CI: try GitHub's Large runners

Signed-off-by: Denton Gentry <dgentry@tailscale.com>

.github/licenses.tmpl

@@ -0,0 +1,17 @@
+# Tailscale CLI and daemon dependencies
+
+The following open source dependencies are used to build the [tailscale][] and
+[tailscaled][] commands. These are primarily used on Linux and BSD variants as
+well as an [option for macOS][].
+
+[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
+[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
+[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
+
+## Go Packages
+
+Some packages may only be included on certain architectures or operating systems.
+
+{{ range . }}
+ - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
+{{- end }}

.github/workflows/cifuzz.yml

@@ -1,8 +1,15 @@
 name: CIFuzz
-on: [pull_request]
+on:
+  push:
+    branches: [ main, release-branch/* ]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   Fuzzing:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
     steps:
     - name: Build Fuzzers
       id: build
@@ -15,7 +22,7 @@ jobs:
       uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
       with:
         oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
+        fuzz-seconds: 900
         dry-run: false
         language: go
     - name: Upload Crash

.github/workflows/codeql-analysis.yml

@@ -20,10 +20,14 @@ on:
   schedule:
     - cron: '31 14 * * 5'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
     permissions:
       actions: read
       contents: read

.github/workflows/cross-android.yml

@@ -1,4 +1,4 @@
-name: staticcheck
+name: Android-Cross
 
 on:
   push:
@@ -8,51 +8,35 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
+      id: go
 
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Run go vet
-      run: go vet ./...
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: Run staticcheck (linux/amd64)
+    - name: Android smoke build
+      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
+      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
+      # some Android breakages early.
+      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
       env:
-        GOOS: linux
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (darwin/amd64)
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/amd64)
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/386)
-      env:
-        GOOS: windows
-        GOARCH: "386"
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+        GOOS: android
+        GOARCH: arm64
+      run: go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
 
     - uses: k0kubun/action-slack@v2.0.0
       with:

.github/workflows/cross-darwin.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: macOS build cmd
       env:
         GOOS: darwin

.github/workflows/cross-freebsd.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: FreeBSD build cmd
       env:
         GOOS: freebsd

.github/workflows/cross-openbsd.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: OpenBSD build cmd
       env:
         GOOS: openbsd

.github/workflows/cross-wasm.yml

@@ -8,28 +8,38 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: Wasm client build
       env:
         GOOS: js
         GOARCH: wasm
-      run: go build ./cmd/tsconnect/wasm
+      run: go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+
+    - name: tsconnect static build
+      # Use our custom Go toolchain, we set build tags (to control binary size)
+      # that depend on it.
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect build-pkg
 
     - uses: k0kubun/action-slack@v2.0.0
       with:

.github/workflows/cross-windows.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: Windows build cmd
       env:
         GOOS: windows

.github/workflows/depaware.yml

@@ -8,21 +8,25 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18
-
     - name: Check out code
       uses: actions/checkout@v3
 
-    - name: depaware tailscaled
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
 
-    - name: depaware tailscale
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+    - name: depaware
+      run: go run github.com/tailscale/depaware --check
+        tailscale.com/cmd/tailscaled
+        tailscale.com/cmd/tailscale
+        tailscale.com/cmd/derper

.github/workflows/go-licenses.yml

@@ -0,0 +1,64 @@
+name: go-licenses
+
+on:
+  # run action when a change lands in the main branch which updates go.mod or
+  # our license template file. Also allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/licenses.tmpl
+      - .github/workflows/go-licenses.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  tailscale:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Install go-licenses
+        run: |
+          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
+
+      - name: Run go-licenses
+        env:
+          # include all build tags to include platform-specific dependencies
+          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
+        run: |
+          [ -d licenses ] || mkdir licenses
+          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
+
+      - name: Get access token
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.LICENSING_APP_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: License Updater <noreply@tailscale.com>
+          committer: License Updater <noreply@tailscale.com>
+          branch: licenses/cli
+          commit-message: "licenses: update tailscale{,d} licenses"
+          title: "licenses: update tailscale{,d} licenses"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          team-reviewers: opensource-license-reviewers

.github/workflows/go_generate.yml

@@ -9,21 +9,25 @@ on:
     branches:
       - "*"
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   check:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.18
-
       - name: Check out code
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
       - name: check 'go generate' is clean
         run: |
           if [[ "${{github.ref}}" == release-branch/* ]]

.github/workflows/go_mod_tidy.yml

@@ -0,0 +1,35 @@
+name: go mod tidy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go mod tidy' is clean
+        run: |
+          go mod tidy
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)

.github/workflows/license.yml

@@ -8,18 +8,22 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
-
-    - name: Check out code
-      uses: actions/checkout@v3
+        go-version-file: go.mod
 
     - name: Run license checker
       run: ./scripts/check_license_headers.sh .

.github/workflows/linux-race.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: Basic build
       run: go build ./cmd/...
 

.github/workflows/linux.yml

@@ -8,32 +8,36 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: Basic build
       run: go build ./cmd/...
 
+    - name: Build variants
+      run: |
+        go install --tags=ts_include_cli ./cmd/tailscaled
+        go install --tags=ts_omit_aws ./cmd/tailscaled
+
     - name: Get QEMU
       run: |
-        # The qemu in Ubuntu 20.04 (Focal) is too old; we need 5.x something
-        # to run Go binaries. 5.2.0 (Debian bullseye) empirically works, and
-        # use this PPA which brings in a modern qemu.
-        sudo add-apt-repository -y ppa:jacob/virtualisation
         sudo apt-get -y update
         sudo apt-get -y install qemu-user
 

.github/workflows/linux32.yml

@@ -8,23 +8,26 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: github-4vcpu-ubuntu-2204
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
 
     - name: Set up Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18
+        go-version-file: go.mod
       id: go
 
-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
     - name: Basic build
       run: GOARCH=386 go build ./cmd/...
 

.github/workflows/static-analysis.yml

@@ -0,0 +1,112 @@
+name: static-analysis
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  gofmt:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+    - name: Run gofmt (goimports)
+      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  vet:
+    runs-on: github-4vcpu-ubuntu-2204
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Run go vet
+      run: go vet ./...
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  staticcheck:
+    runs-on: github-4vcpu-ubuntu-2204
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64]
+        include:
+          - goos: windows
+            goarch: 386
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/tsconnect-pkg-publish.yml

@@ -0,0 +1,30 @@
+name: "@tailscale/connect npm publish"
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16.x"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Build package
+        # Build with build_dist.sh to ensure that version information is embedded.
+        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
+        # also picks up our custom Go toolchain.
+        run: |
+          ./build_dist.sh tailscale.com/cmd/tsconnect
+          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
+
+      - name: Publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
+        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public

.github/workflows/vm.yml

@@ -5,6 +5,10 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   ubuntu2004-LTS-cloud-base:
     runs-on: [ self-hosted, linux, vm ]
@@ -15,13 +19,13 @@ jobs:
       - name: Set GOPATH
         run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
 
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
       - name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.18
-
-      - name: Checkout Code
-        uses: actions/checkout@v3
+          go-version-file: go.mod
 
       - name: Run VM tests
         run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004

.github/workflows/windows-race.yml

@@ -1,77 +0,0 @@
-name: Windows race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.18.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # The -race- here ensures that non-race builds and race builds do not
-        # overwrite each others cache, as while they share some files, they
-        # differ in most by volume (build cache).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}
-
-    - name: Print toolchain details
-      run: gcc -v
-
-    # There is currently an issue in the race detector in Go on Windows when
-    # used with a newer version of GCC.
-    # See https://github.com/tailscale/tailscale/issues/4926.
-    - name: Downgrade MinGW
-      shell: bash
-      run: |
-        choco install mingw --version 10.2.0 --allow-downgrade
-
-    - name: Test with -race flag
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -race -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-

.github/workflows/windows.yml

@@ -8,21 +8,24 @@ on:
     branches:
       - '*'
 
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
   test:
-    runs-on: windows-latest
+    runs-on: windows-8vcpu
 
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
 
     - name: Install Go
       uses: actions/setup-go@v3
       with:
-        go-version: 1.18.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
+        go-version-file: go.mod
 
     - name: Restore Cache
       uses: actions/cache@v3

Dockerfile

@@ -32,7 +32,7 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.18-alpine AS build-env
+FROM golang:1.19-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
@@ -72,3 +72,4 @@ FROM alpine:3.16
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 
 COPY --from=build-env /go/bin/* /usr/local/bin/
+COPY --from=build-env /go/src/tailscale/docs/k8s/run.sh /usr/local/bin/

Makefile

@@ -9,15 +9,19 @@ vet:
 	./tool/go vet ./...
 
 tidy:
-	./tool/go mod tidy -compat=1.17
+	./tool/go mod tidy
 
 updatedeps:
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --update \
+		tailscale.com/cmd/tailscaled \
+		tailscale.com/cmd/tailscale \
+		tailscale.com/cmd/derper
 
 depaware:
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --check \
+		tailscale.com/cmd/tailscaled \
+		tailscale.com/cmd/tailscale \
+		tailscale.com/cmd/derper
 
 buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
@@ -28,10 +32,13 @@ build386:
 buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
 
+buildwasm:
+	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+
 buildmultiarchimage:
 	./build_docker.sh
 
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm
 
 staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

README.md

@@ -43,10 +43,7 @@ If your distro has conventions that preclude the use of
 `build_dist.sh`, please do the equivalent of what it does in your
 distro's way, so that bug reports contain useful version information.
 
-We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.18) in module mode. It might
-work in earlier Go versions or in GOPATH mode, but we're making no
-effort to keep those working.
+We require the latest Go release, currently Go 1.19.
 
 ## Bugs
 

VERSION.txt

@@ -1 +1 @@
-1.29.0
+1.31.0

api.md

@@ -1120,7 +1120,7 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 `searchPaths` - A list of searchpaths in JSON.
 ```
 {
-  "searchPaths: ["user1.example.com", "user2.example.com"]
+  "searchPaths": ["user1.example.com", "user2.example.com"]
 }
 ```
 

atomicfile/atomicfile.go

@@ -9,16 +9,15 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
 // WriteFile writes data to filename+some suffix, then renames it
-// into filename.
+// into filename. The perm argument is ignored on Windows.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}

build_dist.sh

@@ -45,4 +45,25 @@ EOF
 	exit 0
 fi
 
-exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+tags=""
+ldflags="-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}"
+
+# build_dist.sh arguments must precede go build arguments.
+while [ "$#" -gt 1 ]; do
+	case "$1" in
+	--extra-small)
+		shift
+		ldflags="$ldflags -w -s"
+		tags="${tags:+$tags,}ts_omit_aws"
+		;;
+	--box)
+		shift
+		tags="${tags:+$tags,}ts_include_cli"
+		;;
+	*)
+		break
+		;;
+	esac
+done
+
+exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"

chirp/chirp.go

@@ -11,15 +11,31 @@ import (
 	"fmt"
 	"net"
 	"strings"
+	"time"
+)
+
+const (
+	// Maximum amount of time we should wait when reading a response from BIRD.
+	responseTimeout = 10 * time.Second
 )
 
 // New creates a BIRDClient.
 func New(socket string) (*BIRDClient, error) {
+	return newWithTimeout(socket, responseTimeout)
+}
+
+func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
+	b := &BIRDClient{
+		socket:  socket,
+		conn:    conn,
+		scanner: bufio.NewScanner(conn),
+		timeNow: time.Now,
+		timeout: timeout,
+	}
 	// Read and discard the first line as that is the welcome message.
 	if _, err := b.readResponse(); err != nil {
 		return nil, err
@@ -32,6 +48,8 @@ type BIRDClient struct {
 	socket  string
 	conn    net.Conn
 	scanner *bufio.Scanner
+	timeNow func() time.Time
+	timeout time.Duration
 }
 
 // Close closes the underlying connection to BIRD.
@@ -81,10 +99,15 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 // 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
 
 func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
+	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
-	fmt.Fprintln(b.conn)
+	if _, err := fmt.Fprintln(b.conn); err != nil {
+		return "", err
+	}
 	return b.readResponse()
 }
 
@@ -105,14 +128,20 @@ func hasResponseCode(s []byte) bool {
 }
 
 func (b *BIRDClient) readResponse() (string, error) {
+	// Set the read timeout before we start reading anything.
+	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
+
 	var resp strings.Builder
 	var done bool
 	for !done {
 		if !b.scanner.Scan() {
-			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
-		}
-		if err := b.scanner.Err(); err != nil {
-			return "", err
+			if err := b.scanner.Err(); err != nil {
+				return "", err
+			}
+
+			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
 		}
 		out := b.scanner.Bytes()
 		if _, err := resp.Write(out); err != nil {

chirp/chirp_test.go

@@ -8,9 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
+	"time"
 )
 
 type fakeBIRD struct {
@@ -109,3 +112,82 @@ func TestChirp(t *testing.T) {
 		t.Fatalf("disabling %q succeded", "rando")
 	}
 }
+
+type hangingListener struct {
+	net.Listener
+	t    *testing.T
+	done chan struct{}
+	wg   sync.WaitGroup
+	sock string
+}
+
+func newHangingListener(t *testing.T) *hangingListener {
+	sock := filepath.Join(t.TempDir(), "sock")
+	l, err := net.Listen("unix", sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &hangingListener{
+		Listener: l,
+		t:        t,
+		done:     make(chan struct{}),
+		sock:     sock,
+	}
+}
+
+func (hl *hangingListener) Stop() {
+	hl.Close()
+	close(hl.done)
+	hl.wg.Wait()
+}
+
+func (hl *hangingListener) listen() error {
+	for {
+		c, err := hl.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return err
+		}
+		hl.wg.Add(1)
+		go hl.handle(c)
+	}
+}
+
+func (hl *hangingListener) handle(c net.Conn) {
+	defer hl.wg.Done()
+
+	// Write our fake first line of response so that we get into the read loop
+	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
+
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			hl.t.Logf("connection still hanging")
+		case <-hl.done:
+			return
+		}
+	}
+}
+
+func TestChirpTimeout(t *testing.T) {
+	fb := newHangingListener(t)
+	defer fb.Stop()
+	go fb.listen()
+
+	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = c.EnableProtocol("tailscale")
+	if err == nil {
+		t.Fatal("got err=nil, want timeout")
+	}
+	if !os.IsTimeout(err) {
+		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
+	}
+}

client/tailscale/acl.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 
@@ -13,8 +13,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-
-	"inet.af/netaddr"
+	"net/netip"
 )
 
 // ACLRow defines a rule that grants access by a set of users or groups to a set
@@ -354,7 +353,7 @@ func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (r
 // Returns ACLPreview on success with matches in a slice. If there are no matches,
 // the call is still successful but Matches will be an empty slice.
 // Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
+func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
 	// Format return errors to be descriptive.
 	defer func() {
 		if err != nil {

client/tailscale/devices.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 

client/tailscale/dns.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 

client/tailscale/localclient.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 
@@ -15,10 +15,10 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"net/http/httptrace"
+	"net/netip"
 	"net/url"
 	"os/exec"
 	"runtime"
@@ -28,7 +28,6 @@ import (
 	"time"
 
 	"go4.org/mem"
-	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -36,6 +35,7 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
 )
 
 // defaultLocalClient is the default LocalClient when using the legacy
@@ -136,7 +136,7 @@ func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Respons
 			onVersionMismatch(ipn.IPCVersion(), server)
 		}
 		if res.StatusCode == 403 {
-			all, _ := ioutil.ReadAll(res.Body)
+			all, _ := io.ReadAll(res.Body)
 			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
 		}
 		return res, nil
@@ -206,7 +206,7 @@ func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus
 		return nil, err
 	}
 	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
+	slurp, err := io.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -364,7 +364,7 @@ func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc
 		return nil, 0, fmt.Errorf("unexpected chunking")
 	}
 	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
+		body, _ := io.ReadAll(res.Body)
 		res.Body.Close()
 		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
 	}
@@ -665,7 +665,7 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str
 
 // Ping sends a ping of the provided type to the provided IP and waits
 // for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
 	v.Set("type", string(pingtype))
@@ -680,6 +680,42 @@ func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg
 	return pr, nil
 }
 
+// NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
+func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
+	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+// NetworkLockInit initializes the tailnet key authority.
+func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type initRequest struct {
+		Keys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/init", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //

client/tailscale/required_version.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !go1.18
-// +build !go1.18
+//go:build !go1.19
+// +build !go1.19
 
 package tailscale
 
 func init() {
-	you_need_Go_1_18_to_compile_Tailscale()
+	you_need_Go_1_19_to_compile_Tailscale()
 }

client/tailscale/routes.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 
@@ -13,15 +13,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-
-	"inet.af/netaddr"
+	"net/netip"
 )
 
 // Routes contains the lists of subnet routes that are currently advertised by a device,
 // as well as the subnets that are enabled to be routed by the device.
 type Routes struct {
-	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
+	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
 }
 
 // Routes retrieves the list of subnet routes that have been enabled for a device.
@@ -56,14 +55,14 @@ func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, e
 }
 
 type postRoutesParams struct {
-	Routes []netaddr.IPPrefix `json:"routes"`
+	Routes []netip.Prefix `json:"routes"`
 }
 
 // SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
+// Subnets must be parsable by net/netip.ParsePrefix.
 // Subnets do not have to be currently advertised by a device, they may be pre-enabled.
 // Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("tailscale.SetRoutes: %w", err)

client/tailscale/tailnet.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package tailscale
 

client/tailscale/tailscale.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 // Package tailscale contains Go clients for the Tailscale Local API and
 // Tailscale control plane API.
@@ -17,7 +17,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 )
 
@@ -131,7 +130,7 @@ func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error)
 
 	// Read response. Limit the response to 10MB.
 	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := ioutil.ReadAll(body)
+	b, err := io.ReadAll(body)
 	if len(b) > maxReadSize {
 		err = errors.New("API response too large")
 	}

cmd/cloner/cloner.go

@@ -153,18 +153,25 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 			}
 			writef("}")
 		case *types.Map:
+			elem := ft.Elem()
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
-			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
+			if sliceType, isSlice := elem.(*types.Slice); isSlice {
 				n := it.QualifiedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
 				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
 				writef("\t}")
-			} else if codegen.ContainsPointers(ft.Elem()) {
+			} else if codegen.ContainsPointers(elem) {
 				writef("\tfor k, v := range src.%s {", fname)
-				writef("\t\tdst.%s[k] = v.Clone()", fname)
+				switch elem.(type) {
+				case *types.Pointer:
+					writef("\t\tdst.%s[k] = v.Clone()", fname)
+				default:
+					writef("\t\tv2 := v.Clone()")
+					writef("\t\tdst.%s[k] = *v2", fname)
+				}
 				writef("\t}")
 			} else {
 				writef("\tfor k, v := range src.%s {", fname)

cmd/derper/bootstrap_dns.go

@@ -12,20 +12,36 @@ import (
 	"net"
 	"net/http"
 	"strings"
-	"sync/atomic"
 	"time"
+
+	"tailscale.com/syncs"
 )
 
-var dnsCache atomic.Value // of []byte
+const refreshTimeout = time.Minute
 
-var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
+type dnsEntryMap map[string][]net.IP
+
+var (
+	dnsCache            syncs.AtomicValue[dnsEntryMap]
+	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
+	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
+)
+
+var (
+	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
+	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
+	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
+	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
+	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
+)
 
 func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" {
+	if *bootstrapDNS == "" && *unpublishedDNS == "" {
 		return
 	}
 	for {
 		refreshBootstrapDNS()
+		refreshUnpublishedDNS()
 		time.Sleep(10 * time.Minute)
 	}
 }
@@ -34,10 +50,34 @@ func refreshBootstrapDNS() {
 	if *bootstrapDNS == "" {
 		return
 	}
-	dnsEntries := make(map[string][]net.IP)
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
 	defer cancel()
-	names := strings.Split(*bootstrapDNS, ",")
+	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
+	j, err := json.MarshalIndent(dnsEntries, "", "\t")
+	if err != nil {
+		// leave the old values in place
+		return
+	}
+
+	dnsCache.Store(dnsEntries)
+	dnsCacheBytes.Store(j)
+}
+
+func refreshUnpublishedDNS() {
+	if *unpublishedDNS == "" {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
+	defer cancel()
+
+	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
+	unpublishedDNSCache.Store(dnsEntries)
+}
+
+func resolveList(ctx context.Context, names []string) dnsEntryMap {
+	dnsEntries := make(dnsEntryMap)
+
 	var r net.Resolver
 	for _, name := range names {
 		addrs, err := r.LookupIP(ctx, "ip", name)
@@ -47,21 +87,47 @@ func refreshBootstrapDNS() {
 		}
 		dnsEntries[name] = addrs
 	}
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-	dnsCache.Store(j)
+	return dnsEntries
 }
 
 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
+
 	w.Header().Set("Content-Type", "application/json")
-	j, _ := dnsCache.Load().([]byte)
-	// Bootstrap DNS requests occur cross-regions,
-	// and are randomized per request,
-	// so keeping a connection open is pointlessly expensive.
+	// Bootstrap DNS requests occur cross-regions, and are randomized per
+	// request, so keeping a connection open is pointlessly expensive.
 	w.Header().Set("Connection", "close")
+
+	// Try answering a query from our hidden map first
+	if q := r.URL.Query().Get("q"); q != "" {
+		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
+			unpublishedDNSHits.Add(1)
+
+			// Only return the specific query, not everything.
+			m := dnsEntryMap{q: ips}
+			j, err := json.MarshalIndent(m, "", "\t")
+			if err == nil {
+				w.Write(j)
+				return
+			}
+		}
+
+		// If we have a "q" query for a name in the published cache
+		// list, then track whether that's a hit/miss.
+		if m, ok := dnsCache.Load()[q]; ok {
+			if len(m) > 0 {
+				publishedDNSHits.Add(1)
+			} else {
+				publishedDNSMisses.Add(1)
+			}
+		} else {
+			// If it wasn't in either cache, treat this as a query
+			// for the unpublished cache, and thus a cache miss.
+			unpublishedDNSMisses.Add(1)
+		}
+	}
+
+	// Fall back to returning the public set of cached DNS names
+	j := dnsCacheBytes.Load()
 	w.Write(j)
 }

cmd/derper/bootstrap_dns_test.go

@@ -5,7 +5,12 @@
 package main
 
 import (
+	"encoding/json"
+	"net"
 	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"reflect"
 	"testing"
 )
 
@@ -17,11 +22,12 @@ func BenchmarkHandleBootstrapDNS(b *testing.B) {
 	}()
 	refreshBootstrapDNS()
 	w := new(bitbucketResponseWriter)
+	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
 	b.ReportAllocs()
 	b.ResetTimer()
 	b.RunParallel(func(b *testing.PB) {
 		for b.Next() {
-			handleBootstrapDNS(w, nil)
+			handleBootstrapDNS(w, req)
 		}
 	})
 }
@@ -33,3 +39,116 @@ func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header
 func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }
 
 func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
+
+func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
+	t.Helper()
+	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
+	w := httptest.NewRecorder()
+	handleBootstrapDNS(w, req)
+
+	res := w.Result()
+	if res.StatusCode != 200 {
+		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
+	}
+	var ips dnsEntryMap
+	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
+		t.Fatalf("error decoding response body: %v", err)
+	}
+	return ips
+}
+
+func TestUnpublishedDNS(t *testing.T) {
+	const published = "login.tailscale.com"
+	const unpublished = "log.tailscale.io"
+
+	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
+	*bootstrapDNS = published
+	*unpublishedDNS = unpublished
+	t.Cleanup(func() {
+		*bootstrapDNS = prev1
+		*unpublishedDNS = prev2
+	})
+
+	refreshBootstrapDNS()
+	refreshUnpublishedDNS()
+
+	hasResponse := func(q string) bool {
+		_, found := getBootstrapDNS(t, q)[q]
+		return found
+	}
+
+	if !hasResponse(published) {
+		t.Errorf("expected response for: %s", published)
+	}
+	if !hasResponse(unpublished) {
+		t.Errorf("expected response for: %s", unpublished)
+	}
+
+	// Verify that querying for a random query or a real query does not
+	// leak our unpublished domain
+	m1 := getBootstrapDNS(t, published)
+	if _, found := m1[unpublished]; found {
+		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
+	}
+	m2 := getBootstrapDNS(t, "random.example.com")
+	if _, found := m2[unpublished]; found {
+		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
+	}
+}
+
+func resetMetrics() {
+	publishedDNSHits.Set(0)
+	publishedDNSMisses.Set(0)
+	unpublishedDNSHits.Set(0)
+	unpublishedDNSMisses.Set(0)
+}
+
+// Verify that we don't count an empty list in the unpublishedDNSCache as a
+// cache hit in our metrics.
+func TestUnpublishedDNSEmptyList(t *testing.T) {
+	pub := dnsEntryMap{
+		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
+	}
+	dnsCache.Store(pub)
+	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
+
+	unpublishedDNSCache.Store(dnsEntryMap{
+		"log.tailscale.io":           {},
+		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
+	})
+
+	t.Run("CacheMiss", func(t *testing.T) {
+		// One domain in map but empty, one not in map at all
+		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
+			resetMetrics()
+			ips := getBootstrapDNS(t, q)
+
+			// Expected our public map to be returned on a cache miss
+			if !reflect.DeepEqual(ips, pub) {
+				t.Errorf("got ips=%+v; want %+v", ips, pub)
+			}
+			if v := unpublishedDNSHits.Value(); v != 0 {
+				t.Errorf("got hits=%d; want 0", v)
+			}
+			if v := unpublishedDNSMisses.Value(); v != 1 {
+				t.Errorf("got misses=%d; want 1", v)
+			}
+		}
+	})
+
+	// Verify that we do get a valid response and metric.
+	t.Run("CacheHit", func(t *testing.T) {
+		resetMetrics()
+		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
+		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
+		if !reflect.DeepEqual(ips, want) {
+			t.Errorf("got ips=%+v; want %+v", ips, want)
+		}
+		if v := unpublishedDNSHits.Value(); v != 1 {
+			t.Errorf("got hits=%d; want 1", v)
+		}
+		if v := unpublishedDNSMisses.Value(); v != 0 {
+			t.Errorf("got misses=%d; want 0", v)
+		}
+	})
+}

cmd/derper/cert.go

@@ -20,6 +20,11 @@ var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
 
 type certProvider interface {
 	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
+	//
+	// The returned Config must have a GetCertificate function set and that
+	// function must return a unique *tls.Certificate for each call. The
+	// returned *tls.Certificate will be mutated by the caller to append to the
+	// (*tls.Certificate).Certificate field.
 	TLSConfig() *tls.Config
 	// HTTPHandler handle ACME related request, if any.
 	HTTPHandler(fallback http.Handler) http.Handler
@@ -87,7 +92,13 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 	if hi.ServerName != m.hostname {
 		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}
-	return m.cert, nil
+
+	// Return a shallow copy of the cert so the caller can append to its
+	// Certificate field.
+	certCopy := new(tls.Certificate)
+	*certCopy = *m.cert
+	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
+	return certCopy, nil
 }
 
 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {

cmd/derper/depaware.txt

@@ -0,0 +1,197 @@
+tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depaware)
+
+        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
+        filippo.io/edwards25519/field                                from filippo.io/edwards25519
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
+   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+        go4.org/netipx                                               from tailscale.com/wgengine/filter
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
+        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+        tailscale.com                                                from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
+        tailscale.com/client/tailscale                               from tailscale.com/derp
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
+        tailscale.com/derp                                           from tailscale.com/cmd/derper+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
+        tailscale.com/disco                                          from tailscale.com/derp
+        tailscale.com/envknob                                        from tailscale.com/derp+
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
+     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
+        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
+        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
+        tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
+        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/paths                                          from tailscale.com/client/tailscale
+        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
+        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
+        tailscale.com/types/empty                                    from tailscale.com/ipn
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
+        tailscale.com/types/netmap                                   from tailscale.com/ipn
+        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/pad32                                    from tailscale.com/derp
+        tailscale.com/types/persist                                  from tailscale.com/ipn
+        tailscale.com/types/preftype                                 from tailscale.com/ipn
+        tailscale.com/types/structs                                  from tailscale.com/ipn+
+        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
+        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
+        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
+   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
+        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
+        tailscale.com/version                                        from tailscale.com/derp+
+        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
+        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
+        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
+        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
+        golang.org/x/crypto/argon2                                   from tailscale.com/tka
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net+
+        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from internal/profile+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from golang.org/x/crypto/acme+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        embed                                                        from crypto/internal/nistec+
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from tailscale.com/tka
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/cmd/derper+
+        flag                                                         from tailscale.com/cmd/derper
+        fmt                                                          from compress/flate+
+        hash                                                         from crypto+
+        hash/crc32                                                   from compress/gzip+
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from net/http/pprof+
+        io                                                           from bufio+
+        io/fs                                                        from crypto/x509+
+        io/ioutil                                                    from github.com/mitchellh/go-ps+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from mime/multipart+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from net/http+
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/tsweb
+        net/netip                                                    from go4.org/netipx+
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        path                                                         from golang.org/x/crypto/acme/autocert+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from internal/profile+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from golang.org/x/crypto/acme+
+        runtime/pprof                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from crypto/x509+
+        unicode/utf8                                                 from bufio+

cmd/derper/derper.go

@@ -14,22 +14,22 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"math"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
+	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
-	"tailscale.com/logpolicy"
 	"tailscale.com/metrics"
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
@@ -37,21 +37,22 @@ import (
 )
 
 var (
-	dev           = flag.Bool("dev", false, "run in localhost development mode")
-	addr          = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
-	httpPort      = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort      = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath    = flag.String("c", "", "config file path")
-	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
-	runSTUN       = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+	dev        = flag.Bool("dev", false, "run in localhost development mode")
+	addr       = flag.String("a", ":443", "server HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces.")
+	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
+	configPath = flag.String("c", "", "config file path")
+	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
+	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
+	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
 
-	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS  = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
+	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
+	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
+	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
+	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 
 	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
 	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
@@ -97,7 +98,7 @@ func loadConfig() config {
 		}
 		log.Printf("no config path specified; using %s", *configPath)
 	}
-	b, err := ioutil.ReadFile(*configPath)
+	b, err := os.ReadFile(*configPath)
 	switch {
 	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
@@ -135,7 +136,6 @@ func main() {
 	flag.Parse()
 
 	if *dev {
-		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
@@ -146,12 +146,6 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}
 
-	var logPol *logpolicy.Policy
-	if *logCollection != "" {
-		logPol = logpolicy.New(*logCollection)
-		log.SetOutput(logPol.Logtail)
-	}
-
 	cfg := loadConfig()
 
 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -160,7 +154,7 @@ func main() {
 	s.SetVerifyClient(*verifyClients)
 
 	if *meshPSKFile != "" {
-		b, err := ioutil.ReadFile(*meshPSKFile)
+		b, err := os.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -177,9 +171,15 @@ func main() {
 	expvar.Publish("derp", s.ExpVar())
 
 	mux := http.NewServeMux()
-	derpHandler := derphttp.Handler(s)
-	derpHandler = addWebSocketSupport(s, derpHandler)
-	mux.Handle("/derp", derpHandler)
+	if *runDERP {
+		derpHandler := derphttp.Handler(s)
+		derpHandler = addWebSocketSupport(s, derpHandler)
+		mux.Handle("/derp", derpHandler)
+	} else {
+		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			http.Error(w, "derp server disabled", http.StatusNotFound)
+		}))
+	}
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
 	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
@@ -195,10 +195,17 @@ func main() {
   server.
 </p>
 `)
+		if !*runDERP {
+			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
+		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
+	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		io.WriteString(w, "User-agent: *\nDisallow: /\n")
+	}))
+	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
 	debug := tsweb.Debugger(mux)
 	debug.KV("TLS hostname", *hostname)
 	debug.KV("Mesh key", s.HasMeshKey())
@@ -216,9 +223,11 @@ func main() {
 		go serveSTUN(listenHost, *stunPort)
 	}
 
+	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:    *addr,
-		Handler: mux,
+		Addr:     *addr,
+		Handler:  mux,
+		ErrorLog: quietLogger,
 
 		// Set read/write timeout. For derper, this basically
 		// only affects TLS setup, as read/write deadlines are
@@ -284,9 +293,13 @@ func main() {
 		})
 		if *httpPort > -1 {
 			go func() {
+				port80mux := http.NewServeMux()
+				port80mux.HandleFunc("/generate_204", serveNoContent)
+				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 				port80srv := &http.Server{
 					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
+					Handler:     port80mux,
+					ErrorLog:    quietLogger,
 					ReadTimeout: 30 * time.Second,
 					// Crank up WriteTimeout a bit more than usually
 					// necessary just so we can do long CPU profiles
@@ -312,6 +325,11 @@ func main() {
 	}
 }
 
+// For captive portal detection
+func serveNoContent(w http.ResponseWriter, r *http.Request) {
+	w.WriteHeader(http.StatusNoContent)
+}
+
 // probeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
 func probeHandler(w http.ResponseWriter, r *http.Request) {
@@ -365,7 +383,8 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 		} else {
 			stunIPv6.Add(1)
 		}
-		res := stun.Response(txid, ua.IP, uint16(ua.Port))
+		addr, _ := netip.AddrFromSlice(ua.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
 		_, err = pc.WriteTo(res, ua)
 		if err != nil {
 			stunWriteError.Add(1)
@@ -456,3 +475,22 @@ func (l *rateLimitedListener) Accept() (net.Conn, error) {
 	l.numAccepts.Add(1)
 	return cn, nil
 }
+
+// logFilter is used to filter out useless error logs that are logged to
+// the net/http.Server.ErrorLog logger.
+type logFilter struct{}
+
+func (logFilter) Write(p []byte) (int, error) {
+	b := mem.B(p)
+	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
+		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
+		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
+		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
+		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
+		// Skip this log message, but say that we processed it
+		return len(p), nil
+	}
+
+	log.Printf("%s", p)
+	return len(p), nil
+}

cmd/derper/websocket.go

@@ -33,6 +33,12 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
 			Subprotocols:   []string{"derp"},
 			OriginPatterns: []string{"*"},
+			// Disable compression because we transmit WireGuard messages that
+			// are not compressible.
+			// Additionally, Safari has a broken implementation of compression
+			// (see https://github.com/nhooyr/websocket/issues/218) that makes
+			// enabling it actively harmful.
+			CompressionMode: websocket.CompressionDisabled,
 		})
 		if err != nil {
 			log.Printf("websocket.Accept: %v", err)

cmd/derpprobe/derpprobe.go

@@ -360,7 +360,7 @@ func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (la
 				time.Sleep(100 * time.Millisecond)
 				continue
 			}
-			txBack, _, _, err := stun.ParseResponse(buf[:n])
+			txBack, _, err := stun.ParseResponse(buf[:n])
 			if err != nil {
 				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
 			}

cmd/gitops-pusher/.gitignore

@@ -0,0 +1 @@
+version-cache.json

cmd/gitops-pusher/cache.go

@@ -0,0 +1,67 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"encoding/json"
+	"os"
+)
+
+// Cache contains cached information about the last time this tool was run.
+//
+// This is serialized to a JSON file that should NOT be checked into git.
+// It should be managed with either CI cache tools or stored locally somehow. The
+// exact mechanism is irrelevant as long as it is consistent.
+//
+// This allows gitops-pusher to detect external ACL changes. I'm not sure what to
+// call this problem, so I've been calling it the "three version problem" in my
+// notes. The basic problem is that at any given time we only have two versions
+// of the ACL file at any given point. In order to check if there has been
+// tampering of the ACL files in the admin panel, we need to have a _third_ version
+// to compare against.
+//
+// In this case I am not storing the old ACL entirely (though that could be a
+// reasonable thing to add in the future), but only its sha256sum. This allows
+// us to detect if the shasum in control matches the shasum we expect, and if that
+// expectation fails, then we can react accordingly.
+type Cache struct {
+	PrevETag string // Stores the previous ETag of the ACL to allow
+}
+
+// Save persists the cache to a given file.
+func (c *Cache) Save(fname string) error {
+	os.Remove(fname)
+	fout, err := os.Create(fname)
+	if err != nil {
+		return err
+	}
+	defer fout.Close()
+
+	return json.NewEncoder(fout).Encode(c)
+}
+
+// LoadCache loads the cache from a given file.
+func LoadCache(fname string) (*Cache, error) {
+	var result Cache
+
+	fin, err := os.Open(fname)
+	if err != nil {
+		return nil, err
+	}
+	defer fin.Close()
+
+	err = json.NewDecoder(fin).Decode(&result)
+	if err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}
+
+// Shuck removes the first and last character of a string, analogous to
+// shucking off the husk of an ear of corn.
+func Shuck(s string) string {
+	return s[1 : len(s)-1]
+}

cmd/gitops-pusher/gitops-pusher.go

@@ -8,6 +8,7 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/json"
@@ -15,7 +16,6 @@ import (
 	"fmt"
 	"log"
 	"net/http"
-	"net/http/httputil"
 	"os"
 	"regexp"
 	"strings"
@@ -28,11 +28,20 @@ import (
 var (
 	rootFlagSet  = flag.NewFlagSet("gitops-pusher", flag.ExitOnError)
 	policyFname  = rootFlagSet.String("policy-file", "./policy.hujson", "filename for policy file")
+	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
 	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
 	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
 )
 
-func apply(tailnet, apiKey string) func(context.Context, []string) error {
+func modifiedExternallyError() {
+	if *githubSyntax {
+		fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
+	} else {
+		fmt.Printf("The policy file was modified externally in the admin console.\n")
+	}
+}
+
+func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
 		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
@@ -44,10 +53,21 @@ func apply(tailnet, apiKey string) func(context.Context, []string) error {
 			return err
 		}
 
+		if cache.PrevETag == "" {
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = localEtag
+		}
+
 		log.Printf("control: %s", controlEtag)
 		log.Printf("local:   %s", localEtag)
+		log.Printf("cache:   %s", cache.PrevETag)
+
+		if cache.PrevETag != controlEtag {
+			modifiedExternallyError()
+		}
 
 		if controlEtag == localEtag {
+			cache.PrevETag = localEtag
 			log.Println("no update needed, doing nothing")
 			return nil
 		}
@@ -56,11 +76,13 @@ func apply(tailnet, apiKey string) func(context.Context, []string) error {
 			return err
 		}
 
+		cache.PrevETag = localEtag
+
 		return nil
 	}
 }
 
-func test(tailnet, apiKey string) func(context.Context, []string) error {
+func test(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
 		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
@@ -72,8 +94,18 @@ func test(tailnet, apiKey string) func(context.Context, []string) error {
 			return err
 		}
 
+		if cache.PrevETag == "" {
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = localEtag
+		}
+
 		log.Printf("control: %s", controlEtag)
 		log.Printf("local:   %s", localEtag)
+		log.Printf("cache:   %s", cache.PrevETag)
+
+		if cache.PrevETag != controlEtag {
+			modifiedExternallyError()
+		}
 
 		if controlEtag == localEtag {
 			log.Println("no updates found, doing nothing")
@@ -87,7 +119,7 @@ func test(tailnet, apiKey string) func(context.Context, []string) error {
 	}
 }
 
-func getChecksums(tailnet, apiKey string) func(context.Context, []string) error {
+func getChecksums(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
 	return func(ctx context.Context, args []string) error {
 		controlEtag, err := getACLETag(ctx, tailnet, apiKey)
 		if err != nil {
@@ -99,8 +131,14 @@ func getChecksums(tailnet, apiKey string) func(context.Context, []string) error
 			return err
 		}
 
+		if cache.PrevETag == "" {
+			log.Println("no previous etag found, assuming local file is correct and recording that")
+			cache.PrevETag = Shuck(localEtag)
+		}
+
 		log.Printf("control: %s", controlEtag)
 		log.Printf("local:   %s", localEtag)
+		log.Printf("cache:   %s", cache.PrevETag)
 
 		return nil
 	}
@@ -115,13 +153,22 @@ func main() {
 	if !ok {
 		log.Fatal("set envvar TS_API_KEY to your Tailscale API key")
 	}
+	cache, err := LoadCache(*cacheFname)
+	if err != nil {
+		if os.IsNotExist(err) {
+			cache = &Cache{}
+		} else {
+			log.Fatalf("error loading cache: %v", err)
+		}
+	}
+	defer cache.Save(*cacheFname)
 
 	applyCmd := &ffcli.Command{
 		Name:       "apply",
 		ShortUsage: "gitops-pusher [options] apply",
 		ShortHelp:  "Pushes changes to CONTROL",
 		LongHelp:   `Pushes changes to CONTROL`,
-		Exec:       apply(tailnet, apiKey),
+		Exec:       apply(cache, tailnet, apiKey),
 	}
 
 	testCmd := &ffcli.Command{
@@ -129,7 +176,7 @@ func main() {
 		ShortUsage: "gitops-pusher [options] test",
 		ShortHelp:  "Tests ACL changes",
 		LongHelp:   "Tests ACL changes",
-		Exec:       test(tailnet, apiKey),
+		Exec:       test(cache, tailnet, apiKey),
 	}
 
 	cksumCmd := &ffcli.Command{
@@ -137,7 +184,7 @@ func main() {
 		ShortUsage: "Shows checksums of ACL files",
 		ShortHelp:  "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
 		LongHelp:   "Fetch checksum of CONTROL's ACL and the local ACL for comparison",
-		Exec:       getChecksums(tailnet, apiKey),
+		Exec:       getChecksums(cache, tailnet, apiKey),
 	}
 
 	root := &ffcli.Command{
@@ -177,7 +224,7 @@ func sumFile(fname string) (string, error) {
 		return "", err
 	}
 
-	return fmt.Sprintf("\"%x\"", h.Sum(nil)), nil
+	return fmt.Sprintf("%x", h.Sum(nil)), nil
 }
 
 func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag string) error {
@@ -194,7 +241,7 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 
 	req.SetBasicAuth(apiKey, "")
 	req.Header.Set("Content-Type", "application/hujson")
-	req.Header.Set("If-Match", oldEtag)
+	req.Header.Set("If-Match", `"`+oldEtag+`"`)
 
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
@@ -218,13 +265,16 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 }
 
 func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	fin, err := os.Open(policyFname)
+	data, err := os.ReadFile(policyFname)
+	if err != nil {
+		return err
+	}
+	data, err = hujson.Standardize(data)
 	if err != nil {
 		return err
 	}
-	defer fin.Close()
 
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
@@ -251,15 +301,13 @@ func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		data, _ := httputil.DumpResponse(resp, true)
-		os.Stderr.Write(data)
 		return fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
 	return nil
 }
 
-var lineColMessageSplit = regexp.MustCompile(`^line ([0-9]+), column ([0-9]+): (.*)$`)
+var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.*)$`)
 
 type ACLTestError struct {
 	Message string               `json:"message"`
@@ -318,5 +366,5 @@ func getACLETag(ctx context.Context, tailnet, apiKey string) (string, error) {
 		return "", fmt.Errorf("wanted HTTP status code %d but got %d", want, got)
 	}
 
-	return resp.Header.Get("ETag"), nil
+	return Shuck(resp.Header.Get("ETag")), nil
 }

cmd/hello/hello.go

@@ -13,7 +13,6 @@ import (
 	"errors"
 	"flag"
 	"html/template"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -106,7 +105,7 @@ func devMode() bool { return *httpsAddr == "" && *httpAddr != "" }
 
 func getTmpl() (*template.Template, error) {
 	if devMode() {
-		tmplData, err := ioutil.ReadFile("hello.tmpl.html")
+		tmplData, err := os.ReadFile("hello.tmpl.html")
 		if os.IsNotExist(err) {
 			log.Printf("using baked-in template in dev mode; can't find hello.tmpl.html in current directory")
 			return tmpl, nil
@@ -135,13 +134,13 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 		return ""
 	}
 	for _, nodeIP := range who.Node.Addresses {
-		if nodeIP.IP().Is4() && nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+		if nodeIP.Addr().Is4() && nodeIP.IsSingleIP() {
+			return nodeIP.Addr().String()
 		}
 	}
 	for _, nodeIP := range who.Node.Addresses {
 		if nodeIP.IsSingleIP() {
-			return nodeIP.IP().String()
+			return nodeIP.Addr().String()
 		}
 	}
 	return ""

cmd/nginx-auth/nginx-auth.go

@@ -63,17 +63,19 @@ func main() {
 			return
 		}
 
-		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
-		}
-		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
+		// tailnet of connected node. When accessing shared nodes, this
+		// will be empty because the tailnet of the sharee is not exposed.
+		var tailnet string
+
+		if !info.Node.Hostinfo.ShareeNode() {
+			var ok bool
+			_, tailnet, ok = strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+			if !ok {
+				w.WriteHeader(http.StatusUnauthorized)
+				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+				return
+			}
+			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
 		}
 
 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -14,14 +14,14 @@
 //
 // Use this Grafana configuration to enable the auth proxy:
 //
-//     [auth.proxy]
-//     enabled = true
-//     header_name = X-WEBAUTH-USER
-//     header_property = username
-//     auto_sign_up = true
-//     whitelist = 127.0.0.1
-//     headers = Name:X-WEBAUTH-NAME
-//     enable_login_token = true
+//	[auth.proxy]
+//	enabled = true
+//	header_name = X-WEBAUTH-USER
+//	header_property = username
+//	auto_sign_up = true
+//	whitelist = 127.0.0.1
+//	headers = Name:X-WEBAUTH-NAME
+//	enable_login_token = true
 package main
 
 import (

cmd/speedtest/speedtest.go

@@ -110,11 +110,12 @@ func runSpeedtest(ctx context.Context, args []string) error {
 	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
 	fmt.Println("Results:")
 	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
+	startTime := results[0].IntervalStart
 	for _, r := range results {
 		if r.Total {
 			fmt.Fprintln(w, "-------------------------------------------------------------------------")
 		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
+		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Sub(startTime).Seconds(), r.IntervalEnd.Sub(startTime).Seconds(), r.MegaBits(), r.MBitsPerSecond())
 	}
 	w.Flush()
 	return nil

cmd/tailscale/cli/cert.go

@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),

cmd/tailscale/cli/cli.go

@@ -29,7 +29,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/syncs"
 	"tailscale.com/version/distro"
 )
 
@@ -170,6 +169,8 @@ change in the future.
 			fileCmd,
 			bugReportCmd,
 			certCmd,
+			netlockCmd,
+			licensesCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -230,8 +231,6 @@ var rootArgs struct {
 	socket string
 }
 
-var gotSignal syncs.AtomicBool
-
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
 	c, err := safesocket.Connect(s)
@@ -257,7 +256,6 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
 			return
 		}
-		gotSignal.Set(true)
 		c.Close()
 		cancel()
 	}()

cmd/tailscale/cli/cli_test.go

@@ -9,13 +9,13 @@ import (
 	"encoding/json"
 	"flag"
 	"fmt"
+	"net/netip"
 	"reflect"
 	"strings"
 	"testing"
 
 	qt "github.com/frankban/quicktest"
 	"github.com/google/go-cmp/cmp"
-	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tstest"
@@ -56,7 +56,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		flags    []string // argv to be parsed by FlagSet
 		curPrefs *ipn.Prefs
 
-		curExitNodeIP netaddr.IP
+		curExitNodeIP netip.Addr
 		curUser       string // os.Getenv("USER") on the client side
 		goos          string // empty means "linux"
 		distro        distro.Distro
@@ -152,10 +152,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("10.0.42.0/24"),
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=10.0.42.0/24 --advertise-exit-node",
@@ -168,10 +168,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("10.0.42.0/24"),
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
 				},
 			},
 			want: "",
@@ -184,10 +184,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.42.0/24"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("10.0.42.0/24"),
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
 				},
 			},
 			want: "",
@@ -212,8 +212,8 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
 
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -226,10 +226,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
+					netip.MustParsePrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -255,16 +255,16 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
+				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("10.0.0.0/16"),
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -280,14 +280,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				ControlURL:       ipn.DefaultControlURL,
 				RouteAll:         true,
 				AllowSingleHosts: false,
-				ExitNodeIP:       netaddr.MustParseIP("100.64.5.6"),
+				ExitNodeIP:       netip.MustParseAddr("100.64.5.6"),
 				CorpDNS:          false,
 				ShieldsUp:        true,
 				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
 				Hostname:         "myhostname",
 				ForceDaemon:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("10.0.0.0/16"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("10.0.0.0/16"),
 				},
 				NetfilterMode: preftype.NetfilterNoDivert,
 				OperatorUser:  "alice",
@@ -344,10 +344,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
+					netip.MustParsePrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --operator=expbits --advertise-exit-node --advertise-routes=1.2.0.0/16",
@@ -360,10 +360,10 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
-					netaddr.MustParseIPPrefix("1.2.0.0/16"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
+					netip.MustParsePrefix("1.2.0.0/16"),
 				},
 			},
 			want: accidentalUpPrefix + " --advertise-routes=1.2.0.0/16 --operator=expbits --advertise-exit-node",
@@ -391,14 +391,14 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
 
-				ExitNodeIP: netaddr.MustParseIP("100.64.5.4"),
+				ExitNodeIP: netip.MustParseAddr("100.64.5.4"),
 			},
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.4",
 		},
 		{
 			name:          "error_exit_node_omit_with_id_pref",
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.64.5.7"),
+			curExitNodeIP: netip.MustParseAddr("100.64.5.7"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -412,7 +412,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		{
 			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
-			curExitNodeIP: netaddr.MustParseIP("100.2.3.4"),
+			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
 				ControlURL:       ipn.DefaultControlURL,
 				AllowSingleHosts: true,
@@ -562,9 +562,9 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				WantRunning:      true,
 				AllowSingleHosts: true,
 				CorpDNS:          true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("0.0.0.0/0"),
-					netaddr.MustParseIPPrefix("::/0"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("0.0.0.0/0"),
+					netip.MustParsePrefix("::/0"),
 				},
 				NetfilterMode: preftype.NetfilterOn,
 			},
@@ -631,7 +631,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				exitNodeIP: "100.105.106.107",
 			},
 			st: &ipnstate.Status{
-				TailscaleIPs: []netaddr.IP{netaddr.MustParseIP("100.105.106.107")},
+				TailscaleIPs: []netip.Addr{netip.MustParseAddr("100.105.106.107")},
 			},
 			wantErr: `cannot use 100.105.106.107 as an exit node as it is a local IP address to this machine; did you mean --advertise-exit-node?`,
 		},
@@ -671,8 +671,8 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			want: &ipn.Prefs{
 				WantRunning: true,
 				NoSNAT:      true,
-				AdvertiseRoutes: []netaddr.IPPrefix{
-					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
+				AdvertiseRoutes: []netip.Prefix{
+					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
 				},
 			},
 		},
@@ -762,6 +762,9 @@ func TestPrefFlagMapping(t *testing.T) {
 		case "NotepadURLs":
 			// TODO(bradfitz): https://github.com/tailscale/tailscale/issues/1830
 			continue
+		case "Egg":
+			// Not applicable.
+			continue
 		}
 		t.Errorf("unexpected new ipn.Pref field %q is not handled by up.go (see addPrefFlagMapping and checkForAccidentalSettingReverts)", prefName)
 	}
@@ -786,6 +789,10 @@ func TestUpdatePrefs(t *testing.T) {
 		curPrefs *ipn.Prefs
 		env      upCheckEnv // empty goos means "linux"
 
+		// sshOverTailscale specifies if the cmd being run over SSH over Tailscale.
+		// It is used to test the --accept-risks flag.
+		sshOverTailscale bool
+
 		// checkUpdatePrefsMutations, if non-nil, is run with the new prefs after
 		// updatePrefs might've mutated them (from applyImplicitPrefs).
 		checkUpdatePrefsMutations func(t *testing.T, newPrefs *ipn.Prefs)
@@ -913,15 +920,159 @@ func TestUpdatePrefs(t *testing.T) {
 				}
 			},
 		},
+		{
+			name:  "enable_ssh",
+			flags: []string{"--ssh"},
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				NetfilterMode:    preftype.NetfilterOn,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if !newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to true")
+				}
+			},
+			env: upCheckEnv{backendState: "Running"},
+		},
+		{
+			name:  "disable_ssh",
+			flags: []string{"--ssh=false"},
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				RunSSH:           true,
+				NetfilterMode:    preftype.NetfilterOn,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to false")
+				}
+			},
+			env: upCheckEnv{backendState: "Running", upArgs: upArgsT{
+				runSSH: true,
+			}},
+		},
+		{
+			name:             "disable_ssh_over_ssh_no_risk",
+			flags:            []string{"--ssh=false"},
+			sshOverTailscale: true,
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				NetfilterMode:    preftype.NetfilterOn,
+				RunSSH:           true,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if !newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to true")
+				}
+			},
+			env:          upCheckEnv{backendState: "Running"},
+			wantErrSubtr: "aborted, no changes made",
+		},
+		{
+			name:             "enable_ssh_over_ssh_no_risk",
+			flags:            []string{"--ssh=true"},
+			sshOverTailscale: true,
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				NetfilterMode:    preftype.NetfilterOn,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if !newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to true")
+				}
+			},
+			env:          upCheckEnv{backendState: "Running"},
+			wantErrSubtr: "aborted, no changes made",
+		},
+		{
+			name:             "enable_ssh_over_ssh",
+			flags:            []string{"--ssh=true", "--accept-risk=lose-ssh"},
+			sshOverTailscale: true,
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				NetfilterMode:    preftype.NetfilterOn,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if !newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to true")
+				}
+			},
+			env: upCheckEnv{backendState: "Running"},
+		},
+		{
+			name:             "disable_ssh_over_ssh",
+			flags:            []string{"--ssh=false", "--accept-risk=lose-ssh"},
+			sshOverTailscale: true,
+			curPrefs: &ipn.Prefs{
+				ControlURL:       "https://login.tailscale.com",
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
+				AllowSingleHosts: true,
+				CorpDNS:          true,
+				RunSSH:           true,
+				NetfilterMode:    preftype.NetfilterOn,
+			},
+			wantJustEditMP: &ipn.MaskedPrefs{
+				RunSSHSet:      true,
+				WantRunningSet: true,
+			},
+			checkUpdatePrefsMutations: func(t *testing.T, newPrefs *ipn.Prefs) {
+				if newPrefs.RunSSH {
+					t.Errorf("RunSSH not set to false")
+				}
+			},
+			env: upCheckEnv{backendState: "Running"},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.sshOverTailscale {
+				old := getSSHClientEnvVar
+				getSSHClientEnvVar = func() string { return "100.100.100.100 1 1" }
+				t.Cleanup(func() { getSSHClientEnvVar = old })
+			}
 			if tt.env.goos == "" {
 				tt.env.goos = "linux"
 			}
 			tt.env.flagSet = newUpFlagSet(tt.env.goos, &tt.env.upArgs)
 			flags := CleanUpArgs(tt.flags)
-			tt.env.flagSet.Parse(flags)
+			if err := tt.env.flagSet.Parse(flags); err != nil {
+				t.Fatal(err)
+			}
 
 			newPrefs, err := prefsFromUpArgs(tt.env.upArgs, t.Logf, new(ipnstate.Status), tt.env.goos)
 			if err != nil {
@@ -936,6 +1087,8 @@ func TestUpdatePrefs(t *testing.T) {
 					return
 				}
 				t.Fatal(err)
+			} else if tt.wantErrSubtr != "" {
+				t.Fatalf("want error %q, got nil", tt.wantErrSubtr)
 			}
 			if tt.checkUpdatePrefsMutations != nil {
 				tt.checkUpdatePrefsMutations(t, newPrefs)
@@ -949,14 +1102,19 @@ func TestUpdatePrefs(t *testing.T) {
 				justEditMP.Prefs = ipn.Prefs{} // uninteresting
 			}
 			if !reflect.DeepEqual(justEditMP, tt.wantJustEditMP) {
-				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was %+v", oldEditPrefs)
+				t.Logf("justEditMP != wantJustEditMP; following diff omits the Prefs field, which was \n%v", asJSON(oldEditPrefs))
 				t.Fatalf("justEditMP: %v\n\n: ", cmp.Diff(justEditMP, tt.wantJustEditMP, cmpIP))
 			}
 		})
 	}
 }
 
-var cmpIP = cmp.Comparer(func(a, b netaddr.IP) bool {
+func asJSON(v any) string {
+	b, _ := json.MarshalIndent(v, "", "\t")
+	return string(b)
+}
+
+var cmpIP = cmp.Comparer(func(a, b netip.Addr) bool {
 	return a == b
 })
 

cmd/tailscale/cli/configure-host.go

@@ -48,11 +48,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	osVer := hostinfo.GetOSVersion()
-	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
-	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
+	hi:= hostinfo.New()
+	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
+	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
 	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", osVer)
+		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
 	}
 	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
 		if err := os.MkdirAll("/dev/net", 0755); err != nil {
@@ -62,11 +62,14 @@ func runConfigureHost(ctx context.Context, args []string) error {
 			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
 		}
 	}
+	if err := os.Chmod("/dev/net", 0755); err != nil {
+		return err
+	}
 	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
 		return err
 	}
 	if isDSM6 {
-		fmt.Printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
+		printf("/dev/net/tun exists and has permissions 0666. Skipping setcap on DSM6.\n")
 		return nil
 	}
 
@@ -80,6 +83,6 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if out, err := exec.Command("/bin/setcap", "cap_net_admin,cap_net_raw+eip", daemonBin).CombinedOutput(); err != nil {
 		return fmt.Errorf("setcap: %v, %s", err, out)
 	}
-	fmt.Printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
+	printf("Done. To restart Tailscale to use the new permissions, run:\n\n  sudo synosystemctl restart pkgctl-Tailscale.service\n\n")
 	return nil
 }

cmd/tailscale/cli/debug.go

@@ -17,6 +17,7 @@ import (
 	"log"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -24,7 +25,6 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/control/controlhttp"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -308,18 +308,18 @@ func runStat(ctx context.Context, args []string) error {
 	for _, a := range args {
 		fi, err := os.Lstat(a)
 		if err != nil {
-			fmt.Printf("%s: %v\n", a, err)
+			printf("%s: %v\n", a, err)
 			continue
 		}
-		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
+		printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
 		if fi.IsDir() {
 			ents, _ := os.ReadDir(a)
 			for i, ent := range ents {
 				if i == 25 {
-					fmt.Printf("  ...\n")
+					printf("  ...\n")
 					break
 				}
-				fmt.Printf("  - %s\n", ent.Name())
+				printf("  - %s\n", ent.Name())
 			}
 		}
 	}
@@ -404,23 +404,23 @@ func runVia(ctx context.Context, args []string) error {
 	default:
 		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
 	case 1:
-		ipp, err := netaddr.ParseIPPrefix(args[0])
+		ipp, err := netip.ParsePrefix(args[0])
 		if err != nil {
 			return err
 		}
-		if !ipp.IP().Is6() {
+		if !ipp.Addr().Is6() {
 			return errors.New("with one argument, expect an IPv6 CIDR")
 		}
-		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
+		if !tsaddr.TailscaleViaRange().Contains(ipp.Addr()) {
 			return errors.New("not a via route")
 		}
 		if ipp.Bits() < 96 {
 			return errors.New("short length, want /96 or more")
 		}
-		v4 := tsaddr.UnmapVia(ipp.IP())
-		a := ipp.IP().As16()
+		v4 := tsaddr.UnmapVia(ipp.Addr())
+		a := ipp.Addr().As16()
 		siteID := binary.BigEndian.Uint32(a[8:12])
-		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
+		printf("site %v (0x%x), %v\n", siteID, siteID, netip.PrefixFrom(v4, ipp.Bits()-96))
 	case 2:
 		siteID, err := strconv.ParseUint(args[0], 0, 32)
 		if err != nil {
@@ -429,7 +429,7 @@ func runVia(ctx context.Context, args []string) error {
 		if siteID > 0xff {
 			return fmt.Errorf("site-id values over 255 are currently reserved")
 		}
-		ipp, err := netaddr.ParseIPPrefix(args[1])
+		ipp, err := netip.ParsePrefix(args[1])
 		if err != nil {
 			return err
 		}
@@ -437,7 +437,7 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return err
 		}
-		fmt.Println(via)
+		outln(via)
 	}
 	return nil
 }
@@ -489,7 +489,15 @@ func runTS2021(ctx context.Context, args []string) error {
 		return c, err
 	}
 
-	conn, err := controlhttp.Dial(ctx, net.JoinHostPort(ts2021Args.host, "80"), machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
+	conn, err := (&controlhttp.Dialer{
+		Hostname:        ts2021Args.host,
+		HTTPPort:        "80",
+		HTTPSPort:       "443",
+		MachineKey:      machinePrivate,
+		ControlKey:      keys.PublicKey,
+		ProtocolVersion: uint16(ts2021Args.version),
+		Dialer:          dialFunc,
+	}).Dial(ctx)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
 		return err

cmd/tailscale/cli/down.go

@@ -22,9 +22,13 @@ var downCmd = &ffcli.Command{
 	FlagSet: newDownFlagSet(),
 }
 
+var downArgs struct {
+	acceptedRisks string
+}
+
 func newDownFlagSet() *flag.FlagSet {
 	downf := newFlagSet("down")
-	registerAcceptRiskFlag(downf)
+	registerAcceptRiskFlag(downf, &downArgs.acceptedRisks)
 	return downf
 }
 
@@ -34,7 +38,7 @@ func runDown(ctx context.Context, args []string) error {
 	}
 
 	if isSSHOverTailscale() {
-		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
+		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`, downArgs.acceptedRisks); err != nil {
 			return err
 		}
 	}

cmd/tailscale/cli/file.go

@@ -14,6 +14,7 @@ import (
 	"log"
 	"mime"
 	"net/http"
+	"net/netip"
 	"os"
 	"path"
 	"path/filepath"
@@ -23,7 +24,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
-	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -85,7 +85,7 @@ func runCp(ctx context.Context, args []string) error {
 		hadBrackets = true
 		target = strings.TrimSuffix(strings.TrimPrefix(target, "["), "]")
 	}
-	if ip, err := netaddr.ParseIP(target); err == nil && ip.Is6() && !hadBrackets {
+	if ip, err := netip.ParseAddr(target); err == nil && ip.Is6() && !hadBrackets {
 		return fmt.Errorf("an IPv6 literal must be written as [%s]", ip)
 	} else if hadBrackets && (err != nil || !ip.Is6()) {
 		return errors.New("unexpected brackets around target")
@@ -168,7 +168,7 @@ func runCp(ctx context.Context, args []string) error {
 }
 
 func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNodeID, isOffline bool, err error) {
-	ip, err := netaddr.ParseIP(ipStr)
+	ip, err := netip.ParseAddr(ipStr)
 	if err != nil {
 		return "", false, err
 	}
@@ -179,7 +179,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	for _, ft := range fts {
 		n := ft.Node
 		for _, a := range n.Addresses {
-			if a.IP() != ip {
+			if a.Addr() != ip {
 				continue
 			}
 			isOffline = n.Online != nil && !*n.Online
@@ -191,7 +191,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 
 // fileTargetErrorDetail returns a non-nil error saying why ip is an
 // invalid file sharing target.
-func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
+func fileTargetErrorDetail(ctx context.Context, ip netip.Addr) error {
 	found := false
 	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
@@ -281,7 +281,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 		if detail != "" {
 			detail = "\t" + detail
 		}
-		printf("%s\t%s%s\n", n.Addresses[0].IP(), n.ComputedName, detail)
+		printf("%s\t%s%s\n", n.Addresses[0].Addr(), n.ComputedName, detail)
 	}
 	return nil
 }

cmd/tailscale/cli/id-token.go

@@ -7,7 +7,6 @@ package cli
 import (
 	"context"
 	"errors"
-	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 )
@@ -29,6 +28,6 @@ func runIDToken(ctx context.Context, args []string) error {
 		return err
 	}
 
-	fmt.Println(tr.IDToken)
+	outln(tr.IDToken)
 	return nil
 }

cmd/tailscale/cli/ip.go

@@ -9,9 +9,9 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"net/netip"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 )
 
@@ -100,7 +100,7 @@ func runIP(ctx context.Context, args []string) error {
 }
 
 func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus, ok bool) {
-	ip, err := netaddr.ParseIP(ipStr)
+	ip, err := netip.ParseAddr(ipStr)
 	if err != nil {
 		return
 	}

cmd/tailscale/cli/licenses.go

@@ -0,0 +1,45 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+var licensesCmd = &ffcli.Command{
+	Name:       "licenses",
+	ShortUsage: "licenses",
+	ShortHelp:  "Get open source license information",
+	LongHelp:   "Get open source license information",
+	Exec:       runLicenses,
+}
+
+// licensesURL returns the absolute URL containing open source license information for the current platform.
+func licensesURL() string {
+	switch runtime.GOOS {
+	case "android":
+		return "https://tailscale.com/licenses/android"
+	case "darwin", "ios":
+		return "https://tailscale.com/licenses/apple"
+	case "windows":
+		return "https://tailscale.com/licenses/windows"
+	default:
+		return "https://tailscale.com/licenses/tailscale"
+	}
+}
+
+func runLicenses(ctx context.Context, args []string) error {
+	licenses := licensesURL()
+	outln(`
+Tailscale wouldn't be possible without the contributions of thousands of open
+source developers. To see the open source packages included in Tailscale and
+their respective license information, visit:
+
+    ` + licenses)
+	return nil
+}

cmd/tailscale/cli/netcheck.go

@@ -10,7 +10,6 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"sort"
@@ -134,6 +133,9 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)
 	printf("\t* PortMapping: %v\n", portMapping(report))
+	if report.CaptivePortal != "" {
+		printf("\t* CaptivePortal: %v\n", report.CaptivePortal)
+	}
 
 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that
@@ -202,7 +204,7 @@ func prodDERPMap(ctx context.Context, httpc *http.Client) (*tailcfg.DERPMap, err
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("fetch prodDERPMap failed: %w", err)
 	}

cmd/tailscale/cli/network-lock.go

@@ -0,0 +1,101 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+)
+
+var netlockCmd = &ffcli.Command{
+	Name:        "lock",
+	ShortUsage:  "lock <sub-command> <arguments>",
+	ShortHelp:   "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
+	Exec:        runNetworkLockStatus,
+}
+
+var nlInitCmd = &ffcli.Command{
+	Name:       "init",
+	ShortUsage: "init <public-key>...",
+	ShortHelp:  "Initialize the tailnet key authority",
+	Exec:       runNetworkLockInit,
+}
+
+func runNetworkLockInit(ctx context.Context, args []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		return errors.New("network-lock is already enabled")
+	}
+
+	// Parse the set of initially-trusted keys.
+	// Keys are specified using their key.NLPublic.MarshalText representation,
+	// with an optional '?<votes>' suffix.
+	var keys []tka.Key
+	for i, a := range args {
+		var key key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
+			return fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: key.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+
+	status, err := localClient.NetworkLockInit(ctx, keys)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Status: %+v\n\n", status)
+	return nil
+}
+
+var nlStatusCmd = &ffcli.Command{
+	Name:       "status",
+	ShortUsage: "status",
+	ShortHelp:  "Outputs the state of network lock",
+	Exec:       runNetworkLockStatus,
+}
+
+func runNetworkLockStatus(ctx context.Context, args []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		fmt.Println("Network-lock is ENABLED.")
+	} else {
+		fmt.Println("Network-lock is NOT enabled.")
+	}
+	p, err := st.PublicKey.MarshalText()
+	if err != nil {
+		return err
+	}
+	fmt.Printf("our public-key: %s\n", p)
+	return nil
+}

cmd/tailscale/cli/ping.go

@@ -11,12 +11,12 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"net/netip"
 	"os"
 	"strings"
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )
@@ -116,7 +116,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
+		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {

cmd/tailscale/cli/risks.go

@@ -16,9 +16,8 @@ import (
 )
 
 var (
-	riskTypes     []string
-	acceptedRisks string
-	riskLoseSSH   = registerRiskType("lose-ssh")
+	riskTypes   []string
+	riskLoseSSH = registerRiskType("lose-ssh")
 )
 
 func registerRiskType(riskType string) string {
@@ -28,12 +27,13 @@ func registerRiskType(riskType string) string {
 
 // registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
 // in presentRiskToUser.
-func registerAcceptRiskFlag(f *flag.FlagSet) {
-	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
+func registerAcceptRiskFlag(f *flag.FlagSet, acceptedRisks *string) {
+	f.StringVar(acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
 }
 
-// riskAccepted reports whether riskType is in acceptedRisks.
-func riskAccepted(riskType string) bool {
+// isRiskAccepted reports whether riskType is in the comma-separated list of
+// risks in acceptedRisks.
+func isRiskAccepted(riskType, acceptedRisks string) bool {
 	for _, r := range strings.Split(acceptedRisks, ",") {
 		if r == riskType {
 			return true
@@ -49,14 +49,18 @@ var errAborted = errors.New("aborted, no changes made")
 // It is used by the presentRiskToUser function below.
 const riskAbortTimeSeconds = 5
 
-// presentRiskToUser displays the risk message and waits for the user to
-// cancel. It returns errorAborted if the user aborts.
-func presentRiskToUser(riskType, riskMessage string) error {
-	if riskAccepted(riskType) {
+// presentRiskToUser displays the risk message and waits for the user to cancel.
+// It returns errorAborted if the user aborts. In tests it returns errAborted
+// immediately unless the risk has been explicitly accepted.
+func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
+	if isRiskAccepted(riskType, acceptedRisks) {
 		return nil
 	}
-	fmt.Println(riskMessage)
-	fmt.Printf("To skip this warning, use --accept-risk=%s\n", riskType)
+	if inTest() {
+		return errAborted
+	}
+	outln(riskMessage)
+	printf("To skip this warning, use --accept-risk=%s\n", riskType)
 
 	interrupt := make(chan os.Signal, 1)
 	signal.Notify(interrupt, syscall.SIGINT)
@@ -64,15 +68,15 @@ func presentRiskToUser(riskType, riskMessage string) error {
 	for left := riskAbortTimeSeconds; left > 0; left-- {
 		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
 		msgLen = len(msg)
-		fmt.Print(msg)
+		printf(msg)
 		select {
 		case <-interrupt:
-			fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen+1))
+			printf("\r%s\r", strings.Repeat("x", msgLen+1))
 			return errAborted
 		case <-time.After(time.Second):
 			continue
 		}
 	}
-	fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen))
+	printf("\r%s\r", strings.Repeat(" ", msgLen))
 	return errAborted
 }

cmd/tailscale/cli/ssh.go

@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net/netip"
 	"os"
 	"os/user"
 	"path/filepath"
@@ -17,7 +18,6 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -163,10 +163,10 @@ func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok boo
 	if arg == "" {
 		return
 	}
-	argIP, _ := netaddr.ParseIP(arg)
+	argIP, _ := netip.ParseAddr(arg)
 	for _, ps := range st.Peer {
 		dnsName = ps.DNSName
-		if !argIP.IsZero() {
+		if argIP.IsValid() {
 			for _, ip := range ps.TailscaleIPs {
 				if ip == argIP {
 					return dnsName, true
@@ -202,7 +202,7 @@ func isSSHOverTailscale() bool {
 	if !ok {
 		return false
 	}
-	ip, err := netaddr.ParseIP(ipStr)
+	ip, err := netip.ParseAddr(ipStr)
 	if err != nil {
 		return false
 	}

cmd/tailscale/cli/status.go

@@ -13,12 +13,12 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
-	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -260,7 +260,7 @@ func ownerLogin(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	return u.LoginName
 }
 
-func firstIPString(v []netaddr.IP) string {
+func firstIPString(v []netip.Addr) string {
 	if len(v) == 0 {
 		return ""
 	}

cmd/tailscale/cli/up.go

@@ -13,6 +13,7 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net/netip"
 	"os"
 	"reflect"
 	"runtime"
@@ -24,7 +25,6 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
-	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -116,7 +116,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
 	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
-	registerAcceptRiskFlag(upf)
+	registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	return upf
 }
 
@@ -150,6 +150,7 @@ type upArgsT struct {
 	opUser                 string
 	json                   bool
 	timeout                time.Duration
+	acceptedRisks          string
 }
 
 func (a upArgsT) getAuthKey() (string, error) {
@@ -178,15 +179,16 @@ var upArgs upArgsT
 // JSON block will be output. The AuthURL and QR fields will not be present, the
 // BackendState and Error fields will give the result of the authentication.
 // Ex:
-// {
-//    "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
-//    "QR": "data:image/png;base64,0123...cdef"
-//    "BackendState": "NeedsLogin"
-// }
-// {
-//    "BackendState": "Running"
-// }
 //
+//	{
+//	   "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
+//	   "QR": "data:image/png;base64,0123...cdef"
+//	   "BackendState": "NeedsLogin"
+//	}
+//
+//	{
+//	   "BackendState": "Running"
+//	}
 type upOutputJSON struct {
 	AuthURL      string `json:",omitempty"` // Authentication URL of the form https://login.tailscale.com/a/0123456789
 	QR           string `json:",omitempty"` // a DataURL (base64) PNG of a QR code AuthURL
@@ -199,18 +201,18 @@ func warnf(format string, args ...any) {
 }
 
 var (
-	ipv4default = netaddr.MustParseIPPrefix("0.0.0.0/0")
-	ipv6default = netaddr.MustParseIPPrefix("::/0")
+	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
+	ipv6default = netip.MustParsePrefix("::/0")
 )
 
-func validateViaPrefix(ipp netaddr.IPPrefix) error {
+func validateViaPrefix(ipp netip.Prefix) error {
 	if !tsaddr.IsViaPrefix(ipp) {
 		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
 	}
 	if ipp.Bits() < (128 - 32) {
 		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
 	}
-	a := ipp.IP().As16()
+	a := ipp.Addr().As16()
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
@@ -223,13 +225,13 @@ func validateViaPrefix(ipp netaddr.IPPrefix) error {
 	return nil
 }
 
-func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
-	routeMap := map[netaddr.IPPrefix]bool{}
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
+	routeMap := map[netip.Prefix]bool{}
 	if advertiseRoutes != "" {
 		var default4, default6 bool
 		advroutes := strings.Split(advertiseRoutes, ",")
 		for _, s := range advroutes {
-			ipp, err := netaddr.ParseIPPrefix(s)
+			ipp, err := netip.ParsePrefix(s)
 			if err != nil {
 				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
 			}
@@ -251,14 +253,14 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if default4 && !default6 {
 			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
 		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
+			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
 	if advertiseDefaultRoute {
-		routeMap[netaddr.MustParseIPPrefix("0.0.0.0/0")] = true
-		routeMap[netaddr.MustParseIPPrefix("::/0")] = true
+		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
+		routeMap[netip.MustParsePrefix("::/0")] = true
 	}
-	routes := make([]netaddr.IPPrefix, 0, len(routeMap))
+	routes := make([]netip.Prefix, 0, len(routeMap))
 	for r := range routeMap {
 		routes = append(routes, r)
 	}
@@ -266,7 +268,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if routes[i].Bits() != routes[j].Bits() {
 			return routes[i].Bits() < routes[j].Bits()
 		}
-		return routes[i].IP().Less(routes[j].IP())
+		return routes[i].Addr().Less(routes[j].Addr())
 	})
 	return routes, nil
 }
@@ -375,6 +377,20 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 		return false, nil, fmt.Errorf("can't change --login-server without --force-reauth")
 	}
 
+	// Do this after validations to avoid the 5s delay if we're going to error
+	// out anyway.
+	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
+	if wantSSH != haveSSH && isSSHOverTailscale() {
+		if wantSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`, env.upArgs.acceptedRisks)
+		}
+		if err != nil {
+			return false, nil, err
+		}
+	}
+
 	tagsChanged := !reflect.DeepEqual(curPrefs.AdvertiseTags, prefs.AdvertiseTags)
 
 	simpleUp = env.flagSet.NFlag() == 0 &&
@@ -405,8 +421,12 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 }
 
 func runUp(ctx context.Context, args []string) (retErr error) {
+	var egg bool
 	if len(args) > 0 {
-		fatalf("too many non-flag arguments: %q", args)
+		egg = fmt.Sprint(args) == "[up down down left right left right b a]"
+		if !egg {
+			fatalf("too many non-flag arguments: %q", args)
+		}
 	}
 
 	st, err := localClient.Status(ctx)
@@ -470,17 +490,6 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}
 
-	if upArgs.runSSH != curPrefs.RunSSH && isSSHOverTailscale() {
-		if upArgs.runSSH {
-			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`)
-		} else {
-			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`)
-		}
-		if err != nil {
-			return err
-		}
-	}
-
 	defer func() {
 		if retErr == nil {
 			checkSSHUpWarnings(ctx)
@@ -492,6 +501,7 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
+		justEditMP.EggSet = true
 		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
@@ -570,9 +580,9 @@ func runUp(ctx context.Context, args []string) (retErr error) {
 
 				data, err := json.MarshalIndent(js, "", "\t")
 				if err != nil {
-					log.Printf("upOutputJSON marshalling error: %v", err)
+					printf("upOutputJSON marshalling error: %v", err)
 				} else {
-					fmt.Println(string(data))
+					outln(string(data))
 				}
 			} else {
 				fmt.Fprintf(Stderr, "\nTo authenticate, visit:\n\n\t%s\n\n", *url)
@@ -710,7 +720,7 @@ func printUpDoneJSON(state ipn.State, errorString string) {
 	if err != nil {
 		log.Printf("printUpDoneJSON marshalling error: %v", err)
 	} else {
-		fmt.Println(string(data))
+		outln(string(data))
 	}
 }
 
@@ -790,7 +800,7 @@ type upCheckEnv struct {
 	flagSet       *flag.FlagSet
 	upArgs        upArgsT
 	backendState  string
-	curExitNodeIP netaddr.IP
+	curExitNodeIP netip.Addr
 	distro        distro.Distro
 }
 
@@ -913,10 +923,10 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]any) {
 	ret := make(map[string]any)
 
 	exitNodeIPStr := func() string {
-		if !prefs.ExitNodeIP.IsZero() {
+		if prefs.ExitNodeIP.IsValid() {
 			return prefs.ExitNodeIP.String()
 		}
-		if prefs.ExitNodeID.IsZero() || env.curExitNodeIP.IsZero() {
+		if prefs.ExitNodeID.IsZero() || !env.curExitNodeIP.IsValid() {
 			return ""
 		}
 		return env.curExitNodeIP.String()
@@ -991,13 +1001,13 @@ func fmtFlagValueArg(flagName string, val any) string {
 	return fmt.Sprintf("--%s=%v", flagName, shellquote.Join(fmt.Sprint(val)))
 }
 
-func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
+func hasExitNodeRoutes(rr []netip.Prefix) bool {
 	var v4, v6 bool
 	for _, r := range rr {
 		if r.Bits() == 0 {
-			if r.IP().Is4() {
+			if r.Addr().Is4() {
 				v4 = true
-			} else if r.IP().Is6() {
+			} else if r.Addr().Is6() {
 				v6 = true
 			}
 		}
@@ -1008,11 +1018,11 @@ func hasExitNodeRoutes(rr []netaddr.IPPrefix) bool {
 // withoutExitNodes returns rr unchanged if it has only 1 or 0 /0
 // routes. If it has both IPv4 and IPv6 /0 routes, then it returns
 // a copy with all /0 routes removed.
-func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
+func withoutExitNodes(rr []netip.Prefix) []netip.Prefix {
 	if !hasExitNodeRoutes(rr) {
 		return rr
 	}
-	var out []netaddr.IPPrefix
+	var out []netip.Prefix
 	for _, r := range rr {
 		if r.Bits() > 0 {
 			out = append(out, r)
@@ -1023,11 +1033,11 @@ func withoutExitNodes(rr []netaddr.IPPrefix) []netaddr.IPPrefix {
 
 // exitNodeIP returns the exit node IP from p, using st to map
 // it from its ID form to an IP address if needed.
-func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netaddr.IP) {
+func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
 	if p == nil {
 		return
 	}
-	if !p.ExitNodeIP.IsZero() {
+	if p.ExitNodeIP.IsValid() {
 		return p.ExitNodeIP
 	}
 	id := p.ExitNodeID

cmd/tailscale/cli/web.go

@@ -15,11 +15,11 @@ import (
 	"fmt"
 	"html/template"
 	"io"
-	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
+	"net/netip"
 	"net/url"
 	"os"
 	"os/exec"
@@ -27,7 +27,6 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -59,6 +58,7 @@ type tmplData struct {
 	IP                string
 	AdvertiseExitNode bool
 	AdvertiseRoutes   string
+	LicensesURL       string
 }
 
 var webCmd = &ffcli.Command{
@@ -253,7 +253,7 @@ func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
 		return "", nil, err
 	}
 	defer resp.Body.Close()
-	out, err := ioutil.ReadAll(resp.Body)
+	out, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return "", nil, err
 	}
@@ -392,9 +392,10 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		Profile:      profile,
 		Status:       st.BackendState,
 		DeviceName:   deviceName,
+		LicensesURL:  licensesURL(),
 	}
-	exitNodeRouteV4 := netaddr.MustParseIPPrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netaddr.MustParseIPPrefix("::/0")
+	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
 	for _, r := range prefs.AdvertiseRoutes {
 		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
 			data.AdvertiseExitNode = true

cmd/tailscale/cli/web.html

@@ -11,7 +11,7 @@
 </head>
 
 <body class="py-14">
-<main class="container max-w-lg mx-auto py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
+<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
 	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
 		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
 			class="flex-shrink-0 mr-4">
@@ -100,6 +100,9 @@
 	</div>
 	{{ end }}
 </main>
+<footer class="container max-w-lg mx-auto text-center">
+	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
+</footer>
 <script>(function () {
 const advertiseExitNode = {{.AdvertiseExitNode}};
 let fetchingUrl = false;

cmd/tailscale/depaware.txt

@@ -1,9 +1,13 @@
 tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
 
+        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
+        filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
@@ -26,11 +30,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
         github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-     💣 go4.org/intern                                               from inet.af/netaddr
+        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
+        go4.org/netipx                                               from tailscale.com/wgengine/filter
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
         nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
         nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
         nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
@@ -54,12 +57,14 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
         tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
         tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
@@ -67,8 +72,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
         tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
         tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
         tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
      💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -78,11 +84,13 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/types/key                                      from tailscale.com/derp+
         tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
         tailscale.com/types/netmap                                   from tailscale.com/ipn
+        tailscale.com/types/nettype                                  from tailscale.com/net/netcheck+
         tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
         tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/ipn
         tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/types/structs                                  from tailscale.com/ipn+
+        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
         tailscale.com/types/views                                    from tailscale.com/tailcfg+
         tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
@@ -91,13 +99,17 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W    tailscale.com/util/endian                                    from tailscale.com/net/netns
         tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
+        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
+        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
         tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
    W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase
+        golang.org/x/crypto/argon2                                   from tailscale.com/tka
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2s                                  from tailscale.com/control/controlbase+
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
         golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
@@ -107,12 +119,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http+
         golang.org/x/net/http/httpproxy                              from net/http
         golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
+        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
         golang.org/x/sync/errgroup                                   from tailscale.com/derp+
@@ -155,6 +170,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         embed                                                        from tailscale.com/cmd/tailscale/cli+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from tailscale.com/tka
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
@@ -175,7 +191,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         image/color                                                  from github.com/skip2/go-qrcode+
         image/png                                                    from github.com/skip2/go-qrcode
         io                                                           from bufio+
-        io/fs                                                        from crypto/rand+
+        io/fs                                                        from crypto/x509+
         io/ioutil                                                    from golang.org/x/sys/cpu+
         log                                                          from expvar+
         math                                                         from compress/flate+
@@ -190,7 +206,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
         net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
         net/http/internal                                            from net/http
-        net/netip                                                    from net
+        net/netip                                                    from net+
         net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
         os                                                           from crypto/rand+

cmd/tailscaled/debug.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package main
 
@@ -15,17 +15,16 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
+	"net/netip"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 
-	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -173,7 +172,7 @@ func checkDerp(ctx context.Context, derpRegion string) error {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
 	defer res.Body.Close()
-	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
+	b, err := io.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
 		return fmt.Errorf("fetch derp map failed: %w", err)
 	}
@@ -266,11 +265,11 @@ func debugPortmap(ctx context.Context) error {
 		return err
 	}
 
-	gatewayAndSelfIP := func() (gw, self netaddr.IP, ok bool) {
+	gatewayAndSelfIP := func() (gw, self netip.Addr, ok bool) {
 		if v := os.Getenv("TS_DEBUG_GW_SELF"); strings.Contains(v, "/") {
 			i := strings.Index(v, "/")
-			gw = netaddr.MustParseIP(v[:i])
-			self = netaddr.MustParseIP(v[i+1:])
+			gw = netip.MustParseAddr(v[:i])
+			self = netip.MustParseAddr(v[i+1:])
 			return gw, self, true
 		}
 		return linkMon.GatewayAndSelfIP()

cmd/tailscaled/depaware.txt

@@ -1,5 +1,7 @@
 tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
 
+        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
+        filippo.io/edwards25519/field                                from filippo.io/edwards25519
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
@@ -62,11 +64,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
   LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
         github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
    L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -113,9 +117,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
    L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-     💣 go4.org/intern                                               from inet.af/netaddr
+        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
      💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
-        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
+        go4.org/netipx                                               from tailscale.com/ipn/ipnlocal+
    W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
      💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
    W 💣 golang.zx2c4.com/wireguard/conn/winrio                       from golang.zx2c4.com/wireguard/conn
@@ -129,7 +133,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
         gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
-     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/bits                                   from gvisor.dev/gvisor/pkg/bufferv2
+     💣 gvisor.dev/gvisor/pkg/bufferv2                               from gvisor.dev/gvisor/pkg/tcpip+
         gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
      💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
         gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
@@ -143,7 +148,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
         gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -152,6 +156,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/multicast       from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
         gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
         gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
@@ -167,7 +172,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
         gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
         gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
-        inet.af/netaddr                                              from tailscale.com/control/controlclient+
         inet.af/peercred                                             from tailscale.com/ipn/ipnserver
    W 💣 inet.af/wf                                                   from tailscale.com/wf
         nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
@@ -208,13 +212,14 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
      💣 tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
-        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
         tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
         tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/control/controlclient+
+        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns+
@@ -222,6 +227,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
      💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
@@ -236,9 +242,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
   LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
-        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
         tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
   LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
+        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -251,12 +258,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/key                                      from tailscale.com/control/controlbase+
         tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
-        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock+
         tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
         tailscale.com/types/pad32                                    from tailscale.com/derp
         tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/tkatype                                  from tailscale.com/tka+
         tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
         tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
@@ -265,14 +273,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
+     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
         tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
         tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
-        tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
         tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
         tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
+        tailscale.com/util/strs                                      from tailscale.com/hostinfo+
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
      💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
@@ -281,16 +290,18 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
         tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
         golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/argon2                                   from tailscale.com/tka
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
         golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
   LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
@@ -305,6 +316,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
   LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
+        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -312,8 +325,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
         golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
         golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
+        golang.org/x/net/icmp                                        from tailscale.com/net/ping
         golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
+        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device+
         golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from net+
@@ -361,6 +375,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         embed                                                        from tailscale.com+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from tailscale.com/tka
         encoding/base64                                              from encoding/json+
         encoding/binary                                              from compress/gzip+
         encoding/hex                                                 from crypto/x509+
@@ -377,7 +392,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         hash/maphash                                                 from go4.org/mem
         html                                                         from tailscale.com/ipn/ipnlocal+
         io                                                           from bufio+
-        io/fs                                                        from crypto/rand+
+        io/fs                                                        from crypto/x509+
         io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh
@@ -390,6 +405,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         mime/quotedprintable                                         from mime/multipart
         net                                                          from crypto/tls+
         net/http                                                     from expvar+
+        net/http/httptest                                            from tailscale.com/control/controlclient
         net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
         net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
         net/http/internal                                            from net/http+

cmd/tailscaled/install_darwin.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package main
 
@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -142,7 +141,7 @@ func installSystemDaemonDarwin(args []string) (err error) {
 		return err
 	}
 
-	if err := ioutil.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
+	if err := os.WriteFile(sysPlist, []byte(darwinLaunchdPlist), 0700); err != nil {
 		return err
 	}
 

cmd/tailscaled/install_windows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package main
 

cmd/tailscaled/proxy.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 // HTTP proxy code
 

cmd/tailscaled/required_version.go

@@ -2,11 +2,11 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !go1.18
-// +build !go1.18
+//go:build !go1.19
+// +build !go1.19
 
 package main
 
 func init() {
-	you_need_Go_1_18_to_compile_Tailscale()
+	you_need_Go_1_19_to_compile_Tailscale()
 }

cmd/tailscaled/tailscaled.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 // The tailscaled program is the Tailscale client daemon. It's configured
 // and controlled via the tailscale CLI program.
@@ -21,15 +21,16 @@ import (
 	"net"
 	"net/http"
 	"net/http/pprof"
+	"net/netip"
 	"os"
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
-	"inet.af/netaddr"
 	"tailscale.com/cmd/tailscaled/childproc"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
@@ -97,6 +98,20 @@ func defaultTunName() string {
 	return "tailscale0"
 }
 
+// defaultPort returns the default UDP port to listen on for disco+wireguard.
+// By default it returns 0, to pick one randomly from the kernel.
+// If the environment variable PORT is set, that's used instead.
+// The PORT environment variable is chosen to match what the Linux systemd
+// unit uses, to make documentation more consistent.
+func defaultPort() uint16 {
+	if s := envknob.String("PORT"); s != "" {
+		if p, err := strconv.ParseUint(s, 10, 16); err == nil {
+			return uint16(p)
+		}
+	}
+	return 0
+}
+
 var args struct {
 	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
 	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
@@ -113,6 +128,7 @@ var args struct {
 	verbose        int
 	socksAddr      string // listen address for SOCKS5 server
 	httpProxyAddr  string // listen address for HTTP proxy server
+	disableLogs    bool
 }
 
 var (
@@ -128,7 +144,12 @@ var subCommands = map[string]*func([]string) error{
 	"be-child":                &beChildFunc,
 }
 
+var beCLI func() // non-nil if CLI is linked in
+
 func main() {
+	envknob.PanicIfAnyEnvCheckedInInit()
+	envknob.ApplyDiskConfig()
+
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -136,12 +157,18 @@ func main() {
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
-	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
+	flag.BoolVar(&args.disableLogs, "no-logs-no-support", false, "disable log uploads; this also disables any technical support")
+
+	if len(os.Args) > 0 && filepath.Base(os.Args[0]) == "tailscale" && beCLI != nil {
+		beCLI()
+		return
+	}
 
 	if len(os.Args) > 1 {
 		sub := os.Args[1]
@@ -192,6 +219,10 @@ func main() {
 		args.statepath = paths.DefaultTailscaledStateFile()
 	}
 
+	if args.disableLogs {
+		envknob.SetNoLogsNoSupport()
+	}
+
 	if beWindowsSubprocess() {
 		return
 	}
@@ -295,6 +326,10 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()
 
+	if err := envknob.ApplyDiskConfigError(); err != nil {
+		log.Printf("Error reading environment config: %v", err)
+	}
+
 	if isWindowsService() {
 		// Run the IPN server from the Windows service manager.
 		log.Printf("Running service...")
@@ -363,14 +398,14 @@ func run() error {
 		return fmt.Errorf("newNetstack: %w", err)
 	}
 	ns.ProcessLocalIPs = useNetstack
-	ns.ProcessSubnets = useNetstack || wrapNetstack
+	ns.ProcessSubnets = useNetstack || shouldWrapNetstack()
 
 	if useNetstack {
-		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
+		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
 		}
-		dialer.NetstackDialTCP = func(ctx context.Context, dst netaddr.IPPort) (net.Conn, error) {
+		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
@@ -464,8 +499,6 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 	return nil, false, multierr.New(errs...)
 }
 
-var wrapNetstack = shouldWrapNetstack()
-
 func shouldWrapNetstack() bool {
 	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
@@ -474,7 +507,7 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd":
+	case "windows", "darwin", "freebsd", "openbsd":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
 		// affect the GUI clients), and on FreeBSD.
 		return true
@@ -536,7 +569,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer, na
 		}
 		conf.DNS = d
 		conf.Router = r
-		if wrapNetstack {
+		if shouldWrapNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
 		}
 	}

cmd/tailscaled/tailscaled.service

@@ -7,7 +7,7 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 [Service]
 EnvironmentFile=/etc/default/tailscaled
 ExecStartPre=/usr/sbin/tailscaled --cleanup
-ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup
 
 Restart=on-failure

cmd/tailscaled/tailscaled_bird.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18 && (linux || darwin || freebsd || openbsd)
-// +build go1.18
+//go:build go1.19 && (linux || darwin || freebsd || openbsd)
+// +build go1.19
 // +build linux darwin freebsd openbsd
 
 package main

cmd/tailscaled/tailscaled_notwindows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !windows && go1.18
-// +build !windows,go1.18
+//go:build !windows && go1.19
+// +build !windows,go1.19
 
 package main // import "tailscale.com/cmd/tailscaled"
 

cmd/tailscaled/tailscaled_windows.go

@@ -2,8 +2,8 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build go1.18
-// +build go1.18
+//go:build go1.19
+// +build go1.19
 
 package main // import "tailscale.com/cmd/tailscaled"
 
@@ -25,6 +25,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"log"
+	"net/netip"
 	"os"
 	"time"
 
@@ -32,7 +33,6 @@ import (
 	"golang.org/x/sys/windows/svc"
 	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
-	"inet.af/netaddr"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store"
@@ -197,6 +197,9 @@ func beWindowsSubprocess() bool {
 
 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
 	log.Printf("subproc mode: logid=%v", logid)
+	if err := envknob.ApplyDiskConfigError(); err != nil {
+		log.Printf("Error reading environment config: %v", err)
+	}
 
 	go func() {
 		b := make([]byte, 16)
@@ -245,7 +248,7 @@ func beFirewallKillswitch() bool {
 	// is passed in via stdin encoded in json.
 	dcd := json.NewDecoder(os.Stdin)
 	for {
-		var routes []netaddr.IPPrefix
+		var routes []netip.Prefix
 		if err := dcd.Decode(&routes); err != nil {
 			log.Fatalf("parent process died or requested exit, exiting (%v)", err)
 		}
@@ -274,7 +277,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			dev.Close()
 			return nil, nil, fmt.Errorf("router: %w", err)
 		}
-		if wrapNetstack {
+		if shouldWrapNetstack() {
 			r = netstack.NewSubnetRouterWrapper(r)
 		}
 		d, err := dns.NewOSConfigurator(logf, devName)
@@ -301,7 +304,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 			return nil, nil, fmt.Errorf("newNetstack: %w", err)
 		}
 		ns.ProcessLocalIPs = false
-		ns.ProcessSubnets = wrapNetstack
+		ns.ProcessSubnets = shouldWrapNetstack()
 		if err := ns.Start(); err != nil {
 			return nil, nil, fmt.Errorf("failed to start netstack: %w", err)
 		}

cmd/tailscaled/with_cli.go

@@ -0,0 +1,25 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ts_include_cli
+// +build ts_include_cli
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"tailscale.com/cmd/tailscale/cli"
+)
+
+func init() {
+	beCLI = func() {
+		args := os.Args[1:]
+		if err := cli.Run(args); err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(1)
+		}
+	}
+}

cmd/tsconnect/.gitignore

@@ -1,4 +1,3 @@
-src/wasm_exec.js
-src/main.wasm
 node_modules/
-dist/
+/dist
+/pkg

cmd/tsconnect/README.md

@@ -0,0 +1,49 @@
+# tsconnect
+
+The tsconnect command builds and serves the static site that is generated for
+the Tailscale Connect JS/WASM client.
+
+## Development
+
+To start the development server:
+
+```
+./tool/go run ./cmd/tsconnect dev
+```
+
+The site is served at http://localhost:9090/. JavaScript and CSS changes can be picked up with a browser reload. Go changes (including to the `wasm` package) require the server to be stopped and restarted. In development mode the state the Tailscale client is stored in `sessionStorage` and will thus survive page reloads (but not the tab being closed).
+
+## Deployment
+
+To build the static assets necessary for serving, run:
+
+```
+./tool/go run ./cmd/tsconnect build
+```
+
+To serve them, run:
+
+```
+./tool/go run ./cmd/tsconnect serve
+```
+
+By default the build output is placed in the `dist/` directory and embedded in the binary, but this can be controlled by the `-distdir` flag. The `-addr` flag controls the interface and port that the serve listens on.
+
+# Library / NPM Package
+
+The client is also available as an NPM package. To build it, run:
+
+```
+./tool/go run ./cmd/tsconnect build-pkg
+```
+
+That places the output in the `pkg/` directory, which may then be uploaded to a package registry (or installed from the file path directly).
+
+To do two-sided development (on both the NPM package and code that uses it), run:
+
+```
+./tool/go run ./cmd/tsconnect dev-pkg
+
+```
+
+This serves the module at http://localhost:9090/pkg/pkg.js and the generated wasm file at http://localhost:9090/pkg/main.wasm. The two files can be used as drop-in replacements for normal imports of the NPM module.

cmd/tsconnect/build-pkg.go

@@ -0,0 +1,74 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path"
+
+	"github.com/tailscale/hujson"
+	"tailscale.com/version"
+)
+
+func runBuildPkg() {
+	buildOptions, err := commonPkgSetup(prodMode)
+	if err != nil {
+		log.Fatalf("Cannot setup: %v", err)
+	}
+
+	log.Printf("Linting...\n")
+	if err := runYarn("lint"); err != nil {
+		log.Fatalf("Linting failed: %v", err)
+	}
+
+	if err := cleanDir(*pkgDir, "package.json"); err != nil {
+		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
+	}
+
+	buildOptions.Write = true
+	buildOptions.MinifyWhitespace = true
+	buildOptions.MinifyIdentifiers = true
+	buildOptions.MinifySyntax = true
+
+	runEsbuild(*buildOptions)
+
+	log.Printf("Generating types...\n")
+	if err := runYarn("pkg-types"); err != nil {
+		log.Fatalf("Type generation failed: %v", err)
+	}
+
+	if err := updateVersion(); err != nil {
+		log.Fatalf("Cannot update version: %v", err)
+	}
+
+	log.Printf("Built package version %s", version.Long)
+}
+
+func updateVersion() error {
+	packageJSONBytes, err := os.ReadFile("package.json.tmpl")
+	if err != nil {
+		return fmt.Errorf("Could not read package.json: %w", err)
+	}
+
+	var packageJSON map[string]any
+	packageJSONBytes, err = hujson.Standardize(packageJSONBytes)
+	if err != nil {
+		return fmt.Errorf("Could not standardize template package.json: %w", err)
+	}
+	if err := json.Unmarshal(packageJSONBytes, &packageJSON); err != nil {
+		return fmt.Errorf("Could not unmarshal package.json: %w", err)
+	}
+	packageJSON["version"] = version.Long
+
+	packageJSONBytes, err = json.MarshalIndent(packageJSON, "", "  ")
+	if err != nil {
+		return fmt.Errorf("Could not marshal package.json: %w", err)
+	}
+
+	return os.WriteFile(path.Join(*pkgDir, "package.json"), packageJSONBytes, 0644)
+}

cmd/tsconnect/build.go

@@ -5,21 +5,14 @@
 package main
 
 import (
-	"bytes"
-	"compress/gzip"
 	"encoding/json"
 	"fmt"
-	"io"
-	"io/fs"
-	"io/ioutil"
 	"log"
 	"os"
 	"path"
 	"path/filepath"
 
-	"github.com/andybalholm/brotli"
-	esbuild "github.com/evanw/esbuild/pkg/api"
-	"golang.org/x/sync/errgroup"
+	"tailscale.com/util/precompress"
 )
 
 func runBuild() {
@@ -28,7 +21,12 @@ func runBuild() {
 		log.Fatalf("Cannot setup: %v", err)
 	}
 
-	if err := cleanDist(); err != nil {
+	log.Printf("Linting...\n")
+	if err := runYarn("lint"); err != nil {
+		log.Fatalf("Linting failed: %v", err)
+	}
+
+	if err := cleanDir(*distDir, "placeholder"); err != nil {
 		log.Fatalf("Cannot clean %s: %v", *distDir, err)
 	}
 
@@ -41,32 +39,18 @@ func runBuild() {
 	buildOptions.AssetNames = "[name]-[hash]"
 	buildOptions.Metafile = true
 
-	log.Printf("Running esbuild...\n")
-	result := esbuild.Build(*buildOptions)
-	if len(result.Errors) > 0 {
-		log.Printf("ESBuild Error:\n")
-		for _, e := range result.Errors {
-			log.Printf("%v", e)
-		}
-		log.Fatal("Build failed")
-	}
-	if len(result.Warnings) > 0 {
-		log.Printf("ESBuild Warnings:\n")
-		for _, w := range result.Warnings {
-			log.Printf("%v", w)
-		}
-	}
+	result := runEsbuild(*buildOptions)
 
 	// Preserve build metadata so we can extract hashed file names for serving.
 	metadataBytes, err := fixEsbuildMetadataPaths(result.Metafile)
 	if err != nil {
 		log.Fatalf("Cannot fix esbuild metadata paths: %v", err)
 	}
-	if err := ioutil.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
+	if err := os.WriteFile(path.Join(*distDir, "/esbuild-metadata.json"), metadataBytes, 0666); err != nil {
 		log.Fatalf("Cannot write metadata: %v", err)
 	}
 
-	if er := precompressDist(); err != nil {
+	if er := precompressDist(*fastCompression); err != nil {
 		log.Fatalf("Cannot precompress resources: %v", er)
 	}
 }
@@ -98,8 +82,6 @@ func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	return json.Marshal(metadata)
 }
 
-// cleanDist removes files from the dist build directory, except the placeholder
-// one that we keep to make sure Git still creates the directory.
 func cleanDist() error {
 	log.Printf("Cleaning %s...\n", *distDir)
 	files, err := os.ReadDir(*distDir)
@@ -120,71 +102,12 @@ func cleanDist() error {
 	return nil
 }
 
-func precompressDist() error {
+func precompressDist(fastCompression bool) error {
 	log.Printf("Pre-compressing files in %s/...\n", *distDir)
-	var eg errgroup.Group
-	err := fs.WalkDir(os.DirFS(*distDir), ".", func(p string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-		if d.IsDir() {
-			return nil
-		}
-		if !compressibleExtensions[filepath.Ext(p)] {
-			return nil
-		}
-		p = path.Join(*distDir, p)
-		log.Printf("Pre-compressing %v\n", p)
-
-		eg.Go(func() error {
-			return precompress(p)
-		})
-		return nil
+	return precompress.PrecompressDir(*distDir, precompress.Options{
+		FastCompression: fastCompression,
+		ProgressFn: func(path string) {
+			log.Printf("Pre-compressing %v\n", path)
+		},
 	})
-	if err != nil {
-		return err
-	}
-	return eg.Wait()
-}
-
-var compressibleExtensions = map[string]bool{
-	".js":   true,
-	".css":  true,
-	".wasm": true,
-}
-
-func precompress(path string) error {
-	contents, err := os.ReadFile(path)
-	if err != nil {
-		return err
-	}
-	fi, err := os.Lstat(path)
-	if err != nil {
-		return err
-	}
-
-	err = writeCompressed(contents, func(w io.Writer) (io.WriteCloser, error) {
-		return gzip.NewWriterLevel(w, gzip.BestCompression)
-	}, path+".gz", fi.Mode())
-	if err != nil {
-		return err
-	}
-	return writeCompressed(contents, func(w io.Writer) (io.WriteCloser, error) {
-		return brotli.NewWriterLevel(w, brotli.BestCompression), nil
-	}, path+".br", fi.Mode())
-}
-
-func writeCompressed(contents []byte, compressedWriterCreator func(io.Writer) (io.WriteCloser, error), outputPath string, outputMode fs.FileMode) error {
-	var buf bytes.Buffer
-	compressedWriter, err := compressedWriterCreator(&buf)
-	if err != nil {
-		return err
-	}
-	if _, err := compressedWriter.Write(contents); err != nil {
-		return err
-	}
-	if err := compressedWriter.Close(); err != nil {
-		return err
-	}
-	return os.WriteFile(outputPath, buf.Bytes(), outputMode)
 }

cmd/tsconnect/common.go

@@ -7,14 +7,17 @@ package main
 import (
 	"fmt"
 	"log"
+	"net"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"
 	"strconv"
+	"time"
 
 	esbuild "github.com/evanw/esbuild/pkg/api"
+	"golang.org/x/exp/slices"
 )
 
 const (
@@ -31,77 +34,198 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 			return nil, fmt.Errorf("Cannot change cwd: %w", err)
 		}
 	}
-	if err := buildDeps(dev); err != nil {
-		return nil, fmt.Errorf("Cannot build deps: %w", err)
+	if err := installJSDeps(); err != nil {
+		return nil, fmt.Errorf("Cannot install JS deps: %w", err)
 	}
 
 	return &esbuild.BuildOptions{
-		EntryPoints: []string{"src/index.js", "src/index.css"},
-		Loader:      map[string]esbuild.Loader{".wasm": esbuild.LoaderFile},
+		EntryPoints: []string{"src/app/index.ts", "src/app/index.css"},
 		Outdir:      *distDir,
 		Bundle:      true,
 		Sourcemap:   esbuild.SourceMapLinked,
 		LogLevel:    esbuild.LogLevelInfo,
 		Define:      map[string]string{"DEBUG": strconv.FormatBool(dev)},
 		Target:      esbuild.ES2017,
+		Plugins: []esbuild.Plugin{
+			{
+				Name: "tailscale-tailwind",
+				Setup: func(build esbuild.PluginBuild) {
+					setupEsbuildTailwind(build, dev)
+				},
+			},
+			{
+				Name:  "tailscale-go-wasm-exec-js",
+				Setup: setupEsbuildWasmExecJS,
+			},
+			{
+				Name: "tailscale-wasm",
+				Setup: func(build esbuild.PluginBuild) {
+					setupEsbuildWasm(build, dev)
+				},
+			},
+		},
+		JSXMode: esbuild.JSXModeAutomatic,
 	}, nil
 }
 
-// buildDeps builds the static assets that are needed for the server (except for
-// JS/CSS bundling, which is  handled by esbuild).
-func buildDeps(dev bool) error {
-	if err := copyWasmExec(); err != nil {
-		return fmt.Errorf("Cannot copy wasm_exec.js: %w", err)
+func commonPkgSetup(dev bool) (*esbuild.BuildOptions, error) {
+	buildOptions, err := commonSetup(dev)
+	if err != nil {
+		return nil, err
 	}
-	if err := buildWasm(dev); err != nil {
-		return fmt.Errorf("Cannot build main.wasm: %w", err)
+	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
+	buildOptions.Outdir = *pkgDir
+	buildOptions.Format = esbuild.FormatESModule
+	buildOptions.AssetNames = "[name]"
+	return buildOptions, nil
+}
+
+// cleanDir removes files from dirPath, except the ones specified by
+// preserveFiles.
+func cleanDir(dirPath string, preserveFiles ...string) error {
+	log.Printf("Cleaning %s...\n", dirPath)
+	files, err := os.ReadDir(dirPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return os.MkdirAll(dirPath, 0755)
+		}
+		return err
 	}
-	if err := installJSDeps(); err != nil {
-		return fmt.Errorf("Cannot install JS deps: %w", err)
+
+	for _, file := range files {
+		if !slices.Contains(preserveFiles, file.Name()) {
+			if err := os.Remove(filepath.Join(dirPath, file.Name())); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }
 
-// copyWasmExec grabs the current wasm_exec.js runtime helper library from the
-// Go toolchain.
-func copyWasmExec() error {
-	log.Printf("Copying wasm_exec.js...\n")
-	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
-	wasmExecDstPath := filepath.Join("src", "wasm_exec.js")
-	contents, err := os.ReadFile(wasmExecSrcPath)
+func runEsbuildServe(buildOptions esbuild.BuildOptions) {
+	host, portStr, err := net.SplitHostPort(*addr)
 	if err != nil {
-		return err
+		log.Fatalf("Cannot parse addr: %v", err)
 	}
-	return os.WriteFile(wasmExecDstPath, contents, 0600)
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		log.Fatalf("Cannot parse port: %v", err)
+	}
+	result, err := esbuild.Serve(esbuild.ServeOptions{
+		Port:     uint16(port),
+		Host:     host,
+		Servedir: "./",
+	}, buildOptions)
+	if err != nil {
+		log.Fatalf("Cannot start esbuild server: %v", err)
+	}
+	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
+	result.Wait()
 }
 
-// buildWasm builds the Tailscale wasm binary and places it where the JS can
-// load it.
-func buildWasm(dev bool) error {
-	log.Printf("Building wasm...\n")
+func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
+	log.Printf("Running esbuild...\n")
+	result := esbuild.Build(buildOptions)
+	if len(result.Errors) > 0 {
+		log.Printf("ESBuild Error:\n")
+		for _, e := range result.Errors {
+			log.Printf("%v", e)
+		}
+		log.Fatal("Build failed")
+	}
+	if len(result.Warnings) > 0 {
+		log.Printf("ESBuild Warnings:\n")
+		for _, w := range result.Warnings {
+			log.Printf("%v", w)
+		}
+	}
+	return result
+}
+
+// setupEsbuildWasmExecJS generates an esbuild plugin that serves the current
+// wasm_exec.js runtime helper library from the Go toolchain.
+func setupEsbuildWasmExecJS(build esbuild.PluginBuild) {
+	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
+	build.OnResolve(esbuild.OnResolveOptions{
+		Filter: "./wasm_exec$",
+	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
+		return esbuild.OnResolveResult{Path: wasmExecSrcPath}, nil
+	})
+}
+
+// setupEsbuildWasm generates an esbuild plugin that builds the Tailscale wasm
+// binary and serves it as a file that the JS can load.
+func setupEsbuildWasm(build esbuild.PluginBuild, dev bool) {
+	// Add a resolve hook to convince esbuild that the path exists.
+	build.OnResolve(esbuild.OnResolveOptions{
+		Filter: "./main.wasm$",
+	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
+		return esbuild.OnResolveResult{
+			Path:      "./src/main.wasm",
+			Namespace: "generated",
+		}, nil
+	})
+	build.OnLoad(esbuild.OnLoadOptions{
+		Filter: "./src/main.wasm$",
+	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
+		contents, err := buildWasm(dev)
+		if err != nil {
+			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot build main.wasm: %w", err)
+		}
+		contentsStr := string(contents)
+		return esbuild.OnLoadResult{
+			Contents: &contentsStr,
+			Loader:   esbuild.LoaderFile,
+		}, nil
+	})
+}
+
+func buildWasm(dev bool) ([]byte, error) {
+	start := time.Now()
+	outputFile, err := os.CreateTemp("", "main.*.wasm")
+	if err != nil {
+		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
+	}
+	outputPath := outputFile.Name()
+	defer os.Remove(outputPath)
+
 	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
 	if !dev {
+		if *devControl != "" {
+			return nil, fmt.Errorf("Development control URL can only be used in dev mode.")
+		}
 		// Omit long paths and debug symbols in release builds, to reduce the
 		// generated WASM binary size.
 		args = append(args, "-trimpath", "-ldflags", "-s -w")
+	} else if *devControl != "" {
+		args = append(args, "-ldflags", fmt.Sprintf("-X 'main.ControlURL=%v'", *devControl))
 	}
-	args = append(args, "-o", "src/main.wasm", "./wasm")
+
+	args = append(args, "-o", outputPath, "./wasm")
 	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"), args...)
 	cmd.Env = append(os.Environ(), "GOOS=js", "GOARCH=wasm")
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
-	return cmd.Run()
+	err = cmd.Run()
+	if err != nil {
+		return nil, fmt.Errorf("Cannot build main.wasm: %w", err)
+	}
+	log.Printf("Built wasm in %v\n", time.Since(start))
+	return os.ReadFile(outputPath)
 }
 
 // installJSDeps installs the JavaScript dependencies specified by package.json
 func installJSDeps() error {
 	log.Printf("Installing JS deps...\n")
-	stdoutStderr, err := exec.Command("yarn").CombinedOutput()
-	if err != nil {
-		log.Printf("yarn failed: %s", stdoutStderr)
-	}
-	return err
+	return runYarn()
+}
+
+func runYarn(args ...string) error {
+	cmd := exec.Command(*yarnPath, args...)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	return cmd.Run()
 }
 
 // EsbuildMetadata is the subset of metadata struct (described by
@@ -109,6 +233,36 @@ func installJSDeps() error {
 // from entry points to hashed file names.
 type EsbuildMetadata struct {
 	Outputs map[string]struct {
+		Inputs map[string]struct {
+			BytesInOutput int64 `json:"bytesInOutput"`
+		} `json:"inputs,omitempty"`
 		EntryPoint string `json:"entryPoint,omitempty"`
 	} `json:"outputs,omitempty"`
 }
+
+func setupEsbuildTailwind(build esbuild.PluginBuild, dev bool) {
+	build.OnLoad(esbuild.OnLoadOptions{
+		Filter: "./src/.*\\.css$",
+	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
+		start := time.Now()
+		yarnArgs := []string{"--silent", "tailwind", "-i", args.Path}
+		if !dev {
+			yarnArgs = append(yarnArgs, "--minify")
+		}
+		cmd := exec.Command(*yarnPath, yarnArgs...)
+		tailwindOutput, err := cmd.Output()
+		log.Printf("Ran tailwind in %v\n", time.Since(start))
+		if err != nil {
+			if exitErr, ok := err.(*exec.ExitError); ok {
+				log.Printf("Tailwind stderr: %s", exitErr.Stderr)
+			}
+			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot run tailwind: %w", err)
+		}
+		tailwindOutputStr := string(tailwindOutput)
+		return esbuild.OnLoadResult{
+			Contents: &tailwindOutputStr,
+			Loader:   esbuild.LoaderCSS,
+		}, nil
+
+	})
+}

cmd/tsconnect/dev-pkg.go

@@ -0,0 +1,17 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"log"
+)
+
+func runDevPkg() {
+	buildOptions, err := commonPkgSetup(devMode)
+	if err != nil {
+		log.Fatalf("Cannot setup: %v", err)
+	}
+	runEsbuildServe(*buildOptions)
+}

cmd/tsconnect/dev.go

@@ -6,10 +6,6 @@ package main
 
 import (
 	"log"
-	"net"
-	"strconv"
-
-	esbuild "github.com/evanw/esbuild/pkg/api"
 )
 
 func runDev() {
@@ -17,22 +13,5 @@ func runDev() {
 	if err != nil {
 		log.Fatalf("Cannot setup: %v", err)
 	}
-	host, portStr, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("Cannot parse addr: %v", err)
-	}
-	port, err := strconv.ParseUint(portStr, 10, 16)
-	if err != nil {
-		log.Fatalf("Cannot parse port: %v", err)
-	}
-	result, err := esbuild.Serve(esbuild.ServeOptions{
-		Port:     uint16(port),
-		Host:     host,
-		Servedir: "./",
-	}, *buildOptions)
-	if err != nil {
-		log.Fatalf("Cannot start esbuild server: %v", err)
-	}
-	log.Printf("Listening on http://%s:%d\n", result.Host, result.Port)
-	result.Wait()
+	runEsbuildServe(*buildOptions)
 }

cmd/tsconnect/index.html

@@ -3,14 +3,18 @@
   <head>
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Tailscale Connect</title>
     <link rel="stylesheet" type="text/css" href="dist/index.css" />
+    <script src="dist/index.js" defer></script>
   </head>
-  <body>
-    <div id="header">
-      <h1>Tailscale Connect</h1>
-      <div id="state">Loading…</div>
+  <body class="flex flex-col h-screen overflow-hidden">
+    <!-- Placeholder so that we don't have an empty page while the JS loads.
+      It should match the markup generated by Header component. -->
+    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
+      <header class="container mx-auto px-4 flex flex-row items-center">
+        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
+        <div class="text-gray-600">Loading…</div>
+      </header>
     </div>
-    <div id="peers"></div>
-    <script src="dist/index.js"></script>
   </body>
 </html>

cmd/tsconnect/package.json

@@ -1,9 +1,22 @@
 {
-  "name": "@tailscale/ssh",
+  "name": "tsconnect",
   "version": "0.0.1",
+  "license": "BSD-3-Clause",
   "devDependencies": {
+    "@types/golang-wasm-exec": "^1.15.0",
+    "@types/qrcode": "^1.4.2",
+    "dts-bundle-generator": "^6.12.0",
+    "preact": "^10.10.0",
     "qrcode": "^1.5.0",
-    "xterm": "^4.18.0"
+    "tailwindcss": "^3.1.6",
+    "typescript": "^4.7.4",
+    "xterm": "5.0.0-beta.58",
+    "xterm-addon-fit": "^0.5.0",
+    "xterm-addon-web-links": "0.7.0-beta.6"
+  },
+  "scripts": {
+    "lint": "tsc --noEmit",
+    "pkg-types": "dts-bundle-generator --inline-declare-global=true --no-banner -o pkg/pkg.d.ts src/pkg/pkg.ts"
   },
   "prettier": {
     "semi": false,

cmd/tsconnect/package.json.tmpl

@@ -0,0 +1,17 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Template for the package.json that is generated by the build-pkg command.
+// The version number will be replaced by the current Tailscale client version
+// number.
+{
+  "author": "Tailscale Inc.",
+  "description": "Tailscale Connect SDK",
+  "license": "BSD-3-Clause",
+  "name": "tailscale-connect",
+  "type": "module",
+  "main": "./pkg.js",
+  "types": "./pkg.d.ts",
+  "version": "AUTO_GENERATED"
+}

cmd/tsconnect/serve.go

@@ -11,7 +11,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -19,6 +18,7 @@ import (
 	"time"
 
 	"tailscale.com/tsweb"
+	"tailscale.com/util/precompress"
 )
 
 //go:embed index.html
@@ -74,7 +74,7 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not open esbuild-metadata.json: %w", err)
 	}
 	defer esbuildMetadataFile.Close()
-	esbuildMetadataBytes, err := ioutil.ReadAll(esbuildMetadataFile)
+	esbuildMetadataBytes, err := io.ReadAll(esbuildMetadataFile)
 	if err != nil {
 		return nil, fmt.Errorf("Could not read esbuild-metadata.json: %w", err)
 	}
@@ -83,10 +83,19 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 		return nil, fmt.Errorf("Could not parse esbuild-metadata.json: %w", err)
 	}
 	entryPointsToHashedDistPaths := make(map[string]string)
+	mainWasmPath := ""
 	for outputPath, output := range esbuildMetadata.Outputs {
 		if output.EntryPoint != "" {
 			entryPointsToHashedDistPaths[output.EntryPoint] = path.Join("dist", outputPath)
 		}
+		if path.Ext(outputPath) == ".wasm" {
+			for input := range output.Inputs {
+				if input == "src/main.wasm" {
+					mainWasmPath = path.Join("dist", outputPath)
+					break
+				}
+			}
+		}
 	}
 
 	indexBytes := rawIndexBytes
@@ -96,39 +105,25 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 			indexBytes = bytes.ReplaceAll(indexBytes, []byte(defaultDistPath), []byte(hashedDistPath))
 		}
 	}
+	if mainWasmPath != "" {
+		mainWasmPrefetch := fmt.Sprintf("</title>\n<link rel='preload' as='fetch' crossorigin='anonymous' href='%s'>", mainWasmPath)
+		indexBytes = bytes.ReplaceAll(indexBytes, []byte("</title>"), []byte(mainWasmPrefetch))
+	}
 
 	return indexBytes, nil
 }
 
 var entryPointsToDefaultDistPaths = map[string]string{
-	"src/index.css": "dist/index.css",
-	"src/index.js":  "dist/index.js",
+	"src/app/index.css": "dist/index.css",
+	"src/app/index.ts":  "dist/index.js",
 }
 
 func handleServeDist(w http.ResponseWriter, r *http.Request, distFS fs.FS) {
 	path := r.URL.Path
-	var f fs.File
-	// Prefer pre-compressed versions generated during the build step.
-	if tsweb.AcceptsEncoding(r, "br") {
-		if brotliFile, err := distFS.Open(path + ".br"); err == nil {
-			f = brotliFile
-			w.Header().Set("Content-Encoding", "br")
-		}
-	}
-	if f == nil && tsweb.AcceptsEncoding(r, "gzip") {
-		if gzipFile, err := distFS.Open(path + ".gz"); err == nil {
-			f = gzipFile
-			w.Header().Set("Content-Encoding", "gzip")
-		}
-	}
-
-	if f == nil {
-		if rawFile, err := distFS.Open(path); err == nil {
-			f = rawFile
-		} else {
-			http.Error(w, err.Error(), http.StatusNotFound)
-			return
-		}
+	f, err := precompress.OpenPrecompressedFile(w, r, path, distFS)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusNotFound)
+		return
 	}
 	defer f.Close()
 

cmd/tsconnect/src/app/app.tsx

@@ -0,0 +1,129 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+import { render, Component } from "preact"
+import { URLDisplay } from "./url-display"
+import { Header } from "./header"
+import { GoPanicDisplay } from "./go-panic-display"
+import { SSH } from "./ssh"
+
+type AppState = {
+  ipn?: IPN
+  ipnState: IPNState
+  netMap?: IPNNetMap
+  browseToURL?: string
+  goPanicError?: string
+}
+
+class App extends Component<{}, AppState> {
+  state: AppState = { ipnState: "NoState" }
+  #goPanicTimeout?: number
+
+  render() {
+    const { ipn, ipnState, goPanicError, netMap, browseToURL } = this.state
+
+    let goPanicDisplay
+    if (goPanicError) {
+      goPanicDisplay = (
+        <GoPanicDisplay error={goPanicError} dismiss={this.clearGoPanic} />
+      )
+    }
+
+    let urlDisplay
+    if (browseToURL) {
+      urlDisplay = <URLDisplay url={browseToURL} />
+    }
+
+    let machineAuthInstructions
+    if (ipnState === "NeedsMachineAuth") {
+      machineAuthInstructions = (
+        <div class="container mx-auto px-4 text-center">
+          An administrator needs to authorize this device.
+        </div>
+      )
+    }
+
+    let ssh
+    if (ipn && ipnState === "Running" && netMap) {
+      ssh = <SSH netMap={netMap} ipn={ipn} />
+    }
+
+    return (
+      <>
+        <Header state={ipnState} ipn={ipn} />
+        {goPanicDisplay}
+        <div class="flex-grow flex flex-col justify-center overflow-hidden">
+          {urlDisplay}
+          {machineAuthInstructions}
+          {ssh}
+        </div>
+      </>
+    )
+  }
+
+  runWithIPN(ipn: IPN) {
+    this.setState({ ipn }, () => {
+      ipn.run({
+        notifyState: this.handleIPNState,
+        notifyNetMap: this.handleNetMap,
+        notifyBrowseToURL: this.handleBrowseToURL,
+        notifyPanicRecover: this.handleGoPanic,
+      })
+    })
+  }
+
+  handleIPNState = (state: IPNState) => {
+    const { ipn } = this.state
+    this.setState({ ipnState: state })
+    if (state === "NeedsLogin") {
+      ipn?.login()
+    } else if (["Running", "NeedsMachineAuth"].includes(state)) {
+      this.setState({ browseToURL: undefined })
+    }
+  }
+
+  handleNetMap = (netMapStr: string) => {
+    const netMap = JSON.parse(netMapStr) as IPNNetMap
+    if (DEBUG) {
+      console.log("Received net map: " + JSON.stringify(netMap, null, 2))
+    }
+    this.setState({ netMap })
+  }
+
+  handleBrowseToURL = (url: string) => {
+    if (this.state.ipnState === "Running") {
+      // Ignore URL requests if we're already running -- it's most likely an
+      // SSH check mode trigger and we already linkify the displayed URL
+      // in the terminal.
+      return
+    }
+    this.setState({ browseToURL: url })
+  }
+
+  handleGoPanic = (error: string) => {
+    if (DEBUG) {
+      console.error("Go panic", error)
+    }
+    this.setState({ goPanicError: error })
+    if (this.#goPanicTimeout) {
+      window.clearTimeout(this.#goPanicTimeout)
+    }
+    this.#goPanicTimeout = window.setTimeout(this.clearGoPanic, 10000)
+  }
+
+  clearGoPanic = () => {
+    window.clearTimeout(this.#goPanicTimeout)
+    this.#goPanicTimeout = undefined
+    this.setState({ goPanicError: undefined })
+  }
+}
+
+export function renderApp(): Promise<App> {
+  return new Promise((resolve) => {
+    render(
+      <App ref={(app) => (app ? resolve(app) : undefined)} />,
+      document.body
+    )
+  })
+}

cmd/tsconnect/src/app/go-panic-display.tsx

@@ -0,0 +1,21 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+export function GoPanicDisplay({
+  error,
+  dismiss,
+}: {
+  error: string
+  dismiss: () => void
+}) {
+  return (
+    <div
+      class="rounded bg-red-500 p-2 absolute top-2 right-2 text-white font-bold text-right cursor-pointer"
+      onClick={dismiss}
+    >
+      Tailscale has encountered an error.
+      <div class="text-sm font-normal">Click to reload</div>
+    </div>
+  )
+}

cmd/tsconnect/src/app/header.tsx

@@ -0,0 +1,38 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+export function Header({ state, ipn }: { state: IPNState; ipn?: IPN }) {
+  const stateText = STATE_LABELS[state]
+
+  let logoutButton
+  if (state === "Running") {
+    logoutButton = (
+      <button
+        class="button bg-gray-500 border-gray-500 text-white hover:bg-gray-600 hover:border-gray-600 ml-2 font-bold"
+        onClick={() => ipn?.logout()}
+      >
+        Logout
+      </button>
+    )
+  }
+  return (
+    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
+      <header class="container mx-auto px-4 flex flex-row items-center">
+        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
+        <div class="text-gray-600">{stateText}</div>
+        {logoutButton}
+      </header>
+    </div>
+  )
+}
+
+const STATE_LABELS = {
+  NoState: "Initializing…",
+  InUseOtherUser: "In-use by another user",
+  NeedsLogin: "Needs login",
+  NeedsMachineAuth: "Needs authorization",
+  Stopped: "Stopped",
+  Starting: "Starting…",
+  Running: "Running",
+} as const