRegion {
-	ret := make([]*tailcfg.DERPRegion, 0, len(dm.Regions))
-	for _, r := range dm.Regions {
-		ret = append(ret, r)
-	}
-	sort.Slice(ret, func(i, j int) bool { return ret[i].RegionID < ret[j].RegionID })
-	return ret
-}
-
-type nodePair struct {
-	from string // DERPNode.Name, or "UDP" for a STUN query to 'to'
-	to   string // DERPNode.Name
-}
-
-func (p nodePair) String() string { return fmt.Sprintf("(%s→%s)", p.from, p.to) }
-
-type pairStatus struct {
-	err     error
-	latency time.Duration
-	at      time.Time
-}
-
-func setDERPMap(dm *tailcfg.DERPMap) {
-	mu.Lock()
-	defer mu.Unlock()
-	lastDERPMap = dm
-	lastDERPMapAt = time.Now()
-}
-
-func setState(p nodePair, latency time.Duration, err error) {
-	mu.Lock()
-	defer mu.Unlock()
-	st := pairStatus{
-		err:     err,
-		latency: latency,
-		at:      time.Now(),
-	}
-	state[p] = st
-	if err != nil {
-		log.Printf("%+v error: %v", p, err)
-	} else {
-		log.Printf("%+v: %v", p, latency.Round(time.Millisecond))
-	}
-}
-
-func probeLoop() {
-	ticker := time.NewTicker(15 * time.Second)
-	for {
-		err := probe()
-		if err != nil {
-			log.Printf("probe: %v", err)
-		}
-		<-ticker.C
-	}
-}
-
-func probe() error {
-	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
-	defer cancel()
-	dm, err := getDERPMap(ctx)
-	if err != nil {
-		return err
-	}
-
-	var wg sync.WaitGroup
-	wg.Add(len(dm.Regions))
-	for _, reg := range dm.Regions {
-		reg := reg
-		go func() {
-			defer wg.Done()
-			for _, from := range reg.Nodes {
-				latency, err := probeUDP(ctx, dm, from)
-				setState(nodePair{"UDP", from.Name}, latency, err)
-				for _, to := range reg.Nodes {
-					latency, err := probeNodePair(ctx, dm, from, to)
-					setState(nodePair{from.Name, to.Name}, latency, err)
-				}
-			}
-		}()
-	}
-
-	wg.Wait()
-	return ctx.Err()
-}
-
-func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (latency time.Duration, err error) {
-	pc, err := net.ListenPacket("udp", ":0")
-	if err != nil {
-		return 0, err
-	}
-	defer pc.Close()
-	uc := pc.(*net.UDPConn)
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-
-	for _, ipStr := range []string{n.IPv4, n.IPv6} {
-		if ipStr == "" {
-			continue
-		}
-		port := n.STUNPort
-		if port == -1 {
-			continue
-		}
-		if port == 0 {
-			port = 3478
-		}
-		for {
-			ip := net.ParseIP(ipStr)
-			_, err := uc.WriteToUDP(req, &net.UDPAddr{IP: ip, Port: port})
-			if err != nil {
-				return 0, err
-			}
-			buf := make([]byte, 1500)
-			uc.SetReadDeadline(time.Now().Add(2 * time.Second))
-			t0 := time.Now()
-			n, _, err := uc.ReadFromUDP(buf)
-			d := time.Since(t0)
-			if err != nil {
-				if ctx.Err() != nil {
-					return 0, fmt.Errorf("timeout reading from %v: %v", ip, err)
-				}
-				if d < time.Second {
-					return 0, fmt.Errorf("error reading from %v: %v", ip, err)
-				}
-				time.Sleep(100 * time.Millisecond)
-				continue
-			}
-			txBack, _, _, err := stun.ParseResponse(buf[:n])
-			if err != nil {
-				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
-			}
-			if txBack != tx {
-				return 0, fmt.Errorf("read wrong tx back from %v", ip)
-			}
-			if latency == 0 || d < latency {
-				latency = d
-			}
-			break
-		}
-	}
-	return latency, nil
-}
-
-func probeNodePair(ctx context.Context, dm *tailcfg.DERPMap, from, to *tailcfg.DERPNode) (latency time.Duration, err error) {
-	// The passed in context is a minute for the whole region. The
-	// idea is that each node pair in the region will be done
-	// serially and regularly in the future, reusing connections
-	// (at least in the happy path). For now they don't reuse
-	// connections and probe at most once every 15 seconds. We
-	// bound the duration of a single node pair within a region
-	// so one bad one can't starve others.
-	ctx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-
-	fromc, err := newConn(ctx, dm, from)
-	if err != nil {
-		return 0, err
-	}
-	defer fromc.Close()
-	toc, err := newConn(ctx, dm, to)
-	if err != nil {
-		return 0, err
-	}
-	defer toc.Close()
-
-	// Wait a bit for from's node to hear about to existing on the
-	// other node in the region, in the case where the two nodes
-	// are different.
-	if from.Name != to.Name {
-		time.Sleep(100 * time.Millisecond) // pretty arbitrary
-	}
-
-	// Make a random packet
-	pkt := make([]byte, 8)
-	crand.Read(pkt)
-
-	t0 := time.Now()
-
-	// Send the random packet.
-	sendc := make(chan error, 1)
-	go func() {
-		sendc <- fromc.Send(toc.SelfPublicKey(), pkt)
-	}()
-	select {
-	case <-ctx.Done():
-		return 0, fmt.Errorf("timeout sending via %q: %w", from.Name, ctx.Err())
-	case err := <-sendc:
-		if err != nil {
-			return 0, fmt.Errorf("error sending via %q: %w", from.Name, err)
-		}
-	}
-
-	// Receive the random packet.
-	recvc := make(chan any, 1) // either derp.ReceivedPacket or error
-	go func() {
-		for {
-			m, err := toc.Recv()
-			if err != nil {
-				recvc <- err
-				return
-			}
-			switch v := m.(type) {
-			case derp.ReceivedPacket:
-				recvc <- v
-			default:
-				log.Printf("%v: ignoring Recv frame type %T", to.Name, v)
-				// Loop.
-			}
-		}
-	}()
-	select {
-	case <-ctx.Done():
-		return 0, fmt.Errorf("timeout receiving from %q: %w", to.Name, ctx.Err())
-	case v := <-recvc:
-		if err, ok := v.(error); ok {
-			return 0, fmt.Errorf("error receiving from %q: %w", to.Name, err)
-		}
-		p := v.(derp.ReceivedPacket)
-		if p.Source != fromc.SelfPublicKey() {
-			return 0, fmt.Errorf("got data packet from unexpected source, %v", p.Source)
-		}
-		if !bytes.Equal(p.Data, pkt) {
-			return 0, fmt.Errorf("unexpected data packet %q", p.Data)
-		}
-	}
-	return time.Since(t0), nil
-}
-
-func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (*derphttp.Client, error) {
-	priv := key.NewNode()
-	dc := derphttp.NewRegionClient(priv, log.Printf, func() *tailcfg.DERPRegion {
-		rid := n.RegionID
-		return &tailcfg.DERPRegion{
-			RegionID:   rid,
-			RegionCode: fmt.Sprintf("%s-%s", dm.Regions[rid].RegionCode, n.Name),
-			RegionName: dm.Regions[rid].RegionName,
-			Nodes:      []*tailcfg.DERPNode{n},
-		}
-	})
-	dc.IsProber = true
-	err := dc.Connect(ctx)
-	if err != nil {
-		return nil, err
-	}
-	cs, ok := dc.TLSConnectionState()
-	if !ok {
-		dc.Close()
-		return nil, errors.New("no TLS state")
-	}
-	if len(cs.PeerCertificates) == 0 {
-		dc.Close()
-		return nil, errors.New("no peer certificates")
-	}
-	if cs.ServerName != n.HostName {
-		dc.Close()
-		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
-	}
-	setCert(cs.ServerName, cs.PeerCertificates[0])
-
-	errc := make(chan error, 1)
-	go func() {
-		m, err := dc.Recv()
-		if err != nil {
-			errc <- err
-			return
-		}
-		switch m.(type) {
-		case derp.ServerInfoMessage:
-			errc <- nil
-		default:
-			errc <- fmt.Errorf("unexpected first message type %T", errc)
-		}
-	}()
-	select {
-	case err := <-errc:
-		if err != nil {
-			go dc.Close()
-			return nil, err
-		}
-	case <-ctx.Done():
-		go dc.Close()
-		return nil, fmt.Errorf("timeout waiting for ServerInfoMessage: %w", ctx.Err())
-	}
-	return dc, nil
-}
-
-var httpOrFileClient = &http.Client{Transport: httpOrFileTransport()}
-
-func httpOrFileTransport() http.RoundTripper {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.RegisterProtocol("file", http.NewFileTransport(http.Dir("/")))
-	return tr
-}
-
-func getDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", *derpMapURL, nil)
-	if err != nil {
-		return nil, err
-	}
-	res, err := httpOrFileClient.Do(req)
-	if err != nil {
-		mu.Lock()
-		defer mu.Unlock()
-		if lastDERPMap != nil && time.Since(lastDERPMapAt) < 10*time.Minute {
-			// Assume that control is restarting and use
-			// the same one for a bit.
-			return lastDERPMap, nil
-		}
-		return nil, err
-	}
-	defer res.Body.Close()
-	if res.StatusCode != 200 {
-		return nil, fmt.Errorf("fetching %s: %s", *derpMapURL, res.Status)
-	}
-	dm := new(tailcfg.DERPMap)
-	if err := json.NewDecoder(res.Body).Decode(dm); err != nil {
-		return nil, fmt.Errorf("decoding %s JSON: %v", *derpMapURL, err)
-	}
-	setDERPMap(dm)
-	return dm, nil
-}
--- a/cmd/gitops-pusher/README.md
+++ b/cmd/gitops-pusher/README.md
@@ -1,48 +0,0 @@
-# gitops-pusher
-
-This is a small tool to help people achieve a
-[GitOps](https://about.gitlab.com/topics/gitops/) workflow with Tailscale ACL
-changes. This tool is intended to be used in a CI flow that looks like this:
-
-```yaml
-name: Tailscale ACL syncing
-
-on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
-
-jobs:
-  acls:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-      
-      - name: Setup Go environment
-        uses: actions/setup-go@v3.2.0
-        
-      - name: Install gitops-pusher
-        run: go install tailscale.com/cmd/gitops-pusher@latest
-              
-      - name: Deploy ACL
-        if: github.event_name == 'push'
-        env:
-          TS_API_KEY: ${{ secrets.TS_API_KEY }}
-          TS_TAILNET: ${{ secrets.TS_TAILNET }}
-        run: |
-          ~/go/bin/gitops-pusher --policy-file ./policy.hujson apply
-
-      - name: ACL tests
-        if: github.event_name == 'pull_request'
-        env:
-          TS_API_KEY: ${{ secrets.TS_API_KEY }}
-          TS_TAILNET: ${{ secrets.TS_TAILNET }}
-        run: |
-          ~/go/bin/gitops-pusher --policy-file ./policy.hujson test
-```
-
-Change the value of the `--policy-file` flag to point to the policy file on
-disk. Policy files should be in [HuJSON](https://github.com/tailscale/hujson)
-format.
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -1,322 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Command gitops-pusher allows users to use a GitOps flow for managing Tailscale ACLs.
-//
-// See README.md for more details.
-package main
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"os"
-	"regexp"
-	"strings"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"github.com/tailscale/hujson"
-)
-
-var (
-	rootFlagSet  = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
-	policyFname  = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
-	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
-	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
-)
-
-func apply(tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-
-		if controlEtag == localEtag {
-			log.Println("no update needed, doing nothing")
-			return nil
-		}
-
-		if err := applyNewACL(ctx, tailnet, apiKey, *policyFname, controlEtag); err != nil {
-			return err
-		}
-
-		return nil
-	}
-}
-
-func test(tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-
-		if controlEtag == localEtag {
-			log.Println("no updates found, doing nothing")
-			return nil
-		}
-
-		if err := testNewACLs(ctx, tailnet, apiKey, *policyFname); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-func getChecksums(tailnet, apiKey string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
-		if err != nil {
-			return err
-		}
-
-		localEtag, err := sumFile(*policyFname)
-		if err != nil {
-			return err
-		}
-
-		log.Printf("control: %s", controlEtag)
-		log.Printf("local:   %s", localEtag)
-
-		return nil
-	}
-}
-
-func main() {
-	tailnet, ok := os.LookupEnv("TS_TAILNET")
-	if !ok {
-		log.Fatal("set envvar TS_TAILNET to your tailnet's name")
-	}
-	apiKey, ok := os.LookupEnv("TS_API_KEY")
-	if !ok {
-		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
-	}
-
-	applyCmd := &ffcli.Command{
-		Name:       "apply",
-		ShortUsage: "gitops-pusher [options] apply",
-		ShortHelp:  "Pushes changes to CONTROL",
-		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(tailnet, apiKey),
-	}
-
-	testCmd := &ffcli.Command{
-		Name:       "test",
-		ShortUsage: "gitops-pusher [options] test",
-		ShortHelp:  "Tests ACL changes",
-		LongHelp:   "Tests ACL changes",
-		Exec:       test(tailnet, apiKey),
-	}
-
-	cksumCmd := &ffcli.Command{
-		Name:       "checksum",
-		ShortUsage: "Shows checksums of ACL files",
-		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(tailnet, apiKey),
-	}
-
-	root := &ffcli.Command{
-		ShortUsage:  "gitops-pusher [options] <command>",
-		ShortHelp:   "Push Tailscale ACLs to CONTROL using a GitOps workflow",
-		Subcommands: []*ffcli.Command{applyCmd, cksumCmd, testCmd},
-		FlagSet:     rootFlagSet,
-	}
-
-	if err := root.Parse(os.Args[1:]); err != nil {
-		log.Fatal(err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), *timeout)
-	defer cancel()
-
-	if err := root.Run(ctx); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}
-
-func sumFile(fname string) (string, error) {
-	data, err := os.ReadFile(fname)
-	if err != nil {
-		return "", err
-	}
-
-	formatted, err := hujson.Format(data)
-	if err != nil {
-		return "", err
-	}
-
-	h := sha256.New()
-	_, err = h.Write(formatted)
-	if err != nil {
-		return "", err
-	}
-
-	return fmt.Sprintf("\"%x\"", h.Sum(nil)), nil
-}
-
-func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
-	fin, err := os.Open(policyFname)
-	if err != nil {
-		return err
-	}
-	defer fin.Close()
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), fin)
-	if err != nil {
-		return err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Content-Type", "application/hujson")
-	req.Header.Set("If-Match", oldEtag)
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		var ate ACLTestError
-		err := json.NewDecoder(resp.Body).Decode(&ate)
-		if err != nil {
-			return err
-		}
-
-		return ate
-	}
-
-	return nil
-}
-
-func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	fin, err := os.Open(policyFname)
-	if err != nil {
-		return err
-	}
-	defer fin.Close()
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), fin)
-	if err != nil {
-		return err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Content-Type", "application/hujson")
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	var ate ACLTestError
-	err = json.NewDecoder(resp.Body).Decode(&ate)
-	if err != nil {
-		return err
-	}
-
-	if len(ate.Message) != 0 || len(ate.Data) != 0 {
-		return ate
-	}
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		data, _ := httputil.DumpResponse(resp, true)
-		os.Stderr.Write(data)
-		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
-	}
-
-	return nil
-}
-
-var lineColMessageSplit = regexp.MustCompile(`^line ([0-9]+), column ([0-9]+): (.*)$`)
-
-type ACLTestError struct {
-	Message string               `json:"message"`
-	Data    []ACLTestErrorDetail `json:"data"`
-}
-
-func (ate ACLTestError) Error() string {
-	var sb strings.Builder
-
-	if *githubSyntax && lineColMessageSplit.MatchString(ate.Message) {
-		sp := lineColMessageSplit.FindStringSubmatch(ate.Message)
-
-		line := sp[1]
-		col := sp[2]
-		msg := sp[3]
-
-		fmt.Fprintf(&sb, "::error file=%s,line=%s,col=%s::%s", *policyFname, line, col, msg)
-	} else {
-		fmt.Fprintln(&sb, ate.Message)
-	}
-	fmt.Fprintln(&sb)
-
-	for _, data := range ate.Data {
-		fmt.Fprintf(&sb, "For user %s:\n", data.User)
-		for _, err := range data.Errors {
-			fmt.Fprintf(&sb, "- %s\n", err)
-		}
-	}
-
-	return sb.String()
-}
-
-type ACLTestErrorDetail struct {
-	User   string   `json:"user"`
-	Errors []string `json:"errors"`
-}
-
-func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl", tailnet), nil)
-	if err != nil {
-		return "", err
-	}
-
-	req.SetBasicAuth(apiKey, "")
-	req.Header.Set("Accept", "application/hujson")
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return "", err
-	}
-	defer resp.Body.Close()
-
-	got := resp.StatusCode
-	want := http.StatusOK
-	if got != want {
-		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
-	}
-
-	return resp.Header.Get("ETag"), nil
-}
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -1,211 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The hello binary runs hello.ts.net.
-package main // import "tailscale.com/cmd/hello"
-
-import (
-	"context"
-	"crypto/tls"
-	_ "embed"
-	"encoding/json"
-	"errors"
-	"flag"
-	"html/template"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-	"time"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/client/tailscale/apitype"
-)
-
-var (
-	httpAddr  = flag.String("http", ":80", "address to run an HTTP server on, or empty for none")
-	httpsAddr = flag.String("https", ":443", "address to run an HTTPS server on, or empty for none")
-	testIP    = flag.String("test-ip", "", "if non-empty, look up IP and exit before running a server")
-)
-
-//go:embed hello.tmpl.html
-var embeddedTemplate string
-
-func main() {
-	flag.Parse()
-	if *testIP != "" {
-		res, err := tailscale.WhoIs(context.Background(), *testIP)
-		if err != nil {
-			log.Fatal(err)
-		}
-		e := json.NewEncoder(os.Stdout)
-		e.SetIndent("", "\t")
-		e.Encode(res)
-		return
-	}
-	if devMode() {
-		// Parse it optimistically
-		var err error
-		tmpl, err = template.New("home").Parse(embeddedTemplate)
-		if err != nil {
-			log.Printf("ignoring template error in dev mode: %v", err)
-		}
-	} else {
-		if embeddedTemplate == "" {
-			log.Fatalf("embeddedTemplate is empty; must be build with Go 1.16+")
-		}
-		tmpl = template.Must(template.New("home").Parse(embeddedTemplate))
-	}
-
-	http.HandleFunc("/", root)
-	log.Printf("Starting hello server.")
-
-	errc := make(chan error, 1)
-	if *httpAddr != "" {
-		log.Printf("running HTTP server on %s", *httpAddr)
-		go func() {
-			errc <- http.ListenAndServe(*httpAddr, nil)
-		}()
-	}
-	if *httpsAddr != "" {
-		log.Printf("running HTTPS server on %s", *httpsAddr)
-		go func() {
-			hs := &http.Server{
-				Addr: *httpsAddr,
-				TLSConfig: &tls.Config{
-					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-						switch hi.ServerName {
-						case "hello.ts.net":
-							return tailscale.GetCertificate(hi)
-						case "hello.ipn.dev":
-							c, err := tls.LoadX509KeyPair(
-								"/etc/hello/hello.ipn.dev.crt",
-								"/etc/hello/hello.ipn.dev.key",
-							)
-							if err != nil {
-								return nil, err
-							}
-							return &c, nil
-						}
-						return nil, errors.New("invalid SNI name")
-					},
-				},
-				IdleTimeout:       30 * time.Second,
-				ReadHeaderTimeout: 20 * time.Second,
-				MaxHeaderBytes:    10 << 10,
-			}
-			errc <- hs.ListenAndServeTLS("", "")
-		}()
-	}
-	log.Fatal(<-errc)
-}
-
-func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }
-
-func getTmpl() (*template.Template, error) {
-	if devMode() {
-		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
-		if os.IsNotExist(err) {
-			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
-			return tmpl, nil
-		}
-		return template.New("home").Parse(string(tmplData))
-	}
-	return tmpl, nil
-}
-
-// tmpl is the template used in prod mode.
-// In dev mode it's only used if the template file doesn't exist on disk.
-// It's initialized by main after flag parsing.
-var tmpl *template.Template
-
-type tmplData struct {
-	DisplayName   string // "Foo Barberson"
-	LoginName     string // "foo@bar.com"
-	ProfilePicURL string // "https://..."
-	MachineName   string // "imac5k"
-	MachineOS     string // "Linux"
-	IP            string // "100.2.3.4"
-}
-
-func tailscaleIP(who *apitype.WhoIsResponse) string {
-	if who == nil {
-		return ""
-	}
-	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
-		}
-	}
-	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
-		}
-	}
-	return ""
-}
-
-func root(w http.ResponseWriter, r *http.Request) {
-	if r.TLS == nil && *httpsAddr != "" {
-		host := r.Host
-		if strings.Contains(r.Host, "100.101.102.103") ||
-			strings.Contains(r.Host, "hello.ipn.dev") {
-			host = "hello.ts.net"
-		}
-		http.Redirect(w, r, "https://"+host, http.StatusFound)
-		return
-	}
-	if r.RequestURI != "/" {
-		http.Redirect(w, r, "/", http.StatusFound)
-		return
-	}
-	if r.TLS != nil && *httpsAddr != "" && strings.Contains(r.Host, "hello.ipn.dev") {
-		http.Redirect(w, r, "https://hello.ts.net", http.StatusFound)
-		return
-	}
-	tmpl, err := getTmpl()
-	if err != nil {
-		w.Header().Set("Content-Type", "text/plain")
-		http.Error(w, "template error: "+err.Error(), 500)
-		return
-	}
-
-	who, err := tailscale.WhoIs(r.Context(), r.RemoteAddr)
-	var data tmplData
-	if err != nil {
-		if devMode() {
-			log.Printf("warning: using fake data in dev mode due to whois lookup error: %v", err)
-			data = tmplData{
-				DisplayName:   "Taily Scalerson",
-				LoginName:     "taily@scaler.son",
-				ProfilePicURL: "https://placekitten.com/200/200",
-				MachineName:   "scaled",
-				MachineOS:     "Linux",
-				IP:            "100.1.2.3",
-			}
-		} else {
-			log.Printf("whois(%q) error: %v", r.RemoteAddr, err)
-			http.Error(w, "Your Tailscale works, but we failed to look you up.", 500)
-			return
-		}
-	} else {
-		data = tmplData{
-			DisplayName:   who.UserProfile.DisplayName,
-			LoginName:     who.UserProfile.LoginName,
-			ProfilePicURL: who.UserProfile.ProfilePicURL,
-			MachineName:   firstLabel(who.Node.ComputedName),
-			MachineOS:     who.Node.Hostinfo.OS(),
-			IP:            tailscaleIP(who),
-		}
-	}
-	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	tmpl.Execute(w, data)
-}
-
-// firstLabel s up until the first period, if any.
-func firstLabel(s string) string {
-	s, _, _ = strings.Cut(s, ".")
-	return s
-}
--- a/cmd/hello/hello.tmpl.html
+++ b/cmd/hello/hello.tmpl.html
@@ -1,436 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
-  <title>Hello from Tailscale</title>
-  <style>
-    html,
-    body {
-      margin: 0;
-      padding: 0;
-    }
-
-    body {
-      font-family: Inter, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-      font-size: 100%;
-      -webkit-font-smoothing: antialiased;
-      -moz-osx-font-smoothing: grayscale;
-    }
-
-    html,
-    body,
-    main {
-      height: 100%;
-    }
-
-    *,
-    ::before,
-    ::after {
-      box-sizing: border-box;
-      border-width: 0;
-      border-style: solid;
-      border-color: #dad6d5;
-    }
-
-    h1,
-    h2,
-    h3,
-    h4,
-    h5,
-    h6 {
-      margin: 0;
-      font-size: 1rem;
-      font-weight: inherit;
-    }
-
-    a {
-      color: inherit;
-    }
-
-    p {
-      margin: 0;
-    }
-
-    main {
-      display: flex;
-      flex-direction: column;
-      justify-content: center;
-      align-items: center;
-      max-width: 24rem;
-      width: 95%;
-      margin-left: auto;
-      margin-right: auto;
-    }
-
-    .p-2 {
-      padding: 0.5rem;
-    }
-
-    .p-4 {
-      padding: 1rem;
-    }
-
-    .px-2 {
-      padding-left: 0.5rem;
-      padding-right: 0.5rem;
-    }
-
-    .pl-3 {
-      padding-left: 0.75rem;
-    }
-
-    .pr-3 {
-      padding-right: 0.75rem;
-    }
-
-    .pt-4 {
-      padding-top: 1rem;
-    }
-
-    .mr-2 {
-      margin-right: 0.5rem;
-      ;
-    }
-
-    .mb-1 {
-      margin-bottom: 0.25rem;
-    }
-
-    .mb-2 {
-      margin-bottom: 0.5rem;
-    }
-
-    .mb-4 {
-      margin-bottom: 1rem;
-    }
-
-    .mb-6 {
-      margin-bottom: 1.5rem;
-    }
-
-    .mb-8 {
-      margin-bottom: 2rem;
-    }
-
-    .mb-12 {
-      margin-bottom: 3rem;
-    }
-
-    .width-full {
-      width: 100%;
-    }
-
-    .min-width-0 {
-      min-width: 0;
-    }
-
-    .rounded-lg {
-      border-radius: 0.5rem;
-    }
-
-    .relative {
-      position: relative;
-    }
-
-    .flex {
-      display: flex;
-    }
-
-    .justify-between {
-      justify-content: space-between;
-    }
-
-    .items-center {
-      align-items: center;
-    }
-
-    .border {
-      border-width: 1px;
-    }
-
-    .border-t-1 {
-      border-top-width: 1px;
-    }
-
-    .border-gray-100 {
-      border-color: #f7f5f4;
-    }
-
-    .border-gray-200 {
-      border-color: #eeebea;
-    }
-
-    .border-gray-300 {
-      border-color: #dad6d5;
-    }
-
-    .bg-white {
-      background-color: white;
-    }
-
-    .bg-gray-0 {
-      background-color: #faf9f8;
-    }
-
-    .bg-gray-100 {
-      background-color: #f7f5f4;
-    }
-
-    .text-green-600 {
-      color: #0d4b3b;
-    }
-
-    .text-blue-600 {
-      color: #3f5db3;
-    }
-
-    .hover\:text-blue-800:hover {
-      color: #253570;
-    }
-
-    .text-gray-600 {
-      color: #444342;
-    }
-
-    .text-gray-700 {
-      color: #2e2d2d;
-    }
-
-    .text-gray-800 {
-      color: #232222;
-    }
-
-    .text-center {
-      text-align: center;
-    }
-
-    .text-sm {
-      font-size: 0.875rem;
-    }
-
-    .font-title {
-      font-size: 1.25rem;
-      letter-spacing: -0.025em;
-    }
-
-    .font-semibold {
-      font-weight: 600;
-    }
-
-    .font-medium {
-      font-weight: 500;
-    }
-
-    .font-regular {
-      font-weight: 400;
-    }
-
-    .truncate {
-      overflow: hidden;
-      text-overflow: ellipsis;
-      white-space: nowrap;
-    }
-
-    .overflow-hidden {
-      overflow: hidden;
-    }
-
-    .profile-pic {
-      width: 2.5rem;
-      height: 2.5rem;
-      border-radius: 9999px;
-      background-size: cover;
-      margin-right: 0.5rem;
-      flex-shrink: 0;
-    }
-
-    .panel {
-      box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
-    }
-
-    .animate .panel {
-      transform: translateY(10%);
-      box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.0), 0 10px 10px -5px rgba(0, 0, 0, 0.0);
-      transition: transform 1200ms ease, opacity 1200ms ease, box-shadow 1200ms ease;
-    }
-
-    .animate .panel-interior {
-      opacity: 0.0;
-      transition: opacity 1200ms ease;
-    }
-
-    .animate .logo {
-      transform: translateY(2rem);
-      opacity: 0.0;
-      transition: transform 1200ms ease, opacity 1200ms ease;
-    }
-
-    .animate .header-title {
-      transform: translateY(1.6rem);
-      opacity: 0.0;
-      transition: transform 1200ms ease, opacity 1200ms ease;
-    }
-
-    .animate .header-text {
-      transform: translateY(1.2rem);
-      opacity: 0.0;
-      transition: transform 1200ms ease, opacity 1200ms ease;
-    }
-
-    .animate .footer {
-      transform: translateY(-0.5rem);
-      opacity: 0.0;
-      transition: transform 1200ms ease, opacity 1200ms ease;
-    }
-
-    .animating .panel {
-      transform: translateY(0);
-      opacity: 1.0;
-      box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1), 0 10px 10px -5px rgba(0, 0, 0, 0.04);
-    }
-
-    .animating .panel-interior {
-      opacity: 1.0;
-    }
-
-    .animating .spinner {
-      opacity: 0.0;
-    }
-
-    .animating .logo,
-    .animating .header-title,
-    .animating .header-text,
-    .animating .footer {
-      transform: translateY(0);
-      opacity: 1.0;
-    }
-
-    .spinner {
-      display: inline-flex;
-      position: absolute;
-      top: 50%;
-      left: 50%;
-      transform: translate(-50%, -50%);
-      align-items: center;
-      transition: opacity 200ms ease;
-    }
-
-    .spinner span {
-      display: inline-block;
-      background-color: currentColor;
-      border-radius: 9999px;
-      animation-name: loading-dots-blink;
-      animation-duration: 1.4s;
-      animation-iteration-count: infinite;
-      animation-fill-mode: both;
-      width: 0.35em;
-      height: 0.35em;
-      margin: 0 0.15em;
-    }
-
-    .spinner span:nth-child(2) {
-      animation-delay: 200ms;
-    }
-
-    .spinner span:nth-child(3) {
-      animation-delay: 400ms;
-    }
-
-    .spinner {
-      display: none;
-    }
-
-    .animate .spinner {
-      display: inline-flex;
-    }
-
-    @keyframes loading-dots-blink {
-      0% {
-        opacity: 0.2;
-      }
-      20% {
-        opacity: 1;
-      }
-      100% {
-        opacity: 0.2;
-      }
-    }
-
-    @media (prefers-reduced-motion) {
-      * {
-        animation-duration: 0ms !important;
-        transition-duration: 0ms !important;
-        transition-delay: 0ms !important;
-      }
-    }
-  </style>
-</head>
-<body class="bg-gray-100">
-  <script>
-    (function() {
-      var lastSeen = localStorage.getItem("lastSeen");
-      if (!lastSeen) {
-        document.body.classList.add("animate");
-        window.addEventListener("load", function () {
-          setTimeout(function () {
-            document.body.classList.add("animating");
-            localStorage.setItem("lastSeen", Date.now());
-          }, 100);
-        });
-      }
-    })();
-  </script>
-  <main class="text-gray-800">
-    <svg class="logo mb-6" width="28" height="28" viewBox="0 0 22 22" fill="none" xmlns="http://www.w3.org/2000/svg">
-      <circle opacity="0.2" cx="3.4" cy="3.25" r="2.7" fill="currentColor" />
-      <circle cx="3.4" cy="11.3" r="2.7" fill="currentColor" />
-      <circle opacity="0.2" cx="3.4" cy="19.5" r="2.7" fill="currentColor" />
-      <circle cx="11.5" cy="11.3" r="2.7" fill="currentColor" />
-      <circle cx="11.5" cy="19.5" r="2.7" fill="currentColor" />
-      <circle opacity="0.2" cx="11.5" cy="3.25" r="2.7" fill="currentColor" />
-      <circle opacity="0.2" cx="19.5" cy="3.25" r="2.7" fill="currentColor" />
-      <circle cx="19.5" cy="11.3" r="2.7" fill="currentColor" />
-      <circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor" />
-    </svg>
-    <header class="mb-8 text-center">
-      <h1 class="header-title font-title font-semibold mb-2">You're connected over Tailscale!</h1>
-      <p class="header-text">This device is signed in as…</p>
-    </header>
-    <div class="panel relative bg-white rounded-lg width-full shadow-xl mb-8 p-4">
-      <div class="spinner text-gray-600">
-        <span></span>
-        <span></span>
-        <span></span>
-      </div>
-      <div class="panel-interior flex items-center width-full min-width-0 p-2 mb-4">
-        <div class="profile-pic bg-gray-100" style="background-image: url({{.ProfilePicURL}});"></div>
-        <div class="overflow-hidden">
-          {{ with .DisplayName }}
-          <h4 class="font-semibold truncate">{{.}}</h4>
-          {{ end }}
-          <h5 class="text-gray-600 truncate">{{.LoginName}}</h5>
-        </div>
-      </div>
-      <div
-        class="panel-interior border border-gray-200 bg-gray-0 rounded-lg p-2 pl-3 pr-3 mb-2 width-full flex justify-between items-center">
-        <div class="flex items-center min-width-0">
-          <svg class="text-gray-600 mr-2" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none"
-            stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
-            <rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-            <rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-            <line x1="6" y1="6" x2="6.01" y2="6"></line>
-            <line x1="6" y1="18" x2="6.01" y2="18"></line>
-          </svg>
-          <h4 class="font-semibold truncate mr-2">{{.MachineName}}</h4>
-        </div>
-        <h5>{{.IP}}</h5>
-      </div>
-    </div>
-    <footer class="footer text-gray-600 text-center mb-12">
-      <p>Read about <a href="https://tailscale.com/kb/1017/install#advanced-features" class="text-blue-600 hover:text-blue-800"
-          target="_blank">what you can do next &rarr;</a></p>
-    </footer>
-  </main>
-</body>
-</html>
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// microproxy proxies incoming HTTPS connections to another
+// destination. Instead of managing its own TLS certificates, it
+// borrows issued certificates and keys from an autocert directory.
+package main
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/tsweb"
+)
+
+var (
+	addr          = flag.String("addr", ":4430", "server address")
+	certdir       = flag.String("certdir", "", "directory to borrow LetsEncrypt certificates from")
+	hostname      = flag.String("hostname", "", "hostname to serve")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
+	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+)
+
+func main() {
+	flag.Parse()
+
+	if *logCollection != "" {
+		logpolicy.New(*logCollection)
+	}
+
+	ne, err := url.Parse(*nodeExporter)
+	if err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *nodeExporter, err)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(ne)
+	proxy.FlushInterval = time.Second
+
+	if _, err = url.Parse(*goVarsURL); err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *goVarsURL, err)
+	}
+
+	mux := tsweb.NewMux(http.HandlerFunc(debugHandler))
+	mux.Handle("/metrics", tsweb.Protected(proxy))
+	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, log.Printf)))
+
+	ch := &certHolder{
+		hostname: *hostname,
+		path:     filepath.Join(*certdir, *hostname),
+	}
+
+	httpsrv := &http.Server{
+		Addr:    *addr,
+		Handler: mux,
+		TLSConfig: &tls.Config{
+			GetCertificate: ch.GetCertificate,
+		},
+	}
+
+	if err := httpsrv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+		log.Fatal(err)
+	}
+}
+
+type goVarsHandler struct {
+	url string
+}
+
+func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
+	for k, i := range obj {
+		if prefix != "" {
+			k = prefix + "_" + k
+		}
+		switch v := i.(type) {
+		case map[string]interface{}:
+			promPrint(w, k, v)
+		case float64:
+			fmt.Fprintf(w, "%s %f\n", k, v)
+		default:
+			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
+		}
+	}
+}
+
+func (h *goVarsHandler) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
+	resp, err := http.Get(h.url)
+	if err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+	defer resp.Body.Close()
+	var mon map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&mon); err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+
+	w.WriteHeader(http.StatusOK)
+	promPrint(w, "", mon)
+	return nil
+}
+
+// certHolder loads and caches a TLS certificate from disk, reloading
+// it every hour.
+type certHolder struct {
+	hostname string // only hostname allowed in SNI
+	path     string // path of certificate+key combined PEM file
+
+	mu     sync.Mutex
+	cert   *tls.Certificate // cached parsed cert+key
+	loaded time.Time
+}
+
+func (c *certHolder) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if ch.ServerName != c.hostname {
+		return nil, fmt.Errorf("wrong client SNI %q", ch.ServerName)
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if time.Since(c.loaded) > time.Hour {
+		if err := c.loadLocked(); err != nil {
+			log.Printf("Reloading cert %q: %v", c.path, err)
+			// continue anyway, we might be able to serve off the stale cert.
+		}
+	}
+	return c.cert, nil
+}
+
+// load reloads the TLS certificate and key from disk. Caller must
+// hold mu.
+func (c *certHolder) loadLocked() error {
+	bs, err := ioutil.ReadFile(c.path)
+	if err != nil {
+		return fmt.Errorf("reading %q: %v", c.path, err)
+	}
+	cert, err := tls.X509KeyPair(bs, bs)
+	if err != nil {
+		return fmt.Errorf("parsing %q: %v", c.path, err)
+	}
+
+	c.cert = &cert
+	c.loaded = time.Now()
+	return nil
+}
+
+// debugHandler serves a page with links to tsweb-managed debug URLs
+// at /debug/.
+func debugHandler(w http.ResponseWriter, r *http.Request) {
+	f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+	f(`<html><body>
+<h1>microproxy debug</h1>
+<ul>
+`)
+	f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+	f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+	f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+<ul>
+</html>
+`)
+}
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -6,7 +6,6 @@
 package main

 import (
-	"flag"
 	"fmt"
 	"log"
 	"os"
@@ -15,15 +14,13 @@ import (
 	"github.com/goreleaser/nfpm"
 	_ "github.com/goreleaser/nfpm/deb"
 	_ "github.com/goreleaser/nfpm/rpm"
+	"github.com/pborman/getopt"
 )

 // parseFiles parses a comma-separated list of colon-separated pairs
 // into a map of filePathOnDisk -> filePathInPackage.
 func parseFiles(s string) (map[string]string, error) {
 	ret := map[string]string{}
-	if len(s) == 0 {
-		return ret, nil
-	}
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
@@ -44,21 +41,19 @@ func parseEmptyDirs(s string) []string {
 }

 func main() {
-	out := flag.String("out", "", "output file to write")
-	name := flag.String("name", "tailscale", "package name")
-	description := flag.String("description", "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO", "package description")
-	goarch := flag.String("arch", "amd64", "GOARCH this package is for")
-	pkgType := flag.String("type", "deb", "type of package to build (deb or rpm)")
-	files := flag.String("files", "", "comma-separated list of files in src:dst form")
-	configFiles := flag.String("configs", "", "like --files, but for files marked as user-editable config files")
-	emptyDirs := flag.String("emptydirs", "", "comma-separated list of empty directories")
-	version := flag.String("version", "0.0.0", "version of the package")
-	postinst := flag.String("postinst", "", "debian postinst script path")
-	prerm := flag.String("prerm", "", "debian prerm script path")
-	postrm := flag.String("postrm", "", "debian postrm script path")
-	replaces := flag.String("replaces", "", "package which this package replaces, if any")
-	depends := flag.String("depends", "", "comma-separated list of packages this package depends on")
-	flag.Parse()
+	out := getopt.StringLong("out", 'o', "", "output file to write")
+	goarch := getopt.StringLong("arch", 'a', "amd64", "GOARCH this package is for")
+	pkgType := getopt.StringLong("type", 't', "deb", "type of package to build (deb or rpm)")
+	files := getopt.StringLong("files", 'F', "", "comma-separated list of files in src:dst form")
+	configFiles := getopt.StringLong("configs", 'C', "", "like --files, but for files marked as user-editable config files")
+	emptyDirs := getopt.StringLong("emptydirs", 'E', "", "comma-separated list of empty directories")
+	version := getopt.StringLong("version", 0, "0.0.0", "version of the package")
+	postinst := getopt.StringLong("postinst", 0, "", "debian postinst script path")
+	prerm := getopt.StringLong("prerm", 0, "", "debian prerm script path")
+	postrm := getopt.StringLong("postrm", 0, "", "debian postrm script path")
+	replaces := getopt.StringLong("replaces", 0, "", "package which this package replaces, if any")
+	depends := getopt.StringLong("depends", 0, "", "comma-separated list of packages this package depends on")
+	getopt.Parse()

 	filesMap, err := parseFiles(*files)
 	if err != nil {
@@ -70,12 +65,12 @@ func main() {
 	}
 	emptyDirList := parseEmptyDirs(*emptyDirs)
 	info := nfpm.WithDefaults(&nfpm.Info{
-		Name:        *name,
+		Name:        "tailscale",
 		Arch:        *goarch,
 		Platform:    "linux",
 		Version:     *version,
 		Maintainer:  "Tailscale Inc <info@tailscale.com>",
-		Description: *description,
+		Description: "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO",
 		Homepage:    "https://www.tailscale.com",
 		License:     "MIT",
 		Overridables: nfpm.Overridables{
--- a/cmd/nginx-auth/.gitignore
+++ b/cmd/nginx-auth/.gitignore
@@ -1,4 +0,0 @@
-nga.sock
-*.deb
-*.rpm
-tailscale.nginx-auth
--- a/cmd/nginx-auth/README.md
+++ b/cmd/nginx-auth/README.md
@@ -1,157 +0,0 @@
-# nginx-auth
-
-This is a tool that allows users to use Tailscale Whois authentication with
-NGINX as a reverse proxy. This allows users that already have a bunch of
-services hosted on an internal NGINX server to point those domains to the
-Tailscale IP of the NGINX server and then seamlessly use Tailscale for
-authentication.
-
-Many thanks to [@zrail](https://twitter.com/zrail/status/1511788463586222087) on
-Twitter for introducing the basic idea and offering some sample code. This
-program is based on that sample code with security enhancements. Namely:
-
-* This listens over a UNIX socket instead of a TCP socket, to prevent
-  leakage to the network
-* This uses systemd socket activation so that systemd owns the socket
-  and can then lock down the service to the bare minimum required to do
-  its job without having to worry about dropping permissions
-* This provides additional information in HTTP response headers that can
-  be useful for integrating with various services
-
-## Configuration
-
-In order to protect a service with this tool, do the following in the respective
-`server` block:
-
-Create an authentication location with the `internal` flag set:
-
-```nginx
-location /auth {
-  internal;
-
-  proxy_pass http://unix:/run/tailscale.nginx-auth.sock;
-  proxy_pass_request_body off;
-
-  proxy_set_header Host $http_host;
-  proxy_set_header Remote-Addr $remote_addr;
-  proxy_set_header Remote-Port $remote_port;
-  proxy_set_header Original-URI $request_uri;
-}
-```
-
-Then add the following to the `location /` block:
-
-```
-auth_request /auth;
-auth_request_set $auth_user $upstream_http_tailscale_user;
-auth_request_set $auth_name $upstream_http_tailscale_name;
-auth_request_set $auth_login $upstream_http_tailscale_login;
-auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet;
-auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture;
-
-proxy_set_header X-Webauth-User "$auth_user";
-proxy_set_header X-Webauth-Name "$auth_name";
-proxy_set_header X-Webauth-Login "$auth_login";
-proxy_set_header X-Webauth-Tailnet "$auth_tailnet";
-proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture";
-```
-
-When this configuration is used with a Go HTTP handler such as this:
-
-```go
-http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
-	e := json.NewEncoder(w)
-	e.SetIndent("", "  ")
-	e.Encode(r.Header)
-})
-```
-
-You will get output like this:
-
-```json
-{
-  "Accept": [
-    "*/*"
-  ],
-  "Connection": [
-    "upgrade"
-  ],
-  "User-Agent": [
-    "curl/7.82.0"
-  ],
-  "X-Webauth-Login": [
-    "Xe"
-  ],
-  "X-Webauth-Name": [
-    "Xe Iaso"
-  ],
-  "X-Webauth-Profile-Picture": [
-    "https://avatars.githubusercontent.com/u/529003?v=4"
-  ],
-  "X-Webauth-Tailnet": [
-    "cetacean.org.github"
-  ]
-  "X-Webauth-User": [
-    "Xe@github"
-  ]
-}
-```
-
-## Headers
-
-The authentication service provides the following headers to decorate your
-proxied requests:
-
-| Header                      | Example Value                                                      | Description                                                                   |
-| :------                     | :--------------                                                    | :----------                                                                   |
-| `Tailscale-User`            | `azurediamond@hunter2.net`                                         | The Tailscale username the remote machine is logged in as in user@host form   |
-| `Tailscale-Login`           | `azurediamond`                                                     | The user portion of the Tailscale username the remote machine is logged in as |
-| `Tailscale-Name`            | `Azure Diamond`                                                    | The "real name" of the Tailscale user the machine is logged in as             |
-| `Tailscale-Profile-Picture` | `https://i.kym-cdn.com/photos/images/newsfeed/001/065/963/ae0.png` | The profile picture provided by the Identity Provider your tailnet uses       |
-| `Tailscale-Tailnet`          | `hunter2.net`                                       | The tailnet name                                                              |
-
-Most of the time you can set `X-Webauth-User` to the contents of the
-`Tailscale-User` header, but some services may not accept a username with an `@`
-symbol in it. If this is the case, set `X-Webauth-User` to the `Tailscale-Login`
-header.
-
-The `Tailscale-Tailnet` header can help you identify which tailnet the session
-is coming from. If you are using node sharing, this can help you make sure that
-you aren't giving administrative access to people outside your tailnet.
-
-### Allow Requests From Only One Tailnet
-
-If you want to prevent node sharing from allowing users to access a service, add
-the `Expected-Tailnet` header to your auth request:
-
-```nginx
-location /auth {
-  # ...
-  proxy_set_header Expected-Tailnet "tailscale.com";
-}
-```
-
-If a user from a different tailnet tries to use that service, this will return a
-generic "forbidden" error page:
-
-```html
-<html>
-<head><title>403 Forbidden</title></head>
-<body>
-<center><h1>403 Forbidden</h1></center>
-<hr><center>nginx/1.18.0 (Ubuntu)</center>
-</body>
-</html>
-```
-
-## Building
-
-Install `cmd/mkpkg`:
-
-```
-cd .. && go install ./mkpkg
-```
-
-Then run `./mkdeb.sh`. It will emit a `.deb` and `.rpm` package for amd64
-machines (Linux uname flag: `x86_64`). You can add these to your deployment
-methods as you see fit.
--- a/cmd/nginx-auth/deb/postinst.sh
+++ b/cmd/nginx-auth/deb/postinst.sh
@@ -1,14 +0,0 @@
-if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
-	  deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-	  if deb-systemd-helper --quiet was-enabled 'tailscale.nginx-auth.socket'; then
-		    deb-systemd-helper enable 'tailscale.nginx-auth.socket' >/dev/null || true
-	  else
-		    deb-systemd-helper update-state 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-
-    if systemctl is-active tailscale.nginx-auth.socket >/dev/null; then
-        systemctl --system daemon-reload >/dev/null || true
-        deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-        deb-systemd-invoke restart 'tailscale.nginx-auth.socket' >/dev/null || true
-    fi
-fi
--- a/cmd/nginx-auth/deb/postrm.sh
+++ b/cmd/nginx-auth/deb/postrm.sh
@@ -1,19 +0,0 @@
-#!/bin/sh
-set -e
-if [ -d /run/systemd/system ] ; then
-	  systemctl --system daemon-reload >/dev/null || true
-fi
-
-if [ -x "/usr/bin/deb-systemd-helper" ]; then
-    if [ "$1" = "remove" ]; then
-		    deb-systemd-helper mask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper mask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-
-    if [ "$1" = "purge" ]; then
-		    deb-systemd-helper purge 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
-		    deb-systemd-helper purge 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-helper unmask 'tailscale.nginx-auth.service' >/dev/null || true
-	  fi
-fi
--- a/cmd/nginx-auth/deb/prerm.sh
+++ b/cmd/nginx-auth/deb/prerm.sh
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -e
-if [ "$1" = "remove" ]; then
-	  if [ -d /run/systemd/system ]; then
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
-		    deb-systemd-invoke stop 'tailscale.nginx-auth.socket' >/dev/null || true
-	  fi
-fi
--- a/cmd/nginx-auth/mkdeb.sh
+++ b/cmd/nginx-auth/mkdeb.sh
@@ -1,31 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .
-
-VERSION=0.1.1
-
-mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
-    --name=tailscale-nginx-auth \
-    --version=${VERSION} \
-    --type=deb \
-    --arch=amd64 \
-    --postinst=deb/postinst.sh \
-    --postrm=deb/postrm.sh \
-    --prerm=deb/prerm.sh \
-    --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
-
-mkpkg \
-    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
-    --name=tailscale-nginx-auth \
-    --version=${VERSION} \
-    --type=rpm \
-    --arch=amd64 \
-    --postinst=rpm/postinst.sh \
-    --postrm=rpm/postrm.sh \
-    --prerm=rpm/prerm.sh \
-    --description="Tailscale NGINX authentication protocol handler" \
-    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -1,127 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux
-
-// Command nginx-auth is a tool that allows users to use Tailscale Whois
-// authentication with NGINX as a reverse proxy. This allows users that
-// already have a bunch of services hosted on an internal NGINX server
-// to point those domains to the Tailscale IP of the NGINX server and
-// then seamlessly use Tailscale for authentication.
-package main
-
-import (
-	"flag"
-	"log"
-	"net"
-	"net/http"
-	"net/netip"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/coreos/go-systemd/activation"
-	"tailscale.com/client/tailscale"
-)
-
-var (
-	sockPath = flag.String("sockpath", "", "the filesystem path for the unix socket this service exposes")
-)
-
-func main() {
-	flag.Parse()
-
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		remoteHost := r.Header.Get("Remote-Addr")
-		remotePort := r.Header.Get("Remote-Port")
-		if remoteHost == "" || remotePort == "" {
-			w.WriteHeader(http.StatusBadRequest)
-			log.Println("set Remote-Addr to $remote_addr and Remote-Port to $remote_port in your nginx config")
-			return
-		}
-
-		remoteAddrStr := net.JoinHostPort(remoteHost, remotePort)
-		remoteAddr, err := netip.ParseAddrPort(remoteAddrStr)
-		if err != nil {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("remote address and port are not valid: %v", err)
-			return
-		}
-
-		info, err := tailscale.WhoIs(r.Context(), remoteAddr.String())
-		if err != nil {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't look up %s: %v", remoteAddr, err)
-			return
-		}
-
-		if len(info.Node.Tags) != 0 {
-			w.WriteHeader(http.StatusForbidden)
-			log.Printf("node %s is tagged", info.Node.Hostinfo.Hostname())
-			return
-		}
-
-		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
-		}
-		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
-		}
-
-		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
-			w.WriteHeader(http.StatusForbidden)
-			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
-			return
-		}
-
-		h := w.Header()
-		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
-		h.Set("Tailscale-User", info.UserProfile.LoginName)
-		h.Set("Tailscale-Name", info.UserProfile.DisplayName)
-		h.Set("Tailscale-Profile-Picture", info.UserProfile.ProfilePicURL)
-		h.Set("Tailscale-Tailnet", tailnet)
-		w.WriteHeader(http.StatusNoContent)
-	})
-
-	if *sockPath != "" {
-		_ = os.Remove(*sockPath) // ignore error, this file may not already exist
-		ln, err := net.Listen("unix", *sockPath)
-		if err != nil {
-			log.Fatalf("can't listen on %s: %v", *sockPath, err)
-		}
-		defer ln.Close()
-
-		log.Printf("listening on %s", *sockPath)
-		log.Fatal(http.Serve(ln, mux))
-	}
-
-	listeners, err := activation.Listeners()
-	if err != nil {
-		log.Fatalf("no sockets passed to this service with systemd: %v", err)
-	}
-
-	// NOTE(Xe): normally you'd want to make a waitgroup here and then register
-	// each listener with it. In this case I want this to blow up horribly if
-	// any of the listeners stop working. systemd will restart it due to the
-	// socket activation at play.
-	//
-	// TL;DR: Let it crash, it will come back
-	for _, ln := range listeners {
-		go func(ln net.Listener) {
-			log.Printf("listening on %s", ln.Addr())
-			log.Fatal(http.Serve(ln, mux))
-		}(ln)
-	}
-
-	for {
-		select {}
-	}
-}
--- a/cmd/nginx-auth/rpm/postinst.sh
+++ b/cmd/nginx-auth/rpm/postinst.sh
--- a/cmd/nginx-auth/rpm/postrm.sh
+++ b/cmd/nginx-auth/rpm/postrm.sh
@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-systemctl daemon-reload >/dev/null 2>&1 || :
-if [ $1 -ge 1 ] ; then
-    # Package upgrade, not uninstall
-    systemctl stop tailscale.nginx-auth.service >/dev/null 2>&1 || :
-    systemctl try-restart tailscale.nginx-auth.socket >/dev/null 2>&1 || :
-fi
--- a/cmd/nginx-auth/rpm/prerm.sh
+++ b/cmd/nginx-auth/rpm/prerm.sh
@@ -1,9 +0,0 @@
-# $1 == 0 for uninstallation.
-# $1 == 1 for removing old package during upgrade.
-
-if [ $1 -eq 0 ] ; then
-    # Package removal, not upgrade
-    systemctl --no-reload disable tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.socket > /dev/null 2>&1 || :
-    systemctl stop tailscale.nginx-auth.service > /dev/null 2>&1 || :
-fi
--- a/cmd/nginx-auth/tailscale.nginx-auth.service
+++ b/cmd/nginx-auth/tailscale.nginx-auth.service
@@ -1,11 +0,0 @@
-[Unit]
-Description=Tailscale NGINX Authentication service
-After=nginx.service
-Wants=nginx.service
-
-[Service]
-ExecStart=/usr/sbin/tailscale.nginx-auth
-DynamicUser=yes
-
-[Install]
-WantedBy=default.target
--- a/cmd/nginx-auth/tailscale.nginx-auth.socket
+++ b/cmd/nginx-auth/tailscale.nginx-auth.socket
@@ -1,9 +0,0 @@
-[Unit]
-Description=Tailscale NGINX Authentication socket
-PartOf=tailscale.nginx-auth.service
-
-[Socket]
-ListenStream=/var/run/tailscale.nginx-auth.sock
-
-[Install]
-WantedBy=sockets.target
--- a/cmd/printdep/printdep.go
+++ b/cmd/printdep/printdep.go
@@ -1,51 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The printdep command is a build system tool for printing out information
-// about dependencies.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"log"
-	"runtime"
-	"strings"
-
-	ts "tailscale.com"
-)
-
-var (
-	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
-	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
-	alpine         = flag.Bool("alpine", false, "print the tag of alpine docker image")
-)
-
-func main() {
-	flag.Parse()
-	if *alpine {
-		fmt.Println(strings.TrimSpace(ts.AlpineDockerTag))
-		return
-	}
-	if *goToolchain {
-		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
-	}
-	if *goToolchainURL {
-		var suffix string
-		switch runtime.GOARCH {
-		case "amd64":
-			// None
-		case "arm64":
-			suffix = "-" + runtime.GOARCH
-		default:
-			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
-		}
-		switch runtime.GOOS {
-		case "linux", "darwin":
-		default:
-			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
-		}
-		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
-	}
-}
--- a/cmd/proxy-to-grafana/proxy-to-grafana.go
+++ b/cmd/proxy-to-grafana/proxy-to-grafana.go
@@ -1,159 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// proxy-to-grafana is a reverse proxy which identifies users based on their
-// originating Tailscale identity and maps them to corresponding Grafana
-// users, creating them if needed.
-//
-// It uses Grafana's AuthProxy feature:
-// https://grafana.com/docs/grafana/latest/auth/auth-proxy/
-//
-// Set the TS_AUTHKEY environment variable to have this server automatically
-// join your tailnet, or look for the logged auth link on first start.
-//
-// Use this Grafana configuration to enable the auth proxy:
-//
-//     [auth.proxy]
-//     enabled = true
-//     header_name = X-WEBAUTH-USER
-//     header_property = username
-//     auto_sign_up = true
-//     whitelist = 127.0.0.1
-//     headers = Name:X-WEBAUTH-NAME
-//     enable_login_token = true
-package main
-
-import (
-	"context"
-	"crypto/tls"
-	"flag"
-	"fmt"
-	"log"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"strings"
-	"time"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tsnet"
-)
-
-var (
-	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on, used as the base name for MagicDNS or subdomain in your domain alias for HTTPS.")
-	backendAddr  = flag.String("backend-addr", "", "Address of the Grafana server served over HTTP, in host:port format. Typically localhost:nnnn.")
-	tailscaleDir = flag.String("state-dir", "./", "Alternate directory to use for Tailscale state storage. If empty, a default is used.")
-	useHTTPS     = flag.Bool("use-https", false, "Serve over HTTPS via your *.ts.net subdomain if enabled in Tailscale admin.")
-)
-
-func main() {
-	flag.Parse()
-	if *hostname == "" || strings.Contains(*hostname, ".") {
-		log.Fatal("missing or invalid --hostname")
-	}
-	if *backendAddr == "" {
-		log.Fatal("missing --backend-addr")
-	}
-	ts := &tsnet.Server{
-		Dir:      *tailscaleDir,
-		Hostname: *hostname,
-	}
-
-	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
-	if err := ts.Start(); err != nil {
-		log.Fatalf("Error starting tsnet.Server: %v", err)
-	}
-	localClient, _ := ts.LocalClient()
-
-	url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
-	if err != nil {
-		log.Fatalf("couldn't parse backend address: %v", err)
-	}
-
-	proxy := httputil.NewSingleHostReverseProxy(url)
-	originalDirector := proxy.Director
-	proxy.Director = func(req *http.Request) {
-		originalDirector(req)
-		modifyRequest(req, localClient)
-	}
-
-	var ln net.Listener
-	if *useHTTPS {
-		ln, err = ts.Listen("tcp", ":443")
-		ln = tls.NewListener(ln, &tls.Config{
-			GetCertificate: localClient.GetCertificate,
-		})
-
-		go func() {
-			// wait for tailscale to start before trying to fetch cert names
-			for i := 0; i < 60; i++ {
-				st, err := localClient.Status(context.Background())
-				if err != nil {
-					log.Printf("error retrieving tailscale status; retrying: %v", err)
-				} else {
-					log.Printf("tailscale status: %v", st.BackendState)
-					if st.BackendState == "Running" {
-						break
-					}
-				}
-				time.Sleep(time.Second)
-			}
-
-			l80, err := ts.Listen("tcp", ":80")
-			if err != nil {
-				log.Fatal(err)
-			}
-			name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
-			if !ok {
-				log.Fatalf("can't get hostname for https redirect")
-			}
-			if err := http.Serve(l80, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				http.Redirect(w, r, fmt.Sprintf("https://%s", name), http.StatusMovedPermanently)
-			})); err != nil {
-				log.Fatal(err)
-			}
-		}()
-	} else {
-		ln, err = ts.Listen("tcp", ":80")
-	}
-	if err != nil {
-		log.Fatal(err)
-	}
-	log.Printf("proxy-to-grafana running at %v, proxying to %v", ln.Addr(), *backendAddr)
-	log.Fatal(http.Serve(ln, proxy))
-}
-
-func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
-	// with enable_login_token set to true, we get a cookie that handles
-	// auth for paths that are not /login
-	if req.URL.Path != "/login" {
-		return
-	}
-
-	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
-	if err != nil {
-		log.Printf("error getting Tailscale user: %v", err)
-		return
-	}
-
-	req.Header.Set("X-Webauth-User", user.LoginName)
-	req.Header.Set("X-Webauth-Name", user.DisplayName)
-}
-
-func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
-	whois, err := localClient.WhoIs(ctx, ipPort)
-	if err != nil {
-		return nil, fmt.Errorf("failed to identify remote host: %w", err)
-	}
-	if len(whois.Node.Tags) != 0 {
-		return nil, fmt.Errorf("tagged nodes are not users")
-	}
-	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
-		return nil, fmt.Errorf("failed to identify remote user")
-	}
-
-	return whois.UserProfile, nil
-}
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -1,121 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Program speedtest provides the speedtest command. The reason to keep it separate from
-// the normal tailscale cli is because it is not yet ready to go in the tailscale binary.
-// It will be included in the tailscale cli after it has been added to tailscaled.
-
-// Example usage for client command: go run cmd/speedtest -host 127.0.0.1:20333 -t 5s
-// This will connect to the server on 127.0.0.1:20333 and start a 5 second download speedtest.
-// Example usage for server command: go run cmd/speedtest -s -host :20333
-// This will start a speedtest server on port 20333.
-package main
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"net"
-	"os"
-	"strconv"
-	"text/tabwriter"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/net/speedtest"
-)
-
-// Runs the speedtest command as a commandline program
-func main() {
-	args := os.Args[1:]
-	if err := speedtestCmd.Parse(args); err != nil {
-		fmt.Fprintln(os.Stderr, err.Error())
-		os.Exit(1)
-	}
-
-	err := speedtestCmd.Run(context.Background())
-	if errors.Is(err, flag.ErrHelp) {
-		fmt.Fprintln(os.Stderr, speedtestCmd.ShortUsage)
-		os.Exit(2)
-	}
-	if err != nil {
-		fmt.Fprintln(os.Stderr, err.Error())
-		os.Exit(1)
-	}
-}
-
-// speedtestCmd is the root command. It runs either the server or client depending on the
-// flags passed to it.
-var speedtestCmd = &ffcli.Command{
-	Name:       "speedtest",
-	ShortUsage: "speedtest [-host <host:port>] [-s] [-r] [-t <test duration>]",
-	ShortHelp:  "Run a speed test",
-	FlagSet: (func() *flag.FlagSet {
-		fs := flag.NewFlagSet("speedtest", flag.ExitOnError)
-		fs.StringVar(&speedtestArgs.host, "host", ":20333", "host:port pair to connect to or listen on")
-		fs.DurationVar(&speedtestArgs.testDuration, "t", speedtest.DefaultDuration, "duration of the speed test")
-		fs.BoolVar(&speedtestArgs.runServer, "s", false, "run a speedtest server")
-		fs.BoolVar(&speedtestArgs.reverse, "r", false, "run in reverse mode (server sends, client receives)")
-		return fs
-	})(),
-	Exec: runSpeedtest,
-}
-
-var speedtestArgs struct {
-	host         string
-	testDuration time.Duration
-	runServer    bool
-	reverse      bool
-}
-
-func runSpeedtest(ctx context.Context, args []string) error {
-
-	if _, _, err := net.SplitHostPort(speedtestArgs.host); err != nil {
-		var addrErr *net.AddrError
-		if errors.As(err, &addrErr) && addrErr.Err == "missing port in address" {
-			// if no port is provided, append the default port
-			speedtestArgs.host = net.JoinHostPort(speedtestArgs.host, strconv.Itoa(speedtest.DefaultPort))
-		}
-	}
-
-	if speedtestArgs.runServer {
-		listener, err := net.Listen("tcp", speedtestArgs.host)
-		if err != nil {
-			return err
-		}
-
-		fmt.Printf("listening on %v\n", listener.Addr())
-
-		return speedtest.Serve(listener)
-	}
-
-	// Ensure the duration is within the allowed range
-	if speedtestArgs.testDuration < speedtest.MinDuration || speedtestArgs.testDuration > speedtest.MaxDuration {
-		return fmt.Errorf("test duration must be within %v and %v", speedtest.MinDuration, speedtest.MaxDuration)
-	}
-
-	dir := speedtest.Download
-	if speedtestArgs.reverse {
-		dir = speedtest.Upload
-	}
-
-	fmt.Printf("Starting a %s test with %s\n", dir, speedtestArgs.host)
-	results, err := speedtest.RunClient(dir, speedtestArgs.testDuration, speedtestArgs.host)
-	if err != nil {
-		return err
-	}
-
-	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
-	fmt.Println("Results:")
-	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
-	for _, r := range results {
-		if r.Total {
-			fmt.Fprintln(w, "-------------------------------------------------------------------------")
-		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
-	}
-	w.Flush()
-	return nil
-}
--- a/cmd/tailscale/cli/auth-redirect.html
+++ b/cmd/tailscale/cli/auth-redirect.html
@@ -1,57 +0,0 @@
-<html>
-<head>
-	<title>Redirecting...</title>
-	<style>
-		html,
-		body {
-			height: 100%;
-		}
-
-		html {
-			background-color: rgb(249, 247, 246);
-			font-family: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, "Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
-			line-height: 1.5;
-			-webkit-text-size-adjust: 100%;
-			-webkit-font-smoothing: antialiased;
-			-moz-osx-font-smoothing: grayscale;
-		}
-
-		body {
-			display: flex;
-			flex-direction: column;
-			align-items: center;
-			justify-content: center;
-		}
-
-		.spinner {
-			margin-bottom: 2rem;
-			border: 4px rgba(112, 110, 109, 0.5) solid;
-			border-left-color: transparent;
-			border-radius: 9999px;
-			width: 4rem;
-			height: 4rem;
-			-webkit-animation: spin 700ms linear infinite;
-      animation: spin 800ms linear infinite;
-		}
-
-		.label {
-			color: rgb(112, 110, 109);
-			padding-left: 0.4rem;
-		}
-
-		@-webkit-keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-
-		@keyframes spin {
-			to {
-				transform: rotate(360deg);
-			}
-		}
-	</style>
-</head> <body>
-	<div class="spinner"></div>
-	<div class="label">Redirecting...</div>
-</body>
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -1,36 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var bugReportCmd = &ffcli.Command{
-	Name:       "bugreport",
-	Exec:       runBugReport,
-	ShortHelp:  "Print a shareable identifier to help diagnose issues",
-	ShortUsage: "bugreport [note]",
-}
-
-func runBugReport(ctx context.Context, args []string) error {
-	var note string
-	switch len(args) {
-	case 0:
-	case 1:
-		note = args[0]
-	default:
-		return errors.New("unknown argumets")
-	}
-	logMarker, err := localClient.BugReport(ctx, note)
-	if err != nil {
-		return err
-	}
-	outln(logMarker)
-	return nil
-}
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,151 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/atomicfile"
-	"tailscale.com/ipn"
-	"tailscale.com/version"
-)
-
-var certCmd = &ffcli.Command{
-	Name:       "cert",
-	Exec:       runCert,
-	ShortHelp:  "get TLS certs",
-	ShortUsage: "cert [flags] <domain>",
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("cert")
-		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
-		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
-		return fs
-	})(),
-}
-
-var certArgs struct {
-	certFile string
-	keyFile  string
-	serve    bool
-}
-
-func runCert(ctx context.Context, args []string) error {
-	if certArgs.serve {
-		s := &http.Server{
-			TLSConfig: &tls.Config{
-				GetCertificate: localClient.GetCertificate,
-			},
-			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := localClient.ExpandSNIName(r.Context(), r.Host); ok {
-						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
-						return
-					}
-				}
-				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
-			}),
-		}
-		log.Printf("running TLS server on :443 ...")
-		return s.ListenAndServeTLS("", "")
-	}
-
-	if len(args) != 1 {
-		var hint bytes.Buffer
-		if st, err := localClient.Status(ctx); err == nil {
-			if st.BackendState != ipn.Running.String() {
-				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
-			} else if len(st.CertDomains) == 0 {
-				fmt.Fprintf(&hint, "\nHTTPS cert support is not enabled/configured for your tailnet.\n")
-			} else if len(st.CertDomains) == 1 {
-				fmt.Fprintf(&hint, "\nFor domain, use %q.\n", st.CertDomains[0])
-			} else {
-				fmt.Fprintf(&hint, "\nValid domain options: %q.\n", st.CertDomains)
-			}
-		}
-		return fmt.Errorf("Usage: tailscale cert [flags] <domain>%s", hint.Bytes())
-	}
-	domain := args[0]
-
-	printf := func(format string, a ...any) {
-		printf(format, a...)
-	}
-	if certArgs.certFile == "-" || certArgs.keyFile == "-" {
-		printf = log.Printf
-		log.SetFlags(0)
-	}
-	if certArgs.certFile == "" && certArgs.keyFile == "" {
-		certArgs.certFile = domain + ".crt"
-		certArgs.keyFile = domain + ".key"
-	}
-	certPEM, keyPEM, err := localClient.CertPair(ctx, domain)
-	if err != nil {
-		return err
-	}
-	needMacWarning := version.IsSandboxedMacOS()
-	macWarn := func() {
-		if !needMacWarning {
-			return
-		}
-		needMacWarning = false
-		dir := "io.tailscale.ipn.macos"
-		if version.IsMacSysExt() {
-			dir = "io.tailscale.ipn.macsys"
-		}
-		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s/Data\n", dir)
-	}
-	if certArgs.certFile != "" {
-		certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
-		if err != nil {
-			return err
-		}
-		if certArgs.certFile != "-" {
-			macWarn()
-			if certChanged {
-				printf("Wrote public cert to %v\n", certArgs.certFile)
-			} else {
-				printf("Public cert unchanged at %v\n", certArgs.certFile)
-			}
-		}
-	}
-	if certArgs.keyFile != "" {
-		keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
-		if err != nil {
-			return err
-		}
-		if certArgs.keyFile != "-" {
-			macWarn()
-			if keyChanged {
-				printf("Wrote private key to %v\n", certArgs.keyFile)
-			} else {
-				printf("Private key unchanged at %v\n", certArgs.keyFile)
-			}
-		}
-	}
-	return nil
-}
-
-func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed bool, err error) {
-	if filename == "-" {
-		Stdout.Write(contents)
-		return false, nil
-	}
-	if old, err := os.ReadFile(filename); err == nil && bytes.Equal(contents, old) {
-		return false, nil
-	}
-	if err := atomicfile.WriteFile(filename, contents, mode); err != nil {
-		return false, err
-	}
-	return true, nil
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -8,238 +8,90 @@ package cli

 import (
 	"context"
-	"errors"
 	"flag"
-	"fmt"
-	"io"
 	"log"
 	"net"
 	"os"
 	"os/signal"
 	"runtime"
-	"strconv"
 	"strings"
-	"sync"
 	"syscall"
-	"text/tabwriter"

-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/syncs"
-	"tailscale.com/version/distro"
 )

-var Stderr io.Writer = os.Stderr
-var Stdout io.Writer = os.Stdout
-
-func printf(format string, a ...any) {
-	fmt.Fprintf(Stdout, format, a...)
-}
-
-// outln is like fmt.Println in the common case, except when Stdout is
-// changed (as in js/wasm).
-//
-// It's not named println because that looks like the Go built-in
-// which goes to stderr and formats slightly differently.
-func outln(a ...any) {
-	fmt.Fprintln(Stdout, a...)
-}
-
 // ActLikeCLI reports whether a GUI application should act like the
 // CLI based on os.Args, GOOS, the context the process is running in
 // (pty, parent PID), etc.
 func ActLikeCLI() bool {
-	// This function is only used on macOS.
-	if runtime.GOOS != "darwin" {
+	if len(os.Args) < 2 {
 		return false
 	}
-
-	// Escape hatch to let people force running the macOS
-	// GUI Tailscale binary as the CLI.
-	if v, _ := strconv.ParseBool(os.Getenv("TAILSCALE_BE_CLI")); v {
+	switch os.Args[1] {
+	case "up", "status", "netcheck", "version",
+		"-V", "--version", "-h", "--help":
 		return true
 	}
-
-	// If our parent is launchd, we're definitely not
-	// being run as a CLI.
-	if os.Getppid() == 1 {
-		return false
-	}
-
-	// Xcode adds the -NSDocumentRevisionsDebugMode flag on execution.
-	// If present, we are almost certainly being run as a GUI.
-	for _, arg := range os.Args {
-		if arg == "-NSDocumentRevisionsDebugMode" {
-			return false
-		}
-	}
-
-	// Looking at the environment of the GUI Tailscale app (ps eww
-	// $PID), empirically none of these environment variables are
-	// present. But all or some of these should be present with
-	// Terminal.all and bash or zsh.
-	for _, e := range []string{
-		"SHLVL",
-		"TERM",
-		"TERM_PROGRAM",
-		"PS1",
-	} {
-		if os.Getenv(e) != "" {
-			return true
-		}
-	}
 	return false
 }

-func newFlagSet(name string) *flag.FlagSet {
-	onError := flag.ExitOnError
-	if runtime.GOOS == "js" {
-		onError = flag.ContinueOnError
-	}
-	fs := flag.NewFlagSet(name, onError)
-	fs.SetOutput(Stderr)
-	return fs
-}
-
-// CleanUpArgs rewrites command line arguments for simplicity and backwards compatibility.
-// In particular, it rewrites --authkey to --auth-key.
-func CleanUpArgs(args []string) []string {
-	out := make([]string, 0, len(args))
-	for _, arg := range args {
-		// Rewrite --authkey to --auth-key, and --authkey=x to --auth-key=x,
-		// and the same for the -authkey variant.
-		switch {
-		case arg == "--authkey", arg == "-authkey":
-			arg = "--auth-key"
-		case strings.HasPrefix(arg, "--authkey="), strings.HasPrefix(arg, "-authkey="):
-			arg = strings.TrimLeft(arg, "-")
-			arg = strings.TrimPrefix(arg, "authkey=")
-			arg = "--auth-key=" + arg
-		}
-		out = append(out, arg)
-	}
-	return out
-}
-
-var localClient tailscale.LocalClient
-
 // Run runs the CLI. The args do not include the binary name.
-func Run(args []string) (err error) {
-	args = CleanUpArgs(args)
-
+func Run(args []string) error {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
 		args = []string{"version"}
 	}

-	var warnOnce sync.Once
-	tailscale.SetVersionMismatchHandler(func(clientVer, serverVer string) {
-		warnOnce.Do(func() {
-			fmt.Fprintf(Stderr, "Warning: client version %q != tailscaled server version %q\n", clientVer, serverVer)
-		})
-	})
-
-	rootfs := newFlagSet("tailscale")
+	rootfs := flag.NewFlagSet("tailscale", flag.ExitOnError)
 	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled's unix socket")

 	rootCmd := &ffcli.Command{
 		Name:       "tailscale",
-		ShortUsage: "tailscale [flags] <subcommand> [command flags]",
+		ShortUsage: "tailscale subcommand [flags]",
 		ShortHelp:  "The easiest, most secure way to use WireGuard.",
 		LongHelp: strings.TrimSpace(`
-For help on subcommands, add --help after: "tailscale status --help".
-
 This CLI is still under active development. Commands and flags will
 change in the future.
 `),
 		Subcommands: []*ffcli.Command{
 			upCmd,
-			downCmd,
-			logoutCmd,
 			netcheckCmd,
-			ipCmd,
 			statusCmd,
-			pingCmd,
-			ncCmd,
-			sshCmd,
 			versionCmd,
-			webCmd,
-			fileCmd,
-			bugReportCmd,
-			certCmd,
 		},
-		FlagSet:   rootfs,
-		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
-		UsageFunc: usageFunc,
-	}
-	for _, c := range rootCmd.Subcommands {
-		c.UsageFunc = usageFunc
-	}
-	if envknob.UseWIPCode() {
-		rootCmd.Subcommands = append(rootCmd.Subcommands, idTokenCmd)
-	}
-
-	// Don't advertise the debug command, but it exists.
-	if strSliceContains(args, "debug") {
-		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
-	}
-	if runtime.GOOS == "linux" && distro.Get() == distro.Synology {
-		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
+		FlagSet: rootfs,
+		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
 	}

 	if err := rootCmd.Parse(args); err != nil {
-		if errors.Is(err, flag.ErrHelp) {
-			return nil
-		}
 		return err
 	}

-	localClient.Socket = rootArgs.socket
-	rootfs.Visit(func(f *flag.Flag) {
-		if f.Name == "socket" {
-			localClient.UseSocketOnly = true
-		}
-	})
-
-	err = rootCmd.Run(context.Background())
-	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
-		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
-	}
-	if errors.Is(err, flag.ErrHelp) {
+	err := rootCmd.Run(context.Background())
+	if err == flag.ErrHelp {
 		return nil
 	}
 	return err
 }

-func fatalf(format string, a ...any) {
-	if Fatalf != nil {
-		Fatalf(format, a...)
-		return
-	}
+func fatalf(format string, a ...interface{}) {
 	log.SetFlags(0)
 	log.Fatalf(format, a...)
 }

-// Fatalf, if non-nil, is used instead of log.Fatalf.
-var Fatalf func(format string, a ...any)
-
 var rootArgs struct {
 	socket string
 }

-var gotSignal syncs.AtomicBool
-
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
-	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
-	c, err := safesocket.Connect(s)
+	c, err := safesocket.Connect(rootArgs.socket, 41112)
 	if err != nil {
 		if runtime.GOOS != "windows" && rootArgs.socket == "" {
 			fatalf("--socket cannot be empty")
 		}
-		fatalf("Failed to connect to tailscaled. (safesocket.Connect: %v)\n", err)
+		fatalf("Failed to connect to connect to tailscaled. (safesocket.Connect: %v)\n", err)
 	}
 	clientToServer := func(b []byte) {
 		ipn.WriteMsg(c, b)
@@ -250,14 +102,7 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 	go func() {
 		interrupt := make(chan os.Signal, 1)
 		signal.Notify(interrupt, syscall.SIGINT, syscall.SIGTERM)
-		select {
-		case <-interrupt:
-		case <-ctx.Done():
-			// Context canceled elsewhere.
-			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
-			return
-		}
-		gotSignal.Set(true)
+		<-interrupt
 		c.Close()
 		cancel()
 	}()
@@ -267,98 +112,17 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 }

 // pump receives backend messages on conn and pushes them into bc.
-func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) error {
+func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
 	defer conn.Close()
 	for ctx.Err() == nil {
 		msg, err := ipn.ReadMsg(conn)
 		if err != nil {
 			if ctx.Err() != nil {
-				return ctx.Err()
+				return
 			}
-			if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
-				return fmt.Errorf("%w (tailscaled stopped running?)", err)
-			}
-			return err
+			log.Printf("ReadMsg: %v\n", err)
+			break
 		}
 		bc.GotNotifyMsg(msg)
 	}
-	return ctx.Err()
-}
-
-func strSliceContains(ss []string, s string) bool {
-	for _, v := range ss {
-		if v == s {
-			return true
-		}
-	}
-	return false
-}
-
-func usageFunc(c *ffcli.Command) string {
-	var b strings.Builder
-
-	fmt.Fprintf(&b, "USAGE\n")
-	if c.ShortUsage != "" {
-		fmt.Fprintf(&b, "  %s\n", c.ShortUsage)
-	} else {
-		fmt.Fprintf(&b, "  %s\n", c.Name)
-	}
-	fmt.Fprintf(&b, "\n")
-
-	if c.LongHelp != "" {
-		fmt.Fprintf(&b, "%s\n\n", c.LongHelp)
-	}
-
-	if len(c.Subcommands) > 0 {
-		fmt.Fprintf(&b, "SUBCOMMANDS\n")
-		tw := tabwriter.NewWriter(&b, 0, 2, 2, ' ', 0)
-		for _, subcommand := range c.Subcommands {
-			fmt.Fprintf(tw, "  %s\t%s\n", subcommand.Name, subcommand.ShortHelp)
-		}
-		tw.Flush()
-		fmt.Fprintf(&b, "\n")
-	}
-
-	if countFlags(c.FlagSet) > 0 {
-		fmt.Fprintf(&b, "FLAGS\n")
-		tw := tabwriter.NewWriter(&b, 0, 2, 2, ' ', 0)
-		c.FlagSet.VisitAll(func(f *flag.Flag) {
-			var s string
-			name, usage := flag.UnquoteUsage(f)
-			if isBoolFlag(f) {
-				s = fmt.Sprintf("  --%s, --%s=false", f.Name, f.Name)
-			} else {
-				s = fmt.Sprintf("  --%s", f.Name) // Two spaces before --; see next two comments.
-				if len(name) > 0 {
-					s += " " + name
-				}
-			}
-			// Four spaces before the tab triggers good alignment
-			// for both 4- and 8-space tab stops.
-			s += "\n    \t"
-			s += strings.ReplaceAll(usage, "\n", "\n    \t")
-
-			if f.DefValue != "" {
-				s += fmt.Sprintf(" (default %s)", f.DefValue)
-			}
-
-			fmt.Fprintln(&b, s)
-		})
-		tw.Flush()
-		fmt.Fprintf(&b, "\n")
-	}
-
-	return strings.TrimSpace(b.String())
-}
-
-func isBoolFlag(f *flag.Flag) bool {
-	bf, ok := f.Value.(interface {
-		IsBoolFlag() bool
-	})
-	return ok && bf.IsBoolFlag()
-}
-
-func countFlags(fs *flag.FlagSet) (n int) {
-	fs.VisitAll(func(*flag.Flag) { n++ })
-	return n
 }
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -1,987 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"reflect"
-	"strings"
-	"testing"
-
-	qt "github.com/frankban/quicktest"
-	"github.com/google/go-cmp/cmp"
-	"inet.af/netaddr"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tstest"
-	"tailscale.com/types/persist"
-	"tailscale.com/types/preftype"
-	"tailscale.com/version/distro"
-)
-
-// geese is a collection of gooses. It need not be complete.
-// But it should include anything handled specially (e.g. linux, windows)
-// and at least one thing that's not (darwin, freebsd).
-var geese = []string{"linux", "darwin", "windows", "freebsd"}
-
-// Test that checkForAccidentalSettingReverts's updateMaskedPrefsFromUpFlag can handle
-// all flags. This will panic if a new flag creeps in that's unhandled.
-//
-// Also, issue 1880: advertise-exit-node was being ignored. Verify that all flags cause an edit.
-func TestUpdateMaskedPrefsFromUpFlag(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			mp := new(ipn.MaskedPrefs)
-			updateMaskedPrefsFromUpFlag(mp, f.Name)
-			got := mp.Pretty()
-			wantEmpty := preflessFlag(f.Name)
-			isEmpty := got == "MaskedPrefs{}"
-			if isEmpty != wantEmpty {
-				t.Errorf("flag %q created MaskedPrefs %s; want empty=%v", f.Name, got, wantEmpty)
-			}
-		})
-	}
-}
-
-func TestCheckForAccidentalSettingReverts(t *testing.T) {
-	tests := []struct {
-		name     string
-		flags    []string // argv to be parsed by FlagSet
-		curPrefs *ipn.Prefs
-
-		curExitNodeIP netaddr.IP
-		curUser       string // os.Getenv("USER") on the client side
-		goos          string // empty means "linux"
-		distro        distro.Distro
-
-		want string
-	}{
-		{
-			name:  "bare_up_means_up",
-			flags: []string{},
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-			},
-			want: "",
-		},
-		{
-			name:  "losing_hostname",
-			flags: []string{"--accept-dns"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				Hostname:         "foo",
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-			},
-			want: accidentalUpPrefix + " --accept-dns --hostname=foo",
-		},
-		{
-			name:  "hostname_changing_explicitly",
-			flags: []string{"--hostname=bar"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
-			},
-			want: "",
-		},
-		{
-			name:  "hostname_changing_empty_explicitly",
-			flags: []string{"--hostname="},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-				Hostname:         "foo",
-			},
-			want: "",
-		},
-		{
-			// Issue 1725: "tailscale up --authkey=..." (or other non-empty flags) works from
-			// a fresh server's initial prefs.
-			name:     "up_with_default_prefs",
-			flags:    []string{"--authkey=foosdlkfjskdljf"},
-			curPrefs: ipn.NewPrefs(),
-			want:     "",
-		},
-		{
-			name:  "implicit_operator_change",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				OperatorUser:     "alice",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=foo --operator=alice",
-		},
-		{
-			name:  "implicit_operator_matches_shell_user",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				OperatorUser:     "alice",
-			},
-			curUser: "alice",
-			want:    "",
-		},
-		{
-			name:  "error_advertised_routes_exit_node_removed",
-			flags: []string{"--advertise-routes=10.0.42.0/24"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
-		},
-		{
-			name:  "advertised_routes_exit_node_removed_explicit",
-			flags: []string{"--advertise-routes=10.0.42.0/24", "--advertise-exit-node=false"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-			},
-			want: "",
-		},
-		{
-			name:  "advertised_routes_includes_the_0_routes", // but no --advertise-exit-node
-			flags: []string{"--advertise-routes=11.1.43.0/24,0.0.0.0/0,::/0"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-			},
-			want: "",
-		},
-		{
-			name:  "advertise_exit_node", // Issue 1859
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			want: "",
-		},
-		{
-			name:  "advertise_exit_node_over_existing_routes",
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
-		},
-		{
-			name:  "advertise_exit_node_over_existing_routes_and_exit_node",
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
-		},
-		{
-			name:  "exit_node_clearing", // Issue 1777
-			flags: []string{"--exit-node="},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeID: "fooID",
-			},
-			want: "",
-		},
-		{
-			name:  "remove_all_implicit",
-			flags: []string{"--force-reauth"},
-			curPrefs: &ipn.Prefs{
-				WantRunning:      true,
-				ControlURL:       ipn.DefaultControlURL,
-				RouteAll:         true,
-				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --force-reauth --accept-dns=false --accept-routes --advertise-exit-node --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --hostname=myhostname --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "remove_all_implicit_except_hostname",
-			flags: []string{"--hostname=newhostname"},
-			curPrefs: &ipn.Prefs{
-				WantRunning:      true,
-				ControlURL:       ipn.DefaultControlURL,
-				RouteAll:         true,
-				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
-				CorpDNS:          false,
-				ShieldsUp:        true,
-				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
-				Hostname:         "myhostname",
-				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-				},
-				NetfilterMode: preftype.NetfilterNoDivert,
-				OperatorUser:  "alice",
-			},
-			curUser: "eve",
-			want:    accidentalUpPrefix + " --hostname=newhostname --accept-dns=false --accept-routes --advertise-routes=10.0.0.0/16 --advertise-tags=tag:foo,tag:bar --exit-node=100.64.5.6 --host-routes=false --netfilter-mode=nodivert --operator=alice --shields-up",
-		},
-		{
-			name:  "loggedout_is_implicit",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				LoggedOut:        true,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			want: "", // not an error. LoggedOut is implicit.
-		},
-		{
-			// Test that a pre-1.8 version of Tailscale with bogus NoSNAT pref
-			// values is able to enable exit nodes without warnings.
-			name:  "make_windows_exit_node",
-			flags: []string{"--advertise-exit-node"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				RouteAll:         true,
-
-				// And assume this no-op accidental pre-1.8 value:
-				NoSNAT: true,
-			},
-			goos: "windows",
-			want: "", // not an error
-		},
-		{
-			name:  "ignore_netfilter_change_non_linux",
-			flags: []string{"--accept-dns"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-
-				NetfilterMode: preftype.NetfilterNoDivert, // we never had this bug, but pretend it got set non-zero on Windows somehow
-			},
-			goos: "openbsd",
-			want: "", // not an error
-		},
-		{
-			name:  "operator_losing_routes_step1", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
-		},
-		{
-			name:  "operator_losing_routes_step2", // https://twitter.com/EXPbits/status/1390418145047887877
-			flags: []string{"--operator=expbits", "--advertise-routes=1.2.0.0/16"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
-				},
-			},
-			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
-		},
-		{
-			name:  "errors_preserve_explicit_flags",
-			flags: []string{"--reset", "--force-reauth=false", "--authkey=secretrand"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      false,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-				AllowSingleHosts: true,
-
-				Hostname: "foo",
-			},
-			want: accidentalUpPrefix + " --auth-key=secretrand --force-reauth=false --reset --hostname=foo",
-		},
-		{
-			name:  "error_exit_node_omit_with_ip_pref",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
-		},
-		{
-			name:          "error_exit_node_omit_with_id_pref",
-			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeID: "some_stable_id",
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
-		},
-		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
-			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.2.3.4"),
-			curPrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-
-				ExitNodeAllowLANAccess: true,
-				ExitNodeID:             "some_stable_id",
-			},
-			want: accidentalUpPrefix + " --hostname=foo --exit-node-allow-lan-access --exit-node=100.2.3.4",
-		},
-		{
-			name:  "ignore_login_server_synonym",
-			flags: []string{"--login-server=https://controlplane.tailscale.com"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			want: "", // not an error
-		},
-		{
-			name:  "ignore_login_server_synonym_on_other_change",
-			flags: []string{"--netfilter-mode=off"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				AllowSingleHosts: true,
-				CorpDNS:          false,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			want: accidentalUpPrefix + " --netfilter-mode=off --accept-dns=false",
-		},
-		{
-			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// migth've had old an install, and we don't support --accept-routes anyway.
-			name:  "synology_permit_omit_accept_routes",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				RouteAll:         true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			goos:   "linux",
-			distro: distro.Synology,
-			want:   "",
-		},
-		{
-			// Same test case as "synology_permit_omit_accept_routes" above, but
-			// on non-Synology distro.
-			name:  "not_synology_dont_permit_omit_accept_routes",
-			flags: []string{"--hostname=foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				RouteAll:         true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			goos:   "linux",
-			distro: "", // not Synology
-			want:   accidentalUpPrefix + " --hostname=foo --accept-routes",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			goos := "linux"
-			if tt.goos != "" {
-				goos = tt.goos
-			}
-			var upArgs upArgsT
-			flagSet := newUpFlagSet(goos, &upArgs)
-			flags := CleanUpArgs(tt.flags)
-			flagSet.Parse(flags)
-			newPrefs, err := prefsFromUpArgs(upArgs, t.Logf, new(ipnstate.Status), goos)
-			if err != nil {
-				t.Fatal(err)
-			}
-			upEnv := upCheckEnv{
-				goos:          goos,
-				flagSet:       flagSet,
-				curExitNodeIP: tt.curExitNodeIP,
-				distro:        tt.distro,
-				user:          tt.curUser,
-			}
-			applyImplicitPrefs(newPrefs, tt.curPrefs, upEnv)
-			var got string
-			if err := checkForAccidentalSettingReverts(newPrefs, tt.curPrefs, upEnv); err != nil {
-				got = err.Error()
-			}
-			if strings.TrimSpace(got) != tt.want {
-				t.Errorf("unexpected result\n got: %s\nwant: %s\n", got, tt.want)
-			}
-		})
-	}
-}
-
-func upArgsFromOSArgs(goos string, flagArgs ...string) (args upArgsT) {
-	fs := newUpFlagSet(goos, &args)
-	fs.Parse(flagArgs) // populates args
-	return
-}
-
-func TestPrefsFromUpArgs(t *testing.T) {
-	tests := []struct {
-		name     string
-		args     upArgsT
-		goos     string           // runtime.GOOS; empty means linux
-		st       *ipnstate.Status // or nil
-		want     *ipn.Prefs
-		wantErr  string
-		wantWarn string
-	}{
-		{
-			name: "default_linux",
-			goos: "linux",
-			args: upArgsFromOSArgs("linux"),
-			want: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      true,
-				NoSNAT:           false,
-				NetfilterMode:    preftype.NetfilterOn,
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-			},
-		},
-		{
-			name: "default_windows",
-			goos: "windows",
-			args: upArgsFromOSArgs("windows"),
-			want: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      true,
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				RouteAll:         true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-		},
-		{
-			name: "advertise_default_route",
-			args: upArgsFromOSArgs("linux", "--advertise-exit-node"),
-			want: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
-				WantRunning:      true,
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-				},
-				NetfilterMode: preftype.NetfilterOn,
-			},
-		},
-		{
-			name: "error_advertise_route_invalid_ip",
-			args: upArgsT{
-				advertiseRoutes: "foo",
-			},
-			wantErr: `"foo" is not a valid IP address or CIDR prefix`,
-		},
-		{
-			name: "error_advertise_route_unmasked_bits",
-			args: upArgsT{
-				advertiseRoutes: "1.2.3.4/16",
-			},
-			wantErr: `1.2.3.4/16 has non-address bits set; expected 1.2.0.0/16`,
-		},
-		{
-			name: "error_exit_node_bad_ip",
-			args: upArgsT{
-				exitNodeIP: "foo",
-			},
-			wantErr: `invalid value "foo" for --exit-node; must be IP or unique node name`,
-		},
-		{
-			name: "error_exit_node_allow_lan_without_exit_node",
-			args: upArgsT{
-				exitNodeAllowLANAccess: true,
-			},
-			wantErr: `--exit-node-allow-lan-access can only be used with --exit-node`,
-		},
-		{
-			name: "error_tag_prefix",
-			args: upArgsT{
-				advertiseTags: "foo",
-			},
-			wantErr: `tag: "foo": tags must start with 'tag:'`,
-		},
-		{
-			name: "error_long_hostname",
-			args: upArgsT{
-				hostname: strings.Repeat("a", 300),
-			},
-			wantErr: `hostname too long: 300 bytes (max 256)`,
-		},
-		{
-			name: "error_linux_netfilter_empty",
-			args: upArgsT{
-				netfilterMode: "",
-			},
-			wantErr: `invalid value --netfilter-mode=""`,
-		},
-		{
-			name: "error_linux_netfilter_bogus",
-			args: upArgsT{
-				netfilterMode: "bogus",
-			},
-			wantErr: `invalid value --netfilter-mode="bogus"`,
-		},
-		{
-			name: "error_exit_node_ip_is_self_ip",
-			args: upArgsT{
-				exitNodeIP: "100.105.106.107",
-			},
-			st: &ipnstate.Status{
-				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
-			},
-			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
-		},
-		{
-			name: "warn_linux_netfilter_nodivert",
-			goos: "linux",
-			args: upArgsT{
-				netfilterMode: "nodivert",
-			},
-			wantWarn: "netfilter=nodivert; add iptables calls to ts-* chains manually.",
-			want: &ipn.Prefs{
-				WantRunning:   true,
-				NetfilterMode: preftype.NetfilterNoDivert,
-				NoSNAT:        true,
-			},
-		},
-		{
-			name: "warn_linux_netfilter_off",
-			goos: "linux",
-			args: upArgsT{
-				netfilterMode: "off",
-			},
-			wantWarn: "netfilter=off; configure iptables yourself.",
-			want: &ipn.Prefs{
-				WantRunning:   true,
-				NetfilterMode: preftype.NetfilterOff,
-				NoSNAT:        true,
-			},
-		},
-		{
-			name: "via_route_good",
-			goos: "linux",
-			args: upArgsT{
-				advertiseRoutes: "fd7a:115c:a1e0:b1a::bb:10.0.0.0/112",
-				netfilterMode:   "off",
-			},
-			want: &ipn.Prefs{
-				WantRunning: true,
-				NoSNAT:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
-				},
-			},
-		},
-		{
-			name: "via_route_short_prefix",
-			goos: "linux",
-			args: upArgsT{
-				advertiseRoutes: "fd7a:115c:a1e0:b1a::/64",
-				netfilterMode:   "off",
-			},
-			wantErr: "fd7a:115c:a1e0:b1a::/64 4-in-6 prefix must be at least a /96",
-		},
-		{
-			name: "via_route_short_reserved_siteid",
-			goos: "linux",
-			args: upArgsT{
-				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
-				netfilterMode:   "off",
-			},
-			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var warnBuf tstest.MemLogger
-			goos := tt.goos
-			if goos == "" {
-				goos = "linux"
-			}
-			st := tt.st
-			if st == nil {
-				st = new(ipnstate.Status)
-			}
-			got, err := prefsFromUpArgs(tt.args, warnBuf.Logf, st, goos)
-			gotErr := fmt.Sprint(err)
-			if tt.wantErr != "" {
-				if tt.wantErr != gotErr {
-					t.Errorf("wrong error.\n got error: %v\nwant error: %v\n", gotErr, tt.wantErr)
-				}
-				return
-			}
-			if err != nil {
-				t.Fatal(err)
-			}
-			if tt.want == nil {
-				t.Fatal("tt.want is nil")
-			}
-			if !got.Equals(tt.want) {
-				jgot, _ := json.MarshalIndent(got, "", "\t")
-				jwant, _ := json.MarshalIndent(tt.want, "", "\t")
-				if bytes.Equal(jgot, jwant) {
-					t.Logf("prefs differ only in non-JSON-visible ways (nil/non-nil zero-length arrays)")
-				}
-				t.Errorf("wrong prefs\n got: %s\nwant: %s\n\ngot: %s\nwant: %s\n",
-					got.Pretty(), tt.want.Pretty(),
-					jgot, jwant,
-				)
-
-			}
-		})
-	}
-
-}
-
-func TestPrefFlagMapping(t *testing.T) {
-	prefHasFlag := map[string]bool{}
-	for _, pv := range prefsOfFlag {
-		for _, pref := range pv {
-			prefHasFlag[pref] = true
-		}
-	}
-
-	prefType := reflect.TypeOf(ipn.Prefs{})
-	for i := 0; i < prefType.NumField(); i++ {
-		prefName := prefType.Field(i).Name
-		if prefHasFlag[prefName] {
-			continue
-		}
-		switch prefName {
-		case "WantRunning", "Persist", "LoggedOut":
-			// All explicitly handled (ignored) by checkForAccidentalSettingReverts.
-			continue
-		case "OSVersion", "DeviceModel":
-			// Only used by Android, which doesn't have a CLI mode anyway, so
-			// fine to not map.
-			continue
-		case "NotepadURLs":
-			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
-			continue
-		}
-		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
-	}
-}
-
-func TestFlagAppliesToOS(t *testing.T) {
-	for _, goos := range geese {
-		var upArgs upArgsT
-		fs := newUpFlagSet(goos, &upArgs)
-		fs.VisitAll(func(f *flag.Flag) {
-			if !flagAppliesToOS(f.Name, goos) {
-				t.Errorf("flagAppliesToOS(%q, %q) = false but found in %s set", f.Name, goos, goos)
-			}
-		})
-	}
-}
-
-func TestUpdatePrefs(t *testing.T) {
-	tests := []struct {
-		name     string
-		flags    []string // argv to be parsed into env.flagSet and env.upArgs
-		curPrefs *ipn.Prefs
-		env      upCheckEnv // empty goos means "linux"
-
-		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
-		// updatePrefs might've mutated them (from applyImplicitPrefs).
-		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
-
-		wantSimpleUp   bool
-		wantJustEditMP *ipn.MaskedPrefs
-		wantErrSubtr   string
-	}{
-		{
-			name:  "bare_up_means_up",
-			flags: []string{},
-			curPrefs: &ipn.Prefs{
-				ControlURL:  ipn.DefaultControlURL,
-				WantRunning: false,
-				Hostname:    "foo",
-			},
-		},
-		{
-			name:  "just_up",
-			flags: []string{},
-			curPrefs: &ipn.Prefs{
-				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
-			},
-			env: upCheckEnv{
-				backendState: "Stopped",
-			},
-			wantSimpleUp: true,
-		},
-		{
-			name:  "just_edit",
-			flags: []string{},
-			curPrefs: &ipn.Prefs{
-				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
-			},
-			env:            upCheckEnv{backendState: "Running"},
-			wantSimpleUp:   true,
-			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
-		},
-		{
-			name:  "just_edit_reset",
-			flags: []string{"--reset"},
-			curPrefs: &ipn.Prefs{
-				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
-			},
-			env: upCheckEnv{backendState: "Running"},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				AdvertiseRoutesSet:        true,
-				AdvertiseTagsSet:          true,
-				AllowSingleHostsSet:       true,
-				ControlURLSet:             true,
-				CorpDNSSet:                true,
-				ExitNodeAllowLANAccessSet: true,
-				ExitNodeIDSet:             true,
-				ExitNodeIPSet:             true,
-				HostnameSet:               true,
-				NetfilterModeSet:          true,
-				NoSNATSet:                 true,
-				OperatorUserSet:           true,
-				RouteAllSet:               true,
-				RunSSHSet:                 true,
-				ShieldsUpSet:              true,
-				WantRunningSet:            true,
-			},
-		},
-		{
-			name:  "control_synonym",
-			flags: []string{},
-			curPrefs: &ipn.Prefs{
-				ControlURL: "https://login.tailscale.com",
-				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
-			},
-			env:            upCheckEnv{backendState: "Running"},
-			wantSimpleUp:   true,
-			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
-		},
-		{
-			name:  "change_login_server",
-			flags: []string{"--login-server=https://localhost:1000"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			env:            upCheckEnv{backendState: "Running"},
-			wantSimpleUp:   true,
-			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
-			wantErrSubtr:   "can't change --login-server without --force-reauth",
-		},
-		{
-			name:  "change_tags",
-			flags: []string{"--advertise-tags=tag:foo"},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
-				AllowSingleHosts: true,
-				CorpDNS:          true,
-				NetfilterMode:    preftype.NetfilterOn,
-			},
-			env: upCheckEnv{backendState: "Running"},
-		},
-		{
-			// Issue 3808: explicitly empty --operator= should clear value.
-			name:  "explicit_empty_operator",
-			flags: []string{"--operator="},
-			curPrefs: &ipn.Prefs{
-				ControlURL:       "https://login.tailscale.com",
-				CorpDNS:          true,
-				AllowSingleHosts: true,
-				NetfilterMode:    preftype.NetfilterOn,
-				OperatorUser:     "somebody",
-			},
-			env: upCheckEnv{user: "somebody", backendState: "Running"},
-			wantJustEditMP: &ipn.MaskedPrefs{
-				OperatorUserSet: true,
-				WantRunningSet:  true,
-			},
-			checkUpdatePrefsMutations: func(t *testing.T, prefs *ipn.Prefs) {
-				if prefs.OperatorUser != "" {
-					t.Errorf("operator sent to backend should be empty; got %q", prefs.OperatorUser)
-				}
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if tt.env.goos == "" {
-				tt.env.goos = "linux"
-			}
-			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
-			flags := CleanUpArgs(tt.flags)
-			tt.env.flagSet.Parse(flags)
-
-			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
-			if err != nil {
-				t.Fatal(err)
-			}
-			simpleUp, justEditMP, err := updatePrefs(newPrefs, tt.curPrefs, tt.env)
-			if err != nil {
-				if tt.wantErrSubtr != "" {
-					if !strings.Contains(err.Error(), tt.wantErrSubtr) {
-						t.Fatalf("want error %q, got: %v", tt.wantErrSubtr, err)
-					}
-					return
-				}
-				t.Fatal(err)
-			}
-			if tt.checkUpdatePrefsMutations != nil {
-				tt.checkUpdatePrefsMutations(t, newPrefs)
-			}
-			if simpleUp != tt.wantSimpleUp {
-				t.Fatalf("simpleUp=%v, want %v", simpleUp, tt.wantSimpleUp)
-			}
-			var oldEditPrefs ipn.Prefs
-			if justEditMP != nil {
-				oldEditPrefs = justEditMP.Prefs
-				justEditMP.Prefs = ipn.Prefs{} // uninteresting
-			}
-			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
-				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
-			}
-		})
-	}
-}
-
-var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
-	return a == b
-})
-
-func TestCleanUpArgs(t *testing.T) {
-	c := qt.New(t)
-	tests := []struct {
-		in   []string
-		want []string
-	}{
-		{in: []string{"something"}, want: []string{"something"}},
-		{in: []string{}, want: []string{}},
-		{in: []string{"--authkey=0"}, want: []string{"--auth-key=0"}},
-		{in: []string{"a", "--authkey=1", "b"}, want: []string{"a", "--auth-key=1", "b"}},
-		{in: []string{"a", "--auth-key=2", "b"}, want: []string{"a", "--auth-key=2", "b"}},
-		{in: []string{"a", "-authkey=3", "b"}, want: []string{"a", "--auth-key=3", "b"}},
-		{in: []string{"a", "-auth-key=4", "b"}, want: []string{"a", "-auth-key=4", "b"}},
-		{in: []string{"a", "--authkey", "5", "b"}, want: []string{"a", "--auth-key", "5", "b"}},
-		{in: []string{"a", "-authkey", "6", "b"}, want: []string{"a", "--auth-key", "6", "b"}},
-		{in: []string{"a", "authkey", "7", "b"}, want: []string{"a", "authkey", "7", "b"}},
-		{in: []string{"--authkeyexpiry", "8"}, want: []string{"--authkeyexpiry", "8"}},
-		{in: []string{"--auth-key-expiry", "9"}, want: []string{"--auth-key-expiry", "9"}},
-	}
-
-	for _, tt := range tests {
-		got := CleanUpArgs(tt.in)
-		c.Assert(got, qt.DeepEquals, tt.want)
-	}
-}
--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -1,85 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"os/exec"
-	"runtime"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/hostinfo"
-	"tailscale.com/version/distro"
-)
-
-var configureHostCmd = &ffcli.Command{
-	Name:      "configure-host",
-	Exec:      runConfigureHost,
-	ShortHelp: "Configure Synology to enable more Tailscale features",
-	LongHelp: strings.TrimSpace(`
-The 'configure-host' command is intended to run at boot as root
-to create the /dev/net/tun device and give the tailscaled binary
-permission to use it.
-
-See: https://tailscale.com/kb/1152/synology-outbound/
-`),
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("configure-host")
-		return fs
-	})(),
-}
-
-var configureHostArgs struct{}
-
-func runConfigureHost(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("unknown arguments")
-	}
-	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
-		return errors.New("only implemented on Synology")
-	}
-	if uid := os.Getuid(); uid != 0 {
-		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
-	}
-	osVer := hostinfo.GetOSVersion()
-	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
-	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
-	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", osVer)
-	}
-	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
-		if err := os.MkdirAll("/dev/net", 0755); err != nil {
-			return fmt.Errorf("creating /dev/net: %v", err)
-		}
-		if out, err := exec.Command("/bin/mknod", "/dev/net/tun", "c", "10", "200").CombinedOutput(); err != nil {
-			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
-		}
-	}
-	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
-		return err
-	}
-	if isDSM6 {
-		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
-		return nil
-	}
-
-	const daemonBin = "/var/packages/Tailscale/target/bin/tailscaled"
-	if _, err := os.Stat(daemonBin); err != nil {
-		if os.IsNotExist(err) {
-			return fmt.Errorf("tailscaled binary not found at %s. Is the Tailscale *.spk package installed?", daemonBin)
-		}
-		return err
-	}
-	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
-		return fmt.Errorf("setcap: %v, %s", err, out)
-	}
-	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
-	return nil
-}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -1,507 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"encoding/binary"
-	"encoding/json"
-	"errors"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"runtime"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
-	"tailscale.com/control/controlhttp"
-	"tailscale.com/hostinfo"
-	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-var debugCmd = &ffcli.Command{
-	Name:     "debug",
-	Exec:     runDebug,
-	LongHelp: `"tailscale debug" contains misc debug facilities; it is not a stable interface.`,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("debug")
-		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
-		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
-		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
-		return fs
-	})(),
-	Subcommands: []*ffcli.Command{
-		{
-			Name:      "derp-map",
-			Exec:      runDERPMap,
-			ShortHelp: "print DERP map",
-		},
-		{
-			Name:      "daemon-goroutines",
-			Exec:      runDaemonGoroutines,
-			ShortHelp: "print tailscaled's goroutines",
-		},
-		{
-			Name:      "metrics",
-			Exec:      runDaemonMetrics,
-			ShortHelp: "print tailscaled's metrics",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("metrics")
-				fs.BoolVar(&metricsArgs.watch, "watch", false, "print JSON dump of delta values")
-				return fs
-			})(),
-		},
-		{
-			Name:      "env",
-			Exec:      runEnv,
-			ShortHelp: "print cmd/tailscale environment",
-		},
-		{
-			Name:      "stat",
-			Exec:      runStat,
-			ShortHelp: "stat a file",
-		},
-		{
-			Name:      "hostinfo",
-			Exec:      runHostinfo,
-			ShortHelp: "print hostinfo",
-		},
-		{
-			Name:      "local-creds",
-			Exec:      runLocalCreds,
-			ShortHelp: "print how to access Tailscale local API",
-		},
-		{
-			Name:      "restun",
-			Exec:      localAPIAction("restun"),
-			ShortHelp: "force a magicsock restun",
-		},
-		{
-			Name:      "rebind",
-			Exec:      localAPIAction("rebind"),
-			ShortHelp: "force a magicsock rebind",
-		},
-		{
-			Name:      "prefs",
-			Exec:      runPrefs,
-			ShortHelp: "print prefs",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("prefs")
-				fs.BoolVar(&prefsArgs.pretty, "pretty", false, "If true, pretty-print output")
-				return fs
-			})(),
-		},
-		{
-			Name:      "watch-ipn",
-			Exec:      runWatchIPN,
-			ShortHelp: "subscribe to IPN message bus",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("watch-ipn")
-				fs.BoolVar(&watchIPNArgs.netmap, "netmap", true, "include netmap in messages")
-				return fs
-			})(),
-		},
-		{
-			Name:      "via",
-			Exec:      runVia,
-			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
-		},
-		{
-			Name:      "ts2021",
-			Exec:      runTS2021,
-			ShortHelp: "debug ts2021 protocol connectivity",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("ts2021")
-				fs.StringVar(&ts2021Args.host, "host", "controlplane.tailscale.com", "hostname of control plane")
-				fs.IntVar(&ts2021Args.version, "version", int(tailcfg.CurrentCapabilityVersion), "protocol version")
-				return fs
-			})(),
-		},
-	},
-}
-
-var debugArgs struct {
-	file    string
-	cpuSec  int
-	cpuFile string
-	memFile string
-}
-
-func writeProfile(dst string, v []byte) error {
-	if dst == "-" {
-		_, err := Stdout.Write(v)
-		return err
-	}
-	return os.WriteFile(dst, v, 0600)
-}
-
-func outName(dst string) string {
-	if dst == "-" {
-		return "stdout"
-	}
-	if runtime.GOOS == "darwin" {
-		return fmt.Sprintf("%s (warning: sandboxed macOS binaries write to Library/Containers; use - to write to stdout and redirect to file instead)", dst)
-	}
-	return dst
-}
-
-func runDebug(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("unknown arguments")
-	}
-	var usedFlag bool
-	if out := debugArgs.cpuFile; out != "" {
-		usedFlag = true // TODO(bradfitz): add "profile" subcommand
-		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
-			return err
-		} else {
-			if err := writeProfile(out, v); err != nil {
-				return err
-			}
-			log.Printf("CPU profile written to %s", outName(out))
-		}
-	}
-	if out := debugArgs.memFile; out != "" {
-		usedFlag = true // TODO(bradfitz): add "profile" subcommand
-		log.Printf("Capturing memory profile ...")
-		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
-			return err
-		} else {
-			if err := writeProfile(out, v); err != nil {
-				return err
-			}
-			log.Printf("Memory profile written to %s", outName(out))
-		}
-	}
-	if debugArgs.file != "" {
-		usedFlag = true // TODO(bradfitz): add "file" subcommand
-		if debugArgs.file == "get" {
-			wfs, err := localClient.WaitingFiles(ctx)
-			if err != nil {
-				fatalf("%v\n", err)
-			}
-			e := json.NewEncoder(Stdout)
-			e.SetIndent("", "\t")
-			e.Encode(wfs)
-			return nil
-		}
-		delete := strings.HasPrefix(debugArgs.file, "delete:")
-		if delete {
-			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
-		}
-		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
-		if err != nil {
-			return err
-		}
-		log.Printf("Size: %v\n", size)
-		io.Copy(Stdout, rc)
-		return nil
-	}
-	if usedFlag {
-		// TODO(bradfitz): delete this path when all debug flags are migrated
-		// to subcommands.
-		return nil
-	}
-	return errors.New("see 'tailscale debug --help")
-}
-
-func runLocalCreds(ctx context.Context, args []string) error {
-	port, token, err := safesocket.LocalTCPPortAndToken()
-	if err == nil {
-		printf("curl -u:%s http://localhost:%d/localapi/v0/status\n", token, port)
-		return nil
-	}
-	if runtime.GOOS == "windows" {
-		printf("curl http://localhost:%v/localapi/v0/status\n", safesocket.WindowsLocalPort)
-		return nil
-	}
-	printf("curl --unix-socket %s http://foo/localapi/v0/status\n", paths.DefaultTailscaledSocket())
-	return nil
-}
-
-var prefsArgs struct {
-	pretty bool
-}
-
-func runPrefs(ctx context.Context, args []string) error {
-	prefs, err := localClient.GetPrefs(ctx)
-	if err != nil {
-		return err
-	}
-	if prefsArgs.pretty {
-		outln(prefs.Pretty())
-	} else {
-		j, _ := json.MarshalIndent(prefs, "", "\t")
-		outln(string(j))
-	}
-	return nil
-}
-
-var watchIPNArgs struct {
-	netmap bool
-}
-
-func runWatchIPN(ctx context.Context, args []string) error {
-	c, bc, ctx, cancel := connect(ctx)
-	defer cancel()
-
-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if !watchIPNArgs.netmap {
-			n.NetMap = nil
-		}
-		j, _ := json.MarshalIndent(n, "", "\t")
-		printf("%s\n", j)
-	})
-	bc.RequestEngineStatus()
-	pump(ctx, bc, c)
-	return errors.New("exit")
-}
-
-func runDERPMap(ctx context.Context, args []string) error {
-	dm, err := localClient.CurrentDERPMap(ctx)
-	if err != nil {
-		return fmt.Errorf(
-			"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
-		)
-	}
-	enc := json.NewEncoder(Stdout)
-	enc.SetIndent("", "\t")
-	enc.Encode(dm)
-	return nil
-}
-
-func localAPIAction(action string) func(context.Context, []string) error {
-	return func(ctx context.Context, args []string) error {
-		if len(args) > 0 {
-			return errors.New("unexpected arguments")
-		}
-		return localClient.DebugAction(ctx, action)
-	}
-}
-
-func runEnv(ctx context.Context, args []string) error {
-	for _, e := range os.Environ() {
-		outln(e)
-	}
-	return nil
-}
-
-func runStat(ctx context.Context, args []string) error {
-	for _, a := range args {
-		fi, err := os.Lstat(a)
-		if err != nil {
-			fmt.Printf("%s: %v\n", a, err)
-			continue
-		}
-		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
-		if fi.IsDir() {
-			ents, _ := os.ReadDir(a)
-			for i, ent := range ents {
-				if i == 25 {
-					fmt.Printf("  ...\n")
-					break
-				}
-				fmt.Printf("  - %s\n", ent.Name())
-			}
-		}
-	}
-	return nil
-}
-
-func runHostinfo(ctx context.Context, args []string) error {
-	hi := hostinfo.New()
-	j, _ := json.MarshalIndent(hi, "", "  ")
-	os.Stdout.Write(j)
-	return nil
-}
-
-func runDaemonGoroutines(ctx context.Context, args []string) error {
-	goroutines, err := localClient.Goroutines(ctx)
-	if err != nil {
-		return err
-	}
-	Stdout.Write(goroutines)
-	return nil
-}
-
-var metricsArgs struct {
-	watch bool
-}
-
-func runDaemonMetrics(ctx context.Context, args []string) error {
-	last := map[string]int64{}
-	for {
-		out, err := localClient.DaemonMetrics(ctx)
-		if err != nil {
-			return err
-		}
-		if !metricsArgs.watch {
-			Stdout.Write(out)
-			return nil
-		}
-		bs := bufio.NewScanner(bytes.NewReader(out))
-		type change struct {
-			name     string
-			from, to int64
-		}
-		var changes []change
-		var maxNameLen int
-		for bs.Scan() {
-			line := bytes.TrimSpace(bs.Bytes())
-			if len(line) == 0 || line[0] == '#' {
-				continue
-			}
-			f := strings.Fields(string(line))
-			if len(f) != 2 {
-				continue
-			}
-			name := f[0]
-			n, _ := strconv.ParseInt(f[1], 10, 64)
-			prev, ok := last[name]
-			if ok && prev == n {
-				continue
-			}
-			last[name] = n
-			if !ok {
-				continue
-			}
-			changes = append(changes, change{name, prev, n})
-			if len(name) > maxNameLen {
-				maxNameLen = len(name)
-			}
-		}
-		if len(changes) > 0 {
-			format := fmt.Sprintf("%%-%ds %%+5d => %%v\n", maxNameLen)
-			for _, c := range changes {
-				fmt.Fprintf(Stdout, format, c.name, c.to-c.from, c.to)
-			}
-			io.WriteString(Stdout, "\n")
-		}
-		time.Sleep(time.Second)
-	}
-}
-
-func runVia(ctx context.Context, args []string) error {
-	switch len(args) {
-	default:
-		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
-	case 1:
-		ipp, err := netaddr.ParseIPPrefix(args[0])
-		if err != nil {
-			return err
-		}
-		if !ipp.IP().Is6() {
-			return errors.New("with one argument, expect an IPv6 CIDR")
-		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
-			return errors.New("not a via route")
-		}
-		if ipp.Bits() < 96 {
-			return errors.New("short length, want /96 or more")
-		}
-		v4 := tsaddr.UnmapVia(ipp.IP())
-		a := ipp.IP().As16()
-		siteID := binary.BigEndian.Uint32(a[8:12])
-		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
-	case 2:
-		siteID, err := strconv.ParseUint(args[0], 0, 32)
-		if err != nil {
-			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
-		}
-		if siteID > 0xff {
-			return fmt.Errorf("site-id values over 255 are currently reserved")
-		}
-		ipp, err := netaddr.ParseIPPrefix(args[1])
-		if err != nil {
-			return err
-		}
-		via, err := tsaddr.MapVia(uint32(siteID), ipp)
-		if err != nil {
-			return err
-		}
-		fmt.Println(via)
-	}
-	return nil
-}
-
-var ts2021Args struct {
-	host    string // "controlplane.tailscale.com"
-	version int    // 27 or whatever
-}
-
-func runTS2021(ctx context.Context, args []string) error {
-	log.SetOutput(os.Stdout)
-	log.SetFlags(log.Ltime | log.Lmicroseconds)
-
-	machinePrivate := key.NewMachine()
-	var dialer net.Dialer
-
-	var keys struct {
-		PublicKey key.MachinePublic
-	}
-	keysURL := "https://" + ts2021Args.host + "/key?v=" + strconv.Itoa(ts2021Args.version)
-	log.Printf("Fetching keys from %s ...", keysURL)
-	req, err := http.NewRequestWithContext(ctx, "GET", keysURL, nil)
-	if err != nil {
-		return err
-	}
-	res, err := http.DefaultClient.Do(req)
-	if err != nil {
-		log.Printf("Do: %v", err)
-		return err
-	}
-	if res.StatusCode != 200 {
-		log.Printf("Status: %v", res.Status)
-		return errors.New(res.Status)
-	}
-	if err := json.NewDecoder(res.Body).Decode(&keys); err != nil {
-		log.Printf("JSON: %v", err)
-		return fmt.Errorf("decoding /keys JSON: %w", err)
-	}
-	res.Body.Close()
-
-	dialFunc := func(ctx context.Context, network, address string) (net.Conn, error) {
-		log.Printf("Dial(%q, %q) ...", network, address)
-		c, err := dialer.DialContext(ctx, network, address)
-		if err != nil {
-			log.Printf("Dial(%q, %q) = %v", network, address, err)
-		} else {
-			log.Printf("Dial(%q, %q) = %v / %v", network, address, c.LocalAddr(), c.RemoteAddr())
-		}
-		return c, err
-	}
-
-	conn, err := controlhttp.Dial(ctx, net.JoinHostPort(ts2021Args.host, "80"), machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
-	log.Printf("controlhttp.Dial = %p, %v", conn, err)
-	if err != nil {
-		return err
-	}
-	log.Printf("did noise handshake")
-
-	gotPeer := conn.Peer()
-	if gotPeer != keys.PublicKey {
-		log.Printf("peer = %v, want %v", gotPeer, keys.PublicKey)
-		return errors.New("key mismatch")
-	}
-
-	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
-	return nil
-}
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -1,56 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux || windows || darwin
-// +build linux windows darwin
-
-package cli
-
-import (
-	"fmt"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	ps "github.com/mitchellh/go-ps"
-)
-
-// fixTailscaledConnectError is called when the local tailscaled has
-// been determined unreachable due to the provided origErr value. It
-// returns either the same error or a better one to help the user
-// understand why tailscaled isn't running for their platform.
-func fixTailscaledConnectError(origErr error) error {
-	procs, err := ps.Processes()
-	if err != nil {
-		return fmt.Errorf("failed to connect to local Tailscaled process and failed to enumerate processes while looking for it")
-	}
-	var foundProc ps.Process
-	for _, proc := range procs {
-		base := filepath.Base(proc.Executable())
-		if base == "tailscaled" {
-			foundProc = proc
-			break
-		}
-		if runtime.GOOS == "darwin" && base == "IPNExtension" {
-			foundProc = proc
-			break
-		}
-		if runtime.GOOS == "windows" && strings.EqualFold(base, "tailscaled.exe") {
-			foundProc = proc
-			break
-		}
-	}
-	if foundProc == nil {
-		switch runtime.GOOS {
-		case "windows":
-			return fmt.Errorf("failed to connect to local tailscaled process; is the Tailscale service running?")
-		case "darwin":
-			return fmt.Errorf("failed to connect to local Tailscale service; is Tailscale running?")
-		case "linux":
-			return fmt.Errorf("failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?)")
-		}
-		return fmt.Errorf("failed to connect to local tailscaled process; it doesn't appear to be running")
-	}
-	return fmt.Errorf("failed to connect to local tailscaled (which appears to be running as %v, pid %v). Got error: %w", foundProc.Executable(), foundProc.Pid(), origErr)
-}
--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !linux && !windows && !darwin
-// +build !linux,!windows,!darwin
-
-package cli
-
-import "fmt"
-
-// The github.com/mitchellh/go-ps package doesn't work on all platforms,
-// so just don't diagnose connect failures.
-
-func fixTailscaledConnectError(origErr error) error {
-	return fmt.Errorf("failed to connect to local tailscaled process (is it running?); got: %w", origErr)
-}
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -1,57 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"flag"
-	"fmt"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn"
-)
-
-var downCmd = &ffcli.Command{
-	Name:       "down",
-	ShortUsage: "down",
-	ShortHelp:  "Disconnect from Tailscale",
-
-	Exec:    runDown,
-	FlagSet: newDownFlagSet(),
-}
-
-func newDownFlagSet() *flag.FlagSet {
-	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf)
-	return downf
-}
-
-func runDown(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return fmt.Errorf("too many non-flag arguments: %q", args)
-	}
-
-	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
-			return err
-		}
-	}
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fmt.Errorf("error fetching current status: %w", err)
-	}
-	if st.BackendState == "Stopped" {
-		fmt.Fprintf(Stderr, "Tailscale was already stopped.\n")
-		return nil
-	}
-	_, err = localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
-		Prefs: ipn.Prefs{
-			WantRunning: false,
-		},
-		WantRunningSet: true,
-	})
-	return err
-}
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -1,552 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"mime"
-	"net/http"
-	"os"
-	"path"
-	"path/filepath"
-	"strings"
-	"time"
-	"unicode/utf8"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/time/rate"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/version"
-)
-
-var fileCmd = &ffcli.Command{
-	Name:       "file",
-	ShortUsage: "file <cp|get> ...",
-	ShortHelp:  "Send or receive files",
-	Subcommands: []*ffcli.Command{
-		fileCpCmd,
-		fileGetCmd,
-	},
-	Exec: func(context.Context, []string) error {
-		// TODO(bradfitz): is there a better ffcli way to
-		// annotate subcommand-required commands that don't
-		// have an exec body of their own?
-		return errors.New("file subcommand required; run 'tailscale file -h' for details")
-	},
-}
-
-var fileCpCmd = &ffcli.Command{
-	Name:       "cp",
-	ShortUsage: "file cp <files...> <target>:",
-	ShortHelp:  "Copy file(s) to a host",
-	Exec:       runCp,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("cp")
-		fs.StringVar(&cpArgs.name, "name", "", "alternate filename to use, especially useful when <file> is \"-\" (stdin)")
-		fs.BoolVar(&cpArgs.verbose, "verbose", false, "verbose output")
-		fs.BoolVar(&cpArgs.targets, "targets", false, "list possible file cp targets")
-		return fs
-	})(),
-}
-
-var cpArgs struct {
-	name    string
-	verbose bool
-	targets bool
-}
-
-func runCp(ctx context.Context, args []string) error {
-	if cpArgs.targets {
-		return runCpTargets(ctx, args)
-	}
-	if len(args) < 2 {
-		return errors.New("usage: tailscale file cp <files...> <target>:")
-	}
-	files, target := args[:len(args)-1], args[len(args)-1]
-	if !strings.HasSuffix(target, ":") {
-		return fmt.Errorf("final argument to 'tailscale file cp' must end in colon")
-	}
-	target = strings.TrimSuffix(target, ":")
-	hadBrackets := false
-	if strings.HasPrefix(target, "[") && strings.HasSuffix(target, "]") {
-		hadBrackets = true
-		target = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
-	}
-	if ip, err := netaddr.ParseIP(target); err == nil && ip.Is6() && !hadBrackets {
-		return fmt.Errorf("an IPv6 literal must be written as [%s]", ip)
-	} else if hadBrackets && (err != nil || !ip.Is6()) {
-		return errors.New("unexpected brackets around target")
-	}
-	ip, _, err := tailscaleIPFromArg(ctx, target)
-	if err != nil {
-		return err
-	}
-
-	stableID, isOffline, err := getTargetStableID(ctx, ip)
-	if err != nil {
-		return fmt.Errorf("can't send to %s: %v", target, err)
-	}
-	if isOffline {
-		fmt.Fprintf(Stderr, "# warning: %s is offline\n", target)
-	}
-
-	if len(files) > 1 {
-		if cpArgs.name != "" {
-			return errors.New("can't use --name= with multiple files")
-		}
-		for _, fileArg := range files {
-			if fileArg == "-" {
-				return errors.New("can't use '-' as STDIN file when providing filename arguments")
-			}
-		}
-	}
-
-	for _, fileArg := range files {
-		var fileContents io.Reader
-		var name = cpArgs.name
-		var contentLength int64 = -1
-		if fileArg == "-" {
-			fileContents = os.Stdin
-			if name == "" {
-				name, fileContents, err = pickStdinFilename()
-				if err != nil {
-					return err
-				}
-			}
-		} else {
-			f, err := os.Open(fileArg)
-			if err != nil {
-				if version.IsSandboxedMacOS() {
-					return errors.New("the GUI version of Tailscale on macOS runs in a macOS sandbox that can't read files")
-				}
-				return err
-			}
-			defer f.Close()
-			fi, err := f.Stat()
-			if err != nil {
-				return err
-			}
-			if fi.IsDir() {
-				return errors.New("directories not supported")
-			}
-			contentLength = fi.Size()
-			fileContents = io.LimitReader(f, contentLength)
-			if name == "" {
-				name = filepath.Base(fileArg)
-			}
-
-			if envknob.Bool("TS_DEBUG_SLOW_PUSH") {
-				fileContents = &slowReader{r: fileContents}
-			}
-		}
-
-		if cpArgs.verbose {
-			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
-		}
-		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
-		if err != nil {
-			return err
-		}
-		if cpArgs.verbose {
-			log.Printf("sent %q", name)
-		}
-	}
-	return nil
-}
-
-func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return "", false, err
-	}
-	fts, err := localClient.FileTargets(ctx)
-	if err != nil {
-		return "", false, err
-	}
-	for _, ft := range fts {
-		n := ft.Node
-		for _, a := range n.Addresses {
-			if a.IP() != ip {
-				continue
-			}
-			isOffline = n.Online != nil && !*n.Online
-			return n.StableID, isOffline, nil
-		}
-	}
-	return "", false, fileTargetErrorDetail(ctx, ip)
-}
-
-// fileTargetErrorDetail returns a non-nil error saying why ip is an
-// invalid file sharing target.
-func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
-	found := false
-	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
-		for _, peer := range st.Peer {
-			for _, pip := range peer.TailscaleIPs {
-				if pip == ip {
-					found = true
-					if peer.UserID != st.Self.UserID {
-						return errors.New("owned by different user; can only send files to your own devices")
-					}
-				}
-			}
-		}
-	}
-	if found {
-		return errors.New("target seems to be running an old Tailscale version")
-	}
-	if !tsaddr.IsTailscaleIP(ip) {
-		return fmt.Errorf("unknown target; %v is not a Tailscale IP address", ip)
-	}
-	return errors.New("unknown target; not in your Tailnet")
-}
-
-const maxSniff = 4 << 20
-
-func ext(b []byte) string {
-	if len(b) < maxSniff && utf8.Valid(b) {
-		return ".txt"
-	}
-	if exts, _ := mime.ExtensionsByType(http.DetectContentType(b)); len(exts) > 0 {
-		return exts[0]
-	}
-	return ""
-}
-
-// pickStdinFilename reads a bit of stdin to return a good filename
-// for its contents. The returned Reader is the concatenation of the
-// read and unread bits.
-func pickStdinFilename() (name string, r io.Reader, err error) {
-	sniff, err := io.ReadAll(io.LimitReader(os.Stdin, maxSniff))
-	if err != nil {
-		return "", nil, err
-	}
-	return "stdin" + ext(sniff), io.MultiReader(bytes.NewReader(sniff), os.Stdin), nil
-}
-
-type slowReader struct {
-	r  io.Reader
-	rl *rate.Limiter
-}
-
-func (r *slowReader) Read(p []byte) (n int, err error) {
-	const burst = 4 << 10
-	plen := len(p)
-	if plen > burst {
-		plen = burst
-	}
-	if r.rl == nil {
-		r.rl = rate.NewLimiter(rate.Limit(1<<10), burst)
-	}
-	n, err = r.r.Read(p[:plen])
-	r.rl.WaitN(context.Background(), n)
-	return
-}
-
-func runCpTargets(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("invalid arguments with --targets")
-	}
-	fts, err := localClient.FileTargets(ctx)
-	if err != nil {
-		return err
-	}
-	for _, ft := range fts {
-		n := ft.Node
-		var detail string
-		if n.Online != nil {
-			if !*n.Online {
-				detail = "offline"
-			}
-		} else {
-			detail = "unknown-status"
-		}
-		if detail != "" && n.LastSeen != nil {
-			d := time.Since(*n.LastSeen)
-			detail += fmt.Sprintf("; last seen %v ago", d.Round(time.Minute))
-		}
-		if detail != "" {
-			detail = "\t" + detail
-		}
-		printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
-	}
-	return nil
-}
-
-// onConflict is a flag.Value for the --conflict flag's three string options.
-type onConflict string
-
-const (
-	skipOnExist         onConflict = "skip"
-	overwriteExisting   onConflict = "overwrite" //  Overwrite any existing file at the target location
-	createNumberedFiles onConflict = "rename"    //  Create an alternately named file in the style of Chrome Downloads
-)
-
-func (v *onConflict) String() string { return string(*v) }
-
-func (v *onConflict) Set(s string) error {
-	if s == "" {
-		*v = skipOnExist
-		return nil
-	}
-	*v = onConflict(strings.ToLower(s))
-	if *v != skipOnExist && *v != overwriteExisting && *v != createNumberedFiles {
-		return fmt.Errorf("%q is not one of (skip|overwrite|rename)", s)
-	}
-	return nil
-}
-
-var fileGetCmd = &ffcli.Command{
-	Name:       "get",
-	ShortUsage: "file get [--wait] [--verbose] [--conflict=(skip|overwrite|rename)] <target-directory>",
-	ShortHelp:  "Move files out of the Tailscale file inbox",
-	Exec:       runFileGet,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("get")
-		fs.BoolVar(&getArgs.wait, "wait", false, "wait for a file to arrive if inbox is empty")
-		fs.BoolVar(&getArgs.loop, "loop", false, "run get in a loop, receiving files as they come in")
-		fs.BoolVar(&getArgs.verbose, "verbose", false, "verbose output")
-		fs.Var(&getArgs.conflict, "conflict", `behavior when a conflicting (same-named) file already exists in the target directory.
-	skip:       skip conflicting files: leave them in the taildrop inbox and print an error. get any non-conflicting files
-	overwrite:  overwrite existing file
-	rename:     write to a new number-suffixed filename`)
-		return fs
-	})(),
-}
-
-var getArgs = struct {
-	wait     bool
-	loop     bool
-	verbose  bool
-	conflict onConflict
-}{conflict: skipOnExist}
-
-func numberedFileName(dir, name string, i int) string {
-	ext := path.Ext(name)
-	return filepath.Join(dir, fmt.Sprintf("%s (%d)%s",
-		strings.TrimSuffix(name, ext),
-		i, ext))
-}
-
-func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error) {
-	targetFile := filepath.Join(dir, base)
-	f, err := os.OpenFile(targetFile, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644)
-	if err == nil {
-		return f, nil
-	}
-	// Something went wrong trying to open targetFile as a new file for writing.
-	switch action {
-	default:
-		// This should not happen.
-		return nil, fmt.Errorf("file issue. how to resolve this conflict? no one knows.")
-	case skipOnExist:
-		if _, statErr := os.Stat(targetFile); statErr == nil {
-			// we can stat a file at that path: so it already exists.
-			return nil, fmt.Errorf("refusing to overwrite file: %w", err)
-		}
-		return nil, fmt.Errorf("failed to write; %w", err)
-	case overwriteExisting:
-		// remove the target file and create it anew so we don't fall for an
-		// attacker who symlinks a known target name to a file he wants changed.
-		if err = os.Remove(targetFile); err != nil {
-			return nil, fmt.Errorf("unable to remove target file: %w", err)
-		}
-		if f, err = os.OpenFile(targetFile, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644); err != nil {
-			return nil, fmt.Errorf("unable to overwrite: %w", err)
-		}
-		return f, nil
-	case createNumberedFiles:
-		// It's possible the target directory or filesystem isn't writable by us,
-		// not just that the target file(s) already exists.  For now, give up after
-		// a limited number of attempts.  In future, maybe distinguish this case
-		// and follow in the style of https://tinyurl.com/chromium100
-		maxAttempts := 100
-		for i := 1; i < maxAttempts; i++ {
-			if f, err = os.OpenFile(numberedFileName(dir, base, i), os.O_RDWR|os.O_CREATE|os.O_EXCL, 0644); err == nil {
-				return f, nil
-			}
-		}
-		return nil, fmt.Errorf("unable to find a name for writing %v, final attempt: %w", targetFile, err)
-	}
-}
-
-func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
-	rc, size, err := localClient.GetWaitingFile(ctx, wf.Name)
-	if err != nil {
-		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
-	}
-	defer rc.Close()
-	f, err := openFileOrSubstitute(dir, wf.Name, getArgs.conflict)
-	if err != nil {
-		return "", 0, err
-	}
-	_, err = io.Copy(f, rc)
-	if err != nil {
-		f.Close()
-		return "", 0, fmt.Errorf("failed to write %v: %v", f.Name(), err)
-	}
-	return f.Name(), size, f.Close()
-}
-
-func runFileGetOneBatch(ctx context.Context, dir string) []error {
-	var wfs []apitype.WaitingFile
-	var err error
-	var errs []error
-	for len(errs) == 0 {
-		wfs, err = localClient.WaitingFiles(ctx)
-		if err != nil {
-			errs = append(errs, fmt.Errorf("getting WaitingFiles: %w", err))
-			break
-		}
-		if len(wfs) != 0 || !(getArgs.wait || getArgs.loop) {
-			break
-		}
-		if getArgs.verbose {
-			printf("waiting for file...")
-		}
-		if err := waitForFile(ctx); err != nil {
-			errs = append(errs, err)
-		}
-	}
-
-	deleted := 0
-	for i, wf := range wfs {
-		if len(errs) > 100 {
-			// Likely, everything is broken.
-			// Don't try to receive any more files in this batch.
-			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs)-i))
-			break
-		}
-		writtenFile, size, err := receiveFile(ctx, wf, dir)
-		if err != nil {
-			errs = append(errs, err)
-			continue
-		}
-		if getArgs.verbose {
-			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
-		}
-		if err = localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
-			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
-			continue
-		}
-		deleted++
-	}
-	if deleted == 0 && len(wfs) > 0 {
-		// persistently stuck files are basically an error
-		errs = append(errs, fmt.Errorf("moved %d/%d files", deleted, len(wfs)))
-	} else if getArgs.verbose {
-		printf("moved %d/%d files\n", deleted, len(wfs))
-	}
-	return errs
-}
-
-func runFileGet(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: file get <target-directory>")
-	}
-	log.SetFlags(0)
-
-	dir := args[0]
-	if dir == "/dev/null" {
-		return wipeInbox(ctx)
-	}
-
-	if fi, err := os.Stat(dir); err != nil || !fi.IsDir() {
-		return fmt.Errorf("%q is not a directory", dir)
-	}
-	if getArgs.loop {
-		for {
-			errs := runFileGetOneBatch(ctx, dir)
-			for _, err := range errs {
-				outln(err)
-			}
-			if len(errs) > 0 {
-				// It's possible whatever caused the error(s) (e.g. conflicting target file,
-				// full disk, unwritable target directory) will re-occur if we try again so
-				// let's back off and not busy loop on error.
-				//
-				// If we've been invoked as:
-				//    tailscale file get --conflict=skip ~/Downloads
-				// then any file coming in named the same as one in ~/Downloads will always
-				// appear as an "error" until the user clears it, but other incoming files
-				// should be receivable when they arrive, so let's not wait too long to
-				// check again.
-				time.Sleep(5 * time.Second)
-			}
-		}
-	}
-	errs := runFileGetOneBatch(ctx, dir)
-	if len(errs) == 0 {
-		return nil
-	}
-	for _, err := range errs[:len(errs)-1] {
-		outln(err)
-	}
-	return errs[len(errs)-1]
-}
-
-func wipeInbox(ctx context.Context) error {
-	if getArgs.wait {
-		return errors.New("can't use --wait with /dev/null target")
-	}
-	wfs, err := localClient.WaitingFiles(ctx)
-	if err != nil {
-		return fmt.Errorf("getting WaitingFiles: %w", err)
-	}
-	deleted := 0
-	for _, wf := range wfs {
-		if getArgs.verbose {
-			log.Printf("deleting %v ...", wf.Name)
-		}
-		if err := localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
-			return fmt.Errorf("deleting %q: %v", wf.Name, err)
-		}
-		deleted++
-	}
-	if getArgs.verbose {
-		log.Printf("deleted %d files", deleted)
-	}
-	return nil
-}
-
-func waitForFile(ctx context.Context) error {
-	c, bc, pumpCtx, cancel := connect(ctx)
-	defer cancel()
-	fileWaiting := make(chan bool, 1)
-	notifyError := make(chan error, 1)
-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if n.ErrMessage != nil {
-			notifyError <- fmt.Errorf("Notify.ErrMessage: %v", *n.ErrMessage)
-		}
-		if n.FilesWaiting != nil {
-			select {
-			case fileWaiting <- true:
-			default:
-			}
-		}
-	})
-	go pump(pumpCtx, bc, c)
-	select {
-	case <-fileWaiting:
-		return nil
-	case <-pumpCtx.Done():
-		return pumpCtx.Err()
-	case <-ctx.Done():
-		return ctx.Err()
-	case err := <-notifyError:
-		return err
-	}
-}
--- a/cmd/tailscale/cli/id-token.go
+++ b/cmd/tailscale/cli/id-token.go
@@ -1,34 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"fmt"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var idTokenCmd = &ffcli.Command{
-	Name:       "id-token",
-	ShortUsage: "id-token <aud>",
-	ShortHelp:  "fetch an OIDC id-token for the Tailscale machine",
-	Exec:       runIDToken,
-}
-
-func runIDToken(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: id-token <aud>")
-	}
-
-	tr, err := localClient.IDToken(ctx, args[0])
-	if err != nil {
-		return err
-	}
-
-	fmt.Println(tr.IDToken)
-	return nil
-}
--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -1,122 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
-	"tailscale.com/ipn/ipnstate"
-)
-
-var ipCmd = &ffcli.Command{
-	Name:       "ip",
-	ShortUsage: "ip [-1] [-4] [-6] [peer hostname or ip address]",
-	ShortHelp:  "Show Tailscale IP addresses",
-	LongHelp:   "Show Tailscale IP addresses for peer. Peer defaults to the current machine.",
-	Exec:       runIP,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("ip")
-		fs.BoolVar(&ipArgs.want1, "1", false, "only print one IP address")
-		fs.BoolVar(&ipArgs.want4, "4", false, "only print IPv4 address")
-		fs.BoolVar(&ipArgs.want6, "6", false, "only print IPv6 address")
-		return fs
-	})(),
-}
-
-var ipArgs struct {
-	want1 bool
-	want4 bool
-	want6 bool
-}
-
-func runIP(ctx context.Context, args []string) error {
-	if len(args) > 1 {
-		return errors.New("too many arguments, expected at most one peer")
-	}
-	var of string
-	if len(args) == 1 {
-		of = args[0]
-	}
-
-	v4, v6 := ipArgs.want4, ipArgs.want6
-	nflags := 0
-	for _, b := range []bool{ipArgs.want1, v4, v6} {
-		if b {
-			nflags++
-		}
-	}
-	if nflags > 1 {
-		return errors.New("tailscale ip -1, -4, and -6 are mutually exclusive")
-	}
-	if !v4 && !v6 {
-		v4, v6 = true, true
-	}
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return err
-	}
-	ips := st.TailscaleIPs
-	if of != "" {
-		ip, _, err := tailscaleIPFromArg(ctx, of)
-		if err != nil {
-			return err
-		}
-		peer, ok := peerMatchingIP(st, ip)
-		if !ok {
-			return fmt.Errorf("no peer found with IP %v", ip)
-		}
-		ips = peer.TailscaleIPs
-	}
-	if len(ips) == 0 {
-		return fmt.Errorf("no current Tailscale IPs; state: %v", st.BackendState)
-	}
-
-	if ipArgs.want1 {
-		ips = ips[:1]
-	}
-	match := false
-	for _, ip := range ips {
-		if ip.Is4() && v4 || ip.Is6() && v6 {
-			match = true
-			outln(ip)
-		}
-	}
-	if !match {
-		if ipArgs.want4 {
-			return errors.New("no Tailscale IPv4 address")
-		}
-		if ipArgs.want6 {
-			return errors.New("no Tailscale IPv6 address")
-		}
-	}
-	return nil
-}
-
-func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return
-	}
-	for _, ps = range st.Peer {
-		for _, pip := range ps.TailscaleIPs {
-			if ip == pip {
-				return ps, true
-			}
-		}
-	}
-	if ps := st.Self; ps != nil {
-		for _, pip := range ps.TailscaleIPs {
-			if ip == pip {
-				return ps, true
-			}
-		}
-	}
-	return nil, false
-}
--- a/cmd/tailscale/cli/logout.go
+++ b/cmd/tailscale/cli/logout.go
@@ -1,33 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var logoutCmd = &ffcli.Command{
-	Name:       "logout",
-	ShortUsage: "logout [flags]",
-	ShortHelp:  "Disconnect from Tailscale and expire current node key",
-
-	LongHelp: strings.TrimSpace(`
-"tailscale logout" brings the network down and invalidates
-the current node key, forcing a future use of it to cause
-a reauthentication.
-`),
-	Exec: runLogout,
-}
-
-func runLogout(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return fmt.Errorf("too many non-flag arguments: %q", args)
-	}
-	return localClient.Logout(ctx)
-}
--- a/cmd/tailscale/cli/nc.go
+++ b/cmd/tailscale/cli/nc.go
@@ -1,62 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strconv"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-)
-
-var ncCmd = &ffcli.Command{
-	Name:       "nc",
-	ShortUsage: "nc <hostname-or-IP> <port>",
-	ShortHelp:  "Connect to a port on a host, connected to stdin/stdout",
-	Exec:       runNC,
-}
-
-func runNC(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-
-	if len(args) != 2 {
-		return errors.New("usage: nc <hostname-or-IP> <port>")
-	}
-
-	hostOrIP, portStr := args[0], args[1]
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		return fmt.Errorf("invalid port number %q", portStr)
-	}
-
-	// TODO(bradfitz): also add UDP too, via flag?
-	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
-	if err != nil {
-		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
-	}
-	defer c.Close()
-	errc := make(chan error, 1)
-	go func() {
-		_, err := io.Copy(os.Stdout, c)
-		errc <- err
-	}()
-	go func() {
-		_, err := io.Copy(c, os.Stdin)
-		errc <- err
-	}()
-	return <-errc
-}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -9,19 +9,16 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
-	"io"
-	"io/ioutil"
 	"log"
-	"net/http"
+	"os"
 	"sort"
 	"strings"
 	"time"

-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn"
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netcheck"
-	"tailscale.com/net/portmapper"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 )
@@ -32,7 +29,7 @@ var netcheckCmd = &ffcli.Command{
 	ShortHelp:  "Print an analysis of local network conditions",
 	Exec:       runNetcheck,
 	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("netcheck")
+		fs := flag.NewFlagSet("netcheck", flag.ExitOnError)
 		fs.StringVar(&netcheckArgs.format, "format", "", `output format; empty (for human-readable), "json" or "json-line"`)
 		fs.DurationVar(&netcheckArgs.every, "every", 0, "if non-zero, do an incremental report with the given frequency")
 		fs.BoolVar(&netcheckArgs.verbose, "verbose", false, "verbose logs")
@@ -48,8 +45,7 @@ var netcheckArgs struct {

 func runNetcheck(ctx context.Context, args []string) error {
 	c := &netcheck.Client{
-		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
-		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil),
+		DNSCache: dnscache.Get(),
 	}
 	if netcheckArgs.verbose {
 		c.Logf = logger.WithPrefix(log.Printf, "netcheck: ")
@@ -59,20 +55,10 @@ func runNetcheck(ctx context.Context, args []string) error {
 	}

 	if strings.HasPrefix(netcheckArgs.format, "json") {
-		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
+		fmt.Fprintln(os.Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}

-	dm, err := localClient.CurrentDERPMap(ctx)
-	noRegions := dm != nil && len(dm.Regions) == 0
-	if noRegions {
-		log.Printf("No DERP map from tailscaled; using default.")
-	}
-	if err != nil || noRegions {
-		dm, err = prodDERPMap(ctx, http.DefaultClient)
-		if err != nil {
-			return err
-		}
-	}
+	dm := derpmap.Prod()
 	for {
 		t0 := time.Now()
 		report, err := c.GetReport(ctx, dm)
@@ -81,7 +67,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 			c.Logf("GetReport took %v; err=%v", d.Round(time.Millisecond), err)
 		}
 		if err != nil {
-			return fmt.Errorf("netcheck: %w", err)
+			log.Fatalf("netcheck: %v", err)
 		}
 		if err := printReport(dm, report); err != nil {
 			return err
@@ -111,65 +97,48 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	}
 	if j != nil {
 		j = append(j, '\n')
-		Stdout.Write(j)
+		os.Stdout.Write(j)
 		return nil
 	}

-	printf("\nReport:\n")
-	printf("\t* UDP: %v\n", report.UDP)
+	fmt.Printf("\nReport:\n")
+	fmt.Printf("\t* UDP: %v\n", report.UDP)
 	if report.GlobalV4 != "" {
-		printf("\t* IPv4: yes, %v\n", report.GlobalV4)
+		fmt.Printf("\t* IPv4: yes, %v\n", report.GlobalV4)
 	} else {
-		printf("\t* IPv4: (no addr found)\n")
+		fmt.Printf("\t* IPv4: (no addr found)\n")
 	}
 	if report.GlobalV6 != "" {
-		printf("\t* IPv6: yes, %v\n", report.GlobalV6)
+		fmt.Printf("\t* IPv6: yes, %v\n", report.GlobalV6)
 	} else if report.IPv6 {
-		printf("\t* IPv6: (no addr found)\n")
-	} else if report.OSHasIPv6 {
-		printf("\t* IPv6: no, but OS has support\n")
+		fmt.Printf("\t* IPv6: (no addr found)\n")
 	} else {
-		printf("\t* IPv6: no, unavailable in OS\n")
+		fmt.Printf("\t* IPv6: no\n")
 	}
-	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
-	printf("\t* HairPinning: %v\n", report.HairPinning)
-	printf("\t* PortMapping: %v\n", portMapping(report))
+	fmt.Printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
+	fmt.Printf("\t* HairPinning: %v\n", report.HairPinning)
+	fmt.Printf("\t* PortMapping: %v\n", portMapping(report))

 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that
 	// most of your other nodes are also using
 	if len(report.RegionLatency) == 0 {
-		printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
+		fmt.Printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
-		printf("\t* DERP latency:\n")
+		fmt.Printf("\t* Nearest DERP: %v (%v)\n", report.PreferredDERP, dm.Regions[report.PreferredDERP].RegionCode)
+		fmt.Printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {
 			rids = append(rids, rid)
 		}
-		sort.Slice(rids, func(i, j int) bool {
-			l1, ok1 := report.RegionLatency[rids[i]]
-			l2, ok2 := report.RegionLatency[rids[j]]
-			if ok1 != ok2 {
-				return ok1 // defined things sort first
-			}
-			if !ok1 {
-				return rids[i] < rids[j]
-			}
-			return l1 < l2
-		})
+		sort.Ints(rids)
 		for _, rid := range rids {
 			d, ok := report.RegionLatency[rid]
 			var latency string
 			if ok {
 				latency = d.Round(time.Millisecond / 10).String()
 			}
-			r := dm.Regions[rid]
-			var derpNum string
-			if netcheckArgs.verbose {
-				derpNum = fmt.Sprintf("derp%d, ", rid)
-			}
-			printf("\t\t- %3s: %-7s (%s%s)\n", r.RegionCode, latency, derpNum, r.RegionName)
+			fmt.Printf("\t\t- %v, %3s = %s\n", rid, dm.Regions[rid].RegionCode, latency)
 		}
 	}
 	return nil
@@ -191,27 +160,3 @@ func portMapping(r *netcheck.Report) string {
 	}
 	return strings.Join(got, ", ")
 }
-
-func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", ipn.DefaultControlURL+"/derpmap/default", nil)
-	if err != nil {
-		return nil, fmt.Errorf("create prodDERPMap request: %w", err)
-	}
-	res, err := httpc.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
-	}
-	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
-	if err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
-	}
-	if res.StatusCode != 200 {
-		return nil, fmt.Errorf("fetch prodDERPMap: %v: %s", res.Status, b)
-	}
-	var derpMap tailcfg.DERPMap
-	if err = json.Unmarshal(b, &derpMap); err != nil {
-		return nil, fmt.Errorf("fetch prodDERPMap: %w", err)
-	}
-	return &derpMap, nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -1,216 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-	"log"
-	"net"
-	"os"
-	"strings"
-	"time"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-)
-
-var pingCmd = &ffcli.Command{
-	Name:       "ping",
-	ShortUsage: "ping <hostname-or-IP>",
-	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
-	LongHelp: strings.TrimSpace(`
-
-The 'tailscale ping' command pings a peer node from the Tailscale layer
-and reports which route it took for each response. The first ping or
-so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
-traversal finds a direct path through.
-
-If 'tailscale ping' works but a normal ping does not, that means one
-side's operating system firewall is blocking packets; 'tailscale ping'
-does not inject packets into either side's TUN devices.
-
-By default, 'tailscale ping' stops after 10 pings or once a direct
-(non-DERP) path has been established, whichever comes first.
-
-The provided hostname must resolve to or be a Tailscale IP
-(e.g. 100.x.y.z) or a subnet IP advertised by a Tailscale
-relay node.
-
-`),
-	Exec: runPing,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("ping")
-		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
-		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
-		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
-		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
-		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
-		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
-		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
-		return fs
-	})(),
-}
-
-var pingArgs struct {
-	num         int
-	untilDirect bool
-	verbose     bool
-	tsmp        bool
-	icmp        bool
-	peerAPI     bool
-	timeout     time.Duration
-}
-
-func pingType() tailcfg.PingType {
-	if pingArgs.tsmp {
-		return tailcfg.PingTSMP
-	}
-	if pingArgs.icmp {
-		return tailcfg.PingICMP
-	}
-	if pingArgs.peerAPI {
-		return tailcfg.PingPeerAPI
-	}
-	return tailcfg.PingDisco
-}
-
-func runPing(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-
-	if len(args) != 1 || args[0] == "" {
-		return errors.New("usage: ping <hostname-or-IP>")
-	}
-	var ip string
-
-	hostOrIP := args[0]
-	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
-	if err != nil {
-		return err
-	}
-	if self {
-		printf("%v is local Tailscale IP\n", ip)
-		return nil
-	}
-
-	if pingArgs.verbose && ip != hostOrIP {
-		log.Printf("lookup %q => %q", hostOrIP, ip)
-	}
-
-	n := 0
-	anyPong := false
-	for {
-		n++
-		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
-		cancel()
-		if err != nil {
-			if errors.Is(err, context.DeadlineExceeded) {
-				printf("ping %q timed out\n", ip)
-				if n == pingArgs.num {
-					if !anyPong {
-						return errors.New("no reply")
-					}
-					return nil
-				}
-				continue
-			}
-			return err
-		}
-		if pr.Err != "" {
-			if pr.IsLocalIP {
-				outln(pr.Err)
-				return nil
-			}
-			return errors.New(pr.Err)
-		}
-		latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
-		via := pr.Endpoint
-		if pr.DERPRegionID != 0 {
-			via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
-		}
-		if via == "" {
-			// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
-			// For now just say which protocol it used.
-			via = string(pingType())
-		}
-		if pingArgs.peerAPI {
-			printf("hit peerapi of %s (%s) at %s in %s\n", pr.NodeIP, pr.NodeName, pr.PeerAPIURL, latency)
-			return nil
-		}
-		anyPong = true
-		extra := ""
-		if pr.PeerAPIPort != 0 {
-			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
-		}
-		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
-		if pingArgs.tsmp || pingArgs.icmp {
-			return nil
-		}
-		if pr.Endpoint != "" && pingArgs.untilDirect {
-			return nil
-		}
-		time.Sleep(time.Second)
-
-		if n == pingArgs.num {
-			if !anyPong {
-				return errors.New("no reply")
-			}
-			if pingArgs.untilDirect {
-				return errors.New("direct connection not established")
-			}
-			return nil
-		}
-	}
-}
-
-func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self bool, err error) {
-	// If the argument is an IP address, use it directly without any resolution.
-	if net.ParseIP(hostOrIP) != nil {
-		return hostOrIP, false, nil
-	}
-
-	// Otherwise, try to resolve it first from the network peer list.
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return "", false, err
-	}
-	match := func(ps *ipnstate.PeerStatus) bool {
-		return strings.EqualFold(hostOrIP, dnsOrQuoteHostname(st, ps)) || hostOrIP == ps.DNSName
-	}
-	for _, ps := range st.Peer {
-		if match(ps) {
-			if len(ps.TailscaleIPs) == 0 {
-				return "", false, errors.New("node found but lacks an IP")
-			}
-			return ps.TailscaleIPs[0].String(), false, nil
-		}
-	}
-	if match(st.Self) && len(st.Self.TailscaleIPs) > 0 {
-		return st.Self.TailscaleIPs[0].String(), true, nil
-	}
-
-	// Finally, use DNS.
-	var res net.Resolver
-	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
-		return "", false, fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
-	} else if len(addrs) == 0 {
-		return "", false, fmt.Errorf("no IPs found for %q", hostOrIP)
-	} else {
-		return addrs[0], false, nil
-	}
-}
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -1,78 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"errors"
-	"flag"
-	"fmt"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-	"time"
-)
-
-var (
-	riskTypes     []string
-	acceptedRisks string
-	riskLoseSSH   = registerRiskType("lose-ssh")
-)
-
-func registerRiskType(riskType string) string {
-	riskTypes = append(riskTypes, riskType)
-	return riskType
-}
-
-// registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
-// in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet) {
-	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
-}
-
-// riskAccepted reports whether riskType is in acceptedRisks.
-func riskAccepted(riskType string) bool {
-	for _, r := range strings.Split(acceptedRisks, ",") {
-		if r == riskType {
-			return true
-		}
-	}
-	return false
-}
-
-var errAborted = errors.New("aborted, no changes made")
-
-// riskAbortTimeSeconds is the number of seconds to wait after displaying the
-// risk message before continuing with the operation.
-// It is used by the presentRiskToUser function below.
-const riskAbortTimeSeconds = 5
-
-// presentRiskToUser displays the risk message and waits for the user to
-// cancel. It returns errorAborted if the user aborts.
-func presentRiskToUser(riskType, riskMessage string) error {
-	if riskAccepted(riskType) {
-		return nil
-	}
-	fmt.Println(riskMessage)
-	fmt.Printf("To skip this warning, use --accept-risk=%s\n", riskType)
-
-	interrupt := make(chan os.Signal, 1)
-	signal.Notify(interrupt, syscall.SIGINT)
-	var msgLen int
-	for left := riskAbortTimeSeconds; left > 0; left-- {
-		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
-		msgLen = len(msg)
-		fmt.Print(msg)
-		select {
-		case <-interrupt:
-			fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen+1))
-			return errAborted
-		case <-time.After(time.Second):
-			continue
-		}
-	}
-	fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen))
-	return errAborted
-}
--- a/cmd/tailscale/cli/ssh.go
+++ b/cmd/tailscale/cli/ssh.go
@@ -1,210 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"errors"
-	"fmt"
-	"log"
-	"os"
-	"os/user"
-	"path/filepath"
-	"runtime"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/version"
-)
-
-var sshCmd = &ffcli.Command{
-	Name:       "ssh",
-	ShortUsage: "ssh [user@]<host> [args...]",
-	ShortHelp:  "SSH to a Tailscale machine",
-	Exec:       runSSH,
-}
-
-func runSSH(ctx context.Context, args []string) error {
-	if runtime.GOOS == "darwin" && version.IsSandboxedMacOS() && !envknob.UseWIPCode() {
-		return errors.New("The 'tailscale ssh' subcommand is not available on sandboxed macOS builds.\nUse the regular 'ssh' client instead.")
-	}
-	if len(args) == 0 {
-		return errors.New("usage: ssh [user@]<host>")
-	}
-	arg, argRest := args[0], args[1:]
-	username, host, ok := strings.Cut(arg, "@")
-	if !ok {
-		host = arg
-		lu, err := user.Current()
-		if err != nil {
-			return nil
-		}
-		username = lu.Username
-	}
-
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return err
-	}
-
-	// hostForSSH is the hostname we'll tell OpenSSH we're
-	// connecting to, so we have to maintain fewer entries in the
-	// known_hosts files.
-	hostForSSH := host
-	if v, ok := nodeDNSNameFromArg(st, host); ok {
-		hostForSSH = v
-	}
-
-	ssh, err := findSSH()
-	if err != nil {
-		// TODO(bradfitz): use Go's crypto/ssh client instead
-		// of failing. But for now:
-		return fmt.Errorf("no system 'ssh' command found: %w", err)
-	}
-	tailscaleBin, err := os.Executable()
-	if err != nil {
-		return err
-	}
-	knownHostsFile, err := writeKnownHosts(st)
-	if err != nil {
-		return err
-	}
-
-	argv := []string{ssh}
-
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		argv = append(argv, "-vvv")
-	}
-	argv = append(argv,
-		// Only trust SSH hosts that we know about.
-		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
-		"-o", "UpdateHostKeys no",
-		"-o", "StrictHostKeyChecking yes",
-	)
-
-	// TODO(bradfitz): nc is currently broken on macOS:
-	// https://github.com/tailscale/tailscale/issues/4529
-	// So don't use it for now. MagicDNS is usually working on macOS anyway
-	// and they're not in userspace mode, so 'nc' isn't very useful.
-	if runtime.GOOS != "darwin" {
-		argv = append(argv,
-			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
-				tailscaleBin,
-				rootArgs.socket,
-			))
-	}
-
-	// Explicitly rebuild the user@host argument rather than
-	// passing it through.  In general, the use of OpenSSH's ssh
-	// binary is a crutch for now.  We don't want to be
-	// Hyrum-locked into passing through all OpenSSH flags to the
-	// OpenSSH client forever. We try to make our flags and args
-	// be compatible, but only a subset. The "tailscale ssh"
-	// command should be a simple and portable one. If they want
-	// to use a different one, we'll later be making stock ssh
-	// work well by default too. (doing things like automatically
-	// setting known_hosts, etc)
-	argv = append(argv, username+"@"+hostForSSH)
-
-	argv = append(argv, argRest...)
-
-	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
-		log.Printf("Running: %q, %q ...", ssh, argv)
-	}
-
-	return execSSH(ssh, argv)
-}
-
-func writeKnownHosts(st *ipnstate.Status) (knownHostsFile string, err error) {
-	confDir, err := os.UserConfigDir()
-	if err != nil {
-		return "", err
-	}
-	tsConfDir := filepath.Join(confDir, "tailscale")
-	if err := os.MkdirAll(tsConfDir, 0700); err != nil {
-		return "", err
-	}
-	knownHostsFile = filepath.Join(tsConfDir, "ssh_known_hosts")
-	want := genKnownHosts(st)
-	if cur, err := os.ReadFile(knownHostsFile); err != nil || !bytes.Equal(cur, want) {
-		if err := os.WriteFile(knownHostsFile, want, 0644); err != nil {
-			return "", err
-		}
-	}
-	return knownHostsFile, nil
-}
-
-func genKnownHosts(st *ipnstate.Status) []byte {
-	var buf bytes.Buffer
-	for _, k := range st.Peers() {
-		ps := st.Peer[k]
-		for _, hk := range ps.SSH_HostKeys {
-			hostKey := strings.TrimSpace(hk)
-			if strings.ContainsAny(hostKey, "\n\r") { // invalid
-				continue
-			}
-			fmt.Fprintf(&buf, "%s %s\n", ps.DNSName, hostKey)
-		}
-	}
-	return buf.Bytes()
-}
-
-// nodeDNSNameFromArg returns the PeerStatus.DNSName value from a peer
-// in st that matches the input arg which can be a base name, full
-// DNS name, or an IP.
-func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok bool) {
-	if arg == "" {
-		return
-	}
-	argIP, _ := netaddr.ParseIP(arg)
-	for _, ps := range st.Peer {
-		dnsName = ps.DNSName
-		if !argIP.IsZero() {
-			for _, ip := range ps.TailscaleIPs {
-				if ip == argIP {
-					return dnsName, true
-				}
-			}
-			continue
-		}
-		if strings.EqualFold(strings.TrimSuffix(arg, "."), strings.TrimSuffix(dnsName, ".")) {
-			return dnsName, true
-		}
-		if base, _, ok := strings.Cut(ps.DNSName, "."); ok && strings.EqualFold(base, arg) {
-			return dnsName, true
-		}
-	}
-	return "", false
-}
-
-// getSSHClientEnvVar returns the "SSH_CLIENT" environment variable
-// for the current process group, if any.
-var getSSHClientEnvVar = func() string {
-	return ""
-}
-
-// isSSHOverTailscale checks if the invocation is in a SSH session over Tailscale.
-// It is used to detect if the user is about to take an action that might result in them
-// disconnecting from the machine (e.g. disabling SSH)
-func isSSHOverTailscale() bool {
-	sshClient := getSSHClientEnvVar()
-	if sshClient == "" {
-		return false
-	}
-	ipStr, _, ok := strings.Cut(sshClient, " ")
-	if !ok {
-		return false
-	}
-	ip, err := netaddr.ParseIP(ipStr)
-	if err != nil {
-		return false
-	}
-	return tsaddr.IsTailscaleIP(ip)
-}
--- a/cmd/tailscale/cli/ssh_exec.go
+++ b/cmd/tailscale/cli/ssh_exec.go
@@ -1,26 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !js && !windows
-// +build !js,!windows
-
-package cli
-
-import (
-	"errors"
-	"os"
-	"os/exec"
-	"syscall"
-)
-
-func findSSH() (string, error) {
-	return exec.LookPath("ssh")
-}
-
-func execSSH(ssh string, argv []string) error {
-	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
-		return err
-	}
-	return errors.New("unreachable")
-}
--- a/Show More
+++ b/Show More