WIP

Signed-off-by: Andrew Dunham <andrew@tailscale.com>
wgengine: fix race on endpoints in getStatus
2022-09-01 18:31:11 -04:00 · 2022-09-01 10:58:04 -07:00 · 2022-09-01 10:57:00 -07:00 · 2022-09-01 13:38:32 -04:00 · 2022-08-31 20:18:13 -07:00 · 2022-08-31 15:38:41 -07:00
226 changed files with 8766 additions and 3203 deletions
--- a/.github/licenses.tmpl
+++ b/.github/licenses.tmpl
@@ -0,0 +1,17 @@
+# Tailscale CLI and daemon dependencies
+
+The following open source dependencies are used to build the [tailscale][] and
+[tailscaled][] commands. These are primarily used on Linux and BSD variants as
+well as an [option for macOS][].
+
+[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
+[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
+[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
+
+## Go Packages
+
+Some packages may only be included on certain architectures or operating systems.
+
+{{ range . }}
+ - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
+{{- end }}
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -1,5 +1,10 @@
 name: CIFuzz
 on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,10 @@ on:
  schedule:
    - cron: '31 14 * * 5'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: macOS build cmd
      env:
        GOOS: darwin
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: FreeBSD build cmd
      env:
        GOOS: freebsd
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: OpenBSD build cmd
      env:
        GOOS: openbsd
--- a/.github/workflows/cross-wasm.yml
+++ b/.github/workflows/cross-wasm.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Wasm client build
      env:
        GOOS: js
@@ -34,7 +37,9 @@ jobs:
    - name: tsconnect static build
      # Use our custom Go toolchain, we set build tags (to control binary size)
      # that depend on it.
-      run: ./tool/go run ./cmd/tsconnect --fast-compression build
+      run: |
+        ./tool/go run ./cmd/tsconnect --fast-compression build
+        ./tool/go run ./cmd/tsconnect build-pkg

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Windows build cmd
      env:
        GOOS: windows
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -8,21 +8,25 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
    - name: Check out code
      uses: actions/checkout@v3

-    - name: depaware tailscaled
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod

-    - name: depaware tailscale
-      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+    - name: depaware
+      run: go run github.com/tailscale/depaware --check
+        tailscale.com/cmd/tailscaled
+        tailscale.com/cmd/tailscale
+        tailscale.com/cmd/derper
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -0,0 +1,64 @@
+name: go-licenses
+
+on:
+  # run action when a change lands in the main branch which updates go.mod or
+  # our license template file. Also allow manual triggering.
+  push:
+    branches:
+      - main
+    paths:
+      - go.mod
+      - .github/licenses.tmpl
+      - .github/workflows/go-licenses.yml
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  tailscale:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Install go-licenses
+        run: |
+          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
+
+      - name: Run go-licenses
+        env:
+          # include all build tags to include platform-specific dependencies
+          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
+        run: |
+          [ -d licenses ] || mkdir licenses
+          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
+
+      - name: Get access token
+        uses: tibdex/github-app-token@f717b5ecd4534d3c4df4ce9b5c1c2214f0f7cd06 # v1.6.0
+        id: generate-token
+        with:
+          app_id: ${{ secrets.LICENSING_APP_ID }}
+          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
+          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
+
+      - name: Send pull request
+        uses: peter-evans/create-pull-request@18f90432bedd2afd6a825469ffd38aa24712a91d #v4.1.1
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          author: License Updater <noreply@tailscale.com>
+          committer: License Updater <noreply@tailscale.com>
+          branch: licenses/cli
+          commit-message: "licenses: update tailscale{,d} licenses"
+          title: "licenses: update tailscale{,d} licenses"
+          body: Triggered by ${{ github.repository }}@${{ github.sha }}
+          signoff: true
+          delete-branch: true
+          team-reviewers: opensource-license-reviewers
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -9,21 +9,25 @@ on:
    branches:
      - "*"

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  check:
    runs-on: ubuntu-latest

    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.19
-
      - name: Check out code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
      - name: check 'go generate' is clean
        run: |
          if [[ "${{github.ref}}" == release-branch/* ]]
--- a/.github/workflows/go_mod_tidy.yml
+++ b/.github/workflows/go_mod_tidy.yml
@@ -0,0 +1,35 @@
+name: go mod tidy
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - "*"
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: check 'go mod tidy' is clean
+        run: |
+          go mod tidy
+          echo
+          echo
+          git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -8,18 +8,22 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+
    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
+        go-version-file: go.mod

    - name: Run license checker
      run: ./scripts/check_license_headers.sh .
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Basic build
      run: go build ./cmd/...

--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Basic build
      run: go build ./cmd/...

--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  build:
    runs-on: ubuntu-latest
@@ -15,16 +19,15 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3

    - name: Set up Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19
+        go-version-file: go.mod
      id: go

-    - name: Check out code into the Go module directory
-      uses: actions/checkout@v3
-
    - name: Basic build
      run: GOARCH=386 go build ./cmd/...

--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -0,0 +1,112 @@
+name: static-analysis
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  gofmt:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version-file: go.mod
+    - name: Run gofmt (goimports)
+      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  vet:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+    - name: Check out code
+      uses: actions/checkout@v3
+    - name: Run go vet
+      run: go vet ./...
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+
+  staticcheck:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        goos: [linux, windows, darwin]
+        goarch: [amd64]
+        include:
+          - goos: windows
+            goarch: 386
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.19
+
+    - name: Check out code
+      uses: actions/checkout@v3
+
+    - name: Install staticcheck
+      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
+
+    - name: Print staticcheck version
+      run: "staticcheck -version"
+
+    - name: "Run staticcheck (${{ matrix.goos }}/${{ matrix.goarch }})"
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -1,73 +0,0 @@
-name: staticcheck
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-
-    steps:
-    - name: Set up Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19
-
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Run gofmt (goimports)
-      run: go run golang.org/x/tools/cmd/goimports -d --format-only .
-
-    - name: Run go vet
-      run: go vet ./...
-
-    - name: Install staticcheck
-      run: "GOBIN=~/.local/bin go install honnef.co/go/tools/cmd/staticcheck"
-
-    - name: Print staticcheck version
-      run: "staticcheck -version"
-
-    - name: Run staticcheck (linux/amd64)
-      env:
-        GOOS: linux
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (darwin/amd64)
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/amd64)
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - name: Run staticcheck (windows/386)
-      env:
-        GOOS: windows
-        GOARCH: "386"
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
--- a/.github/workflows/tsconnect-pkg-publish.yml
+++ b/.github/workflows/tsconnect-pkg-publish.yml
@@ -0,0 +1,30 @@
+name: "@tailscale/connect npm publish"
+
+on: workflow_dispatch
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up node
+        uses: actions/setup-node@v3
+        with:
+          node-version: "16.x"
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Build package
+        # Build with build_dist.sh to ensure that version information is embedded.
+        # GOROOT is specified so that the Go/Wasm that is trigged by build-pk
+        # also picks up our custom Go toolchain.
+        run: |
+          ./build_dist.sh tailscale.com/cmd/tsconnect
+          GOROOT="${HOME}/.cache/tailscale-go" ./tsconnect build-pkg
+
+      - name: Publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.TSCONNECT_NPM_PUBLISH_AUTH_TOKEN }}
+        run: ./tool/yarn --cwd ./cmd/tsconnect/pkg publish --access public
--- a/.github/workflows/vm.yml
+++ b/.github/workflows/vm.yml
@@ -5,6 +5,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  ubuntu2004-LTS-cloud-base:
    runs-on: [ self-hosted, linux, vm ]
@@ -15,13 +19,13 @@ jobs:
      - name: Set GOPATH
        run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV

+      - name: Checkout Code
+        uses: actions/checkout@v3
+
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
-          go-version: 1.19
-
-      - name: Checkout Code
-        uses: actions/checkout@v3
+          go-version-file: go.mod

      - name: Run VM tests
        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -1,77 +0,0 @@
-name: Windows race
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - '*'
-
-jobs:
-  test:
-    runs-on: windows-latest
-
-    if: "!contains(github.event.head_commit.message, '[ci skip]')"
-
-    steps:
-
-    - name: Install Go
-      uses: actions/setup-go@v3
-      with:
-        go-version: 1.19.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike some other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        # The -race- here ensures that non-race builds and race builds do not
-        # overwrite each others cache, as while they share some files, they
-        # differ in most by volume (build cache).
-        # TODO(raggi): add a go version here.
-        key: ${{ runner.os }}-go-2-race-${{ hashFiles('**/go.sum') }}
-
-    - name: Print toolchain details
-      run: gcc -v
-
-    # There is currently an issue in the race detector in Go on Windows when
-    # used with a newer version of GCC.
-    # See https://github.com/tailscale/tailscale/issues/4926.
-    - name: Downgrade MinGW
-      shell: bash
-      run: |
-        choco install mingw --version 10.2.0 --allow-downgrade
-
-    - name: Test with -race flag
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go test -race -bench . -benchtime 1x ./...
-
-    - uses: k0kubun/action-slack@v2.0.0
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
-                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
-                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      if: failure() && github.event_name == 'push'
-
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -8,6 +8,10 @@ on:
    branches:
      - '*'

+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
 jobs:
  test:
    runs-on: windows-latest
@@ -15,14 +19,13 @@ jobs:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3

    - name: Install Go
      uses: actions/setup-go@v3
      with:
-        go-version: 1.19.x
-
-    - name: Checkout code
-      uses: actions/checkout@v3
+        go-version-file: go.mod

    - name: Restore Cache
      uses: actions/cache@v3
--- a/17
+++ b/17
@@ -12,12 +12,16 @@ tidy:
 	./tool/go mod tidy

 updatedeps:
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --update \
+		tailscale.com/cmd/tailscaled \
+		tailscale.com/cmd/tailscale \
+		tailscale.com/cmd/derper

 depaware:
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
-	./tool/go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+	./tool/go run github.com/tailscale/depaware --check \
+		tailscale.com/cmd/tailscaled \
+		tailscale.com/cmd/tailscale \
+		tailscale.com/cmd/derper

 buildwindows:
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
@@ -28,10 +32,13 @@ build386:
 buildlinuxarm:
 	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

+buildwasm:
+	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
+
 buildmultiarchimage:
 	./build_docker.sh

-check: staticcheck vet depaware buildwindows build386 buildlinuxarm
+check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm

 staticcheck:
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.29.0
+1.31.0
--- a/atomicfile/atomicfile.go
+++ b/atomicfile/atomicfile.go
@@ -16,7 +16,7 @@ import (
 )

 // WriteFile writes data to filename+some suffix, then renames it
-// into filename.
+// into filename. The perm argument is ignored on Windows.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
 	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -11,15 +11,31 @@ import (
 	"fmt"
 	"net"
 	"strings"
+	"time"
+)
+
+const (
+	// Maximum amount of time we should wait when reading a response from BIRD.
+	responseTimeout = 10 * time.Second
 )

 // New creates a BIRDClient.
 func New(socket string) (*BIRDClient, error) {
+	return newWithTimeout(socket, responseTimeout)
+}
+
+func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	b := &BIRDClient{socket: socket, conn: conn, scanner: bufio.NewScanner(conn)}
+	b := &BIRDClient{
+		socket:  socket,
+		conn:    conn,
+		scanner: bufio.NewScanner(conn),
+		timeNow: time.Now,
+		timeout: timeout,
+	}
 	// Read and discard the first line as that is the welcome message.
 	if _, err := b.readResponse(); err != nil {
 		return nil, err
@@ -32,6 +48,8 @@ type BIRDClient struct {
 	socket  string
 	conn    net.Conn
 	scanner *bufio.Scanner
+	timeNow func() time.Time
+	timeout time.Duration
 }

 // Close closes the underlying connection to BIRD.
@@ -81,10 +99,15 @@ func (b *BIRDClient) EnableProtocol(protocol string) error {
 // 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.

 func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
+	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
 	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
 		return "", err
 	}
-	fmt.Fprintln(b.conn)
+	if _, err := fmt.Fprintln(b.conn); err != nil {
+		return "", err
+	}
 	return b.readResponse()
 }

@@ -105,14 +128,20 @@ func hasResponseCode(s []byte) bool {
 }

 func (b *BIRDClient) readResponse() (string, error) {
+	// Set the read timeout before we start reading anything.
+	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
+		return "", err
+	}
+
 	var resp strings.Builder
 	var done bool
 	for !done {
 		if !b.scanner.Scan() {
-			return "", fmt.Errorf("reading response from bird failed: %q", resp.String())
-		}
-		if err := b.scanner.Err(); err != nil {
-			return "", err
+			if err := b.scanner.Err(); err != nil {
+				return "", err
+			}
+
+			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
 		}
 		out := b.scanner.Bytes()
 		if _, err := resp.Write(out); err != nil {
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -8,9 +8,12 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"os"
 	"path/filepath"
 	"strings"
+	"sync"
 	"testing"
+	"time"
 )

 type fakeBIRD struct {
@@ -109,3 +112,82 @@ func TestChirp(t *testing.T) {
 		t.Fatalf("disabling %q succeded", "rando")
 	}
 }
+
+type hangingListener struct {
+	net.Listener
+	t    *testing.T
+	done chan struct{}
+	wg   sync.WaitGroup
+	sock string
+}
+
+func newHangingListener(t *testing.T) *hangingListener {
+	sock := filepath.Join(t.TempDir(), "sock")
+	l, err := net.Listen("unix", sock)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return &hangingListener{
+		Listener: l,
+		t:        t,
+		done:     make(chan struct{}),
+		sock:     sock,
+	}
+}
+
+func (hl *hangingListener) Stop() {
+	hl.Close()
+	close(hl.done)
+	hl.wg.Wait()
+}
+
+func (hl *hangingListener) listen() error {
+	for {
+		c, err := hl.Accept()
+		if err != nil {
+			if errors.Is(err, net.ErrClosed) {
+				return nil
+			}
+			return err
+		}
+		hl.wg.Add(1)
+		go hl.handle(c)
+	}
+}
+
+func (hl *hangingListener) handle(c net.Conn) {
+	defer hl.wg.Done()
+
+	// Write our fake first line of response so that we get into the read loop
+	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
+
+	ticker := time.NewTicker(2 * time.Second)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			hl.t.Logf("connection still hanging")
+		case <-hl.done:
+			return
+		}
+	}
+}
+
+func TestChirpTimeout(t *testing.T) {
+	fb := newHangingListener(t)
+	defer fb.Stop()
+	go fb.listen()
+
+	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = c.EnableProtocol("tailscale")
+	if err == nil {
+		t.Fatal("got err=nil, want timeout")
+	}
+	if !os.IsTimeout(err) {
+		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
+	}
+}
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -36,6 +36,7 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
 )

 // defaultLocalClient is the default LocalClient when using the legacy
@@ -680,6 +681,42 @@ func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg
 	return pr, nil
 }

+// NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
+func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
+	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+// NetworkLockInit initializes the tailnet key authority.
+func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
+	var b bytes.Buffer
+	type initRequest struct {
+		Keys []tka.Key
+	}
+
+	if err := json.NewEncoder(&b).Encode(initRequest{Keys: keys}); err != nil {
+		return nil, err
+	}
+
+	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/init", 200, &b)
+	if err != nil {
+		return nil, fmt.Errorf("error: %w", err)
+	}
+
+	pr := new(ipnstate.NetworkLockStatus)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //
--- a/cmd/derper/bootstrap_dns.go
+++ b/cmd/derper/bootstrap_dns.go
@@ -12,11 +12,12 @@ import (
 	"net"
 	"net/http"
 	"strings"
-	"sync/atomic"
 	"time"
+
+	"tailscale.com/syncs"
 )

-var dnsCache atomic.Value // of []byte
+var dnsCache syncs.AtomicValue[[]byte]

 var bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")

@@ -58,7 +59,7 @@ func refreshBootstrapDNS() {
 func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
 	bootstrapDNSRequests.Add(1)
 	w.Header().Set("Content-Type", "application/json")
-	j, _ := dnsCache.Load().([]byte)
+	j := dnsCache.Load()
 	// Bootstrap DNS requests occur cross-regions,
 	// and are randomized per request,
 	// so keeping a connection open is pointlessly expensive.
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -20,6 +20,11 @@ var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)

 type certProvider interface {
 	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
+	//
+	// The returned Config must have a GetCertificate function set and that
+	// function must return a unique *tls.Certificate for each call. The
+	// returned *tls.Certificate will be mutated by the caller to append to the
+	// (*tls.Certificate).Certificate field.
 	TLSConfig() *tls.Config
 	// HTTPHandler handle ACME related request, if any.
 	HTTPHandler(fallback http.Handler) http.Handler
@@ -87,7 +92,13 @@ func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certif
 	if hi.ServerName != m.hostname {
 		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
 	}
-	return m.cert, nil
+
+	// Return a shallow copy of the cert so the caller can append to its
+	// Certificate field.
+	certCopy := new(tls.Certificate)
+	*certCopy = *m.cert
+	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
+	return certCopy, nil
 }

 func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -0,0 +1,197 @@
+tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depaware)
+
+        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
+        filippo.io/edwards25519/field                                from filippo.io/edwards25519
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
+   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
+        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
+        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
+   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
+   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
+     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
+        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
+     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+        go4.org/netipx                                               from tailscale.com/wgengine/filter
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
+        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+        tailscale.com                                                from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
+        tailscale.com/client/tailscale                               from tailscale.com/derp
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
+        tailscale.com/derp                                           from tailscale.com/cmd/derper+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
+        tailscale.com/disco                                          from tailscale.com/derp
+        tailscale.com/envknob                                        from tailscale.com/derp+
+        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
+        tailscale.com/ipn                                            from tailscale.com/client/tailscale
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
+     💣 tailscale.com/metrics                                        from tailscale.com/cmd/derper+
+        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
+        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
+        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
+        tailscale.com/net/netknob                                    from tailscale.com/net/netns
+        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
+        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
+        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
+        tailscale.com/paths                                          from tailscale.com/client/tailscale
+        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
+        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
+        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
+        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
+        tailscale.com/types/empty                                    from tailscale.com/ipn
+        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
+        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
+        tailscale.com/types/netmap                                   from tailscale.com/ipn
+        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
+        tailscale.com/types/pad32                                    from tailscale.com/derp
+        tailscale.com/types/persist                                  from tailscale.com/ipn
+        tailscale.com/types/preftype                                 from tailscale.com/ipn
+        tailscale.com/types/structs                                  from tailscale.com/ipn+
+        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
+        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
+        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
+   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
+        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
+        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
+   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
+        tailscale.com/version                                        from tailscale.com/derp+
+        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
+        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
+        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
+        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
+        golang.org/x/crypto/argon2                                   from tailscale.com/tka
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net+
+        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
+   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
+        golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from internal/profile+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from golang.org/x/crypto/acme+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        embed                                                        from crypto/internal/nistec+
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base32                                              from tailscale.com/tka
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/cmd/derper+
+        flag                                                         from tailscale.com/cmd/derper
+        fmt                                                          from compress/flate+
+        hash                                                         from crypto+
+        hash/crc32                                                   from compress/gzip+
+        hash/maphash                                                 from go4.org/mem
+        html                                                         from net/http/pprof+
+        io                                                           from bufio+
+        io/fs                                                        from crypto/x509+
+        io/ioutil                                                    from github.com/mitchellh/go-ps+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from mime/multipart+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from net/http+
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/tsweb
+        net/netip                                                    from go4.org/netipx+
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+        path                                                         from golang.org/x/crypto/acme/autocert+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from internal/profile+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from golang.org/x/crypto/acme+
+        runtime/pprof                                                from net/http/pprof
+        runtime/trace                                                from net/http/pprof
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from crypto/x509+
+        unicode/utf8                                                 from bufio+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -19,6 +19,7 @@ import (
 	"math"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
@@ -356,7 +357,8 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 		} else {
 			stunIPv6.Add(1)
 		}
-		res := stun.Response(txid, ua.IP, uint16(ua.Port))
+		addr, _ := netip.AddrFromSlice(ua.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
 		_, err = pc.WriteTo(res, ua)
 		if err != nil {
 			stunWriteError.Add(1)
--- a/cmd/derpprobe/derpprobe.go
+++ b/cmd/derpprobe/derpprobe.go
@@ -360,7 +360,7 @@ func probeUDP(ctx context.Context, dm *tailcfg.DERPMap, n *tailcfg.DERPNode) (la
 				time.Sleep(100 * time.Millisecond)
 				continue
 			}
-			txBack, _, _, err := stun.ParseResponse(buf[:n])
+			txBack, _, err := stun.ParseResponse(buf[:n])
 			if err != nil {
 				return 0, fmt.Errorf("parsing STUN response from %v: %v", ip, err)
 			}
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -8,6 +8,7 @@
 package main

 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/json"
@@ -30,17 +31,14 @@ var (
 	cacheFname   = rootFlagSet.String("cache-file", "./version-cache.json", "filename for the previous known version hash")
 	timeout      = rootFlagSet.Duration("timeout", 5*time.Minute, "timeout for the entire CI run")
 	githubSyntax = rootFlagSet.Bool("github-syntax", true, "use GitHub Action error syntax (https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-error-message)")
-
-	modifiedExternallyFailure = make(chan struct{}, 1)
 )

 func modifiedExternallyError() {
 	if *githubSyntax {
-		fmt.Printf("::error file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
+		fmt.Printf("::warning file=%s,line=1,col=1,title=Policy File Modified Externally::The policy file was modified externally in the admin console.\n", *policyFname)
 	} else {
 		fmt.Printf("The policy file was modified externally in the admin console.\n")
 	}
-	modifiedExternallyFailure <- struct{}{}
 }

 func apply(cache *Cache, tailnet, apiKey string) func(context.Context, []string) error {
@@ -207,10 +205,6 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
-
-	if len(modifiedExternallyFailure) != 0 {
-		os.Exit(1)
-	}
 }

 func sumFile(fname string) (string, error) {
@@ -271,13 +265,16 @@ func applyNewACL(ctx context.Context, tailnet, apiKey, policyFname, oldEtag stri
 }

 func testNewACLs(ctx context.Context, tailnet, apiKey, policyFname string) error {
-	fin, err := os.Open(policyFname)
+	data, err := os.ReadFile(policyFname)
+	if err != nil {
+		return err
+	}
+	data, err = hujson.Standardize(data)
 	if err != nil {
 		return err
 	}
-	defer fin.Close()

-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), fin)
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, fmt.Sprintf("https://api.tailscale.com/api/v2/tailnet/%s/acl/validate", tailnet), bytes.NewBuffer(data))
 	if err != nil {
 		return err
 	}
--- a/cmd/nginx-auth/nginx-auth.go
+++ b/cmd/nginx-auth/nginx-auth.go
@@ -63,17 +63,19 @@ func main() {
 			return
 		}

-		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
-		}
-		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
-		if !ok {
-			w.WriteHeader(http.StatusUnauthorized)
-			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
-			return
+		// tailnet of connected node. When accessing shared nodes, this
+		// will be empty because the tailnet of the sharee is not exposed.
+		var tailnet string
+
+		if !info.Node.Hostinfo.ShareeNode() {
+			var ok bool
+			_, tailnet, ok = strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+			if !ok {
+				w.WriteHeader(http.StatusUnauthorized)
+				log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+				return
+			}
+			tailnet = strings.TrimSuffix(tailnet, ".beta.tailscale.net")
 		}

 		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -29,7 +29,7 @@ var certCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("cert")
 		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.crt if --cert-file and --key-file are both unset")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
+		fs.StringVar(&certArgs.keyFile, "key-file", "", "output key file or \"-\" for stdout; defaults to DOMAIN.key if --cert-file and --key-file are both unset")
 		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
 		return fs
 	})(),
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -29,7 +29,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
-	"tailscale.com/syncs"
 	"tailscale.com/version/distro"
 )

@@ -170,6 +169,8 @@ change in the future.
 			fileCmd,
 			bugReportCmd,
 			certCmd,
+			netlockCmd,
+			licensesCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
@@ -230,8 +231,6 @@ var rootArgs struct {
 	socket string
 }

-var gotSignal syncs.AtomicBool
-
 func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context, context.CancelFunc) {
 	s := safesocket.DefaultConnectionStrategy(rootArgs.socket)
 	c, err := safesocket.Connect(s)
@@ -257,7 +256,6 @@ func connect(ctx context.Context) (net.Conn, *ipn.BackendClient, context.Context
 			signal.Reset(syscall.SIGINT, syscall.SIGTERM)
 			return
 		}
-		gotSignal.Set(true)
 		c.Close()
 		cancel()
 	}()
--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -62,6 +62,9 @@ func runConfigureHost(ctx context.Context, args []string) error {
 			return fmt.Errorf("creating /dev/net/tun: %v, %s", err, out)
 		}
 	}
+	if err := os.Chmod("/dev/net", 0755); err != nil {
+		return err
+	}
 	if err := os.Chmod("/dev/net/tun", 0666); err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -489,7 +489,7 @@ func runTS2021(ctx context.Context, args []string) error {
 		return c, err
 	}

-	conn, err := controlhttp.Dial(ctx, net.JoinHostPort(ts2021Args.host, "80"), machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
+	conn, err := controlhttp.Dial(ctx, ts2021Args.host, "80", "443", machinePrivate, keys.PublicKey, uint16(ts2021Args.version), dialFunc)
 	log.Printf("controlhttp.Dial = %p, %v", conn, err)
 	if err != nil {
 		return err
--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -0,0 +1,42 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+var licensesCmd = &ffcli.Command{
+	Name:       "licenses",
+	ShortUsage: "licenses",
+	ShortHelp:  "Get open source license information",
+	LongHelp:   "Get open source license information",
+	Exec:       runLicenses,
+}
+
+func runLicenses(ctx context.Context, args []string) error {
+	var licenseURL string
+	switch runtime.GOOS {
+	case "android":
+		licenseURL = "https://tailscale.com/licenses/android"
+	case "darwin", "ios":
+		licenseURL = "https://tailscale.com/licenses/apple"
+	case "windows":
+		licenseURL = "https://tailscale.com/licenses/windows"
+	default:
+		licenseURL = "https://tailscale.com/licenses/tailscale"
+	}
+
+	outln(`
+Tailscale wouldn't be possible without the contributions of thousands of open
+source developers. To see the open source packages included in Tailscale and
+their respective license information, visit:
+
+    ` + licenseURL)
+	return nil
+}
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -0,0 +1,101 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strconv"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+)
+
+var netlockCmd = &ffcli.Command{
+	Name:        "lock",
+	ShortUsage:  "lock <sub-command> <arguments>",
+	ShortHelp:   "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
+	Exec:        runNetworkLockStatus,
+}
+
+var nlInitCmd = &ffcli.Command{
+	Name:       "init",
+	ShortUsage: "init <public-key>...",
+	ShortHelp:  "Initialize the tailnet key authority",
+	Exec:       runNetworkLockInit,
+}
+
+func runNetworkLockInit(ctx context.Context, args []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		return errors.New("network-lock is already enabled")
+	}
+
+	// Parse the set of initially-trusted keys.
+	// Keys are specified using their key.NLPublic.MarshalText representation,
+	// with an optional '?<votes>' suffix.
+	var keys []tka.Key
+	for i, a := range args {
+		var key key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
+			return fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: key.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
+	}
+
+	status, err := localClient.NetworkLockInit(ctx, keys)
+	if err != nil {
+		return err
+	}
+
+	fmt.Printf("Status: %+v\n\n", status)
+	return nil
+}
+
+var nlStatusCmd = &ffcli.Command{
+	Name:       "status",
+	ShortUsage: "status",
+	ShortHelp:  "Outputs the state of network lock",
+	Exec:       runNetworkLockStatus,
+}
+
+func runNetworkLockStatus(ctx context.Context, args []string) error {
+	st, err := localClient.NetworkLockStatus(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	if st.Enabled {
+		fmt.Println("Network-lock is ENABLED.")
+	} else {
+		fmt.Println("Network-lock is NOT enabled.")
+	}
+	p, err := st.PublicKey.MarshalText()
+	if err != nil {
+		return err
+	}
+	fmt.Printf("our public-key: %s\n", p)
+	return nil
+}
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -252,7 +252,7 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 		if default4 && !default6 {
 			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
 		} else if default6 && !default4 {
-			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv6default, ipv4default)
+			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
 		}
 	}
 	if advertiseDefaultRoute {
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -64,6 +64,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale+
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
@@ -71,9 +72,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/tka                                            from tailscale.com/types/key
+        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -89,6 +90,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
+        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
        tailscale.com/types/views                                    from tailscale.com/tailcfg+
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
@@ -97,7 +99,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
+        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
@@ -114,12 +118,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from net/http+
        golang.org/x/net/http/httpproxy                              from net/http
        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from golang.org/x/net/icmp+
+        golang.org/x/net/ipv6                                        from golang.org/x/net/icmp
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
        golang.org/x/sync/errgroup                                   from tailscale.com/derp+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -227,6 +227,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/packet                                     from tailscale.com/net/tstun+
+        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
@@ -241,10 +242,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
-        tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
+        tailscale.com/syncs                                          from tailscale.com/net/netcheck+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
-        tailscale.com/tka                                            from tailscale.com/types/key+
+        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -263,6 +264,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+        tailscale.com/types/tkatype                                  from tailscale.com/tka+
        tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
@@ -271,6 +273,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
+     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
@@ -278,6 +281,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
        tailscale.com/util/singleflight                              from tailscale.com/control/controlclient+
+   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
@@ -286,12 +290,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
-        tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
+     💣 tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
+     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
@@ -312,7 +317,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal
+        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
        golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -320,8 +325,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/net/http2                                       from golang.org/x/net/http2/h2c+
        golang.org/x/net/http2/h2c                                   from tailscale.com/ipn/ipnlocal
        golang.org/x/net/http2/hpack                                 from golang.org/x/net/http2+
+        golang.org/x/net/icmp                                        from tailscale.com/net/ping
        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device
+        golang.org/x/net/ipv4                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/ipv6                                        from golang.zx2c4.com/wireguard/device+
        golang.org/x/net/proxy                                       from tailscale.com/net/netns
   D    golang.org/x/net/route                                       from net+
@@ -399,6 +405,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        mime/quotedprintable                                         from mime/multipart
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
+        net/http/httptest                                            from tailscale.com/control/controlclient
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
        net/http/httputil                                            from github.com/aws/smithy-go/transport/http+
        net/http/internal                                            from net/http+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -481,7 +481,7 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd":
+	case "windows", "darwin", "freebsd", "openbsd":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
 		// affect the GUI clients), and on FreeBSD.
 		return true
--- a/cmd/tsconnect/.gitignore
+++ b/cmd/tsconnect/.gitignore
@@ -1,4 +1,3 @@
-src/wasm_exec.js
-src/main.wasm
 node_modules/
-dist/
+/dist
+/pkg
--- a/cmd/tsconnect/README.md
+++ b/cmd/tsconnect/README.md
@@ -28,3 +28,13 @@ To serve them, run:
 ```

 By default the build output is placed in the `dist/` directory and embedded in the binary, but this can be controlled by the `-distdir` flag. The `-addr` flag controls the interface and port that the serve listens on.
+
+# Library / NPM Package
+
+The client is also available as an NPM package. To build it, run:
+
+```
+./tool/go run ./cmd/tsconnect build-pkg
+```
+
+That places the output in the `pkg/` directory, which may then be uploaded to a package registry (or installed from the file path directly).
--- a/cmd/tsconnect/build-pkg.go
+++ b/cmd/tsconnect/build-pkg.go
@@ -0,0 +1,79 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"path"
+
+	esbuild "github.com/evanw/esbuild/pkg/api"
+	"github.com/tailscale/hujson"
+	"tailscale.com/version"
+)
+
+func runBuildPkg() {
+	buildOptions, err := commonSetup(prodMode)
+	if err != nil {
+		log.Fatalf("Cannot setup: %v", err)
+	}
+
+	log.Printf("Linting...\n")
+	if err := runYarn("lint"); err != nil {
+		log.Fatalf("Linting failed: %v", err)
+	}
+
+	if err := cleanDir(*pkgDir, "package.json"); err != nil {
+		log.Fatalf("Cannot clean %s: %v", *pkgDir, err)
+	}
+
+	buildOptions.EntryPoints = []string{"src/pkg/pkg.ts", "src/pkg/pkg.css"}
+	buildOptions.Outdir = *pkgDir
+	buildOptions.Format = esbuild.FormatESModule
+	buildOptions.AssetNames = "[name]"
+	buildOptions.Write = true
+	buildOptions.MinifyWhitespace = true
+	buildOptions.MinifyIdentifiers = true
+	buildOptions.MinifySyntax = true
+
+	runEsbuild(*buildOptions)
+
+	log.Printf("Generating types...\n")
+	if err := runYarn("pkg-types"); err != nil {
+		log.Fatalf("Type generation failed: %v", err)
+	}
+
+	if err := updateVersion(); err != nil {
+		log.Fatalf("Cannot update version: %v", err)
+	}
+
+	log.Printf("Built package version %s", version.Long)
+}
+
+func updateVersion() error {
+	packageJSONBytes, err := os.ReadFile("package.json.tmpl")
+	if err != nil {
+		return fmt.Errorf("Could not read package.json: %w", err)
+	}
+
+	var packageJSON map[string]any
+	packageJSONBytes, err = hujson.Standardize(packageJSONBytes)
+	if err != nil {
+		return fmt.Errorf("Could not standardize template package.json: %w", err)
+	}
+	if err := json.Unmarshal(packageJSONBytes, &packageJSON); err != nil {
+		return fmt.Errorf("Could not unmarshal package.json: %w", err)
+	}
+	packageJSON["version"] = version.Long
+
+	packageJSONBytes, err = json.MarshalIndent(packageJSON, "", "  ")
+	if err != nil {
+		return fmt.Errorf("Could not marshal package.json: %w", err)
+	}
+
+	return os.WriteFile(path.Join(*pkgDir, "package.json"), packageJSONBytes, 0644)
+}
--- a/cmd/tsconnect/build.go
+++ b/cmd/tsconnect/build.go
@@ -13,7 +13,6 @@ import (
 	"path"
 	"path/filepath"

-	esbuild "github.com/evanw/esbuild/pkg/api"
 	"tailscale.com/util/precompress"
 )

@@ -28,7 +27,7 @@ func runBuild() {
 		log.Fatalf("Linting failed: %v", err)
 	}

-	if err := cleanDist(); err != nil {
+	if err := cleanDir(*distDir, "placeholder"); err != nil {
 		log.Fatalf("Cannot clean %s: %v", *distDir, err)
 	}

@@ -41,21 +40,7 @@ func runBuild() {
 	buildOptions.AssetNames = "[name]-[hash]"
 	buildOptions.Metafile = true

-	log.Printf("Running esbuild...\n")
-	result := esbuild.Build(*buildOptions)
-	if len(result.Errors) > 0 {
-		log.Printf("ESBuild Error:\n")
-		for _, e := range result.Errors {
-			log.Printf("%v", e)
-		}
-		log.Fatal("Build failed")
-	}
-	if len(result.Warnings) > 0 {
-		log.Printf("ESBuild Warnings:\n")
-		for _, w := range result.Warnings {
-			log.Printf("%v", w)
-		}
-	}
+	result := runEsbuild(*buildOptions)

 	// Preserve build metadata so we can extract hashed file names for serving.
 	metadataBytes, err := fixEsbuildMetadataPaths(result.Metafile)
@@ -98,8 +83,6 @@ func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	return json.Marshal(metadata)
 }

-// cleanDist removes files from the dist build directory, except the placeholder
-// one that we keep to make sure Git still creates the directory.
 func cleanDist() error {
 	log.Printf("Cleaning %s...\n", *distDir)
 	files, err := os.ReadDir(*distDir)
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -6,6 +6,7 @@ package main

 import (
 	"fmt"
+	"io/ioutil"
 	"log"
 	"os"
 	"os/exec"
@@ -16,6 +17,7 @@ import (
 	"time"

 	esbuild "github.com/evanw/esbuild/pkg/api"
+	"golang.org/x/exp/slices"
 )

 const (
@@ -32,73 +34,152 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 			return nil, fmt.Errorf("Cannot change cwd: %w", err)
 		}
 	}
-	if err := buildDeps(dev); err != nil {
-		return nil, fmt.Errorf("Cannot build deps: %w", err)
+	if err := installJSDeps(); err != nil {
+		return nil, fmt.Errorf("Cannot install JS deps: %w", err)
 	}

 	return &esbuild.BuildOptions{
-		EntryPoints: []string{"src/index.ts", "src/index.css"},
-		Loader:      map[string]esbuild.Loader{".wasm": esbuild.LoaderFile},
+		EntryPoints: []string{"src/app/index.ts", "src/app/index.css"},
 		Outdir:      *distDir,
 		Bundle:      true,
 		Sourcemap:   esbuild.SourceMapLinked,
 		LogLevel:    esbuild.LogLevelInfo,
 		Define:      map[string]string{"DEBUG": strconv.FormatBool(dev)},
 		Target:      esbuild.ES2017,
-		Plugins: []esbuild.Plugin{{
-			Name: "tailscale-tailwind",
-			Setup: func(build esbuild.PluginBuild) {
-				setupEsbuildTailwind(build, dev)
+		Plugins: []esbuild.Plugin{
+			{
+				Name: "tailscale-tailwind",
+				Setup: func(build esbuild.PluginBuild) {
+					setupEsbuildTailwind(build, dev)
+				},
 			},
-		}},
+			{
+				Name:  "tailscale-go-wasm-exec-js",
+				Setup: setupEsbuildWasmExecJS,
+			},
+			{
+				Name: "tailscale-wasm",
+				Setup: func(build esbuild.PluginBuild) {
+					setupEsbuildWasm(build, dev)
+				},
+			},
+		},
+		JSXMode: esbuild.JSXModeAutomatic,
 	}, nil
 }

-// buildDeps builds the static assets that are needed for the server (except for
-// JS/CSS bundling, which is  handled by esbuild).
-func buildDeps(dev bool) error {
-	if err := copyWasmExec(); err != nil {
-		return fmt.Errorf("Cannot copy wasm_exec.js: %w", err)
+// cleanDir removes files from dirPath, except the ones specified by
+// preserveFiles.
+func cleanDir(dirPath string, preserveFiles ...string) error {
+	log.Printf("Cleaning %s...\n", dirPath)
+	files, err := os.ReadDir(dirPath)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return os.MkdirAll(dirPath, 0755)
+		}
+		return err
 	}
-	if err := buildWasm(dev); err != nil {
-		return fmt.Errorf("Cannot build main.wasm: %w", err)
-	}
-	if err := installJSDeps(); err != nil {
-		return fmt.Errorf("Cannot install JS deps: %w", err)
+
+	for _, file := range files {
+		if !slices.Contains(preserveFiles, file.Name()) {
+			if err := os.Remove(filepath.Join(dirPath, file.Name())); err != nil {
+				return err
+			}
+		}
 	}
 	return nil
 }

-// copyWasmExec grabs the current wasm_exec.js runtime helper library from the
-// Go toolchain.
-func copyWasmExec() error {
-	log.Printf("Copying wasm_exec.js...\n")
-	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
-	wasmExecDstPath := filepath.Join("src", "wasm_exec.js")
-	contents, err := os.ReadFile(wasmExecSrcPath)
-	if err != nil {
-		return err
+func runEsbuild(buildOptions esbuild.BuildOptions) esbuild.BuildResult {
+	log.Printf("Running esbuild...\n")
+	result := esbuild.Build(buildOptions)
+	if len(result.Errors) > 0 {
+		log.Printf("ESBuild Error:\n")
+		for _, e := range result.Errors {
+			log.Printf("%v", e)
+		}
+		log.Fatal("Build failed")
 	}
-	return os.WriteFile(wasmExecDstPath, contents, 0600)
+	if len(result.Warnings) > 0 {
+		log.Printf("ESBuild Warnings:\n")
+		for _, w := range result.Warnings {
+			log.Printf("%v", w)
+		}
+	}
+	return result
 }

-// buildWasm builds the Tailscale wasm binary and places it where the JS can
-// load it.
-func buildWasm(dev bool) error {
-	log.Printf("Building wasm...\n")
+// setupEsbuildWasmExecJS generates an esbuild plugin that serves the current
+// wasm_exec.js runtime helper library from the Go toolchain.
+func setupEsbuildWasmExecJS(build esbuild.PluginBuild) {
+	wasmExecSrcPath := filepath.Join(runtime.GOROOT(), "misc", "wasm", "wasm_exec.js")
+	build.OnResolve(esbuild.OnResolveOptions{
+		Filter: "./wasm_exec$",
+	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
+		return esbuild.OnResolveResult{Path: wasmExecSrcPath}, nil
+	})
+}
+
+// setupEsbuildWasm generates an esbuild plugin that builds the Tailscale wasm
+// binary and serves it as a file that the JS can load.
+func setupEsbuildWasm(build esbuild.PluginBuild, dev bool) {
+	// Add a resolve hook to convince esbuild that the path exists.
+	build.OnResolve(esbuild.OnResolveOptions{
+		Filter: "./main.wasm$",
+	}, func(args esbuild.OnResolveArgs) (esbuild.OnResolveResult, error) {
+		return esbuild.OnResolveResult{
+			Path:      "./src/main.wasm",
+			Namespace: "generated",
+		}, nil
+	})
+	build.OnLoad(esbuild.OnLoadOptions{
+		Filter: "./src/main.wasm$",
+	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
+		contents, err := buildWasm(dev)
+		if err != nil {
+			return esbuild.OnLoadResult{}, fmt.Errorf("Cannot build main.wasm: %w", err)
+		}
+		contentsStr := string(contents)
+		return esbuild.OnLoadResult{
+			Contents: &contentsStr,
+			Loader:   esbuild.LoaderFile,
+		}, nil
+	})
+}
+
+func buildWasm(dev bool) ([]byte, error) {
+	start := time.Now()
+	outputFile, err := ioutil.TempFile("", "main.*.wasm")
+	if err != nil {
+		return nil, fmt.Errorf("Cannot create main.wasm output file: %w", err)
+	}
+	outputPath := outputFile.Name()
+	defer os.Remove(outputPath)
+
 	args := []string{"build", "-tags", "tailscale_go,osusergo,netgo,nethttpomithttp2,omitidna,omitpemdecrypt"}
 	if !dev {
+		if *devControl != "" {
+			return nil, fmt.Errorf("Development control URL can only be used in dev mode.")
+		}
 		// Omit long paths and debug symbols in release builds, to reduce the
 		// generated WASM binary size.
 		args = append(args, "-trimpath", "-ldflags", "-s -w")
+	} else if *devControl != "" {
+		args = append(args, "-ldflags", fmt.Sprintf("-X 'main.ControlURL=%v'", *devControl))
 	}
-	args = append(args, "-o", "src/main.wasm", "./wasm")
+
+	args = append(args, "-o", outputPath, "./wasm")
 	cmd := exec.Command(filepath.Join(runtime.GOROOT(), "bin", "go"), args...)
 	cmd.Env = append(os.Environ(), "GOOS=js", "GOARCH=wasm")
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
-	return cmd.Run()
+	err = cmd.Run()
+	if err != nil {
+		return nil, fmt.Errorf("Cannot build main.wasm: %w", err)
+	}
+	log.Printf("Built wasm in %v\n", time.Since(start))
+	return os.ReadFile(outputPath)
 }

 // installJSDeps installs the JavaScript dependencies specified by package.json
@@ -128,7 +209,7 @@ type EsbuildMetadata struct {

 func setupEsbuildTailwind(build esbuild.PluginBuild, dev bool) {
 	build.OnLoad(esbuild.OnLoadOptions{
-		Filter: "./src/index.css$",
+		Filter: "./src/.*\\.css$",
 	}, func(args esbuild.OnLoadArgs) (esbuild.OnLoadResult, error) {
 		start := time.Now()
 		yarnArgs := []string{"--silent", "tailwind", "-i", args.Path}
--- a/cmd/tsconnect/index.html
+++ b/cmd/tsconnect/index.html
@@ -8,37 +8,13 @@
    <script src="dist/index.js" defer></script>
  </head>
  <body class="flex flex-col h-screen overflow-hidden">
+    <!-- Placeholder so that we don't have an empty page while the JS loads.
+      It should match the markup generated by Header component. -->
    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
      <header class="container mx-auto px-4 flex flex-row items-center">
        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
-        <div class="text-gray-600" id="state">Loading…</div>
+        <div class="text-gray-600">Loading…</div>
      </header>
    </div>
-    <div
-      id="content"
-      class="flex-grow flex flex-col justify-center overflow-hidden"
-    >
-      <form
-        id="ssh-form"
-        class="container mx-auto px-4 hidden flex justify-center"
-      >
-        <input type="text" class="input username" placeholder="Username" />
-        <div class="select-with-arrow mx-2">
-          <select class="select"></select>
-        </div>
-        <input
-          type="submit"
-          class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
-          value="SSH"
-        />
-      </form>
-      <div id="no-ssh" class="container mx-auto px-4 hidden text-center">
-        None of your machines have
-        <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link"
-          >Tailscale SSH</a
-        >
-        enabled. Give it a try!
-      </div>
-    </div>
  </body>
 </html>
--- a/cmd/tsconnect/package.json
+++ b/cmd/tsconnect/package.json
@@ -5,6 +5,8 @@
  "devDependencies": {
    "@types/golang-wasm-exec": "^1.15.0",
    "@types/qrcode": "^1.4.2",
+    "dts-bundle-generator": "^6.12.0",
+    "preact": "^10.10.0",
    "qrcode": "^1.5.0",
    "tailwindcss": "^3.1.6",
    "typescript": "^4.7.4",
@@ -12,7 +14,8 @@
    "xterm-addon-fit": "^0.5.0"
  },
  "scripts": {
-    "lint": "tsc --noEmit"
+    "lint": "tsc --noEmit",
+    "pkg-types": "dts-bundle-generator --inline-declare-global=true --no-banner -o pkg/pkg.d.ts src/pkg/pkg.ts"
  },
  "prettier": {
    "semi": false,
--- a/cmd/tsconnect/package.json.tmpl
+++ b/cmd/tsconnect/package.json.tmpl
@@ -0,0 +1,17 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Template for the package.json that is generated by the build-pkg command.
+// The version number will be replaced by the current Tailscale client version
+// number.
+{
+  "author": "Tailscale Inc.",
+  "description": "Tailscale Connect SDK",
+  "license": "BSD-3-Clause",
+  "name": "tailscale-connect",
+  "type": "module",
+  "main": "./pkg.js",
+  "types": "./pkg.d.ts",
+  "version": "AUTO_GENERATED"
+}
--- a/cmd/tsconnect/serve.go
+++ b/cmd/tsconnect/serve.go
@@ -115,8 +115,8 @@ func generateServeIndex(distFS fs.FS) ([]byte, error) {
 }

 var entryPointsToDefaultDistPaths = map[string]string{
-	"src/index.css": "dist/index.css",
-	"src/index.ts":  "dist/index.js",
+	"src/app/index.css": "dist/index.css",
+	"src/app/index.ts":  "dist/index.js",
 }

 func handleServeDist(w http.ResponseWriter, r *http.Request, distFS fs.FS) {
--- a/cmd/tsconnect/src/app/app.tsx
+++ b/cmd/tsconnect/src/app/app.tsx
@@ -0,0 +1,123 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+import { render, Component } from "preact"
+import { URLDisplay } from "./url-display"
+import { Header } from "./header"
+import { GoPanicDisplay } from "./go-panic-display"
+import { SSH } from "./ssh"
+
+type AppState = {
+  ipn?: IPN
+  ipnState: IPNState
+  netMap?: IPNNetMap
+  browseToURL?: string
+  goPanicError?: string
+}
+
+class App extends Component<{}, AppState> {
+  state: AppState = { ipnState: "NoState" }
+  #goPanicTimeout?: number
+
+  render() {
+    const { ipn, ipnState, goPanicError, netMap, browseToURL } = this.state
+
+    let goPanicDisplay
+    if (goPanicError) {
+      goPanicDisplay = (
+        <GoPanicDisplay error={goPanicError} dismiss={this.clearGoPanic} />
+      )
+    }
+
+    let urlDisplay
+    if (browseToURL) {
+      urlDisplay = <URLDisplay url={browseToURL} />
+    }
+
+    let machineAuthInstructions
+    if (ipnState === "NeedsMachineAuth") {
+      machineAuthInstructions = (
+        <div class="container mx-auto px-4 text-center">
+          An administrator needs to authorize this device.
+        </div>
+      )
+    }
+
+    let ssh
+    if (ipn && ipnState === "Running" && netMap) {
+      ssh = <SSH netMap={netMap} ipn={ipn} />
+    }
+
+    return (
+      <>
+        <Header state={ipnState} ipn={ipn} />
+        {goPanicDisplay}
+        <div class="flex-grow flex flex-col justify-center overflow-hidden">
+          {urlDisplay}
+          {machineAuthInstructions}
+          {ssh}
+        </div>
+      </>
+    )
+  }
+
+  runWithIPN(ipn: IPN) {
+    this.setState({ ipn }, () => {
+      ipn.run({
+        notifyState: this.handleIPNState,
+        notifyNetMap: this.handleNetMap,
+        notifyBrowseToURL: this.handleBrowseToURL,
+        notifyPanicRecover: this.handleGoPanic,
+      })
+    })
+  }
+
+  handleIPNState = (state: IPNState) => {
+    const { ipn } = this.state
+    this.setState({ ipnState: state })
+    if (state === "NeedsLogin") {
+      ipn?.login()
+    } else if (["Running", "NeedsMachineAuth"].includes(state)) {
+      this.setState({ browseToURL: undefined })
+    }
+  }
+
+  handleNetMap = (netMapStr: string) => {
+    const netMap = JSON.parse(netMapStr) as IPNNetMap
+    if (DEBUG) {
+      console.log("Received net map: " + JSON.stringify(netMap, null, 2))
+    }
+    this.setState({ netMap })
+  }
+
+  handleBrowseToURL = (url: string) => {
+    this.setState({ browseToURL: url })
+  }
+
+  handleGoPanic = (error: string) => {
+    if (DEBUG) {
+      console.error("Go panic", error)
+    }
+    this.setState({ goPanicError: error })
+    if (this.#goPanicTimeout) {
+      window.clearTimeout(this.#goPanicTimeout)
+    }
+    this.#goPanicTimeout = window.setTimeout(this.clearGoPanic, 10000)
+  }
+
+  clearGoPanic = () => {
+    window.clearTimeout(this.#goPanicTimeout)
+    this.#goPanicTimeout = undefined
+    this.setState({ goPanicError: undefined })
+  }
+}
+
+export function renderApp(): Promise<App> {
+  return new Promise((resolve) => {
+    render(
+      <App ref={(app) => (app ? resolve(app) : undefined)} />,
+      document.body
+    )
+  })
+}
--- a/cmd/tsconnect/src/app/go-panic-display.tsx
+++ b/cmd/tsconnect/src/app/go-panic-display.tsx
@@ -0,0 +1,21 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+export function GoPanicDisplay({
+  error,
+  dismiss,
+}: {
+  error: string
+  dismiss: () => void
+}) {
+  return (
+    <div
+      class="rounded bg-red-500 p-2 absolute top-2 right-2 text-white font-bold text-right cursor-pointer"
+      onClick={dismiss}
+    >
+      Tailscale has encountered an error.
+      <div class="text-sm font-normal">Click to reload</div>
+    </div>
+  )
+}
--- a/cmd/tsconnect/src/app/header.tsx
+++ b/cmd/tsconnect/src/app/header.tsx
@@ -0,0 +1,38 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+export function Header({ state, ipn }: { state: IPNState; ipn?: IPN }) {
+  const stateText = STATE_LABELS[state]
+
+  let logoutButton
+  if (state === "Running") {
+    logoutButton = (
+      <button
+        class="button bg-gray-500 border-gray-500 text-white hover:bg-gray-600 hover:border-gray-600 ml-2 font-bold"
+        onClick={() => ipn?.logout()}
+      >
+        Logout
+      </button>
+    )
+  }
+  return (
+    <div class="bg-gray-100 border-b border-gray-200 pt-4 pb-2">
+      <header class="container mx-auto px-4 flex flex-row items-center">
+        <h1 class="text-3xl font-bold grow">Tailscale Connect</h1>
+        <div class="text-gray-600">{stateText}</div>
+        {logoutButton}
+      </header>
+    </div>
+  )
+}
+
+const STATE_LABELS = {
+  NoState: "Initializing…",
+  InUseOtherUser: "In-use by another user",
+  NeedsLogin: "Needs login",
+  NeedsMachineAuth: "Needs authorization",
+  Stopped: "Stopped",
+  Starting: "Starting…",
+  Running: "Running",
+} as const
--- a/cmd/tsconnect/src/app/index.css
+++ b/cmd/tsconnect/src/app/index.css
@@ -73,7 +73,3 @@
  background-color: currentColor;
  clip-path: polygon(100% 0%, 0 0%, 50% 100%);
 }
-
-body.ssh-active #ssh-form {
-  @apply hidden;
-}
--- a/cmd/tsconnect/src/app/index.ts
+++ b/cmd/tsconnect/src/app/index.ts
@@ -0,0 +1,37 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+import "../wasm_exec"
+import wasmUrl from "./main.wasm"
+import { sessionStateStorage } from "../lib/js-state-store"
+import { renderApp } from "./app"
+
+async function main() {
+  const app = await renderApp()
+  const go = new Go()
+  const wasmInstance = await WebAssembly.instantiateStreaming(
+    fetch(`./dist/${wasmUrl}`),
+    go.importObject
+  )
+  // The Go process should never exit, if it does then it's an unhandled panic.
+  go.run(wasmInstance.instance).then(() =>
+    app.handleGoPanic("Unexpected shutdown")
+  )
+
+  const params = new URLSearchParams(window.location.search)
+  const authKey = params.get("authkey") ?? undefined
+
+  const ipn = newIPN({
+    // Persist IPN state in sessionStorage in development, so that we don't need
+    // to re-authorize every time we reload the page.
+    stateStorage: DEBUG ? sessionStateStorage : undefined,
+    // authKey allows for an auth key to be
+    // specified as a url param which automatically
+    // authorizes the client for use.
+    authKey: DEBUG ? authKey : undefined,
+  })
+  app.runWithIPN(ipn)
+}
+
+main()
--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@@ -0,0 +1,105 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+import { useState, useCallback } from "preact/hooks"
+import { runSSHSession, SSHSessionDef } from "../lib/ssh"
+
+export function SSH({ netMap, ipn }: { netMap: IPNNetMap; ipn: IPN }) {
+  const [sshSessionDef, setSSHSessionDef] = useState<SSHSessionDef | null>(null)
+  const clearSSHSessionDef = useCallback(() => setSSHSessionDef(null), [])
+  if (sshSessionDef) {
+    return (
+      <SSHSession def={sshSessionDef} ipn={ipn} onDone={clearSSHSessionDef} />
+    )
+  }
+  const sshPeers = netMap.peers.filter(
+    (p) => p.tailscaleSSHEnabled && p.online !== false
+  )
+
+  if (sshPeers.length == 0) {
+    return <NoSSHPeers />
+  }
+
+  return <SSHForm sshPeers={sshPeers} onSubmit={setSSHSessionDef} />
+}
+
+function SSHSession({
+  def,
+  ipn,
+  onDone,
+}: {
+  def: SSHSessionDef
+  ipn: IPN
+  onDone: () => void
+}) {
+  return (
+    <div
+      class="flex-grow bg-black p-2 overflow-hidden"
+      ref={(node) => {
+        if (node) {
+          // Run the SSH session aysnchronously, so that the React render
+          // loop is complete (otherwise the SSH form may still be visible,
+          // which affects the size of the terminal, leading to a spurious
+          // initial resize).
+          setTimeout(() => runSSHSession(node, def, ipn, onDone), 0)
+        }
+      }}
+    />
+  )
+}
+
+function NoSSHPeers() {
+  return (
+    <div class="container mx-auto px-4 text-center">
+      None of your machines have
+      <a href="https://tailscale.com/kb/1193/tailscale-ssh/" class="link">
+        Tailscale SSH
+      </a>
+      enabled. Give it a try!
+    </div>
+  )
+}
+
+function SSHForm({
+  sshPeers,
+  onSubmit,
+}: {
+  sshPeers: IPNNetMapPeerNode[]
+  onSubmit: (def: SSHSessionDef) => void
+}) {
+  sshPeers = sshPeers.slice().sort((a, b) => a.name.localeCompare(b.name))
+  const [username, setUsername] = useState("")
+  const [hostname, setHostname] = useState(sshPeers[0].name)
+  return (
+    <form
+      class="container mx-auto px-4 flex justify-center"
+      onSubmit={(e) => {
+        e.preventDefault()
+        onSubmit({ username, hostname })
+      }}
+    >
+      <input
+        type="text"
+        class="input username"
+        placeholder="Username"
+        onChange={(e) => setUsername(e.currentTarget.value)}
+      />
+      <div class="select-with-arrow mx-2">
+        <select
+          class="select"
+          onChange={(e) => setHostname(e.currentTarget.value)}
+        >
+          {sshPeers.map((p) => (
+            <option key={p.nodeKey}>{p.name.split(".")[0]}</option>
+          ))}
+        </select>
+      </div>
+      <input
+        type="submit"
+        class="button bg-green-500 border-green-500 text-white hover:bg-green-600 hover:border-green-600"
+        value="SSH"
+      />
+    </form>
+  )
+}
--- a/cmd/tsconnect/src/app/url-display.tsx
+++ b/cmd/tsconnect/src/app/url-display.tsx
@@ -0,0 +1,32 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+import { useState } from "preact/hooks"
+import * as qrcode from "qrcode"
+
+export function URLDisplay({ url }: { url: string }) {
+  const [dataURL, setDataURL] = useState("")
+  qrcode.toDataURL(url, { width: 512 }, (err, dataURL) => {
+    if (err) {
+      console.error("Error generating QR code", err)
+    } else {
+      setDataURL(dataURL)
+    }
+  })
+
+  return (
+    <div class="flex flex-col items-center justify-items-center">
+      <a href={url} class="link" target="_blank">
+        <img
+          src={dataURL}
+          class="mx-auto"
+          width="256"
+          height="256"
+          alt="QR Code of URL"
+        />
+        {url}
+      </a>
+    </div>
+  )
+}
--- a/cmd/tsconnect/src/index.ts
+++ b/cmd/tsconnect/src/index.ts
@@ -1,58 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import "./wasm_exec"
-import wasmUrl from "./main.wasm"
-import { notifyState, notifyNetMap, notifyBrowseToURL } from "./notifier"
-import { sessionStateStorage } from "./js-state-store"
-
-const go = new Go()
-WebAssembly.instantiateStreaming(
-  fetch(`./dist/${wasmUrl}`),
-  go.importObject
-).then((result) => {
-  // The Go process should never exit, if it does then it's an unhandled panic.
-  go.run(result.instance).then(() => handleGoPanic())
-  const ipn = newIPN({
-    // Persist IPN state in sessionStorage in development, so that we don't need
-    // to re-authorize every time we reload the page.
-    stateStorage: DEBUG ? sessionStateStorage : undefined,
-  })
-  ipn.run({
-    notifyState: notifyState.bind(null, ipn),
-    notifyNetMap: notifyNetMap.bind(null, ipn),
-    notifyBrowseToURL: notifyBrowseToURL.bind(null, ipn),
-    notifyPanicRecover: handleGoPanic,
-  })
-})
-
-function handleGoPanic(err?: string) {
-  if (DEBUG && err) {
-    console.error("Go panic", err)
-  }
-  if (panicNode) {
-    panicNode.remove()
-  }
-  panicNode = document.createElement("div")
-  panicNode.className =
-    "rounded bg-red-500 p-2 absolute top-2 right-2 text-white font-bold text-right cursor-pointer"
-  panicNode.textContent = "Tailscale has encountered an error."
-  const panicDetailNode = document.createElement("div")
-  panicDetailNode.className = "text-sm font-normal"
-  panicDetailNode.textContent = "Click to reload"
-  panicNode.appendChild(panicDetailNode)
-  panicNode.addEventListener("click", () => location.reload(), {
-    once: true,
-  })
-  document.body.appendChild(panicNode)
-  setTimeout(() => {
-    panicNode!.remove()
-  }, 10000)
-}
-
-let panicNode: HTMLDivElement | undefined
-
-export function getContentNode(): HTMLDivElement {
-  return document.querySelector("#content") as HTMLDivElement
-}
--- a/cmd/tsconnect/src/lib/js-state-store.ts
+++ b/cmd/tsconnect/src/lib/js-state-store.ts
--- a/cmd/tsconnect/src/lib/ssh.ts
+++ b/cmd/tsconnect/src/lib/ssh.ts
@@ -0,0 +1,65 @@
+import { Terminal } from "xterm"
+import { FitAddon } from "xterm-addon-fit"
+
+export type SSHSessionDef = {
+  username: string
+  hostname: string
+}
+
+export function runSSHSession(
+  termContainerNode: HTMLDivElement,
+  def: SSHSessionDef,
+  ipn: IPN,
+  onDone: () => void
+) {
+  const term = new Terminal({
+    cursorBlink: true,
+  })
+  const fitAddon = new FitAddon()
+  term.loadAddon(fitAddon)
+  term.open(termContainerNode)
+  fitAddon.fit()
+
+  let onDataHook: ((data: string) => void) | undefined
+  term.onData((e) => {
+    onDataHook?.(e)
+  })
+
+  term.focus()
+
+  let resizeObserver: ResizeObserver | undefined
+  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined
+
+  const sshSession = ipn.ssh(def.hostname, def.username, {
+    writeFn(input) {
+      term.write(input)
+    },
+    writeErrorFn(err) {
+      console.error(err)
+      term.write(err)
+    },
+    setReadFn(hook) {
+      onDataHook = hook
+    },
+    rows: term.rows,
+    cols: term.cols,
+    onDone() {
+      resizeObserver?.disconnect()
+      term.dispose()
+      if (handleBeforeUnload) {
+        window.removeEventListener("beforeunload", handleBeforeUnload)
+      }
+      onDone()
+    },
+  })
+
+  // Make terminal and SSH session track the size of the containing DOM node.
+  resizeObserver = new ResizeObserver(() => fitAddon.fit())
+  resizeObserver.observe(termContainerNode)
+  term.onResize(({ rows, cols }) => sshSession.resize(rows, cols))
+
+  // Close the session if the user closes the window without an explicit
+  // exit.
+  handleBeforeUnload = () => sshSession.close()
+  window.addEventListener("beforeunload", handleBeforeUnload)
+}
--- a/cmd/tsconnect/src/login.ts
+++ b/cmd/tsconnect/src/login.ts
@@ -1,74 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import * as qrcode from "qrcode"
-import { getContentNode } from "./index"
-
-export async function showLoginURL(url: string) {
-  if (loginNode) {
-    loginNode.remove()
-  }
-  loginNode = document.createElement("div")
-  loginNode.className = "flex flex-col items-center justify-items-center"
-  const linkNode = document.createElement("a")
-  linkNode.className = "link"
-  linkNode.href = url
-  linkNode.target = "_blank"
-  loginNode.appendChild(linkNode)
-
-  try {
-    const dataURL = await qrcode.toDataURL(url, { width: 512 })
-    const imageNode = document.createElement("img")
-    imageNode.className = "mx-auto"
-    imageNode.src = dataURL
-    imageNode.width = 256
-    imageNode.height = 256
-    linkNode.appendChild(imageNode)
-  } catch (err) {
-    console.error("Could not generate QR code:", err)
-  }
-
-  linkNode.appendChild(document.createTextNode(url))
-
-  getContentNode().appendChild(loginNode)
-}
-
-export function hideLoginURL() {
-  if (!loginNode) {
-    return
-  }
-  loginNode.remove()
-  loginNode = undefined
-}
-
-let loginNode: HTMLDivElement | undefined
-
-export function showLogoutButton(ipn: IPN) {
-  if (logoutButtonNode) {
-    logoutButtonNode.remove()
-  }
-  logoutButtonNode = document.createElement("button")
-  logoutButtonNode.className =
-    "button bg-gray-500 border-gray-500 text-white hover:bg-gray-600 hover:border-gray-600 ml-2 font-bold"
-  logoutButtonNode.textContent = "Logout"
-  logoutButtonNode.addEventListener(
-    "click",
-    () => {
-      ipn.logout()
-    },
-    { once: true }
-  )
-  const headerNode = document.getElementsByTagName("header")[0]!
-  headerNode.appendChild(logoutButtonNode)
-}
-
-export function hideLogoutButton() {
-  if (!logoutButtonNode) {
-    return
-  }
-  logoutButtonNode.remove()
-  logoutButtonNode = undefined
-}
-
-let logoutButtonNode: HTMLButtonElement | undefined
--- a/cmd/tsconnect/src/notifier.ts
+++ b/cmd/tsconnect/src/notifier.ts
@@ -1,65 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import {
-  showLoginURL,
-  hideLoginURL,
-  showLogoutButton,
-  hideLogoutButton,
-} from "./login"
-import { showSSHForm, hideSSHForm } from "./ssh"
-import { IPNState } from "./wasm_js"
-
-/**
- * @fileoverview Notification callback functions (bridged from ipn.Notify)
- */
-
-export function notifyState(ipn: IPN, state: IPNState) {
-  let stateLabel
-  switch (state) {
-    case IPNState.NoState:
-      stateLabel = "Initializing…"
-      break
-    case IPNState.InUseOtherUser:
-      stateLabel = "In-use by another user"
-      break
-    case IPNState.NeedsLogin:
-      stateLabel = "Needs Login"
-      hideLogoutButton()
-      hideSSHForm()
-      ipn.login()
-      break
-    case IPNState.NeedsMachineAuth:
-      stateLabel = "Needs authorization"
-      break
-    case IPNState.Stopped:
-      stateLabel = "Stopped"
-      hideLogoutButton()
-      hideSSHForm()
-      break
-    case IPNState.Starting:
-      stateLabel = "Starting…"
-      break
-    case IPNState.Running:
-      stateLabel = "Running"
-      hideLoginURL()
-      showLogoutButton(ipn)
-      break
-  }
-  const stateNode = document.querySelector("#state") as HTMLDivElement
-  stateNode.textContent = stateLabel ?? ""
-}
-
-export function notifyNetMap(ipn: IPN, netMapStr: string) {
-  const netMap = JSON.parse(netMapStr) as IPNNetMap
-  if (DEBUG) {
-    console.log("Received net map: " + JSON.stringify(netMap, null, 2))
-  }
-
-  showSSHForm(netMap.peers, ipn)
-}
-
-export function notifyBrowseToURL(ipn: IPN, url: string) {
-  showLoginURL(url)
-}
--- a/cmd/tsconnect/src/pkg/pkg.css
+++ b/cmd/tsconnect/src/pkg/pkg.css
@@ -0,0 +1,9 @@
+/* Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved. */
+/* Use of this source code is governed by a BSD-style */
+/* license that can be found in the LICENSE file. */
+
+@import "xterm/css/xterm.css";
+
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
--- a/cmd/tsconnect/src/pkg/pkg.ts
+++ b/cmd/tsconnect/src/pkg/pkg.ts
@@ -0,0 +1,41 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Type definitions need to be manually imported for dts-bundle-generator to
+// discover them.
+/// <reference path="../types/esbuild.d.ts" />
+/// <reference path="../types/wasm_js.d.ts" />
+
+import "../wasm_exec"
+import wasmURL from "./main.wasm"
+
+/**
+ * Superset of the IPNConfig type, with additional configuration that is
+ * needed for the package to function.
+ */
+type IPNPackageConfig = IPNConfig & {
+  // Auth key used to intitialize the Tailscale client (required)
+  authKey: string
+  // URL of the main.wasm file that is included in the page, if it is not
+  // accessible via a relative URL.
+  wasmURL?: string
+  // Funtion invoked if the Go process panics or unexpectedly exits.
+  panicHandler: (err: string) => void
+}
+
+export async function createIPN(config: IPNPackageConfig): Promise<IPN> {
+  const go = new Go()
+  const wasmInstance = await WebAssembly.instantiateStreaming(
+    fetch(config.wasmURL ?? wasmURL),
+    go.importObject
+  )
+  // The Go process should never exit, if it does then it's an unhandled panic.
+  go.run(wasmInstance.instance).then(() =>
+    config.panicHandler("Unexpected shutdown")
+  )
+
+  return newIPN(config)
+}
+
+export { runSSHSession } from "../lib/ssh"
--- a/cmd/tsconnect/src/ssh.ts
+++ b/cmd/tsconnect/src/ssh.ts
@@ -1,98 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-import { Terminal } from "xterm"
-import { FitAddon } from "xterm-addon-fit"
-import { getContentNode } from "./index"
-
-export function showSSHForm(peers: IPNNetMapPeerNode[], ipn: IPN) {
-  const formNode = document.querySelector("#ssh-form") as HTMLDivElement
-  const noSSHNode = document.querySelector("#no-ssh") as HTMLDivElement
-
-  const sshPeers = peers.filter(
-    (p) => p.tailscaleSSHEnabled && p.online !== false
-  )
-  if (sshPeers.length == 0) {
-    formNode.classList.add("hidden")
-    noSSHNode.classList.remove("hidden")
-    return
-  }
-  sshPeers.sort((a, b) => a.name.localeCompare(b.name))
-
-  const selectNode = formNode.querySelector("select")!
-  selectNode.innerHTML = ""
-  for (const p of sshPeers) {
-    const option = document.createElement("option")
-    option.textContent = p.name.split(".")[0]
-    option.value = p.name
-    selectNode.appendChild(option)
-  }
-
-  const usernameNode = formNode.querySelector(".username") as HTMLInputElement
-  formNode.onsubmit = (e) => {
-    e.preventDefault()
-    const hostname = selectNode.value
-    ssh(hostname, usernameNode.value, ipn)
-  }
-
-  noSSHNode.classList.add("hidden")
-  formNode.classList.remove("hidden")
-}
-
-export function hideSSHForm() {
-  const formNode = document.querySelector("#ssh-form") as HTMLDivElement
-  formNode.classList.add("hidden")
-}
-
-function ssh(hostname: string, username: string, ipn: IPN) {
-  document.body.classList.add("ssh-active")
-  const termContainerNode = document.createElement("div")
-  termContainerNode.className = "flex-grow bg-black p-2 overflow-hidden"
-  getContentNode().appendChild(termContainerNode)
-
-  const term = new Terminal({
-    cursorBlink: true,
-  })
-  const fitAddon = new FitAddon()
-  term.loadAddon(fitAddon)
-  term.open(termContainerNode)
-  fitAddon.fit()
-
-  let onDataHook: ((data: string) => void) | undefined
-  term.onData((e) => {
-    onDataHook?.(e)
-  })
-
-  term.focus()
-
-  const sshSession = ipn.ssh(hostname, username, {
-    writeFn: (input) => term.write(input),
-    setReadFn: (hook) => (onDataHook = hook),
-    rows: term.rows,
-    cols: term.cols,
-    onDone: () => {
-      resizeObserver.disconnect()
-      term.dispose()
-      termContainerNode.remove()
-      document.body.classList.remove("ssh-active")
-      window.removeEventListener("beforeunload", beforeUnloadListener)
-    },
-  })
-
-  // Make terminal and SSH session track the size of the containing DOM node.
-  const resizeObserver = new ResizeObserver((entries) => {
-    fitAddon.fit()
-  })
-  resizeObserver.observe(termContainerNode)
-  term.onResize(({ rows, cols }) => {
-    sshSession.resize(rows, cols)
-  })
-
-  // Close the session if the user closes the window without an explicit
-  // exit.
-  const beforeUnloadListener = () => {
-    sshSession.close()
-  }
-  window.addEventListener("beforeunload", beforeUnloadListener)
-}
--- a/cmd/tsconnect/src/types/esbuild.d.ts
+++ b/cmd/tsconnect/src/types/esbuild.d.ts
--- a/cmd/tsconnect/src/types/wasm_js.d.ts
+++ b/cmd/tsconnect/src/types/wasm_js.d.ts
@@ -4,8 +4,7 @@

 /**
 * @fileoverview Type definitions for types exported by the wasm_js.go Go
- * module. Not actually a .d.ts file so that we can use enums from it in
- * esbuild's simplified TypeScript compiler (see https://github.com/evanw/esbuild/issues/2298#issuecomment-1146378367)
+ * module.
 */

 declare global {
@@ -20,15 +19,14 @@ declare global {
      username: string,
      termConfig: {
        writeFn: (data: string) => void
+        writeErrorFn: (err: string) => void
        setReadFn: (readFn: (data: string) => void) => void
        rows: number
        cols: number
        onDone: () => void
      }
    ): IPNSSHSession
-    fetch(
-      url: string
-    ): Promise<{
+    fetch(url: string): Promise<{
      status: number
      statusText: string
      text: () => Promise<string>
@@ -47,6 +45,8 @@ declare global {

  type IPNConfig = {
    stateStorage?: IPNStateStorage
+    authKey?: string
+    controlURL?: string
  }

  type IPNCallbacks = {
@@ -76,23 +76,23 @@ declare global {
    online?: boolean
    tailscaleSSHEnabled: boolean
  }
+
+  /** Mirrors values from ipn/backend.go */
+  type IPNState =
+    | "NoState"
+    | "InUseOtherUser"
+    | "NeedsLogin"
+    | "NeedsMachineAuth"
+    | "Stopped"
+    | "Starting"
+    | "Running"
+
+  /** Mirrors values from MachineStatus in tailcfg.go */
+  type IPNMachineStatus =
+    | "MachineUnknown"
+    | "MachineUnauthorized"
+    | "MachineAuthorized"
+    | "MachineInvalid"
 }

-/** Mirrors values from ipn/backend.go */
-export const enum IPNState {
-  NoState = 0,
-  InUseOtherUser = 1,
-  NeedsLogin = 2,
-  NeedsMachineAuth = 3,
-  Stopped = 4,
-  Starting = 5,
-  Running = 6,
-}
-
-/** Mirrors values from MachineStatus in tailcfg.go */
-export const enum IPNMachineStatus {
-  MachineUnknown = 0,
-  MachineUnauthorized = 1,
-  MachineAuthorized = 2,
-  MachineInvalid = 3,
-}
+export {}
--- a/cmd/tsconnect/tailwind.config.js
+++ b/cmd/tsconnect/tailwind.config.js
@@ -1,6 +1,6 @@
 /** @type {import('tailwindcss').Config} */
 module.exports = {
-  content: ["./index.html", "./src/**/*.ts"],
+  content: ["./index.html", "./src/**/*.ts", "./src/**/*.tsx"],
  theme: {
    extend: {},
  },
--- a/cmd/tsconnect/tsconfig.json
+++ b/cmd/tsconnect/tsconfig.json
@@ -6,7 +6,9 @@
    "isolatedModules": true,
    "strict": true,
    "forceConsistentCasingInFileNames": true,
-    "sourceMap": true
+    "sourceMap": true,
+    "jsx": "react-jsx",
+    "jsxImportSource": "preact"
  },
  "include": ["src/**/*"],
  "exclude": ["node_modules"]
--- a/cmd/tsconnect/tsconnect.go
+++ b/cmd/tsconnect/tsconnect.go
@@ -20,8 +20,10 @@ import (
 var (
 	addr            = flag.String("addr", ":9090", "address to listen on")
 	distDir         = flag.String("distdir", "./dist", "path of directory to place build output in")
+	pkgDir          = flag.String("pkgdir", "./pkg", "path of directory to place NPM package build output in")
 	yarnPath        = flag.String("yarnpath", "../../tool/yarn", "path yarn executable used to install JavaScript dependencies")
 	fastCompression = flag.Bool("fast-compression", false, "Use faster compression when building, to speed up build time. Meant to iterative/debugging use only.")
+	devControl      = flag.String("dev-control", "", "URL of a development control server to be used with dev. If provided without specifying dev, an error will be returned.")
 )

 func main() {
@@ -36,6 +38,8 @@ func main() {
 		runDev()
 	case "build":
 		runBuild()
+	case "build-pkg":
+		runBuildPkg()
 	case "serve":
 		runServe()
 	default:
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -31,16 +31,20 @@ import (
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/ipn/store/mem"
+	"tailscale.com/logpolicy"
+	"tailscale.com/logtail"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/words"
 )

+// ControlURL defines the URL to be used for connection to Control.
+var ControlURL = ipn.DefaultControlURL
+
 func main() {
 	js.Global().Set("newIPN", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
 		if len(args) != 1 {
@@ -56,7 +60,37 @@ func main() {

 func newIPN(jsConfig js.Value) map[string]any {
 	netns.SetEnabled(false)
-	var logf logger.Logf = log.Printf
+
+	jsStateStorage := jsConfig.Get("stateStorage")
+	var store ipn.StateStore
+	if jsStateStorage.IsUndefined() {
+		store = new(mem.Store)
+	} else {
+		store = &jsStateStore{jsStateStorage}
+	}
+
+	jsControlURL := jsConfig.Get("controlURL")
+	controlURL := ControlURL
+	if jsControlURL.Type() == js.TypeString {
+		controlURL = jsControlURL.String()
+	}
+
+	jsAuthKey := jsConfig.Get("authKey")
+	var authKey string
+	if jsAuthKey.Type() == js.TypeString {
+		authKey = jsAuthKey.String()
+	}
+
+	lpc := getOrCreateLogPolicyConfig(store)
+	c := logtail.Config{
+		Collection: lpc.Collection,
+		PrivateID:  lpc.PrivateID,
+		// NewZstdEncoder is intentionally not passed in, compressed requests
+		// set HTTP headers that are not supported by the no-cors fetching mode.
+		HTTPC: &http.Client{Transport: &noCORSTransport{http.DefaultTransport}},
+	}
+	logtail := logtail.NewLogger(c, log.Printf)
+	logf := logtail.Logf

 	dialer := new(tsdial.Dialer)
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
@@ -86,14 +120,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 		return ns.DialContextTCP(ctx, dst)
 	}

-	jsStateStorage := jsConfig.Get("stateStorage")
-	var store ipn.StateStore
-	if jsStateStorage.IsUndefined() {
-		store = new(mem.Store)
-	} else {
-		store = &jsStateStore{jsStateStorage}
-	}
-	srv, err := ipnserver.New(log.Printf, "some-logid", store, eng, dialer, nil, ipnserver.Options{
+	srv, err := ipnserver.New(logf, lpc.PublicID.String(), store, eng, dialer, nil, ipnserver.Options{
 		SurviveDisconnects: true,
 		LoginFlags:         controlclient.LoginEphemeral,
 	})
@@ -104,9 +131,11 @@ func newIPN(jsConfig js.Value) map[string]any {
 	ns.SetLocalBackend(lb)

 	jsIPN := &jsIPN{
-		dialer: dialer,
-		srv:    srv,
-		lb:     lb,
+		dialer:     dialer,
+		srv:        srv,
+		lb:         lb,
+		controlURL: controlURL,
+		authKey:    authKey,
 	}

 	return map[string]any{
@@ -162,14 +191,33 @@ func newIPN(jsConfig js.Value) map[string]any {
 }

 type jsIPN struct {
-	dialer *tsdial.Dialer
-	srv    *ipnserver.Server
-	lb     *ipnlocal.LocalBackend
+	dialer     *tsdial.Dialer
+	srv        *ipnserver.Server
+	lb         *ipnlocal.LocalBackend
+	controlURL string
+	authKey    string
+}
+
+var jsIPNState = map[ipn.State]string{
+	ipn.NoState:          "NoState",
+	ipn.InUseOtherUser:   "InUseOtherUser",
+	ipn.NeedsLogin:       "NeedsLogin",
+	ipn.NeedsMachineAuth: "NeedsMachineAuth",
+	ipn.Stopped:          "Stopped",
+	ipn.Starting:         "Starting",
+	ipn.Running:          "Running",
+}
+
+var jsMachineStatus = map[tailcfg.MachineStatus]string{
+	tailcfg.MachineUnknown:      "MachineUnknown",
+	tailcfg.MachineUnauthorized: "MachineUnauthorized",
+	tailcfg.MachineAuthorized:   "MachineAuthorized",
+	tailcfg.MachineInvalid:      "MachineInvalid",
 }

 func (i *jsIPN) run(jsCallbacks js.Value) {
 	notifyState := func(state ipn.State) {
-		jsCallbacks.Call("notifyState", int(state))
+		jsCallbacks.Call("notifyState", jsIPNState[state])
 	}
 	notifyState(ipn.NoState)

@@ -188,7 +236,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 		if n.State != nil {
 			notifyState(*n.State)
 		}
-		if nm := n.NetMap; nm != nil && i.lb.State() == ipn.Running {
+		if nm := n.NetMap; nm != nil {
 			jsNetMap := jsNetMap{
 				Self: jsNetMapSelfNode{
 					jsNetMapNode: jsNetMapNode{
@@ -197,7 +245,7 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 						NodeKey:    nm.NodeKey.String(),
 						MachineKey: nm.MachineKey.String(),
 					},
-					MachineStatus: int(nm.MachineStatus),
+					MachineStatus: jsMachineStatus[nm.MachineStatus],
 				},
 				Peers: mapSlice(nm.Peers, func(p *tailcfg.Node) jsNetMapPeerNode {
 					name := p.Name
@@ -232,12 +280,13 @@ func (i *jsIPN) run(jsCallbacks js.Value) {
 		err := i.lb.Start(ipn.Options{
 			StateKey: "wasm",
 			UpdatePrefs: &ipn.Prefs{
-				ControlURL:       ipn.DefaultControlURL,
+				ControlURL:       i.controlURL,
 				RouteAll:         false,
 				AllowSingleHosts: true,
 				WantRunning:      true,
 				Hostname:         generateHostname(),
 			},
+			AuthKey: i.authKey,
 		})
 		if err != nil {
 			log.Printf("Start error: %v", err)
@@ -298,6 +347,7 @@ type jsSSHSession struct {

 func (s *jsSSHSession) Run() {
 	writeFn := s.termConfig.Get("writeFn")
+	writeErrorFn := s.termConfig.Get("writeErrorFn")
 	setReadFn := s.termConfig.Get("setReadFn")
 	rows := s.termConfig.Get("rows").Int()
 	cols := s.termConfig.Get("cols").Int()
@@ -308,7 +358,7 @@ func (s *jsSSHSession) Run() {
 		writeFn.Invoke(s)
 	}
 	writeError := func(label string, err error) {
-		write(fmt.Sprintf("%s Error: %v\r\n", label, err))
+		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}

 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -445,7 +495,7 @@ type jsNetMapNode struct {

 type jsNetMapSelfNode struct {
 	jsNetMapNode
-	MachineStatus int `json:"machineStatus"`
+	MachineStatus string `json:"machineStatus"`
 }

 type jsNetMapPeerNode struct {
@@ -527,3 +577,40 @@ func makePromise(f func() (any, error)) js.Value {
 	promiseConstructor := js.Global().Get("Promise")
 	return promiseConstructor.New(handler)
 }
+
+const logPolicyStateKey = "log-policy"
+
+func getOrCreateLogPolicyConfig(state ipn.StateStore) *logpolicy.Config {
+	if configBytes, err := state.ReadState(logPolicyStateKey); err == nil {
+		if config, err := logpolicy.ConfigFromBytes(configBytes); err == nil {
+			return config
+		} else {
+			log.Printf("Could not parse log policy config: %v", err)
+		}
+	} else if err != ipn.ErrStateNotExist {
+		log.Printf("Could not get log policy config from state store: %v", err)
+	}
+	config := logpolicy.NewConfig(logtail.CollectionNode)
+	if err := state.WriteState(logPolicyStateKey, config.ToBytes()); err != nil {
+		log.Printf("Could not save log policy config to state store: %v", err)
+	}
+	return config
+}
+
+// noCORSTransport wraps a RoundTripper and forces the no-cors mode on requests,
+// so that we can use it with non-CORS-aware servers.
+type noCORSTransport struct {
+	http.RoundTripper
+}
+
+func (t *noCORSTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("js.fetch:mode", "no-cors")
+	resp, err := t.RoundTripper.RoundTrip(req)
+	if err == nil {
+		// In no-cors mode no response properties are returned. Populate just
+		// the status so that callers do not think this was an error.
+		resp.StatusCode = http.StatusOK
+		resp.Status = http.StatusText(http.StatusOK)
+	}
+	return resp, err
+}
--- a/cmd/tsconnect/yarn.lock
+++ b/cmd/tsconnect/yarn.lock
@@ -130,6 +130,15 @@ cliui@^6.0.0:
    strip-ansi "^6.0.0"
    wrap-ansi "^6.2.0"

+cliui@^7.0.2:
+  version "7.0.4"
+  resolved "https://registry.yarnpkg.com/cliui/-/cliui-7.0.4.tgz#a0265ee655476fc807aea9df3df8df7783808b4f"
+  integrity sha512-OcRE68cOsVMXp1Yvonl/fzkQOyjLSu/8bhPDfQt0e0/Eb283TKP20Fs2MqoPsr9SwA595rRCA+QMzYc9nBP+JQ==
+  dependencies:
+    string-width "^4.2.0"
+    strip-ansi "^6.0.0"
+    wrap-ansi "^7.0.0"
+
 color-convert@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/color-convert/-/color-convert-2.0.1.tgz#72d3a68d598c9bdb3af2ad1e84f21d896abd4de3"
@@ -181,6 +190,14 @@ dlv@^1.1.3:
  resolved "https://registry.yarnpkg.com/dlv/-/dlv-1.1.3.tgz#5c198a8a11453596e751494d49874bc7732f2e79"
  integrity sha512-+HlytyjlPKnIG8XuRG8WvmBP8xs8P71y+SKKS6ZXWoEgLuePxtDoUEiH7WkdePWrQ5JBpE6aoVqfZfJUQkjXwA==

+dts-bundle-generator@^6.12.0:
+  version "6.12.0"
+  resolved "https://registry.yarnpkg.com/dts-bundle-generator/-/dts-bundle-generator-6.12.0.tgz#0a221bdce5fdd309a56c8556e645f16ed87ab07d"
+  integrity sha512-k/QAvuVaLIdyWRUHduDrWBe4j8PcE6TDt06+f32KHbW7/SmUPbX1O23fFtQgKwUyTBkbIjJFOFtNrF97tJcKug==
+  dependencies:
+    typescript ">=3.0.1"
+    yargs "^17.2.1"
+
 emoji-regex@^8.0.0:
  version "8.0.0"
  resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37"
@@ -191,6 +208,11 @@ encode-utf8@^1.0.3:
  resolved "https://registry.yarnpkg.com/encode-utf8/-/encode-utf8-1.0.3.tgz#f30fdd31da07fb596f281beb2f6b027851994cda"
  integrity sha512-ucAnuBEhUK4boH2HjVYG5Q2mQyPorvv0u/ocS+zhdw0S8AlHYY+GOFhP1Gio5z4icpP2ivFSvhtFjQi8+T9ppw==

+escalade@^3.1.1:
+  version "3.1.1"
+  resolved "https://registry.yarnpkg.com/escalade/-/escalade-3.1.1.tgz#d8cfdc7000965c5a0174b4a82eaa5c0552742e40"
+  integrity sha512-k0er2gUkLf8O0zKJiAhmkTnJlTvINGv7ygDNPbeIsX/TJjGJZHuh9B2UxbsaEkmlEo9MfhrSzmhIlhRlI2GXnw==
+
 fast-glob@^3.2.11:
  version "3.2.11"
  resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.2.11.tgz#a1172ad95ceb8a16e20caa5c5e56480e5129c1d9"
@@ -234,7 +256,7 @@ function-bind@^1.1.1:
  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
  integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==

-get-caller-file@^2.0.1:
+get-caller-file@^2.0.1, get-caller-file@^2.0.5:
  version "2.0.5"
  resolved "https://registry.yarnpkg.com/get-caller-file/-/get-caller-file-2.0.5.tgz#4f94412a82db32f36e3b0b9741f8a97feb031f7e"
  integrity sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==
@@ -443,6 +465,11 @@ postcss@^8.4.14:
    picocolors "^1.0.0"
    source-map-js "^1.0.2"

+preact@^10.10.0:
+  version "10.10.0"
+  resolved "https://registry.yarnpkg.com/preact/-/preact-10.10.0.tgz#7434750a24b59dae1957d95dc0aa47a4a8e9a180"
+  integrity sha512-fszkg1iJJjq68I4lI8ZsmBiaoQiQHbxf1lNq+72EmC/mZOsFF5zn3k1yv9QGoFgIXzgsdSKtYymLJsrJPoamjQ==
+
 qrcode@^1.5.0:
  version "1.5.0"
  resolved "https://registry.yarnpkg.com/qrcode/-/qrcode-1.5.0.tgz#95abb8a91fdafd86f8190f2836abbfc500c72d1b"
@@ -518,7 +545,7 @@ source-map-js@^1.0.2:
  resolved "https://registry.yarnpkg.com/source-map-js/-/source-map-js-1.0.2.tgz#adbc361d9c62df380125e7f161f71c826f1e490c"
  integrity sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==

-string-width@^4.1.0, string-width@^4.2.0:
+string-width@^4.1.0, string-width@^4.2.0, string-width@^4.2.3:
  version "4.2.3"
  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.3.tgz#269c7117d27b05ad2e536830a8ec895ef9c6d010"
  integrity sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==
@@ -574,7 +601,7 @@ to-regex-range@^5.0.1:
  dependencies:
    is-number "^7.0.0"

-typescript@^4.7.4:
+typescript@>=3.0.1, typescript@^4.7.4:
  version "4.7.4"
  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.7.4.tgz#1a88596d1cf47d59507a1bcdfb5b9dfe4d488235"
  integrity sha512-C0WQT0gezHuw6AdY1M2jxUO83Rjf0HP7Sk1DtXj6j1EwkQNZrHAg2XPWlq62oqEhYvONq5pkC2Y9oPljWToLmQ==
@@ -598,6 +625,15 @@ wrap-ansi@^6.2.0:
    string-width "^4.1.0"
    strip-ansi "^6.0.0"

+wrap-ansi@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/wrap-ansi/-/wrap-ansi-7.0.0.tgz#67e145cff510a6a6984bdf1152911d69d2eb9e43"
+  integrity sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==
+  dependencies:
+    ansi-styles "^4.0.0"
+    string-width "^4.1.0"
+    strip-ansi "^6.0.0"
+
 xtend@^4.0.2:
  version "4.0.2"
  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
@@ -618,6 +654,11 @@ y18n@^4.0.0:
  resolved "https://registry.yarnpkg.com/y18n/-/y18n-4.0.3.tgz#b5f259c82cd6e336921efd7bfd8bf560de9eeedf"
  integrity sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==

+y18n@^5.0.5:
+  version "5.0.8"
+  resolved "https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55"
+  integrity sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==
+
 yaml@^1.10.2:
  version "1.10.2"
  resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.2.tgz#2301c5ffbf12b467de8da2333a459e29e7920e4b"
@@ -631,6 +672,11 @@ yargs-parser@^18.1.2:
    camelcase "^5.0.0"
    decamelize "^1.2.0"

+yargs-parser@^21.0.0:
+  version "21.1.1"
+  resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-21.1.1.tgz#9096bceebf990d21bb31fa9516e0ede294a77d35"
+  integrity sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==
+
 yargs@^15.3.1:
  version "15.4.1"
  resolved "https://registry.yarnpkg.com/yargs/-/yargs-15.4.1.tgz#0d87a16de01aee9d8bec2bfbf74f67851730f4f8"
@@ -647,3 +693,16 @@ yargs@^15.3.1:
    which-module "^2.0.0"
    y18n "^4.0.0"
    yargs-parser "^18.1.2"
+
+yargs@^17.2.1:
+  version "17.5.1"
+  resolved "https://registry.yarnpkg.com/yargs/-/yargs-17.5.1.tgz#e109900cab6fcb7fd44b1d8249166feb0b36e58e"
+  integrity sha512-t6YAJcxDkNX7NFYiVtKvWUz8l+PaKTLiL63mJYWR2GnHq2gjEWISzsLp9wg3aY36dY1j+gfIEL3pIF+XlJJfbA==
+  dependencies:
+    cliui "^7.0.2"
+    escalade "^3.1.1"
+    get-caller-file "^2.0.5"
+    require-directory "^2.1.1"
+    string-width "^4.2.3"
+    y18n "^5.0.5"
+    yargs-parser "^21.0.0"
--- a/cmd/viewer/tests/tests.go
+++ b/cmd/viewer/tests/tests.go
@@ -10,7 +10,7 @@ import (
 	"net/netip"
 )

-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone --clone-only-type=OnlyGetClone

 type StructWithoutPtrs struct {
 	Int int
@@ -58,3 +58,7 @@ type StructWithSlices struct {
 	Prefixes []netip.Prefix
 	Data     []byte
 }
+
+type OnlyGetClone struct {
+	SinViewerPorFavor bool
+}
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -196,3 +196,19 @@ var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
 	Prefixes       []netip.Prefix
 	Data           []byte
 }{})
+
+// Clone makes a deep copy of OnlyGetClone.
+// The result aliases no memory with the original.
+func (src *OnlyGetClone) Clone() *OnlyGetClone {
+	if src == nil {
+		return nil
+	}
+	dst := new(OnlyGetClone)
+	*dst = *src
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _OnlyGetCloneCloneNeedsRegeneration = OnlyGetClone(struct {
+	SinViewerPorFavor bool
+}{})
--- a/cmd/viewer/tests/tests_view.go
+++ b/cmd/viewer/tests/tests_view.go
@@ -15,7 +15,7 @@ import (
 	"tailscale.com/types/views"
 )

-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone

 // View returns a readonly view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
--- a/cmd/viewer/viewer.go
+++ b/cmd/viewer/viewer.go
@@ -327,6 +327,8 @@ var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
+
+	flagCloneOnlyTypes = flag.String("clone-only-type", "", "comma-separated list of types (a subset of --type) that should only generate a go:generate clone line and not actual views")
 )

 func main() {
@@ -353,10 +355,18 @@ func main() {
 	}
 	it := codegen.NewImportTracker(pkg.Types)

+	cloneOnlyType := map[string]bool{}
+	for _, t := range strings.Split(*flagCloneOnlyTypes, ",") {
+		cloneOnlyType[t] = true
+	}
+
 	buf := new(bytes.Buffer)
 	fmt.Fprintf(buf, "//go:generate go run tailscale.com/cmd/cloner  %s\n\n", strings.Join(flagArgs, " "))
 	runCloner := false
 	for _, typeName := range typeNames {
+		if cloneOnlyType[typeName] {
+			continue
+		}
 		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -5,6 +5,7 @@
 package controlclient

 import (
+	"bufio"
 	"bytes"
 	"context"
 	"encoding/binary"
@@ -16,6 +17,7 @@ import (
 	"io/ioutil"
 	"log"
 	"net/http"
+	"net/http/httptest"
 	"net/netip"
 	"net/url"
 	"os"
@@ -23,7 +25,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"go4.org/mem"
@@ -41,6 +42,7 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -73,6 +75,7 @@ type Direct struct {
 	skipIPForwardingCheck  bool
 	pinger                 Pinger
 	popBrowser             func(url string) // or nil
+	c2nHandler             http.Handler     // or nil

 	mu             sync.Mutex        // mutex guards the following fields
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
@@ -108,6 +111,7 @@ type Options struct {
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
 	Dialer               *tsdial.Dialer   // non-nil
+	C2NHandler           http.Handler     // or nil

 	// GetNLPublicKey specifies an optional function to use
 	// Network Lock. If nil, it's not used.
@@ -129,6 +133,12 @@ type Options struct {
 	// MapResponse.PingRequest queries from the control plane.
 	// If nil, PingRequest queries are not answered.
 	Pinger Pinger
+
+	// GetTailscaleRoutes is a function that should return any Tailscale
+	// routes that are currently known; if any are returned, we test the IP
+	// address of the control server against these routes and use our
+	// fallback DNS server in those cases.
+	GetTailscaleRoutes func() []netip.Prefix
 }

 // Pinger is the LocalBackend.Ping method.
@@ -210,6 +220,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
 		popBrowser:             opts.PopBrowserURL,
+		c2nHandler:             opts.C2NHandler,
 		dialer:                 opts.Dialer,
 	}
 	if opts.Hostinfo == nil {
@@ -710,7 +721,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 	c.logf("[v1] PollNetMap: stream=%v ep=%v", allowStream, epStrs)

 	vlogf := logger.Discard
-	if Debug.NetMap {
+	if DevKnob.DumpNetMaps {
 		// TODO(bradfitz): update this to use "[v2]" prefix perhaps? but we don't
 		// want to upload it always.
 		vlogf = c.logf
@@ -885,7 +896,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool

 		if pr := resp.PingRequest; pr != nil && c.isUniquePingRequest(pr) {
 			metricMapResponsePings.Add(1)
-			go answerPing(c.logf, c.httpc, pr, c.pinger)
+			go c.answerPing(pr)
 		}
 		if u := resp.PopBrowserURL; u != "" && u != sess.lastPopBrowserURL {
 			sess.lastPopBrowserURL = u
@@ -939,8 +950,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			if resp.Debug.GoroutineDumpURL != "" {
 				go dumpGoroutinesToURL(c.httpc, resp.Debug.GoroutineDumpURL)
 			}
-			setControlAtomic(&controlUseDERPRoute, resp.Debug.DERPRoute)
-			setControlAtomic(&controlTrimWGConfig, resp.Debug.TrimWGConfig)
 			if sleep := time.Duration(resp.Debug.SleepSeconds * float64(time.Second)); sleep > 0 {
 				if err := sleepAsRequested(ctx, c.logf, timeoutReset, sleep); err != nil {
 					return err
@@ -954,12 +963,17 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 			return errors.New("MapResponse lacked node")
 		}

-		if Debug.StripEndpoints {
+		if d := nm.Debug; d != nil {
+			controlUseDERPRoute.Store(d.DERPRoute)
+			controlTrimWGConfig.Store(d.TrimWGConfig)
+		}
+
+		if DevKnob.StripEndpoints {
 			for _, p := range resp.Peers {
 				p.Endpoints = nil
 			}
 		}
-		if Debug.StripCaps {
+		if DevKnob.StripCaps {
 			nm.SelfNode.Capabilities = nil
 		}

@@ -1125,25 +1139,23 @@ func loadServerPubKeys(ctx context.Context, httpc *http.Client, serverURL string
 	return &out, nil
 }

-// Debug contains temporary internal-only debug knobs.
+// DevKnob contains temporary internal-only debug knobs.
 // They're unexported to not draw attention to them.
-var Debug = initDebug()
+var DevKnob = initDevKnob()

-type debug struct {
-	NetMap         bool
-	ProxyDNS       bool
-	Disco          bool
+type devKnobs struct {
+	DumpNetMaps    bool
+	ForceProxyDNS  bool
 	StripEndpoints bool // strip endpoints from control (only use disco messages)
 	StripCaps      bool // strip all local node's control-provided capabilities
 }

-func initDebug() debug {
-	return debug{
-		NetMap:         envknob.Bool("TS_DEBUG_NETMAP"),
-		ProxyDNS:       envknob.Bool("TS_DEBUG_PROXY_DNS"),
+func initDevKnob() devKnobs {
+	return devKnobs{
+		DumpNetMaps:    envknob.Bool("TS_DEBUG_NETMAP"),
+		ForceProxyDNS:  envknob.Bool("TS_DEBUG_PROXY_DNS"),
 		StripEndpoints: envknob.Bool("TS_DEBUG_STRIP_ENDPOINTS"),
 		StripCaps:      envknob.Bool("TS_DEBUG_STRIP_CAPS"),
-		Disco:          envknob.BoolDefaultTrue("TS_DEBUG_USE_DISCO"),
 	}
 }

@@ -1151,29 +1163,20 @@ var clockNow = time.Now

 // opt.Bool configs from control.
 var (
-	controlUseDERPRoute atomic.Value
-	controlTrimWGConfig atomic.Value
+	controlUseDERPRoute syncs.AtomicValue[opt.Bool]
+	controlTrimWGConfig syncs.AtomicValue[opt.Bool]
 )

-func setControlAtomic(dst *atomic.Value, v opt.Bool) {
-	old, ok := dst.Load().(opt.Bool)
-	if !ok || old != v {
-		dst.Store(v)
-	}
-}
-
 // DERPRouteFlag reports the last reported value from control for whether
 // DERP route optimization (Issue 150) should be enabled.
 func DERPRouteFlag() opt.Bool {
-	v, _ := controlUseDERPRoute.Load().(opt.Bool)
-	return v
+	return controlUseDERPRoute.Load()
 }

 // TrimWGConfig reports the last reported value from control for whether
 // we should do lazy wireguard configuration.
 func TrimWGConfig() opt.Bool {
-	v, _ := controlTrimWGConfig.Load().(opt.Bool)
-	return v
+	return controlTrimWGConfig.Load()
 }

 // ipForwardingBroken reports whether the system's IP forwarding is disabled
@@ -1211,21 +1214,39 @@ func (c *Direct) isUniquePingRequest(pr *tailcfg.PingRequest) bool {
 	return true
 }

-func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) {
+func (c *Direct) answerPing(pr *tailcfg.PingRequest) {
+	httpc := c.httpc
+	useNoise := pr.URLIsNoise || pr.Types == "c2n" && c.noiseConfigured()
+	if useNoise {
+		nc, err := c.getNoiseClient()
+		if err != nil {
+			c.logf("failed to get noise client for ping request: %v", err)
+			return
+		}
+		httpc = nc.Client
+	}
 	if pr.URL == "" {
-		logf("invalid PingRequest with no URL")
+		c.logf("invalid PingRequest with no URL")
 		return
 	}
-	if pr.Types == "" {
-		answerHeadPing(logf, c, pr)
+	switch pr.Types {
+	case "":
+		answerHeadPing(c.logf, httpc, pr)
+		return
+	case "c2n":
+		if !useNoise && !envknob.Bool("TS_DEBUG_PERMIT_HTTP_C2N") {
+			c.logf("refusing to answer c2n ping without noise")
+			return
+		}
+		answerC2NPing(c.logf, c.c2nHandler, httpc, pr)
 		return
 	}
 	for _, t := range strings.Split(pr.Types, ",") {
 		switch pt := tailcfg.PingType(t); pt {
 		case tailcfg.PingTSMP, tailcfg.PingDisco, tailcfg.PingICMP, tailcfg.PingPeerAPI:
-			go doPingerPing(logf, c, pr, pinger, pt)
+			go doPingerPing(c.logf, httpc, pr, c.pinger, pt)
 		default:
-			logf("unsupported ping request type: %q", t)
+			c.logf("unsupported ping request type: %q", t)
 		}
 	}
 }
@@ -1252,6 +1273,54 @@ func answerHeadPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	}
 }

+func answerC2NPing(logf logger.Logf, c2nHandler http.Handler, c *http.Client, pr *tailcfg.PingRequest) {
+	if c2nHandler == nil {
+		logf("answerC2NPing: c2nHandler not defined")
+		return
+	}
+	hreq, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(pr.Payload)))
+	if err != nil {
+		logf("answerC2NPing: ReadRequest: %v", err)
+		return
+	}
+	if pr.Log {
+		logf("answerC2NPing: got c2n request for %v ...", hreq.RequestURI)
+	}
+	handlerTimeout := time.Minute
+	if v := hreq.Header.Get("C2n-Handler-Timeout"); v != "" {
+		handlerTimeout, _ = time.ParseDuration(v)
+	}
+	handlerCtx, cancel := context.WithTimeout(context.Background(), handlerTimeout)
+	defer cancel()
+	hreq = hreq.WithContext(handlerCtx)
+	rec := httptest.NewRecorder()
+	c2nHandler.ServeHTTP(rec, hreq)
+	cancel()
+
+	c2nResBuf := new(bytes.Buffer)
+	rec.Result().Write(c2nResBuf)
+
+	replyCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(replyCtx, "POST", pr.URL, c2nResBuf)
+	if err != nil {
+		logf("answerC2NPing: NewRequestWithContext: %v", err)
+		return
+	}
+	if pr.Log {
+		logf("answerC2NPing: sending POST ping to %v ...", pr.URL)
+	}
+	t0 := time.Now()
+	_, err = c.Do(req)
+	d := time.Since(t0).Round(time.Millisecond)
+	if err != nil {
+		logf("answerC2NPing error: %v to %v (after %v)", err, pr.URL, d)
+	} else if pr.Log {
+		logf("answerC2NPing complete to %v (after %v)", pr.URL, d)
+	}
+}
+
 func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<- struct{}, d time.Duration) error {
 	const maxSleep = 5 * time.Minute
 	if d > maxSleep {
@@ -1328,7 +1397,7 @@ func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) er
 	if err != nil {
 		return err
 	}
-	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.serverHost, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
+	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.host, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
 	if err != nil {
 		return err
 	}
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -15,6 +15,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
+	"tailscale.com/types/opt"
 	"tailscale.com/wgengine/filter"
 )

@@ -46,6 +47,7 @@ type mapSession struct {
 	lastDomain             string
 	lastHealth             []string
 	lastPopBrowserURL      string
+	stickyDebug            tailcfg.Debug // accumulated opt.Bool values

 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -114,6 +116,28 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		ms.lastHealth = resp.Health
 	}

+	debug := resp.Debug
+	if debug != nil {
+		if debug.RandomizeClientPort {
+			debug.SetRandomizeClientPort.Set(true)
+		}
+		if debug.ForceBackgroundSTUN {
+			debug.SetForceBackgroundSTUN.Set(true)
+		}
+		copyDebugOptBools(&ms.stickyDebug, debug)
+	} else if ms.stickyDebug != (tailcfg.Debug{}) {
+		debug = new(tailcfg.Debug)
+	}
+	if debug != nil {
+		copyDebugOptBools(debug, &ms.stickyDebug)
+		if !debug.ForceBackgroundSTUN {
+			debug.ForceBackgroundSTUN, _ = ms.stickyDebug.SetForceBackgroundSTUN.Get()
+		}
+		if !debug.RandomizeClientPort {
+			debug.RandomizeClientPort, _ = ms.stickyDebug.SetRandomizeClientPort.Get()
+		}
+	}
+
 	nm := &netmap.NetworkMap{
 		NodeKey:         ms.privateNodeKey.Public(),
 		PrivateKey:      ms.privateNodeKey,
@@ -126,7 +150,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		SSHPolicy:       ms.lastSSHPolicy,
 		CollectServices: ms.collectServices,
 		DERPMap:         ms.lastDERPMap,
-		Debug:           resp.Debug,
+		Debug:           debug,
 		ControlHealth:   ms.lastHealth,
 	}
 	ms.netMapBuilding = nm
@@ -166,7 +190,7 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		}
 		ms.addUserProfile(peer.User)
 	}
-	if Debug.ProxyDNS {
+	if DevKnob.ForceProxyDNS {
 		nm.DNS.Proxied = true
 	}
 	ms.netMapBuilding = nil
@@ -286,6 +310,9 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 				if v := ec.Capabilities; v != nil {
 					n.Capabilities = *v
 				}
+				if v := ec.KeySignature; v != nil {
+					n.KeySignature = v
+				}
 			}
 		}
 	}
@@ -344,3 +371,18 @@ func filterSelfAddresses(in []netip.Prefix) (ret []netip.Prefix) {
 		return ret
 	}
 }
+
+func copyDebugOptBools(dst, src *tailcfg.Debug) {
+	copy := func(v *opt.Bool, s opt.Bool) {
+		if s != "" {
+			*v = s
+		}
+	}
+	copy(&dst.DERPRoute, src.DERPRoute)
+	copy(&dst.DisableSubnetsIfPAC, src.DisableSubnetsIfPAC)
+	copy(&dst.DisableUPnP, src.DisableUPnP)
+	copy(&dst.OneCGNATRoute, src.OneCGNATRoute)
+	copy(&dst.SetForceBackgroundSTUN, src.SetForceBackgroundSTUN)
+	copy(&dst.SetRandomizeClientPort, src.SetRandomizeClientPort)
+	copy(&dst.TrimWGConfig, src.TrimWGConfig)
+}
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -16,6 +16,8 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
+	"tailscale.com/types/opt"
+	"tailscale.com/util/must"
 )

 func TestUndeltaPeers(t *testing.T) {
@@ -207,6 +209,20 @@ func TestUndeltaPeers(t *testing.T) {
 				Key:  key.NodePublicFromRaw32(mem.B(append(make([]byte, 31), 'A'))),
 			}),
 		},
+		{
+			name: "change_key_signature",
+			prev: peers(n(1, "foo")),
+			mapRes: &tailcfg.MapResponse{
+				PeersChangedPatch: []*tailcfg.PeerChange{{
+					NodeID:       1,
+					KeySignature: []byte{3, 4},
+				}},
+			}, want: peers(&tailcfg.Node{
+				ID:           1,
+				Name:         "foo",
+				KeySignature: []byte{3, 4},
+			}),
+		},
 		{
 			name: "change_disco_key",
 			prev: peers(n(1, "foo")),
@@ -449,3 +465,152 @@ func TestNetmapForResponse(t *testing.T) {
 		}
 	})
 }
+
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
+// entirely or have their opt.Bool values unspecified between MapResponses in a
+// session and that should mean no change. (as of capver 37). But two Debug
+// fields existed prior to capver 37 that weren't opt.Bool; we test that we both
+// still accept the non-opt.Bool form from control for RandomizeClientPort and
+// ForceBackgroundSTUN and also accept the new form, keeping the old form in
+// sync.
+func TestDeltaDebug(t *testing.T) {
+	type step struct {
+		got  *tailcfg.Debug
+		want *tailcfg.Debug
+	}
+	tests := []struct {
+		name  string
+		steps []step
+	}{
+		{
+			name: "nothing-to-nothing",
+			steps: []step{
+				{nil, nil},
+				{nil, nil},
+			},
+		},
+		{
+			name: "sticky-with-old-style-randomize-client-port",
+			steps: []step{
+				{
+					&tailcfg.Debug{RandomizeClientPort: true},
+					&tailcfg.Debug{
+						RandomizeClientPort:    true,
+						SetRandomizeClientPort: "true",
+					},
+				},
+				{
+					nil, // not sent by server
+					&tailcfg.Debug{
+						RandomizeClientPort:    true,
+						SetRandomizeClientPort: "true",
+					},
+				},
+			},
+		},
+		{
+			name: "sticky-with-new-style-randomize-client-port",
+			steps: []step{
+				{
+					&tailcfg.Debug{SetRandomizeClientPort: "true"},
+					&tailcfg.Debug{
+						RandomizeClientPort:    true,
+						SetRandomizeClientPort: "true",
+					},
+				},
+				{
+					nil, // not sent by server
+					&tailcfg.Debug{
+						RandomizeClientPort:    true,
+						SetRandomizeClientPort: "true",
+					},
+				},
+			},
+		},
+		{
+			name: "opt-bool-sticky-changing-over-time",
+			steps: []step{
+				{nil, nil},
+				{nil, nil},
+				{
+					&tailcfg.Debug{OneCGNATRoute: "true"},
+					&tailcfg.Debug{OneCGNATRoute: "true"},
+				},
+				{
+					nil,
+					&tailcfg.Debug{OneCGNATRoute: "true"},
+				},
+				{
+					&tailcfg.Debug{OneCGNATRoute: "false"},
+					&tailcfg.Debug{OneCGNATRoute: "false"},
+				},
+				{
+					nil,
+					&tailcfg.Debug{OneCGNATRoute: "false"},
+				},
+			},
+		},
+		{
+			name: "legacy-ForceBackgroundSTUN",
+			steps: []step{
+				{
+					&tailcfg.Debug{ForceBackgroundSTUN: true},
+					&tailcfg.Debug{ForceBackgroundSTUN: true, SetForceBackgroundSTUN: "true"},
+				},
+			},
+		},
+		{
+			name: "opt-bool-SetForceBackgroundSTUN",
+			steps: []step{
+				{
+					&tailcfg.Debug{SetForceBackgroundSTUN: "true"},
+					&tailcfg.Debug{ForceBackgroundSTUN: true, SetForceBackgroundSTUN: "true"},
+				},
+			},
+		},
+		{
+			name: "server-reset-to-default",
+			steps: []step{
+				{
+					&tailcfg.Debug{SetForceBackgroundSTUN: "true"},
+					&tailcfg.Debug{ForceBackgroundSTUN: true, SetForceBackgroundSTUN: "true"},
+				},
+				{
+					&tailcfg.Debug{SetForceBackgroundSTUN: "unset"},
+					&tailcfg.Debug{ForceBackgroundSTUN: false, SetForceBackgroundSTUN: "unset"},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ms := newTestMapSession(t)
+			for stepi, s := range tt.steps {
+				nm := ms.netmapForResponse(&tailcfg.MapResponse{Debug: s.got})
+				if !reflect.DeepEqual(nm.Debug, s.want) {
+					t.Errorf("unexpected result at step index %v; got: %s", stepi, must.Get(json.Marshal(nm.Debug)))
+				}
+			}
+		})
+	}
+}
+
+// Verifies that copyDebugOptBools doesn't missing any opt.Bools.
+func TestCopyDebugOptBools(t *testing.T) {
+	rt := reflect.TypeOf(tailcfg.Debug{})
+	for i := 0; i < rt.NumField(); i++ {
+		sf := rt.Field(i)
+		if sf.Type != reflect.TypeOf(opt.Bool("")) {
+			continue
+		}
+		var src, dst tailcfg.Debug
+		reflect.ValueOf(&src).Elem().Field(i).Set(reflect.ValueOf(opt.Bool("true")))
+		if src == (tailcfg.Debug{}) {
+			t.Fatalf("failed to set field %v", sf.Name)
+		}
+		copyDebugOptBools(&dst, &src)
+		if src != dst {
+			t.Fatalf("copyDebugOptBools didn't copy field %v", sf.Name)
+		}
+	}
+}
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -7,7 +7,6 @@ package controlclient
 import (
 	"context"
 	"crypto/tls"
-	"fmt"
 	"math"
 	"net"
 	"net/http"
@@ -50,7 +49,9 @@ type noiseClient struct {
 	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
-	serverHost   string // the host:port part of serverURL
+	host         string // the host part of serverURL
+	httpPort     string // the default port to call
+	httpsPort    string // the fallback Noise-over-https port

 	// mu only protects the following variables.
 	mu       sync.Mutex
@@ -65,18 +66,28 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 	if err != nil {
 		return nil, err
 	}
-	var host string
+	var httpPort string
+	var httpsPort string
 	if u.Port() != "" {
-		// If there is an explicit port specified use it.
-		host = u.Host
+		// If there is an explicit port specified, trust the scheme and hope for the best
+		if u.Scheme == "http" {
+			httpPort = u.Port()
+			httpsPort = "443"
+		} else {
+			httpPort = "80"
+			httpsPort = u.Port()
+		}
 	} else {
-		// Otherwise, controlhttp.Dial expects an http endpoint.
-		host = fmt.Sprintf("%v:80", u.Hostname())
+		// Otherwise, use the standard ports
+		httpPort = "80"
+		httpsPort = "443"
 	}
 	np := &noiseClient{
 		serverPubKey: serverPubKey,
 		privKey:      priKey,
-		serverHost:   host,
+		host:         u.Hostname(),
+		httpPort:     httpPort,
+		httpsPort:    httpsPort,
 		dialer:       dialer,
 	}

@@ -154,7 +165,7 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
+	conn, err := controlhttp.Dial(ctx, nc.host, nc.httpPort, nc.httpsPort, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
 	if err != nil {
 		return nil, err
 	}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -43,24 +43,20 @@ import (
 	"tailscale.com/types/key"
 )

-// Dial connects to the HTTP server at addr, requests to switch to the
+// Dial connects to the HTTP server at host:httpPort, requests to switch to the
 // Tailscale control protocol, and returns an established control
 // protocol connection.
 //
 // If Dial fails to connect using addr, it also tries to tunnel over
-// TLS to <addr's host>:443 as a compatibility fallback.
+// TLS to host:httpsPort as a compatibility fallback.
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
-	host, port, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, err
-	}
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
 	a := &dialParams{
 		host:       host,
-		httpPort:   port,
-		httpsPort:  "443",
+		httpPort:   httpPort,
+		httpsPort:  httpsPort,
 		machineKey: machineKey,
 		controlKey: controlKey,
 		version:    protocolVersion,
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -18,25 +18,20 @@ import (

 // Variant of Dial that tunnels the request over WebSockets, since we cannot do
 // bi-directional communication over an HTTP connection when in JS.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+func Dial(ctx context.Context, host string, httpPort string, httpsPort string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
 	init, cont, err := controlbase.ClientDeferred(machineKey, controlKey, protocolVersion)
 	if err != nil {
 		return nil, err
 	}

-	host, _, err := net.SplitHostPort(addr)
-	if err != nil {
-		return nil, err
-	}
 	wsScheme := "wss"
-	wsHost := host
 	if host == "localhost" {
 		wsScheme = "ws"
-		wsHost = addr
+		host = net.JoinHostPort(host, httpPort)
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,
-		Host:   wsHost,
+		Host:   host,
 		Path:   serverUpgradePath,
 		// Can't set HTTP headers on the websocket request, so we have to to send
 		// the handshake via an HTTP header.
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -7,12 +7,13 @@
 package controlknobs

 import (
+	"sync/atomic"
+
 	"tailscale.com/envknob"
-	"tailscale.com/syncs"
 )

 // disableUPnP indicates whether to attempt UPnP mapping.
-var disableUPnP syncs.AtomicBool
+var disableUPnP atomic.Bool

 func init() {
 	SetDisableUPnP(envknob.Bool("TS_DISABLE_UPNP"))
@@ -21,11 +22,11 @@ func init() {
 // DisableUPnP reports the last reported value from control
 // whether UPnP portmapping should be disabled.
 func DisableUPnP() bool {
-	return disableUPnP.Get()
+	return disableUPnP.Load()
 }

 // SetDisableUPnP sets whether control says that UPnP should be
 // disabled.
 func SetDisableUPnP(v bool) {
-	disableUPnP.Set(v)
+	disableUPnP.Store(v)
 }
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -13,11 +13,11 @@ import (
 	"io"
 	"net/netip"
 	"sync"
-	"sync/atomic"
 	"time"

 	"go4.org/mem"
 	"golang.org/x/time/rate"
+	"tailscale.com/syncs"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -39,8 +39,8 @@ type Client struct {
 	rate *rate.Limiter // if non-nil, rate limiter to use

 	// Owned by Recv:
-	peeked  int          // bytes to discard on next Recv
-	readErr atomic.Value // of error; sticky (set by Recv)
+	peeked  int                      // bytes to discard on next Recv
+	readErr syncs.AtomicValue[error] // sticky (set by Recv)
 }

 // ClientOpt is an option passed to NewClient.
@@ -445,7 +445,7 @@ func (c *Client) Recv() (m ReceivedMessage, err error) {
 }

 func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err error) {
-	readErr, _ := c.readErr.Load().(error)
+	readErr := c.readErr.Load()
 	if readErr != nil {
 		return nil, readErr
 	}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -41,7 +41,6 @@ import (
 	"tailscale.com/disco"
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
-	"tailscale.com/syncs"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/pad32"
@@ -232,7 +231,7 @@ type dupClientSet struct {
 }

 func (s *dupClientSet) ActiveClient() *sclient {
-	if s.last != nil && !s.last.isDisabled.Get() {
+	if s.last != nil && !s.last.isDisabled.Load() {
 		return s.last
 	}
 	return nil
@@ -499,8 +498,8 @@ func (s *Server) registerClient(c *sclient) {
 		s.dupClientConns.Add(2) // both old and new count
 		s.dupClientConnTotal.Add(1)
 		old := set.ActiveClient()
-		old.isDup.Set(true)
-		c.isDup.Set(true)
+		old.isDup.Store(true)
+		c.isDup.Store(true)
 		s.clients[c.key] = &dupClientSet{
 			last: c,
 			set: map[*sclient]bool{
@@ -512,7 +511,7 @@ func (s *Server) registerClient(c *sclient) {
 	case *dupClientSet:
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
-		c.isDup.Set(true)
+		c.isDup.Store(true)
 		set.set[c] = true
 		set.last = c
 		set.sendHistory = append(set.sendHistory, c)
@@ -571,8 +570,8 @@ func (s *Server) unregisterClient(c *sclient) {
 			if remain == nil {
 				panic("unexpected nil remain from single element dup set")
 			}
-			remain.isDisabled.Set(false)
-			remain.isDup.Set(false)
+			remain.isDisabled.Store(false)
+			remain.isDup.Store(false)
 			s.clients[c.key] = singleClient{remain}
 		}
 	}
@@ -1073,11 +1072,11 @@ func (s *Server) sendServerKey(lw *lazyBufioWriter) error {
 }

 func (s *Server) noteClientActivity(c *sclient) {
-	if !c.isDup.Get() {
+	if !c.isDup.Load() {
 		// Fast path for clients that aren't in a dup set.
 		return
 	}
-	if c.isDisabled.Get() {
+	if c.isDisabled.Load() {
 		// If they're already disabled, no point checking more.
 		return
 	}
@@ -1112,7 +1111,7 @@ func (s *Server) noteClientActivity(c *sclient) {
 		for _, prior := range ds.sendHistory {
 			if prior == c {
 				ds.ForeachClient(func(c *sclient) {
-					c.isDisabled.Set(true)
+					c.isDisabled.Store(true)
 				})
 				break
 			}
@@ -1253,8 +1252,8 @@ type sclient struct {
 	peerGone       chan key.NodePublic // write request that a previous sender has disconnected (not used by mesh peers)
 	meshUpdate     chan struct{}       // write request to write peerStateChange
 	canMesh        bool                // clientInfo had correct mesh token for inter-region routing
-	isDup          syncs.AtomicBool    // whether more than 1 sclient for key is connected
-	isDisabled     syncs.AtomicBool    // whether sends to this peer are disabled due to active/active dups
+	isDup          atomic.Bool         // whether more than 1 sclient for key is connected
+	isDisabled     atomic.Bool         // whether sends to this peer are disabled due to active/active dups

 	// replaceLimiter controls how quickly two connections with
 	// the same client key can kick each other off the server by
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -958,10 +958,10 @@ func TestServerDupClients(t *testing.T) {
 				t.Error("wrong single client")
 				return
 			}
-			if want.isDup.Get() {
+			if want.isDup.Load() {
 				t.Errorf("unexpected isDup on singleClient")
 			}
-			if want.isDisabled.Get() {
+			if want.isDisabled.Load() {
 				t.Errorf("unexpected isDisabled on singleClient")
 			}
 		case nil:
@@ -1004,13 +1004,13 @@ func TestServerDupClients(t *testing.T) {
 	}
 	checkDup := func(t *testing.T, c *sclient, want bool) {
 		t.Helper()
-		if got := c.isDup.Get(); got != want {
+		if got := c.isDup.Load(); got != want {
 			t.Errorf("client %q isDup = %v; want %v", clientName[c], got, want)
 		}
 	}
 	checkDisabled := func(t *testing.T, c *sclient, want bool) {
 		t.Helper()
-		if got := c.isDisabled.Get(); got != want {
+		if got := c.isDisabled.Load(); got != want {
 			t.Errorf("client %q isDisabled = %v; want %v", clientName[c], got, want)
 		}
 	}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -27,7 +27,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"

 	"go4.org/mem"
@@ -37,6 +36,7 @@ import (
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -69,7 +69,7 @@ type Client struct {
 	// by SetAddressFamilySelector. It's an atomic because it needs
 	// to be accessed by multiple racing routines started while
 	// Client.conn holds mu.
-	addrFamSelAtomic atomic.Value // of AddressFamilySelector
+	addrFamSelAtomic syncs.AtomicValue[AddressFamilySelector]

 	mu           sync.Mutex
 	preferred    bool
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -18,7 +18,7 @@ spec:
    command: ["/bin/sh"]
    args:
      - -c
-      - sysctl -w net.ipv4.ip_forward=1
+      - sysctl -w net.ipv4.ip_forward=1 -w net.ipv6.conf.all.forwarding=1
    resources:
      requests:
        cpu: 1m
--- a/go.mod
+++ b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/creack/pty v1.1.17
 	github.com/dave/jennifer v1.4.1
-	github.com/evanw/esbuild v0.14.39
+	github.com/evanw/esbuild v0.14.53
 	github.com/frankban/quicktest v1.14.0
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/go-ole/go-ole v1.2.6
@@ -51,7 +51,7 @@ require (
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	github.com/u-root/u-root v0.8.0
+	github.com/u-root/u-root v0.9.0
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
 	go4.org/mem v0.0.0-20210711025021-927187094b94
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
@@ -59,12 +59,12 @@ require (
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
 	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
 	golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478
-	golang.zx2c4.com/wireguard/windows v0.4.10
+	golang.zx2c4.com/wireguard/windows v0.5.3
 	gvisor.dev/gvisor v0.0.0-20220801230058-850e42eb4444
 	honnef.co/go/tools v0.4.0-0.dev.0.20220404092545-59d7a2877f83
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
@@ -254,7 +254,7 @@ require (
 	github.com/timakin/bodyclose v0.0.0-20210704033933-f49887972144 // indirect
 	github.com/tomarrell/wrapcheck/v2 v2.4.0 // indirect
 	github.com/tommy-muehle/go-mnd/v2 v2.4.0 // indirect
-	github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 // indirect
+	github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 // indirect
 	github.com/ulikunitz/xz v0.5.10 // indirect
 	github.com/ultraware/funlen v0.0.3 // indirect
 	github.com/ultraware/whitespace v0.0.4 // indirect
@@ -266,7 +266,7 @@ require (
 	github.com/yeya24/promlinter v0.1.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/protobuf v1.28.0 // indirect
 	gopkg.in/ini.v1 v1.66.2 // indirect
--- a/go.sum
+++ b/go.sum
@@ -278,8 +278,8 @@ github.com/esimonov/ifshort v1.0.3 h1:JD6x035opqGec5fZ0TLjXeROD2p5H7oLGn8MKfy9HT
 github.com/esimonov/ifshort v1.0.3/go.mod h1:yZqNJUrNn20K8Q9n2CrjTKYyVEmX209Hgu+M1LBpeZE=
 github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
-github.com/evanw/esbuild v0.14.39 h1:1TMZtCXOY4ctAbGY4QT9sjT203I/cQ16vXt2F9rLT58=
-github.com/evanw/esbuild v0.14.39/go.mod h1:GG+zjdi59yh3ehDn4ZWfPcATxjPDUH53iU4ZJbp7dkY=
+github.com/evanw/esbuild v0.14.53 h1:9uU73SZUmP1jRQhaC6hPm9aoqFGYlPwfk7OrhG6AhpQ=
+github.com/evanw/esbuild v0.14.53/go.mod h1:iINY06rn799hi48UqEnaQvVfZWe6W9bET78LbvN8VWk=
 github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
@@ -729,8 +729,6 @@ github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.4/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
-github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.4/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -1127,11 +1125,11 @@ github.com/tommy-muehle/go-mnd/v2 v2.4.0 h1:1t0f8Uiaq+fqKteUR4N9Umr6E99R+lDnLnq7
 github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
-github.com/u-root/u-root v0.8.0 h1:jqP7uPC2+0eRszYTrmdZ6UDyO1Dbuy0rpMo+BnPZ9cY=
-github.com/u-root/u-root v0.8.0/go.mod h1:But1FHzS4Ua4ywx6kZOaRzZTucUKIDKOPOLEKOckQ68=
+github.com/u-root/u-root v0.9.0 h1:1dpUzrE0FyKrNEjxpKFOkyveuV1f3T0Ko5CQg4gTkCg=
+github.com/u-root/u-root v0.9.0/go.mod h1:ewc9w6JF1ayZCVC9Y5wsrUiCBw3nMmPC3QItvrEwmew=
 github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
-github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7 h1:XMAtQHwKjWHIRwg+8Nj/rzUomQY1q6cM3ncA0wP8GU4=
-github.com/u-root/uio v0.0.0-20210528151154-e40b768296a7/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4 h1:hl6sK6aFgTLISijk6xIzeqnPzQcsLqqvL6vEfTPinME=
+github.com/u-root/uio v0.0.0-20220204230159-dac05f7d2cb4/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
 github.com/ugorji/go v1.1.7 h1:/68gy2h+1mWMrwZFeD1kQialdSzAb432dtpeJ42ovdo=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
@@ -1352,7 +1350,6 @@ golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -1449,7 +1446,6 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1484,7 +1480,6 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1495,8 +1490,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d h1:Zu/JngovGLVi6t2J3nmAf3AoTDwuzw85YZ3b9o4yU7s=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
@@ -1509,8 +1504,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
+golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1637,11 +1633,10 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
 golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478 h1:vDy//hdR+GnROE3OdYbQKt9rdtNdHkDtONvpRwmls/0=
 golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478/go.mod h1:bVQfyl2sCM/QIIGHpWbFGfHPuDvqnCNkT6MQLTCjO/U=
-golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
-golang.zx2c4.com/wireguard/windows v0.4.10/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
+golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
+golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -38,6 +38,7 @@ func New() *tailcfg.Hostinfo {
 		Desktop:     desktop(),
 		Package:     packageTypeCached(),
 		GoArch:      runtime.GOARCH,
+		GoVersion:   runtime.Version(),
 		DeviceModel: deviceModel(),
 		Cloud:       string(cloudenv.Get()),
 	}
--- a/hostinfo/hostinfo_linux.go
+++ b/hostinfo/hostinfo_linux.go
@@ -16,6 +16,7 @@ import (

 	"golang.org/x/sys/unix"
 	"tailscale.com/util/lineread"
+	"tailscale.com/util/strs"
 	"tailscale.com/version/distro"
 )

@@ -50,7 +51,7 @@ func linuxDeviceModel() string {

 func getQnapQtsVersion(versionInfo string) string {
 	for _, field := range strings.Fields(versionInfo) {
-		if suffix := strings.TrimPrefix(field, "QTSFW_"); suffix != field {
+		if suffix, ok := strs.CutPrefix(field, "QTSFW_"); ok {
 			return "QTS " + suffix
 		}
 	}
--- a/hostinfo/hostinfo_windows.go
+++ b/hostinfo/hostinfo_windows.go
@@ -8,10 +8,10 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"sync/atomic"

 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/registry"
+	"tailscale.com/syncs"
 	"tailscale.com/util/winutil"
 )

@@ -20,10 +20,10 @@ func init() {
 	packageType = packageTypeWindows
 }

-var winVerCache atomic.Value // of string
+var winVerCache syncs.AtomicValue[string]

 func osVersionWindows() string {
-	if s, ok := winVerCache.Load().(string); ok {
+	if s, ok := winVerCache.LoadOk(); ok {
 		return s
 	}
 	major, minor, build := windows.RtlGetNtVersionNumbers()
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -0,0 +1,21 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnlocal
+
+import (
+	"io"
+	"net/http"
+)
+
+func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
+	switch r.URL.Path {
+	case "/echo":
+		// Test handler.
+		body, _ := io.ReadAll(r.Body)
+		w.Write(body)
+	default:
+		http.Error(w, "unknown c2n path", http.StatusBadRequest)
+	}
+}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -127,11 +127,12 @@ type LocalBackend struct {
 	serverURL             string           // tailcontrol URL
 	newDecompressor       func() (controlclient.Decompressor, error)
 	varRoot               string // or empty if SetVarRoot never called
-	sshAtomicBool         syncs.AtomicBool
+	sshAtomicBool         atomic.Bool
 	shutdownCalled        bool // if Shutdown has been called

-	filterAtomic            atomic.Value // of *filter.Filter
-	containsViaIPFuncAtomic atomic.Value // of func(netip.Addr) bool
+	filterAtomic            atomic.Pointer[filter.Filter]
+	containsViaIPFuncAtomic syncs.AtomicValue[func(netip.Addr) bool]
+	tailscaleRoutesAtomic   syncs.AtomicValue[[]netip.Prefix]

 	// The mutex protects the following elements.
 	mu             sync.Mutex
@@ -148,7 +149,7 @@ type LocalBackend struct {
 	inServerMode   bool
 	machinePrivKey key.MachinePrivate
 	nlPrivKey      key.NLPrivate
-	tka            *tka.Authority
+	tka            *tkaState
 	state          ipn.State
 	capFileSharing bool // whether netMap contains the file sharing capability
 	// hostinfo is mutated in-place while mu is held.
@@ -577,8 +578,8 @@ func (b *LocalBackend) PeerCaps(src netip.Addr) []string {
 	if b.netMap == nil {
 		return nil
 	}
-	filt, ok := b.filterAtomic.Load().(*filter.Filter)
-	if !ok {
+	filt := b.filterAtomic.Load()
+	if filt == nil {
 		return nil
 	}
 	for _, a := range b.netMap.Addresses {
@@ -884,6 +885,10 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 	return b.ccGen
 }

+func (b *LocalBackend) getTailscaleRoutes() []netip.Prefix {
+	return b.tailscaleRoutesAtomic.Load()
+}
+
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
@@ -955,6 +960,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	hostinfo := hostinfo.New()
 	hostinfo.BackendLogID = b.backendLogID
 	hostinfo.FrontendLogID = opts.FrontendLogID
+	hostinfo.Userspace.Set(wgengine.IsNetstack(b.e))
+	hostinfo.UserspaceRouter.Set(wgengine.IsNetstackRouter(b.e))

 	if b.cc != nil {
 		// TODO(apenwarr): avoid the need to reinit controlclient.
@@ -1039,10 +1046,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		})
 	}

-	var discoPublic key.DiscoPublic
-	if controlclient.Debug.Disco {
-		discoPublic = b.e.DiscoPublicKey()
-	}
+	discoPublic := b.e.DiscoPublicKey()

 	var err error
 	if persistv == nil {
@@ -1078,6 +1082,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		PopBrowserURL:        b.tellClientToBrowseToURL,
 		Dialer:               b.Dialer(),
 		Status:               b.setClientStatus,
+		C2NHandler:           http.HandlerFunc(b.handleC2N),
+		GetTailscaleRoutes:   b.getTailscaleRoutes,

 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -1183,7 +1189,15 @@ func (b *LocalBackend) updateFilterLocked(netMap *netmap.NetworkMap, prefs *ipn.
 		sshPol = *netMap.SSHPolicy
 	}

-	changed := deephash.Update(&b.filterHash, haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp, sshPol)
+	changed := deephash.Update(&b.filterHash, &struct {
+		HaveNetmap  bool
+		Addrs       []netip.Prefix
+		FilterMatch []filter.Match
+		LocalNets   []netipx.IPRange
+		LogNets     []netipx.IPRange
+		ShieldsUp   bool
+		SSHPolicy   tailcfg.SSHPolicy
+	}{haveNetmap, addrs, packetFilter, localNets.Ranges(), logNets.Ranges(), shieldsUp, sshPol})
 	if !changed {
 		return
 	}
@@ -1501,17 +1515,17 @@ func (b *LocalBackend) tellClientToBrowseToURL(url string) {
 var panicOnMachineKeyGeneration = envknob.Bool("TS_DEBUG_PANIC_MACHINE_KEY")

 func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
-	var cache atomic.Value
+	var cache syncs.AtomicValue[key.MachinePrivate]
 	return func() (key.MachinePrivate, error) {
 		if panicOnMachineKeyGeneration {
 			panic("machine key generated")
 		}
-		if v, ok := cache.Load().(key.MachinePrivate); ok {
+		if v, ok := cache.LoadOk(); ok {
 			return v, nil
 		}
 		b.mu.Lock()
 		defer b.mu.Unlock()
-		if v, ok := cache.Load().(key.MachinePrivate); ok {
+		if v, ok := cache.LoadOk(); ok {
 			return v, nil
 		}
 		if err := b.initMachineKeyLocked(); err != nil {
@@ -1523,11 +1537,11 @@ func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePriva
 }

 func (b *LocalBackend) createGetNLPublicKeyFunc() func() (key.NLPublic, error) {
-	var cache atomic.Value
+	var cache syncs.AtomicValue[key.NLPublic]
 	return func() (key.NLPublic, error) {
 		b.mu.Lock()
 		defer b.mu.Unlock()
-		if v, ok := cache.Load().(key.NLPublic); ok {
+		if v, ok := cache.LoadOk(); ok {
 			return v, nil
 		}

@@ -1740,7 +1754,7 @@ func (b *LocalBackend) loadStateLocked(key ipn.StateKey, prefs *ipn.Prefs) (err
 // setAtomicValuesFromPrefs populates sshAtomicBool and containsViaIPFuncAtomic
 // from the prefs p, which may be nil.
 func (b *LocalBackend) setAtomicValuesFromPrefs(p *ipn.Prefs) {
-	b.sshAtomicBool.Set(p != nil && p.RunSSH && canSSH)
+	b.sshAtomicBool.Store(p != nil && p.RunSSH && canSSH)

 	if p == nil {
 		b.containsViaIPFuncAtomic.Store(tsaddr.NewContainsIPFunc(nil))
@@ -2307,6 +2321,7 @@ func (b *LocalBackend) authReconfig() {
 	}
 	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", prefs.RouteAll, prefs.CorpDNS, flags, err)

+	b.tailscaleRoutesAtomic.Store(rcfg.Routes)
 	b.initPeerAPIListener()
 }

@@ -2502,8 +2517,11 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 // used for locked tailnets.
 //
 // It should only be called before the LocalBackend is used.
-func (b *LocalBackend) SetTailnetKeyAuthority(a *tka.Authority) {
-	b.tka = a
+func (b *LocalBackend) SetTailnetKeyAuthority(a *tka.Authority, storage *tka.FS) {
+	b.tka = &tkaState{
+		authority: a,
+		storage:   storage,
+	}
 }

 // SetVarRoot sets the root directory of Tailscale's writable
@@ -2525,8 +2543,7 @@ func (b *LocalBackend) TailscaleVarRoot() string {
 	}
 	switch runtime.GOOS {
 	case "ios", "android", "darwin":
-		dir, _ := paths.AppSharedDir.Load().(string)
-		return dir
+		return paths.AppSharedDir.Load()
 	}
 	return ""
 }
@@ -2793,14 +2810,12 @@ func (b *LocalBackend) routerConfig(cfg *wgcfg.Config, prefs *ipn.Prefs, oneCGNA
 			rs.LocalRoutes = internalIPs // unconditionally allow access to guest VM networks
 			if prefs.ExitNodeAllowLANAccess {
 				rs.LocalRoutes = append(rs.LocalRoutes, externalIPs...)
-				if len(externalIPs) != 0 {
-					b.logf("allowing exit node access to internal IPs: %v", internalIPs)
-				}
 			} else {
 				// Explicitly add routes to the local network so that we do not
 				// leak any traffic.
 				rs.Routes = append(rs.Routes, externalIPs...)
 			}
+			b.logf("allowing exit node access to local IPs: %v", rs.LocalRoutes)
 		}
 	}

@@ -3053,13 +3068,13 @@ func (b *LocalBackend) ResetForClientDisconnect() {
 	b.setAtomicValuesFromPrefs(nil)
 }

-func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Get() && canSSH }
+func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && canSSH }

 // ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
 // by Tailscale.
 func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
-	if f, ok := b.containsViaIPFuncAtomic.Load().(func(netip.Addr) bool); ok {
+	if f, ok := b.containsViaIPFuncAtomic.LoadOk(); ok {
 		return f(ip)
 	}
 	return false
@@ -3285,7 +3300,7 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if p.User != nm.User || !slices.Contains(p.Capabilities, tailcfg.CapabilityFileSharingTarget) {
+		if p.User != nm.User && !slices.Contains(p.Capabilities, tailcfg.CapabilityFileSharingTarget) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -0,0 +1,239 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipnlocal
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"tailscale.com/envknob"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/logtail/backoff"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tka"
+	"tailscale.com/types/key"
+	"tailscale.com/types/netmap"
+	"tailscale.com/types/tkatype"
+)
+
+var networkLockAvailable = envknob.Bool("TS_EXPERIMENTAL_NETWORK_LOCK")
+
+type tkaState struct {
+	authority *tka.Authority
+	storage   *tka.FS
+}
+
+// CanSupportNetworkLock returns true if tailscaled is able to operate
+// a local tailnet key authority (and hence enforce network lock).
+func (b *LocalBackend) CanSupportNetworkLock() bool {
+	if b.tka != nil {
+		// The TKA is being used, so yeah its supported.
+		return true
+	}
+
+	if b.TailscaleVarRoot() != "" {
+		// Theres a var root (aka --statedir), so if network lock gets
+		// initialized we have somewhere to store our AUMs. Thats all
+		// we need.
+		return true
+	}
+	return false
+}
+
+// NetworkLockStatus returns a structure describing the state of the
+// tailnet key authority, if any.
+func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
+	if b.tka == nil {
+		return &ipnstate.NetworkLockStatus{
+			Enabled:   false,
+			PublicKey: b.nlPrivKey.Public(),
+		}
+	}
+
+	var head [32]byte
+	h := b.tka.authority.Head()
+	copy(head[:], h[:])
+
+	return &ipnstate.NetworkLockStatus{
+		Enabled:   true,
+		Head:      &head,
+		PublicKey: b.nlPrivKey.Public(),
+	}
+}
+
+// NetworkLockInit enables network-lock for the tailnet, with the tailnets'
+// key authority initialized to trust the provided keys.
+//
+// Initialization involves two RPCs with control, termed 'begin' and 'finish'.
+// The Begin RPC transmits the genesis Authority Update Message, which
+// encodes the initial state of the authority, and the list of all nodes
+// needing signatures is returned as a response.
+// The Finish RPC submits signatures for all these nodes, at which point
+// Control has everything it needs to atomically enable network lock.
+func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
+	if b.tka != nil {
+		return errors.New("network-lock is already initialized")
+	}
+	if !networkLockAvailable {
+		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
+	}
+	if !b.CanSupportNetworkLock() {
+		return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
+	}
+	nm := b.NetMap()
+	if nm == nil {
+		return errors.New("no netmap: are you logged into tailscale?")
+	}
+
+	// Generates a genesis AUM representing trust in the provided keys.
+	// We use an in-memory tailchonk because we don't want to commit to
+	// the filesystem until we've finished the initialization sequence,
+	// just in case something goes wrong.
+	_, genesisAUM, err := tka.Create(&tka.Mem{}, tka.State{
+		Keys: keys,
+		// TODO(tom): Actually plumb a real disablement value.
+		DisablementSecrets: [][]byte{bytes.Repeat([]byte{1}, 32)},
+	}, b.nlPrivKey)
+	if err != nil {
+		return fmt.Errorf("tka.Create: %v", err)
+	}
+
+	b.logf("Generated genesis AUM to initialize network lock, trusting the following keys:")
+	for i, k := range genesisAUM.State.Keys {
+		b.logf(" - key[%d] = nlpub:%x with %d votes", i, k.Public, k.Votes)
+	}
+
+	// Phase 1/2 of initialization: Transmit the genesis AUM to Control.
+	initResp, err := b.tkaInitBegin(nm, genesisAUM)
+	if err != nil {
+		return fmt.Errorf("tka init-begin RPC: %w", err)
+	}
+
+	// Our genesis AUM was accepted but before Control turns on enforcement of
+	// node-key signatures, we need to sign keys for all the existing nodes.
+	// If we don't get these signatures ahead of time, everyone will loose
+	// connectivity because control won't have any signatures to send which
+	// satisfy network-lock checks.
+	sigs := make(map[tailcfg.NodeID]tkatype.MarshaledSignature, len(initResp.NeedSignatures))
+	for _, nodeInfo := range initResp.NeedSignatures {
+		nks, err := signNodeKey(nodeInfo, b.nlPrivKey)
+		if err != nil {
+			return fmt.Errorf("generating signature: %v", err)
+		}
+
+		sigs[nodeInfo.NodeID] = nks.Serialize()
+	}
+
+	// Finalize enablement by transmitting signature for all nodes to Control.
+	_, err = b.tkaInitFinish(nm, sigs)
+	return err
+}
+
+func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
+	p, err := nodeInfo.NodePublic.MarshalBinary()
+	if err != nil {
+		return nil, err
+	}
+
+	sig := tka.NodeKeySignature{
+		SigKind:        tka.SigDirect,
+		KeyID:          signer.KeyID(),
+		Pubkey:         p,
+		WrappingPubkey: nodeInfo.RotationPubkey,
+	}
+	sig.Signature, err = signer.SignNKS(sig.SigHash())
+	if err != nil {
+		return nil, fmt.Errorf("signature failed: %w", err)
+	}
+	return &sig, nil
+}
+
+func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitBeginRequest{
+		NodeID:     nm.SelfNode.ID,
+		GenesisAUM: aum.Serialize(),
+	}); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	bo := backoff.NewBackoff("tka-init-begin", b.logf, 5*time.Second)
+	for {
+		if err := ctx.Err(); err != nil {
+			return nil, fmt.Errorf("ctx: %w", err)
+		}
+		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
+		if err != nil {
+			return nil, fmt.Errorf("req: %w", err)
+		}
+		res, err := b.DoNoiseRequest(req)
+		if err != nil {
+			bo.BackOff(ctx, err)
+			continue
+		}
+		if res.StatusCode != 200 {
+			body, _ := io.ReadAll(res.Body)
+			res.Body.Close()
+			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+		}
+		a := new(tailcfg.TKAInitBeginResponse)
+		err = json.NewDecoder(res.Body).Decode(a)
+		res.Body.Close()
+		if err != nil {
+			return nil, fmt.Errorf("decoding JSON: %w", err)
+		}
+
+		return a, nil
+	}
+}
+
+func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
+	var req bytes.Buffer
+	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitFinishRequest{
+		NodeID:     nm.SelfNode.ID,
+		Signatures: nks,
+	}); err != nil {
+		return nil, fmt.Errorf("encoding request: %v", err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	bo := backoff.NewBackoff("tka-init-finish", b.logf, 5*time.Second)
+	for {
+		if err := ctx.Err(); err != nil {
+			return nil, fmt.Errorf("ctx: %w", err)
+		}
+		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
+		if err != nil {
+			return nil, fmt.Errorf("req: %w", err)
+		}
+		res, err := b.DoNoiseRequest(req)
+		if err != nil {
+			bo.BackOff(ctx, err)
+			continue
+		}
+		if res.StatusCode != 200 {
+			body, _ := io.ReadAll(res.Body)
+			res.Body.Close()
+			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+		}
+		a := new(tailcfg.TKAInitFinishResponse)
+		err = json.NewDecoder(res.Body).Decode(a)
+		res.Body.Close()
+		if err != nil {
+			return nil, fmt.Errorf("decoding JSON: %w", err)
+		}
+
+		return a, nil
+	}
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .29.0
 .31.0