cmd/derpprobe: check derper TLS certs too

Change-Id: If8c48e012b294570ebbb1a46bacdc58fafbfbcc5
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

.github/workflows/cifuzz.yml

@@ -19,7 +19,7 @@ jobs:
         dry-run: false
         language: go
     - name: Upload Crash
-      uses: actions/upload-artifact@v2.2.4
+      uses: actions/upload-artifact@v2.3.1
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts

.github/workflows/cross-darwin.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/cross-freebsd.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/cross-openbsd.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/cross-windows.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/depaware.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
 

.github/workflows/go_generate.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v2.1.4
+        uses: actions/setup-go@v2.1.5
         with:
           go-version: 1.17
 

.github/workflows/license.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
 

.github/workflows/linux-race.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/linux.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/linux32.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
       id: go

.github/workflows/staticcheck.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17
 

.github/workflows/vm.yml

@@ -12,11 +12,13 @@ jobs:
     if: "!contains(github.event.head_commit.message, '[ci skip]')"
 
     steps:
+      - name: Set GOPATH
+        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
+
       - name: Set up Go
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v2.1.5
         with:
           go-version: 1.17
-        id: go
 
       - name: Checkout Code
         uses: actions/checkout@v1

.github/workflows/windows-race.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17.x
 

.github/workflows/windows.yml

@@ -17,7 +17,7 @@ jobs:
     steps:
 
     - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2.1.5
       with:
         go-version: 1.17.x
 

.gitignore

@@ -5,6 +5,7 @@
 *.dll
 *.so
 *.dylib
+*.spk
 
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled

Dockerfile

@@ -50,7 +50,7 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH
 
-RUN GOARCH=$TARGETARCH go install -tags=xversion -ldflags="\
+RUN GOARCH=$TARGETARCH go install -ldflags="\
       -X tailscale.com/version.Long=$VERSION_LONG \
       -X tailscale.com/version.Short=$VERSION_SHORT \
       -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \

Dockerfile.base

@@ -2,5 +2,5 @@
 # Use of this source code is governed by a BSD-style
 # license that can be found in the LICENSE file.
 
-FROM alpine:3.14
+FROM alpine:3.15
 RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables

Makefile

@@ -1,4 +1,6 @@
 IMAGE_REPO ?= tailscale/tailscale
+SYNO_ARCH ?= "amd64"
+SYNO_DSM ?= "7"
 
 usage:
 	echo "See Makefile"
@@ -32,9 +34,13 @@ staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
 
 spk:
-	go run github.com/tailscale/tailscale-synology@main --version=build -o tailscale.spk --source=.
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}
+
+spkall:
+	mkdir -p spks
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all
 
 pushspk: spk
-	echo "Pushing SPKG to root@${SYNOHOST} (env var SYNOHOST) ..."
-	scp tailscale.spk root@${SYNOHOST}:
-	ssh root@${SYNOHOST} /usr/syno/bin/synopkg install tailscale.spk
+	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
+	scp tailscale.spk root@${SYNO_HOST}:
+	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk

VERSION.txt

@@ -1 +1 @@
-1.19.0
+1.21.0

api.md

@@ -23,6 +23,11 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
   - [Devices](#tailnet-devices)
     - [GET tailnet devices](#tailnet-devices-get)
+  - [Keys](#tailnet-keys)
+    - [GET tailnet keys](#tailnet-keys-get)
+    - [POST tailnet key](#tailnet-keys-post)
+    - [GET tailnet key](#tailnet-keys-key-get)
+    - [DELETE tailnet key](#tailnet-keys-key-delete)
   - [DNS](#tailnet-dns)
     - [GET tailnet DNS nameservers](#tailnet-dns-nameservers-get)
     - [POST tailnet DNS nameservers](#tailnet-dns-nameservers-post)
@@ -670,6 +675,159 @@ Response
 }
 ```
 
+<a name=tailnet-keys></a>
+
+### Keys
+
+<a name=tailnet-keys-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/keys` - list the keys for a tailnet
+
+Returns a list of active keys for a tailnet
+for the user who owns the API key used to perform this query.
+Supply the tailnet of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+
+Returns a JSON object with the IDs of all active keys.
+This includes both API keys and also machine authentication keys.
+In the future, this may provide more information about each key than just the ID.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys' \
+  -u "tskey-yourapikey123:"
+```
+
+Response:
+```
+{"keys": [
+	{"id": "kYKVU14CNTRL"},
+	{"id": "k68VdZ3CNTRL"},
+	{"id": "kJ9nq43CNTRL"},
+	{"id": "kkThgj1CNTRL"}
+]}
+```
+
+<a name=tailnet-keys-post></a>
+
+#### `POST /api/v2/tailnet/:tailnet/keys` - create a new key for a tailnet
+
+Create a new key in a tailnet associated
+with the user who owns the API key used to perform this request.
+Supply the tailnet in the path.
+
+##### Parameters
+
+###### POST Body
+`capabilities` - A mapping of resources to permissible actions.
+```
+{
+	"capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": false
+      }
+    }
+  }
+}
+```
+
+##### Returns
+
+Returns a JSON object with the provided capabilities in addition to the
+generated key. The key should be recorded and kept safe and secure as it
+wields the capabilities specified in the request. The identity of the key
+is embedded in the key itself and can be used to perform operations on
+the key (e.g., revoking it or retrieving information about it).
+The full key can no longer be retrieved by the server.
+
+##### Example
+
+```
+echo '{
+	"capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": false
+      }
+    }
+  }
+}' | curl -X POST --data-binary @- https://api.tailscale.com/api/v2/tailnet/example.com/keys \
+  -u "tskey-yourapikey123:" \
+  -H "Content-Type: application/json" | jsonfmt
+```
+
+Response:
+```
+{
+	"id":           "k123456CNTRL",
+	"key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
+	"created":      "2021-12-09T23:22:39Z",
+	"expires":      "2022-03-09T23:22:39Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+}
+```
+
+<a name=tailnet-keys-key-get></a>
+
+#### `GET /api/v2/tailnet/:tailnet/keys/:keyid` - get information for a specific key
+
+Returns a JSON object with information about specific key.
+Supply the tailnet and key ID of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+
+Returns a JSON object with information about the key such as
+when it was created and when it expires.
+It also lists the capabilities associated with the key.
+
+##### Example
+
+```
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
+  -u "tskey-yourapikey123:"
+```
+
+Response:
+```
+{
+	"id":           "k123456CNTRL",
+	"created":      "2021-12-09T22:13:53Z",
+	"expires":      "2022-03-09T22:13:53Z",
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+}
+```
+
+<a name=tailnet-keys-key-delete></a>
+
+#### `DELETE /api/v2/tailnet/:tailnet/keys/:keyid` - delete a specific key
+
+Deletes a specific key.
+Supply the tailnet and key ID of interest in the path.
+
+##### Parameters
+No parameters.
+
+##### Returns
+This reports status 200 upon success.
+
+##### Example
+
+```
+curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
+  -u "tskey-yourapikey123:"
+```
+
 <a name=tailnet-dns></a>
 
 ### DNS

build_dist.sh

@@ -45,4 +45,4 @@ EOF
 	exit 0
 fi
 
-exec go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"
+exec ./tool/go build -ldflags "-X tailscale.com/version.Long=${LONG} -X tailscale.com/version.Short=${SHORT} -X tailscale.com/version.GitCommit=${GIT_HASH}" "$@"

build_docker.sh

@@ -19,10 +19,20 @@
 
 set -eu
 
+# Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
+export PATH=$PWD/tool:$PATH
+
 eval $(./build_dist.sh shellvars)
+DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
+DEFAULT_REPOS="tailscale/tailscale,ghcr.io/tailscale/tailscale"
+DEFAULT_BASE="ghcr.io/tailscale/alpine-base:3.14"
+
+PUSH="${PUSH:-false}"
+REPOS="${REPOS:-${DEFAULT_REPOS}}"
+TAGS="${TAGS:-${DEFAULT_TAGS}}"
+BASE="${BASE:-${DEFAULT_BASE}}"
 
 go run github.com/tailscale/mkctr@latest \
-  --base="ghcr.io/tailscale/alpine-base:3.14" \
   --gopaths="\
     tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
     tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
@@ -30,6 +40,7 @@ go run github.com/tailscale/mkctr@latest \
     -X tailscale.com/version.Long=${VERSION_LONG} \
     -X tailscale.com/version.Short=${VERSION_SHORT} \
     -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
-  --tags="v${VERSION_SHORT},v${VERSION_MINOR}" \
-  --repos="tailscale/tailscale,ghcr.io/tailscale/tailscale" \
-  --push
+  --base="${BASE}" \
+  --tags="${TAGS}" \
+  --repos="${REPOS}" \
+  --push="${PUSH}"

client/tailscale/tailscale.go

@@ -104,6 +104,10 @@ func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
 		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
 			onVersionMismatch(version.Long, server)
 		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
 		return res, nil
 	}
 	if ue, ok := err.(*url.Error); ok {
@@ -179,10 +183,6 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 		return nil, err
 	}
 	if res.StatusCode != wantStatus {
-		if res.StatusCode == 403 {
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(slurp))}
-		}
-		err := fmt.Errorf("HTTP %s: %s (expected %v)", res.Status, slurp, wantStatus)
 		return nil, bestError(err, slurp)
 	}
 	return slurp, nil
@@ -240,6 +240,16 @@ func BugReport(ctx context.Context, note string) (string, error) {
 	return strings.TrimSpace(string(body)), nil
 }
 
+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func DebugAction(ctx context.Context, action string) error {
+	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return status(ctx, "")
@@ -284,7 +294,7 @@ func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, siz
 	if err != nil {
 		return nil, 0, err
 	}
-	res, err := DoLocalRequest(req)
+	res, err := doLocalRequestNiceError(req)
 	if err != nil {
 		return nil, 0, err
 	}
@@ -333,7 +343,7 @@ func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name
 		return nil
 	}
 	all, _ := io.ReadAll(res.Body)
-	return fmt.Errorf("%s: %s", res.Status, all)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
 }
 
 func CheckIPForwarding(ctx context.Context) error {

cmd/derper/cert.go

@@ -67,8 +67,8 @@ func NewManualCertManager(certdir, hostname string) (certProvider, error) {
 	if err != nil {
 		return nil, fmt.Errorf("can not load cert: %w", err)
 	}
-	if x509Cert.VerifyHostname(hostname) != nil {
-		return nil, errors.New("refuse to load cert: hostname mismatch with key")
+	if err := x509Cert.VerifyHostname(hostname); err != nil {
+		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
 	}
 	return &manualCertManager{cert: &cert, hostname: hostname}, nil
 }

cmd/derper/derper.go

@@ -51,9 +51,11 @@ var (
 )
 
 var (
-	stats           = new(metrics.Set)
-	stunDisposition = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+	stats             = new(metrics.Set)
+	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
+	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
+	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
+	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
 
 	stunReadError  = stunDisposition.Get("read_error")
 	stunNotSTUN    = stunDisposition.Get("not_stun")
@@ -68,6 +70,8 @@ func init() {
 	stats.Set("counter_requests", stunDisposition)
 	stats.Set("counter_addrfamily", stunAddrFamily)
 	expvar.Publish("stun", stats)
+	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
+	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
 }
 
 type config struct {
@@ -238,6 +242,23 @@ func main() {
 			return cert, nil
 		}
 		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.TLS != nil {
+				label := "unknown"
+				switch r.TLS.Version {
+				case tls.VersionTLS10:
+					label = "1.0"
+				case tls.VersionTLS11:
+					label = "1.1"
+				case tls.VersionTLS12:
+					label = "1.2"
+				case tls.VersionTLS13:
+					label = "1.3"
+				}
+				tlsRequestVersion.Add(label, 1)
+				tlsActiveVersion.Add(label, 1)
+				defer tlsActiveVersion.Add(label, -1)
+			}
+
 			// Set HTTP headers to appease automated security scanners.
 			//
 			// Security automation gets cranky when HTTPS sites don't

cmd/derpprobe/derpprobe.go

@@ -9,7 +9,9 @@ import (
 	"bytes"
 	"context"
 	crand "crypto/rand"
+	"crypto/x509"
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"html"
@@ -38,6 +40,7 @@ var (
 	state         = map[nodePair]pairStatus{}
 	lastDERPMap   *tailcfg.DERPMap
 	lastDERPMapAt time.Time
+	certs         = map[string]*x509.Certificate{}
 )
 
 func main() {
@@ -46,6 +49,13 @@ func main() {
 	log.Fatal(http.ListenAndServe(*listen, http.HandlerFunc(serve)))
 }
 
+func setCert(name string, cert *x509.Certificate) {
+	mu.Lock()
+	defer mu.Unlock()
+	certs[name] = cert
+	log.Printf("Cert %q: not before/after: %v, %v", name, cert.NotBefore, cert.NotAfter)
+}
+
 type overallStatus struct {
 	good, bad []string
 }
@@ -93,6 +103,27 @@ func getOverallStatus() (o overallStatus) {
 			}
 		}
 	}
+
+	var subjs []string
+	for k := range certs {
+		subjs = append(subjs, k)
+	}
+	sort.Strings(subjs)
+	reissueTime := time.Unix(1643226768, 0)     // assume certs before this need reissuance by LetsEncrypt due to ALPN bug
+	soon := time.Now().Add(14 * 24 * time.Hour) // in 2 weeks; autocert does 30 days by default
+	for _, s := range subjs {
+		cert := certs[s]
+		if cert.NotBefore.Before(reissueTime) {
+			o.addBadf("cert %q needs reissuing; NotBefore=%v", s, cert.NotBefore.Format(time.RFC3339))
+			continue
+		}
+		if cert.NotAfter.Before(soon) {
+			o.addBadf("cert %q expiring soon (%v); wasn't auto-refreshed", s, cert.NotAfter.Format(time.RFC3339))
+			continue
+		}
+		o.addGoodf("cert %q good %v - %v", s, cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
+	}
+
 	return
 }
 
@@ -359,6 +390,21 @@ func newConn(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (*de
 	if err != nil {
 		return nil, err
 	}
+	cs, ok := dc.TLSConnectionState()
+	if !ok {
+		dc.Close()
+		return nil, errors.New("no TLS state")
+	}
+	if len(cs.PeerCertificates) == 0 {
+		dc.Close()
+		return nil, errors.New("no peer certificates")
+	}
+	if cs.ServerName != n.HostName {
+		dc.Close()
+		return nil, fmt.Errorf("TLS server name %q != derp hostname %q", cs.ServerName, n.HostName)
+	}
+	setCert(cs.ServerName, cs.PeerCertificates[0])
+
 	errc := make(chan error, 1)
 	go func() {
 		m, err := dc.Recv()

cmd/hello/hello.go

@@ -2,13 +2,15 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// The hello binary runs hello.ipn.dev.
+// The hello binary runs hello.ts.net.
 package main // import "tailscale.com/cmd/hello"
 
 import (
 	"context"
+	"crypto/tls"
 	_ "embed"
 	"encoding/json"
+	"errors"
 	"flag"
 	"html/template"
 	"io/ioutil"
@@ -16,6 +18,7 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"
 
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
@@ -69,11 +72,31 @@ func main() {
 	if *httpsAddr != "" {
 		log.Printf("running HTTPS server on %s", *httpsAddr)
 		go func() {
-			errc <- http.ListenAndServeTLS(*httpsAddr,
-				"/etc/hello/hello.ipn.dev.crt",
-				"/etc/hello/hello.ipn.dev.key",
-				nil,
-			)
+			hs := &http.Server{
+				Addr: *httpsAddr,
+				TLSConfig: &tls.Config{
+					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+						switch hi.ServerName {
+						case "hello.ts.net":
+							return tailscale.GetCertificate(hi)
+						case "hello.ipn.dev":
+							c, err := tls.LoadX509KeyPair(
+								"/etc/hello/hello.ipn.dev.crt",
+								"/etc/hello/hello.ipn.dev.key",
+							)
+							if err != nil {
+								return nil, err
+							}
+							return &c, nil
+						}
+						return nil, errors.New("invalid SNI name")
+					},
+				},
+				IdleTimeout:       30 * time.Second,
+				ReadHeaderTimeout: 20 * time.Second,
+				MaxHeaderBytes:    10 << 10,
+			}
+			errc <- hs.ListenAndServeTLS("", "")
 		}()
 	}
 	log.Fatal(<-errc)
@@ -127,8 +150,9 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 func root(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil && *httpsAddr != "" {
 		host := r.Host
-		if strings.Contains(r.Host, "100.101.102.103") {
-			host = "hello.ipn.dev"
+		if strings.Contains(r.Host, "100.101.102.103") ||
+			strings.Contains(r.Host, "hello.ipn.dev") {
+			host = "hello.ts.net"
 		}
 		http.Redirect(w, r, "https://"+host, http.StatusFound)
 		return
@@ -137,6 +161,10 @@ func root(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
+	if r.TLS != nil && *httpsAddr != "" && strings.Contains(r.Host, "hello.ipn.dev") {
+		http.Redirect(w, r, "https://hello.ts.net", http.StatusFound)
+		return
+	}
 	tmpl, err := getTmpl()
 	if err != nil {
 		w.Header().Set("Content-Type", "text/plain")

cmd/printdep/printdep.go

@@ -0,0 +1,46 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The printdep command is a build system tool for printing out information
+// about dependencies.
+package main
+
+import (
+	"flag"
+	"fmt"
+	"log"
+	"runtime"
+	"strings"
+
+	ts "tailscale.com"
+)
+
+var (
+	goToolchain    = flag.Bool("go", false, "print the supported Go toolchain git hash (a github.com/tailscale/go commit)")
+	goToolchainURL = flag.Bool("go-url", false, "print the URL to the tarball of the Tailscale Go toolchain")
+)
+
+func main() {
+	flag.Parse()
+	if *goToolchain {
+		fmt.Println(strings.TrimSpace(ts.GoToolchainRev))
+	}
+	if *goToolchainURL {
+		var suffix string
+		switch runtime.GOARCH {
+		case "amd64":
+			// None
+		case "arm64":
+			suffix = "-" + runtime.GOARCH
+		default:
+			log.Fatalf("unsupported GOARCH %q", runtime.GOARCH)
+		}
+		switch runtime.GOOS {
+		case "linux", "darwin":
+		default:
+			log.Fatalf("unsupported GOOS %q", runtime.GOOS)
+		}
+		fmt.Printf("https://github.com/tailscale/go/releases/download/build-%s/%s%s.tar.gz\n", strings.TrimSpace(ts.GoToolchainRev), runtime.GOOS, suffix)
+	}
+}

cmd/tailscale/cli/cert.go

@@ -13,7 +13,6 @@ import (
 	"log"
 	"net/http"
 	"os"
-	"runtime"
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
@@ -92,9 +91,6 @@ func runCert(ctx context.Context, args []string) error {
 		certArgs.keyFile = domain + ".key"
 	}
 	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
-	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
-		return fmt.Errorf("%v\n\nUse 'sudo tailscale cert' or 'tailscale up --operator=$USER' to not require root.", err)
-	}
 	if err != nil {
 		return err
 	}
@@ -108,7 +104,7 @@ func runCert(ctx context.Context, args []string) error {
 		if version.IsMacSysExt() {
 			dir = "io.tailscale.ipn.macsys"
 		}
-		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s\n", dir)
+		printf("Warning: the macOS CLI runs in a sandbox; this binary's filesystem writes go to $HOME/Library/Containers/%s/Data\n", dir)
 	}
 	if certArgs.certFile != "" {
 		certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)

cmd/tailscale/cli/cli.go

@@ -171,6 +171,9 @@ change in the future.
 	})
 
 	err := rootCmd.Run(context.Background())
+	if tailscale.IsAccessDeniedError(err) && os.Getuid() != 0 && runtime.GOOS != "windows" {
+		return fmt.Errorf("%v\n\nUse 'sudo tailscale %s' or 'tailscale up --operator=$USER' to not require root.", err, strings.Join(args, " "))
+	}
 	if errors.Is(err, flag.ErrHelp) {
 		return nil
 	}

cmd/tailscale/cli/cli_test.go

@@ -786,6 +786,16 @@ func TestUpdatePrefs(t *testing.T) {
 			wantSimpleUp:   true,
 			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
 		},
+		{
+			name:  "just_edit_reset",
+			flags: []string{"--reset"},
+			curPrefs: &ipn.Prefs{
+				ControlURL: ipn.DefaultControlURL,
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
+			},
+			env:            upCheckEnv{backendState: "Running"},
+			wantJustEditMP: &ipn.MaskedPrefs{WantRunningSet: true},
+		},
 		{
 			name:  "control_synonym",
 			flags: []string{},

cmd/tailscale/cli/debug.go

@@ -70,6 +70,16 @@ var debugCmd = &ffcli.Command{
 			Exec:      runLocalCreds,
 			ShortHelp: "print how to access Tailscale local API",
 		},
+		{
+			Name:      "restun",
+			Exec:      localAPIAction("restun"),
+			ShortHelp: "force a magicsock restun",
+		},
+		{
+			Name:      "rebind",
+			Exec:      localAPIAction("rebind"),
+			ShortHelp: "force a magicsock rebind",
+		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
@@ -244,6 +254,15 @@ func runDERPMap(ctx context.Context, args []string) error {
 	return nil
 }
 
+func localAPIAction(action string) func(context.Context, []string) error {
+	return func(ctx context.Context, args []string) error {
+		if len(args) > 0 {
+			return errors.New("unexpected arguments")
+		}
+		return tailscale.DebugAction(ctx, action)
+	}
+}
+
 func runEnv(ctx context.Context, args []string) error {
 	for _, e := range os.Environ() {
 		outln(e)

cmd/tailscale/cli/file.go

@@ -16,7 +16,6 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"time"
 	"unicode/utf8"
@@ -26,6 +25,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
@@ -148,7 +148,7 @@ func runCp(ctx context.Context, args []string) error {
 				name = filepath.Base(fileArg)
 			}
 
-			if slow, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_SLOW_PUSH")); slow {
+			if envknob.Bool("TS_DEBUG_SLOW_PUSH") {
 				fileContents = &slowReader{r: fileContents}
 			}
 		}
@@ -324,7 +324,7 @@ func runFileGet(ctx context.Context, args []string) error {
 	for {
 		wfs, err = tailscale.WaitingFiles(ctx)
 		if err != nil {
-			return fmt.Errorf("getting WaitingFiles: %v", err)
+			return fmt.Errorf("getting WaitingFiles: %w", err)
 		}
 		if len(wfs) != 0 || !getArgs.wait {
 			break
@@ -379,7 +379,7 @@ func wipeInbox(ctx context.Context) error {
 	}
 	wfs, err := tailscale.WaitingFiles(ctx)
 	if err != nil {
-		return fmt.Errorf("getting WaitingFiles: %v", err)
+		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
 	deleted := 0
 	for _, wf := range wfs {

cmd/tailscale/cli/netcheck.go

@@ -13,13 +13,13 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
-	"os"
 	"sort"
 	"strings"
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
 	"tailscale.com/net/portmapper"
@@ -49,7 +49,7 @@ var netcheckArgs struct {
 
 func runNetcheck(ctx context.Context, args []string) error {
 	c := &netcheck.Client{
-		UDPBindAddr: os.Getenv("TS_DEBUG_NETCHECK_UDP_BIND"),
+		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
 		PortMapper:  portmapper.NewClient(logger.WithPrefix(log.Printf, "portmap: "), nil),
 	}
 	if netcheckArgs.verbose {

cmd/tailscale/cli/ping.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"log"
 	"net"
+	"os"
 	"strings"
 	"time"
 
@@ -64,6 +65,16 @@ var pingArgs struct {
 }
 
 func runPing(ctx context.Context, args []string) error {
+	st, err := tailscale.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()
 

cmd/tailscale/cli/status.go

@@ -121,24 +121,10 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}
 
-	switch st.BackendState {
-	default:
-		fmt.Fprintf(Stderr, "unexpected state: %s\n", st.BackendState)
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		outln(description)
 		os.Exit(1)
-	case ipn.Stopped.String():
-		outln("Tailscale is stopped.")
-		os.Exit(1)
-	case ipn.NeedsLogin.String():
-		outln("Logged out.")
-		if st.AuthURL != "" {
-			printf("\nLog in at: %s\n", st.AuthURL)
-		}
-		os.Exit(1)
-	case ipn.NeedsMachineAuth.String():
-		outln("Machine is not yet authorized by tailnet admin.")
-		os.Exit(1)
-	case ipn.Running.String(), ipn.Starting.String():
-		// Run below.
 	}
 
 	if len(st.Health) > 0 {
@@ -222,6 +208,27 @@ func runStatus(ctx context.Context, args []string) error {
 	return nil
 }
 
+// isRunningOrStarting reports whether st is in state Running or Starting.
+// It also returns a description of the status suitable to display to a user.
+func isRunningOrStarting(st *ipnstate.Status) (description string, ok bool) {
+	switch st.BackendState {
+	default:
+		return fmt.Sprintf("unexpected state: %s", st.BackendState), false
+	case ipn.Stopped.String():
+		return "Tailscale is stopped.", false
+	case ipn.NeedsLogin.String():
+		s := "Logged out."
+		if st.AuthURL != "" {
+			s += fmt.Sprintf("\nLog in at: %s", st.AuthURL)
+		}
+		return s, false
+	case ipn.NeedsMachineAuth.String():
+		return "Machine is not yet authorized by tailnet admin.", false
+	case ipn.Running.String(), ipn.Starting.String():
+		return st.BackendState, true
+	}
+}
+
 func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
 	if baseName != "" {

cmd/tailscale/cli/up.go

@@ -24,6 +24,7 @@ import (
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/safesocket"
@@ -81,6 +82,8 @@ func acceptRouteDefault(goos string) bool {
 
 var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgs)
 
+func inTest() bool { return flag.Lookup("test.v") != nil }
+
 func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf := newFlagSet("up")
 
@@ -96,6 +99,9 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+	if envknob.UseWIPCode() || inTest() {
+		upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
+	}
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
 	upf.StringVar(&upArgs.authKeyOrFile, "authkey", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
@@ -131,6 +137,7 @@ type upArgsT struct {
 	exitNodeIP             string
 	exitNodeAllowLANAccess bool
 	shieldsUp              bool
+	runSSH                 bool
 	forceReauth            bool
 	forceDaemon            bool
 	advertiseRoutes        string
@@ -352,6 +359,7 @@ func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goo
 	prefs.CorpDNS = upArgs.acceptDNS
 	prefs.AllowSingleHosts = upArgs.singleRoutes
 	prefs.ShieldsUp = upArgs.shieldsUp
+	prefs.RunSSH = upArgs.runSSH
 	prefs.AdvertiseRoutes = routes
 	prefs.AdvertiseTags = tags
 	prefs.Hostname = upArgs.hostname
@@ -413,7 +421,6 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 
 	justEdit := env.backendState == ipn.Running.String() &&
 		!env.upArgs.forceReauth &&
-		!env.upArgs.reset &&
 		env.upArgs.authKeyOrFile == "" &&
 		!controlURLChanged &&
 		!tagsChanged
@@ -713,6 +720,7 @@ func init() {
 	addPrefFlagMapping("exit-node-allow-lan-access", "ExitNodeAllowLANAccess")
 	addPrefFlagMapping("unattended", "ForceDaemon")
 	addPrefFlagMapping("operator", "OperatorUser")
+	addPrefFlagMapping("ssh", "RunSSH")
 }
 
 func addPrefFlagMapping(flagName string, prefNames ...string) {
@@ -903,6 +911,8 @@ func prefsToFlags(env upCheckEnv, prefs *ipn.Prefs) (flagVal map[string]interfac
 		switch f.Name {
 		default:
 			panic(fmt.Sprintf("unhandled flag %q", f.Name))
+		case "ssh":
+			set(prefs.RunSSH)
 		case "login-server":
 			set(prefs.ControlURL)
 		case "accept-routes":

cmd/tailscale/cli/web.go

@@ -270,14 +270,14 @@ func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
 	// We need a SynoToken for authenticate.cgi.
 	// So we tell the client to get one.
 	serverURL := r.URL.Scheme + "://" + r.URL.Host
-	fmt.Fprintf(w, synoTokenRedirectHTML, serverURL)
+	synoTokenRedirectHTML.Execute(w, serverURL)
 	return true
 }
 
-const synoTokenRedirectHTML = `<html><body>
+var synoTokenRedirectHTML = template.Must(template.New("redirect").Parse(`<html><body>
 Redirecting with session token...
 <script>
-var serverURL = %q;
+var serverURL = {{ . }};
 var req = new XMLHttpRequest();
 req.overrideMimeType("application/json");
 req.open("GET", serverURL + "/webman/login.cgi", true);
@@ -289,7 +289,7 @@ req.onload = function() {
 req.send(null);
 </script>
 </body></html>
-`
+`))
 
 func webHandler(w http.ResponseWriter, r *http.Request) {
 	if authRedirect(w, r) {
@@ -375,7 +375,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			data.AdvertiseExitNode = true
 		} else {
 			if data.AdvertiseRoutes != "" {
-				data.AdvertiseRoutes = ","
+				data.AdvertiseRoutes += ","
 			}
 			data.AdvertiseRoutes += r.String()
 		}

cmd/tailscale/depaware.txt

@@ -38,6 +38,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
    L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
         tailscale.com/disco                                          from tailscale.com/derp
+        tailscale.com/envknob                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/hostinfo                                       from tailscale.com/net/interfaces
         tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
         tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
@@ -47,6 +48,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter

cmd/tailscaled/debug.go

@@ -24,6 +24,7 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/portmapper"
@@ -224,7 +225,7 @@ func debugPortmap(ctx context.Context) error {
 	defer cancel()
 
 	portmapper.VerboseLogs = true
-	switch os.Getenv("TS_DEBUG_PORTMAP_TYPE") {
+	switch envknob.String("TS_DEBUG_PORTMAP_TYPE") {
 	case "":
 	case "pmp":
 		portmapper.DisablePCP = true

cmd/tailscaled/depaware.txt

@@ -3,6 +3,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+   L    github.com/anmitsu/go-shlex                                  from github.com/gliderlabs/ssh
    L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
    L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/aws
@@ -60,11 +61,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
    L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
    L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+   L 💣 github.com/creack/pty                                        from tailscale.com/wgengine/netstack
+   L    github.com/gliderlabs/ssh                                    from tailscale.com/wgengine/netstack
    W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
    W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
    L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
         github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
+        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
    L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
    L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
    L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
@@ -115,46 +118,46 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device
      💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
    W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/cmd/tailscaled+
+        gvisor.dev/gvisor/pkg/atomicbitops                           from gvisor.dev/gvisor/pkg/tcpip+
+     💣 gvisor.dev/gvisor/pkg/buffer                                 from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/context                                from gvisor.dev/gvisor/pkg/refs+
+     💣 gvisor.dev/gvisor/pkg/gohacks                                from gvisor.dev/gvisor/pkg/state/wire+
+        gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
+        gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
+        gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/refsvfs2
+        gvisor.dev/gvisor/pkg/refsvfs2                               from gvisor.dev/gvisor/pkg/tcpip/stack
+     💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
+     💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
+        gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
+     💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
+     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
+        gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/internal/tcp                     from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/link/channel                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/network/hash                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/fragmentation   from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/internal/ip              from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv4                     from tailscale.com/net/tstun+
+        gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
+        gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
+     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+     💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
         inet.af/netaddr                                              from inet.af/wf+
-        inet.af/netstack/atomicbitops                                from inet.af/netstack/tcpip+
-     💣 inet.af/netstack/buffer                                      from inet.af/netstack/tcpip/stack
-        inet.af/netstack/context                                     from inet.af/netstack/refs+
-     💣 inet.af/netstack/gohacks                                     from inet.af/netstack/state/wire+
-        inet.af/netstack/linewriter                                  from inet.af/netstack/log
-        inet.af/netstack/log                                         from inet.af/netstack/state+
-        inet.af/netstack/rand                                        from inet.af/netstack/tcpip/network/hash+
-        inet.af/netstack/refs                                        from inet.af/netstack/refsvfs2
-        inet.af/netstack/refsvfs2                                    from inet.af/netstack/tcpip/stack
-     💣 inet.af/netstack/sleep                                       from inet.af/netstack/tcpip/transport/tcp
-     💣 inet.af/netstack/state                                       from inet.af/netstack/atomicbitops+
-        inet.af/netstack/state/wire                                  from inet.af/netstack/state
-     💣 inet.af/netstack/sync                                        from inet.af/netstack/linewriter+
-        inet.af/netstack/tcpip                                       from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/adapters/gonet                        from tailscale.com/wgengine/netstack
-     💣 inet.af/netstack/tcpip/buffer                                from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/hash/jenkins                          from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/header                                from inet.af/netstack/tcpip/header/parse+
-        inet.af/netstack/tcpip/header/parse                          from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/internal/tcp                          from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/link/channel                          from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/network/hash                          from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/internal/fragmentation        from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/internal/ip                   from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/net/tstun+
-        inet.af/netstack/tcpip/network/ipv6                          from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/ports                                 from inet.af/netstack/tcpip/stack+
-        inet.af/netstack/tcpip/seqnum                                from inet.af/netstack/tcpip/header+
-     💣 inet.af/netstack/tcpip/stack                                 from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/transport                             from inet.af/netstack/tcpip/transport/icmp+
-        inet.af/netstack/tcpip/transport/icmp                        from tailscale.com/wgengine/netstack
-        inet.af/netstack/tcpip/transport/internal/network            from inet.af/netstack/tcpip/transport/icmp+
-        inet.af/netstack/tcpip/transport/internal/noop               from inet.af/netstack/tcpip/transport/raw
-        inet.af/netstack/tcpip/transport/packet                      from inet.af/netstack/tcpip/transport/raw
-        inet.af/netstack/tcpip/transport/raw                         from inet.af/netstack/tcpip/transport/icmp+
-     💣 inet.af/netstack/tcpip/transport/tcp                         from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/tcpip/transport/tcpconntrack                from inet.af/netstack/tcpip/stack
-        inet.af/netstack/tcpip/transport/udp                         from inet.af/netstack/tcpip/adapters/gonet+
-        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
         inet.af/peercred                                             from tailscale.com/ipn/ipnserver
    W 💣 inet.af/wf                                                   from tailscale.com/wf
    L    nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
@@ -171,6 +174,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
    L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
         tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/envknob                                        from tailscale.com/cmd/tailscaled+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
         tailscale.com/ipn                                            from tailscale.com/client/tailscale+
@@ -181,13 +185,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/ipn/store/aws                                  from tailscale.com/ipn/ipnserver
         tailscale.com/kube                                           from tailscale.com/ipn
-        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
+        tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
         tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
-        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
+        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
         tailscale.com/logtail                                        from tailscale.com/logpolicy+
         tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
         tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-     💣 tailscale.com/metrics                                        from tailscale.com/derp
+     💣 tailscale.com/metrics                                        from tailscale.com/derp+
         tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
         tailscale.com/net/dns/resolver                               from tailscale.com/net/dns+
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -195,6 +199,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
      💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
+        tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
         tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
      💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
@@ -218,6 +223,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
         tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tsweb                                          from tailscale.com/cmd/tailscaled
         tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
@@ -253,7 +259,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
         tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine+
         tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
+     💣 tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
         tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
         tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
@@ -262,16 +268,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+   L    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from crypto/tls+
+   L    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh
         golang.org/x/crypto/hkdf                                     from crypto/tls
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/crypto/ssh                                      from github.com/gliderlabs/ssh+
         golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from net/http+
@@ -297,26 +306,26 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
         golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
         golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from inet.af/netstack/tcpip/stack+
+        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
         bufio                                                        from compress/flate+
         bytes                                                        from bufio+
         compress/flate                                               from compress/gzip+
         compress/gzip                                                from internal/profile+
-        container/heap                                               from inet.af/netstack/tcpip/transport/tcp
+        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
         container/list                                               from crypto/tls+
         context                                                      from crypto/tls+
         crypto                                                       from crypto/ecdsa+
         crypto/aes                                                   from crypto/ecdsa+
         crypto/cipher                                                from crypto/aes+
         crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
+        crypto/dsa                                                   from crypto/x509+
         crypto/ecdsa                                                 from crypto/tls+
         crypto/ed25519                                               from crypto/tls+
         crypto/elliptic                                              from crypto/ecdsa+
         crypto/hmac                                                  from crypto/tls+
         crypto/md5                                                   from crypto/tls+
         crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
+        crypto/rc4                                                   from crypto/tls+
         crypto/rsa                                                   from crypto/tls+
         crypto/sha1                                                  from crypto/tls+
         crypto/sha256                                                from crypto/tls+
@@ -340,7 +349,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         fmt                                                          from compress/flate+
         hash                                                         from crypto+
         hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from inet.af/netstack/tcpip/network/ipv6+
+        hash/fnv                                                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv6+
         hash/maphash                                                 from go4.org/mem
         html                                                         from net/http/pprof+
         io                                                           from bufio+

cmd/tailscaled/tailscaled.go

@@ -23,12 +23,12 @@ import (
 	"path/filepath"
 	"runtime"
 	"runtime/debug"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"
 
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
@@ -41,6 +41,7 @@ import (
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
+	"tailscale.com/tsweb"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -223,7 +224,7 @@ func statePathOrDefault() string {
 func ipnServerOpts() (o ipnserver.Options) {
 	// Allow changing the OS-specific IPN behavior for tests
 	// so we can e.g. test Windows-specific behaviors on Linux.
-	goos := os.Getenv("TS_DEBUG_TAILSCALED_IPN_GOOS")
+	goos := envknob.String("TS_DEBUG_TAILSCALED_IPN_GOOS")
 	if goos == "" {
 		goos = runtime.GOOS
 	}
@@ -271,13 +272,13 @@ func run() error {
 	}
 
 	var logf logger.Logf = log.Printf
-	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_MEMORY")); v {
+	if envknob.Bool("TS_DEBUG_MEMORY") {
 		logf = logger.RusagePrefixLog(logf)
 	}
 	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)
 
 	if args.cleanup {
-		if os.Getenv("TS_PLEASE_PANIC") != "" {
+		if envknob.Bool("TS_PLEASE_PANIC") {
 			panic("TS_PLEASE_PANIC asked us to panic")
 		}
 		dns.Cleanup(logf, args.tunname)
@@ -295,7 +296,6 @@ func run() error {
 	var debugMux *http.ServeMux
 	if args.debug != "" {
 		debugMux = newDebugMux()
-		go runDebugServer(debugMux, args.debug)
 	}
 
 	linkMon, err := monitor.New(logf)
@@ -314,6 +314,14 @@ func run() error {
 	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
 		panic("internal error: exit node resolver not wired up")
 	}
+	if debugMux != nil {
+		if ig, ok := e.(wgengine.InternalsGetter); ok {
+			if _, mc, ok := ig.GetInternals(); ok {
+				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
+			}
+		}
+		go runDebugServer(debugMux, args.debug)
+	}
 
 	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
@@ -321,9 +329,6 @@ func run() error {
 	}
 	ns.ProcessLocalIPs = useNetstack
 	ns.ProcessSubnets = useNetstack || wrapNetstack
-	if err := ns.Start(); err != nil {
-		return fmt.Errorf("failed to start netstack: %w", err)
-	}
 
 	if useNetstack {
 		dialer.UseNetstackForIP = func(ip netaddr.IP) bool {
@@ -334,7 +339,6 @@ func run() error {
 			return ns.DialContextTCP(ctx, dst)
 		}
 	}
-
 	if socksListener != nil || httpProxyListener != nil {
 		if httpProxyListener != nil {
 			hs := &http.Server{Handler: httpProxyHandler(dialer.UserDial)}
@@ -384,6 +388,10 @@ func run() error {
 	if err != nil {
 		return fmt.Errorf("ipnserver.New: %w", err)
 	}
+	ns.SetLocalBackend(srv.LocalBackend())
+	if err := ns.Start(); err != nil {
+		log.Fatalf("failed to start netstack: %v", err)
+	}
 
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
@@ -423,11 +431,7 @@ func createEngine(logf logger.Logf, linkMon *monitor.Mon, dialer *tsdial.Dialer)
 var wrapNetstack = shouldWrapNetstack()
 
 func shouldWrapNetstack() bool {
-	if e := os.Getenv("TS_DEBUG_WRAP_NETSTACK"); e != "" {
-		v, err := strconv.ParseBool(e)
-		if err != nil {
-			log.Fatalf("invalid TS_DEBUG_WRAP_NETSTACK value: %v", err)
-		}
+	if v, ok := envknob.LookupBool("TS_DEBUG_WRAP_NETSTACK"); ok {
 		return v
 	}
 	if distro.Get() == distro.Synology {
@@ -507,6 +511,7 @@ func newDebugMux() *http.ServeMux {
 
 func servePrometheusMetrics(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/plain")
+	tsweb.VarzHandler(w, r)
 	clientmetric.WritePrometheusExpositionFormat(w)
 }
 

cmd/tailscaled/tailscaled_windows.go

@@ -29,6 +29,7 @@ import (
 	"golang.org/x/sys/windows/svc"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
@@ -55,6 +56,11 @@ func isWindowsService() bool {
 	return v
 }
 
+// runWindowsService starts running Tailscale under the Windows
+// Service environment.
+//
+// At this point we're still the parent process that
+// Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
 	return svc.Run(serviceName, &ipnService{Policy: pol})
 }
@@ -93,6 +99,7 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 		select {
 		case <-doneCh:
 		case cmd := <-r:
+			log.Printf("Got Windows Service event: %v", cmdName(cmd.Cmd))
 			switch cmd.Cmd {
 			case svc.Stop:
 				cancel()
@@ -109,6 +116,42 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	return false, windows.NO_ERROR
 }
 
+func cmdName(c svc.Cmd) string {
+	switch c {
+	case svc.Stop:
+		return "Stop"
+	case svc.Pause:
+		return "Pause"
+	case svc.Continue:
+		return "Continue"
+	case svc.Interrogate:
+		return "Interrogate"
+	case svc.Shutdown:
+		return "Shutdown"
+	case svc.ParamChange:
+		return "ParamChange"
+	case svc.NetBindAdd:
+		return "NetBindAdd"
+	case svc.NetBindRemove:
+		return "NetBindRemove"
+	case svc.NetBindEnable:
+		return "NetBindEnable"
+	case svc.NetBindDisable:
+		return "NetBindDisable"
+	case svc.DeviceEvent:
+		return "DeviceEvent"
+	case svc.HardwareProfileChange:
+		return "HardwareProfileChange"
+	case svc.PowerEvent:
+		return "PowerEvent"
+	case svc.SessionChange:
+		return "SessionChange"
+	case svc.PreShutdown:
+		return "PreShutdown"
+	}
+	return fmt.Sprintf("Unknown-Service-Cmd-%d", c)
+}
+
 func beWindowsSubprocess() bool {
 	if beFirewallKillswitch() {
 		return true
@@ -272,7 +315,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 	// not called concurrently and is not called again once it
 	// successfully returns an engine.
 	getEngine := func() (wgengine.Engine, error) {
-		if msg := os.Getenv("TS_DEBUG_WIN_FAIL"); msg != "" {
+		if msg := envknob.String("TS_DEBUG_WIN_FAIL"); msg != "" {
 			return nil, fmt.Errorf("pretending to be a service failure: %v", msg)
 		}
 		for {

control/controlbase/conn.go

@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package noise implements the base transport of the Tailscale 2021
-// control protocol.
+// Package controlbase implements the base transport of the Tailscale
+// 2021 control protocol.
 //
 // The base transport implements Noise IK, instantiated with
 // Curve25519, ChaCha20Poly1305 and BLAKE2s.
-package noise
+package controlbase
 
 import (
 	"crypto/cipher"

control/controlbase/conn_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package noise
+package controlbase
 
 import (
 	"bufio"
@@ -202,7 +202,7 @@ func TestConnStd(t *testing.T) {
 		serverErr := make(chan error, 1)
 		go func() {
 			var err error
-			c2, err = Server(context.Background(), s2, controlKey)
+			c2, err = Server(context.Background(), s2, controlKey, nil)
 			serverErr <- err
 		}()
 		c1, err = Client(context.Background(), s1, machineKey, controlKey.Public())
@@ -319,7 +319,7 @@ func pairWithConns(t *testing.T, clientConn, serverConn net.Conn) (*Conn, *Conn)
 	)
 	go func() {
 		var err error
-		server, err = Server(context.Background(), serverConn, controlKey)
+		server, err = Server(context.Background(), serverConn, controlKey, nil)
 		serverErr <- err
 	}()
 

control/controlbase/handshake.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package noise
+package controlbase
 
 import (
 	"context"
@@ -50,21 +50,23 @@ func protocolVersionPrologue(version uint16) []byte {
 	return strconv.AppendUint(ret, uint64(version), 10)
 }
 
-// Client initiates a control client handshake, returning the resulting
-// control connection.
-//
-// The context deadline, if any, covers the entire handshaking
-// process. Any preexisting Conn deadline is removed.
-func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
-	if deadline, ok := ctx.Deadline(); ok {
-		if err := conn.SetDeadline(deadline); err != nil {
-			return nil, fmt.Errorf("setting conn deadline: %w", err)
-		}
-		defer func() {
-			conn.SetDeadline(time.Time{})
-		}()
-	}
+// HandshakeContinuation upgrades a net.Conn to a Conn. The net.Conn
+// is assumed to have already sent the client>server handshake
+// initiation message.
+type HandshakeContinuation func(context.Context, net.Conn) (*Conn, error)
 
+// ClientDeferred initiates a control client handshake, returning the
+// initial message to send to the server and a continuation to
+// finalize the handshake.
+//
+// ClientDeferred is split in this way for RTT reduction: we run this
+// protocol after negotiating a protocol switch from HTTP/HTTPS. If we
+// completely serialized the negotiation followed by the handshake,
+// we'd pay an extra RTT to transmit the handshake initiation after
+// protocol switching. By splitting the handshake into an initial
+// message and a continuation, we can embed the handshake initiation
+// into the HTTP protocol switching request and avoid a bit of delay.
+func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic) (initialHandshake []byte, continueHandshake HandshakeContinuation, err error) {
 	var s symmetricState
 	s.Initialize()
 
@@ -83,18 +85,53 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 	s.MixHash(machineEphemeralPub.UntypedBytes())
 	cipher, err := s.MixDH(machineEphemeral, controlKey)
 	if err != nil {
-		return nil, fmt.Errorf("computing es: %w", err)
+		return nil, nil, fmt.Errorf("computing es: %w", err)
 	}
 	machineKeyPub := machineKey.Public()
 	s.EncryptAndHash(cipher, init.MachinePub(), machineKeyPub.UntypedBytes())
 	cipher, err = s.MixDH(machineKey, controlKey)
 	if err != nil {
-		return nil, fmt.Errorf("computing ss: %w", err)
+		return nil, nil, fmt.Errorf("computing ss: %w", err)
 	}
 	s.EncryptAndHash(cipher, init.Tag(), nil) // empty message payload
 
-	if _, err := conn.Write(init[:]); err != nil {
-		return nil, fmt.Errorf("writing initiation: %w", err)
+	cont := func(ctx context.Context, conn net.Conn) (*Conn, error) {
+		return continueClientHandshake(ctx, conn, &s, machineKey, machineEphemeral, controlKey)
+	}
+	return init[:], cont, nil
+}
+
+// Client wraps ClientDeferred and immediately invokes the returned
+// continuation with conn.
+//
+// This is a helper for when you don't need the fancy
+// continuation-style handshake, and just want to synchronously
+// upgrade a net.Conn to a secure transport.
+func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
+	init, cont, err := ClientDeferred(machineKey, controlKey)
+	if err != nil {
+		return nil, err
+	}
+	if _, err := conn.Write(init); err != nil {
+		return nil, err
+	}
+	return cont(ctx, conn)
+}
+
+func continueClientHandshake(ctx context.Context, conn net.Conn, s *symmetricState, machineKey, machineEphemeral key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
+	// No matter what, this function can only run once per s. Ensure
+	// attempted reuse causes a panic.
+	defer func() {
+		s.finished = true
+	}()
+
+	if deadline, ok := ctx.Deadline(); ok {
+		if err := conn.SetDeadline(deadline); err != nil {
+			return nil, fmt.Errorf("setting conn deadline: %w", err)
+		}
+		defer func() {
+			conn.SetDeadline(time.Time{})
+		}()
 	}
 
 	// Read in the payload and look for errors/protocol violations from the server.
@@ -122,10 +159,10 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 	// <- e, ee, se
 	controlEphemeralPub := key.MachinePublicFromRaw32(mem.B(resp.EphemeralPub()))
 	s.MixHash(controlEphemeralPub.UntypedBytes())
-	if _, err = s.MixDH(machineEphemeral, controlEphemeralPub); err != nil {
+	if _, err := s.MixDH(machineEphemeral, controlEphemeralPub); err != nil {
 		return nil, fmt.Errorf("computing ee: %w", err)
 	}
-	cipher, err = s.MixDH(machineKey, controlEphemeralPub)
+	cipher, err := s.MixDH(machineKey, controlEphemeralPub)
 	if err != nil {
 		return nil, fmt.Errorf("computing se: %w", err)
 	}
@@ -156,9 +193,13 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 // Server initiates a control server handshake, returning the resulting
 // control connection.
 //
+// optionalInit can be the client's initial handshake message as
+// returned by ClientDeferred, or nil in which case the initial
+// message is read from conn.
+//
 // The context deadline, if any, covers the entire handshaking
 // process.
-func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (*Conn, error) {
+func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate, optionalInit []byte) (*Conn, error) {
 	if deadline, ok := ctx.Deadline(); ok {
 		if err := conn.SetDeadline(deadline); err != nil {
 			return nil, fmt.Errorf("setting conn deadline: %w", err)
@@ -190,7 +231,12 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (
 	s.Initialize()
 
 	var init initiationMessage
-	if _, err := io.ReadFull(conn, init.Header()); err != nil {
+	if optionalInit != nil {
+		if len(optionalInit) != len(init) {
+			return nil, sendErr("wrong handshake initiation size")
+		}
+		copy(init[:], optionalInit)
+	} else if _, err := io.ReadFull(conn, init.Header()); err != nil {
 		return nil, err
 	}
 	if init.Version() != protocolVersion {
@@ -202,8 +248,11 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate) (
 	if init.Length() != len(init.Payload()) {
 		return nil, sendErr("wrong handshake initiation length")
 	}
-	if _, err := io.ReadFull(conn, init.Payload()); err != nil {
-		return nil, err
+	// if optionalInit was provided, we have the payload already.
+	if optionalInit == nil {
+		if _, err := io.ReadFull(conn, init.Payload()); err != nil {
+			return nil, err
+		}
 	}
 
 	// prologue. Can only do this once we at least think the client is

control/controlbase/handshake_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package noise
+package controlbase
 
 import (
 	"bytes"
@@ -26,7 +26,7 @@ func TestHandshake(t *testing.T) {
 	)
 	go func() {
 		var err error
-		server, err = Server(context.Background(), serverConn, serverKey)
+		server, err = Server(context.Background(), serverConn, serverKey, nil)
 		serverErr <- err
 	}()
 
@@ -78,7 +78,7 @@ func TestNoReuse(t *testing.T) {
 		)
 		go func() {
 			var err error
-			server, err = Server(context.Background(), serverConn, serverKey)
+			server, err = Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 		}()
 
@@ -172,7 +172,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			_, err := Server(context.Background(), serverConn, serverKey)
+			_, err := Server(context.Background(), serverConn, serverKey, nil)
 			// If the server failed, we have to close the Conn to
 			// unblock the client.
 			if err != nil {
@@ -200,7 +200,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			_, err := Server(context.Background(), serverConn, serverKey)
+			_, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 		}()
 
@@ -225,7 +225,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			server, err := Server(context.Background(), serverConn, serverKey)
+			server, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 			_, err = io.WriteString(server, strings.Repeat("a", 14))
 			serverErr <- err
@@ -266,7 +266,7 @@ func TestTampering(t *testing.T) {
 			serverErr             = make(chan error, 1)
 		)
 		go func() {
-			server, err := Server(context.Background(), serverConn, serverKey)
+			server, err := Server(context.Background(), serverConn, serverKey, nil)
 			serverErr <- err
 			var bs [100]byte
 			// The server needs a timeout if the tampering is hitting the length header.

control/controlbase/interop_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package noise
+package controlbase
 
 import (
 	"context"
@@ -29,7 +29,7 @@ func TestInteropClient(t *testing.T) {
 	)
 
 	go func() {
-		server, err := Server(context.Background(), s2, controlKey)
+		server, err := Server(context.Background(), s2, controlKey, nil)
 		serverErr <- err
 		if err != nil {
 			return

control/controlbase/messages.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-package noise
+package controlbase
 
 import "encoding/binary"
 

control/controlbase/noiseexplorer_test.go

@@ -24,7 +24,7 @@ IK:
  * PARAMETERS                                                       *
  * ---------------------------------------------------------------- */
 
-package noise
+package controlbase
 
 import (
 	"crypto/rand"

control/controlclient/direct.go

@@ -21,7 +21,6 @@ import (
 	"os/exec"
 	"reflect"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -30,6 +29,7 @@ import (
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
+	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
@@ -874,8 +874,8 @@ func decode(res *http.Response, v interface{}, serverKey key.MachinePublic, mkey
 }
 
 var (
-	debugMap, _      = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
-	debugRegister, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_REGISTER"))
+	debugMap      = envknob.Bool("TS_DEBUG_MAP")
+	debugRegister = envknob.Bool("TS_DEBUG_REGISTER")
 )
 
 var jsonEscapedZero = []byte(`\u0000`)
@@ -985,26 +985,14 @@ type debug struct {
 
 func initDebug() debug {
 	return debug{
-		NetMap:         envBool("TS_DEBUG_NETMAP"),
-		ProxyDNS:       envBool("TS_DEBUG_PROXY_DNS"),
-		StripEndpoints: envBool("TS_DEBUG_STRIP_ENDPOINTS"),
-		StripCaps:      envBool("TS_DEBUG_STRIP_CAPS"),
-		Disco:          os.Getenv("TS_DEBUG_USE_DISCO") == "" || envBool("TS_DEBUG_USE_DISCO"),
+		NetMap:         envknob.Bool("TS_DEBUG_NETMAP"),
+		ProxyDNS:       envknob.Bool("TS_DEBUG_PROXY_DNS"),
+		StripEndpoints: envknob.Bool("TS_DEBUG_STRIP_ENDPOINTS"),
+		StripCaps:      envknob.Bool("TS_DEBUG_STRIP_CAPS"),
+		Disco:          envknob.BoolDefaultTrue("TS_DEBUG_USE_DISCO"),
 	}
 }
 
-func envBool(k string) bool {
-	e := os.Getenv(k)
-	if e == "" {
-		return false
-	}
-	v, err := strconv.ParseBool(e)
-	if err != nil {
-		panic(fmt.Sprintf("invalid non-bool %q for env var %q", e, k))
-	}
-	return v
-}
-
 var clockNow = time.Now
 
 // opt.Bool configs from control.

control/controlclient/map.go

@@ -6,11 +6,10 @@ package controlclient
 
 import (
 	"log"
-	"os"
 	"sort"
-	"strconv"
 
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -289,7 +288,7 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	return v2
 }
 
-var debugSelfIPv6Only, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_SELF_V6_ONLY"))
+var debugSelfIPv6Only = envknob.Bool("TS_DEBUG_SELF_V6_ONLY")
 
 func filterSelfAddresses(in []netaddr.IPPrefix) (ret []netaddr.IPPrefix) {
 	switch {

control/controlhttp/client.go

@@ -0,0 +1,242 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package controlhttp implements the Tailscale 2021 control protocol
+// base transport over HTTP.
+//
+// This tunnels the protocol in control/controlbase over HTTP with a
+// variety of compatibility fallbacks for handling picky or deep
+// inspecting proxies.
+//
+// In the happy path, a client makes a single cleartext HTTP request
+// to the server, the server responds with 101 Switching Protocols,
+// and the control base protocol takes place over plain TCP.
+//
+// In the compatibility path, the client does the above over HTTPS,
+// resulting in double encryption (once for the control transport, and
+// once for the outer TLS layer).
+package controlhttp
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/dnsfallback"
+	"tailscale.com/net/netns"
+	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/types/key"
+)
+
+// upgradeHeader is the value of the Upgrade HTTP header used to
+// indicate the Tailscale control protocol.
+const (
+	upgradeHeaderValue  = "tailscale-control-protocol"
+	handshakeHeaderName = "X-Tailscale-Handshake"
+)
+
+// Dial connects to the HTTP server at addr, requests to switch to the
+// Tailscale control protocol, and returns an established control
+// protocol connection.
+//
+// If Dial fails to connect using addr, it also tries to tunnel over
+// TLS to <addr's host>:443 as a compatibility fallback.
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*controlbase.Conn, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	a := &dialParams{
+		ctx:        ctx,
+		host:       host,
+		httpPort:   port,
+		httpsPort:  "443",
+		machineKey: machineKey,
+		controlKey: controlKey,
+		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+	}
+	return a.dial()
+}
+
+type dialParams struct {
+	ctx        context.Context
+	host       string
+	httpPort   string
+	httpsPort  string
+	machineKey key.MachinePrivate
+	controlKey key.MachinePublic
+	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+
+	// For tests only
+	insecureTLS bool
+}
+
+func (a *dialParams) dial() (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey)
+	if err != nil {
+		return nil, err
+	}
+
+	u := &url.URL{
+		Scheme: "http",
+		Host:   net.JoinHostPort(a.host, a.httpPort),
+		Path:   "/switch",
+	}
+	conn, httpErr := a.tryURL(u, init)
+	if httpErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	// Connecting over plain HTTP failed, assume it's an HTTP proxy
+	// being difficult and see if we can get through over HTTPS.
+	u.Scheme = "https"
+	u.Host = net.JoinHostPort(a.host, a.httpsPort)
+	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey)
+	if err != nil {
+		return nil, err
+	}
+	conn, tlsErr := a.tryURL(u, init)
+	if tlsErr == nil {
+		ret, err := cont(a.ctx, conn)
+		if err != nil {
+			conn.Close()
+			return nil, err
+		}
+		return ret, nil
+	}
+
+	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
+}
+
+func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
+	dns := &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward,
+		LookupIPFallback: dnsfallback.Lookup,
+		UseLastGood:      true,
+	}
+	dialer := netns.NewDialer(log.Printf)
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	defer tr.CloseIdleConnections()
+	tr.Proxy = a.proxyFunc
+	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
+	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
+	// Disable HTTP2, since h2 can't do protocol switching.
+	tr.TLSClientConfig.NextProtos = []string{}
+	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
+	tr.TLSClientConfig = tlsdial.Config(a.host, tr.TLSClientConfig)
+	if a.insecureTLS {
+		tr.TLSClientConfig.InsecureSkipVerify = true
+		tr.TLSClientConfig.VerifyConnection = nil
+	}
+	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
+	tr.DisableCompression = true
+
+	// (mis)use httptrace to extract the underlying net.Conn from the
+	// transport. We make exactly 1 request using this transport, so
+	// there will be exactly 1 GotConn call. Additionally, the
+	// transport handles 101 Switching Protocols correctly, such that
+	// the Conn will not be reused or kept alive by the transport once
+	// the response has been handed back from RoundTrip.
+	//
+	// In theory, the machinery of net/http should make it such that
+	// the trace callback happens-before we get the response, but
+	// there's no promise of that. So, to make sure, we use a buffered
+	// channel as a synchronization step to avoid data races.
+	//
+	// Note that even though we're able to extract a net.Conn via this
+	// mechanism, we must still keep using the eventual resp.Body to
+	// read from, because it includes a buffer we can't get rid of. If
+	// the server never sends any data after sending the HTTP
+	// response, we could get away with it, but violating this
+	// assumption leads to very mysterious transport errors (lockups,
+	// unexpected EOFs...), and we're bound to forget someday and
+	// introduce a protocol optimization at a higher level that starts
+	// eagerly transmitting from the server.
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx := httptrace.WithClientTrace(a.ctx, &trace)
+	req := &http.Request{
+		Method: "POST",
+		URL:    u,
+		Header: http.Header{
+			"Upgrade":           []string{upgradeHeaderValue},
+			"Connection":        []string{"upgrade"},
+			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
+		},
+	}
+	req = req.WithContext(ctx)
+
+	resp, err := tr.RoundTrip(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusSwitchingProtocols {
+		return nil, fmt.Errorf("unexpected HTTP response: %s", resp.Status)
+	}
+
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		resp.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+
+	if next := resp.Header.Get("Upgrade"); next != upgradeHeaderValue {
+		resp.Body.Close()
+		return nil, fmt.Errorf("server switched to unexpected protocol %q", next)
+	}
+
+	rwc, ok := resp.Body.(io.ReadWriteCloser)
+	if !ok {
+		resp.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+
+	return &wrappedConn{switchedConn, rwc}, nil
+}
+
+type wrappedConn struct {
+	net.Conn
+	rwc io.ReadWriteCloser
+}
+
+func (w *wrappedConn) Read(bs []byte) (int, error) {
+	return w.rwc.Read(bs)
+}
+
+func (w *wrappedConn) Write(bs []byte) (int, error) {
+	return w.rwc.Write(bs)
+}
+
+func (w *wrappedConn) Close() error {
+	return w.rwc.Close()
+}

control/controlhttp/http_test.go

@@ -0,0 +1,398 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strconv"
+	"sync"
+	"testing"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/socks5"
+	"tailscale.com/types/key"
+)
+
+func TestControlHTTP(t *testing.T) {
+	tests := []struct {
+		name  string
+		proxy proxy
+	}{
+		// direct connection
+		{
+			name:  "no_proxy",
+			proxy: nil,
+		},
+		// SOCKS5
+		{
+			name:  "socks5",
+			proxy: &socksProxy{},
+		},
+		// HTTP->HTTP
+		{
+			name: "http_to_http",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: false,
+				allowHTTP:    true,
+			},
+		},
+		// HTTP->HTTPS
+		{
+			name: "http_to_https",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: true,
+				allowHTTP:    false,
+			},
+		},
+		// HTTP->any (will pick HTTP)
+		{
+			name: "http_to_any",
+			proxy: &httpProxy{
+				useTLS:       false,
+				allowConnect: true,
+				allowHTTP:    true,
+			},
+		},
+		// HTTPS->HTTP
+		{
+			name: "https_to_http",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: false,
+				allowHTTP:    true,
+			},
+		},
+		// HTTPS->HTTPS
+		{
+			name: "https_to_https",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: true,
+				allowHTTP:    false,
+			},
+		},
+		// HTTPS->any (will pick HTTP)
+		{
+			name: "https_to_any",
+			proxy: &httpProxy{
+				useTLS:       true,
+				allowConnect: true,
+				allowHTTP:    true,
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			testControlHTTP(t, test.proxy)
+		})
+	}
+}
+
+func testControlHTTP(t *testing.T, proxy proxy) {
+	client, server := key.NewMachine(), key.NewMachine()
+
+	sch := make(chan serverResult, 1)
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		conn, err := AcceptHTTP(context.Background(), w, r, server)
+		if err != nil {
+			log.Print(err)
+		}
+		res := serverResult{
+			err: err,
+		}
+		if conn != nil {
+			res.clientAddr = conn.RemoteAddr().String()
+			res.version = conn.ProtocolVersion()
+			res.peer = conn.Peer()
+			res.conn = conn
+		}
+		sch <- res
+	})
+
+	httpLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("HTTP listen: %v", err)
+	}
+	httpsLn, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("HTTPS listen: %v", err)
+	}
+
+	httpServer := &http.Server{Handler: handler}
+	go httpServer.Serve(httpLn)
+	defer httpServer.Close()
+
+	httpsServer := &http.Server{
+		Handler:   handler,
+		TLSConfig: tlsConfig(t),
+	}
+	go httpsServer.ServeTLS(httpsLn, "", "")
+	defer httpsServer.Close()
+
+	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	//defer cancel()
+
+	a := dialParams{
+		ctx:         context.Background(), //ctx,
+		host:        "localhost",
+		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:  client,
+		controlKey:  server.Public(),
+		insecureTLS: true,
+	}
+
+	if proxy != nil {
+		proxyEnv := proxy.Start(t)
+		defer proxy.Close()
+		proxyURL, err := url.Parse(proxyEnv)
+		if err != nil {
+			t.Fatal(err)
+		}
+		a.proxyFunc = func(*http.Request) (*url.URL, error) {
+			return proxyURL, nil
+		}
+	} else {
+		a.proxyFunc = func(*http.Request) (*url.URL, error) {
+			return nil, nil
+		}
+	}
+
+	conn, err := a.dial()
+	if err != nil {
+		t.Fatalf("dialing controlhttp: %v", err)
+	}
+	defer conn.Close()
+	si := <-sch
+	if si.conn != nil {
+		defer si.conn.Close()
+	}
+	if si.err != nil {
+		t.Fatalf("controlhttp server got error: %v", err)
+	}
+	if clientVersion := conn.ProtocolVersion(); si.version != clientVersion {
+		t.Fatalf("client and server don't agree on protocol version: %d vs %d", clientVersion, si.version)
+	}
+	if si.peer != client.Public() {
+		t.Fatalf("server got peer pubkey %s, want %s", si.peer, client.Public())
+	}
+	if spub := conn.Peer(); spub != server.Public() {
+		t.Fatalf("client got peer pubkey %s, want %s", spub, server.Public())
+	}
+	if proxy != nil && !proxy.ConnIsFromProxy(si.clientAddr) {
+		t.Fatalf("client connected from %s, which isn't the proxy", si.clientAddr)
+	}
+}
+
+type serverResult struct {
+	err        error
+	clientAddr string
+	version    int
+	peer       key.MachinePublic
+	conn       *controlbase.Conn
+}
+
+type proxy interface {
+	Start(*testing.T) string
+	Close()
+	ConnIsFromProxy(string) bool
+}
+
+type socksProxy struct {
+	sync.Mutex
+	proxy           socks5.Server
+	ln              net.Listener
+	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
+}
+
+func (s *socksProxy) Start(t *testing.T) (url string) {
+	t.Helper()
+	s.Lock()
+	defer s.Unlock()
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listening for SOCKS server: %v", err)
+	}
+	s.ln = ln
+	s.clientConnAddrs = map[string]bool{}
+	s.proxy.Logf = t.Logf
+	s.proxy.Dialer = s.dialAndRecord
+	go s.proxy.Serve(ln)
+	return fmt.Sprintf("socks5://%s", ln.Addr().String())
+}
+
+func (s *socksProxy) Close() {
+	s.Lock()
+	defer s.Unlock()
+	s.ln.Close()
+}
+
+func (s *socksProxy) dialAndRecord(ctx context.Context, network, addr string) (net.Conn, error) {
+	var d net.Dialer
+	conn, err := d.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	s.Lock()
+	defer s.Unlock()
+	s.clientConnAddrs[conn.LocalAddr().String()] = true
+	return conn, nil
+}
+
+func (s *socksProxy) ConnIsFromProxy(addr string) bool {
+	s.Lock()
+	defer s.Unlock()
+	return s.clientConnAddrs[addr]
+}
+
+type httpProxy struct {
+	useTLS       bool // take incoming connections over TLS
+	allowConnect bool // allow CONNECT for TLS
+	allowHTTP    bool // allow plain HTTP proxying
+
+	sync.Mutex
+	ln              net.Listener
+	rp              httputil.ReverseProxy
+	s               http.Server
+	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
+}
+
+func (h *httpProxy) Start(t *testing.T) (url string) {
+	t.Helper()
+	h.Lock()
+	defer h.Unlock()
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatalf("listening for HTTP proxy: %v", err)
+	}
+	h.ln = ln
+	h.rp = httputil.ReverseProxy{
+		Director: func(*http.Request) {},
+		Transport: &http.Transport{
+			DialContext: h.dialAndRecord,
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true,
+			},
+			TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{},
+		},
+	}
+	h.clientConnAddrs = map[string]bool{}
+	h.s.Handler = h
+	if h.useTLS {
+		h.s.TLSConfig = tlsConfig(t)
+		go h.s.ServeTLS(h.ln, "", "")
+		return fmt.Sprintf("https://%s", ln.Addr().String())
+	} else {
+		go h.s.Serve(h.ln)
+		return fmt.Sprintf("http://%s", ln.Addr().String())
+	}
+}
+
+func (h *httpProxy) Close() {
+	h.Lock()
+	defer h.Unlock()
+	h.s.Close()
+}
+
+func (h *httpProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "CONNECT" {
+		if !h.allowHTTP {
+			http.Error(w, "http proxy not allowed", 500)
+			return
+		}
+		h.rp.ServeHTTP(w, r)
+		return
+	}
+
+	if !h.allowConnect {
+		http.Error(w, "connect not allowed", 500)
+		return
+	}
+
+	dst := r.RequestURI
+	c, err := h.dialAndRecord(context.Background(), "tcp", dst)
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	defer c.Close()
+
+	cc, ccbuf, err := w.(http.Hijacker).Hijack()
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	defer cc.Close()
+
+	io.WriteString(cc, "HTTP/1.1 200 OK\r\n\r\n")
+
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(cc, c)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(c, ccbuf)
+		errc <- err
+	}()
+	<-errc
+}
+
+func (h *httpProxy) dialAndRecord(ctx context.Context, network, addr string) (net.Conn, error) {
+	var d net.Dialer
+	conn, err := d.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, err
+	}
+	h.Lock()
+	defer h.Unlock()
+	h.clientConnAddrs[conn.LocalAddr().String()] = true
+	return conn, nil
+}
+
+func (h *httpProxy) ConnIsFromProxy(addr string) bool {
+	h.Lock()
+	defer h.Unlock()
+	return h.clientConnAddrs[addr]
+}
+
+func tlsConfig(t *testing.T) *tls.Config {
+	// Cert and key taken from the example code in the crypto/tls
+	// package.
+	certPem := []byte(`-----BEGIN CERTIFICATE-----
+MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw
+DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow
+EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d
+7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B
+5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr
+BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1
+NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l
+Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc
+6MF9+Yw1Yy0t
+-----END CERTIFICATE-----`)
+	keyPem := []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49
+AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q
+EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
+-----END EC PRIVATE KEY-----`)
+	cert, err := tls.X509KeyPair(certPem, keyPem)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &tls.Config{
+		Certificates: []tls.Certificate{cert},
+	}
+}

control/controlhttp/server.go

@@ -0,0 +1,95 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"bufio"
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+
+	"tailscale.com/control/controlbase"
+	"tailscale.com/types/key"
+)
+
+// AcceptHTTP upgrades the HTTP request given by w and r into a
+// Tailscale control protocol base transport connection.
+//
+// AcceptHTTP always writes an HTTP response to w. The caller must not
+// attempt their own response after calling AcceptHTTP.
+func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
+	next := r.Header.Get("Upgrade")
+	if next == "" {
+		http.Error(w, "missing next protocol", http.StatusBadRequest)
+		return nil, errors.New("no next protocol in HTTP request")
+	}
+	if next != upgradeHeaderValue {
+		http.Error(w, "unknown next protocol", http.StatusBadRequest)
+		return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
+	}
+
+	initB64 := r.Header.Get(handshakeHeaderName)
+	if initB64 == "" {
+		http.Error(w, "missing Tailscale handshake header", http.StatusBadRequest)
+		return nil, errors.New("no tailscale handshake header in HTTP request")
+	}
+	init, err := base64.StdEncoding.DecodeString(initB64)
+	if err != nil {
+		http.Error(w, "invalid tailscale handshake header", http.StatusBadRequest)
+		return nil, fmt.Errorf("decoding base64 handshake header: %v", err)
+	}
+
+	hijacker, ok := w.(http.Hijacker)
+	if !ok {
+		http.Error(w, "make request over HTTP/1", http.StatusBadRequest)
+		return nil, errors.New("can't hijack client connection")
+	}
+
+	w.Header().Set("Upgrade", upgradeHeaderValue)
+	w.Header().Set("Connection", "upgrade")
+	w.WriteHeader(http.StatusSwitchingProtocols)
+
+	conn, brw, err := hijacker.Hijack()
+	if err != nil {
+		return nil, fmt.Errorf("hijacking client connection: %w", err)
+	}
+	if err := brw.Flush(); err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
+	}
+	if brw.Reader.Buffered() > 0 {
+		conn = &drainBufConn{conn, brw.Reader}
+	}
+
+	nc, err := controlbase.Server(ctx, conn, private, init)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("noise handshake failed: %w", err)
+	}
+
+	return nc, nil
+}
+
+// drainBufConn is a net.Conn with an initial bunch of bytes in a
+// bufio.Reader. Read drains the bufio.Reader until empty, then passes
+// through subsequent reads to the Conn directly.
+type drainBufConn struct {
+	net.Conn
+	r *bufio.Reader
+}
+
+func (b *drainBufConn) Read(bs []byte) (int, error) {
+	if b.r == nil {
+		return b.Conn.Read(bs)
+	}
+	n, err := b.r.Read(bs)
+	if b.r.Buffered() == 0 {
+		b.r = nil
+	}
+	return n, err
+}

control/controlknobs/controlknobs.go

@@ -7,9 +7,7 @@
 package controlknobs
 
 import (
-	"os"
-	"strconv"
-
+	"tailscale.com/envknob"
 	"tailscale.com/syncs"
 )
 
@@ -17,8 +15,7 @@ import (
 var disableUPnP syncs.AtomicBool
 
 func init() {
-	v, _ := strconv.ParseBool(os.Getenv("TS_DISABLE_UPNP"))
-	SetDisableUPnP(v)
+	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
 }
 
 // DisableUPnP reports the last reported value from control

derp/derp_client.go

@@ -12,10 +12,12 @@ import (
 	"fmt"
 	"io"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"go4.org/mem"
 	"golang.org/x/time/rate"
+	"inet.af/netaddr"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -37,8 +39,8 @@ type Client struct {
 	rate *rate.Limiter // if non-nil, rate limiter to use
 
 	// Owned by Recv:
-	peeked  int   // bytes to discard on next Recv
-	readErr error // sticky read error
+	peeked  int          // bytes to discard on next Recv
+	readErr atomic.Value // of error; sticky (set by Recv)
 }
 
 // ClientOpt is an option passed to NewClient.
@@ -261,10 +263,18 @@ func (c *Client) ForwardPacket(srcKey, dstKey key.NodePublic, pkt []byte) (err e
 
 func (c *Client) writeTimeoutFired() { c.nc.Close() }
 
+func (c *Client) SendPing(data [8]byte) error {
+	return c.sendPingOrPong(framePing, data)
+}
+
 func (c *Client) SendPong(data [8]byte) error {
+	return c.sendPingOrPong(framePong, data)
+}
+
+func (c *Client) sendPingOrPong(typ frameType, data [8]byte) error {
 	c.wmu.Lock()
 	defer c.wmu.Unlock()
-	if err := writeFrameHeader(c.bw, framePong, 8); err != nil {
+	if err := writeFrameHeader(c.bw, typ, 8); err != nil {
 		return err
 	}
 	if _, err := c.bw.Write(data[:]); err != nil {
@@ -375,6 +385,12 @@ type PingMessage [8]byte
 
 func (PingMessage) msg() {}
 
+// PongMessage is a reply to a PingMessage from a client or server
+// with the payload sent previously in a PingMessage.
+type PongMessage [8]byte
+
+func (PongMessage) msg() {}
+
 // KeepAliveMessage is a one-way empty message from server to client, just to
 // keep the connection alive. It's like a PingMessage, but doesn't solicit
 // a reply from the client.
@@ -427,13 +443,14 @@ func (c *Client) Recv() (m ReceivedMessage, err error) {
 }
 
 func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err error) {
-	if c.readErr != nil {
-		return nil, c.readErr
+	readErr, _ := c.readErr.Load().(error)
+	if readErr != nil {
+		return nil, readErr
 	}
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("derp.Recv: %w", err)
-			c.readErr = err
+			c.readErr.Store(err)
 		}
 	}()
 
@@ -536,6 +553,15 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			copy(pm[:], b[:])
 			return pm, nil
 
+		case framePong:
+			var pm PongMessage
+			if n < 8 {
+				c.logf("[unexpected] dropping short ping frame")
+				continue
+			}
+			copy(pm[:], b[:])
+			return pm, nil
+
 		case frameHealth:
 			return HealthMessage{Problem: string(b[:])}, nil
 
@@ -564,3 +590,22 @@ func (c *Client) setSendRateLimiter(sm ServerInfoMessage) {
 			sm.TokenBucketBytesBurst)
 	}
 }
+
+// LocalAddr returns the TCP connection's local address.
+//
+// If the client is broken in some previously detectable way, it
+// returns an error.
+func (c *Client) LocalAddr() (netaddr.IPPort, error) {
+	readErr, _ := c.readErr.Load().(error)
+	if readErr != nil {
+		return netaddr.IPPort{}, readErr
+	}
+	if c.nc == nil {
+		return netaddr.IPPort{}, errors.New("nil conn")
+	}
+	a := c.nc.LocalAddr()
+	if a == nil {
+		return netaddr.IPPort{}, errors.New("nil addr")
+	}
+	return netaddr.ParseIPPort(a.String())
+}

derp/derp_server.go

@@ -23,8 +23,8 @@ import (
 	"math"
 	"math/big"
 	"math/rand"
+	"net"
 	"net/http"
-	"os"
 	"os/exec"
 	"runtime"
 	"strconv"
@@ -39,6 +39,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
+	"tailscale.com/envknob"
 	"tailscale.com/metrics"
 	"tailscale.com/syncs"
 	"tailscale.com/types/key"
@@ -47,14 +48,14 @@ import (
 	"tailscale.com/version"
 )
 
-var debug, _ = strconv.ParseBool(os.Getenv("DERP_DEBUG_LOGS"))
+var debug = envknob.Bool("DERP_DEBUG_LOGS")
 
 // verboseDropKeys is the set of destination public keys that should
 // verbosely log whenever DERP drops a packet.
 var verboseDropKeys = map[key.NodePublic]bool{}
 
 func init() {
-	keys := os.Getenv("TS_DEBUG_VERBOSE_DROPS")
+	keys := envknob.String("TS_DEBUG_VERBOSE_DROPS")
 	if keys == "" {
 		return
 	}
@@ -124,6 +125,8 @@ type Server struct {
 	packetsForwardedOut          expvar.Int
 	packetsForwardedIn           expvar.Int
 	peerGoneFrames               expvar.Int // number of peer gone frames sent
+	gotPing                      expvar.Int // number of ping frames from client
+	sentPong                     expvar.Int // number of pong frames enqueued to client
 	accepts                      expvar.Int
 	curClients                   expvar.Int
 	curHomeClients               expvar.Int // ones with preferred
@@ -283,9 +286,8 @@ type PacketForwarder interface {
 // It is a defined type so that non-net connections can be used.
 type Conn interface {
 	io.WriteCloser
-
+	LocalAddr() net.Addr
 	// The *Deadline methods follow the semantics of net.Conn.
-
 	SetDeadline(time.Time) error
 	SetReadDeadline(time.Time) error
 	SetWriteDeadline(time.Time) error
@@ -662,6 +664,7 @@ func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connN
 		connectedAt:    time.Now(),
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
+		sendPongCh:     make(chan [8]byte, 1),
 		peerGone:       make(chan key.NodePublic),
 		canMesh:        clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
 	}
@@ -729,6 +732,8 @@ func (c *sclient) run(ctx context.Context) error {
 			err = c.handleFrameWatchConns(ft, fl)
 		case frameClosePeer:
 			err = c.handleFrameClosePeer(ft, fl)
+		case framePing:
+			err = c.handleFramePing(ft, fl)
 		default:
 			err = c.handleUnknownFrame(ft, fl)
 		}
@@ -766,6 +771,33 @@ func (c *sclient) handleFrameWatchConns(ft frameType, fl uint32) error {
 	return nil
 }
 
+func (c *sclient) handleFramePing(ft frameType, fl uint32) error {
+	c.s.gotPing.Add(1)
+	var m PingMessage
+	if fl < uint32(len(m)) {
+		return fmt.Errorf("short ping: %v", fl)
+	}
+	if fl > 1000 {
+		// unreasonably extra large. We leave some extra
+		// space for future extensibility, but not too much.
+		return fmt.Errorf("ping body too large: %v", fl)
+	}
+	_, err := io.ReadFull(c.br, m[:])
+	if err != nil {
+		return err
+	}
+	if extra := int64(fl) - int64(len(m)); extra > 0 {
+		_, err = io.CopyN(ioutil.Discard, c.br, extra)
+	}
+	select {
+	case c.sendPongCh <- [8]byte(m):
+	default:
+		// They're pinging too fast. Ignore.
+		// TODO(bradfitz): add a rate limiter too.
+	}
+	return err
+}
+
 func (c *sclient) handleFrameClosePeer(ft frameType, fl uint32) error {
 	if fl != keyLen {
 		return fmt.Errorf("handleFrameClosePeer wrong size")
@@ -1202,6 +1234,7 @@ type sclient struct {
 	remoteIPPort   netaddr.IPPort      // zero if remoteAddr is not ip:port.
 	sendQueue      chan pkt            // packets queued to this client; never closed
 	discoSendQueue chan pkt            // important packets queued to this client; never closed
+	sendPongCh     chan [8]byte        // pong replies to send to the client; never closed
 	peerGone       chan key.NodePublic // write request that a previous sender has disconnected (not used by mesh peers)
 	meshUpdate     chan struct{}       // write request to write peerStateChange
 	canMesh        bool                // clientInfo had correct mesh token for inter-region routing
@@ -1342,6 +1375,9 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 			werr = c.sendPacket(msg.src, msg.bs)
 			c.recordQueueTime(msg.enqueuedAt)
 			continue
+		case msg := <-c.sendPongCh:
+			werr = c.sendPong(msg)
+			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 			continue
@@ -1368,6 +1404,9 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		case msg := <-c.discoSendQueue:
 			werr = c.sendPacket(msg.src, msg.bs)
 			c.recordQueueTime(msg.enqueuedAt)
+		case msg := <-c.sendPongCh:
+			werr = c.sendPong(msg)
+			continue
 		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
@@ -1384,6 +1423,17 @@ func (c *sclient) sendKeepAlive() error {
 	return writeFrameHeader(c.bw.bw(), frameKeepAlive, 0)
 }
 
+// sendPong sends a pong reply, without flushing.
+func (c *sclient) sendPong(data [8]byte) error {
+	c.s.sentPong.Add(1)
+	c.setWriteDeadline()
+	if err := writeFrameHeader(c.bw.bw(), framePong, uint32(len(data))); err != nil {
+		return err
+	}
+	_, err := c.bw.Write(data[:])
+	return err
+}
+
 // sendPeerGone sends a peerGone frame, without flushing.
 func (c *sclient) sendPeerGone(peer key.NodePublic) error {
 	c.s.peerGoneFrames.Add(1)
@@ -1625,6 +1675,8 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("unknown_frames", &s.unknownFrames)
 	m.Set("home_moves_in", &s.homeMovesIn)
 	m.Set("home_moves_out", &s.homeMovesOut)
+	m.Set("got_ping", &s.gotPing)
+	m.Set("sent_pong", &s.sentPong)
 	m.Set("peer_gone_frames", &s.peerGoneFrames)
 	m.Set("packets_forwarded_out", &s.packetsForwardedOut)
 	m.Set("packets_forwarded_in", &s.packetsForwardedIn)

derp/derp_test.go

@@ -812,6 +812,14 @@ func TestClientRecv(t *testing.T) {
 			},
 			want: PingMessage{1, 2, 3, 4, 5, 6, 7, 8},
 		},
+		{
+			name: "pong",
+			input: []byte{
+				byte(framePong), 0, 0, 0, 8,
+				1, 2, 3, 4, 5, 6, 7, 8,
+			},
+			want: PongMessage{1, 2, 3, 4, 5, 6, 7, 8},
+		},
 		{
 			name: "health_bad",
 			input: []byte{
@@ -858,6 +866,23 @@ func TestClientRecv(t *testing.T) {
 	}
 }
 
+func TestClientSendPing(t *testing.T) {
+	var buf bytes.Buffer
+	c := &Client{
+		bw: bufio.NewWriter(&buf),
+	}
+	if err := c.SendPing([8]byte{1, 2, 3, 4, 5, 6, 7, 8}); err != nil {
+		t.Fatal(err)
+	}
+	want := []byte{
+		byte(framePing), 0, 0, 0, 8,
+		1, 2, 3, 4, 5, 6, 7, 8,
+	}
+	if !bytes.Equal(buf.Bytes(), want) {
+		t.Errorf("unexpected output\nwrote: % 02x\n want: % 02x", buf.Bytes(), want)
+	}
+}
+
 func TestClientSendPong(t *testing.T) {
 	var buf bytes.Buffer
 	c := &Client{
@@ -873,7 +898,6 @@ func TestClientSendPong(t *testing.T) {
 	if !bytes.Equal(buf.Bytes(), want) {
 		t.Errorf("unexpected output\nwrote: % 02x\n want: % 02x", buf.Bytes(), want)
 	}
-
 }
 
 func TestServerDupClients(t *testing.T) {
@@ -1316,3 +1340,30 @@ func TestClientSendRateLimiting(t *testing.T) {
 		t.Errorf("limited conn's bytes count = %v; want >=%v, <%v", bytesLimited, bytes1K*2, bytes1K)
 	}
 }
+
+func TestServerRepliesToPing(t *testing.T) {
+	ts := newTestServer(t)
+	defer ts.close(t)
+
+	tc := newRegularClient(t, ts, "alice")
+
+	data := [8]byte{1, 2, 3, 4, 5, 6, 7, 42}
+
+	if err := tc.c.SendPing(data); err != nil {
+		t.Fatal(err)
+	}
+
+	for {
+		m, err := tc.c.recvTimeout(time.Second)
+		if err != nil {
+			t.Fatal(err)
+		}
+		switch m := m.(type) {
+		case PongMessage:
+			if ([8]byte(m)) != data {
+				t.Fatalf("got pong %2x; want %2x", [8]byte(m), data)
+			}
+			return
+		}
+	}
+}

derp/derphttp/derphttp_client.go

@@ -13,6 +13,7 @@ package derphttp
 import (
 	"bufio"
 	"context"
+	"crypto/rand"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
@@ -22,9 +23,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -32,6 +31,7 @@ import (
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
+	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
@@ -72,6 +72,8 @@ type Client struct {
 	client       *derp.Client
 	connGen      int // incremented once per new connection; valid values are >0
 	serverPubKey key.NodePublic
+	tlsState     *tls.ConnectionState
+	pingOut      map[derp.PingMessage]chan<- bool // chan to send to on pong
 }
 
 // NewRegionClient returns a new DERP-over-HTTP client. It connects lazily.
@@ -123,6 +125,17 @@ func (c *Client) Connect(ctx context.Context) error {
 	return err
 }
 
+// TLSConnectionState returns the last TLS connection state, if any.
+// The client must already be connected.
+func (c *Client) TLSConnectionState() (_ *tls.ConnectionState, ok bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed || c.client == nil {
+		return nil, false
+	}
+	return c.tlsState, c.tlsState != nil
+}
+
 // ServerPublicKey returns the server's public key.
 //
 // It only returns a non-zero value once a connection has succeeded
@@ -188,8 +201,7 @@ func useWebsockets() bool {
 		return true
 	}
 	if dialWebsocketFunc != nil {
-		v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_DERP_WS_CLIENT"))
-		return v
+		return envknob.Bool("TS_DEBUG_DERP_WS_CLIENT")
 	}
 	return false
 }
@@ -318,6 +330,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	var httpConn net.Conn        // a TCP conn or a TLS conn; what we speak HTTP to
 	var serverPub key.NodePublic // or zero if unknown (if not using TLS or TLS middlebox eats it)
 	var serverProtoVersion int
+	var tlsState *tls.ConnectionState
 	if c.useHTTPS() {
 		tlsConn := c.tlsClient(tcpConn, node)
 		httpConn = tlsConn
@@ -340,9 +353,10 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		// Note that we're not specifically concerned about TLS downgrade
 		// attacks. TLS handles that fine:
 		// https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
-		connState := tlsConn.ConnectionState()
-		if connState.Version >= tls.VersionTLS13 {
-			serverPub, serverProtoVersion = parseMetaCert(connState.PeerCertificates)
+		cs := tlsConn.ConnectionState()
+		tlsState = &cs
+		if cs.Version >= tls.VersionTLS13 {
+			serverPub, serverProtoVersion = parseMetaCert(cs.PeerCertificates)
 		}
 	} else {
 		httpConn = tcpConn
@@ -409,6 +423,7 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	c.serverPubKey = derpClient.ServerPublicKey()
 	c.client = derpClient
 	c.netConn = tcpConn
+	c.tlsState = tlsState
 	c.connGen++
 	return c.client, c.connGen, nil
 }
@@ -698,6 +713,95 @@ func (c *Client) Send(dstKey key.NodePublic, b []byte) error {
 	return err
 }
 
+func (c *Client) registerPing(m derp.PingMessage, ch chan<- bool) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.pingOut == nil {
+		c.pingOut = map[derp.PingMessage]chan<- bool{}
+	}
+	c.pingOut[m] = ch
+}
+
+func (c *Client) unregisterPing(m derp.PingMessage) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	delete(c.pingOut, m)
+}
+
+func (c *Client) handledPong(m derp.PongMessage) bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	k := derp.PingMessage(m)
+	if ch, ok := c.pingOut[k]; ok {
+		ch <- true
+		delete(c.pingOut, k)
+		return true
+	}
+	return false
+}
+
+// Ping sends a ping to the peer and waits for it either to be
+// acknowledged (in which case Ping returns nil) or waits for ctx to
+// be over and returns an error. It will wait at most 5 seconds
+// before returning an error.
+//
+// Another goroutine must be in a loop calling Recv or
+// RecvDetail or ping responses won't be handled.
+func (c *Client) Ping(ctx context.Context) error {
+	maxDL := time.Now().Add(5 * time.Second)
+	if dl, ok := ctx.Deadline(); !ok || dl.After(maxDL) {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithDeadline(ctx, maxDL)
+		defer cancel()
+	}
+	var data derp.PingMessage
+	rand.Read(data[:])
+	gotPing := make(chan bool, 1)
+	c.registerPing(data, gotPing)
+	defer c.unregisterPing(data)
+	if err := c.SendPing(data); err != nil {
+		return err
+	}
+	select {
+	case <-gotPing:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+// SendPing writes a ping message, without any implicit connect or
+// reconnect. This is a lower-level interface that writes a frame
+// without any implicit handling of the response pong, if any. For a
+// higher-level interface, use Ping.
+func (c *Client) SendPing(data [8]byte) error {
+	c.mu.Lock()
+	closed, client := c.closed, c.client
+	c.mu.Unlock()
+	if closed {
+		return ErrClientClosed
+	}
+	if client == nil {
+		return errors.New("client not connected")
+	}
+	return client.SendPing(data)
+}
+
+// LocalAddr reports c's local TCP address, without any implicit
+// connect or reconnect.
+func (c *Client) LocalAddr() (netaddr.IPPort, error) {
+	c.mu.Lock()
+	closed, client := c.closed, c.client
+	c.mu.Unlock()
+	if closed {
+		return netaddr.IPPort{}, ErrClientClosed
+	}
+	if client == nil {
+		return netaddr.IPPort{}, errors.New("client not connected")
+	}
+	return client.LocalAddr()
+}
+
 func (c *Client) ForwardPacket(from, to key.NodePublic, b []byte) error {
 	client, _, err := c.connect(context.TODO(), "derphttp.Client.ForwardPacket")
 	if err != nil {
@@ -805,14 +909,22 @@ func (c *Client) RecvDetail() (m derp.ReceivedMessage, connGen int, err error) {
 	if err != nil {
 		return nil, 0, err
 	}
-	m, err = client.Recv()
-	if err != nil {
-		c.closeForReconnect(client)
-		if c.isClosed() {
-			err = ErrClientClosed
+	for {
+		m, err = client.Recv()
+		switch m := m.(type) {
+		case derp.PongMessage:
+			if c.handledPong(m) {
+				continue
+			}
 		}
+		if err != nil {
+			c.closeForReconnect(client)
+			if c.isClosed() {
+				err = ErrClientClosed
+			}
+		}
+		return m, connGen, err
 	}
-	return m, connGen, err
 }
 
 func (c *Client) isClosed() bool {

derp/derphttp/derphttp_test.go

@@ -154,3 +154,55 @@ func waitConnect(t testing.TB, c *Client) {
 		t.Fatalf("client first Recv was unexpected type %T", v)
 	}
 }
+
+func TestPing(t *testing.T) {
+	serverPrivateKey := key.NewNode()
+	s := derp.NewServer(serverPrivateKey, t.Logf)
+	defer s.Close()
+
+	httpsrv := &http.Server{
+		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+		Handler:      Handler(s),
+	}
+
+	ln, err := net.Listen("tcp4", "localhost:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	serverURL := "http://" + ln.Addr().String()
+	t.Logf("server URL: %s", serverURL)
+
+	go func() {
+		if err := httpsrv.Serve(ln); err != nil {
+			if err == http.ErrServerClosed {
+				return
+			}
+			panic(err)
+		}
+	}()
+
+	c, err := NewClient(key.NewNode(), serverURL, t.Logf)
+	if err != nil {
+		t.Fatalf("NewClient: %v", err)
+	}
+	defer c.Close()
+	if err := c.Connect(context.Background()); err != nil {
+		t.Fatalf("client Connect: %v", err)
+	}
+
+	errc := make(chan error, 1)
+	go func() {
+		for {
+			m, err := c.Recv()
+			if err != nil {
+				errc <- err
+				return
+			}
+			t.Logf("Recv: %T", m)
+		}
+	}()
+	err = c.Ping(context.Background())
+	if err != nil {
+		t.Fatalf("Ping: %v", err)
+	}
+}

envknob/envknob.go

@@ -0,0 +1,106 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package envknob provides access to environment-variable tweakable
+// debug settings.
+//
+// These are primarily knobs used by Tailscale developers during
+// development or by users when instructed to by Tailscale developers
+// when debugging something. They are not a stable interface and may
+// be removed or any time.
+//
+// A related package, control/controlknobs, are knobs that can be
+// changed at runtime by the control plane. Sometimes both are used:
+// an envknob for the default/explicit value, else falling back
+// to the controlknob value.
+package envknob
+
+import (
+	"log"
+	"os"
+	"strconv"
+
+	"tailscale.com/types/opt"
+)
+
+// String returns the named environment variable, using os.Getenv.
+//
+// In the future it will also track usage for reporting on debug pages.
+func String(envVar string) string {
+	return os.Getenv(envVar)
+}
+
+// Bool returns the boolean value of the named environment variable.
+// If the variable is not set, it returns false.
+// An invalid value exits the binary with a failure.
+func Bool(envVar string) bool {
+	return boolOr(envVar, false)
+}
+
+// BoolDefaultTrue is like Bool, but returns true by default if the
+// environment variable isn't present.
+func BoolDefaultTrue(envVar string) bool {
+	return boolOr(envVar, true)
+}
+
+func boolOr(envVar string, implicitValue bool) bool {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return implicitValue
+	}
+	b, err := strconv.ParseBool(val)
+	if err == nil {
+		return b
+	}
+	log.Fatalf("invalid environment variable %s value %q: %v", envVar, val, err)
+	panic("unreachable")
+}
+
+// LookupBool returns the boolean value of the named environment value.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupBool(envVar string) (v bool, ok bool) {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return false, false
+	}
+	b, err := strconv.ParseBool(val)
+	if err == nil {
+		return b, true
+	}
+	log.Fatalf("invalid environment variable %s value %q: %v", envVar, val, err)
+	panic("unreachable")
+}
+
+// OptBool is like Bool, but returns an opt.Bool, so the caller can
+// distinguish between implicitly and explicitly false.
+func OptBool(envVar string) opt.Bool {
+	b, ok := LookupBool(envVar)
+	if !ok {
+		return ""
+	}
+	var ret opt.Bool
+	ret.Set(b)
+	return ret
+}
+
+// LookupInt returns the integer value of the named environment value.
+// The ok result is whether a value was set.
+// If the value isn't a valid int, it exits the program with a failure.
+func LookupInt(envVar string) (v int, ok bool) {
+	val := os.Getenv(envVar)
+	if val == "" {
+		return 0, false
+	}
+	v, err := strconv.Atoi(val)
+	if err == nil {
+		return v, true
+	}
+	log.Fatalf("invalid environment variable %s value %q: %v", envVar, val, err)
+	panic("unreachable")
+}
+
+// UseWIPCode is whether TAILSCALE_USE_WIP_CODE is set to permit use
+// of Work-In-Progress code.
+func UseWIPCode() bool { return Bool("TAILSCALE_USE_WIP_CODE") }

go.mod

@@ -56,9 +56,9 @@ require (
 	golang.org/x/tools v0.1.8
 	golang.zx2c4.com/wireguard v0.0.0-20211116201604-de7c702ace45
 	golang.zx2c4.com/wireguard/windows v0.4.10
+	gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591
 	honnef.co/go/tools v0.2.2
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
-	inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/wf v0.0.0-20211204062712-86aaea0a7310
 	nhooyr.io/websocket v1.8.7

go.sum

@@ -189,7 +189,6 @@ github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacM
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
@@ -469,7 +468,6 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 h1:CVuJwN34x4xM2aT4sIKhmeib40NeBPhRihNjQmpJsA4=
 github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -1113,12 +1111,10 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tomarrell/wrapcheck v0.0.0-20200807122107-df9e8bcb914d/go.mod h1:yiFB6fFoV7saXirUGfuK+cPtUh4NX/Hf5y2WC2lehu0=
-github.com/tomarrell/wrapcheck v0.0.0-20201130113247-1683564d9756 h1:zV5mu0ESwb+WnzqVaW2z1DdbAP0S46UtjY8DHQupQP4=
 github.com/tomarrell/wrapcheck v0.0.0-20201130113247-1683564d9756/go.mod h1:yiFB6fFoV7saXirUGfuK+cPtUh4NX/Hf5y2WC2lehu0=
 github.com/tomarrell/wrapcheck/v2 v2.4.0 h1:mU4H9KsqqPZUALOUbVOpjy8qNQbWLoLI9fV68/1tq30=
 github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLKKwb7p1cnoygsbKIgNlJqSYBeAFON3Ar8As=
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/tommy-muehle/go-mnd/v2 v2.4.0 h1:1t0f8Uiaq+fqKteUR4N9Umr6E99R+lDnLnq7PwX2PPE=
 github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
@@ -1178,7 +1174,6 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/ziutek/telnet v0.0.0-20180329124119-c3b780dc415b/go.mod h1:IZpXDfkJ6tWD3PhBK5YzgQT+xJWh7OsdwiG8hA2MkO4=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
@@ -1229,7 +1224,6 @@ golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@@ -1351,7 +1345,6 @@ golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211101193420-4a448f8816b3/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211205041911-012df41ee64c h1:7SfqwP5fxEtl/P02w5IhKc86ziJ+A25yFrkVgoy2FT8=
@@ -1497,7 +1490,6 @@ golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
@@ -1825,6 +1817,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591 h1:acuXPUADpJMtawdLCUje9xKlQN/8utegCB/Hr/ZgEuY=
+gvisor.dev/gvisor v0.0.0-20220126021142-d8aa030b2591/go.mod h1:vmN0Pug/s8TJmpnt30DvrEfZ5vDl52psGLU04tFuK2U=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1842,8 +1836,6 @@ howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6 h1:acCzuUSQ79tGsM/O50VRFySfMm19IoMKL+sZztZkCxw=
 inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6/go.mod h1:y3MGhcFMlh0KZPMuXXow8mpjxxAk3yoDNsp4cQz54i8=
-inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c h1:nr31qYr+91rWD8klUkPx3eGTZzumCC414UJG1QRKZTc=
-inet.af/netstack v0.0.0-20211120045802-8aa80cf23d3c/go.mod h1:KOJdAzQzMLKzwFEdOOnrnSrLIhaFVB+NQoME/e5wllA=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a h1:qdkS8Q5/i10xU2ArJMKYhVa1DORzBfYS/qA2UK2jheg=
 inet.af/peercred v0.0.0-20210906144145-0893ea02156a/go.mod h1:FjawnflS/udxX+SvpsMgZfdqx2aykOlkISeAsADi5IU=
 inet.af/wf v0.0.0-20211204062712-86aaea0a7310 h1:0jKHTf+W75kYRyg5bto1UT+r18QmAz2u/5pAs/fx4zo=

go.toolchain.branch

@@ -0,0 +1 @@
+tailscale.go1.17

go.toolchain.rev

@@ -0,0 +1 @@
+25fe91a25c9630a50138a135105af19ae7c7c3e7

health/health.go

@@ -9,13 +9,14 @@ package health
 import (
 	"errors"
 	"fmt"
-	"os"
+	"net/http"
 	"runtime"
 	"sort"
 	"sync"
 	"sync/atomic"
 	"time"
 
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/multierr"
 )
@@ -28,6 +29,8 @@ var (
 	watchers = map[*watchHandle]func(Subsystem, error){} // opt func to run if error state changes
 	timer    *time.Timer
 
+	debugHandler = map[string]http.Handler{}
+
 	inMapPoll               bool
 	inMapPollSince          time.Time
 	lastMapPollEndedAt      time.Time
@@ -116,6 +119,18 @@ func SetNetworkCategoryHealth(err error) { set(SysNetworkCategory, err) }
 
 func NetworkCategoryHealth() error { return get(SysNetworkCategory) }
 
+func RegisterDebugHandler(typ string, h http.Handler) {
+	mu.Lock()
+	defer mu.Unlock()
+	debugHandler[typ] = h
+}
+
+func DebugHandler(typ string) http.Handler {
+	mu.Lock()
+	defer mu.Unlock()
+	return debugHandler[typ]
+}
+
 func get(key Subsystem) error {
 	mu.Lock()
 	defer mu.Unlock()
@@ -168,7 +183,8 @@ func GotStreamedMapResponse() {
 	selfCheckLocked()
 }
 
-// SetInPollNetMap records that we're in
+// SetInPollNetMap records whether the client has an open
+// HTTP long poll open to the control plane.
 func SetInPollNetMap(v bool) {
 	mu.Lock()
 	defer mu.Unlock()
@@ -183,6 +199,14 @@ func SetInPollNetMap(v bool) {
 	}
 }
 
+// GetInPollNetMap reports whether the client has an open
+// HTTP long poll open to the control plane.
+func GetInPollNetMap() bool {
+	mu.Lock()
+	defer mu.Unlock()
+	return inMapPoll
+}
+
 // SetMagicSockDERPHome notes what magicsock's view of its home DERP is.
 func SetMagicSockDERPHome(region int) {
 	mu.Lock()
@@ -284,7 +308,7 @@ func OverallError() error {
 	return overallErrorLocked()
 }
 
-var fakeErrForTesting = os.Getenv("TS_DEBUG_FAKE_HEALTH_ERROR")
+var fakeErrForTesting = envknob.String("TS_DEBUG_FAKE_HEALTH_ERROR")
 
 func overallErrorLocked() error {
 	if !anyInterfaceUp {

ipn/ipnlocal/dnsconfig_test.go

@@ -111,7 +111,8 @@ func TestDNSConfigForNetmap(t *testing.T) {
 			},
 			prefs: &ipn.Prefs{},
 			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+				OnlyIPv6: true,
+				Routes:   map[dnsname.FQDN][]dnstype.Resolver{},
 				Hosts: map[dnsname.FQDN][]netaddr.IP{
 					"b.net.":       ips("fe75::2"),
 					"myname.net.":  ips("fe75::1"),

ipn/ipnlocal/local.go

@@ -27,6 +27,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
@@ -38,6 +39,7 @@ import (
 	"tailscale.com/net/tsdial"
 	"tailscale.com/paths"
 	"tailscale.com/portlist"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
@@ -55,6 +57,7 @@ import (
 	"tailscale.com/version/distro"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
+	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/wgcfg"
 	"tailscale.com/wgengine/wgcfg/nmcfg"
@@ -63,7 +66,7 @@ import (
 var controlDebugFlags = getControlDebugFlags()
 
 func getControlDebugFlags() []string {
-	if e := os.Getenv("TS_DEBUG_CONTROL_FLAGS"); e != "" {
+	if e := envknob.String("TS_DEBUG_CONTROL_FLAGS"); e != "" {
 		return strings.Split(e, ",")
 	}
 	return nil
@@ -98,6 +101,7 @@ type LocalBackend struct {
 	serverURL             string           // tailcontrol URL
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string // or empty if SetVarRoot never called
+	sshAtomicBool         syncs.AtomicBool
 
 	filterHash deephash.Sum
 
@@ -377,9 +381,11 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		if b.netMap != nil {
 			s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
 			s.CertDomains = append([]string(nil), b.netMap.DNS.CertDomains...)
+			s.TailnetName = b.netMap.Domain
 		}
 	})
 	sb.MutateSelfStatus(func(ss *ipnstate.PeerStatus) {
+		ss.Online = health.GetInPollNetMap()
 		if b.netMap != nil {
 			ss.HostName = b.netMap.Hostinfo.Hostname
 			ss.DNSName = b.netMap.Name
@@ -536,6 +542,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		// Since st.NetMap==nil means "netmap is unchanged", there is
 		// no other way to represent this change.
 		b.setNetMapLocked(nil)
+		b.e.SetNetworkMap(new(netmap.NetworkMap))
 	}
 
 	prefs := b.prefs
@@ -1018,7 +1025,12 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 				// wifi": you get internet access, but to additionally
 				// get LAN access the LAN(s) need to be offered
 				// explicitly as well.
-				s, err := shrinkDefaultRoute(r)
+				localInterfaceRoutes, hostIPs, err := interfaceRoutes()
+				if err != nil {
+					b.logf("getting local interface routes: %v", err)
+					continue
+				}
+				s, err := shrinkDefaultRoute(r, localInterfaceRoutes, hostIPs)
 				if err != nil {
 					b.logf("computing default route filter: %v", err)
 					continue
@@ -1162,17 +1174,14 @@ func interfaceRoutes() (ips *netaddr.IPSet, hostIPs []netaddr.IP, err error) {
 }
 
 // shrinkDefaultRoute returns an IPSet representing the IPs in route,
-// minus those in removeFromDefaultRoute and local interface subnets.
-func shrinkDefaultRoute(route netaddr.IPPrefix) (*netaddr.IPSet, error) {
-	interfaceRoutes, hostIPs, err := interfaceRoutes()
-	if err != nil {
-		return nil, err
-	}
+// minus those in removeFromDefaultRoute and localInterfaceRoutes,
+// plus the IPs in hostIPs.
+func shrinkDefaultRoute(route netaddr.IPPrefix, localInterfaceRoutes *netaddr.IPSet, hostIPs []netaddr.IP) (*netaddr.IPSet, error) {
 	var b netaddr.IPSetBuilder
 	// Add the default route.
 	b.AddPrefix(route)
 	// Remove the local interface routes.
-	b.RemoveSet(interfaceRoutes)
+	b.RemoveSet(localInterfaceRoutes)
 
 	// Having removed all the LAN subnets, re-add the hosts's own
 	// IPs. It's fine for clients to connect to an exit node's public
@@ -1344,7 +1353,7 @@ func (b *LocalBackend) popBrowserAuthNow() {
 }
 
 // For testing lazy machine key generation.
-var panicOnMachineKeyGeneration, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_PANIC_MACHINE_KEY"))
+var panicOnMachineKeyGeneration = envknob.Bool("TS_DEBUG_PANIC_MACHINE_KEY")
 
 func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
 	var cache atomic.Value
@@ -1530,6 +1539,9 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 	}
 
 	b.logf("backend prefs for %q: %s", key, b.prefs.Pretty())
+
+	b.sshAtomicBool.Set(b.prefs != nil && b.prefs.RunSSH)
+
 	return nil
 }
 
@@ -1703,6 +1715,8 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {
 	netMap := b.netMap
 	stateKey := b.stateKey
 
+	b.sshAtomicBool.Set(newp.RunSSH)
+
 	oldp := b.prefs
 	newp.Persist = oldp.Persist // caller isn't allowed to override this
 	b.prefs = newp
@@ -1946,6 +1960,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 	// selfV6Only is whether we only have IPv6 addresses ourselves.
 	selfV6Only := tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs6) &&
 		!tsaddr.PrefixesContainsFunc(nm.Addresses, tsaddr.PrefixIs4)
+	dcfg.OnlyIPv6 = selfV6Only
 
 	// Populate MagicDNS records. We do this unconditionally so that
 	// quad-100 can always respond to MagicDNS queries, even if the OS
@@ -2115,7 +2130,7 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 		return b.varRoot
 	}
 	switch runtime.GOOS {
-	case "ios", "android":
+	case "ios", "android", "darwin":
 		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}
@@ -2377,7 +2392,9 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs) *router
 		}
 	}
 
-	rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	if tsaddr.PrefixesContainsFunc(rs.LocalAddrs, tsaddr.PrefixIs4) {
+		rs.Routes = append(rs.Routes, netaddr.IPPrefixFrom(tsaddr.TailscaleServiceIP(), 32))
+	}
 
 	return rs
 }
@@ -2609,8 +2626,11 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 	b.authURL = ""
 	b.authURLSticky = ""
 	b.activeLogin = ""
+	b.sshAtomicBool.Set(false)
 }
 
+func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Get() }
+
 // Logout tells the controlclient that we want to log out, and
 // transitions the local engine to the logged-out state without
 // waiting for controlclient to be in that state.
@@ -3134,3 +3154,33 @@ func exitNodeCanProxyDNS(nm *netmap.NetworkMap, exitNodeID tailcfg.StableNodeID)
 	}
 	return "", false
 }
+
+func (b *LocalBackend) DebugRebind() error {
+	mc, err := b.magicConn()
+	if err != nil {
+		return err
+	}
+	mc.Rebind()
+	return nil
+}
+
+func (b *LocalBackend) DebugReSTUN() error {
+	mc, err := b.magicConn()
+	if err != nil {
+		return err
+	}
+	mc.ReSTUN("explicit-debug")
+	return nil
+}
+
+func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
+	ig, ok := b.e.(wgengine.InternalsGetter)
+	if !ok {
+		return nil, errors.New("engine isn't InternalsGetter")
+	}
+	_, mc, ok := ig.GetInternals()
+	if !ok {
+		return nil, errors.New("failed to get internals")
+	}
+	return mc, nil
+}

ipn/ipnlocal/local_test.go

@@ -178,9 +178,31 @@ func TestShrinkDefaultRoute(t *testing.T) {
 		},
 	}
 
+	// Construct a fake local network environment to make this test hermetic.
+	// localInterfaceRoutes and hostIPs would normally come from calling interfaceRoutes,
+	// and localAddresses would normally come from calling interfaces.LocalAddresses.
+	var b netaddr.IPSetBuilder
+	for _, c := range []string{"127.0.0.0/8", "192.168.9.0/24", "fe80::/32"} {
+		p := netaddr.MustParseIPPrefix(c)
+		b.AddPrefix(p)
+	}
+	localInterfaceRoutes, err := b.IPSet()
+	if err != nil {
+		t.Fatal(err)
+	}
+	hostIPs := []netaddr.IP{
+		netaddr.MustParseIP("127.0.0.1"),
+		netaddr.MustParseIP("192.168.9.39"),
+		netaddr.MustParseIP("fe80::1"),
+		netaddr.MustParseIP("fe80::437d:feff:feca:49a7"),
+	}
+	localAddresses := []netaddr.IP{
+		netaddr.MustParseIP("192.168.9.39"),
+	}
+
 	for _, test := range tests {
 		def := netaddr.MustParseIPPrefix(test.route)
-		got, err := shrinkDefaultRoute(def)
+		got, err := shrinkDefaultRoute(def, localInterfaceRoutes, hostIPs)
 		if err != nil {
 			t.Fatalf("shrinkDefaultRoute(%q): %v", test.route, err)
 		}
@@ -194,11 +216,7 @@ func TestShrinkDefaultRoute(t *testing.T) {
 				t.Errorf("shrink(%q).Contains(%v) = true, want false", test.route, ip)
 			}
 		}
-		ips, _, err := interfaces.LocalAddresses()
-		if err != nil {
-			t.Fatal(err)
-		}
-		for _, ip := range ips {
+		for _, ip := range localAddresses {
 			want := test.localIPFn(ip)
 			if gotContains := got.Contains(ip); gotContains != want {
 				t.Errorf("shrink(%q).Contains(%v) = %v, want %v", test.route, ip, gotContains, want)

ipn/ipnlocal/peerapi.go

@@ -32,6 +32,7 @@ import (
 	"golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/health"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/logtail/backoff"
@@ -553,6 +554,12 @@ func (h *peerAPIHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case "/v0/metrics":
 		h.handleServeMetrics(w, r)
 		return
+	case "/v0/magicsock":
+		h.handleServeMagicsock(w, r)
+		return
+	case "/v0/dnsfwd":
+		h.handleServeDNSFwd(w, r)
+		return
 	}
 	who := h.peerUser.DisplayName
 	fmt.Fprintf(w, `<html>
@@ -781,6 +788,21 @@ func (h *peerAPIHandler) handleServeEnv(w http.ResponseWriter, r *http.Request)
 	json.NewEncoder(w).Encode(data)
 }
 
+func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Request) {
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
+		return
+	}
+	eng := h.ps.b.e
+	if ig, ok := eng.(wgengine.InternalsGetter); ok {
+		if _, mc, ok := ig.GetInternals(); ok {
+			mc.ServeHTTPDebug(w, r)
+			return
+		}
+	}
+	http.Error(w, "miswired", 500)
+}
+
 func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Request) {
 	if !h.isSelf {
 		http.Error(w, "not owner", http.StatusForbidden)
@@ -790,6 +812,19 @@ func (h *peerAPIHandler) handleServeMetrics(w http.ResponseWriter, r *http.Reque
 	clientmetric.WritePrometheusExpositionFormat(w)
 }
 
+func (h *peerAPIHandler) handleServeDNSFwd(w http.ResponseWriter, r *http.Request) {
+	if !h.isSelf {
+		http.Error(w, "not owner", http.StatusForbidden)
+		return
+	}
+	dh := health.DebugHandler("dnsfwd")
+	if dh == nil {
+		http.Error(w, "not wired up", 500)
+		return
+	}
+	dh.ServeHTTP(w, r)
+}
+
 func (h *peerAPIHandler) replyToDNSQueries() bool {
 	if h.isSelf {
 		// If the peer is owned by the same user, just allow it

ipn/ipnlocal/state_test.go

@@ -87,8 +87,9 @@ func (nt *notifyThrottler) drain(count int) []ipn.Notify {
 type mockControl struct {
 	tb         testing.TB
 	opts       controlclient.Options
-	logf       logger.Logf
+	logfActual logger.Logf
 	statusFunc func(controlclient.Status)
+	preventLog syncs.AtomicBool
 
 	mu          sync.Mutex
 	calls       []string
@@ -104,6 +105,13 @@ func newMockControl(tb testing.TB) *mockControl {
 	}
 }
 
+func (cc *mockControl) logf(format string, args ...interface{}) {
+	if cc.preventLog.Get() || cc.logfActual == nil {
+		return
+	}
+	cc.logfActual(format, args...)
+}
+
 func (cc *mockControl) SetStatusFunc(fn func(controlclient.Status)) {
 	cc.statusFunc = fn
 }
@@ -284,6 +292,7 @@ func TestStateMachine(t *testing.T) {
 	t.Cleanup(e.Close)
 
 	cc := newMockControl(t)
+	t.Cleanup(func() { cc.preventLog.Set(true) }) // hacky way to pacify issue 3020
 	b, err := NewLocalBackend(logf, "logid", store, nil, e)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
@@ -291,7 +300,7 @@ func TestStateMachine(t *testing.T) {
 	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
 		cc.mu.Lock()
 		cc.opts = opts
-		cc.logf = opts.Logf
+		cc.logfActual = opts.Logf
 		cc.authBlocked = true
 		cc.persist = cc.opts.Persist
 		cc.mu.Unlock()
@@ -305,6 +314,9 @@ func TestStateMachine(t *testing.T) {
 	notifies.expect(0)
 
 	b.SetNotifyCallback(func(n ipn.Notify) {
+		if cc.preventLog.Get() {
+			return
+		}
 		if n.State != nil ||
 			n.Prefs != nil ||
 			n.BrowseToURL != nil ||
@@ -315,6 +327,7 @@ func TestStateMachine(t *testing.T) {
 			logf("\n(ignored) %v\n\n", n)
 		}
 	})
+	t.Cleanup(func() { b.SetNotifyCallback(nil) }) // hacky way to pacify issue 3020
 
 	// Check that it hasn't called us right away.
 	// The state machine should be idle until we call Start().
@@ -948,7 +961,7 @@ func TestWGEngineStatusRace(t *testing.T) {
 	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
 		cc.mu.Lock()
 		defer cc.mu.Unlock()
-		cc.logf = opts.Logf
+		cc.logfActual = opts.Logf
 		return cc, nil
 	})
 

ipn/ipnserver/proxyconnect.go

@@ -0,0 +1,74 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnserver
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"net"
+	"net/http"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/types/logger"
+)
+
+// handleProxyConnectConn handles a CONNECT request to
+// log.tailscale.io (or whatever the configured log server is). This
+// is intended for use by the Windows GUI client to log via when an
+// exit node is in use, so the logs don't go out via the exit node and
+// instead go directly, like tailscaled's. The dialer tried to do that
+// in the unprivileged GUI by binding to a specific interface, but the
+// "Internet Kill Switch" installed by tailscaled for exit nodes
+// precludes that from working and instead the GUI fails to dial out.
+// So, go through tailscaled (with a CONNECT request) instead.
+func (s *Server) handleProxyConnectConn(ctx context.Context, br *bufio.Reader, c net.Conn, logf logger.Logf) {
+	defer c.Close()
+
+	c.SetReadDeadline(time.Now().Add(5 * time.Second)) // should be long enough to send the HTTP headers
+	req, err := http.ReadRequest(br)
+	if err != nil {
+		logf("ReadRequest: %v", err)
+		return
+	}
+	c.SetReadDeadline(time.Time{})
+
+	if req.Method != "CONNECT" {
+		logf("ReadRequest: unexpected method %q, not CONNECT", req.Method)
+		return
+	}
+
+	hostPort := req.RequestURI
+	logHost := logpolicy.LogHost()
+	allowed := net.JoinHostPort(logHost, "443")
+	if hostPort != allowed {
+		logf("invalid CONNECT target %q; want %q", hostPort, allowed)
+		io.WriteString(c, "HTTP/1.1 403 Forbidden\r\n\r\nBad CONNECT target.\n")
+		return
+	}
+
+	tr := logpolicy.NewLogtailTransport(logHost)
+	back, err := tr.DialContext(ctx, "tcp", hostPort)
+	if err != nil {
+		logf("error CONNECT dialing %v: %v", hostPort, err)
+		io.WriteString(c, "HTTP/1.1 502 Fail\r\n\r\nConnect failure.\n")
+		return
+	}
+	defer back.Close()
+
+	io.WriteString(c, "HTTP/1.1 200 OK\r\n\r\n")
+
+	errc := make(chan error, 2)
+	go func() {
+		_, err := io.Copy(c, back)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(back, br)
+		errc <- err
+	}()
+	<-errc
+}

ipn/ipnserver/server.go

@@ -20,6 +20,7 @@ import (
 	"os/exec"
 	"os/signal"
 	"os/user"
+	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
@@ -31,11 +32,11 @@ import (
 	"inet.af/netaddr"
 	"inet.af/peercred"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/localapi"
 	"tailscale.com/ipn/store/aws"
-	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/netstat"
 	"tailscale.com/net/tsdial"
@@ -239,12 +240,28 @@ func bufferHasHTTPRequest(br *bufio.Reader) bool {
 		mem.Contains(mem.B(peek), mem.S(" HTTP/"))
 }
 
+// bufferIsConnect reports whether br looks like it's likely an HTTP
+// CONNECT request.
+//
+// Invariant: br has already had at least 4 bytes Peek'ed.
+func bufferIsConnect(br *bufio.Reader) bool {
+	peek, _ := br.Peek(br.Buffered())
+	return mem.HasPrefix(mem.B(peek), mem.S("CONN"))
+}
+
 func (s *Server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	// First see if it's an HTTP request.
 	br := bufio.NewReader(c)
 	c.SetReadDeadline(time.Now().Add(time.Second))
 	br.Peek(4)
 	c.SetReadDeadline(time.Time{})
+
+	// Handle logtail CONNECT requests early. (See docs on handleProxyConnectConn)
+	if bufferIsConnect(br) {
+		s.handleProxyConnectConn(ctx, br, c, logf)
+		return
+	}
+
 	isHTTPReq := bufferHasHTTPRequest(br)
 
 	ci, err := s.addConn(c, isHTTPReq)
@@ -429,6 +446,26 @@ func (s *Server) localAPIPermissions(ci connIdentity) (read, write bool) {
 	return false, false
 }
 
+// connCanFetchCerts reports whether ci is allowed to fetch HTTPS
+// certs from this server when it wouldn't otherwise be able to.
+//
+// That is, this reports whether ci should grant additional
+// capabilities over what the conn would otherwise be able to do.
+//
+// For now this only returns true on Unix machines when
+// TS_PERMIT_CERT_UID is set the to the userid of the peer
+// connection. It's intended to give your non-root webserver access
+// (www-data, caddy, nginx, etc) to certs.
+func (s *Server) connCanFetchCerts(ci connIdentity) bool {
+	if ci.IsUnixSock && ci.Creds != nil {
+		connUID, ok := ci.Creds.UserID()
+		if ok && connUID == envknob.String("TS_PERMIT_CERT_UID") {
+			return true
+		}
+	}
+	return false
+}
+
 // registerDisconnectSub adds ch as a subscribe to connection disconnect
 // events. If add is false, the subscriber is removed.
 func (s *Server) registerDisconnectSub(ch chan<- struct{}, add bool) {
@@ -869,14 +906,6 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		panic("cannot determine executable: " + err.Error())
 	}
 
-	if runtime.GOOS == "windows" {
-		if len(args) != 2 && args[0] != "/subproc" {
-			panic(fmt.Sprintf("unexpected arguments %q", args))
-		}
-		logID := args[1]
-		logf = filelogger.New("tailscale-service", logID, logf)
-	}
-
 	var proc struct {
 		mu sync.Mutex
 		p  *os.Process
@@ -908,6 +937,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		startTime := time.Now()
 		log.Printf("exec: %#v %v", executable, args)
 		cmd := exec.Command(executable, args...)
+		if runtime.GOOS == "windows" {
+			extraEnv, err := loadExtraEnv()
+			if err != nil {
+				logf("errors loading extra env file; ignoring: %v", err)
+			} else {
+				cmd.Env = append(os.Environ(), extraEnv...)
+			}
+		}
 
 		// Create a pipe object to use as the subproc's stdin.
 		// When the writer goes away, the reader gets EOF.
@@ -1059,6 +1096,7 @@ func (psc *protoSwitchConn) Close() error {
 func (s *Server) localhostHandler(ci connIdentity) http.Handler {
 	lah := localapi.NewHandler(s.b, s.logf, s.backendLogID)
 	lah.PermitRead, lah.PermitWrite = s.localAPIPermissions(ci)
+	lah.PermitCert = s.connCanFetchCerts(ci)
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if strings.HasPrefix(r.URL.Path, "/localapi/") {
@@ -1177,3 +1215,47 @@ func findTrueNASTaildropDir(name string) (dir string, err error) {
 	}
 	return "", fmt.Errorf("shared folder %q not found", name)
 }
+
+func loadExtraEnv() (env []string, err error) {
+	if runtime.GOOS != "windows" {
+		return nil, nil
+	}
+	name := filepath.Join(os.Getenv("ProgramData"), "Tailscale", "tailscaled-env.txt")
+	contents, err := os.ReadFile(name)
+	if os.IsNotExist(err) {
+		return nil, nil
+	}
+	if err != nil {
+		return nil, err
+	}
+	for _, line := range strings.Split(string(contents), "\n") {
+		line = strings.TrimSpace(line)
+		if line == "" || line[0] == '#' {
+			continue
+		}
+		k, v, ok := stringsCut(line, "=")
+		if !ok || k == "" {
+			continue
+		}
+		if strings.HasPrefix(v, `"`) {
+			var err error
+			v, err = strconv.Unquote(v)
+			if err != nil {
+				return nil, fmt.Errorf("invalid value in line %q: %v", line, err)
+			}
+			env = append(env, k+"="+v)
+		} else {
+			env = append(env, line)
+		}
+	}
+	return env, nil
+}
+
+// stringsCut is Go 1.18's strings.Cut.
+// TODO(bradfitz): delete this when we depend on Go 1.18.
+func stringsCut(s, sep string) (before, after string, found bool) {
+	if i := strings.Index(s, sep); i >= 0 {
+		return s[:i], s[i+len(sep):], true
+	}
+	return s, "", false
+}

ipn/ipnstate/ipnstate.go

@@ -33,6 +33,10 @@ type Status struct {
 	//  "Starting", "Running".
 	BackendState string
 
+	// TailnetName is the name of the network that's currently in
+	// use.
+	TailnetName string
+
 	AuthURL      string       // current URL provided by control to authorize client
 	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
 	Self         *PeerStatus

ipn/localapi/cert.go

@@ -29,12 +29,12 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"golang.org/x/crypto/acme"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/types/logger"
 )
@@ -63,10 +63,10 @@ func (h *Handler) certDir() (string, error) {
 	return full, nil
 }
 
-var acmeDebug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_ACME"))
+var acmeDebug = envknob.Bool("TS_DEBUG_ACME")
 
 func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
+	if !h.PermitWrite && !h.PermitCert {
 		http.Error(w, "cert access denied", http.StatusForbidden)
 		return
 	}

ipn/localapi/localapi.go

@@ -52,8 +52,15 @@ type Handler struct {
 	PermitRead bool
 
 	// PermitWrite is whether mutating HTTP handlers are allowed.
+	// If PermitWrite is true, everything is allowed.
+	// It effectively means that the user is root or the admin
+	// (operator user).
 	PermitWrite bool
 
+	// PermitCert is whether the client is additionally granted
+	// cert fetching access.
+	PermitCert bool
+
 	b            *ipnlocal.LocalBackend
 	logf         logger.Logf
 	backendLogID string
@@ -113,6 +120,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveDERPMap(w, r)
 	case "/localapi/v0/metrics":
 		h.serveMetrics(w, r)
+	case "/localapi/v0/debug":
+		h.serveDebug(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -195,6 +204,35 @@ func (h *Handler) serveMetrics(w http.ResponseWriter, r *http.Request) {
 	clientmetric.WritePrometheusExpositionFormat(w)
 }
 
+func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "debug access denied", http.StatusForbidden)
+		return
+	}
+	if r.Method != "POST" {
+		http.Error(w, "POST required", http.StatusMethodNotAllowed)
+		return
+	}
+	action := r.FormValue("action")
+	var err error
+	switch action {
+	case "rebind":
+		err = h.b.DebugRebind()
+	case "restun":
+		err = h.b.DebugReSTUN()
+	case "":
+		err = fmt.Errorf("missing parameter 'action'")
+	default:
+		err = fmt.Errorf("unknown action %q", action)
+	}
+	if err != nil {
+		http.Error(w, err.Error(), 400)
+		return
+	}
+	w.Header().Set("Content-Type", "text/plain")
+	io.WriteString(w, "done\n")
+}
+
 // serveProfileFunc is the implementation of Handler.serveProfile, after auth,
 // for platforms where we want to link it in.
 var serveProfileFunc func(http.ResponseWriter, *http.Request)

ipn/prefs.go

@@ -98,6 +98,11 @@ type Prefs struct {
 	// DNS configuration, if it exists.
 	CorpDNS bool
 
+	// RunSSH bool is whether this node should run an SSH
+	// server, permitting access to peers according to the
+	// policies as configured by the Tailnet's admin(s).
+	RunSSH bool
+
 	// WantRunning indicates whether networking should be active on
 	// this node.
 	WantRunning bool
@@ -193,6 +198,7 @@ type MaskedPrefs struct {
 	ExitNodeIPSet             bool `json:",omitempty"`
 	ExitNodeAllowLANAccessSet bool `json:",omitempty"`
 	CorpDNSSet                bool `json:",omitempty"`
+	RunSSHSet                 bool `json:",omitempty"`
 	WantRunningSet            bool `json:",omitempty"`
 	LoggedOutSet              bool `json:",omitempty"`
 	ShieldsUpSet              bool `json:",omitempty"`
@@ -277,6 +283,9 @@ func (p *Prefs) pretty(goos string) string {
 		sb.WriteString("mesh=false ")
 	}
 	fmt.Fprintf(&sb, "dns=%v want=%v ", p.CorpDNS, p.WantRunning)
+	if p.RunSSH {
+		sb.WriteString("ssh=true ")
+	}
 	if p.LoggedOut {
 		sb.WriteString("loggedout=true ")
 	}
@@ -348,6 +357,7 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.ExitNodeIP == p2.ExitNodeIP &&
 		p.ExitNodeAllowLANAccess == p2.ExitNodeAllowLANAccess &&
 		p.CorpDNS == p2.CorpDNS &&
+		p.RunSSH == p2.RunSSH &&
 		p.WantRunning == p2.WantRunning &&
 		p.LoggedOut == p2.LoggedOut &&
 		p.NotepadURLs == p2.NotepadURLs &&
@@ -426,6 +436,47 @@ func (p *Prefs) AdminPageURL() string {
 	return url + "/admin/machines"
 }
 
+// AdvertisesExitNode reports whether p is advertising both the v4 and
+// v6 /0 exit node routes.
+func (p *Prefs) AdvertisesExitNode() bool {
+	if p == nil {
+		return false
+	}
+	var v4, v6 bool
+	for _, r := range p.AdvertiseRoutes {
+		if r.Bits() != 0 {
+			continue
+		}
+		if r.IP().Is4() {
+			v4 = true
+		} else if r.IP().Is6() {
+			v6 = true
+		}
+	}
+	return v4 && v6
+}
+
+// SetAdvertiseExitNode mutates p (if non-nil) to add or remove the two
+// /0 exit node routes.
+func (p *Prefs) SetAdvertiseExitNode(runExit bool) {
+	if p == nil {
+		return
+	}
+	all := p.AdvertiseRoutes
+	p.AdvertiseRoutes = p.AdvertiseRoutes[:0]
+	for _, r := range all {
+		if r.Bits() != 0 {
+			p.AdvertiseRoutes = append(p.AdvertiseRoutes, r)
+		}
+	}
+	if !runExit {
+		return
+	}
+	p.AdvertiseRoutes = append(p.AdvertiseRoutes,
+		netaddr.IPPrefixFrom(netaddr.IPv4(0, 0, 0, 0), 0),
+		netaddr.IPPrefixFrom(netaddr.IPv6Unspecified(), 0))
+}
+
 // PrefsFromBytes deserializes Prefs from a JSON blob. If
 // enforceDefaults is true, Prefs.RouteAll and Prefs.AllowSingleHosts
 // are forced on.

ipn/prefs_clone.go

@@ -40,6 +40,7 @@ var _PrefsCloneNeedsRegeneration = Prefs(struct {
 	ExitNodeIP             netaddr.IP
 	ExitNodeAllowLANAccess bool
 	CorpDNS                bool
+	RunSSH                 bool
 	WantRunning            bool
 	LoggedOut              bool
 	ShieldsUp              bool

ipn/prefs_test.go

@@ -42,6 +42,7 @@ func TestPrefsEqual(t *testing.T) {
 		"ExitNodeIP",
 		"ExitNodeAllowLANAccess",
 		"CorpDNS",
+		"RunSSH",
 		"WantRunning",
 		"LoggedOut",
 		"ShieldsUp",
@@ -646,3 +647,35 @@ func TestMaskedPrefsPretty(t *testing.T) {
 		}
 	}
 }
+
+func TestPrefsExitNode(t *testing.T) {
+	var p *Prefs
+	if p.AdvertisesExitNode() {
+		t.Errorf("nil shouldn't advertise exit node")
+	}
+	p = NewPrefs()
+	if p.AdvertisesExitNode() {
+		t.Errorf("default shouldn't advertise exit node")
+	}
+	p.AdvertiseRoutes = []netaddr.IPPrefix{
+		netaddr.MustParseIPPrefix("10.0.0.0/16"),
+	}
+	p.SetAdvertiseExitNode(true)
+	if got, want := len(p.AdvertiseRoutes), 3; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+	p.SetAdvertiseExitNode(true)
+	if got, want := len(p.AdvertiseRoutes), 3; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+	if !p.AdvertisesExitNode() {
+		t.Errorf("not advertising after enable")
+	}
+	p.SetAdvertiseExitNode(false)
+	if p.AdvertisesExitNode() {
+		t.Errorf("advertising after disable")
+	}
+	if got, want := len(p.AdvertiseRoutes), 1; got != want {
+		t.Errorf("routes = %d; want %d", got, want)
+	}
+}

logpolicy/logpolicy.go

@@ -8,11 +8,14 @@
 package logpolicy
 
 import (
+	"bufio"
 	"bytes"
 	"context"
 	"crypto/tls"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"log"
 	"net"
@@ -22,13 +25,14 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
 
 	"golang.org/x/term"
 	"tailscale.com/atomicfile"
+	"tailscale.com/envknob"
+	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail"
 	"tailscale.com/logtail/filch"
 	"tailscale.com/net/dnscache"
@@ -38,6 +42,7 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/paths"
+	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
@@ -65,6 +70,15 @@ func getLogTarget() string {
 	return getLogTargetOnce.v
 }
 
+// LogHost returns the hostname only (without port) of the configured
+// logtail server, or the default.
+func LogHost() string {
+	if v := getLogTarget(); v != "" {
+		return v
+	}
+	return logtail.DefaultHost
+}
+
 // Config represents an instance of logs in a collection.
 type Config struct {
 	Collection string
@@ -213,7 +227,7 @@ func runningUnderSystemd() bool {
 }
 
 func redirectStderrToLogPanics() bool {
-	return runningUnderSystemd() || os.Getenv("TS_PLEASE_PANIC") != ""
+	return runningUnderSystemd() || envknob.Bool("TS_PLEASE_PANIC")
 }
 
 // winProgramDataAccessible reports whether the directory (assumed to
@@ -391,7 +405,7 @@ func New(collection string) *Policy {
 	} else {
 		lflags = log.LstdFlags
 	}
-	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_LOG_TIME")); v {
+	if envknob.Bool("TS_DEBUG_LOG_TIME") {
 		lflags = log.LstdFlags | log.Lmicroseconds
 	}
 	if runningUnderSystemd() {
@@ -524,8 +538,20 @@ func New(collection string) *Policy {
 		}
 	}
 	lw := logtail.NewLogger(c, log.Printf)
+
+	var logOutput io.Writer = lw
+
+	if runtime.GOOS == "windows" && c.Collection == logtail.CollectionNode {
+		logID := newc.PublicID.String()
+		exe, _ := os.Executable()
+		if strings.EqualFold(filepath.Base(exe), "tailscaled.exe") {
+			diskLogf := filelogger.New("tailscale-service", logID, lw.Logf)
+			logOutput = logger.FuncWriter(diskLogf)
+		}
+	}
+
 	log.SetFlags(0) // other logflags are set on console, not here
-	log.SetOutput(lw)
+	log.SetOutput(logOutput)
 
 	log.Printf("Program starting: v%v, Go %v: %#v",
 		version.Long,
@@ -602,6 +628,24 @@ func NewLogtailTransport(host string) *http.Transport {
 			return c, nil
 		}
 
+		if version.IsWindowsGUI() && strings.HasPrefix(netw, "tcp") {
+			if c, err := safesocket.Connect(safesocket.DefaultConnectionStrategy("")); err == nil {
+				fmt.Fprintf(c, "CONNECT %s HTTP/1.0\r\n\r\n", addr)
+				br := bufio.NewReader(c)
+				res, err := http.ReadResponse(br, nil)
+				if err == nil && res.StatusCode != 200 {
+					err = errors.New(res.Status)
+				}
+				if err != nil {
+					log.Printf("logtail: CONNECT response from tailscaled: %v", err)
+					c.Close()
+				} else {
+					log.Printf("logtail: connected via tailscaled")
+					return c, nil
+				}
+			}
+		}
+
 		// If we failed to dial, try again with bootstrap DNS.
 		log.Printf("logtail: dial %q failed: %v (in %v), trying bootstrap...", addr, err, d)
 		dnsCache := &dnscache.Resolver{
@@ -626,7 +670,7 @@ func NewLogtailTransport(host string) *http.Transport {
 	// TODO(bradfitz): remove this debug knob once we've decided
 	// to upload via HTTP/1 or HTTP/2 (probably HTTP/1). Or we might just enforce
 	// it server-side.
-	if h1, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_FORCE_H1_LOGS")); h1 {
+	if envknob.Bool("TS_DEBUG_FORCE_H1_LOGS") {
 		tr.TLSClientConfig = nil // DefaultTransport's was already initialized w/ h2
 		tr.ForceAttemptHTTP2 = false
 		tr.TLSNextProto = map[string]func(authority string, c *tls.Conn) http.RoundTripper{}

logtail/logtail.go

@@ -431,6 +431,21 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	// For now just factor in a dozen.
 	overhead += 12
 
+	// Put a sanity cap on buf's size.
+	max := 16 << 10
+	if l.lowMem {
+		max = 255
+	}
+	var nTruncated int
+	if len(buf) > max {
+		nTruncated = len(buf) - max
+		// TODO: this can break a UTF-8 character
+		// mid-encoding.  We don't tend to log
+		// non-ASCII stuff ourselves, but e.g. client
+		// names might be.
+		buf = buf[:max]
+	}
+
 	b := make([]byte, 0, len(buf)+overhead)
 	b = append(b, '{')
 
@@ -449,7 +464,7 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
 	}
 
 	b = append(b, "\"text\": \""...)
-	for i, c := range buf {
+	for _, c := range buf {
 		switch c {
 		case '\b':
 			b = append(b, '\\', 'b')
@@ -469,14 +484,10 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool) []byte {
 			// TODO: what about binary gibberish or non UTF-8?
 			b = append(b, c)
 		}
-		if l.lowMem && i > 254 {
-			// TODO: this can break a UTF-8 character
-			// mid-encoding.  We don't tend to log
-			// non-ASCII stuff ourselves, but e.g. client
-			// names might be.
-			b = append(b, "…"...)
-			break
-		}
+	}
+	if nTruncated > 0 {
+		b = append(b, "…+"...)
+		b = strconv.AppendInt(b, int64(nTruncated), 10)
 	}
 	b = append(b, "\"}\n"...)
 	return b
@@ -523,6 +534,11 @@ func (l *Logger) encode(buf []byte) []byte {
 	return b
 }
 
+// Logf logs to l using the provided fmt-style format and optional arguments.
+func (l *Logger) Logf(format string, args ...interface{}) {
+	fmt.Fprintf(l, format, args...)
+}
+
 // Write logs an encoded JSON blob.
 //
 // If the []byte passed to Write is not an encoded JSON blob,

logtail/logtail_test.go

@@ -5,6 +5,7 @@
 package logtail
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"io"
@@ -323,3 +324,14 @@ func unmarshalOne(t *testing.T, body []byte) map[string]interface{} {
 	}
 	return entries[0]
 }
+
+func TestEncodeTextTruncation(t *testing.T) {
+	lg := &Logger{timeNow: time.Now, lowMem: true}
+	in := bytes.Repeat([]byte("a"), 300)
+	b := lg.encodeText(in, true)
+	got := string(b)
+	want := `{"text": "` + strings.Repeat("a", 255) + `…+45"}` + "\n"
+	if got != want {
+		t.Errorf("got:\n%qwant:\n%q\n", got, want)
+	}
+}

net/dns/config.go

@@ -11,6 +11,7 @@ import (
 
 	"inet.af/netaddr"
 	"tailscale.com/net/dns/resolver"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
 )
@@ -40,6 +41,16 @@ type Config struct {
 	// it to resolve, you also need to add appropriate routes to
 	// Routes.
 	Hosts map[dnsname.FQDN][]netaddr.IP
+	// OnlyIPv6, if true, uses the IPv6 service IP (for MagicDNS)
+	// instead of the IPv4 version (100.100.100.100).
+	OnlyIPv6 bool
+}
+
+func (c *Config) serviceIP() netaddr.IP {
+	if c.OnlyIPv6 {
+		return tsaddr.TailscaleServiceIPv6()
+	}
+	return tsaddr.TailscaleServiceIP()
 }
 
 // WriteToBufioWriter write a debug version of c for logs to w, omitting

net/dns/direct.go

@@ -344,7 +344,14 @@ func (m *directManager) SetDNS(config OSConfig) (err error) {
 	// cause a disruptive DNS outage each time we reset an empty
 	// OS configuration.
 	if changed && isResolvedRunning() && !runningAsGUIDesktopUser() {
-		exec.Command("systemctl", "restart", "systemd-resolved.service").Run()
+		t0 := time.Now()
+		err := restartResolved()
+		d := time.Since(t0).Round(time.Millisecond)
+		if err != nil {
+			m.logf("error restarting resolved after %v: %v", d, err)
+		} else {
+			m.logf("restarted resolved after %v", d)
+		}
 	}
 
 	return nil

net/dns/manager.go

@@ -12,7 +12,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/health"
 	"tailscale.com/net/dns/resolver"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/logger"
@@ -122,7 +121,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 		// through quad-100.
 		rcfg.Routes = routes
 		rcfg.Routes["."] = cfg.DefaultResolvers
-		ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+		ocfg.Nameservers = []netaddr.IP{cfg.serviceIP()}
 		return rcfg, ocfg, nil
 	}
 
@@ -159,7 +158,7 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 	// or routes + MagicDNS, or just MagicDNS, or on an OS that cannot
 	// split-DNS. Install a split config pointing at quad-100.
 	rcfg.Routes = routes
-	ocfg.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
+	ocfg.Nameservers = []netaddr.IP{cfg.serviceIP()}
 
 	// If the OS can't do native split-dns, read out the underlying
 	// resolver config and blend it into our config.

net/dns/manager_linux.go

@@ -95,6 +95,7 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 		// try to program resolved in that case.
 		// https://github.com/tailscale/tailscale/issues/2136
 		if err := resolvedIsActuallyResolver(bs); err != nil {
+			logf("dns: resolvedIsActuallyResolver error: %v", err)
 			dbg("resolved", "not-in-use")
 			return "direct", nil
 		}
@@ -184,6 +185,7 @@ func dnsMode(logf logger.Logf, env newOSConfigEnv) (ret string, err error) {
 		// Sometimes, NetworkManager owns the configuration but points
 		// it at systemd-resolved.
 		if err := resolvedIsActuallyResolver(bs); err != nil {
+			logf("dns: resolvedIsActuallyResolver error: %v", err)
 			dbg("resolved", "not-in-use")
 			// You'd think we would use newNMManager here. However, as
 			// explained in
@@ -300,7 +302,7 @@ func resolvedIsActuallyResolver(bs []byte) error {
 	}
 	for _, ns := range cfg.Nameservers {
 		if ns != netaddr.IPv4(127, 0, 0, 53) {
-			return errors.New("resolv.conf doesn't point to systemd-resolved")
+			return fmt.Errorf("resolv.conf doesn't point to systemd-resolved; points to %v", cfg.Nameservers)
 		}
 	}
 	return nil

net/dns/manager_linux_test.go

@@ -34,8 +34,9 @@ func TestLinuxDNSMode(t *testing.T) {
 				resolvDotConf(
 					"# Managed by NetworkManager",
 					"nameserver 10.0.0.1")),
-			wantLog: "dns: [rc=nm resolved=not-in-use ret=direct]",
-			want:    "direct",
+			wantLog: "dns: resolvedIsActuallyResolver error: resolv.conf doesn't point to systemd-resolved; points to [10.0.0.1]\n" +
+				"dns: [rc=nm resolved=not-in-use ret=direct]",
+			want: "direct",
 		},
 		{
 			name:    "resolvconf_but_no_resolvconf_binary",
@@ -123,10 +124,11 @@ func TestLinuxDNSMode(t *testing.T) {
 			// alleged that it was managed by systemd-resolved, but it
 			// was actually a completely static config file pointing
 			// elsewhere.
-			name:    "allegedly_resolved_but_not_in_resolv.conf",
-			env:     env(resolvDotConf("# Managed by systemd-resolved", "nameserver 10.0.0.1")),
-			wantLog: "dns: [rc=resolved resolved=not-in-use ret=direct]",
-			want:    "direct",
+			name: "allegedly_resolved_but_not_in_resolv.conf",
+			env:  env(resolvDotConf("# Managed by systemd-resolved", "nameserver 10.0.0.1")),
+			wantLog: "dns: resolvedIsActuallyResolver error: resolv.conf doesn't point to systemd-resolved; points to [10.0.0.1]\n" +
+				"dns: [rc=resolved resolved=not-in-use ret=direct]",
+			want: "direct",
 		},
 		{
 			// We used to incorrectly decide that resolved wasn't in

net/dns/manager_openbsd.go

@@ -4,8 +4,71 @@
 
 package dns
 
-import "tailscale.com/types/logger"
+import (
+	"bytes"
+	"fmt"
+	"os"
 
-func NewOSConfigurator(logf logger.Logf, _ string) (OSConfigurator, error) {
+	"tailscale.com/types/logger"
+)
+
+type kv struct {
+	k, v string
+}
+
+func (kv kv) String() string {
+	return fmt.Sprintf("%s=%s", kv.k, kv.v)
+}
+
+func NewOSConfigurator(logf logger.Logf, interfaceName string) (OSConfigurator, error) {
+	return newOSConfigurator(logf, interfaceName,
+		newOSConfigEnv{
+			rcIsResolvd: rcIsResolvd,
+			fs:          directFS{},
+		})
+}
+
+// newOSConfigEnv are the funcs newOSConfigurator needs, pulled out for testing.
+type newOSConfigEnv struct {
+	fs          directFS
+	rcIsResolvd func(resolvConfContents []byte) bool
+}
+
+func newOSConfigurator(logf logger.Logf, interfaceName string, env newOSConfigEnv) (ret OSConfigurator, err error) {
+	var debug []kv
+	dbg := func(k, v string) {
+		debug = append(debug, kv{k, v})
+	}
+	defer func() {
+		if ret != nil {
+			dbg("ret", fmt.Sprintf("%T", ret))
+		}
+		logf("dns: %v", debug)
+	}()
+
+	bs, err := env.fs.ReadFile(resolvConf)
+	if os.IsNotExist(err) {
+		dbg("rc", "missing")
+		return newDirectManager(logf), nil
+	}
+	if err != nil {
+		return nil, fmt.Errorf("reading /etc/resolv.conf: %w", err)
+	}
+
+	if env.rcIsResolvd(bs) {
+		dbg("resolvd", "yes")
+		return newResolvdManager(logf, interfaceName)
+	}
+
+	dbg("resolvd", "missing")
 	return newDirectManager(logf), nil
 }
+
+func rcIsResolvd(resolvConfContents []byte) bool {
+	// If we have the string "# resolvd:" in resolv.conf resolvd(8) is
+	// managing things.
+	if bytes.Contains(resolvConfContents, []byte("# resolvd:")) {
+		return true
+	}
+	return false
+}

net/dns/manager_windows.go

@@ -17,6 +17,7 @@ import (
 	"golang.org/x/sys/windows/registry"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )
@@ -34,6 +35,8 @@ const (
 	versionKey = `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
 )
 
+var configureWSL = envknob.Bool("TS_DEBUG_CONFIGURE_WSL")
+
 type windowsManager struct {
 	logf       logger.Logf
 	guid       string
@@ -307,13 +310,15 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {
 
 	// On initial setup of WSL, the restart caused by --shutdown is slow,
 	// so we do it out-of-line.
-	go func() {
-		if err := m.wslManager.SetDNS(cfg); err != nil {
-			m.logf("WSL SetDNS: %v", err) // continue
-		} else {
-			m.logf("WSL SetDNS: success")
-		}
-	}()
+	if configureWSL {
+		go func() {
+			if err := m.wslManager.SetDNS(cfg); err != nil {
+				m.logf("WSL SetDNS: %v", err) // continue
+			} else {
+				m.logf("WSL SetDNS: success")
+			}
+		}()
+	}
 
 	return nil
 }

net/dns/resolvd.go

@@ -0,0 +1,161 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build openbsd
+// +build openbsd
+
+package dns
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"regexp"
+	"strings"
+
+	"inet.af/netaddr"
+	"tailscale.com/types/logger"
+	"tailscale.com/util/dnsname"
+)
+
+func newResolvdManager(logf logger.Logf, interfaceName string) (*resolvdManager, error) {
+	return &resolvdManager{
+		logf:   logf,
+		ifName: interfaceName,
+		fs:     directFS{},
+	}, nil
+}
+
+// resolvdManager is an OSConfigurator which uses route(1) to teach OpenBSD's
+// resolvd(8) about DNS servers.
+type resolvdManager struct {
+	logf   logger.Logf
+	ifName string
+	fs     directFS
+}
+
+func (m *resolvdManager) SetDNS(config OSConfig) error {
+	args := []string{
+		"nameserver",
+		m.ifName,
+	}
+
+	origResolv, err := m.readAndCopy(resolvConf, backupConf, 0644)
+	if err != nil {
+		return err
+	}
+	newResolvConf := removeSearchLines(origResolv)
+
+	for _, ns := range config.Nameservers {
+		args = append(args, ns.String())
+	}
+
+	var newSearch = []string{
+		"search",
+	}
+	for _, s := range config.SearchDomains {
+		newSearch = append(newSearch, s.WithoutTrailingDot())
+	}
+
+	newResolvConf = append(newResolvConf, []byte(strings.Join(newSearch, " "))...)
+
+	err = m.fs.WriteFile(resolvConf, newResolvConf, 0644)
+	if err != nil {
+		return err
+	}
+
+	cmd := exec.Command("/sbin/route", args...)
+	return cmd.Run()
+}
+
+func (m *resolvdManager) SupportsSplitDNS() bool {
+	return false
+}
+
+func (m *resolvdManager) GetBaseConfig() (OSConfig, error) {
+	cfg, err := m.readResolvConf()
+	if err != nil {
+		return OSConfig{}, err
+	}
+
+	return cfg, nil
+}
+
+func (m *resolvdManager) Close() error {
+	// resolvd handles teardown of nameservers so we only need to write back the original
+	// config and be done.
+
+	_, err := m.readAndCopy(backupConf, resolvConf, 0644)
+	if err != nil {
+		return err
+	}
+
+	return m.fs.Remove(backupConf)
+}
+
+func (m *resolvdManager) readAndCopy(a, b string, mode os.FileMode) ([]byte, error) {
+	orig, err := m.fs.ReadFile(a)
+	if err != nil {
+		return nil, err
+	}
+	err = m.fs.WriteFile(b, orig, mode)
+	if err != nil {
+		return nil, err
+	}
+
+	return orig, nil
+}
+
+func (m resolvdManager) readResolvConf() (config OSConfig, err error) {
+	b, err := m.fs.ReadFile(resolvConf)
+	if err != nil {
+		return OSConfig{}, err
+	}
+
+	scanner := bufio.NewScanner(bytes.NewReader(b))
+	for scanner.Scan() {
+		line := strings.TrimSpace(scanner.Text())
+
+		// resolvd manages "nameserver" lines, we only need to handle
+		// "search".
+		if strings.HasPrefix(line, "search") {
+			domain := strings.TrimPrefix(line, "search")
+			domain = strings.TrimSpace(domain)
+			fqdn, err := dnsname.ToFQDN(domain)
+			if err != nil {
+				return OSConfig{}, fmt.Errorf("parsing search domains %q: %w", line, err)
+			}
+			config.SearchDomains = append(config.SearchDomains, fqdn)
+			continue
+		}
+
+		if strings.HasPrefix(line, "nameserver") {
+			s := strings.TrimPrefix(line, "nameserver")
+			parts := strings.Split(s, " # ")
+			if len(parts) == 0 {
+				return OSConfig{}, err
+			}
+			nameserver := strings.TrimSpace(parts[0])
+			ip, err := netaddr.ParseIP(nameserver)
+			if err != nil {
+				return OSConfig{}, err
+			}
+			config.Nameservers = append(config.Nameservers, ip)
+			continue
+		}
+	}
+
+	if err = scanner.Err(); err != nil {
+		return OSConfig{}, err
+	}
+
+	return config, nil
+}
+
+func removeSearchLines(orig []byte) []byte {
+	re := regexp.MustCompile(`(?m)^search\s+.+$`)
+	return re.ReplaceAll(orig, []byte(""))
+}

net/dns/resolver/debug.go

@@ -0,0 +1,78 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package resolver
+
+import (
+	"fmt"
+	"html"
+	"net/http"
+	"strconv"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"tailscale.com/health"
+)
+
+func init() {
+	health.RegisterDebugHandler("dnsfwd", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		n, _ := strconv.Atoi(r.FormValue("n"))
+		if n <= 0 {
+			n = 100
+		} else if n > 10000 {
+			n = 10000
+		}
+		fl, ok := fwdLogAtomic.Load().(*fwdLog)
+		if !ok || n != len(fl.ent) {
+			fl = &fwdLog{ent: make([]fwdLogEntry, n)}
+			fwdLogAtomic.Store(fl)
+		}
+		fl.ServeHTTP(w, r)
+	}))
+}
+
+var fwdLogAtomic atomic.Value // of *fwdLog
+
+type fwdLog struct {
+	mu  sync.Mutex
+	pos int // ent[pos] is next entry
+	ent []fwdLogEntry
+}
+
+type fwdLogEntry struct {
+	Domain string
+	Time   time.Time
+}
+
+func (fl *fwdLog) addName(name string) {
+	if fl == nil {
+		return
+	}
+	fl.mu.Lock()
+	defer fl.mu.Unlock()
+	if len(fl.ent) == 0 {
+		return
+	}
+	fl.ent[fl.pos] = fwdLogEntry{Domain: name, Time: time.Now()}
+	fl.pos++
+	if fl.pos == len(fl.ent) {
+		fl.pos = 0
+	}
+}
+
+func (fl *fwdLog) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	fl.mu.Lock()
+	defer fl.mu.Unlock()
+
+	fmt.Fprintf(w, "<html><h1>DNS forwards</h1>")
+	now := time.Now()
+	for i := 0; i < len(fl.ent); i++ {
+		ent := fl.ent[(i+fl.pos)%len(fl.ent)]
+		if ent.Domain == "" {
+			continue
+		}
+		fmt.Fprintf(w, "%v ago: %v<br>\n", now.Sub(ent.Time).Round(time.Second), html.EscapeString(ent.Domain))
+	}
+}

net/dns/resolver/forwarder.go

@@ -25,6 +25,7 @@ import (
 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
+	"tailscale.com/net/neterror"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/types/dnstype"
@@ -482,7 +483,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		if err := ctx.Err(); err != nil {
 			return nil, err
 		}
-		if packetWasTruncated(err) {
+		if neterror.PacketWasTruncated(err) {
 			err = nil
 		} else {
 			metricDNSFwdUDPErrorRead.Add(1)
@@ -576,8 +577,8 @@ func (f *forwarder) forward(query packet) error {
 	return f.forwardWithDestChan(ctx, query, f.responses)
 }
 
-// forward forwards the query to all upstream nameservers and waits
-// for the first response.
+// forwardWithDestChan forwards the query to all upstream nameservers
+// and waits for the first response.
 //
 // It either sends to responseChan and returns nil, or returns a
 // non-nil error (without sending to the channel).
@@ -598,7 +599,21 @@ func (f *forwarder) forwardWithDestChan(ctx context.Context, query packet, respo
 	// out, playing on Sonos still works.
 	if hasRDNSBonjourPrefix(domain) {
 		metricDNSFwdDropBonjour.Add(1)
-		return nil
+		res, err := nxDomainResponse(query)
+		if err != nil {
+			f.logf("error parsing bonjour query: %v", err)
+			return nil
+		}
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case responseChan <- res:
+			return nil
+		}
+	}
+
+	if fl, ok := fwdLogAtomic.Load().(*fwdLog); ok {
+		fl.addName(string(domain))
 	}
 
 	clampEDNSSize(query.bs, maxResponseBytes)
@@ -696,6 +711,28 @@ func nameFromQuery(bs []byte) (dnsname.FQDN, error) {
 	return dnsname.ToFQDN(rawNameToLower(n))
 }
 
+// nxDomainResponse returns an NXDomain DNS reply for the provided request.
+func nxDomainResponse(req packet) (res packet, err error) {
+	p := dnsParserPool.Get().(*dnsParser)
+	defer dnsParserPool.Put(p)
+
+	if err := p.parseQuery(req.bs); err != nil {
+		return packet{}, err
+	}
+
+	h := p.Header
+	h.Response = true
+	h.RecursionAvailable = h.RecursionDesired
+	h.RCode = dns.RCodeNameError
+	b := dns.NewBuilder(nil, h)
+	// TODO(bradfitz): should we add an SOA record in the Authority
+	// section too? (for the nxdomain negative caching TTL)
+	// For which zone? Does iOS care?
+	res.bs, err = b.Finish()
+	res.addr = req.addr
+	return res, err
+}
+
 // closePool is a dynamic set of io.Closers to close as a group.
 // It's intended to be Closed at most once.
 //

net/dns/resolver/forwarder_test.go

@@ -168,3 +168,25 @@ func TestMaxDoHInFlight(t *testing.T) {
 		})
 	}
 }
+
+func BenchmarkNameFromQuery(b *testing.B) {
+	builder := dns.NewBuilder(nil, dns.Header{})
+	builder.StartQuestions()
+	builder.Question(dns.Question{
+		Name:  dns.MustNewName("foo.example."),
+		Type:  dns.TypeA,
+		Class: dns.ClassINET,
+	})
+	msg, err := builder.Finish()
+	if err != nil {
+		b.Fatal(err)
+	}
+	b.ResetTimer()
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		_, err := nameFromQuery(msg)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}

net/dns/resolver/neterr_darwin.go

@@ -1,30 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package resolver
-
-import (
-	"errors"
-	"syscall"
-)
-
-// Avoid allocation when calling errors.Is below
-// by converting syscall.Errno to error here.
-var (
-	networkDown        error = syscall.ENETDOWN
-	networkUnreachable error = syscall.ENETUNREACH
-)
-
-func networkIsDown(err error) bool {
-	return errors.Is(err, networkDown)
-}
-
-func networkIsUnreachable(err error) bool {
-	return errors.Is(err, networkUnreachable)
-}
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }

net/dns/resolver/neterr_other.go

@@ -1,16 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !darwin && !windows
-// +build !darwin,!windows
-
-package resolver
-
-func networkIsDown(err error) bool        { return false }
-func networkIsUnreachable(err error) bool { return false }
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. It always returns false on this
-// platform.
-func packetWasTruncated(err error) bool { return false }

net/dns/resolver/neterr_windows.go

@@ -1,43 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package resolver
-
-import (
-	"errors"
-	"net"
-	"os"
-
-	"golang.org/x/sys/windows"
-)
-
-func networkIsDown(err error) bool {
-	if oe, ok := err.(*net.OpError); ok && oe.Op == "write" {
-		if se, ok := oe.Err.(*os.SyscallError); ok {
-			if se.Syscall == "wsasendto" && se.Err == windows.WSAENETUNREACH {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-func networkIsUnreachable(err error) bool {
-	// TODO(bradfitz,josharian): something here? what is the
-	// difference between down and unreachable? Add comments.
-	return false
-}
-
-// packetWasTruncated returns true if err indicates truncation but the RecvFrom
-// that generated err was otherwise successful. On Windows, Go's UDP RecvFrom
-// calls WSARecvFrom which returns the WSAEMSGSIZE error code when the received
-// datagram is larger than the provided buffer. When that happens, both a valid
-// size and an error are returned (as per the partial fix for golang/go#14074).
-// If the WSAEMSGSIZE error is returned, then we ignore the error to get
-// semantics similar to the POSIX operating systems. One caveat is that it
-// appears that the source address is not returned when WSAEMSGSIZE occurs, but
-// we do not currently look at the source address.
-func packetWasTruncated(err error) bool {
-	return errors.Is(err, windows.WSAEMSGSIZE)
-}

net/dns/resolver/tsdns.go

@@ -357,10 +357,7 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 	switch runtime.GOOS {
 	default:
 		return nil, errors.New("unsupported exit node OS")
-	case "windows":
-		// TODO: use DnsQueryEx and write to ch.
-		// See https://docs.microsoft.com/en-us/windows/win32/api/windns/nf-windns-dnsqueryex.
-		// For now just use the net package:
+	case "windows", "android":
 		return handleExitNodeDNSQueryWithNetPkg(ctx, nil, resp)
 	case "darwin":
 		// /etc/resolv.conf is a lie and only says one upstream DNS
@@ -377,7 +374,7 @@ func (r *Resolver) HandleExitNodeDNSQuery(ctx context.Context, q []byte, from ne
 		// TODO: more than 1 resolver from /etc/resolv.conf?
 
 		var resolvers []resolverAndDelay
-		if nameserver == tsaddr.TailscaleServiceIP() {
+		if nameserver == tsaddr.TailscaleServiceIP() || nameserver == tsaddr.TailscaleServiceIPv6() {
 			// If resolv.conf says 100.100.100.100, it's coming right back to us anyway
 			// so avoid the loop through the kernel and just do what we
 			// would've done anyway. By not passing any resolvers, the forwarder
@@ -532,6 +529,10 @@ func stubResolverForOS() (ip netaddr.IP, err error) {
 	if c, ok := resolvConfCacheValue.Load().(resolvConfCache); ok && c.mod == cur.mod && c.size == cur.size {
 		return c.ip, nil
 	}
+	// TODO(bradfitz): unify this /etc/resolv.conf parsing code with readResolv
+	// in net/dns, which we can't use due to circular dependency reasons.
+	// Move it to a leaf, including the OSConfig type (perhaps in its own dnstype
+	// package?)
 	err = lineread.File("/etc/resolv.conf", func(line []byte) error {
 		if !ip.IsZero() {
 			return nil
@@ -540,6 +541,12 @@ func stubResolverForOS() (ip netaddr.IP, err error) {
 		if len(line) == 0 || line[0] == '#' {
 			return nil
 		}
+		// Normalize tabs to spaces to simplify parsing code later.
+		for i, b := range line {
+			if b == '\t' {
+				line[i] = ' '
+			}
+		}
 		if mem.HasPrefix(mem.B(line), mem.S("nameserver ")) {
 			s := strings.TrimSpace(strings.TrimPrefix(string(line), "nameserver "))
 			ip, err = netaddr.ParseIP(s)
@@ -1087,11 +1094,13 @@ func rdnsNameToIPv6(name dnsname.FQDN) (ip netaddr.IP, ok bool) {
 // It is assumed that resp.Question is populated by respond before this is called.
 func (r *Resolver) respondReverse(query []byte, name dnsname.FQDN, resp *response) ([]byte, error) {
 	if hasRDNSBonjourPrefix(name) {
+		metricDNSReverseMissBonjour.Add(1)
 		return nil, errNotOurName
 	}
 
 	resp.Name, resp.Header.RCode = r.resolveLocalReverse(name)
 	if resp.Header.RCode == dns.RCodeRefused {
+		metricDNSReverseMissOther.Add(1)
 		return nil, errNotOurName
 	}
 
@@ -1235,4 +1244,7 @@ var (
 	metricDNSResolveLocalNoAll        = clientmetric.NewCounter("dns_resolve_local_no_all")
 	metricDNSResolveNotImplType       = clientmetric.NewCounter("dns_resolve_local_not_impl_type")
 	metricDNSResolveNoRecordType      = clientmetric.NewCounter("dns_resolve_local_no_record_type")
+
+	metricDNSReverseMissBonjour = clientmetric.NewCounter("dns_reverse_miss_bonjour")
+	metricDNSReverseMissOther   = clientmetric.NewCounter("dns_reverse_miss_other")
 )

net/dnscache/dnscache.go

@@ -15,14 +15,13 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"os"
 	"runtime"
-	"strconv"
 	"sync"
 	"time"
 
 	"golang.org/x/sync/singleflight"
 	"inet.af/netaddr"
+	"tailscale.com/envknob"
 )
 
 var single = &Resolver{
@@ -100,7 +99,7 @@ func (r *Resolver) ttl() time.Duration {
 	return 10 * time.Minute
 }
 
-var debug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_DNS_CACHE"))
+var debug = envknob.Bool("TS_DEBUG_DNS_CACHE")
 
 // LookupIP returns the host's primary IP address (either IPv4 or
 // IPv6, but preferring IPv4) and optionally its IPv6 address, if
@@ -444,24 +443,9 @@ func TLSDialer(fwd DialContextFunc, dnsCache *Resolver, tlsConfigBase *tls.Confi
 		}
 		tlsConn := tls.Client(tcpConn, cfg)
 
-		errc := make(chan error, 2)
 		handshakeCtx, handshakeTimeoutCancel := context.WithTimeout(ctx, 5*time.Second)
 		defer handshakeTimeoutCancel()
-		done := make(chan bool)
-		defer close(done)
-		go func() {
-			select {
-			case <-done:
-			case <-handshakeCtx.Done():
-				errc <- errTLSHandshakeTimeout
-			}
-		}()
-		go func() {
-			err := tlsConn.Handshake()
-			handshakeTimeoutCancel()
-			errc <- err
-		}()
-		if err := <-errc; err != nil {
+		if err := tlsConn.HandshakeContext(handshakeCtx); err != nil {
 			tcpConn.Close()
 			// TODO: if err != errTLSHandshakeTimeout,
 			// assume it might be some captive portal or