VERSION.txt: this is v1.26.0

Signed-off-by: Denton Gentry <dgentry@tailscale.com>

.github/workflows/cifuzz.yml

@@ -19,7 +19,7 @@ jobs:
         dry-run: false
         language: go
     - name: Upload Crash
-      uses: actions/upload-artifact@v2.3.1
+      uses: actions/upload-artifact@v3
       if: failure() && steps.build.outcome == 'success'
       with:
         name: artifacts

.github/workflows/codeql-analysis.yml

@@ -39,7 +39,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/cross-darwin.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: macOS build cmd
       env:

.github/workflows/cross-freebsd.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: FreeBSD build cmd
       env:

.github/workflows/cross-openbsd.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: OpenBSD build cmd
       env:

.github/workflows/cross-wasm.yml

@@ -0,0 +1,47 @@
+name: Wasm-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: 1.18
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v3
+
+    - name: Wasm build CLI and client modules
+      env:
+        GOOS: js
+        GOARCH: wasm
+      run: go build ./cmd/tailscale/cli ./ipn/... ./net/... ./safesocket ./types/... ./wgengine/...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-windows.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Windows build cmd
       env:

.github/workflows/depaware.yml

@@ -14,12 +14,12 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
 
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: depaware tailscaled
       run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled

.github/workflows/go-generate-without-stringer.sh

@@ -1,18 +0,0 @@
-#!/usr/bin/env sh
-#
-# This is a temporary hack to work around
-# https://github.com/golang/go/issues/51629 , wherein the stringer
-# generator doesn't work with generics.
-#
-# This script is the equivalent of `go generate ./...`, except that it
-# only runs generate on packages that don't try to use stringer.
-
-set -e
-
-find . -name '*.go' | xargs grep -l go:generate | xargs -n1 dirname | sort -u | while read dir; do
-	if ! egrep "cmd/(stringer|cloner)" $dir/*.go; then
-		set -x
-		go generate -tags=hermetic $dir
-		set +x
-	fi
-done

.github/workflows/go_generate.yml

@@ -15,23 +15,24 @@ jobs:
 
     steps:
       - name: Set up Go
-        uses: actions/setup-go@v2.1.5
+        uses: actions/setup-go@v3
         with:
           go-version: 1.18
 
       - name: Check out code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
       - name: check 'go generate' is clean
-        # The shell script invocation below is a temporary hack for
-        # https://github.com/tailscale/tailscale/issues/4194. When
-        # that issue is fixed, replace its invocation with:
-        # go generate --tags=hermetic ./...
         run: |
-          set -e
-          ./.github/workflows/go-generate-without-stringer.sh
+          if [[ "${{github.ref}}" == release-branch/* ]]
+          then
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          else
+            pkgs=$(go list ./... | grep -v dnsfallback)
+          fi
+          go generate $pkgs
           echo
           echo
           git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)

.github/workflows/license.yml

@@ -14,12 +14,12 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
 
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Run license checker
       run: ./scripts/check_license_headers.sh .

.github/workflows/linux-race.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Basic build
       run: go build ./cmd/...

.github/workflows/linux.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Basic build
       run: go build ./cmd/...

.github/workflows/linux32.yml

@@ -17,13 +17,13 @@ jobs:
     steps:
 
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
       id: go
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Basic build
       run: GOARCH=386 go build ./cmd/...

.github/workflows/staticcheck.yml

@@ -14,12 +14,12 @@ jobs:
 
     steps:
     - name: Set up Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18
 
     - name: Check out code
-      uses: actions/checkout@v1
+      uses: actions/checkout@v3
 
     - name: Run go vet
       run: go vet ./...

.github/workflows/vm.yml

@@ -16,12 +16,12 @@ jobs:
         run: echo "GOPATH=$HOME/go" >> $GITHUB_ENV
 
       - name: Set up Go
-        uses: actions/setup-go@v2.1.5
+        uses: actions/setup-go@v3
         with:
           go-version: 1.18
 
       - name: Checkout Code
-        uses: actions/checkout@v1
+        uses: actions/checkout@v3
 
       - name: Run VM tests
         run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004

.github/workflows/windows-race.yml

@@ -17,15 +17,15 @@ jobs:
     steps:
 
     - name: Install Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18.x
 
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Restore Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         # Note: unlike some other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache

.github/workflows/windows.yml

@@ -17,15 +17,15 @@ jobs:
     steps:
 
     - name: Install Go
-      uses: actions/setup-go@v2.1.5
+      uses: actions/setup-go@v3
       with:
         go-version: 1.18.x
 
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Restore Cache
-      uses: actions/cache@v2
+      uses: actions/cache@v3
       with:
         # Note: unlike some other setups, this is only grabbing the mod download
         # cache, rather than the whole mod directory, as the download cache

Makefile

@@ -8,6 +8,9 @@ usage:
 vet:
 	./tool/go vet ./...
 
+tidy:
+	./tool/go mod tidy -compat=1.17
+
 updatedeps:
 	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
 	./tool/go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale

VERSION.txt

@@ -1 +1 @@
-1.23.0
+1.26.0

api.md

@@ -22,9 +22,9 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 * **[Tailnets](#tailnet)**
   - ACLs
     - [GET tailnet ACL](#tailnet-acl-get)
-    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
-    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
+    - [POST tailnet ACL](#tailnet-acl-post)
+    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
+	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
   - [Devices](#tailnet-devices)
     - [GET tailnet devices](#tailnet-devices-get)
   - [Keys](#tailnet-keys)
@@ -42,12 +42,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
 
 ## Device
 <!-- TODO: description about what devices are -->
-Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id". 
+Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.
 
-To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network. 
+To find the deviceID of a particular device, you can use the ["GET /devices"](#getdevices) API call and generate a list of devices on your network.
 Find the device you're looking for and get the "id" field.
-This is your deviceID. 
+This is your deviceID.
 
 <a name=device-get></a>
 
@@ -60,7 +60,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 ##### Parameters
 ##### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
+Currently, supported options are:
 * `all`: returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -72,7 +72,7 @@ If more than one option is indicated, then the union is used.
 For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.
 
-##### Example 
+##### Example
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -102,10 +102,10 @@ Response
   "nodeKey":"nodekey:user1-node-key",
   "blocksIncomingConnections":false,
   "enabledRoutes":[
-    
+
   ],
   "advertisedRoutes":[
-    
+
   ],
   "clientConnectivity": {
     "endpoints":[
@@ -141,7 +141,7 @@ Response
 <a name=device-delete></a>
 
 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
-Deletes the provided device from its tailnet. 
+Deletes the provided device from its tailnet.
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.
@@ -159,7 +159,7 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 
 Response
 
-If successful, the response should be empty: 
+If successful, the response should be empty:
 ```
 < HTTP/1.1 200 OK
 ...
@@ -167,7 +167,7 @@ If successful, the response should be empty:
 * Closing connection 0
 ```
 
-If the device is not owned by your tailnet: 
+If the device is not owned by your tailnet:
 ```
 < HTTP/1.1 501 Not Implemented
 ...
@@ -317,14 +317,9 @@ Allows for updating properties on the device key.
 - Provide `false` to enable the device's key expiry. Sets the key to expire at the original expiry time prior to disabling. The key may already have expired. In that case, the device must be re-authenticated.
 - Empty value will not change the key expiry.
 
-`preauthorized`
-
-- If `true`, don't require machine authorization (if enabled on the tailnet)
-
 ```
 {
-  "keyExpiryDisabled": true,
-  "preauthorized": true
+  "keyExpiryDisabled": true
 }
 ```
 
@@ -339,8 +334,8 @@ curl 'https://api.tailscale.com/api/v2/device/11055/key' \
 The response is 2xx on success. The response body is currently an empty JSON
 object.
 
-## Tailnet 
-A tailnet is the name of your Tailscale network. 
+## Tailnet
+A tailnet is the name of your Tailscale network.
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
 
 
@@ -620,7 +615,12 @@ Response:
 
 #### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL
 
-Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.
+This endpoint works in one of two modes:
+
+1. with a request body that's a JSON array, the body is interpreted as ACL tests to run against the domain's current ACLs.
+2. with a request body that's a JSON object, the body is interpreted as a hypothetical new JSON (HuJSON) body with new ACLs, including any tests.
+
+In either case, this endpoint does not modify the ACL in any way.
 
 ##### Parameters
 
@@ -630,24 +630,39 @@ The POST body should be a JSON formatted array of ACL Tests.
 
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.
 
-##### Example
+##### Example with tests
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
   -u "tskey-yourapikey123:" \
   --data-binary '
-{
   [
     {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}
-  ]
-}'
+  ]'
+```
+
+##### Example with an ACL body
+```
+POST /api/v2/tailnet/example.com/acl/validate
+curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
+  -u "tskey-yourapikey123:" \
+  --data-binary '
+  {
+    "ACLs": [
+     { "Action": "accept", "src": ["100.105.106.107"], "dst": ["1.2.3.4:*"] },
+    ],
+    "Tests", [
+      {"src": "100.105.106.107", "allow": ["1.2.3.4:80"]}
+    ],
+  }'
 ```
 
 Response:
-If all the tests pass, the response will be empty, with an http status code of 200.
 
-Failed test error response:
-A 400 http status code and the errors in the response body.  
+The HTTP status code will be 200 if the request was well formed and there were no server errors, even in the case of failing tests or an invalid ACL. Look at the response body to determine whether there was a problem within your ACL or tests.
+
+If there's a problem, the response body will be a JSON object with a non-empty `message` property and optionally additional details in `data`:
+
 ```
 {
   "message":"test(s) failed",
@@ -660,6 +675,8 @@ A 400 http status code and the errors in the response body.
 }
 ```
 
+An empty body or a JSON object with no `message` is returned on success.
+
 <a name=tailnet-devices></a>
 
 ### Devices
@@ -667,7 +684,7 @@ A 400 http status code and the errors in the response body.
 <a name=tailnet-devices-get></a>
 
 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
-Lists the devices in a tailnet. 
+Lists the devices in a tailnet.
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.
 
@@ -676,7 +693,7 @@ Use the `fields` query parameter to explicitly indicate which fields are returne
 
 ###### Query Parameters
 `fields` - Controls which fields will be included in the returned response.
-Currently, supported options are: 
+Currently, supported options are:
 * `all`: Returns all fields in the response.
 * `default`: return all fields except:
   * `enabledRoutes`
@@ -696,7 +713,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
   -u "tskey-yourapikey123:"
 ```
 
-Response 
+Response
 ```
 {
   "devices":[
@@ -798,11 +815,15 @@ Supply the tailnet in the path.
 `capabilities` - A mapping of resources to permissible actions.
 ```
 {
-	"capabilities": {
+  "capabilities": {
     "devices": {
       "create": {
         "reusable": false,
-        "ephemeral": false
+        "ephemeral": false,
+        "preauthorized": false,
+        "tags": [
+          "tag:example"
+        ]
       }
     }
   }
@@ -822,11 +843,13 @@ The full key can no longer be retrieved by the server.
 
 ```
 echo '{
-	"capabilities": {
+  "capabilities": {
     "devices": {
       "create": {
         "reusable": false,
-        "ephemeral": false
+        "ephemeral": false,
+        "preauthorized": false,
+        "tags": [ "tag:example" ]
       }
     }
   }
@@ -842,7 +865,7 @@ Response:
 	"key":          "tskey-k123456CNTRL-abcdefghijklmnopqrstuvwxyz",
 	"created":      "2021-12-09T23:22:39Z",
 	"expires":      "2022-03-09T23:22:39Z",
-	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false, "preauthorized": false, "tags": [ "tag:example" ]}}}
 }
 ```
 
@@ -872,10 +895,22 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 Response:
 ```
 {
-	"id":           "k123456CNTRL",
-	"created":      "2021-12-09T22:13:53Z",
-	"expires":      "2022-03-09T22:13:53Z",
-	"capabilities": {"devices": {"create": {"reusable": false, "ephemeral": false}}}
+  "id": "k123456CNTRL",
+  "created": "2022-05-05T18:55:44Z",
+  "expires": "2022-08-03T18:55:44Z",
+  "capabilities": {
+    "devices": {
+      "create": {
+        "reusable": false,
+        "ephemeral": true,
+        "preauthorized": false,
+        "tags": [
+          "tag:bar",
+          "tag:foo"
+        ]
+      }
+    }
+  }
 }
 ```
 
@@ -906,13 +941,13 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>
 
 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
-Lists the DNS nameservers for a tailnet. 
+Lists the DNS nameservers for a tailnet.
 Supply the tailnet of interest in the path.
 
 ##### Parameters
 No parameters.
 
-##### Example 
+##### Example
 
 ```
 GET /api/v2/tailnet/example.com/dns/nameservers
@@ -920,7 +955,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
   -u "tskey-yourapikey123:"
 ```
 
-Response 
+Response
 ```
 {
   "dns": ["8.8.8.8"],
@@ -930,7 +965,7 @@ Response
 <a name=tailnet-dns-nameservers-post></a>
 
 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
-Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user. 
+Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).
 
@@ -944,7 +979,7 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```
 
 ##### Returns
-Returns the new list of nameservers and the status of MagicDNS. 
+Returns the new list of nameservers and the status of MagicDNS.
 
 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).
 
@@ -988,31 +1023,31 @@ Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.
 
 ##### Parameters
-No parameters. 
+No parameters.
 
 ##### Example
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
-  -u "tskey-yourapikey123:" 
+  -u "tskey-yourapikey123:"
 ```
 
 Response:
 ```
 {
-  "magicDNS":false, 
+  "magicDNS":false,
 }
 ```
 
 <a name=tailnet-dns-preferences-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet 
+#### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
-Note that MagicDNS is dependent on DNS servers. 
+Note that MagicDNS is dependent on DNS servers.
 
-If there is at least one DNS server, then MagicDNS can be enabled. 
+If there is at least one DNS server, then MagicDNS can be enabled.
 Otherwise, it returns an error.
-Note that removing all nameservers will turn off MagicDNS. 
+Note that removing all nameservers will turn off MagicDNS.
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.
 
 ##### Parameters
@@ -1043,7 +1078,7 @@ If there are no DNS servers, it returns an error message:
 }
 ```
 
-If there are DNS servers: 
+If there are DNS servers:
 ```
 {
   "magicDNS":true,
@@ -1052,8 +1087,8 @@ If there are DNS servers:
 
 <a name=tailnet-dns-searchpaths-get></a>
 
-#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet 
-Retrieves the list of search paths that is currently set for the given tailnet. 
+#### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
+Retrieves the list of search paths that is currently set for the given tailnet.
 Supply the tailnet of interest in the path.
 
 
@@ -1064,7 +1099,7 @@ No parameters.
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
-  -u "tskey-yourapikey123:" 
+  -u "tskey-yourapikey123:"
 ```
 
 Response:
@@ -1076,7 +1111,7 @@ Response:
 
 <a name=tailnet-dns-searchpaths-post></a>
 
-#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet 
+#### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.
 
 ##### Parameters

build_docker.sh

@@ -32,7 +32,7 @@ REPOS="${REPOS:-${DEFAULT_REPOS}}"
 TAGS="${TAGS:-${DEFAULT_TAGS}}"
 BASE="${BASE:-${DEFAULT_BASE}}"
 
-go run github.com/tailscale/mkctr@latest \
+go run github.com/tailscale/mkctr \
   --gopaths="\
     tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
     tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled" \
@@ -40,7 +40,9 @@ go run github.com/tailscale/mkctr@latest \
     -X tailscale.com/version.Long=${VERSION_LONG} \
     -X tailscale.com/version.Short=${VERSION_SHORT} \
     -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" \
+  --files="docs/k8s/run.sh:/tailscale/run.sh" \
   --base="${BASE}" \
   --tags="${TAGS}" \
   --repos="${REPOS}" \
-  --push="${PUSH}"
+  --push="${PUSH}" \
+  /bin/sh /tailscale/run.sh

client/tailscale/acl.go

@@ -0,0 +1,469 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"inet.af/netaddr"
+)
+
+// ACLRow defines a rule that grants access by a set of users or groups to a set of servers and ports.
+type ACLRow struct {
+	Action string   `json:"action,omitempty"` // valid values: "accept"
+	Users  []string `json:"users,omitempty"`
+	Ports  []string `json:"ports,omitempty"`
+}
+
+// ACLTest defines a test for your ACLs to prevent accidental exposure or revoking of access to key servers and ports.
+type ACLTest struct {
+	User  string   `json:"user,omitempty"`  // source
+	Allow []string `json:"allow,omitempty"` // expected destination ip:port that user can access
+	Deny  []string `json:"deny,omitempty"`  // expected destination ip:port that user cannot access
+}
+
+// ACLDetails contains all the details for an ACL.
+type ACLDetails struct {
+	Tests     []ACLTest           `json:"tests,omitempty"`
+	ACLs      []ACLRow            `json:"acls,omitempty"`
+	Groups    map[string][]string `json:"groups,omitempty"`
+	TagOwners map[string][]string `json:"tagowners,omitempty"`
+	Hosts     map[string]string   `json:"hosts,omitempty"`
+}
+
+// ACL contains an ACLDetails and metadata.
+type ACL struct {
+	ACL  ACLDetails
+	ETag string // to check with version on server
+}
+
+// ACLHuJSON contains the HuJSON string of the ACL and metadata.
+type ACLHuJSON struct {
+	ACL      string
+	Warnings []string
+	ETag     string // to check with version on server
+}
+
+// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
+// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
+// comments.
+func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ACL: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/json")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	// Otherwise, try to decode the response.
+	var aclDetails ACLDetails
+	if err = json.Unmarshal(b, &aclDetails); err != nil {
+		return nil, err
+	}
+	acl = &ACL{
+		ACL:  aclDetails,
+		ETag: resp.Header.Get("ETag"),
+	}
+	return acl, nil
+}
+
+// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
+// it as a string.
+// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
+// changes are allowing comments and trailing comments. See the following links for more info:
+// https://tailscale.com/kb/1018/acls?q=acl#tailscale-acl-policy-format
+// https://github.com/tailscale/hujson
+func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("Accept", "application/hujson")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	data := struct {
+		ACL      []byte   `json:"acl"`
+		Warnings []string `json:"warnings"`
+	}{}
+	if err := json.Unmarshal(b, &data); err != nil {
+		return nil, err
+	}
+
+	acl = &ACLHuJSON{
+		ACL:      string(data.ACL),
+		Warnings: data.Warnings,
+		ETag:     resp.Header.Get("ETag"),
+	}
+	return acl, nil
+}
+
+// ACLTestFailureSummary specifies a user for which ACL tests
+// failed and the related user-friendly error messages.
+//
+// ACLTestFailureSummary specifies the JSON format sent to the
+// JavaScript client to be rendered in the HTML.
+type ACLTestFailureSummary struct {
+	User   string   `json:"user"`
+	Errors []string `json:"errors"`
+}
+
+// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
+type ACLTestError struct {
+	ErrResponse
+	Data []ACLTestFailureSummary `json:"data"`
+}
+
+func (e ACLTestError) Error() string {
+	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
+}
+
+func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, "", err
+	}
+
+	if avoidCollisions {
+		req.Header.Set("If-Match", etag)
+	}
+	req.Header.Set("Accept", acceptHeader)
+	req.Header.Set("Content-Type", "application/hujson")
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, "", err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		// check if test error
+		var ate ACLTestError
+		if err := json.Unmarshal(b, &ate); err != nil {
+			return nil, "", err
+		}
+		ate.Status = resp.StatusCode
+		return nil, "", ate
+	}
+	return b, resp.Header.Get("ETag"), nil
+}
+
+// SetACL sends a POST request to update the ACL according to the provided ACL object. If
+// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
+// header to check if the previously obtained ACL was the latest version and that no updates
+// were missed.
+//
+// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
+// Returns error if ACL has tests that fail.
+// Returns error if there are other errors with the ACL.
+func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetACL: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
+	if err != nil {
+		return nil, err
+	}
+
+	// Otherwise, try to decode the response.
+	var aclDetails ACLDetails
+	if err = json.Unmarshal(b, &aclDetails); err != nil {
+		return nil, err
+	}
+	res = &ACL{
+		ACL:  aclDetails,
+		ETag: etag,
+	}
+	return res, nil
+}
+
+// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
+// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
+// header to check if the previously obtained ACL was the latest version and that no updates
+// were missed.
+//
+// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
+// Returns error if the HuJSON is invalid.
+// Returns error if ACL has tests that fail.
+// Returns error if there are other errors with the ACL.
+func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
+		}
+	}()
+
+	postData := []byte(acl.ACL)
+	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
+	if err != nil {
+		return nil, err
+	}
+
+	res = &ACLHuJSON{
+		ACL:  string(b),
+		ETag: etag,
+	}
+	return res, nil
+}
+
+// UserRuleMatch specifies the source users/groups/hosts that a rule targets
+// and the destination ports that they can access.
+// LineNumber is only useful for requests provided in HuJSON form.
+// While JSON requests will have LineNumber, the value is not useful.
+type UserRuleMatch struct {
+	Users      []string `json:"users"`
+	Ports      []string `json:"ports"`
+	LineNumber int      `json:"lineNumber"`
+}
+
+// ACLPreviewResponse is the response type of previewACLPostRequest
+type ACLPreviewResponse struct {
+	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
+	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
+	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
+}
+
+// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
+type ACLPreview struct {
+	Matches []UserRuleMatch `json:"matches"`
+	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
+	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
+}
+
+func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
+	if err != nil {
+		return nil, err
+	}
+
+	q := req.URL.Query()
+	q.Add("type", previewType)
+	q.Add("previewFor", previewFor)
+	req.URL.RawQuery = q.Encode()
+
+	req.Header.Set("Content-Type", "application/hujson")
+	c.setAuth(req)
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+	if err = json.Unmarshal(b, &res); err != nil {
+		return nil, err
+	}
+
+	return res, nil
+}
+
+// PreviewACLForUser determines what rules match a given ACL for a user.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		User:    b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netaddr.IPPort) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
+		}
+	}()
+	postData, err := json.Marshal(acl.ACL)
+	if err != nil {
+		return nil, err
+	}
+	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
+		}
+	}()
+	postData := []byte(acl.ACL)
+	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		User:    b.PreviewFor,
+	}, nil
+}
+
+// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
+// The ACL can be a locally modified or clean ACL obtained from server.
+//
+// Returns ACLPreview on success with matches in a slice. If there are no matches,
+// the call is still successful but Matches will be an empty slice.
+// Returns error if the provided ACL is invalid.
+func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
+		}
+	}()
+	postData := []byte(acl.ACL)
+	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ACLPreview{
+		Matches: b.Matches,
+		IPPort:  b.PreviewFor,
+	}, nil
+}
+
+// ValidateACLJSON takes in the given source and destination (in this situation,
+// it is assumed that you are checking whether the source can connect to destination)
+// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
+// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
+// no test errors occur.
+func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
+		}
+	}()
+
+	tests := []ACLTest{ACLTest{User: source, Allow: []string{dest}}}
+	postData, err := json.Marshal(tests)
+	if err != nil {
+		return nil, err
+	}
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
+	if err != nil {
+		return nil, err
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	c.setAuth(req)
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
+	}
+
+	// The test ran without fail
+	if len(b) == 0 {
+		return nil, nil
+	}
+
+	var res ACLTestError
+	// The test returned errors.
+	if err = json.Unmarshal(b, &res); err != nil {
+		// failed to unmarshal
+		return nil, err
+	}
+	return &res, nil
+}

client/tailscale/apitype/apitype.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package apitype contains types for the Tailscale local API.
+// Package apitype contains types for the Tailscale local API and control plane API.
 package apitype
 
 import "tailscale.com/tailcfg"
@@ -11,6 +11,9 @@ import "tailscale.com/tailcfg"
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
+
+	// Caps are extra capabilities that the remote Node has to this node.
+	Caps []string `json:",omitempty"`
 }
 
 // FileTarget is a node to which files can be sent, and the PeerAPI

client/tailscale/apitype/controltype.go

@@ -0,0 +1,20 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package apitype
+
+type DNSConfig struct {
+	Resolvers         []DNSResolver            `json:"resolvers"`
+	FallbackResolvers []DNSResolver            `json:"fallbackResolvers"`
+	Routes            map[string][]DNSResolver `json:"routes"`
+	Domains           []string                 `json:"domains"`
+	Nameservers       []string                 `json:"nameservers"`
+	Proxied           bool                     `json:"proxied"`
+	PerDomain         bool                     `json:",omitempty"`
+}
+
+type DNSResolver struct {
+	Addr                string   `json:"addr"`
+	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
+}

client/tailscale/devices.go

@@ -0,0 +1,262 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"tailscale.com/types/opt"
+)
+
+type GetDevicesResponse struct {
+	Devices []*Device `json:"devices"`
+}
+
+type DerpRegion struct {
+	Preferred           bool    `json:"preferred,omitempty"`
+	LatencyMilliseconds float64 `json:"latencyMs"`
+}
+
+type ClientConnectivity struct {
+	Endpoints             []string `json:"endpoints"`
+	DERP                  string   `json:"derp"`
+	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
+	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
+	DERPLatency    map[string]DerpRegion `json:"latency"`
+	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
+}
+
+type Device struct {
+	// Addresses is a list of the devices's Tailscale IP addresses.
+	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
+	Addresses []string `json:"addresses"`
+	DeviceID  string   `json:"id"`
+	User      string   `json:"user"`
+	Name      string   `json:"name"`
+	Hostname  string   `json:"hostname"`
+
+	ClientVersion     string `json:"clientVersion"`   // Empty for external devices.
+	UpdateAvailable   bool   `json:"updateAvailable"` // Empty for external devices.
+	OS                string `json:"os"`
+	Created           string `json:"created"` // Empty for external devices.
+	LastSeen          string `json:"lastSeen"`
+	KeyExpiryDisabled bool   `json:"keyExpiryDisabled"`
+	Expires           string `json:"expires"`
+	Authorized        bool   `json:"authorized"`
+	IsExternal        bool   `json:"isExternal"`
+	MachineKey        string `json:"machineKey"` // Empty for external devices.
+	NodeKey           string `json:"nodeKey"`
+
+	// BlocksIncomingConnections is configured via the device's
+	// Tailscale client preferences. This field is only reported
+	// to the API starting with Tailscale 1.3.x clients.
+	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
+
+	// The following fields are not included by default:
+
+	// EnabledRoutes are the previously-approved subnet routes
+	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
+	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
+	// AdvertisedRoutes are the subnets (both enabled and not enabled)
+	// being requested from the node.
+	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
+
+	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
+}
+
+// DeviceFieldsOpts determines which fields should be returned in the response.
+//
+// Please only use DeviceAllFields and DeviceDefaultFields.
+// Other DeviceFieldsOpts are not supported.
+//
+// TODO: Support other DeviceFieldsOpts.
+// In the future, users should be able to create their own DeviceFieldsOpts
+// as valid arguments by setting the fields they want returned to a "non-nil"
+// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
+type DeviceFieldsOpts Device
+
+func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
+	if d == DeviceDefaultFields || d == nil {
+		return "default"
+	}
+	if d == DeviceAllFields {
+		return "all"
+	}
+
+	return ""
+}
+
+var (
+	DeviceAllFields = &DeviceFieldsOpts{}
+
+	// DeviceDefaultFields specifies that the following fields are returned:
+	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
+	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
+	//   MachineKey, NodeKey, BlocksIncomingConnections.
+	DeviceDefaultFields = &DeviceFieldsOpts{}
+)
+
+// Devices retrieves the list of devices for a tailnet.
+//
+// See the Device structure for the list of fields hidden for external devices.
+// The optional fields parameter specifies which fields of the devices to return; currently
+// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
+// Other values are currently undefined.
+func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Devices: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	// Add fields.
+	fieldStr := fields.addFieldsToQueryParameter()
+	q := req.URL.Query()
+	q.Add("fields", fieldStr)
+	req.URL.RawQuery = q.Encode()
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var devices GetDevicesResponse
+	err = json.Unmarshal(b, &devices)
+	return devices.Devices, err
+}
+
+// Device retrieved the details for a specific device.
+//
+// See the Device structure for the list of fields hidden for an external device.
+// The optional fields parameter specifies which fields of the devices to return; currently
+// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
+// Other values are currently undefined.
+func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Device: %w", err)
+		}
+	}()
+	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add fields.
+	fieldStr := fields.addFieldsToQueryParameter()
+	q := req.URL.Query()
+	q.Add("fields", fieldStr)
+	req.URL.RawQuery = q.Encode()
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	err = json.Unmarshal(b, &device)
+	return device, err
+}
+
+// DeleteDevice deletes the specified device from the Client's tailnet.
+// NOTE: Only devices that belong to the Client's tailnet can be deleted.
+// Deleting external devices is not supported.
+func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+	return nil
+}
+
+// AuthorizeDevice marks a device as authorized.
+func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
+	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}
+
+// SetTags updates the ACL tags on a device.
+func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
+	params := &struct {
+		Tags []string `json:"tags"`
+	}{Tags: tags}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return err
+	}
+	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	if err != nil {
+		return err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}

client/tailscale/dns.go

@@ -0,0 +1,235 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"tailscale.com/client/tailscale/apitype"
+)
+
+// DNSNameServers is returned when retrieving the list of nameservers.
+// It is also the structure provided when setting nameservers.
+type DNSNameServers struct {
+	DNS []string `json:"dns"` // DNS name servers
+}
+
+// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
+//
+// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
+type DNSNameServersPostResponse struct {
+	DNS      []string `json:"dns"`      // DNS name servers
+	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+// DNSSearchpaths is the list of search paths for a given domain.
+type DNSSearchPaths struct {
+	SearchPaths []string `json:"searchPaths"` // DNS search paths
+}
+
+// DNSPreferences is the preferences set for a given tailnet.
+//
+// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
+// there must be at least one nameserver. When all nameservers are removed,
+// MagicDNS is disabled.
+type DNSPreferences struct {
+	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
+}
+
+func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData interface{}) ([]byte, error) {
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
+	data, err := json.Marshal(&postData)
+	if err != nil {
+		return nil, err
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req.Header.Set("Content-Type", "application/json")
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	return b, nil
+}
+
+// DNSConfig retrieves the DNSConfig settings for a domain.
+func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "config")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp apitype.DNSConfig
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
+		}
+	}()
+	var dnsResp apitype.DNSConfig
+	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return &dnsResp, err
+}
+
+// NameServers retrieves the list of nameservers set for a domain.
+func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.NameServers: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "nameservers")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSNameServers
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.DNS, err
+}
+
+// SetNameServers sets the list of nameservers for a tailnet to the list provided
+// by the user.
+//
+// It returns the new list of nameservers and the MagicDNS status in case it was
+// affected by the change. For example, removing all nameservers will turn off
+// MagicDNS.
+func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
+		}
+	}()
+	dnsReq := DNSNameServers{DNS: nameservers}
+	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// DNSPreferences retrieves the DNS preferences set for a tailnet.
+//
+// It returns the status of MagicDNS.
+func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
+	// Format return errors to be descriptive.
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "preferences")
+	if err != nil {
+		return nil, err
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SetDNSPreferences sets the DNS preferences for a tailnet.
+//
+// MagicDNS can only be enabled when there is at least one nameserver provided.
+// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
+// unless explicitly enabled by a user again.
+func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
+		}
+	}()
+	dnsReq := DNSPreferences{MagicDNS: magicDNS}
+	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
+	if err != nil {
+		return
+	}
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp, err
+}
+
+// SearchPaths retrieves the list of searchpaths set for a tailnet.
+func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
+		}
+	}()
+	b, err := c.dnsGETRequest(ctx, "searchpaths")
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp *DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}
+
+// SetSearchPaths sets the list of searchpaths for a tailnet.
+func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
+		}
+	}()
+	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
+	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
+	if err != nil {
+		return nil, err
+	}
+	var dnsResp DNSSearchPaths
+	err = json.Unmarshal(b, &dnsResp)
+	return dnsResp.SearchPaths, err
+}

client/tailscale/localclient.go

@@ -0,0 +1,711 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os/exec"
+	"runtime"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"go4.org/mem"
+	"inet.af/netaddr"
+	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/netutil"
+	"tailscale.com/paths"
+	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
+)
+
+// defaultLocalClient is the default LocalClient when using the legacy
+// package-level functions.
+var defaultLocalClient LocalClient
+
+// LocalClient is a client to Tailscale's "local API", communicating with the
+// Tailscale daemon on the local machine. Its API is not necessarily stable and
+// subject to changes between releases. Some API calls have stricter
+// compatibility guarantees, once they've been widely adopted. See method docs
+// for details.
+//
+// Its zero value is valid to use.
+//
+// Any exported fields should be set before using methods on the type
+// and not changed thereafter.
+type LocalClient struct {
+	// Dial optionally specifies an alternate func that connects to the local
+	// machine's tailscaled or equivalent. If nil, a default is used.
+	Dial func(ctx context.Context, network, addr string) (net.Conn, error)
+
+	// Socket specifies an alternate path to the local Tailscale socket.
+	// If empty, a platform-specific default is used.
+	Socket string
+
+	// UseSocketOnly, if true, tries to only connect to tailscaled via the
+	// Unix socket and not via fallback mechanisms as done on macOS when
+	// connecting to the GUI client variants.
+	UseSocketOnly bool
+
+	// tsClient does HTTP requests to the local Tailscale daemon.
+	// It's lazily initialized on first use.
+	tsClient     *http.Client
+	tsClientOnce sync.Once
+}
+
+func (lc *LocalClient) socket() string {
+	if lc.Socket != "" {
+		return lc.Socket
+	}
+	return paths.DefaultTailscaledSocket()
+}
+
+func (lc *LocalClient) dialer() func(ctx context.Context, network, addr string) (net.Conn, error) {
+	if lc.Dial != nil {
+		return lc.Dial
+	}
+	return lc.defaultDialer
+}
+
+func (lc *LocalClient) defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
+	if addr != "local-tailscaled.sock:80" {
+		return nil, fmt.Errorf("unexpected URL address %q", addr)
+	}
+	if !lc.UseSocketOnly {
+		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
+		// a TCP server on a random port, find the random port. For HTTP connections,
+		// we don't send the token. It gets added in an HTTP Basic-Auth header.
+		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
+			var d net.Dialer
+			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
+		}
+	}
+	s := safesocket.DefaultConnectionStrategy(lc.socket())
+	// The user provided a non-default tailscaled socket address.
+	// Connect only to exactly what they provided.
+	s.UseFallback(false)
+	return safesocket.Connect(s)
+}
+
+// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
+//
+// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
+//
+// The hostname must be "local-tailscaled.sock", even though it
+// doesn't actually do any DNS lookup. The actual means of connecting to and
+// authenticating to the local Tailscale daemon vary by platform.
+//
+// DoLocalRequest may mutate the request to add Authorization headers.
+func (lc *LocalClient) DoLocalRequest(req *http.Request) (*http.Response, error) {
+	lc.tsClientOnce.Do(func() {
+		lc.tsClient = &http.Client{
+			Transport: &http.Transport{
+				DialContext: lc.dialer(),
+			},
+		}
+	})
+	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
+		req.SetBasicAuth("", token)
+	}
+	return lc.tsClient.Do(req)
+}
+
+func (lc *LocalClient) doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
+	res, err := lc.DoLocalRequest(req)
+	if err == nil {
+		if server := res.Header.Get("Tailscale-Version"); server != "" && server != ipn.IPCVersion() && onVersionMismatch != nil {
+			onVersionMismatch(ipn.IPCVersion(), server)
+		}
+		if res.StatusCode == 403 {
+			all, _ := ioutil.ReadAll(res.Body)
+			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
+		}
+		return res, nil
+	}
+	if ue, ok := err.(*url.Error); ok {
+		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
+			path := req.URL.Path
+			pathPrefix, _, _ := strings.Cut(path, "?")
+			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
+		}
+	}
+	return nil, err
+}
+
+type errorJSON struct {
+	Error string
+}
+
+// AccessDeniedError is an error due to permissions.
+type AccessDeniedError struct {
+	err error
+}
+
+func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
+func (e *AccessDeniedError) Unwrap() error { return e.err }
+
+// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
+func IsAccessDeniedError(err error) bool {
+	var ae *AccessDeniedError
+	return errors.As(err, &ae)
+}
+
+// bestError returns either err, or if body contains a valid JSON
+// object of type errorJSON, its non-empty error body.
+func bestError(err error, body []byte) error {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return errors.New(j.Error)
+	}
+	return err
+}
+
+func errorMessageFromBody(body []byte) string {
+	var j errorJSON
+	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
+		return j.Error
+	}
+	return strings.TrimSpace(string(body))
+}
+
+var onVersionMismatch func(clientVer, serverVer string)
+
+// SetVersionMismatchHandler sets f as the version mismatch handler
+// to be called when the client (the current process) has a version
+// number that doesn't match the server's declared version.
+func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
+	onVersionMismatch = f
+}
+
+func (lc *LocalClient) send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
+	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
+	if err != nil {
+		return nil, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	slurp, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != wantStatus {
+		err = fmt.Errorf("%v: %s", res.Status, bytes.TrimSpace(slurp))
+		return nil, bestError(err, slurp)
+	}
+	return slurp, nil
+}
+
+func (lc *LocalClient) get200(ctx context.Context, path string) ([]byte, error) {
+	return lc.send(ctx, "GET", path, 200, nil)
+}
+
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+//
+// Deprecated: use LocalClient.WhoIs.
+func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	return defaultLocalClient.WhoIs(ctx, remoteAddr)
+}
+
+// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
+func (lc *LocalClient) WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
+	if err != nil {
+		return nil, err
+	}
+	r := new(apitype.WhoIsResponse)
+	if err := json.Unmarshal(body, r); err != nil {
+		if max := 200; len(body) > max {
+			body = append(body[:max], "..."...)
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
+	}
+	return r, nil
+}
+
+// Goroutines returns a dump of the Tailscale daemon's current goroutines.
+func (lc *LocalClient) Goroutines(ctx context.Context) ([]byte, error) {
+	return lc.get200(ctx, "/localapi/v0/goroutines")
+}
+
+// DaemonMetrics returns the Tailscale daemon's metrics in
+// the Prometheus text exposition format.
+func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
+	return lc.get200(ctx, "/localapi/v0/metrics")
+}
+
+// Profile returns a pprof profile of the Tailscale daemon.
+func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
+	var secArg string
+	if sec < 0 || sec > 300 {
+		return nil, errors.New("duration out of range")
+	}
+	if sec != 0 || pprofType == "profile" {
+		secArg = fmt.Sprint(sec)
+	}
+	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
+}
+
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(body)), nil
+}
+
+// DebugAction invokes a debug action, such as "rebind" or "restun".
+// These are development tools and subject to change or removal over time.
+func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
+	if err != nil {
+		return fmt.Errorf("error %w: %s", err, body)
+	}
+	return nil
+}
+
+// Status returns the Tailscale daemon's status.
+func Status(ctx context.Context) (*ipnstate.Status, error) {
+	return defaultLocalClient.Status(ctx)
+}
+
+// Status returns the Tailscale daemon's status.
+func (lc *LocalClient) Status(ctx context.Context) (*ipnstate.Status, error) {
+	return lc.status(ctx, "")
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return defaultLocalClient.StatusWithoutPeers(ctx)
+}
+
+// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
+func (lc *LocalClient) StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
+	return lc.status(ctx, "?peers=false")
+}
+
+func (lc *LocalClient) status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/status"+queryString)
+	if err != nil {
+		return nil, err
+	}
+	st := new(ipnstate.Status)
+	if err := json.Unmarshal(body, st); err != nil {
+		return nil, err
+	}
+	return st, nil
+}
+
+// IDToken is a request to get an OIDC ID token for an audience.
+// The token can be presented to any resource provider which offers OIDC
+// Federation.
+func (lc *LocalClient) IDToken(ctx context.Context, aud string) (*tailcfg.TokenResponse, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/id-token?aud="+url.QueryEscape(aud))
+	if err != nil {
+		return nil, err
+	}
+	tr := new(tailcfg.TokenResponse)
+	if err := json.Unmarshal(body, tr); err != nil {
+		return nil, err
+	}
+	return tr, nil
+}
+
+func (lc *LocalClient) WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/files/")
+	if err != nil {
+		return nil, err
+	}
+	var wfs []apitype.WaitingFile
+	if err := json.Unmarshal(body, &wfs); err != nil {
+		return nil, err
+	}
+	return wfs, nil
+}
+
+func (lc *LocalClient) DeleteWaitingFile(ctx context.Context, baseName string) error {
+	_, err := lc.send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
+	return err
+}
+
+func (lc *LocalClient) GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return nil, 0, err
+	}
+	if res.ContentLength == -1 {
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("unexpected chunking")
+	}
+	if res.StatusCode != 200 {
+		body, _ := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
+	}
+	return res.Body, res.ContentLength, nil
+}
+
+func (lc *LocalClient) FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/file-targets")
+	if err != nil {
+		return nil, err
+	}
+	var fts []apitype.FileTarget
+	if err := json.Unmarshal(body, &fts); err != nil {
+		return nil, fmt.Errorf("invalid JSON: %w", err)
+	}
+	return fts, nil
+}
+
+// PushFile sends Taildrop file r to target.
+//
+// A size of -1 means unknown.
+// The name parameter is the original filename, not escaped.
+func (lc *LocalClient) PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
+	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+	if err != nil {
+		return err
+	}
+	if size != -1 {
+		req.ContentLength = size
+	}
+	res, err := lc.doLocalRequestNiceError(req)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode == 200 {
+		io.Copy(io.Discard, res.Body)
+		return nil
+	}
+	all, _ := io.ReadAll(res.Body)
+	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
+}
+
+// CheckIPForwarding asks the local Tailscale daemon whether it looks like the
+// machine is properly configured to forward IP packets as a subnet router
+// or exit node.
+func (lc *LocalClient) CheckIPForwarding(ctx context.Context) error {
+	body, err := lc.get200(ctx, "/localapi/v0/check-ip-forwarding")
+	if err != nil {
+		return err
+	}
+	var jres struct {
+		Warning string
+	}
+	if err := json.Unmarshal(body, &jres); err != nil {
+		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
+	}
+	if jres.Warning != "" {
+		return errors.New(jres.Warning)
+	}
+	return nil
+}
+
+// CheckPrefs validates the provided preferences, without making any changes.
+//
+// The CLI uses this before a Start call to fail fast if the preferences won't
+// work. Currently (2022-04-18) this only checks for SSH server compatibility.
+// Note that EditPrefs does the same validation as this, so call CheckPrefs before
+// EditPrefs is not necessary.
+func (lc *LocalClient) CheckPrefs(ctx context.Context, p *ipn.Prefs) error {
+	pj, err := json.Marshal(p)
+	if err != nil {
+		return err
+	}
+	_, err = lc.send(ctx, "POST", "/localapi/v0/check-prefs", http.StatusOK, bytes.NewReader(pj))
+	return err
+}
+
+func (lc *LocalClient) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
+	body, err := lc.get200(ctx, "/localapi/v0/prefs")
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func (lc *LocalClient) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
+	mpj, err := json.Marshal(mp)
+	if err != nil {
+		return nil, err
+	}
+	body, err := lc.send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
+	if err != nil {
+		return nil, err
+	}
+	var p ipn.Prefs
+	if err := json.Unmarshal(body, &p); err != nil {
+		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
+	}
+	return &p, nil
+}
+
+func (lc *LocalClient) Logout(ctx context.Context) error {
+	_, err := lc.send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
+	return err
+}
+
+// SetDNS adds a DNS TXT record for the given domain name, containing
+// the provided TXT value. The intended use case is answering
+// LetsEncrypt/ACME dns-01 challenges.
+//
+// The control plane will only permit SetDNS requests with very
+// specific names and values. The name should be
+// "_acme-challenge." + your node's MagicDNS name. It's expected that
+// clients cache the certs from LetsEncrypt (or whichever CA is
+// providing them) and only request new ones as needed; the control plane
+// rate limits SetDNS requests.
+//
+// This is a low-level interface; it's expected that most Tailscale
+// users use a higher level interface to getting/using TLS
+// certificates.
+func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
+	v := url.Values{}
+	v.Set("name", name)
+	v.Set("value", value)
+	_, err := lc.send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
+	return err
+}
+
+// DialTCP connects to the host's port via Tailscale.
+//
+// The host may be a base DNS name (resolved from the netmap inside
+// tailscaled), a FQDN, or an IP address.
+//
+// The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
+func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
+	connCh := make(chan net.Conn, 1)
+	trace := httptrace.ClientTrace{
+		GotConn: func(info httptrace.GotConnInfo) {
+			connCh <- info.Conn
+		},
+	}
+	ctx = httptrace.WithClientTrace(ctx, &trace)
+	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/dial", nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header = http.Header{
+		"Upgrade":    []string{"ts-dial"},
+		"Connection": []string{"upgrade"},
+		"Dial-Host":  []string{host},
+		"Dial-Port":  []string{fmt.Sprint(port)},
+	}
+	res, err := lc.DoLocalRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	if res.StatusCode != http.StatusSwitchingProtocols {
+		body, _ := io.ReadAll(res.Body)
+		res.Body.Close()
+		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
+	}
+	// From here on, the underlying net.Conn is ours to use, but there
+	// is still a read buffer attached to it within resp.Body. So, we
+	// must direct I/O through resp.Body, but we can still use the
+	// underlying net.Conn for stuff like deadlines.
+	var switchedConn net.Conn
+	select {
+	case switchedConn = <-connCh:
+	default:
+	}
+	if switchedConn == nil {
+		res.Body.Close()
+		return nil, fmt.Errorf("httptrace didn't provide a connection")
+	}
+	rwc, ok := res.Body.(io.ReadWriteCloser)
+	if !ok {
+		res.Body.Close()
+		return nil, errors.New("http Transport did not provide a writable body")
+	}
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
+}
+
+// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
+// It is intended to be used with netcheck to see availability of DERPs.
+func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
+	var derpMap tailcfg.DERPMap
+	res, err := lc.send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
+	if err != nil {
+		return nil, err
+	}
+	if err = json.Unmarshal(res, &derpMap); err != nil {
+		return nil, fmt.Errorf("invalid derp map json: %w", err)
+	}
+	return &derpMap, nil
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// Deprecated: use LocalClient.CertPair.
+func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	return defaultLocalClient.CertPair(ctx, domain)
+}
+
+// CertPair returns a cert and private key for the provided DNS domain.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// API maturity: this is considered a stable API.
+func (lc *LocalClient) CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
+	res, err := lc.send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+	// with ?type=pair, the response PEM is first the one private
+	// key PEM block, then the cert PEM blocks.
+	i := mem.Index(mem.B(res), mem.S("--\n--"))
+	if i == -1 {
+		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
+	}
+	i += len("--\n")
+	keyPEM, certPEM = res[:i], res[i:]
+	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
+		return nil, nil, fmt.Errorf("unexpected output: key in cert")
+	}
+	return certPEM, keyPEM, nil
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+//
+// Deprecated: use LocalClient.GetCertificate.
+func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return defaultLocalClient.GetCertificate(hi)
+}
+
+// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
+//
+// It returns a cached certificate from disk if it's still valid.
+//
+// It's the right signature to use as the value of
+// tls.Config.GetCertificate.
+//
+// API maturity: this is considered a stable API.
+func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if hi == nil || hi.ServerName == "" {
+		return nil, errors.New("no SNI ServerName")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+
+	name := hi.ServerName
+	if !strings.Contains(name, ".") {
+		if v, ok := lc.ExpandSNIName(ctx, name); ok {
+			name = v
+		}
+	}
+	certPEM, keyPEM, err := lc.CertPair(ctx, name)
+	if err != nil {
+		return nil, err
+	}
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return nil, err
+	}
+	return &cert, nil
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+//
+// Deprecated: use LocalClient.ExpandSNIName.
+func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	return defaultLocalClient.ExpandSNIName(ctx, name)
+}
+
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
+func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
+	st, err := lc.StatusWithoutPeers(ctx)
+	if err != nil {
+		return "", false
+	}
+	for _, d := range st.CertDomains {
+		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
+			return d, true
+		}
+	}
+	return "", false
+}
+
+// Ping sends a ping of the provided type to the provided IP and waits
+// for its response.
+func (lc *LocalClient) Ping(ctx context.Context, ip netaddr.IP, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
+	v := url.Values{}
+	v.Set("ip", ip.String())
+	v.Set("type", string(pingtype))
+	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
+	if err != nil {
+		return nil, fmt.Errorf("error %w: %s", err, body)
+	}
+	pr := new(ipnstate.PingResult)
+	if err := json.Unmarshal(body, pr); err != nil {
+		return nil, err
+	}
+	return pr, nil
+}
+
+// tailscaledConnectHint gives a little thing about why tailscaled (or
+// platform equivalent) is not answering localapi connections.
+//
+// It ends in a punctuation. See caller.
+func tailscaledConnectHint() string {
+	if runtime.GOOS != "linux" {
+		// TODO(bradfitz): flesh this out
+		return "not running?"
+	}
+	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
+	if err != nil {
+		return "not running?"
+	}
+	// Parse:
+	// LoadState=loaded
+	// ActiveState=inactive
+	// SubState=dead
+	st := map[string]string{}
+	for _, line := range strings.Split(string(out), "\n") {
+		if k, v, ok := strings.Cut(line, "="); ok {
+			st[k] = strings.TrimSpace(v)
+		}
+	}
+	if st["LoadState"] == "loaded" &&
+		(st["SubState"] != "running" || st["ActiveState"] != "active") {
+		return "systemd tailscaled.service not running."
+	}
+	return "not running?"
+}

client/tailscale/routes.go

@@ -0,0 +1,98 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"inet.af/netaddr"
+)
+
+// Routes contains the lists of subnet routes that are currently advertised by a device,
+// as well as the subnets that are enabled to be routed by the device.
+type Routes struct {
+	AdvertisedRoutes []netaddr.IPPrefix `json:"advertisedRoutes"`
+	EnabledRoutes    []netaddr.IPPrefix `json:"enabledRoutes"`
+}
+
+// Routes retrieves the list of subnet routes that have been enabled for a device.
+// The routes that are returned are not necessarily advertised by the device,
+// they have only been preapproved.
+func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.Routes: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var sr Routes
+	err = json.Unmarshal(b, &sr)
+	return &sr, err
+}
+
+type postRoutesParams struct {
+	Routes []netaddr.IPPrefix `json:"routes"`
+}
+
+// SetRoutes updates the list of subnets that are enabled for a device.
+// Subnets must be parsable by inet.af/netaddr.ParseIPPrefix.
+// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
+// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
+func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netaddr.IPPrefix) (routes *Routes, err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
+		}
+	}()
+	params := &postRoutesParams{Routes: subnets}
+	data, err := json.Marshal(params)
+	if err != nil {
+		return nil, err
+	}
+	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
+	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	if err != nil {
+		return nil, err
+	}
+
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return nil, err
+	}
+	// If status code was not successful, return the error.
+	// TODO: Change the check for the StatusCode to include other 2XX success codes.
+	if resp.StatusCode != http.StatusOK {
+		return nil, handleErrorResponse(b, resp)
+	}
+
+	var srr *Routes
+	if err := json.Unmarshal(b, &srr); err != nil {
+		return nil, err
+	}
+	return srr, err
+}

client/tailscale/tailnet.go

@@ -0,0 +1,42 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.18
+// +build go1.18
+
+package tailscale
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/url"
+)
+
+// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
+func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
+	defer func() {
+		if err != nil {
+			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
+		}
+	}()
+
+	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
+	req, err := http.NewRequestWithContext(ctx, http.MethodDelete, path, nil)
+	if err != nil {
+		return err
+	}
+
+	c.setAuth(req)
+	b, resp, err := c.sendRequest(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return handleErrorResponse(b, resp)
+	}
+
+	return nil
+}

client/tailscale/tailscale.go

@@ -1,529 +1,160 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 //go:build go1.18
 // +build go1.18
 
-// Package tailscale contains Tailscale client code.
+// Package tailscale contains Go clients for the Tailscale Local API and
+// Tailscale control plane API.
+//
+// Warning: this package is in development and makes no API compatibility
+// promises as of 2022-04-29. It is subject to change at any time.
 package tailscale
 
 import (
-	"bytes"
-	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
-	"net"
 	"net/http"
-	"net/url"
-	"os/exec"
-	"runtime"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"go4.org/mem"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/paths"
-	"tailscale.com/safesocket"
-	"tailscale.com/tailcfg"
-	"tailscale.com/version"
 )
 
-var (
-	// TailscaledSocket is the tailscaled Unix socket. It's used by the TailscaledDialer.
-	TailscaledSocket = paths.DefaultTailscaledSocket()
-
-	// TailscaledSocketSetExplicitly reports whether the user explicitly set TailscaledSocket.
-	TailscaledSocketSetExplicitly bool
-
-	// TailscaledDialer is the DialContext func that connects to the local machine's
-	// tailscaled or equivalent.
-	TailscaledDialer = defaultDialer
-)
-
-func defaultDialer(ctx context.Context, network, addr string) (net.Conn, error) {
-	if addr != "local-tailscaled.sock:80" {
-		return nil, fmt.Errorf("unexpected URL address %q", addr)
-	}
-	// TODO: make this part of a safesocket.ConnectionStrategy
-	if !TailscaledSocketSetExplicitly {
-		// On macOS, when dialing from non-sandboxed program to sandboxed GUI running
-		// a TCP server on a random port, find the random port. For HTTP connections,
-		// we don't send the token. It gets added in an HTTP Basic-Auth header.
-		if port, _, err := safesocket.LocalTCPPortAndToken(); err == nil {
-			var d net.Dialer
-			return d.DialContext(ctx, "tcp", "localhost:"+strconv.Itoa(port))
-		}
-	}
-	s := safesocket.DefaultConnectionStrategy(TailscaledSocket)
-	// The user provided a non-default tailscaled socket address.
-	// Connect only to exactly what they provided.
-	s.UseFallback(false)
-	return safesocket.Connect(s)
-}
-
-var (
-	// tsClient does HTTP requests to the local Tailscale daemon.
-	// We lazily initialize the client in case the caller wants to
-	// override TailscaledDialer.
-	tsClient     *http.Client
-	tsClientOnce sync.Once
-)
-
-// DoLocalRequest makes an HTTP request to the local machine's Tailscale daemon.
+// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
+// for now. It was added 2022-04-29 when it was moved to this git repo
+// and will be removed when the public API has settled.
 //
-// URLs are of the form http://local-tailscaled.sock/localapi/v0/whois?ip=1.2.3.4.
+// TODO(bradfitz): remove this after the we're happy with the public API.
+var I_Acknowledge_This_API_Is_Unstable = false
+
+// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
+
+const defaultAPIBase = "https://api.tailscale.com"
+
+// maxSize is the maximum read size (10MB) of responses from the server.
+const maxReadSize = 10 << 20
+
+// Client makes API calls to the Tailscale control plane API server.
 //
-// The hostname must be "local-tailscaled.sock", even though it
-// doesn't actually do any DNS lookup. The actual means of connecting to and
-// authenticating to the local Tailscale daemon vary by platform.
+// Use NewClient to instantiate one. Exported fields should be set before
+// the client is used and not changed thereafter.
+type Client struct {
+	// tailnet is the globally unique identifier for a Tailscale network, such
+	// as "example.com" or "user@gmail.com".
+	tailnet string
+	// auth is the authentication method to use for this client.
+	// nil means none, which generally won't work, but won't crash.
+	auth AuthMethod
+
+	// BaseURL optionally specifies an alternate API server to use.
+	// If empty, "https://api.tailscale.com" is used.
+	BaseURL string
+
+	// HTTPClient optionally specifies an alternate HTTP client to use.
+	// If nil, http.DefaultClient is used.
+	HTTPClient *http.Client
+}
+
+func (c *Client) httpClient() *http.Client {
+	if c.HTTPClient != nil {
+		return c.HTTPClient
+	}
+	return http.DefaultClient
+}
+
+func (c *Client) baseURL() string {
+	if c.BaseURL != "" {
+		return c.BaseURL
+	}
+	return defaultAPIBase
+}
+
+// AuthMethod is the interface for API authentication methods.
 //
-// DoLocalRequest may mutate the request to add Authorization headers.
-func DoLocalRequest(req *http.Request) (*http.Response, error) {
-	tsClientOnce.Do(func() {
-		tsClient = &http.Client{
-			Transport: &http.Transport{
-				DialContext: TailscaledDialer,
-			},
-		}
-	})
-	if _, token, err := safesocket.LocalTCPPortAndToken(); err == nil {
-		req.SetBasicAuth("", token)
-	}
-	return tsClient.Do(req)
+// Most users will use AuthKey.
+type AuthMethod interface {
+	modifyRequest(req *http.Request)
 }
 
-func doLocalRequestNiceError(req *http.Request) (*http.Response, error) {
-	res, err := DoLocalRequest(req)
-	if err == nil {
-		if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
-			onVersionMismatch(version.Long, server)
-		}
-		if res.StatusCode == 403 {
-			all, _ := ioutil.ReadAll(res.Body)
-			return nil, &AccessDeniedError{errors.New(errorMessageFromBody(all))}
-		}
-		return res, nil
-	}
-	if ue, ok := err.(*url.Error); ok {
-		if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-			path := req.URL.Path
-			pathPrefix, _, _ := strings.Cut(path, "?")
-			return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-		}
-	}
-	return nil, err
+// APIKey is an AuthMethod for NewClient that authenticates requests
+// using an authkey.
+type APIKey string
+
+func (ak APIKey) modifyRequest(req *http.Request) {
+	req.SetBasicAuth(string(ak), "")
 }
 
-type errorJSON struct {
-	Error string
+func (c *Client) setAuth(r *http.Request) {
+	if c.auth != nil {
+		c.auth.modifyRequest(r)
+	}
 }
 
-// AccessDeniedError is an error due to permissions.
-type AccessDeniedError struct {
-	err error
-}
-
-func (e *AccessDeniedError) Error() string { return fmt.Sprintf("Access denied: %v", e.err) }
-func (e *AccessDeniedError) Unwrap() error { return e.err }
-
-// IsAccessDeniedError reports whether err is or wraps an AccessDeniedError.
-func IsAccessDeniedError(err error) bool {
-	var ae *AccessDeniedError
-	return errors.As(err, &ae)
-}
-
-// bestError returns either err, or if body contains a valid JSON
-// object of type errorJSON, its non-empty error body.
-func bestError(err error, body []byte) error {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return errors.New(j.Error)
-	}
-	return err
-}
-
-func errorMessageFromBody(body []byte) string {
-	var j errorJSON
-	if err := json.Unmarshal(body, &j); err == nil && j.Error != "" {
-		return j.Error
-	}
-	return strings.TrimSpace(string(body))
-}
-
-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
-func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
-	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
-	if err != nil {
-		return nil, err
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, err
-	}
-	defer res.Body.Close()
-	slurp, err := ioutil.ReadAll(res.Body)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != wantStatus {
-		return nil, bestError(err, slurp)
-	}
-	return slurp, nil
-}
-
-func get200(ctx context.Context, path string) ([]byte, error) {
-	return send(ctx, "GET", path, 200, nil)
-}
-
-// WhoIs returns the owner of the remoteAddr, which must be an IP or IP:port.
-func WhoIs(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error) {
-	body, err := get200(ctx, "/localapi/v0/whois?addr="+url.QueryEscape(remoteAddr))
-	if err != nil {
-		return nil, err
-	}
-	r := new(apitype.WhoIsResponse)
-	if err := json.Unmarshal(body, r); err != nil {
-		if max := 200; len(body) > max {
-			body = append(body[:max], "..."...)
-		}
-		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", body)
-	}
-	return r, nil
-}
-
-// Goroutines returns a dump of the Tailscale daemon's current goroutines.
-func Goroutines(ctx context.Context) ([]byte, error) {
-	return get200(ctx, "/localapi/v0/goroutines")
-}
-
-// DaemonMetrics returns the Tailscale daemon's metrics in
-// the Prometheus text exposition format.
-func DaemonMetrics(ctx context.Context) ([]byte, error) {
-	return get200(ctx, "/localapi/v0/metrics")
-}
-
-// Profile returns a pprof profile of the Tailscale daemon.
-func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
-// BugReport logs and returns a log marker that can be shared by the user with support.
-func BugReport(ctx context.Context, note string) (string, error) {
-	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
-	if err != nil {
-		return "", err
-	}
-	return strings.TrimSpace(string(body)), nil
-}
-
-// DebugAction invokes a debug action, such as "rebind" or "restun".
-// These are development tools and subject to change or removal over time.
-func DebugAction(ctx context.Context, action string) error {
-	body, err := send(ctx, "POST", "/localapi/v0/debug?action="+url.QueryEscape(action), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	return nil
-}
-
-// Status returns the Tailscale daemon's status.
-func Status(ctx context.Context) (*ipnstate.Status, error) {
-	return status(ctx, "")
-}
-
-// StatusWithoutPeers returns the Tailscale daemon's status, without the peer info.
-func StatusWithoutPeers(ctx context.Context) (*ipnstate.Status, error) {
-	return status(ctx, "?peers=false")
-}
-
-func status(ctx context.Context, queryString string) (*ipnstate.Status, error) {
-	body, err := get200(ctx, "/localapi/v0/status"+queryString)
-	if err != nil {
-		return nil, err
-	}
-	st := new(ipnstate.Status)
-	if err := json.Unmarshal(body, st); err != nil {
-		return nil, err
-	}
-	return st, nil
-}
-
-func WaitingFiles(ctx context.Context) ([]apitype.WaitingFile, error) {
-	body, err := get200(ctx, "/localapi/v0/files/")
-	if err != nil {
-		return nil, err
-	}
-	var wfs []apitype.WaitingFile
-	if err := json.Unmarshal(body, &wfs); err != nil {
-		return nil, err
-	}
-	return wfs, nil
-}
-
-func DeleteWaitingFile(ctx context.Context, baseName string) error {
-	_, err := send(ctx, "DELETE", "/localapi/v0/files/"+url.PathEscape(baseName), http.StatusNoContent, nil)
-	return err
-}
-
-func GetWaitingFile(ctx context.Context, baseName string) (rc io.ReadCloser, size int64, err error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://local-tailscaled.sock/localapi/v0/files/"+url.PathEscape(baseName), nil)
-	if err != nil {
-		return nil, 0, err
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return nil, 0, err
-	}
-	if res.ContentLength == -1 {
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("unexpected chunking")
-	}
-	if res.StatusCode != 200 {
-		body, _ := ioutil.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, 0, fmt.Errorf("HTTP %s: %s", res.Status, body)
-	}
-	return res.Body, res.ContentLength, nil
-}
-
-func FileTargets(ctx context.Context) ([]apitype.FileTarget, error) {
-	body, err := get200(ctx, "/localapi/v0/file-targets")
-	if err != nil {
-		return nil, err
-	}
-	var fts []apitype.FileTarget
-	if err := json.Unmarshal(body, &fts); err != nil {
-		return nil, fmt.Errorf("invalid JSON: %w", err)
-	}
-	return fts, nil
-}
-
-// PushFile sends Taildrop file r to target.
+// NewClient is a convenience method for instantiating a new Client.
 //
-// A size of -1 means unknown.
-// The name parameter is the original filename, not escaped.
-func PushFile(ctx context.Context, target tailcfg.StableNodeID, size int64, name string, r io.Reader) error {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://local-tailscaled.sock/localapi/v0/file-put/"+string(target)+"/"+url.PathEscape(name), r)
+// tailnet is the globally unique identifier for a Tailscale network, such
+// as "example.com" or "user@gmail.com".
+// If httpClient is nil, then http.DefaultClient is used.
+// "api.tailscale.com" is set as the BaseURL for the returned client
+// and can be changed manually by the user.
+func NewClient(tailnet string, auth AuthMethod) *Client {
+	return &Client{
+		tailnet: tailnet,
+		auth:    auth,
+	}
+}
+
+func (c *Client) Tailnet() string { return c.tailnet }
+
+// Do sends a raw HTTP request, after adding any authentication headers.
+func (c *Client) Do(req *http.Request) (*http.Response, error) {
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	return c.httpClient().Do(req)
+}
+
+// sendRequest add the authenication key to the request and sends it. It
+// receives the response and reads up to 10MB of it.
+func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
+	if !I_Acknowledge_This_API_Is_Unstable {
+		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
+	}
+	c.setAuth(req)
+	resp, err := c.httpClient().Do(req)
 	if err != nil {
+		return nil, resp, err
+	}
+	defer resp.Body.Close()
+
+	// Read response. Limit the response to 10MB.
+	body := io.LimitReader(resp.Body, maxReadSize+1)
+	b, err := ioutil.ReadAll(body)
+	if len(b) > maxReadSize {
+		err = errors.New("API response too large")
+	}
+	return b, resp, err
+}
+
+// ErrResponse is the HTTP error returned by the Tailscale server.
+type ErrResponse struct {
+	Status  int
+	Message string
+}
+
+func (e ErrResponse) Error() string {
+	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
+}
+
+// handleErrorResponse decodes the error message from the server and returns
+// an ErrResponse from it.
+func handleErrorResponse(b []byte, resp *http.Response) error {
+	var errResp ErrResponse
+	if err := json.Unmarshal(b, &errResp); err != nil {
 		return err
 	}
-	if size != -1 {
-		req.ContentLength = size
-	}
-	res, err := doLocalRequestNiceError(req)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode == 200 {
-		io.Copy(io.Discard, res.Body)
-		return nil
-	}
-	all, _ := io.ReadAll(res.Body)
-	return bestError(fmt.Errorf("%s: %s", res.Status, all), all)
-}
-
-func CheckIPForwarding(ctx context.Context) error {
-	body, err := get200(ctx, "/localapi/v0/check-ip-forwarding")
-	if err != nil {
-		return err
-	}
-	var jres struct {
-		Warning string
-	}
-	if err := json.Unmarshal(body, &jres); err != nil {
-		return fmt.Errorf("invalid JSON from check-ip-forwarding: %w", err)
-	}
-	if jres.Warning != "" {
-		return errors.New(jres.Warning)
-	}
-	return nil
-}
-
-func GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
-	body, err := get200(ctx, "/localapi/v0/prefs")
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
-	mpj, err := json.Marshal(mp)
-	if err != nil {
-		return nil, err
-	}
-	body, err := send(ctx, "PATCH", "/localapi/v0/prefs", http.StatusOK, bytes.NewReader(mpj))
-	if err != nil {
-		return nil, err
-	}
-	var p ipn.Prefs
-	if err := json.Unmarshal(body, &p); err != nil {
-		return nil, fmt.Errorf("invalid prefs JSON: %w", err)
-	}
-	return &p, nil
-}
-
-func Logout(ctx context.Context) error {
-	_, err := send(ctx, "POST", "/localapi/v0/logout", http.StatusNoContent, nil)
-	return err
-}
-
-// SetDNS adds a DNS TXT record for the given domain name, containing
-// the provided TXT value. The intended use case is answering
-// LetsEncrypt/ACME dns-01 challenges.
-//
-// The control plane will only permit SetDNS requests with very
-// specific names and values. The name should be
-// "_acme-challenge." + your node's MagicDNS name. It's expected that
-// clients cache the certs from LetsEncrypt (or whichever CA is
-// providing them) and only request new ones as needed; the control plane
-// rate limits SetDNS requests.
-//
-// This is a low-level interface; it's expected that most Tailscale
-// users use a higher level interface to getting/using TLS
-// certificates.
-func SetDNS(ctx context.Context, name, value string) error {
-	v := url.Values{}
-	v.Set("name", name)
-	v.Set("value", value)
-	_, err := send(ctx, "POST", "/localapi/v0/set-dns?"+v.Encode(), 200, nil)
-	return err
-}
-
-// CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
-// It is intended to be used with netcheck to see availability of DERPs.
-func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
-	var derpMap tailcfg.DERPMap
-	res, err := send(ctx, "GET", "/localapi/v0/derpmap", 200, nil)
-	if err != nil {
-		return nil, err
-	}
-	if err = json.Unmarshal(res, &derpMap); err != nil {
-		return nil, fmt.Errorf("invalid derp map json: %w", err)
-	}
-	return &derpMap, nil
-}
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if k, v, ok := strings.Cut(line, "="); ok {
-			st[k] = strings.TrimSpace(v)
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
+	errResp.Status = resp.StatusCode
+	return errResp
 }

cmd/cloner/cloner.go

@@ -22,13 +22,11 @@ import (
 	"os"
 	"strings"
 
-	"golang.org/x/tools/go/packages"
 	"tailscale.com/util/codegen"
 )
 
 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
-	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
 	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
@@ -43,30 +41,18 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")
 
-	cfg := &packages.Config{
-		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
-		Tests: false,
-	}
-	if *flagBuildTags != "" {
-		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
-	}
-	pkgs, err := packages.Load(cfg, ".")
+	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	if len(pkgs) != 1 {
-		log.Fatalf("wrong number of packages: %d", len(pkgs))
-	}
-	pkg := pkgs[0]
+	it := codegen.NewImportTracker(pkg.Types)
 	buf := new(bytes.Buffer)
-	imports := make(map[string]struct{})
-	namedTypes := codegen.NamedTypes(pkg)
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]
 		if !ok {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, imports, typ, pkg.Types)
+		gen(buf, it, typ)
 	}
 
 	w := func(format string, args ...any) {
@@ -93,62 +79,13 @@ func main() {
 		w("	return false")
 		w("}")
 	}
-
-	contents := new(bytes.Buffer)
-	var flagArgs []string
-	if *flagTypes != "" {
-		flagArgs = append(flagArgs, "-type="+*flagTypes)
-	}
-	if *flagOutput != "" {
-		flagArgs = append(flagArgs, "-output="+*flagOutput)
-	}
-	if *flagBuildTags != "" {
-		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
-	}
-	if *flagCloneFunc {
-		flagArgs = append(flagArgs, "-clonefunc")
-	}
-	fmt.Fprintf(contents, header, strings.Join(flagArgs, " "), pkg.Name)
-	fmt.Fprintf(contents, "import (\n")
-	for s := range imports {
-		fmt.Fprintf(contents, "\t%q\n", s)
-	}
-	fmt.Fprintf(contents, ")\n\n")
-	contents.Write(buf.Bytes())
-
-	output := *flagOutput
-	if output == "" {
-		flag.Usage()
-		os.Exit(2)
-	}
-	if err := codegen.WriteFormatted(contents.Bytes(), output); err != nil {
+	cloneOutput := pkg.Name + "_clone.go"
+	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
 		log.Fatal(err)
 	}
 }
 
-const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
-//` + `go:generate` + ` go run tailscale.com/cmd/cloner %s
-
-package %s
-
-`
-
-func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisPkg *types.Package) {
-	pkgQual := func(pkg *types.Package) string {
-		if thisPkg == pkg {
-			return ""
-		}
-		imports[pkg.Path()] = struct{}{}
-		return pkg.Name()
-	}
-	importedName := func(t types.Type) string {
-		return types.TypeString(t, pkgQual)
-	}
-
+func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 	t, ok := typ.Underlying().(*types.Struct)
 	if !ok {
 		return
@@ -169,11 +106,11 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	for i := 0; i < t.NumFields(); i++ {
 		fname := t.Field(i).Name()
 		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) {
+		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
 			continue
 		}
 		if named, _ := ft.(*types.Named); named != nil {
-			if isViewType(ft) {
+			if codegen.IsViewType(ft) {
 				writef("dst.%s = src.%s", fname, fname)
 				continue
 			}
@@ -185,11 +122,16 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 		switch ft := ft.Underlying().(type) {
 		case *types.Slice:
 			if codegen.ContainsPointers(ft.Elem()) {
-				n := importedName(ft.Elem())
+				n := it.QualifiedName(ft.Elem())
 				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
 				writef("for i := range dst.%s {", fname)
-				if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
+					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
+						writef("\tx := *src.%s[i]", fname)
+						writef("\tdst.%s[i] = &x", fname)
+					} else {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					}
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
@@ -202,7 +144,7 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 				writef("dst.%s = src.%s.Clone()", fname, fname)
 				continue
 			}
-			n := importedName(ft.Elem())
+			n := it.QualifiedName(ft.Elem())
 			writef("if dst.%s != nil {", fname)
 			writef("\tdst.%s = new(%s)", fname, n)
 			writef("\t*dst.%s = *src.%s", fname, fname)
@@ -212,9 +154,9 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 			writef("}")
 		case *types.Map:
 			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+			writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(ft.Elem()))
 			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
-				n := importedName(sliceType.Elem())
+				n := it.QualifiedName(sliceType.Elem())
 				writef("\tfor k := range src.%s {", fname)
 				// use zero-length slice instead of nil to ensure
 				// the key is always copied.
@@ -237,20 +179,10 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 	writef("return dst")
 	fmt.Fprintf(buf, "}\n\n")
 
-	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
-}
-
-func isViewType(typ types.Type) bool {
-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok {
-		return false
-	}
-	if t.NumFields() != 1 {
-		return false
-	}
-	return t.Field(0).Name() == "ж"
+	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }
 
+// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:

cmd/derper/websocket.go

@@ -13,7 +13,7 @@ import (
 
 	"nhooyr.io/websocket"
 	"tailscale.com/derp"
-	"tailscale.com/derp/wsconn"
+	"tailscale.com/net/wsconn"
 )
 
 var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")

cmd/mkpkg/main.go

@@ -6,6 +6,7 @@
 package main
 
 import (
+	"flag"
 	"fmt"
 	"log"
 	"os"
@@ -14,7 +15,6 @@ import (
 	"github.com/goreleaser/nfpm"
 	_ "github.com/goreleaser/nfpm/deb"
 	_ "github.com/goreleaser/nfpm/rpm"
-	"github.com/pborman/getopt"
 )
 
 // parseFiles parses a comma-separated list of colon-separated pairs
@@ -44,19 +44,21 @@ func parseEmptyDirs(s string) []string {
 }
 
 func main() {
-	out := getopt.StringLong("out", 'o', "", "output file to write")
-	goarch := getopt.StringLong("arch", 'a', "amd64", "GOARCH this package is for")
-	pkgType := getopt.StringLong("type", 't', "deb", "type of package to build (deb or rpm)")
-	files := getopt.StringLong("files", 'F', "", "comma-separated list of files in src:dst form")
-	configFiles := getopt.StringLong("configs", 'C', "", "like --files, but for files marked as user-editable config files")
-	emptyDirs := getopt.StringLong("emptydirs", 'E', "", "comma-separated list of empty directories")
-	version := getopt.StringLong("version", 0, "0.0.0", "version of the package")
-	postinst := getopt.StringLong("postinst", 0, "", "debian postinst script path")
-	prerm := getopt.StringLong("prerm", 0, "", "debian prerm script path")
-	postrm := getopt.StringLong("postrm", 0, "", "debian postrm script path")
-	replaces := getopt.StringLong("replaces", 0, "", "package which this package replaces, if any")
-	depends := getopt.StringLong("depends", 0, "", "comma-separated list of packages this package depends on")
-	getopt.Parse()
+	out := flag.String("out", "", "output file to write")
+	name := flag.String("name", "tailscale", "package name")
+	description := flag.String("description", "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO", "package description")
+	goarch := flag.String("arch", "amd64", "GOARCH this package is for")
+	pkgType := flag.String("type", "deb", "type of package to build (deb or rpm)")
+	files := flag.String("files", "", "comma-separated list of files in src:dst form")
+	configFiles := flag.String("configs", "", "like --files, but for files marked as user-editable config files")
+	emptyDirs := flag.String("emptydirs", "", "comma-separated list of empty directories")
+	version := flag.String("version", "0.0.0", "version of the package")
+	postinst := flag.String("postinst", "", "debian postinst script path")
+	prerm := flag.String("prerm", "", "debian prerm script path")
+	postrm := flag.String("postrm", "", "debian postrm script path")
+	replaces := flag.String("replaces", "", "package which this package replaces, if any")
+	depends := flag.String("depends", "", "comma-separated list of packages this package depends on")
+	flag.Parse()
 
 	filesMap, err := parseFiles(*files)
 	if err != nil {
@@ -68,12 +70,12 @@ func main() {
 	}
 	emptyDirList := parseEmptyDirs(*emptyDirs)
 	info := nfpm.WithDefaults(&nfpm.Info{
-		Name:        "tailscale",
+		Name:        *name,
 		Arch:        *goarch,
 		Platform:    "linux",
 		Version:     *version,
 		Maintainer:  "Tailscale Inc <info@tailscale.com>",
-		Description: "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO",
+		Description: *description,
 		Homepage:    "https://www.tailscale.com",
 		License:     "MIT",
 		Overridables: nfpm.Overridables{

cmd/nginx-auth/.gitignore

@@ -0,0 +1,4 @@
+nga.sock
+*.deb
+*.rpm
+tailscale.nginx-auth

cmd/nginx-auth/README.md

@@ -0,0 +1,157 @@
+# nginx-auth
+
+This is a tool that allows users to use Tailscale Whois authentication with
+NGINX as a reverse proxy. This allows users that already have a bunch of
+services hosted on an internal NGINX server to point those domains to the
+Tailscale IP of the NGINX server and then seamlessly use Tailscale for
+authentication.
+
+Many thanks to [@zrail](https://twitter.com/zrail/status/1511788463586222087) on
+Twitter for introducing the basic idea and offering some sample code. This
+program is based on that sample code with security enhancements. Namely:
+
+* This listens over a UNIX socket instead of a TCP socket, to prevent
+  leakage to the network
+* This uses systemd socket activation so that systemd owns the socket
+  and can then lock down the service to the bare minimum required to do
+  its job without having to worry about dropping permissions
+* This provides additional information in HTTP response headers that can
+  be useful for integrating with various services
+
+## Configuration
+
+In order to protect a service with this tool, do the following in the respective
+`server` block:
+
+Create an authentication location with the `internal` flag set:
+
+```nginx
+location /auth {
+  internal;
+
+  proxy_pass http://unix:/run/tailscale.nginx-auth.sock;
+  proxy_pass_request_body off;
+
+  proxy_set_header Host $http_host;
+  proxy_set_header Remote-Addr $remote_addr;
+  proxy_set_header Remote-Port $remote_port;
+  proxy_set_header Original-URI $request_uri;
+}
+```
+
+Then add the following to the `location /` block:
+
+```
+auth_request /auth;
+auth_request_set $auth_user $upstream_http_tailscale_user;
+auth_request_set $auth_name $upstream_http_tailscale_name;
+auth_request_set $auth_login $upstream_http_tailscale_login;
+auth_request_set $auth_tailnet $upstream_http_tailscale_tailnet;
+auth_request_set $auth_profile_picture $upstream_http_tailscale_profile_picture;
+
+proxy_set_header X-Webauth-User "$auth_user";
+proxy_set_header X-Webauth-Name "$auth_name";
+proxy_set_header X-Webauth-Login "$auth_login";
+proxy_set_header X-Webauth-Tailnet "$auth_tailnet";
+proxy_set_header X-Webauth-Profile-Picture "$auth_profile_picture";
+```
+
+When this configuration is used with a Go HTTP handler such as this:
+
+```go
+http.HandlerFunc(func (w http.ResponseWriter, r *http.Request) {
+	e := json.NewEncoder(w)
+	e.SetIndent("", "  ")
+	e.Encode(r.Header)
+})
+```
+
+You will get output like this:
+
+```json
+{
+  "Accept": [
+    "*/*"
+  ],
+  "Connection": [
+    "upgrade"
+  ],
+  "User-Agent": [
+    "curl/7.82.0"
+  ],
+  "X-Webauth-Login": [
+    "Xe"
+  ],
+  "X-Webauth-Name": [
+    "Xe Iaso"
+  ],
+  "X-Webauth-Profile-Picture": [
+    "https://avatars.githubusercontent.com/u/529003?v=4"
+  ],
+  "X-Webauth-Tailnet": [
+    "cetacean.org.github"
+  ]
+  "X-Webauth-User": [
+    "Xe@github"
+  ]
+}
+```
+
+## Headers
+
+The authentication service provides the following headers to decorate your
+proxied requests:
+
+| Header                      | Example Value                                                      | Description                                                                   |
+| :------                     | :--------------                                                    | :----------                                                                   |
+| `Tailscale-User`            | `azurediamond@hunter2.net`                                         | The Tailscale username the remote machine is logged in as in user@host form   |
+| `Tailscale-Login`           | `azurediamond`                                                     | The user portion of the Tailscale username the remote machine is logged in as |
+| `Tailscale-Name`            | `Azure Diamond`                                                    | The "real name" of the Tailscale user the machine is logged in as             |
+| `Tailscale-Profile-Picture` | `https://i.kym-cdn.com/photos/images/newsfeed/001/065/963/ae0.png` | The profile picture provided by the Identity Provider your tailnet uses       |
+| `Tailscale-Tailnet`          | `hunter2.net`                                       | The tailnet name                                                              |
+
+Most of the time you can set `X-Webauth-User` to the contents of the
+`Tailscale-User` header, but some services may not accept a username with an `@`
+symbol in it. If this is the case, set `X-Webauth-User` to the `Tailscale-Login`
+header.
+
+The `Tailscale-Tailnet` header can help you identify which tailnet the session
+is coming from. If you are using node sharing, this can help you make sure that
+you aren't giving administrative access to people outside your tailnet.
+
+### Allow Requests From Only One Tailnet
+
+If you want to prevent node sharing from allowing users to access a service, add
+the `Expected-Tailnet` header to your auth request:
+
+```nginx
+location /auth {
+  # ...
+  proxy_set_header Expected-Tailnet "tailscale.com";
+}
+```
+
+If a user from a different tailnet tries to use that service, this will return a
+generic "forbidden" error page:
+
+```html
+<html>
+<head><title>403 Forbidden</title></head>
+<body>
+<center><h1>403 Forbidden</h1></center>
+<hr><center>nginx/1.18.0 (Ubuntu)</center>
+</body>
+</html>
+```
+
+## Building
+
+Install `cmd/mkpkg`:
+
+```
+cd .. && go install ./mkpkg
+```
+
+Then run `./mkdeb.sh`. It will emit a `.deb` and `.rpm` package for amd64
+machines (Linux uname flag: `x86_64`). You can add these to your deployment
+methods as you see fit.

cmd/nginx-auth/deb/postinst.sh

@@ -0,0 +1,14 @@
+if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
+	  deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
+	  if deb-systemd-helper --quiet was-enabled 'tailscale.nginx-auth.socket'; then
+		    deb-systemd-helper enable 'tailscale.nginx-auth.socket' >/dev/null || true
+	  else
+		    deb-systemd-helper update-state 'tailscale.nginx-auth.socket' >/dev/null || true
+	  fi
+
+    if systemctl is-active tailscale.nginx-auth.socket >/dev/null; then
+        systemctl --system daemon-reload >/dev/null || true
+        deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
+        deb-systemd-invoke restart 'tailscale.nginx-auth.socket' >/dev/null || true
+    fi
+fi

cmd/nginx-auth/deb/postrm.sh

@@ -0,0 +1,19 @@
+#!/bin/sh
+set -e
+if [ -d /run/systemd/system ] ; then
+	  systemctl --system daemon-reload >/dev/null || true
+fi
+
+if [ -x "/usr/bin/deb-systemd-helper" ]; then
+    if [ "$1" = "remove" ]; then
+		    deb-systemd-helper mask 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper mask 'tailscale.nginx-auth.service' >/dev/null || true
+	  fi
+
+    if [ "$1" = "purge" ]; then
+		    deb-systemd-helper purge 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper unmask 'tailscale.nginx-auth.socket' >/dev/null || true
+		    deb-systemd-helper purge 'tailscale.nginx-auth.service' >/dev/null || true
+		    deb-systemd-helper unmask 'tailscale.nginx-auth.service' >/dev/null || true
+	  fi
+fi

cmd/nginx-auth/deb/prerm.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+if [ "$1" = "remove" ]; then
+	  if [ -d /run/systemd/system ]; then
+		    deb-systemd-invoke stop 'tailscale.nginx-auth.service' >/dev/null || true
+		    deb-systemd-invoke stop 'tailscale.nginx-auth.socket' >/dev/null || true
+	  fi
+fi

cmd/nginx-auth/mkdeb.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -e
+
+CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o tailscale.nginx-auth .
+
+VERSION=0.1.1
+
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.deb \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=deb \
+    --arch=amd64 \
+    --postinst=deb/postinst.sh \
+    --postrm=deb/postrm.sh \
+    --prerm=deb/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md
+
+mkpkg \
+    --out=tailscale-nginx-auth-${VERSION}-amd64.rpm \
+    --name=tailscale-nginx-auth \
+    --version=${VERSION} \
+    --type=rpm \
+    --arch=amd64 \
+    --postinst=rpm/postinst.sh \
+    --postrm=rpm/postrm.sh \
+    --prerm=rpm/prerm.sh \
+    --description="Tailscale NGINX authentication protocol handler" \
+    --files=./tailscale.nginx-auth:/usr/sbin/tailscale.nginx-auth,./tailscale.nginx-auth.socket:/lib/systemd/system/tailscale.nginx-auth.socket,./tailscale.nginx-auth.service:/lib/systemd/system/tailscale.nginx-auth.service,./README.md:/usr/share/tailscale/nginx-auth/README.md

cmd/nginx-auth/nginx-auth.go

@@ -0,0 +1,127 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux
+
+// Command nginx-auth is a tool that allows users to use Tailscale Whois
+// authentication with NGINX as a reverse proxy. This allows users that
+// already have a bunch of services hosted on an internal NGINX server
+// to point those domains to the Tailscale IP of the NGINX server and
+// then seamlessly use Tailscale for authentication.
+package main
+
+import (
+	"flag"
+	"log"
+	"net"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/coreos/go-systemd/activation"
+	"tailscale.com/client/tailscale"
+)
+
+var (
+	sockPath = flag.String("sockpath", "", "the filesystem path for the unix socket this service exposes")
+)
+
+func main() {
+	flag.Parse()
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		remoteHost := r.Header.Get("Remote-Addr")
+		remotePort := r.Header.Get("Remote-Port")
+		if remoteHost == "" || remotePort == "" {
+			w.WriteHeader(http.StatusBadRequest)
+			log.Println("set Remote-Addr to $remote_addr and Remote-Port to $remote_port in your nginx config")
+			return
+		}
+
+		remoteAddrStr := net.JoinHostPort(remoteHost, remotePort)
+		remoteAddr, err := netip.ParseAddrPort(remoteAddrStr)
+		if err != nil {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("remote address and port are not valid: %v", err)
+			return
+		}
+
+		info, err := tailscale.WhoIs(r.Context(), remoteAddr.String())
+		if err != nil {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't look up %s: %v", remoteAddr, err)
+			return
+		}
+
+		if len(info.Node.Tags) != 0 {
+			w.WriteHeader(http.StatusForbidden)
+			log.Printf("node %s is tagged", info.Node.Hostinfo.Hostname())
+			return
+		}
+
+		_, tailnet, ok := strings.Cut(info.Node.Name, info.Node.ComputedName+".")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
+		}
+		tailnet, _, ok = strings.Cut(tailnet, ".beta.tailscale.net")
+		if !ok {
+			w.WriteHeader(http.StatusUnauthorized)
+			log.Printf("can't extract tailnet name from hostname %q", info.Node.Name)
+			return
+		}
+
+		if expectedTailnet := r.Header.Get("Expected-Tailnet"); expectedTailnet != "" && expectedTailnet != tailnet {
+			w.WriteHeader(http.StatusForbidden)
+			log.Printf("user is part of tailnet %s, wanted: %s", tailnet, url.QueryEscape(expectedTailnet))
+			return
+		}
+
+		h := w.Header()
+		h.Set("Tailscale-Login", strings.Split(info.UserProfile.LoginName, "@")[0])
+		h.Set("Tailscale-User", info.UserProfile.LoginName)
+		h.Set("Tailscale-Name", info.UserProfile.DisplayName)
+		h.Set("Tailscale-Profile-Picture", info.UserProfile.ProfilePicURL)
+		h.Set("Tailscale-Tailnet", tailnet)
+		w.WriteHeader(http.StatusNoContent)
+	})
+
+	if *sockPath != "" {
+		_ = os.Remove(*sockPath) // ignore error, this file may not already exist
+		ln, err := net.Listen("unix", *sockPath)
+		if err != nil {
+			log.Fatalf("can't listen on %s: %v", *sockPath, err)
+		}
+		defer ln.Close()
+
+		log.Printf("listening on %s", *sockPath)
+		log.Fatal(http.Serve(ln, mux))
+	}
+
+	listeners, err := activation.Listeners()
+	if err != nil {
+		log.Fatalf("no sockets passed to this service with systemd: %v", err)
+	}
+
+	// NOTE(Xe): normally you'd want to make a waitgroup here and then register
+	// each listener with it. In this case I want this to blow up horribly if
+	// any of the listeners stop working. systemd will restart it due to the
+	// socket activation at play.
+	//
+	// TL;DR: Let it crash, it will come back
+	for _, ln := range listeners {
+		go func(ln net.Listener) {
+			log.Printf("listening on %s", ln.Addr())
+			log.Fatal(http.Serve(ln, mux))
+		}(ln)
+	}
+
+	for {
+		select {}
+	}
+}

cmd/nginx-auth/rpm/postrm.sh

@@ -0,0 +1,9 @@
+# $1 == 0 for uninstallation.
+# $1 == 1 for removing old package during upgrade.
+
+systemctl daemon-reload >/dev/null 2>&1 || :
+if [ $1 -ge 1 ] ; then
+    # Package upgrade, not uninstall
+    systemctl stop tailscale.nginx-auth.service >/dev/null 2>&1 || :
+    systemctl try-restart tailscale.nginx-auth.socket >/dev/null 2>&1 || :
+fi

cmd/nginx-auth/rpm/prerm.sh

@@ -0,0 +1,9 @@
+# $1 == 0 for uninstallation.
+# $1 == 1 for removing old package during upgrade.
+
+if [ $1 -eq 0 ] ; then
+    # Package removal, not upgrade
+    systemctl --no-reload disable tailscale.nginx-auth.socket > /dev/null 2>&1 || :
+    systemctl stop tailscale.nginx-auth.socket > /dev/null 2>&1 || :
+    systemctl stop tailscale.nginx-auth.service > /dev/null 2>&1 || :
+fi

cmd/nginx-auth/tailscale.nginx-auth.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Tailscale NGINX Authentication service
+After=nginx.service
+Wants=nginx.service
+
+[Service]
+ExecStart=/usr/sbin/tailscale.nginx-auth
+DynamicUser=yes
+
+[Install]
+WantedBy=default.target

cmd/nginx-auth/tailscale.nginx-auth.socket

@@ -0,0 +1,9 @@
+[Unit]
+Description=Tailscale NGINX Authentication socket
+PartOf=tailscale.nginx-auth.service
+
+[Socket]
+ListenStream=/var/run/tailscale.nginx-auth.sock
+
+[Install]
+WantedBy=sockets.target

cmd/proxy-to-grafana/proxy-to-grafana.go

@@ -0,0 +1,159 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// proxy-to-grafana is a reverse proxy which identifies users based on their
+// originating Tailscale identity and maps them to corresponding Grafana
+// users, creating them if needed.
+//
+// It uses Grafana's AuthProxy feature:
+// https://grafana.com/docs/grafana/latest/auth/auth-proxy/
+//
+// Set the TS_AUTHKEY environment variable to have this server automatically
+// join your tailnet, or look for the logged auth link on first start.
+//
+// Use this Grafana configuration to enable the auth proxy:
+//
+//     [auth.proxy]
+//     enabled = true
+//     header_name = X-WEBAUTH-USER
+//     header_property = username
+//     auto_sign_up = true
+//     whitelist = 127.0.0.1
+//     headers = Name:X-WEBAUTH-NAME
+//     enable_login_token = true
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"strings"
+	"time"
+
+	"tailscale.com/client/tailscale"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tsnet"
+)
+
+var (
+	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on, used as the base name for MagicDNS or subdomain in your domain alias for HTTPS.")
+	backendAddr  = flag.String("backend-addr", "", "Address of the Grafana server served over HTTP, in host:port format. Typically localhost:nnnn.")
+	tailscaleDir = flag.String("state-dir", "./", "Alternate directory to use for Tailscale state storage. If empty, a default is used.")
+	useHTTPS     = flag.Bool("use-https", false, "Serve over HTTPS via your *.ts.net subdomain if enabled in Tailscale admin.")
+)
+
+func main() {
+	flag.Parse()
+	if *hostname == "" || strings.Contains(*hostname, ".") {
+		log.Fatal("missing or invalid --hostname")
+	}
+	if *backendAddr == "" {
+		log.Fatal("missing --backend-addr")
+	}
+	ts := &tsnet.Server{
+		Dir:      *tailscaleDir,
+		Hostname: *hostname,
+	}
+
+	// TODO(bradfitz,maisem): move this to a method on tsnet.Server probably.
+	if err := ts.Start(); err != nil {
+		log.Fatalf("Error starting tsnet.Server: %v", err)
+	}
+	localClient, _ := ts.LocalClient()
+
+	url, err := url.Parse(fmt.Sprintf("http://%s", *backendAddr))
+	if err != nil {
+		log.Fatalf("couldn't parse backend address: %v", err)
+	}
+
+	proxy := httputil.NewSingleHostReverseProxy(url)
+	originalDirector := proxy.Director
+	proxy.Director = func(req *http.Request) {
+		originalDirector(req)
+		modifyRequest(req, localClient)
+	}
+
+	var ln net.Listener
+	if *useHTTPS {
+		ln, err = ts.Listen("tcp", ":443")
+		ln = tls.NewListener(ln, &tls.Config{
+			GetCertificate: tailscale.GetCertificate,
+		})
+
+		go func() {
+			// wait for tailscale to start before trying to fetch cert names
+			for i := 0; i < 60; i++ {
+				st, err := localClient.Status(context.Background())
+				if err != nil {
+					log.Printf("error retrieving tailscale status; retrying: %v", err)
+				} else {
+					log.Printf("tailscale status: %v", st.BackendState)
+					if st.BackendState == "Running" {
+						break
+					}
+				}
+				time.Sleep(time.Second)
+			}
+
+			l80, err := ts.Listen("tcp", ":80")
+			if err != nil {
+				log.Fatal(err)
+			}
+			name, ok := localClient.ExpandSNIName(context.Background(), *hostname)
+			if !ok {
+				log.Fatalf("can't get hostname for https redirect")
+			}
+			if err := http.Serve(l80, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				http.Redirect(w, r, fmt.Sprintf("https://%s", name), http.StatusMovedPermanently)
+			})); err != nil {
+				log.Fatal(err)
+			}
+		}()
+	} else {
+		ln, err = ts.Listen("tcp", ":80")
+	}
+	if err != nil {
+		log.Fatal(err)
+	}
+	log.Printf("proxy-to-grafana running at %v, proxying to %v", ln.Addr(), *backendAddr)
+	log.Fatal(http.Serve(ln, proxy))
+}
+
+func modifyRequest(req *http.Request, localClient *tailscale.LocalClient) {
+	// with enable_login_token set to true, we get a cookie that handles
+	// auth for paths that are not /login
+	if req.URL.Path != "/login" {
+		return
+	}
+
+	user, err := getTailscaleUser(req.Context(), localClient, req.RemoteAddr)
+	if err != nil {
+		log.Printf("error getting Tailscale user: %v", err)
+		return
+	}
+
+	req.Header.Set("X-Webauth-User", user.LoginName)
+	req.Header.Set("X-Webauth-Name", user.DisplayName)
+}
+
+func getTailscaleUser(ctx context.Context, localClient *tailscale.LocalClient, ipPort string) (*tailcfg.UserProfile, error) {
+	whois, err := localClient.WhoIs(ctx, ipPort)
+	if err != nil {
+		return nil, fmt.Errorf("failed to identify remote host: %w", err)
+	}
+	if len(whois.Node.Tags) != 0 {
+		return nil, fmt.Errorf("tagged nodes are not users")
+	}
+	if whois.UserProfile == nil || whois.UserProfile.LoginName == "" {
+		return nil, fmt.Errorf("failed to identify remote user")
+	}
+
+	return whois.UserProfile, nil
+}

cmd/tailscale/cli/bugreport.go

@@ -9,7 +9,6 @@ import (
 	"errors"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var bugReportCmd = &ffcli.Command{
@@ -28,7 +27,7 @@ func runBugReport(ctx context.Context, args []string) error {
 	default:
 		return errors.New("unknown argumets")
 	}
-	logMarker, err := tailscale.BugReport(ctx, note)
+	logMarker, err := localClient.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/cert.go

@@ -50,7 +50,7 @@ func runCert(ctx context.Context, args []string) error {
 			},
 			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
+					if v, ok := localClient.ExpandSNIName(r.Context(), r.Host); ok {
 						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
 						return
 					}
@@ -64,7 +64,7 @@ func runCert(ctx context.Context, args []string) error {
 
 	if len(args) != 1 {
 		var hint bytes.Buffer
-		if st, err := tailscale.Status(ctx); err == nil {
+		if st, err := localClient.Status(ctx); err == nil {
 			if st.BackendState != ipn.Running.String() {
 				fmt.Fprintf(&hint, "\nTailscale is not running.\n")
 			} else if len(st.CertDomains) == 0 {

cmd/tailscale/cli/cli.go

@@ -25,6 +25,7 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
@@ -124,23 +125,13 @@ func CleanUpArgs(args []string) []string {
 	return out
 }
 
+var localClient tailscale.LocalClient
+
 // Run runs the CLI. The args do not include the binary name.
 func Run(args []string) (err error) {
 	if len(args) == 1 && (args[0] == "-V" || args[0] == "--version") {
 		args = []string{"version"}
 	}
-	if runtime.GOOS == "linux" && distro.Get() == distro.Gokrazy &&
-		os.Getenv("GOKRAZY_FIRST_START") == "1" {
-		defer func() {
-			// Exit with 125 otherwise the CLI binary is restarted
-			// forever in a loop by the Gokrazy process supervisor.
-			// See https://gokrazy.org/userguide/process-interface/
-			if err != nil {
-				log.Println(err)
-			}
-			os.Exit(125)
-		}()
-	}
 
 	var warnOnce sync.Once
 	tailscale.SetVersionMismatchHandler(func(clientVer, serverVer string) {
@@ -170,6 +161,8 @@ change in the future.
 			ipCmd,
 			statusCmd,
 			pingCmd,
+			ncCmd,
+			sshCmd,
 			versionCmd,
 			webCmd,
 			fileCmd,
@@ -183,6 +176,9 @@ change in the future.
 	for _, c := range rootCmd.Subcommands {
 		c.UsageFunc = usageFunc
 	}
+	if envknob.UseWIPCode() {
+		rootCmd.Subcommands = append(rootCmd.Subcommands, idTokenCmd)
+	}
 
 	// Don't advertise the debug command, but it exists.
 	if strSliceContains(args, "debug") {
@@ -199,10 +195,10 @@ change in the future.
 		return err
 	}
 
-	tailscale.TailscaledSocket = rootArgs.socket
+	localClient.Socket = rootArgs.socket
 	rootfs.Visit(func(f *flag.Flag) {
 		if f.Name == "socket" {
-			tailscale.TailscaledSocketSetExplicitly = true
+			localClient.UseSocketOnly = true
 		}
 	})
 

cmd/tailscale/cli/cli_test.go

@@ -659,6 +659,39 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				NoSNAT:        true,
 			},
 		},
+		{
+			name: "via_route_good",
+			goos: "linux",
+			args: upArgsT{
+				advertiseRoutes: "fd7a:115c:a1e0:b1a::bb:10.0.0.0/112",
+				netfilterMode:   "off",
+			},
+			want: &ipn.Prefs{
+				WantRunning: true,
+				NoSNAT:      true,
+				AdvertiseRoutes: []netaddr.IPPrefix{
+					netaddr.MustParseIPPrefix("fd7a:115c:a1e0:b1a::bb:10.0.0.0/112"),
+				},
+			},
+		},
+		{
+			name: "via_route_short_prefix",
+			goos: "linux",
+			args: upArgsT{
+				advertiseRoutes: "fd7a:115c:a1e0:b1a::/64",
+				netfilterMode:   "off",
+			},
+			wantErr: "fd7a:115c:a1e0:b1a::/64 4-in-6 prefix must be at least a /96",
+		},
+		{
+			name: "via_route_short_reserved_siteid",
+			goos: "linux",
+			args: upArgsT{
+				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
+				netfilterMode:   "off",
+			},
+			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

cmd/tailscale/cli/debug.go

@@ -8,6 +8,7 @@ import (
 	"bufio"
 	"bytes"
 	"context"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -21,9 +22,10 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
+	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 )
@@ -66,6 +68,11 @@ var debugCmd = &ffcli.Command{
 			Exec:      runEnv,
 			ShortHelp: "print cmd/tailscale environment",
 		},
+		{
+			Name:      "stat",
+			Exec:      runStat,
+			ShortHelp: "stat a file",
+		},
 		{
 			Name:      "hostinfo",
 			Exec:      runHostinfo,
@@ -106,6 +113,11 @@ var debugCmd = &ffcli.Command{
 				return fs
 			})(),
 		},
+		{
+			Name:      "via",
+			Exec:      runVia,
+			ShortHelp: "convert between site-specific IPv4 CIDRs and IPv6 'via' routes",
+		},
 	},
 }
 
@@ -142,7 +154,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.cpuFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
+		if v, err := localClient.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -154,7 +166,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if out := debugArgs.memFile; out != "" {
 		usedFlag = true // TODO(bradfitz): add "profile" subcommand
 		log.Printf("Capturing memory profile ...")
-		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
+		if v, err := localClient.Profile(ctx, "heap", 0); err != nil {
 			return err
 		} else {
 			if err := writeProfile(out, v); err != nil {
@@ -166,7 +178,7 @@ func runDebug(ctx context.Context, args []string) error {
 	if debugArgs.file != "" {
 		usedFlag = true // TODO(bradfitz): add "file" subcommand
 		if debugArgs.file == "get" {
-			wfs, err := tailscale.WaitingFiles(ctx)
+			wfs, err := localClient.WaitingFiles(ctx)
 			if err != nil {
 				fatalf("%v\n", err)
 			}
@@ -177,9 +189,9 @@ func runDebug(ctx context.Context, args []string) error {
 		}
 		delete := strings.HasPrefix(debugArgs.file, "delete:")
 		if delete {
-			return tailscale.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
+			return localClient.DeleteWaitingFile(ctx, strings.TrimPrefix(debugArgs.file, "delete:"))
 		}
-		rc, size, err := tailscale.GetWaitingFile(ctx, debugArgs.file)
+		rc, size, err := localClient.GetWaitingFile(ctx, debugArgs.file)
 		if err != nil {
 			return err
 		}
@@ -214,7 +226,7 @@ var prefsArgs struct {
 }
 
 func runPrefs(ctx context.Context, args []string) error {
-	prefs, err := tailscale.GetPrefs(ctx)
+	prefs, err := localClient.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -248,7 +260,7 @@ func runWatchIPN(ctx context.Context, args []string) error {
 }
 
 func runDERPMap(ctx context.Context, args []string) error {
-	dm, err := tailscale.CurrentDERPMap(ctx)
+	dm, err := localClient.CurrentDERPMap(ctx)
 	if err != nil {
 		return fmt.Errorf(
 			"failed to get local derp map, instead `curl %s/derpmap/default`: %w", ipn.DefaultControlURL, err,
@@ -265,7 +277,7 @@ func localAPIAction(action string) func(context.Context, []string) error {
 		if len(args) > 0 {
 			return errors.New("unexpected arguments")
 		}
-		return tailscale.DebugAction(ctx, action)
+		return localClient.DebugAction(ctx, action)
 	}
 }
 
@@ -276,6 +288,28 @@ func runEnv(ctx context.Context, args []string) error {
 	return nil
 }
 
+func runStat(ctx context.Context, args []string) error {
+	for _, a := range args {
+		fi, err := os.Lstat(a)
+		if err != nil {
+			fmt.Printf("%s: %v\n", a, err)
+			continue
+		}
+		fmt.Printf("%s: %v, %v\n", a, fi.Mode(), fi.Size())
+		if fi.IsDir() {
+			ents, _ := os.ReadDir(a)
+			for i, ent := range ents {
+				if i == 25 {
+					fmt.Printf("  ...\n")
+					break
+				}
+				fmt.Printf("  - %s\n", ent.Name())
+			}
+		}
+	}
+	return nil
+}
+
 func runHostinfo(ctx context.Context, args []string) error {
 	hi := hostinfo.New()
 	j, _ := json.MarshalIndent(hi, "", "  ")
@@ -284,7 +318,7 @@ func runHostinfo(ctx context.Context, args []string) error {
 }
 
 func runDaemonGoroutines(ctx context.Context, args []string) error {
-	goroutines, err := tailscale.Goroutines(ctx)
+	goroutines, err := localClient.Goroutines(ctx)
 	if err != nil {
 		return err
 	}
@@ -299,7 +333,7 @@ var metricsArgs struct {
 func runDaemonMetrics(ctx context.Context, args []string) error {
 	last := map[string]int64{}
 	for {
-		out, err := tailscale.DaemonMetrics(ctx)
+		out, err := localClient.DaemonMetrics(ctx)
 		if err != nil {
 			return err
 		}
@@ -348,3 +382,46 @@ func runDaemonMetrics(ctx context.Context, args []string) error {
 		time.Sleep(time.Second)
 	}
 }
+
+func runVia(ctx context.Context, args []string) error {
+	switch len(args) {
+	default:
+		return errors.New("expect either <site-id> <v4-cidr> or <v6-route>")
+	case 1:
+		ipp, err := netaddr.ParseIPPrefix(args[0])
+		if err != nil {
+			return err
+		}
+		if !ipp.IP().Is6() {
+			return errors.New("with one argument, expect an IPv6 CIDR")
+		}
+		if !tsaddr.TailscaleViaRange().Contains(ipp.IP()) {
+			return errors.New("not a via route")
+		}
+		if ipp.Bits() < 96 {
+			return errors.New("short length, want /96 or more")
+		}
+		v4 := tsaddr.UnmapVia(ipp.IP())
+		a := ipp.IP().As16()
+		siteID := binary.BigEndian.Uint32(a[8:12])
+		fmt.Printf("site %v (0x%x), %v\n", siteID, siteID, netaddr.IPPrefixFrom(v4, ipp.Bits()-96))
+	case 2:
+		siteID, err := strconv.ParseUint(args[0], 0, 32)
+		if err != nil {
+			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
+		}
+		if siteID > 0xff {
+			return fmt.Errorf("site-id values over 255 are currently reserved")
+		}
+		ipp, err := netaddr.ParseIPPrefix(args[1])
+		if err != nil {
+			return err
+		}
+		via, err := tsaddr.MapVia(uint32(siteID), ipp)
+		if err != nil {
+			return err
+		}
+		fmt.Println(via)
+	}
+	return nil
+}

cmd/tailscale/cli/down.go

@@ -6,10 +6,10 @@ package cli
 
 import (
 	"context"
+	"flag"
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 )
 
@@ -18,7 +18,14 @@ var downCmd = &ffcli.Command{
 	ShortUsage: "down",
 	ShortHelp:  "Disconnect from Tailscale",
 
-	Exec: runDown,
+	Exec:    runDown,
+	FlagSet: newDownFlagSet(),
+}
+
+func newDownFlagSet() *flag.FlagSet {
+	downf := newFlagSet("down")
+	registerAcceptRiskFlag(downf)
+	return downf
 }
 
 func runDown(ctx context.Context, args []string) error {
@@ -26,7 +33,13 @@ func runDown(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := tailscale.Status(ctx)
+	if isSSHOverTailscale() {
+		if err := presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will disable Tailscale and result in your session disconnecting.`); err != nil {
+			return err
+		}
+	}
+
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fmt.Errorf("error fetching current status: %w", err)
 	}
@@ -34,7 +47,7 @@ func runDown(ctx context.Context, args []string) error {
 		fmt.Fprintf(Stderr, "Tailscale was already stopped.\n")
 		return nil
 	}
-	_, err = tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
+	_, err = localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
 		Prefs: ipn.Prefs{
 			WantRunning: false,
 		},

cmd/tailscale/cli/file.go

@@ -24,7 +24,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
@@ -157,7 +156,7 @@ func runCp(ctx context.Context, args []string) error {
 		if cpArgs.verbose {
 			log.Printf("sending %q to %v/%v/%v ...", name, target, ip, stableID)
 		}
-		err := tailscale.PushFile(ctx, stableID, contentLength, name, fileContents)
+		err := localClient.PushFile(ctx, stableID, contentLength, name, fileContents)
 		if err != nil {
 			return err
 		}
@@ -173,7 +172,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 	if err != nil {
 		return "", false, err
 	}
-	fts, err := tailscale.FileTargets(ctx)
+	fts, err := localClient.FileTargets(ctx)
 	if err != nil {
 		return "", false, err
 	}
@@ -194,7 +193,7 @@ func getTargetStableID(ctx context.Context, ipStr string) (id tailcfg.StableNode
 // invalid file sharing target.
 func fileTargetErrorDetail(ctx context.Context, ip netaddr.IP) error {
 	found := false
-	if st, err := tailscale.Status(ctx); err == nil && st.Self != nil {
+	if st, err := localClient.Status(ctx); err == nil && st.Self != nil {
 		for _, peer := range st.Peer {
 			for _, pip := range peer.TailscaleIPs {
 				if pip == ip {
@@ -261,7 +260,7 @@ func runCpTargets(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("invalid arguments with --targets")
 	}
-	fts, err := tailscale.FileTargets(ctx)
+	fts, err := localClient.FileTargets(ctx)
 	if err != nil {
 		return err
 	}
@@ -318,6 +317,7 @@ var fileGetCmd = &ffcli.Command{
 	FlagSet: (func() *flag.FlagSet {
 		fs := newFlagSet("get")
 		fs.BoolVar(&getArgs.wait, "wait", false, "wait for a file to arrive if inbox is empty")
+		fs.BoolVar(&getArgs.loop, "loop", false, "run get in a loop, receiving files as they come in")
 		fs.BoolVar(&getArgs.verbose, "verbose", false, "verbose output")
 		fs.Var(&getArgs.conflict, "conflict", `behavior when a conflicting (same-named) file already exists in the target directory.
 	skip:       skip conflicting files: leave them in the taildrop inbox and print an error. get any non-conflicting files
@@ -329,6 +329,7 @@ var fileGetCmd = &ffcli.Command{
 
 var getArgs = struct {
 	wait     bool
+	loop     bool
 	verbose  bool
 	conflict onConflict
 }{conflict: skipOnExist}
@@ -358,7 +359,7 @@ func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error)
 		}
 		return nil, fmt.Errorf("failed to write; %w", err)
 	case overwriteExisting:
-		// remove the target file and create it anew so we don't fall for an 
+		// remove the target file and create it anew so we don't fall for an
 		// attacker who symlinks a known target name to a file he wants changed.
 		if err = os.Remove(targetFile); err != nil {
 			return nil, fmt.Errorf("unable to remove target file: %w", err)
@@ -383,22 +384,75 @@ func openFileOrSubstitute(dir, base string, action onConflict) (*os.File, error)
 }
 
 func receiveFile(ctx context.Context, wf apitype.WaitingFile, dir string) (targetFile string, size int64, err error) {
-	rc, size, err := tailscale.GetWaitingFile(ctx, wf.Name)
+	rc, size, err := localClient.GetWaitingFile(ctx, wf.Name)
 	if err != nil {
 		return "", 0, fmt.Errorf("opening inbox file %q: %w", wf.Name, err)
 	}
+	defer rc.Close()
 	f, err := openFileOrSubstitute(dir, wf.Name, getArgs.conflict)
 	if err != nil {
 		return "", 0, err
 	}
 	_, err = io.Copy(f, rc)
-	rc.Close()
 	if err != nil {
+		f.Close()
 		return "", 0, fmt.Errorf("failed to write %v: %v", f.Name(), err)
 	}
 	return f.Name(), size, f.Close()
 }
 
+func runFileGetOneBatch(ctx context.Context, dir string) []error {
+	var wfs []apitype.WaitingFile
+	var err error
+	var errs []error
+	for len(errs) == 0 {
+		wfs, err = localClient.WaitingFiles(ctx)
+		if err != nil {
+			errs = append(errs, fmt.Errorf("getting WaitingFiles: %w", err))
+			break
+		}
+		if len(wfs) != 0 || !(getArgs.wait || getArgs.loop) {
+			break
+		}
+		if getArgs.verbose {
+			printf("waiting for file...")
+		}
+		if err := waitForFile(ctx); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	deleted := 0
+	for i, wf := range wfs {
+		if len(errs) > 100 {
+			// Likely, everything is broken.
+			// Don't try to receive any more files in this batch.
+			errs = append(errs, fmt.Errorf("too many errors in runFileGetOneBatch(). %d files unexamined", len(wfs)-i))
+			break
+		}
+		writtenFile, size, err := receiveFile(ctx, wf, dir)
+		if err != nil {
+			errs = append(errs, err)
+			continue
+		}
+		if getArgs.verbose {
+			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
+		}
+		if err = localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
+			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
+			continue
+		}
+		deleted++
+	}
+	if deleted == 0 && len(wfs) > 0 {
+		// persistently stuck files are basically an error
+		errs = append(errs, fmt.Errorf("moved %d/%d files", deleted, len(wfs)))
+	} else if getArgs.verbose {
+		printf("moved %d/%d files\n", deleted, len(wfs))
+	}
+	return errs
+}
+
 func runFileGet(ctx context.Context, args []string) error {
 	if len(args) != 1 {
 		return errors.New("usage: file get <target-directory>")
@@ -413,45 +467,28 @@ func runFileGet(ctx context.Context, args []string) error {
 	if fi, err := os.Stat(dir); err != nil || !fi.IsDir() {
 		return fmt.Errorf("%q is not a directory", dir)
 	}
-
-	var wfs []apitype.WaitingFile
-	var err error
-	for {
-		wfs, err = tailscale.WaitingFiles(ctx)
-		if err != nil {
-			return fmt.Errorf("getting WaitingFiles: %w", err)
-		}
-		if len(wfs) != 0 || !getArgs.wait {
-			break
-		}
-		if getArgs.verbose {
-			printf("waiting for file...")
-		}
-		if err := waitForFile(ctx); err != nil {
-			return err
+	if getArgs.loop {
+		for {
+			errs := runFileGetOneBatch(ctx, dir)
+			for _, err := range errs {
+				outln(err)
+			}
+			if len(errs) > 0 {
+				// It's possible whatever caused the error(s) (e.g. conflicting target file,
+				// full disk, unwritable target directory) will re-occur if we try again so
+				// let's back off and not busy loop on error.
+				//
+				// If we've been invoked as:
+				//    tailscale file get --conflict=skip ~/Downloads
+				// then any file coming in named the same as one in ~/Downloads will always
+				// appear as an "error" until the user clears it, but other incoming files
+				// should be receivable when they arrive, so let's not wait too long to
+				// check again.
+				time.Sleep(5 * time.Second)
+			}
 		}
 	}
-
-	var errs []error
-	deleted := 0
-	for _, wf := range wfs {
-		writtenFile, size, err := receiveFile(ctx, wf, dir)
-		if err != nil {
-			errs = append(errs, err)
-			continue
-		}
-		if getArgs.verbose {
-			printf("wrote %v as %v (%d bytes)\n", wf.Name, writtenFile, size)
-		}
-		if err = tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
-			errs = append(errs, fmt.Errorf("deleting %q from inbox: %v", wf.Name, err))
-			continue
-		}
-		deleted++
-	}
-	if getArgs.verbose {
-		printf("moved %d/%d files\n", deleted, len(wfs))
-	}
+	errs := runFileGetOneBatch(ctx, dir)
 	if len(errs) == 0 {
 		return nil
 	}
@@ -465,7 +502,7 @@ func wipeInbox(ctx context.Context) error {
 	if getArgs.wait {
 		return errors.New("can't use --wait with /dev/null target")
 	}
-	wfs, err := tailscale.WaitingFiles(ctx)
+	wfs, err := localClient.WaitingFiles(ctx)
 	if err != nil {
 		return fmt.Errorf("getting WaitingFiles: %w", err)
 	}
@@ -474,7 +511,7 @@ func wipeInbox(ctx context.Context) error {
 		if getArgs.verbose {
 			log.Printf("deleting %v ...", wf.Name)
 		}
-		if err := tailscale.DeleteWaitingFile(ctx, wf.Name); err != nil {
+		if err := localClient.DeleteWaitingFile(ctx, wf.Name); err != nil {
 			return fmt.Errorf("deleting %q: %v", wf.Name, err)
 		}
 		deleted++
@@ -489,9 +526,10 @@ func waitForFile(ctx context.Context) error {
 	c, bc, pumpCtx, cancel := connect(ctx)
 	defer cancel()
 	fileWaiting := make(chan bool, 1)
+	notifyError := make(chan error, 1)
 	bc.SetNotifyCallback(func(n ipn.Notify) {
 		if n.ErrMessage != nil {
-			fatalf("Notify.ErrMessage: %v\n", *n.ErrMessage)
+			notifyError <- fmt.Errorf("Notify.ErrMessage: %v", *n.ErrMessage)
 		}
 		if n.FilesWaiting != nil {
 			select {
@@ -508,5 +546,7 @@ func waitForFile(ctx context.Context) error {
 		return pumpCtx.Err()
 	case <-ctx.Done():
 		return ctx.Err()
+	case err := <-notifyError:
+		return err
 	}
 }

cmd/tailscale/cli/id-token.go

@@ -0,0 +1,34 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+var idTokenCmd = &ffcli.Command{
+	Name:       "id-token",
+	ShortUsage: "id-token <aud>",
+	ShortHelp:  "fetch an OIDC id-token for the Tailscale machine",
+	Exec:       runIDToken,
+}
+
+func runIDToken(ctx context.Context, args []string) error {
+	if len(args) != 1 {
+		return errors.New("usage: id-token <aud>")
+	}
+
+	tr, err := localClient.IDToken(ctx, args[0])
+	if err != nil {
+		return err
+	}
+
+	fmt.Println(tr.IDToken)
+	return nil
+}

cmd/tailscale/cli/ip.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 )
 
@@ -59,7 +58,7 @@ func runIP(ctx context.Context, args []string) error {
 	if !v4 && !v6 {
 		v4, v6 = true, true
 	}
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/logout.go

@@ -10,7 +10,6 @@ import (
 	"strings"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )
 
 var logoutCmd = &ffcli.Command{
@@ -30,5 +29,5 @@ func runLogout(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}
-	return tailscale.Logout(ctx)
+	return localClient.Logout(ctx)
 }

cmd/tailscale/cli/nc.go

@@ -0,0 +1,62 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+)
+
+var ncCmd = &ffcli.Command{
+	Name:       "nc",
+	ShortUsage: "nc <hostname-or-IP> <port>",
+	ShortHelp:  "Connect to a port on a host, connected to stdin/stdout",
+	Exec:       runNC,
+}
+
+func runNC(ctx context.Context, args []string) error {
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
+	}
+
+	if len(args) != 2 {
+		return errors.New("usage: nc <hostname-or-IP> <port>")
+	}
+
+	hostOrIP, portStr := args[0], args[1]
+	port, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return fmt.Errorf("invalid port number %q", portStr)
+	}
+
+	// TODO(bradfitz): also add UDP too, via flag?
+	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	if err != nil {
+		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
+	}
+	defer c.Close()
+	errc := make(chan error, 1)
+	go func() {
+		_, err := io.Copy(os.Stdout, c)
+		errc <- err
+	}()
+	go func() {
+		_, err := io.Copy(c, os.Stdin)
+		errc <- err
+	}()
+	return <-errc
+}

cmd/tailscale/cli/netcheck.go

@@ -18,7 +18,6 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
@@ -63,7 +62,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}
 
-	dm, err := tailscale.CurrentDERPMap(ctx)
+	dm, err := localClient.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
 		log.Printf("No DERP map from tailscaled; using default.")

cmd/tailscale/cli/ping.go

@@ -16,9 +16,9 @@ import (
 	"time"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
+	"inet.af/netaddr"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 )
 
 var pingCmd = &ffcli.Command{
@@ -27,7 +27,7 @@ var pingCmd = &ffcli.Command{
 	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
 	LongHelp: strings.TrimSpace(`
 
-The 'tailscale ping' command pings a peer node at the Tailscale layer
+The 'tailscale ping' command pings a peer node from the Tailscale layer
 and reports which route it took for each response. The first ping or
 so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
 traversal finds a direct path through.
@@ -49,7 +49,9 @@ relay node.
 		fs := newFlagSet("ping")
 		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
 		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
-		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through IP + wireguard, but not involving host OS stack)")
+		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
+		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
+		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
 		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
 		return fs
@@ -61,11 +63,26 @@ var pingArgs struct {
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
+	icmp        bool
+	peerAPI     bool
 	timeout     time.Duration
 }
 
+func pingType() tailcfg.PingType {
+	if pingArgs.tsmp {
+		return tailcfg.PingTSMP
+	}
+	if pingArgs.icmp {
+		return tailcfg.PingICMP
+	}
+	if pingArgs.peerAPI {
+		return tailcfg.PingPeerAPI
+	}
+	return tailcfg.PingDisco
+}
+
 func runPing(ctx context.Context, args []string) error {
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -75,24 +92,10 @@ func runPing(ctx context.Context, args []string) error {
 		os.Exit(1)
 	}
 
-	c, bc, ctx, cancel := connect(ctx)
-	defer cancel()
-
 	if len(args) != 1 || args[0] == "" {
 		return errors.New("usage: ping <hostname-or-IP>")
 	}
 	var ip string
-	prc := make(chan *ipnstate.PingResult, 1)
-	bc.SetNotifyCallback(func(n ipn.Notify) {
-		if n.ErrMessage != nil {
-			fatalf("Notify.ErrMessage: %v", *n.ErrMessage)
-		}
-		if pr := n.PingResult; pr != nil && pr.IP == ip {
-			prc <- pr
-		}
-	})
-	pumpErr := make(chan error, 1)
-	go func() { pumpErr <- pump(ctx, bc, c) }()
 
 	hostOrIP := args[0]
 	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
@@ -112,48 +115,51 @@ func runPing(ctx context.Context, args []string) error {
 	anyPong := false
 	for {
 		n++
-		bc.Ping(ip, pingArgs.tsmp)
-		timer := time.NewTimer(pingArgs.timeout)
-		select {
-		case <-timer.C:
-			printf("timeout waiting for ping reply\n")
-		case err := <-pumpErr:
+		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
+		pr, err := localClient.Ping(ctx, netaddr.MustParseIP(ip), pingType())
+		cancel()
+		if err != nil {
+			if errors.Is(err, context.DeadlineExceeded) {
+				printf("ping %q timed out\n", ip)
+				continue
+			}
 			return err
-		case pr := <-prc:
-			timer.Stop()
-			if pr.Err != "" {
-				if pr.IsLocalIP {
-					outln(pr.Err)
-					return nil
-				}
-				return errors.New(pr.Err)
-			}
-			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
-			via := pr.Endpoint
-			if pr.DERPRegionID != 0 {
-				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
-			}
-			if pingArgs.tsmp {
-				// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
-				// For now just say it came via TSMP.
-				via = "TSMP"
-			}
-			anyPong = true
-			extra := ""
-			if pr.PeerAPIPort != 0 {
-				extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
-			}
-			printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
-			if pingArgs.tsmp {
-				return nil
-			}
-			if pr.Endpoint != "" && pingArgs.untilDirect {
-				return nil
-			}
-			time.Sleep(time.Second)
-		case <-ctx.Done():
-			return ctx.Err()
 		}
+		if pr.Err != "" {
+			if pr.IsLocalIP {
+				outln(pr.Err)
+				return nil
+			}
+			return errors.New(pr.Err)
+		}
+		latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+		via := pr.Endpoint
+		if pr.DERPRegionID != 0 {
+			via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+		}
+		if via == "" {
+			// TODO(bradfitz): populate the rest of ipnstate.PingResult for TSMP queries?
+			// For now just say which protocol it used.
+			via = string(pingType())
+		}
+		if pingArgs.peerAPI {
+			printf("hit peerapi of %s (%s) at %s in %s\n", pr.NodeIP, pr.NodeName, pr.PeerAPIURL, latency)
+			return nil
+		}
+		anyPong = true
+		extra := ""
+		if pr.PeerAPIPort != 0 {
+			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
+		}
+		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
+		if pingArgs.tsmp || pingArgs.icmp {
+			return nil
+		}
+		if pr.Endpoint != "" && pingArgs.untilDirect {
+			return nil
+		}
+		time.Sleep(time.Second)
+
 		if n == pingArgs.num {
 			if !anyPong {
 				return errors.New("no reply")
@@ -173,7 +179,7 @@ func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self b
 	}
 
 	// Otherwise, try to resolve it first from the network peer list.
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return "", false, err
 	}

cmd/tailscale/cli/risks.go

@@ -0,0 +1,78 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"errors"
+	"flag"
+	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+)
+
+var (
+	riskTypes     []string
+	acceptedRisks string
+	riskLoseSSH   = registerRiskType("lose-ssh")
+)
+
+func registerRiskType(riskType string) string {
+	riskTypes = append(riskTypes, riskType)
+	return riskType
+}
+
+// registerAcceptRiskFlag registers the --accept-risk flag. Accepted risks are accounted for
+// in presentRiskToUser.
+func registerAcceptRiskFlag(f *flag.FlagSet) {
+	f.StringVar(&acceptedRisks, "accept-risk", "", "accept risk and skip confirmation for risk types: "+strings.Join(riskTypes, ","))
+}
+
+// riskAccepted reports whether riskType is in acceptedRisks.
+func riskAccepted(riskType string) bool {
+	for _, r := range strings.Split(acceptedRisks, ",") {
+		if r == riskType {
+			return true
+		}
+	}
+	return false
+}
+
+var errAborted = errors.New("aborted, no changes made")
+
+// riskAbortTimeSeconds is the number of seconds to wait after displaying the
+// risk message before continuing with the operation.
+// It is used by the presentRiskToUser function below.
+const riskAbortTimeSeconds = 5
+
+// presentRiskToUser displays the risk message and waits for the user to
+// cancel. It returns errorAborted if the user aborts.
+func presentRiskToUser(riskType, riskMessage string) error {
+	if riskAccepted(riskType) {
+		return nil
+	}
+	fmt.Println(riskMessage)
+	fmt.Printf("To skip this warning, use --accept-risk=%s\n", riskType)
+
+	interrupt := make(chan os.Signal, 1)
+	signal.Notify(interrupt, syscall.SIGINT)
+	var msgLen int
+	for left := riskAbortTimeSeconds; left > 0; left-- {
+		msg := fmt.Sprintf("\rContinuing in %d seconds...", left)
+		msgLen = len(msg)
+		fmt.Print(msg)
+		select {
+		case <-interrupt:
+			fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen+1))
+			return errAborted
+		case <-time.After(time.Second):
+			continue
+		}
+	}
+	fmt.Printf("\r%s\r", strings.Repeat(" ", msgLen))
+	return errAborted
+}

cmd/tailscale/cli/ssh.go

@@ -0,0 +1,211 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"runtime"
+	"strings"
+
+	"github.com/peterbourgon/ff/v3/ffcli"
+	"inet.af/netaddr"
+	"tailscale.com/envknob"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/tsaddr"
+	"tailscale.com/version"
+)
+
+var sshCmd = &ffcli.Command{
+	Name:       "ssh",
+	ShortUsage: "ssh [user@]<host> [args...]",
+	ShortHelp:  "SSH to a Tailscale machine",
+	Exec:       runSSH,
+}
+
+func runSSH(ctx context.Context, args []string) error {
+	if runtime.GOOS == "darwin" && version.IsSandboxedMacOS() && !envknob.UseWIPCode() {
+		return errors.New("The 'tailscale ssh' subcommand is not available on sandboxed macOS builds.\nUse the regular 'ssh' client instead.")
+	}
+	if len(args) == 0 {
+		return errors.New("usage: ssh [user@]<host>")
+	}
+	arg, argRest := args[0], args[1:]
+	username, host, ok := strings.Cut(arg, "@")
+	if !ok {
+		host = arg
+		lu, err := user.Current()
+		if err != nil {
+			return nil
+		}
+		username = lu.Username
+	}
+
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return err
+	}
+
+	// hostForSSH is the hostname we'll tell OpenSSH we're
+	// connecting to, so we have to maintain fewer entries in the
+	// known_hosts files.
+	hostForSSH := host
+	if v, ok := nodeDNSNameFromArg(st, host); ok {
+		hostForSSH = v
+	}
+
+	ssh, err := exec.LookPath("ssh")
+	if err != nil {
+		// TODO(bradfitz): use Go's crypto/ssh client instead
+		// of failing. But for now:
+		return fmt.Errorf("no system 'ssh' command found: %w", err)
+	}
+	tailscaleBin, err := os.Executable()
+	if err != nil {
+		return err
+	}
+	knownHostsFile, err := writeKnownHosts(st)
+	if err != nil {
+		return err
+	}
+
+	argv := []string{ssh}
+
+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		argv = append(argv, "-vvv")
+	}
+	argv = append(argv,
+		// Only trust SSH hosts that we know about.
+		"-o", fmt.Sprintf("UserKnownHostsFile %q", knownHostsFile),
+		"-o", "UpdateHostKeys no",
+		"-o", "StrictHostKeyChecking yes",
+	)
+
+	// TODO(bradfitz): nc is currently broken on macOS:
+	// https://github.com/tailscale/tailscale/issues/4529
+	// So don't use it for now. MagicDNS is usually working on macOS anyway
+	// and they're not in userspace mode, so 'nc' isn't very useful.
+	if runtime.GOOS != "darwin" {
+		argv = append(argv,
+			"-o", fmt.Sprintf("ProxyCommand %q --socket=%q nc %%h %%p",
+				tailscaleBin,
+				rootArgs.socket,
+			))
+	}
+
+	// Explicitly rebuild the user@host argument rather than
+	// passing it through.  In general, the use of OpenSSH's ssh
+	// binary is a crutch for now.  We don't want to be
+	// Hyrum-locked into passing through all OpenSSH flags to the
+	// OpenSSH client forever. We try to make our flags and args
+	// be compatible, but only a subset. The "tailscale ssh"
+	// command should be a simple and portable one. If they want
+	// to use a different one, we'll later be making stock ssh
+	// work well by default too. (doing things like automatically
+	// setting known_hosts, etc)
+	argv = append(argv, username+"@"+hostForSSH)
+
+	argv = append(argv, argRest...)
+
+	if envknob.Bool("TS_DEBUG_SSH_EXEC") {
+		log.Printf("Running: %q, %q ...", ssh, argv)
+	}
+
+	return execSSH(ssh, argv)
+}
+
+func writeKnownHosts(st *ipnstate.Status) (knownHostsFile string, err error) {
+	confDir, err := os.UserConfigDir()
+	if err != nil {
+		return "", err
+	}
+	tsConfDir := filepath.Join(confDir, "tailscale")
+	if err := os.MkdirAll(tsConfDir, 0700); err != nil {
+		return "", err
+	}
+	knownHostsFile = filepath.Join(tsConfDir, "ssh_known_hosts")
+	want := genKnownHosts(st)
+	if cur, err := os.ReadFile(knownHostsFile); err != nil || !bytes.Equal(cur, want) {
+		if err := os.WriteFile(knownHostsFile, want, 0644); err != nil {
+			return "", err
+		}
+	}
+	return knownHostsFile, nil
+}
+
+func genKnownHosts(st *ipnstate.Status) []byte {
+	var buf bytes.Buffer
+	for _, k := range st.Peers() {
+		ps := st.Peer[k]
+		for _, hk := range ps.SSH_HostKeys {
+			hostKey := strings.TrimSpace(hk)
+			if strings.ContainsAny(hostKey, "\n\r") { // invalid
+				continue
+			}
+			fmt.Fprintf(&buf, "%s %s\n", ps.DNSName, hostKey)
+		}
+	}
+	return buf.Bytes()
+}
+
+// nodeDNSNameFromArg returns the PeerStatus.DNSName value from a peer
+// in st that matches the input arg which can be a base name, full
+// DNS name, or an IP.
+func nodeDNSNameFromArg(st *ipnstate.Status, arg string) (dnsName string, ok bool) {
+	if arg == "" {
+		return
+	}
+	argIP, _ := netaddr.ParseIP(arg)
+	for _, ps := range st.Peer {
+		dnsName = ps.DNSName
+		if !argIP.IsZero() {
+			for _, ip := range ps.TailscaleIPs {
+				if ip == argIP {
+					return dnsName, true
+				}
+			}
+			continue
+		}
+		if strings.EqualFold(strings.TrimSuffix(arg, "."), strings.TrimSuffix(dnsName, ".")) {
+			return dnsName, true
+		}
+		if base, _, ok := strings.Cut(ps.DNSName, "."); ok && strings.EqualFold(base, arg) {
+			return dnsName, true
+		}
+	}
+	return "", false
+}
+
+// getSSHClientEnvVar returns the "SSH_CLIENT" environment variable
+// for the current process group, if any.
+var getSSHClientEnvVar = func() string {
+	return ""
+}
+
+// isSSHOverTailscale checks if the invocation is in a SSH session over Tailscale.
+// It is used to detect if the user is about to take an action that might result in them
+// disconnecting from the machine (e.g. disabling SSH)
+func isSSHOverTailscale() bool {
+	sshClient := getSSHClientEnvVar()
+	if sshClient == "" {
+		return false
+	}
+	ipStr, _, ok := strings.Cut(sshClient, " ")
+	if !ok {
+		return false
+	}
+	ip, err := netaddr.ParseIP(ipStr)
+	if err != nil {
+		return false
+	}
+	return tsaddr.IsTailscaleIP(ip)
+}

cmd/tailscale/cli/ssh_exec.go

@@ -0,0 +1,21 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !js && !windows
+// +build !js,!windows
+
+package cli
+
+import (
+	"errors"
+	"os"
+	"syscall"
+)
+
+func execSSH(ssh string, argv []string) error {
+	if err := syscall.Exec(ssh, argv, os.Environ()); err != nil {
+		return err
+	}
+	return errors.New("unreachable")
+}

cmd/tailscale/cli/ssh_exec_js.go

@@ -2,9 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !hermetic
-// +build !hermetic
+package cli
 
-package dnsfallback
+import (
+	"errors"
+)
 
-//go:generate go run update-dns-fallbacks.go
+func execSSH(ssh string, argv []string) error {
+	return errors.New("Not implemented")
+}

cmd/tailscale/cli/ssh_exec_windows.go

@@ -0,0 +1,25 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"errors"
+	"os"
+	"os/exec"
+)
+
+func execSSH(ssh string, argv []string) error {
+	// Don't use syscall.Exec on Windows, it's not fully implemented.
+	cmd := exec.Command(ssh, argv[1:]...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	var ee *exec.ExitError
+	err := cmd.Run()
+	if errors.As(err, &ee) {
+		os.Exit(ee.ExitCode())
+	}
+	return err
+}

cmd/tailscale/cli/ssh_unix.go

@@ -0,0 +1,51 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !js && !windows
+// +build !js,!windows
+
+package cli
+
+import (
+	"bytes"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+
+	"golang.org/x/sys/unix"
+)
+
+func init() {
+	getSSHClientEnvVar = func() string {
+		if os.Getenv("SUDO_USER") == "" {
+			// No sudo, just check the env.
+			return os.Getenv("SSH_CLIENT")
+		}
+		if runtime.GOOS != "linux" {
+			// TODO(maisem): implement this for other platforms. It's not clear
+			// if there is a way to get the environment for a given process on
+			// darwin and bsd.
+			return ""
+		}
+		// SID is the session ID of the user's login session.
+		// It is also the process ID of the original shell that the user logged in with.
+		// We only need to check the environment of that process.
+		sid, err := unix.Getsid(os.Getpid())
+		if err != nil {
+			return ""
+		}
+		b, err := os.ReadFile(filepath.Join("/proc", strconv.Itoa(sid), "environ"))
+		if err != nil {
+			return ""
+		}
+		prefix := []byte("SSH_CLIENT=")
+		for _, env := range bytes.Split(b, []byte{0}) {
+			if bytes.HasPrefix(env, prefix) {
+				return string(env[len(prefix):])
+			}
+		}
+		return ""
+	}
+}

cmd/tailscale/cli/status.go

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"net"
@@ -18,7 +19,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/toqueteos/webbrowser"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
@@ -69,7 +69,14 @@ var statusArgs struct {
 }
 
 func runStatus(ctx context.Context, args []string) error {
-	st, err := tailscale.Status(ctx)
+	if len(args) > 0 {
+		return errors.New("unexpected non-flag arguments to 'tailscale status'")
+	}
+	getStatus := localClient.Status
+	if !statusArgs.peers {
+		getStatus = localClient.StatusWithoutPeers
+	}
+	st, err := getStatus(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -107,7 +114,7 @@ func runStatus(ctx context.Context, args []string) error {
 				http.NotFound(w, r)
 				return
 			}
-			st, err := tailscale.Status(ctx)
+			st, err := localClient.Status(ctx)
 			if err != nil {
 				http.Error(w, err.Error(), 500)
 				return
@@ -121,12 +128,8 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}
 
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		outln(description)
-		os.Exit(1)
-	}
-
+	// print health check information prior to checking LocalBackend state as
+	// it may provide an explanation to the user if we choose to exit early
 	if len(st.Health) > 0 {
 		printf("# Health check:\n")
 		for _, m := range st.Health {
@@ -135,6 +138,12 @@ func runStatus(ctx context.Context, args []string) error {
 		outln()
 	}
 
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		outln(description)
+		os.Exit(1)
+	}
+
 	var buf bytes.Buffer
 	f := func(format string, a ...any) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {

cmd/tailscale/cli/up.go

@@ -7,6 +7,7 @@ package cli
 import (
 	"context"
 	"encoding/base64"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -18,15 +19,15 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -51,7 +52,7 @@ down").
 If flags are specified, the flags must be the complete set of desired
 settings. An error is returned if any setting would be changed as a
 result of an unspecified flag's default value, unless the --reset flag
-is also used. (The flags --authkey, --force-reauth, and --qr are not
+is also used. (The flags --auth-key, --force-reauth, and --qr are not
 considered settings that need to be re-specified when modifying
 settings.)
 `),
@@ -98,9 +99,7 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	upf.StringVar(&upArgs.exitNodeIP, "exit-node", "", "Tailscale exit node (IP or base name) for internet traffic, or empty string to not use an exit node")
 	upf.BoolVar(&upArgs.exitNodeAllowLANAccess, "exit-node-allow-lan-access", false, "Allow direct access to the local network when routing traffic via an exit node")
 	upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
-	if envknob.UseWIPCode() || inTest() {
-		upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
-	}
+	upf.BoolVar(&upArgs.runSSH, "ssh", false, "run an SSH server, permitting access per tailnet admin's declared policy")
 	upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "comma-separated ACL tags to request; each must start with \"tag:\" (e.g. \"tag:eng,tag:montreal,tag:ssh\")")
 	upf.StringVar(&upArgs.authKeyOrFile, "auth-key", "", `node authorization key; if it begins with "file:", then it's a path to a file containing the authkey`)
 	upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
@@ -116,6 +115,8 @@ func newUpFlagSet(goos string, upArgs *upArgsT) *flag.FlagSet {
 	case "windows":
 		upf.BoolVar(&upArgs.forceDaemon, "unattended", false, "run in \"Unattended Mode\" where Tailscale keeps running even after the current GUI user logs out (Windows-only)")
 	}
+	upf.DurationVar(&upArgs.timeout, "timeout", 0, "maximum amount of time to wait for tailscaled to enter a Running state; default (0s) blocks forever")
+	registerAcceptRiskFlag(upf)
 	return upf
 }
 
@@ -148,6 +149,7 @@ type upArgsT struct {
 	hostname               string
 	opUser                 string
 	json                   bool
+	timeout                time.Duration
 }
 
 func (a upArgsT) getAuthKey() (string, error) {
@@ -201,6 +203,26 @@ var (
 	ipv6default = netaddr.MustParseIPPrefix("::/0")
 )
 
+func validateViaPrefix(ipp netaddr.IPPrefix) error {
+	if !tsaddr.IsViaPrefix(ipp) {
+		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
+	}
+	if ipp.Bits() < (128 - 32) {
+		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
+	}
+	a := ipp.IP().As16()
+	// The first 64 bits of a are the via prefix.
+	// The next 32 bits are the "site ID".
+	// The last 32 bits are the IPv4.
+	// For now, we reserve the top 3 bytes of the site ID,
+	// and only allow users to use site IDs 0-255.
+	siteID := binary.BigEndian.Uint32(a[8:12])
+	if siteID > 0xFF {
+		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xff or less", ipp, siteID)
+	}
+	return nil
+}
+
 func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netaddr.IPPrefix, error) {
 	routeMap := map[netaddr.IPPrefix]bool{}
 	if advertiseRoutes != "" {
@@ -214,6 +236,11 @@ func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]
 			if ipp != ipp.Masked() {
 				return nil, fmt.Errorf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
 			}
+			if tsaddr.IsViaPrefix(ipp) {
+				if err := validateViaPrefix(ipp); err != nil {
+					return nil, err
+				}
+			}
 			if ipp == ipv4default {
 				default4 = true
 			} else if ipp == ipv6default {
@@ -382,7 +409,7 @@ func runUp(ctx context.Context, args []string) error {
 		fatalf("too many non-flag arguments: %q", args)
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return fixTailscaledConnectError(err)
 	}
@@ -423,12 +450,12 @@ func runUp(ctx context.Context, args []string) error {
 	}
 
 	if len(prefs.AdvertiseRoutes) > 0 {
-		if err := tailscale.CheckIPForwarding(context.Background()); err != nil {
+		if err := localClient.CheckIPForwarding(context.Background()); err != nil {
 			warnf("%v", err)
 		}
 	}
 
-	curPrefs, err := tailscale.GetPrefs(ctx)
+	curPrefs, err := localClient.GetPrefs(ctx)
 	if err != nil {
 		return err
 	}
@@ -442,12 +469,24 @@ func runUp(ctx context.Context, args []string) error {
 		backendState:  st.BackendState,
 		curExitNodeIP: exitNodeIP(curPrefs, st),
 	}
+
+	if upArgs.runSSH != curPrefs.RunSSH && isSSHOverTailscale() {
+		if upArgs.runSSH {
+			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`)
+		} else {
+			err = presentRiskToUser(riskLoseSSH, `You are connected using Tailscale SSH; this action will result in your session disconnecting.`)
+		}
+		if err != nil {
+			return err
+		}
+	}
+
 	simpleUp, justEditMP, err := updatePrefs(prefs, curPrefs, env)
 	if err != nil {
 		fatalf("%s", err)
 	}
 	if justEditMP != nil {
-		_, err := tailscale.EditPrefs(ctx, justEditMP)
+		_, err := localClient.EditPrefs(ctx, justEditMP)
 		return err
 	}
 
@@ -558,7 +597,7 @@ func runUp(ctx context.Context, args []string) error {
 	// Special case: bare "tailscale up" means to just start
 	// running, if there's ever been a login.
 	if simpleUp {
-		_, err := tailscale.EditPrefs(ctx, &ipn.MaskedPrefs{
+		_, err := localClient.EditPrefs(ctx, &ipn.MaskedPrefs{
 			Prefs: ipn.Prefs{
 				WantRunning: true,
 			},
@@ -568,6 +607,10 @@ func runUp(ctx context.Context, args []string) error {
 			return err
 		}
 	} else {
+		if err := localClient.CheckPrefs(ctx, prefs); err != nil {
+			return err
+		}
+
 		authKey, err := upArgs.getAuthKey()
 		if err != nil {
 			return err
@@ -605,6 +648,12 @@ func runUp(ctx context.Context, args []string) error {
 	// need to prioritize reads from 'running' if it's
 	// readable; its send does happen before the pump mechanism
 	// shuts down. (Issue 2333)
+	var timeoutCh <-chan time.Time
+	if upArgs.timeout > 0 {
+		timeoutTimer := time.NewTimer(upArgs.timeout)
+		defer timeoutTimer.Stop()
+		timeoutCh = timeoutTimer.C
+	}
 	select {
 	case <-running:
 		return nil
@@ -622,6 +671,8 @@ func runUp(ctx context.Context, args []string) error {
 		default:
 		}
 		return err
+	case <-timeoutCh:
+		return errors.New(`timeout waiting for Tailscale service to enter a Running state; check health with "tailscale status"`)
 	}
 }
 
@@ -678,7 +729,7 @@ func addPrefFlagMapping(flagName string, prefNames ...string) {
 // correspond to an ipn.Pref.
 func preflessFlag(flagName string) bool {
 	switch flagName {
-	case "auth-key", "force-reauth", "reset", "qr", "json":
+	case "auth-key", "force-reauth", "reset", "qr", "json", "timeout", "accept-risk":
 		return true
 	}
 	return false

cmd/tailscale/cli/version.go

@@ -10,7 +10,6 @@ import (
 	"fmt"
 
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/version"
 )
 
@@ -41,7 +40,7 @@ func runVersion(ctx context.Context, args []string) error {
 
 	printf("Client: %s\n", version.String())
 
-	st, err := tailscale.StatusWithoutPeers(ctx)
+	st, err := localClient.StatusWithoutPeers(ctx)
 	if err != nil {
 		return err
 	}

cmd/tailscale/cli/web.go

@@ -28,7 +28,6 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"inet.af/netaddr"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/preftype"
@@ -269,15 +268,14 @@ func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
 	}
 	// We need a SynoToken for authenticate.cgi.
 	// So we tell the client to get one.
-	serverURL := r.URL.Scheme + "://" + r.URL.Host
-	synoTokenRedirectHTML.Execute(w, serverURL)
+	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
 	return true
 }
 
-var synoTokenRedirectHTML = template.Must(template.New("redirect").Parse(`<html><body>
+const synoTokenRedirectHTML = `<html><body>
 Redirecting with session token...
 <script>
-var serverURL = {{ . }};
+var serverURL = window.location.protocol + "//" + window.location.host;
 var req = new XMLHttpRequest();
 req.overrideMimeType("application/json");
 req.open("GET", serverURL + "/webman/login.cgi", true);
@@ -289,7 +287,7 @@ req.onload = function() {
 req.send(null);
 </script>
 </body></html>
-`))
+`
 
 func webHandler(w http.ResponseWriter, r *http.Request) {
 	if authRedirect(w, r) {
@@ -319,7 +317,7 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
 			return
 		}
-		prefs, err := tailscale.GetPrefs(r.Context())
+		prefs, err := localClient.GetPrefs(r.Context())
 		if err != nil && !postData.Reauthenticate {
 			w.WriteHeader(http.StatusInternalServerError)
 			json.NewEncoder(w).Encode(mi{"error": err.Error()})
@@ -349,12 +347,12 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	st, err := tailscale.Status(r.Context())
+	st, err := localClient.Status(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	prefs, err := tailscale.GetPrefs(r.Context())
+	prefs, err := localClient.GetPrefs(r.Context())
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -407,7 +405,7 @@ func tailscaleUp(ctx context.Context, prefs *ipn.Prefs, forceReauth bool) (authU
 		prefs.NetfilterMode = preftype.NetfilterOff
 	}
 
-	st, err := tailscale.Status(ctx)
+	st, err := localClient.Status(ctx)
 	if err != nil {
 		return "", fmt.Errorf("can't fetch status: %v", err)
 	}

cmd/tailscale/depaware.txt

@@ -42,7 +42,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
         tailscale.com/derp                                           from tailscale.com/derp/derphttp
         tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck
-   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
         tailscale.com/disco                                          from tailscale.com/derp
         tailscale.com/envknob                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
@@ -56,13 +55,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/net/neterror                                   from tailscale.com/net/netcheck+
         tailscale.com/net/netknob                                    from tailscale.com/net/netns
         tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
+        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
         tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
         tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck
         tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
         tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
      💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
+   L    tailscale.com/net/wsconn                                     from tailscale.com/derp/derphttp
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
         tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
         tailscale.com/syncs                                          from tailscale.com/net/interfaces+
         tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
@@ -87,8 +88,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
    W    tailscale.com/util/endian                                    from tailscale.com/net/netns
         tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-   W    tailscale.com/util/winutil                                   from tailscale.com/hostinfo
-   W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
+   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
         tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
         tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
         tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
@@ -192,7 +192,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         os                                                           from crypto/rand+
         os/exec                                                      from github.com/toqueteos/webbrowser+
         os/signal                                                    from tailscale.com/cmd/tailscale/cli
-        os/user                                                      from tailscale.com/util/groupmember
+        os/user                                                      from tailscale.com/util/groupmember+
         path                                                         from html/template+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+

cmd/tailscaled/depaware.txt

@@ -3,7 +3,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
    W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
    W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-  LD    github.com/anmitsu/go-shlex                                  from github.com/tailscale/ssh
+  LD    github.com/anmitsu/go-shlex                                  from tailscale.com/tempfork/gliderlabs/ssh
    L    github.com/aws/aws-sdk-go-v2                                 from github.com/aws/aws-sdk-go-v2/internal/ini
    L    github.com/aws/aws-sdk-go-v2/aws                             from github.com/aws/aws-sdk-go-v2/aws/middleware+
    L    github.com/aws/aws-sdk-go-v2/aws/arn                         from tailscale.com/ipn/store/awsstore
@@ -76,12 +76,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
    L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
         github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
-   L    github.com/klauspost/compress/flate                          from nhooyr.io/websocket
+        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
         github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
         github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/internal/cpuinfo               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
         github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
         github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+        github.com/kortschak/wol                                     from tailscale.com/ipn/ipnlocal
+  LD    github.com/kr/fs                                             from github.com/pkg/sftp
    L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
    L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
    L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
@@ -89,7 +92,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
      💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
    W    github.com/pkg/errors                                        from github.com/tailscale/certstore
+  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
+  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
    W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
+  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
+  LD 💣 github.com/tailscale/golang-x-crypto/internal/subtle         from github.com/tailscale/golang-x-crypto/chacha20
+  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
+  LD    github.com/tailscale/golang-x-crypto/ssh/internal/bcrypt_pbkdf from github.com/tailscale/golang-x-crypto/ssh
         github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
         github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
         github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
@@ -97,7 +106,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
         github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
    L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
-  LD    github.com/tailscale/ssh                                     from tailscale.com/ssh/tailssh
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
   LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
    L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
@@ -106,7 +114,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
    L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
    L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
      💣 go4.org/intern                                               from inet.af/netaddr
-     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
+     💣 go4.org/mem                                                  from tailscale.com/control/controlbase+
         go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
    W 💣 golang.zx2c4.com/wintun                                      from golang.zx2c4.com/wireguard/tun
      💣 golang.zx2c4.com/wireguard/conn                              from golang.zx2c4.com/wireguard/device+
@@ -127,15 +135,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/linewriter                             from gvisor.dev/gvisor/pkg/log
         gvisor.dev/gvisor/pkg/log                                    from gvisor.dev/gvisor/pkg/context+
         gvisor.dev/gvisor/pkg/rand                                   from gvisor.dev/gvisor/pkg/tcpip/network/hash+
-        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/refsvfs2
-        gvisor.dev/gvisor/pkg/refsvfs2                               from gvisor.dev/gvisor/pkg/tcpip/stack
+        gvisor.dev/gvisor/pkg/refs                                   from gvisor.dev/gvisor/pkg/refsvfs2+
+        gvisor.dev/gvisor/pkg/refsvfs2                               from gvisor.dev/gvisor/pkg/tcpip/stack+
      💣 gvisor.dev/gvisor/pkg/sleep                                  from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
      💣 gvisor.dev/gvisor/pkg/state                                  from gvisor.dev/gvisor/pkg/atomicbitops+
         gvisor.dev/gvisor/pkg/state/wire                             from gvisor.dev/gvisor/pkg/state
      💣 gvisor.dev/gvisor/pkg/sync                                   from gvisor.dev/gvisor/pkg/linewriter+
-        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip                                  from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/adapters/gonet                   from tailscale.com/wgengine/netstack
-     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+     💣 gvisor.dev/gvisor/pkg/tcpip/buffer                           from gvisor.dev/gvisor/pkg/tcpip/header+
         gvisor.dev/gvisor/pkg/tcpip/hash/jenkins                     from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/header                           from gvisor.dev/gvisor/pkg/tcpip/header/parse+
         gvisor.dev/gvisor/pkg/tcpip/header/parse                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv4+
@@ -148,44 +156,43 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         gvisor.dev/gvisor/pkg/tcpip/network/ipv6                     from tailscale.com/wgengine/netstack
         gvisor.dev/gvisor/pkg/tcpip/ports                            from gvisor.dev/gvisor/pkg/tcpip/stack+
         gvisor.dev/gvisor/pkg/tcpip/seqnum                           from gvisor.dev/gvisor/pkg/tcpip/header+
-     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
-        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+     💣 gvisor.dev/gvisor/pkg/tcpip/stack                            from gvisor.dev/gvisor/pkg/tcpip/header/parse+
+        gvisor.dev/gvisor/pkg/tcpip/transport                        from gvisor.dev/gvisor/pkg/tcpip/transport/internal/network+
         gvisor.dev/gvisor/pkg/tcpip/transport/icmp                   from tailscale.com/wgengine/netstack
-        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/internal/network       from gvisor.dev/gvisor/pkg/tcpip/transport/raw+
         gvisor.dev/gvisor/pkg/tcpip/transport/internal/noop          from gvisor.dev/gvisor/pkg/tcpip/transport/raw
         gvisor.dev/gvisor/pkg/tcpip/transport/packet                 from gvisor.dev/gvisor/pkg/tcpip/transport/raw
-        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/icmp+
+        gvisor.dev/gvisor/pkg/tcpip/transport/raw                    from gvisor.dev/gvisor/pkg/tcpip/transport/udp+
      💣 gvisor.dev/gvisor/pkg/tcpip/transport/tcp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
         gvisor.dev/gvisor/pkg/tcpip/transport/tcpconntrack           from gvisor.dev/gvisor/pkg/tcpip/stack
-        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from gvisor.dev/gvisor/pkg/tcpip/adapters/gonet+
+        gvisor.dev/gvisor/pkg/tcpip/transport/udp                    from tailscale.com/net/tstun+
         gvisor.dev/gvisor/pkg/waiter                                 from gvisor.dev/gvisor/pkg/context+
-        inet.af/netaddr                                              from inet.af/wf+
+        inet.af/netaddr                                              from tailscale.com/control/controlclient+
         inet.af/peercred                                             from tailscale.com/ipn/ipnserver
    W 💣 inet.af/wf                                                   from tailscale.com/wf
-   L    nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
-   L    nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-   L    nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
+        nhooyr.io/websocket                                          from tailscale.com/derp/derphttp+
+        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
+        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
         tailscale.com                                                from tailscale.com/version
         tailscale.com/atomicfile                                     from tailscale.com/ipn+
   LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
         tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
-        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
+        tailscale.com/cmd/tailscaled/childproc                       from tailscale.com/ssh/tailssh+
         tailscale.com/control/controlbase                            from tailscale.com/control/controlclient+
-        tailscale.com/control/controlclient                          from tailscale.com/cmd/tailscaled+
+        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
         tailscale.com/control/controlhttp                            from tailscale.com/control/controlclient
         tailscale.com/control/controlknobs                           from tailscale.com/control/controlclient+
         tailscale.com/derp                                           from tailscale.com/derp/derphttp+
-        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscaled+
-   L    tailscale.com/derp/wsconn                                    from tailscale.com/derp/derphttp
+        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
         tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/envknob                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/envknob                                        from tailscale.com/control/controlclient+
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
-        tailscale.com/ipn                                            from tailscale.com/client/tailscale+
-        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ipn/ipnserver+
+        tailscale.com/ipn                                            from tailscale.com/ipn/ipnlocal+
+        tailscale.com/ipn/ipnlocal                                   from tailscale.com/ssh/tailssh+
         tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/control/controlclient+
         tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
         tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/ipn/store                                      from tailscale.com/cmd/tailscaled
@@ -196,40 +203,43 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/log/filelogger                                 from tailscale.com/logpolicy
         tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
         tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/logtail                                        from tailscale.com/cmd/tailscaled+
-        tailscale.com/logtail/backoff                                from tailscale.com/cmd/tailscaled+
+        tailscale.com/logtail                                        from tailscale.com/control/controlclient+
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
         tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
      💣 tailscale.com/metrics                                        from tailscale.com/derp+
-        tailscale.com/net/dns                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
+        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver
         tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
         tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
         tailscale.com/net/dnsfallback                                from tailscale.com/control/controlclient+
         tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/control/controlclient+
         tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
         tailscale.com/net/neterror                                   from tailscale.com/net/dns/resolver+
-        tailscale.com/net/netknob                                    from tailscale.com/logpolicy+
-        tailscale.com/net/netns                                      from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/netknob                                    from tailscale.com/net/netns+
+        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
      💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
         tailscale.com/net/netutil                                    from tailscale.com/ipn/ipnlocal+
         tailscale.com/net/packet                                     from tailscale.com/net/tstun+
-        tailscale.com/net/portmapper                                 from tailscale.com/cmd/tailscaled+
+        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
         tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
         tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
         tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
         tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
         tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-        tailscale.com/net/tsdial                                     from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscaled+
-        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/paths                                          from tailscale.com/client/tailscale+
+        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
+        tailscale.com/net/tstun                                      from tailscale.com/net/dns+
+        tailscale.com/net/wsconn                                     from tailscale.com/control/controlhttp+
+        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
         tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
         tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
         tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/wgengine/netstack
+  LD 💣 tailscale.com/ssh/tailssh                                    from tailscale.com/cmd/tailscaled
         tailscale.com/syncs                                          from tailscale.com/control/controlknobs+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
+        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
+  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
    W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
         tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
      💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
@@ -239,8 +249,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
         tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
         tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/cmd/tailscaled+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/types/key                                      from tailscale.com/control/controlbase+
+        tailscale.com/types/logger                                   from tailscale.com/control/controlclient+
         tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
         tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
         tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
@@ -249,31 +259,31 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/types/preftype                                 from tailscale.com/ipn+
         tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
         tailscale.com/types/views                                    from tailscale.com/ipn/ipnlocal+
-        tailscale.com/util/clientmetric                              from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
   LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
      💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
   LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
         tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
         tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-        tailscale.com/util/multierr                                  from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
+        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
         tailscale.com/util/netconv                                   from tailscale.com/wgengine/magicsock
-        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
         tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
         tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
         tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
         tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
-        tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
-   W 💣 tailscale.com/util/winutil/vss                               from tailscale.com/util/winutil
-        tailscale.com/version                                        from tailscale.com/client/tailscale+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/util/winutil                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/version                                        from tailscale.com/derp+
+        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
    W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
-        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine                                       from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
         tailscale.com/wgengine/magicsock                             from tailscale.com/ipn/ipnlocal+
-        tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscaled+
-        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled
-        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/monitor                               from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/netstack                              from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/router                                from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg                                 from tailscale.com/ipn/ipnlocal+
         tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
@@ -281,19 +291,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
         golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
-  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf
+  LD    golang.org/x/crypto/blowfish                                 from golang.org/x/crypto/ssh/internal/bcrypt_pbkdf+
         golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305+
         golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
         golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
         golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
         golang.org/x/crypto/curve25519                               from crypto/tls+
-  LD    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh
+  LD    golang.org/x/crypto/ed25519                                  from golang.org/x/crypto/ssh+
         golang.org/x/crypto/hkdf                                     from crypto/tls+
         golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
         golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device
+        golang.org/x/crypto/poly1305                                 from golang.zx2c4.com/wireguard/device+
         golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-  LD    golang.org/x/crypto/ssh                                      from github.com/tailscale/ssh+
+  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
         golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
         golang.org/x/net/dns/dnsmessage                              from net+
         golang.org/x/net/http/httpguts                               from golang.org/x/net/http2+
@@ -311,8 +321,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
   LD    golang.org/x/sys/unix                                        from github.com/insomniacslk/dhcp/interfaces+
    W    golang.org/x/sys/windows                                     from github.com/go-ole/go-ole+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
+   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
    W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
+   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
    W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
         golang.org/x/term                                            from tailscale.com/logpolicy
         golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
@@ -344,10 +355,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         crypto/sha256                                                from crypto/tls+
         crypto/sha512                                                from crypto/ecdsa+
         crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from github.com/aws/aws-sdk-go-v2/aws/transport/http+
+        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
         crypto/x509                                                  from crypto/tls+
         crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from crypto/elliptic+
+        embed                                                        from tailscale.com+
         encoding                                                     from encoding/json+
         encoding/asn1                                                from crypto/x509+
         encoding/base64                                              from encoding/json+
@@ -355,19 +366,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         encoding/hex                                                 from crypto/x509+
         encoding/json                                                from expvar+
         encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from github.com/aws/aws-sdk-go-v2/aws/protocol/xml+
+        encoding/xml                                                 from github.com/tailscale/goupnp+
         errors                                                       from bufio+
         expvar                                                       from tailscale.com/derp+
-        flag                                                         from tailscale.com/cmd/tailscaled+
+        flag                                                         from tailscale.com/control/controlclient+
         fmt                                                          from compress/flate+
         hash                                                         from crypto+
         hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from gvisor.dev/gvisor/pkg/tcpip/network/ipv6+
+        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
         hash/maphash                                                 from go4.org/mem
-        html                                                         from net/http/pprof+
+        html                                                         from tailscale.com/ipn/ipnlocal+
         io                                                           from bufio+
         io/fs                                                        from crypto/rand+
-        io/ioutil                                                    from github.com/aws/aws-sdk-go-v2/aws/protocol/query+
+        io/ioutil                                                    from github.com/godbus/dbus/v5+
         log                                                          from expvar+
   LD    log/syslog                                                   from tailscale.com/ssh/tailssh
         math                                                         from compress/flate+
@@ -384,19 +395,19 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         net/http/internal                                            from net/http+
         net/http/pprof                                               from tailscale.com/cmd/tailscaled+
         net/netip                                                    from golang.zx2c4.com/wireguard/conn+
-        net/textproto                                                from github.com/aws/aws-sdk-go-v2/aws/signer/v4+
+        net/textproto                                                from golang.org/x/net/http/httpguts+
         net/url                                                      from crypto/x509+
         os                                                           from crypto/rand+
-        os/exec                                                      from github.com/aws/aws-sdk-go-v2/credentials/processcreds+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
         os/signal                                                    from tailscale.com/cmd/tailscaled+
         os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds+
+        path                                                         from github.com/godbus/dbus/v5+
         path/filepath                                                from crypto/x509+
         reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/aws/aws-sdk-go-v2/internal/endpoints/v2+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
         regexp/syntax                                                from regexp
-        runtime/debug                                                from github.com/klauspost/compress/zstd+
-        runtime/pprof                                                from net/http/pprof+
+        runtime/debug                                                from golang.org/x/sync/singleflight+
+        runtime/pprof                                                from tailscale.com/log/logheap+
         runtime/trace                                                from net/http/pprof
         sort                                                         from compress/flate+
         strconv                                                      from compress/flate+

cmd/tailscaled/ssh.go

@@ -0,0 +1,11 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build linux || darwin
+// +build linux darwin
+
+package main
+
+// Force registration of tailssh with LocalBackend.
+import _ "tailscale.com/ssh/tailssh"

cmd/tailscaled/tailscaled.go

@@ -25,7 +25,6 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
-	"runtime/debug"
 	"strings"
 	"syscall"
 	"time"
@@ -130,14 +129,6 @@ var subCommands = map[string]*func([]string) error{
 }
 
 func main() {
-	// We aren't very performance sensitive, and the parts that are
-	// performance sensitive (wireguard) try hard not to do any memory
-	// allocations. So let's be aggressive about garbage collection,
-	// unless the user specifically overrides it in the usual way.
-	if _, ok := os.LookupEnv("GOGC"); !ok {
-		debug.SetGCPercent(10)
-	}
-
 	printVersion := false
 	flag.IntVar(&args.verbose, "verbose", 0, "log verbosity level; 0 is default, 1 or higher are increasingly verbose")
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
@@ -146,7 +137,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state")
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -167,13 +158,12 @@ func main() {
 		}
 	}
 
-	if beWindowsSubprocess() {
-		return
-	}
-
 	flag.Parse()
 	if flag.NArg() > 0 {
-		log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
+		// Windows subprocess is spawned with /subprocess, so we need to avoid this check there.
+		if runtime.GOOS != "windows" || flag.Arg(0) != "/subproc" {
+			log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
+		}
 	}
 
 	if printVersion {
@@ -181,9 +171,6 @@ func main() {
 		os.Exit(0)
 	}
 
-	if runtime.GOOS == "darwin" && runtime.Version() == "go1.18" {
-		log.Fatalf("tailscaled is broken on macOS with go1.18 due to upstream bug https://github.com/golang/go/issues/51759; use 1.18.1+ or Tailscale's Go fork")
-	}
 	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") && !args.cleanup {
 		log.SetFlags(0)
 		log.Fatalf("tailscaled requires root; use sudo tailscaled (or use --tun=userspace-networking)")
@@ -199,6 +186,16 @@ func main() {
 		log.Fatalf("--bird-socket is not supported on %s", runtime.GOOS)
 	}
 
+	// Only apply a default statepath when neither have been provided, so that a
+	// user may specify only --statedir if they wish.
+	if args.statepath == "" && args.statedir == "" {
+		args.statepath = paths.DefaultTailscaledStateFile()
+	}
+
+	if beWindowsSubprocess() {
+		return
+	}
+
 	err := run()
 
 	// Remove file sharing from Windows shell (noop in non-windows)
@@ -344,6 +341,7 @@ func run() error {
 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)
 
 	dialer := new(tsdial.Dialer) // mutated below (before used)
+	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
@@ -353,7 +351,7 @@ func run() error {
 	}
 	if debugMux != nil {
 		if ig, ok := e.(wgengine.InternalsGetter); ok {
-			if _, mc, ok := ig.GetInternals(); ok {
+			if _, mc, _, ok := ig.GetInternals(); ok {
 				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
 			}
 		}
@@ -406,6 +404,7 @@ func run() error {
 	// want to keep running.
 	signal.Ignore(syscall.SIGPIPE)
 	go func() {
+		defer dialer.Close()
 		select {
 		case s := <-interrupt:
 			logf("tailscaled got signal %v; shutting down", s)
@@ -576,11 +575,11 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 }
 
 func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
-	tunDev, magicConn, ok := e.(wgengine.InternalsGetter).GetInternals()
+	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
 	if !ok {
 		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
 	}
-	return netstack.Create(logf, tunDev, e, magicConn, dialer)
+	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
 }
 
 // mustStartProxyListeners creates listeners for local SOCKS and HTTP

cmd/tailscaled/tailscaled_windows.go

@@ -30,6 +30,7 @@ import (
 
 	"golang.org/x/sys/windows"
 	"golang.org/x/sys/windows/svc"
+	"golang.org/x/sys/windows/svc/eventlog"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
 	"tailscale.com/envknob"
@@ -60,12 +61,31 @@ func isWindowsService() bool {
 	return v
 }
 
+// syslogf is a logger function that writes to the Windows event log (ie, the
+// one that you see in the Windows Event Viewer). tailscaled may optionally
+// generate diagnostic messages in the same event timeline as the Windows
+// Service Control Manager to assist with diagnosing issues with tailscaled's
+// lifetime (such as slow shutdowns).
+var syslogf logger.Logf = logger.Discard
+
 // runWindowsService starts running Tailscale under the Windows
 // Service environment.
 //
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
+	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
+		syslog, err := eventlog.Open(serviceName)
+		if err == nil {
+			syslogf = func(format string, args ...any) {
+				syslog.Info(0, fmt.Sprintf(format, args...))
+			}
+			defer syslog.Close()
+		}
+	}
+
+	syslogf("Service entering svc.Run")
+	defer syslogf("Service exiting svc.Run")
 	return svc.Run(serviceName, &ipnService{Policy: pol})
 }
 
@@ -75,7 +95,10 @@ type ipnService struct {
 
 // Called by Windows to execute the windows service.
 func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, changes chan<- svc.Status) (bool, uint32) {
+	defer syslogf("SvcStopped notification imminent")
+
 	changes <- svc.Status{State: svc.StartPending}
+	syslogf("Service start pending")
 
 	svcAccepts := svc.AcceptStop
 	if winutil.GetPolicyInteger("FlushDNSOnSessionUnlock", 0) != 0 {
@@ -98,26 +121,29 @@ func (service *ipnService) Execute(args []string, r <-chan svc.ChangeRequest, ch
 	}()
 
 	changes <- svc.Status{State: svc.Running, Accepts: svcAccepts}
+	syslogf("Service running")
 
-	for ctx.Err() == nil {
+	for {
 		select {
 		case <-doneCh:
+			return false, windows.NO_ERROR
 		case cmd := <-r:
 			log.Printf("Got Windows Service event: %v", cmdName(cmd.Cmd))
 			switch cmd.Cmd {
 			case svc.Stop:
-				cancel()
+				changes <- svc.Status{State: svc.StopPending}
+				syslogf("Service stop pending")
+				cancel() // so BabysitProc will kill the child process
 			case svc.Interrogate:
+				syslogf("Service interrogation")
 				changes <- cmd.CurrentStatus
 			case svc.SessionChange:
+				syslogf("Service session change notification")
 				handleSessionChange(cmd)
 				changes <- cmd.CurrentStatus
 			}
 		}
 	}
-
-	changes <- svc.Status{State: svc.StopPending}
-	return false, windows.NO_ERROR
 }
 
 func cmdName(c svc.Cmd) string {
@@ -234,19 +260,19 @@ func startIPNServer(ctx context.Context, logid string) error {
 
 	linkMon, err := monitor.New(logf)
 	if err != nil {
-		return err
+		return fmt.Errorf("monitor: %w", err)
 	}
 	dialer := new(tsdial.Dialer)
 
-	getEngineRaw := func() (wgengine.Engine, error) {
+	getEngineRaw := func() (wgengine.Engine, *netstack.Impl, error) {
 		dev, devName, err := tstun.New(logf, "Tailscale")
 		if err != nil {
-			return nil, fmt.Errorf("TUN: %w", err)
+			return nil, nil, fmt.Errorf("TUN: %w", err)
 		}
 		r, err := router.New(logf, dev, nil)
 		if err != nil {
 			dev.Close()
-			return nil, fmt.Errorf("router: %w", err)
+			return nil, nil, fmt.Errorf("router: %w", err)
 		}
 		if wrapNetstack {
 			r = netstack.NewSubnetRouterWrapper(r)
@@ -255,7 +281,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 		if err != nil {
 			r.Close()
 			dev.Close()
-			return nil, fmt.Errorf("DNS: %w", err)
+			return nil, nil, fmt.Errorf("DNS: %w", err)
 		}
 		eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 			Tun:         dev,
@@ -268,23 +294,24 @@ func startIPNServer(ctx context.Context, logid string) error {
 		if err != nil {
 			r.Close()
 			dev.Close()
-			return nil, fmt.Errorf("engine: %w", err)
+			return nil, nil, fmt.Errorf("engine: %w", err)
 		}
 		ns, err := newNetstack(logf, dialer, eng)
 		if err != nil {
-			return nil, fmt.Errorf("newNetstack: %w", err)
+			return nil, nil, fmt.Errorf("newNetstack: %w", err)
 		}
 		ns.ProcessLocalIPs = false
 		ns.ProcessSubnets = wrapNetstack
 		if err := ns.Start(); err != nil {
-			return nil, fmt.Errorf("failed to start netstack: %w", err)
+			return nil, nil, fmt.Errorf("failed to start netstack: %w", err)
 		}
-		return wgengine.NewWatchdog(eng), nil
+		return wgengine.NewWatchdog(eng), ns, nil
 	}
 
 	type engineOrError struct {
-		Engine wgengine.Engine
-		Err    error
+		Engine   wgengine.Engine
+		Netstack *netstack.Impl
+		Err      error
 	}
 	engErrc := make(chan engineOrError)
 	t0 := time.Now()
@@ -293,7 +320,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 		for try := 1; ; try++ {
 			logf("tailscaled: getting engine... (try %v)", try)
 			t1 := time.Now()
-			eng, err := getEngineRaw()
+			eng, ns, err := getEngineRaw()
 			d, dt := time.Since(t1).Round(ms), time.Since(t1).Round(ms)
 			if err != nil {
 				logf("tailscaled: engine fetch error (try %v) in %v (total %v, sysUptime %v): %v",
@@ -306,7 +333,7 @@ func startIPNServer(ctx context.Context, logid string) error {
 				}
 			}
 			timer := time.NewTimer(5 * time.Second)
-			engErrc <- engineOrError{eng, err}
+			engErrc <- engineOrError{eng, ns, err}
 			if err == nil {
 				timer.Stop()
 				return
@@ -318,14 +345,14 @@ func startIPNServer(ctx context.Context, logid string) error {
 	// getEngine is called by ipnserver to get the engine. It's
 	// not called concurrently and is not called again once it
 	// successfully returns an engine.
-	getEngine := func() (wgengine.Engine, error) {
+	getEngine := func() (wgengine.Engine, *netstack.Impl, error) {
 		if msg := envknob.String("TS_DEBUG_WIN_FAIL"); msg != "" {
-			return nil, fmt.Errorf("pretending to be a service failure: %v", msg)
+			return nil, nil, fmt.Errorf("pretending to be a service failure: %v", msg)
 		}
 		for {
 			res := <-engErrc
 			if res.Engine != nil {
-				return res.Engine, nil
+				return res.Engine, res.Netstack, nil
 			}
 			if time.Since(t0) < time.Minute || windowsUptime() < 10*time.Minute {
 				// Ignore errors during early boot. Windows 10 auto logs in the GUI
@@ -336,12 +363,12 @@ func startIPNServer(ctx context.Context, logid string) error {
 			}
 			// Return nicer errors to users, annotated with logids, which helps
 			// when they file bugs.
-			return nil, fmt.Errorf("%w\n\nlogid: %v", res.Err, logid)
+			return nil, nil, fmt.Errorf("%w\n\nlogid: %v", res.Err, logid)
 		}
 	}
 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
-		return err
+		return fmt.Errorf("store: %w", err)
 	}
 
 	ln, _, err := safesocket.Listen(args.socketpath, safesocket.WindowsLocalPort)

cmd/tsshd/tsshd.go

@@ -2,177 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-//go:build !windows
-// +build !windows
+//go:build ignore
+// +build ignore
 
-// The tsshd binary is an SSH server that accepts connections
+// The tsshd binary was an experimental SSH server that accepts connections
 // from anybody on the same Tailscale network.
 //
-// It does not use passwords or SSH public key.
+// Its functionality moved into tailscaled.
 //
-// Any user name is accepted; users are logged in as whoever is
-// running this daemon.
-//
-// Warning: use at your own risk. This code has had very few eyeballs
-// on it.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"net"
-	"os"
-	"os/exec"
-	"syscall"
-	"time"
-	"unsafe"
-
-	"github.com/creack/pty"
-	"github.com/tailscale/ssh"
-	gossh "golang.org/x/crypto/ssh"
-	"inet.af/netaddr"
-	"tailscale.com/net/interfaces"
-	"tailscale.com/net/tsaddr"
-)
-
-var (
-	port    = flag.Int("port", 2200, "port to listen on")
-	hostKey = flag.String("hostkey", "", "SSH host key")
-)
-
-func main() {
-	flag.Parse()
-	if *hostKey == "" {
-		log.Fatalf("missing required --hostkey")
-	}
-	hostKey, err := ioutil.ReadFile(*hostKey)
-	if err != nil {
-		log.Fatal(err)
-	}
-	signer, err := gossh.ParsePrivateKey(hostKey)
-	if err != nil {
-		log.Printf("failed to parse SSH host key: %v", err)
-		return
-	}
-
-	warned := false
-	for {
-		addrs, iface, err := interfaces.Tailscale()
-		if err != nil {
-			log.Fatalf("listing interfaces: %v", err)
-		}
-		if len(addrs) == 0 {
-			if !warned {
-				log.Printf("no tailscale interface found; polling until one is available")
-				warned = true
-			}
-			// TODO: use netlink or other OS-specific mechanism to efficiently
-			// wait for change in interfaces. Polling every N seconds is good enough
-			// for now.
-			time.Sleep(5 * time.Second)
-			continue
-		}
-		warned = false
-		var addr netaddr.IP
-		for _, a := range addrs {
-			if a.Is4() {
-				addr = a
-				break
-			}
-		}
-		listen := net.JoinHostPort(addr.String(), fmt.Sprint(*port))
-		log.Printf("tailscale ssh server listening on %v, %v", iface.Name, listen)
-		s := &ssh.Server{
-			Addr:    listen,
-			Handler: handleSSH,
-		}
-		s.AddHostKey(signer)
-
-		err = s.ListenAndServe()
-		log.Fatalf("tailscale sshd failed: %v", err)
-	}
-
-}
-
-func handleSSH(s ssh.Session) {
-	user := s.User()
-	addr := s.RemoteAddr()
-	ta, ok := addr.(*net.TCPAddr)
-	if !ok {
-		log.Printf("tsshd: rejecting non-TCP addr %T %v", addr, addr)
-		s.Exit(1)
-		return
-	}
-	tanetaddr, ok := netaddr.FromStdIP(ta.IP)
-	if !ok {
-		log.Printf("tsshd: rejecting unparseable addr %v", ta.IP)
-		s.Exit(1)
-		return
-	}
-	if !tsaddr.IsTailscaleIP(tanetaddr) {
-		log.Printf("tsshd: rejecting non-Tailscale addr %v", ta.IP)
-		s.Exit(1)
-		return
-	}
-
-	log.Printf("new session for %q from %v", user, ta)
-	defer log.Printf("closing session for %q from %v", user, ta)
-	ptyReq, winCh, isPty := s.Pty()
-	if !isPty {
-		fmt.Fprintf(s, "TODO scp etc")
-		s.Exit(1)
-		return
-	}
-
-	userWantsShell := len(s.Command()) == 0
-
-	if userWantsShell {
-		shell, err := shellOfUser(s.User())
-		if err != nil {
-			fmt.Fprintf(s, "failed to find shell: %v\n", err)
-			s.Exit(1)
-			return
-		}
-		cmd := exec.Command(shell)
-		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
-		f, err := pty.Start(cmd)
-		if err != nil {
-			log.Printf("running shell: %v", err)
-			s.Exit(1)
-			return
-		}
-		defer f.Close()
-		go func() {
-			for win := range winCh {
-				setWinsize(f, win.Width, win.Height)
-			}
-		}()
-		go func() {
-			io.Copy(f, s) // stdin
-		}()
-		io.Copy(s, f) // stdout
-		cmd.Process.Kill()
-		if err := cmd.Wait(); err != nil {
-			s.Exit(1)
-		} else {
-			s.Exit(0)
-		}
-		return
-	}
-
-	fmt.Fprintf(s, "TODO: args\n")
-	s.Exit(1)
-}
-
-func shellOfUser(user string) (string, error) {
-	// TODO
-	return "/bin/bash", nil
-}
-
-func setWinsize(f *os.File, w, h int) {
-	syscall.Syscall(syscall.SYS_IOCTL, f.Fd(), uintptr(syscall.TIOCSWINSZ),
-		uintptr(unsafe.Pointer(&struct{ h, w, x, y uint16 }{uint16(h), uint16(w), 0, 0})))
-}
+// See https://github.com/tailscale/tailscale/issues/3802

cmd/tsshd/tsshd_windows.go

@@ -1,12 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build windows
-// +build windows
-
-package main
-
-func main() {
-	panic("tsshd does not work on windows yet")
-}

cmd/viewer/tests/tests.go

@@ -0,0 +1,59 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package tests serves a list of tests for tailscale.com/cmd/viewer.
+package tests
+
+import (
+	"fmt"
+
+	"inet.af/netaddr"
+)
+
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+
+type StructWithoutPtrs struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}
+
+type Map struct {
+	Int                 map[string]int
+	SliceInt            map[string][]int
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
+	SlicesWithPtrs      map[string][]*StructWithPtrs
+	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
+	StructWithoutPtrKey map[StructWithoutPtrs]int `json:"-"`
+
+	// Unsupported.
+	SliceIntPtr      map[string][]*int
+	PointerKey       map[*string]int        `json:"-"`
+	StructWithPtrKey map[StructWithPtrs]int `json:"-"`
+}
+
+type StructWithPtrs struct {
+	Value *StructWithoutPtrs
+	Int   *int
+
+	NoCloneValue *StructWithoutPtrs `codegen:"noclone"`
+}
+
+func (v *StructWithPtrs) String() string { return fmt.Sprintf("%v", v.Int) }
+
+func (v *StructWithPtrs) Equal(v2 *StructWithPtrs) bool {
+	return v.Value == v2.Value
+}
+
+type StructWithSlices struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+
+	Slice    []string
+	Prefixes []netaddr.IPPrefix
+	Data     []byte
+}

cmd/viewer/tests/tests_clone.go

@@ -0,0 +1,183 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner; DO NOT EDIT.
+
+package tests
+
+import (
+	"inet.af/netaddr"
+)
+
+// Clone makes a deep copy of StructWithPtrs.
+// The result aliases no memory with the original.
+func (src *StructWithPtrs) Clone() *StructWithPtrs {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithPtrs)
+	*dst = *src
+	if dst.Value != nil {
+		dst.Value = new(StructWithoutPtrs)
+		*dst.Value = *src.Value
+	}
+	if dst.Int != nil {
+		dst.Int = new(int)
+		*dst.Int = *src.Int
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithPtrsCloneNeedsRegeneration = StructWithPtrs(struct {
+	Value        *StructWithoutPtrs
+	Int          *int
+	NoCloneValue *StructWithoutPtrs
+}{})
+
+// Clone makes a deep copy of StructWithoutPtrs.
+// The result aliases no memory with the original.
+func (src *StructWithoutPtrs) Clone() *StructWithoutPtrs {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithoutPtrs)
+	*dst = *src
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithoutPtrsCloneNeedsRegeneration = StructWithoutPtrs(struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}{})
+
+// Clone makes a deep copy of Map.
+// The result aliases no memory with the original.
+func (src *Map) Clone() *Map {
+	if src == nil {
+		return nil
+	}
+	dst := new(Map)
+	*dst = *src
+	if dst.Int != nil {
+		dst.Int = map[string]int{}
+		for k, v := range src.Int {
+			dst.Int[k] = v
+		}
+	}
+	if dst.SliceInt != nil {
+		dst.SliceInt = map[string][]int{}
+		for k := range src.SliceInt {
+			dst.SliceInt[k] = append([]int{}, src.SliceInt[k]...)
+		}
+	}
+	if dst.StructWithPtr != nil {
+		dst.StructWithPtr = map[string]*StructWithPtrs{}
+		for k, v := range src.StructWithPtr {
+			dst.StructWithPtr[k] = v.Clone()
+		}
+	}
+	if dst.StructWithoutPtr != nil {
+		dst.StructWithoutPtr = map[string]*StructWithoutPtrs{}
+		for k, v := range src.StructWithoutPtr {
+			dst.StructWithoutPtr[k] = v.Clone()
+		}
+	}
+	if dst.SlicesWithPtrs != nil {
+		dst.SlicesWithPtrs = map[string][]*StructWithPtrs{}
+		for k := range src.SlicesWithPtrs {
+			dst.SlicesWithPtrs[k] = append([]*StructWithPtrs{}, src.SlicesWithPtrs[k]...)
+		}
+	}
+	if dst.SlicesWithoutPtrs != nil {
+		dst.SlicesWithoutPtrs = map[string][]*StructWithoutPtrs{}
+		for k := range src.SlicesWithoutPtrs {
+			dst.SlicesWithoutPtrs[k] = append([]*StructWithoutPtrs{}, src.SlicesWithoutPtrs[k]...)
+		}
+	}
+	if dst.StructWithoutPtrKey != nil {
+		dst.StructWithoutPtrKey = map[StructWithoutPtrs]int{}
+		for k, v := range src.StructWithoutPtrKey {
+			dst.StructWithoutPtrKey[k] = v
+		}
+	}
+	if dst.SliceIntPtr != nil {
+		dst.SliceIntPtr = map[string][]*int{}
+		for k := range src.SliceIntPtr {
+			dst.SliceIntPtr[k] = append([]*int{}, src.SliceIntPtr[k]...)
+		}
+	}
+	if dst.PointerKey != nil {
+		dst.PointerKey = map[*string]int{}
+		for k, v := range src.PointerKey {
+			dst.PointerKey[k] = v
+		}
+	}
+	if dst.StructWithPtrKey != nil {
+		dst.StructWithPtrKey = map[StructWithPtrs]int{}
+		for k, v := range src.StructWithPtrKey {
+			dst.StructWithPtrKey[k] = v
+		}
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _MapCloneNeedsRegeneration = Map(struct {
+	Int                 map[string]int
+	SliceInt            map[string][]int
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
+	SlicesWithPtrs      map[string][]*StructWithPtrs
+	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
+	StructWithoutPtrKey map[StructWithoutPtrs]int
+	SliceIntPtr         map[string][]*int
+	PointerKey          map[*string]int
+	StructWithPtrKey    map[StructWithPtrs]int
+}{})
+
+// Clone makes a deep copy of StructWithSlices.
+// The result aliases no memory with the original.
+func (src *StructWithSlices) Clone() *StructWithSlices {
+	if src == nil {
+		return nil
+	}
+	dst := new(StructWithSlices)
+	*dst = *src
+	dst.Values = append(src.Values[:0:0], src.Values...)
+	dst.ValuePointers = make([]*StructWithoutPtrs, len(src.ValuePointers))
+	for i := range dst.ValuePointers {
+		dst.ValuePointers[i] = src.ValuePointers[i].Clone()
+	}
+	dst.StructPointers = make([]*StructWithPtrs, len(src.StructPointers))
+	for i := range dst.StructPointers {
+		dst.StructPointers[i] = src.StructPointers[i].Clone()
+	}
+	dst.Structs = make([]StructWithPtrs, len(src.Structs))
+	for i := range dst.Structs {
+		dst.Structs[i] = *src.Structs[i].Clone()
+	}
+	dst.Ints = make([]*int, len(src.Ints))
+	for i := range dst.Ints {
+		x := *src.Ints[i]
+		dst.Ints[i] = &x
+	}
+	dst.Slice = append(src.Slice[:0:0], src.Slice...)
+	dst.Prefixes = append(src.Prefixes[:0:0], src.Prefixes...)
+	dst.Data = append(src.Data[:0:0], src.Data...)
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithSlicesCloneNeedsRegeneration = StructWithSlices(struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+	Slice          []string
+	Prefixes       []netaddr.IPPrefix
+	Data           []byte
+}{})

cmd/viewer/tests/tests_view.go

@@ -0,0 +1,316 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale/cmd/viewer; DO NOT EDIT.
+
+package tests
+
+import (
+	"encoding/json"
+	"errors"
+
+	"go4.org/mem"
+	"inet.af/netaddr"
+	"tailscale.com/types/views"
+)
+
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices
+
+// View returns a readonly view of StructWithPtrs.
+func (p *StructWithPtrs) View() StructWithPtrsView {
+	return StructWithPtrsView{ж: p}
+}
+
+// StructWithPtrsView provides a read-only view over StructWithPtrs.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithPtrsView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithPtrs
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithPtrsView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithPtrsView) AsStruct() *StructWithPtrs {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithPtrsView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithPtrs
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithPtrsView) Value() *StructWithoutPtrs {
+	if v.ж.Value == nil {
+		return nil
+	}
+	x := *v.ж.Value
+	return &x
+}
+
+func (v StructWithPtrsView) Int() *int {
+	if v.ж.Int == nil {
+		return nil
+	}
+	x := *v.ж.Int
+	return &x
+}
+
+func (v StructWithPtrsView) NoCloneValue() *StructWithoutPtrs { return v.ж.NoCloneValue }
+func (v StructWithPtrsView) String() string                   { return v.ж.String() }
+func (v StructWithPtrsView) Equal(v2 StructWithPtrsView) bool { return v.ж.Equal(v2.ж) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithPtrsViewNeedsRegeneration = StructWithPtrs(struct {
+	Value        *StructWithoutPtrs
+	Int          *int
+	NoCloneValue *StructWithoutPtrs
+}{})
+
+// View returns a readonly view of StructWithoutPtrs.
+func (p *StructWithoutPtrs) View() StructWithoutPtrsView {
+	return StructWithoutPtrsView{ж: p}
+}
+
+// StructWithoutPtrsView provides a read-only view over StructWithoutPtrs.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithoutPtrsView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithoutPtrs
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithoutPtrsView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithoutPtrsView) AsStruct() *StructWithoutPtrs {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithoutPtrsView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithoutPtrsView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithoutPtrs
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithoutPtrsView) Int() int              { return v.ж.Int }
+func (v StructWithoutPtrsView) Pfx() netaddr.IPPrefix { return v.ж.Pfx }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithoutPtrsViewNeedsRegeneration = StructWithoutPtrs(struct {
+	Int int
+	Pfx netaddr.IPPrefix
+}{})
+
+// View returns a readonly view of Map.
+func (p *Map) View() MapView {
+	return MapView{ж: p}
+}
+
+// MapView provides a read-only view over Map.
+//
+// Its methods should only be called if `Valid()` returns true.
+type MapView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *Map
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v MapView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v MapView) AsStruct() *Map {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v MapView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *MapView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x Map
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v MapView) Int() views.Map[string, int] { return views.MapOf(v.ж.Int) }
+
+func (v MapView) SliceInt() views.MapFn[string, []int, views.Slice[int]] {
+	return views.MapFnOf(v.ж.SliceInt, func(t []int) views.Slice[int] {
+		return views.SliceOf(t)
+	})
+}
+
+func (v MapView) StructWithPtr() views.MapFn[string, *StructWithPtrs, StructWithPtrsView] {
+	return views.MapFnOf(v.ж.StructWithPtr, func(t *StructWithPtrs) StructWithPtrsView {
+		return t.View()
+	})
+}
+
+func (v MapView) StructWithoutPtr() views.MapFn[string, *StructWithoutPtrs, StructWithoutPtrsView] {
+	return views.MapFnOf(v.ж.StructWithoutPtr, func(t *StructWithoutPtrs) StructWithoutPtrsView {
+		return t.View()
+	})
+}
+
+func (v MapView) SlicesWithPtrs() views.MapFn[string, []*StructWithPtrs, views.SliceView[*StructWithPtrs, StructWithPtrsView]] {
+	return views.MapFnOf(v.ж.SlicesWithPtrs, func(t []*StructWithPtrs) views.SliceView[*StructWithPtrs, StructWithPtrsView] {
+		return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](t)
+	})
+}
+
+func (v MapView) SlicesWithoutPtrs() views.MapFn[string, []*StructWithoutPtrs, views.SliceView[*StructWithoutPtrs, StructWithoutPtrsView]] {
+	return views.MapFnOf(v.ж.SlicesWithoutPtrs, func(t []*StructWithoutPtrs) views.SliceView[*StructWithoutPtrs, StructWithoutPtrsView] {
+		return views.SliceOfViews[*StructWithoutPtrs, StructWithoutPtrsView](t)
+	})
+}
+
+func (v MapView) StructWithoutPtrKey() views.Map[StructWithoutPtrs, int] {
+	return views.MapOf(v.ж.StructWithoutPtrKey)
+}
+func (v MapView) SliceIntPtr() map[string][]*int           { panic("unsupported") }
+func (v MapView) PointerKey() map[*string]int              { panic("unsupported") }
+func (v MapView) StructWithPtrKey() map[StructWithPtrs]int { panic("unsupported") }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _MapViewNeedsRegeneration = Map(struct {
+	Int                 map[string]int
+	SliceInt            map[string][]int
+	StructWithPtr       map[string]*StructWithPtrs
+	StructWithoutPtr    map[string]*StructWithoutPtrs
+	SlicesWithPtrs      map[string][]*StructWithPtrs
+	SlicesWithoutPtrs   map[string][]*StructWithoutPtrs
+	StructWithoutPtrKey map[StructWithoutPtrs]int
+	SliceIntPtr         map[string][]*int
+	PointerKey          map[*string]int
+	StructWithPtrKey    map[StructWithPtrs]int
+}{})
+
+// View returns a readonly view of StructWithSlices.
+func (p *StructWithSlices) View() StructWithSlicesView {
+	return StructWithSlicesView{ж: p}
+}
+
+// StructWithSlicesView provides a read-only view over StructWithSlices.
+//
+// Its methods should only be called if `Valid()` returns true.
+type StructWithSlicesView struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *StructWithSlices
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v StructWithSlicesView) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v StructWithSlicesView) AsStruct() *StructWithSlices {
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v StructWithSlicesView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *StructWithSlicesView) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x StructWithSlices
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж = &x
+	return nil
+}
+
+func (v StructWithSlicesView) Values() views.Slice[StructWithoutPtrs] {
+	return views.SliceOf(v.ж.Values)
+}
+func (v StructWithSlicesView) ValuePointers() views.SliceView[*StructWithoutPtrs, StructWithoutPtrsView] {
+	return views.SliceOfViews[*StructWithoutPtrs, StructWithoutPtrsView](v.ж.ValuePointers)
+}
+func (v StructWithSlicesView) StructPointers() views.SliceView[*StructWithPtrs, StructWithPtrsView] {
+	return views.SliceOfViews[*StructWithPtrs, StructWithPtrsView](v.ж.StructPointers)
+}
+func (v StructWithSlicesView) Structs() StructWithPtrs    { panic("unsupported") }
+func (v StructWithSlicesView) Ints() *int                 { panic("unsupported") }
+func (v StructWithSlicesView) Slice() views.Slice[string] { return views.SliceOf(v.ж.Slice) }
+func (v StructWithSlicesView) Prefixes() views.IPPrefixSlice {
+	return views.IPPrefixSliceOf(v.ж.Prefixes)
+}
+func (v StructWithSlicesView) Data() mem.RO { return mem.B(v.ж.Data) }
+
+// A compilation failure here means this code must be regenerated, with the command at the top of this file.
+var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
+	Values         []StructWithoutPtrs
+	ValuePointers  []*StructWithoutPtrs
+	StructPointers []*StructWithPtrs
+	Structs        []StructWithPtrs
+	Ints           []*int
+	Slice          []string
+	Prefixes       []netaddr.IPPrefix
+	Data           []byte
+}{})

cmd/viewer/viewer.go

@@ -0,0 +1,378 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Viewer is a tool to automate the creation of "view" wrapper types that
+// provide read-only accessor methods to underlying fields.
+package main
+
+import (
+	"bytes"
+	"flag"
+	"fmt"
+	"go/types"
+	"html/template"
+	"log"
+	"os"
+	"strings"
+
+	"tailscale.com/util/codegen"
+)
+
+const viewTemplateStr = `{{define "common"}}
+// View returns a readonly view of {{.StructName}}.
+func (p *{{.StructName}}) View() {{.ViewName}} {
+	return {{.ViewName}}{ж: p}
+}
+
+// {{.ViewName}} provides a read-only view over {{.StructName}}.
+//
+// Its methods should only be called if ` + "`Valid()`" + ` returns true.
+type {{.ViewName}} struct {
+	// ж is the underlying mutable value, named with a hard-to-type
+	// character that looks pointy like a pointer.
+	// It is named distinctively to make you think of how dangerous it is to escape
+	// to callers. You must not let callers be able to mutate it.
+	ж *{{.StructName}}
+}
+
+// Valid reports whether underlying value is non-nil.
+func (v {{.ViewName}}) Valid() bool { return v.ж != nil }
+
+// AsStruct returns a clone of the underlying value which aliases no memory with
+// the original.
+func (v {{.ViewName}}) AsStruct() *{{.StructName}}{ 
+	if v.ж == nil {
+		return nil
+	}
+	return v.ж.Clone()
+}
+
+func (v {{.ViewName}}) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
+
+func (v *{{.ViewName}}) UnmarshalJSON(b []byte) error {
+	if v.ж != nil {
+		return errors.New("already initialized")
+	}
+	if len(b) == 0 {
+		return nil
+	}
+	var x {{.StructName}}
+	if err := json.Unmarshal(b, &x); err != nil {
+		return err
+	}
+	v.ж=&x
+	return nil
+}
+
+{{end}}
+{{define "valueField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} { return v.ж.{{.FieldName}} }
+{{end}}
+{{define "byteSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() mem.RO { return mem.B(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "ipPrefixSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.IPPrefixSlice { return views.IPPrefixSliceOf(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "sliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.Slice[{{.FieldType}}] { return views.SliceOf(v.ж.{{.FieldName}}) }
+{{end}}
+{{define "viewSliceField"}}func (v {{.ViewName}}) {{.FieldName}}() views.SliceView[{{.FieldType}},{{.FieldViewName}}] { return views.SliceOfViews[{{.FieldType}},{{.FieldViewName}}](v.ж.{{.FieldName}}) }
+{{end}}
+{{define "viewField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}}View { return v.ж.{{.FieldName}}.View() }
+{{end}}
+{{define "valuePointerField"}}func (v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {
+	if v.ж.{{.FieldName}} == nil {
+		return nil
+	}
+	x := *v.ж.{{.FieldName}}
+	return &x
+}
+
+{{end}}
+{{define "mapField"}}
+func(v {{.ViewName}}) {{.FieldName}}() views.Map[{{.MapKeyType}},{{.MapValueType}}] { return views.MapOf(v.ж.{{.FieldName}})}
+{{end}}
+{{define "mapFnField"}}
+func(v {{.ViewName}}) {{.FieldName}}() views.MapFn[{{.MapKeyType}},{{.MapValueType}},{{.MapValueView}}] { return views.MapFnOf(v.ж.{{.FieldName}}, func (t {{.MapValueType}}) {{.MapValueView}} {
+	return {{.MapFn}}
+})}
+{{end}}
+{{define "unsupportedField"}}func(v {{.ViewName}}) {{.FieldName}}() {{.FieldType}} {panic("unsupported")}
+{{end}}
+{{define "stringFunc"}}func(v {{.ViewName}}) String() string { return v.ж.String() }
+{{end}}
+{{define "equalFunc"}}func(v {{.ViewName}}) Equal(v2 {{.ViewName}}) bool { return v.ж.Equal(v2.ж) }
+{{end}}
+`
+
+var viewTemplate *template.Template
+
+func init() {
+	viewTemplate = template.Must(template.New("view").Parse(viewTemplateStr))
+}
+
+func requiresCloning(t types.Type) (shallow, deep bool, base types.Type) {
+	switch v := t.(type) {
+	case *types.Pointer:
+		_, deep, base = requiresCloning(v.Elem())
+		return true, deep, base
+	case *types.Slice:
+		_, deep, base = requiresCloning(v.Elem())
+		return true, deep, base
+	}
+	p := codegen.ContainsPointers(t)
+	return p, p, t
+}
+
+func genView(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named, thisPkg *types.Package) {
+	t, ok := typ.Underlying().(*types.Struct)
+	if !ok || codegen.IsViewType(t) {
+		return
+	}
+	it.Import("encoding/json")
+	it.Import("errors")
+
+	args := struct {
+		StructName    string
+		ViewName      string
+		FieldName     string
+		FieldType     string
+		FieldViewName string
+
+		MapKeyType   string
+		MapValueType string
+		MapValueView string
+		MapFn        string
+	}{
+		StructName: typ.Obj().Name(),
+		ViewName:   typ.Obj().Name() + "View",
+	}
+
+	writeTemplate := func(name string) {
+		if err := viewTemplate.ExecuteTemplate(buf, name, args); err != nil {
+			log.Fatal(err)
+		}
+	}
+	writeTemplate("common")
+	for i := 0; i < t.NumFields(); i++ {
+		f := t.Field(i)
+		fname := f.Name()
+		if !f.Exported() {
+			continue
+		}
+		args.FieldName = fname
+		fieldType := f.Type()
+		if codegen.IsInvalid(fieldType) {
+			continue
+		}
+		if !codegen.ContainsPointers(fieldType) || codegen.IsViewType(fieldType) || codegen.HasNoClone(t.Tag(i)) {
+			args.FieldType = it.QualifiedName(fieldType)
+			writeTemplate("valueField")
+			continue
+		}
+		switch underlying := fieldType.Underlying().(type) {
+		case *types.Slice:
+			slice := underlying
+			elem := slice.Elem()
+			args.FieldType = it.QualifiedName(elem)
+			switch elem.String() {
+			case "byte":
+				it.Import("go4.org/mem")
+				writeTemplate("byteSliceField")
+			case "inet.af/netaddr.IPPrefix":
+				it.Import("tailscale.com/types/views")
+				writeTemplate("ipPrefixSliceField")
+			default:
+				it.Import("tailscale.com/types/views")
+				shallow, deep, base := requiresCloning(elem)
+				if deep {
+					if _, isPtr := elem.(*types.Pointer); isPtr {
+						args.FieldViewName = it.QualifiedName(base) + "View"
+						writeTemplate("viewSliceField")
+					} else {
+						writeTemplate("unsupportedField")
+					}
+					continue
+				} else if shallow {
+					if _, isBasic := base.(*types.Basic); isBasic {
+						writeTemplate("unsupportedField")
+					} else {
+						args.FieldViewName = it.QualifiedName(base) + "View"
+						writeTemplate("viewSliceField")
+					}
+					continue
+				}
+				writeTemplate("sliceField")
+			}
+			continue
+		case *types.Struct, *types.Named:
+			strucT := underlying
+			args.FieldType = it.QualifiedName(fieldType)
+			if codegen.ContainsPointers(strucT) {
+				writeTemplate("viewField")
+				continue
+			}
+			writeTemplate("valueField")
+			continue
+		case *types.Map:
+			m := underlying
+			args.FieldType = it.QualifiedName(fieldType)
+			shallow, deep, key := requiresCloning(m.Key())
+			if shallow || deep {
+				writeTemplate("unsupportedField")
+				continue
+			}
+			args.MapKeyType = it.QualifiedName(key)
+			mElem := m.Elem()
+			var template string
+			switch u := mElem.(type) {
+			case *types.Basic:
+				template = "mapField"
+				args.MapValueType = it.QualifiedName(mElem)
+			case *types.Slice:
+				slice := u
+				sElem := slice.Elem()
+				switch x := sElem.(type) {
+				case *types.Basic:
+					args.MapValueView = fmt.Sprintf("views.Slice[%v]", sElem)
+					args.MapValueType = "[]" + sElem.String()
+					args.MapFn = "views.SliceOf(t)"
+					template = "mapFnField"
+				case *types.Pointer:
+					ptr := x
+					pElem := ptr.Elem()
+					switch pElem.(type) {
+					case *types.Struct, *types.Named:
+						ptrType := it.QualifiedName(ptr)
+						viewType := it.QualifiedName(pElem) + "View"
+						args.MapFn = fmt.Sprintf("views.SliceOfViews[%v,%v](t)", ptrType, viewType)
+						args.MapValueView = fmt.Sprintf("views.SliceView[%v,%v]", ptrType, viewType)
+						args.MapValueType = "[]" + ptrType
+						template = "mapFnField"
+					default:
+						template = "unsupportedField"
+					}
+				default:
+					template = "unsupportedField"
+				}
+			case *types.Pointer:
+				ptr := u
+				pElem := ptr.Elem()
+				switch pElem.(type) {
+				case *types.Struct, *types.Named:
+					args.MapValueType = it.QualifiedName(ptr)
+					args.MapValueView = it.QualifiedName(pElem) + "View"
+					args.MapFn = "t.View()"
+					template = "mapFnField"
+				default:
+					template = "unsupportedField"
+				}
+			default:
+				template = "unsupportedField"
+			}
+			writeTemplate(template)
+			continue
+		case *types.Pointer:
+			ptr := underlying
+			_, deep, base := requiresCloning(ptr)
+			if deep {
+				args.FieldType = it.QualifiedName(base)
+				writeTemplate("viewField")
+			} else {
+				args.FieldType = it.QualifiedName(ptr)
+				writeTemplate("valuePointerField")
+			}
+			continue
+		}
+		writeTemplate("unsupportedField")
+	}
+	for i := 0; i < typ.NumMethods(); i++ {
+		f := typ.Method(i)
+		if !f.Exported() {
+			continue
+		}
+		sig, ok := f.Type().(*types.Signature)
+		if !ok {
+			continue
+		}
+
+		switch f.Name() {
+		case "Clone", "View":
+			continue // "AsStruct"
+		case "String":
+			writeTemplate("stringFunc")
+			continue
+		case "Equal":
+			if sig.Results().Len() == 1 && sig.Results().At(0).Type().String() == "bool" {
+				writeTemplate("equalFunc")
+				continue
+			}
+		}
+	}
+	fmt.Fprintf(buf, "\n")
+	buf.Write(codegen.AssertStructUnchanged(t, args.StructName, "View", it))
+}
+
+var (
+	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
+	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
+)
+
+func main() {
+	log.SetFlags(0)
+	log.SetPrefix("viewer: ")
+	flag.Parse()
+	if len(*flagTypes) == 0 {
+		flag.Usage()
+		os.Exit(2)
+	}
+	typeNames := strings.Split(*flagTypes, ",")
+
+	var flagArgs []string
+	flagArgs = append(flagArgs, fmt.Sprintf("-clonefunc=%v", *flagCloneFunc))
+	if *flagTypes != "" {
+		flagArgs = append(flagArgs, "-type="+*flagTypes)
+	}
+	if *flagBuildTags != "" {
+		flagArgs = append(flagArgs, "-tags="+*flagBuildTags)
+	}
+	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	if err != nil {
+		log.Fatal(err)
+	}
+	it := codegen.NewImportTracker(pkg.Types)
+
+	buf := new(bytes.Buffer)
+	fmt.Fprintf(buf, `//go:generate go run tailscale.com/cmd/cloner  %s`, strings.Join(flagArgs, " "))
+	fmt.Fprintln(buf)
+	runCloner := false
+	for _, typeName := range typeNames {
+		typ, ok := namedTypes[typeName]
+		if !ok {
+			log.Fatalf("could not find type %s", typeName)
+		}
+		var hasClone bool
+		for i, n := 0, typ.NumMethods(); i < n; i++ {
+			if typ.Method(i).Name() == "Clone" {
+				hasClone = true
+				break
+			}
+		}
+		if !hasClone {
+			runCloner = true
+		}
+		genView(buf, it, typ, pkg.Types)
+	}
+	out := pkg.Name + "_view.go"
+	if err := codegen.WritePackageFile("tailscale/cmd/viewer", pkg, out, it, buf); err != nil {
+		log.Fatal(err)
+	}
+	if runCloner {
+		// When a new pacakge is added or when existing generated files have
+		// been deleted, we might run into a case where tailscale.com/cmd/cloner
+		// has not run yet. We detect this by verifying that all the structs we
+		// interacted with have had Clone method already generated. If they
+		// haven't we ask the caller to rerun generation again so that those get
+		// generated.
+		log.Printf("%v requires regeneration. Please run go generate again", pkg.Name+"_clone.go")
+	}
+}

control/controlbase/conn.go

@@ -52,10 +52,11 @@ type rxState struct {
 	sync.Mutex
 	cipher    cipher.AEAD
 	nonce     nonce
-	buf       [maxMessageSize]byte
-	n         int    // number of valid bytes in buf
-	next      int    // offset of next undecrypted packet
-	plaintext []byte // slice into buf of decrypted bytes
+	buf       *maxMsgBuffer   // or nil when reads exhausted
+	n         int             // number of valid bytes in buf
+	next      int             // offset of next undecrypted packet
+	plaintext []byte          // slice into buf of decrypted bytes
+	hdrBuf    [headerLen]byte // small buffer used when buf is nil
 }
 
 // txState is all the Conn state that Write uses.
@@ -63,7 +64,6 @@ type txState struct {
 	sync.Mutex
 	cipher cipher.AEAD
 	nonce  nonce
-	buf    [maxMessageSize]byte
 	err    error // records the first partial write error for all future calls
 }
 
@@ -89,6 +89,10 @@ func (c *Conn) Peer() key.MachinePublic {
 // readNLocked reads into c.rx.buf until buf contains at least total
 // bytes. Returns a slice of the total bytes in rxBuf, or an
 // error if fewer than total bytes are available.
+//
+// It may be called with a nil c.rx.buf only if total == headerLen.
+//
+// On success, c.rx.buf will be non-nil.
 func (c *Conn) readNLocked(total int) ([]byte, error) {
 	if total > maxMessageSize {
 		return nil, errReadTooBig{total}
@@ -97,8 +101,26 @@ func (c *Conn) readNLocked(total int) ([]byte, error) {
 		if total <= c.rx.n {
 			return c.rx.buf[:total], nil
 		}
-
-		n, err := c.conn.Read(c.rx.buf[c.rx.n:])
+		var n int
+		var err error
+		if c.rx.buf == nil {
+			if c.rx.n != 0 || total != headerLen {
+				panic("unexpected")
+			}
+			// Optimization to reduce memory usage.
+			// Most connections are blocked forever waiting for
+			// a read, so we don't want c.rx.buf to be allocated until
+			// we know there's data to read. Instead, when we're
+			// waiting for data to arrive here, read into the
+			// 3 byte hdrBuf:
+			n, err = c.conn.Read(c.rx.hdrBuf[:])
+			if n > 0 {
+				c.rx.buf = getMaxMsgBuffer()
+				copy(c.rx.buf[:], c.rx.hdrBuf[:n])
+			}
+		} else {
+			n, err = c.conn.Read(c.rx.buf[c.rx.n:])
+		}
 		c.rx.n += n
 		if err != nil {
 			return nil, err
@@ -134,19 +156,19 @@ func (c *Conn) decryptLocked(msg []byte) (err error) {
 	return err
 }
 
-// encryptLocked encrypts plaintext into c.tx.buf (including the
+// encryptLocked encrypts plaintext into buf (including the
 // packet header) and returns a slice of the ciphertext, or an error
 // if the cipher is exhausted (i.e. can no longer be used safely).
-func (c *Conn) encryptLocked(plaintext []byte) ([]byte, error) {
+func (c *Conn) encryptLocked(plaintext []byte, buf *maxMsgBuffer) ([]byte, error) {
 	if !c.tx.nonce.Valid() {
 		// Received 2^64-1 messages on this cipher state. Connection
 		// is no longer usable.
 		return nil, errCipherExhausted{}
 	}
 
-	c.tx.buf[0] = msgTypeRecord
-	binary.BigEndian.PutUint16(c.tx.buf[1:headerLen], uint16(len(plaintext)+chp.Overhead))
-	ret := c.tx.cipher.Seal(c.tx.buf[:headerLen], c.tx.nonce[:], plaintext, nil)
+	buf[0] = msgTypeRecord
+	binary.BigEndian.PutUint16(buf[1:headerLen], uint16(len(plaintext)+chp.Overhead))
+	ret := c.tx.cipher.Seal(buf[:headerLen], c.tx.nonce[:], plaintext, nil)
 	c.tx.nonce.Increment()
 
 	return ret, nil
@@ -191,6 +213,14 @@ func (c *Conn) decryptOneLocked() error {
 		c.rx.next = 0
 	}
 
+	// Return our buffer to the pool if it's empty, lest we be
+	// blocked in a long Read call, reading the 3 byte header. We
+	// don't to keep that buffer unnecessarily alive.
+	if c.rx.n == 0 && c.rx.next == 0 && c.rx.buf != nil {
+		bufPool.Put(c.rx.buf)
+		c.rx.buf = nil
+	}
+
 	bs, err := c.readNLocked(headerLen)
 	if err != nil {
 		return err
@@ -227,6 +257,12 @@ func (c *Conn) Read(bs []byte) (int, error) {
 	}
 	n := copy(bs, c.rx.plaintext)
 	c.rx.plaintext = c.rx.plaintext[n:]
+
+	// Lose slice's underlying array pointer to unneeded memory so
+	// GC can collect more.
+	if len(c.rx.plaintext) == 0 {
+		c.rx.plaintext = nil
+	}
 	return n, nil
 }
 
@@ -257,6 +293,9 @@ func (c *Conn) Write(bs []byte) (n int, err error) {
 		return 0, net.ErrClosed
 	}
 
+	buf := getMaxMsgBuffer()
+	defer bufPool.Put(buf)
+
 	var sent int
 	for len(bs) > 0 {
 		toSend := bs
@@ -265,7 +304,7 @@ func (c *Conn) Write(bs []byte) (n int, err error) {
 		}
 		bs = bs[len(toSend):]
 
-		ciphertext, err := c.encryptLocked(toSend)
+		ciphertext, err := c.encryptLocked(toSend, buf)
 		if err != nil {
 			return sent, err
 		}
@@ -355,3 +394,16 @@ func (n *nonce) Increment() {
 	}
 	binary.BigEndian.PutUint64(n[4:], 1+binary.BigEndian.Uint64(n[4:]))
 }
+
+type maxMsgBuffer [maxMessageSize]byte
+
+// bufPool holds the temporary buffers for Conn.Read & Write.
+var bufPool = &sync.Pool{
+	New: func() interface{} {
+		return new(maxMsgBuffer)
+	},
+}
+
+func getMaxMsgBuffer() *maxMsgBuffer {
+	return bufPool.Get().(*maxMsgBuffer)
+}

control/controlbase/conn_test.go

@@ -13,10 +13,12 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"runtime"
 	"strings"
 	"sync"
 	"testing"
 	"testing/iotest"
+	"time"
 
 	chp "golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/net/nettest"
@@ -24,6 +26,8 @@ import (
 	"tailscale.com/types/key"
 )
 
+const testProtocolVersion = 1
+
 func TestMessageSize(t *testing.T) {
 	// This test is a regression guard against someone looking at
 	// maxCiphertextSize, going "huh, we could be more efficient if it
@@ -205,7 +209,7 @@ func TestConnStd(t *testing.T) {
 			c2, err = Server(context.Background(), s2, controlKey, nil)
 			serverErr <- err
 		}()
-		c1, err = Client(context.Background(), s1, machineKey, controlKey.Public())
+		c1, err = Client(context.Background(), s1, machineKey, controlKey.Public(), testProtocolVersion)
 		if err != nil {
 			s1.Close()
 			s2.Close()
@@ -224,6 +228,81 @@ func TestConnStd(t *testing.T) {
 	})
 }
 
+// tests that the idle memory overhead of a Conn blocked in a read is
+// reasonable (under 2K). It was previously over 8KB with two 4KB
+// buffers for rx/tx. This make sure we don't regress. Hopefully it
+// doesn't turn into a flaky test. If so, const max can be adjusted,
+// or it can be deleted or reworked.
+func TestConnMemoryOverhead(t *testing.T) {
+	num := 1000
+	if testing.Short() {
+		num = 100
+	}
+	ng0 := runtime.NumGoroutine()
+
+	runtime.GC()
+	var ms0 runtime.MemStats
+	runtime.ReadMemStats(&ms0)
+
+	var closers []io.Closer
+	closeAll := func() {
+		for _, c := range closers {
+			c.Close()
+		}
+		closers = nil
+	}
+	defer closeAll()
+
+	for i := 0; i < num; i++ {
+		client, server := pair(t)
+		closers = append(closers, client, server)
+		go func() {
+			var buf [1]byte
+			client.Read(buf[:])
+		}()
+	}
+
+	t0 := time.Now()
+	deadline := t0.Add(3 * time.Second)
+	var ngo int
+	for time.Now().Before(deadline) {
+		runtime.GC()
+		ngo = runtime.NumGoroutine()
+		if ngo >= num {
+			break
+		}
+		time.Sleep(10 * time.Millisecond)
+	}
+	if ngo < num {
+		t.Fatalf("only %v goroutines; expected %v+", ngo, num)
+	}
+	runtime.GC()
+	var ms runtime.MemStats
+	runtime.ReadMemStats(&ms)
+	growthTotal := int64(ms.HeapAlloc) - int64(ms0.HeapAlloc)
+	growthEach := float64(growthTotal) / float64(num)
+	t.Logf("Alloced %v bytes, %.2f B/each", growthTotal, growthEach)
+	const max = 2000
+	if growthEach > max {
+		t.Errorf("allocated more than expected; want max %v bytes/each", max)
+	}
+
+	closeAll()
+
+	// And make sure our goroutines go away too.
+	deadline = time.Now().Add(3 * time.Second)
+	for time.Now().Before(deadline) {
+		ngo = runtime.NumGoroutine()
+		if ngo < ng0+num/10 {
+			break
+		}
+		time.Sleep(10 * time.Millisecond)
+	}
+	if ngo >= ng0+num/10 {
+		t.Errorf("goroutines didn't go back down; started at %v, now %v", ng0, ngo)
+	}
+}
+
 // mkConns creates synthetic Noise Conns wrapping the given net.Conns.
 // This function is for testing just the Conn transport logic without
 // having to muck about with Noise handshakes.
@@ -323,7 +402,7 @@ func pairWithConns(t *testing.T, clientConn, serverConn net.Conn) (*Conn, *Conn)
 		serverErr <- err
 	}()
 
-	client, err := Client(context.Background(), clientConn, machineKey, controlKey.Public())
+	client, err := Client(context.Background(), clientConn, machineKey, controlKey.Public(), testProtocolVersion)
 	if err != nil {
 		t.Fatalf("client connection failed: %v", err)
 	}

control/controlbase/handshake.go

@@ -32,7 +32,7 @@ const (
 	protocolName = "Noise_IK_25519_ChaChaPoly_BLAKE2s"
 	// protocolVersion is the version of the control protocol that
 	// Client will use when initiating a handshake.
-	protocolVersion uint16 = 1
+	//protocolVersion uint16 = 1
 	// protocolVersionPrefix is the name portion of the protocol
 	// name+version string that gets mixed into the handshake as a
 	// prologue.
@@ -66,7 +66,7 @@ type HandshakeContinuation func(context.Context, net.Conn) (*Conn, error)
 // protocol switching. By splitting the handshake into an initial
 // message and a continuation, we can embed the handshake initiation
 // into the HTTP protocol switching request and avoid a bit of delay.
-func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic) (initialHandshake []byte, continueHandshake HandshakeContinuation, err error) {
+func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (initialHandshake []byte, continueHandshake HandshakeContinuation, err error) {
 	var s symmetricState
 	s.Initialize()
 
@@ -78,7 +78,7 @@ func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic)
 	s.MixHash(controlKey.UntypedBytes())
 
 	// -> e, es, s, ss
-	init := mkInitiationMessage()
+	init := mkInitiationMessage(protocolVersion)
 	machineEphemeral := key.NewMachine()
 	machineEphemeralPub := machineEphemeral.Public()
 	copy(init.EphemeralPub(), machineEphemeralPub.UntypedBytes())
@@ -96,7 +96,7 @@ func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic)
 	s.EncryptAndHash(cipher, init.Tag(), nil) // empty message payload
 
 	cont := func(ctx context.Context, conn net.Conn) (*Conn, error) {
-		return continueClientHandshake(ctx, conn, &s, machineKey, machineEphemeral, controlKey)
+		return continueClientHandshake(ctx, conn, &s, machineKey, machineEphemeral, controlKey, protocolVersion)
 	}
 	return init[:], cont, nil
 }
@@ -107,8 +107,8 @@ func ClientDeferred(machineKey key.MachinePrivate, controlKey key.MachinePublic)
 // This is a helper for when you don't need the fancy
 // continuation-style handshake, and just want to synchronously
 // upgrade a net.Conn to a secure transport.
-func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
-	init, cont, err := ClientDeferred(machineKey, controlKey)
+func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (*Conn, error) {
+	init, cont, err := ClientDeferred(machineKey, controlKey, protocolVersion)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +118,7 @@ func Client(ctx context.Context, conn net.Conn, machineKey key.MachinePrivate, c
 	return cont(ctx, conn)
 }
 
-func continueClientHandshake(ctx context.Context, conn net.Conn, s *symmetricState, machineKey, machineEphemeral key.MachinePrivate, controlKey key.MachinePublic) (*Conn, error) {
+func continueClientHandshake(ctx context.Context, conn net.Conn, s *symmetricState, machineKey, machineEphemeral key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16) (*Conn, error) {
 	// No matter what, this function can only run once per s. Ensure
 	// attempted reuse causes a panic.
 	defer func() {
@@ -239,9 +239,12 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate, o
 	} else if _, err := io.ReadFull(conn, init.Header()); err != nil {
 		return nil, err
 	}
-	if init.Version() != protocolVersion {
-		return nil, sendErr("unsupported protocol version")
-	}
+	// Just a rename to make it more obvious what the value is. In the
+	// current implementation we don't need to block any protocol
+	// versions at this layer, it's safe to let the handshake proceed
+	// and then let the caller make decisions based on the agreed-upon
+	// protocol version.
+	clientVersion := init.Version()
 	if init.Type() != msgTypeInitiation {
 		return nil, sendErr("unexpected handshake message type")
 	}
@@ -257,7 +260,7 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate, o
 
 	// prologue. Can only do this once we at least think the client is
 	// handshaking using a supported version.
-	s.MixHash(protocolVersionPrologue(protocolVersion))
+	s.MixHash(protocolVersionPrologue(clientVersion))
 
 	// <- s
 	// ...
@@ -310,7 +313,7 @@ func Server(ctx context.Context, conn net.Conn, controlKey key.MachinePrivate, o
 
 	c := &Conn{
 		conn:          conn,
-		version:       protocolVersion,
+		version:       clientVersion,
 		peer:          machineKey,
 		handshakeHash: s.h,
 		tx: txState{

control/controlbase/handshake_test.go

@@ -30,7 +30,7 @@ func TestHandshake(t *testing.T) {
 		serverErr <- err
 	}()
 
-	client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+	client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 	if err != nil {
 		t.Fatalf("client connection failed: %v", err)
 	}
@@ -42,8 +42,8 @@ func TestHandshake(t *testing.T) {
 		t.Fatal("client and server disagree on handshake hash")
 	}
 
-	if client.ProtocolVersion() != int(protocolVersion) {
-		t.Fatalf("client reporting wrong protocol version %d, want %d", client.ProtocolVersion(), protocolVersion)
+	if client.ProtocolVersion() != int(testProtocolVersion) {
+		t.Fatalf("client reporting wrong protocol version %d, want %d", client.ProtocolVersion(), testProtocolVersion)
 	}
 	if client.ProtocolVersion() != server.ProtocolVersion() {
 		t.Fatalf("peers disagree on protocol version, client=%d server=%d", client.ProtocolVersion(), server.ProtocolVersion())
@@ -82,7 +82,7 @@ func TestNoReuse(t *testing.T) {
 			serverErr <- err
 		}()
 
-		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 		if err != nil {
 			t.Fatalf("client connection failed: %v", err)
 		}
@@ -181,7 +181,7 @@ func TestTampering(t *testing.T) {
 			serverErr <- err
 		}()
 
-		_, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+		_, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 		if err == nil {
 			t.Fatal("client connection succeeded despite tampering")
 		}
@@ -204,7 +204,7 @@ func TestTampering(t *testing.T) {
 			serverErr <- err
 		}()
 
-		_, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+		_, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 		if err == nil {
 			t.Fatal("client connection succeeded despite tampering")
 		}
@@ -231,7 +231,7 @@ func TestTampering(t *testing.T) {
 			serverErr <- err
 		}()
 
-		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 		if err != nil {
 			t.Fatalf("client handshake failed: %v", err)
 		}
@@ -281,7 +281,7 @@ func TestTampering(t *testing.T) {
 			}
 		}()
 
-		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public())
+		client, err := Client(context.Background(), clientConn, clientKey, serverKey.Public(), testProtocolVersion)
 		if err != nil {
 			t.Fatalf("client handshake failed: %v", err)
 		}

control/controlbase/interop_test.go

@@ -77,7 +77,7 @@ func TestInteropServer(t *testing.T) {
 	)
 
 	go func() {
-		client, err := Client(context.Background(), s1, machineKey, controlKey.Public())
+		client, err := Client(context.Background(), s1, machineKey, controlKey.Public(), testProtocolVersion)
 		clientErr <- err
 		if err != nil {
 			return
@@ -121,11 +121,11 @@ func noiseExplorerClient(conn net.Conn, controlKey key.MachinePublic, machineKey
 	copy(mk.public_key[:], machineKey.Public().UntypedBytes())
 	var peerKey [32]byte
 	copy(peerKey[:], controlKey.UntypedBytes())
-	session := InitSession(true, protocolVersionPrologue(protocolVersion), mk, peerKey)
+	session := InitSession(true, protocolVersionPrologue(testProtocolVersion), mk, peerKey)
 
 	_, msg1 := SendMessage(&session, nil)
 	var hdr [initiationHeaderLen]byte
-	binary.BigEndian.PutUint16(hdr[:2], protocolVersion)
+	binary.BigEndian.PutUint16(hdr[:2], testProtocolVersion)
 	hdr[2] = msgTypeInitiation
 	binary.BigEndian.PutUint16(hdr[3:5], 96)
 	if _, err := conn.Write(hdr[:]); err != nil {
@@ -193,7 +193,7 @@ func noiseExplorerServer(conn net.Conn, controlKey key.MachinePrivate, wantMachi
 	var mk keypair
 	copy(mk.private_key[:], controlKey.UntypedBytes())
 	copy(mk.public_key[:], controlKey.Public().UntypedBytes())
-	session := InitSession(false, protocolVersionPrologue(protocolVersion), mk, [32]byte{})
+	session := InitSession(false, protocolVersionPrologue(testProtocolVersion), mk, [32]byte{})
 
 	var buf [1024]byte
 	if _, err := io.ReadFull(conn, buf[:101]); err != nil {

control/controlbase/messages.go

@@ -39,9 +39,9 @@ const (
 // 16b: message tag (authenticates the whole message)
 type initiationMessage [101]byte
 
-func mkInitiationMessage() initiationMessage {
+func mkInitiationMessage(protocolVersion uint16) initiationMessage {
 	var ret initiationMessage
-	binary.BigEndian.PutUint16(ret[:2], uint16(protocolVersion))
+	binary.BigEndian.PutUint16(ret[:2], protocolVersion)
 	ret[2] = msgTypeInitiation
 	binary.BigEndian.PutUint16(ret[3:5], uint16(len(ret.Payload())))
 	return ret

control/controlclient/auto.go

@@ -61,10 +61,9 @@ type Auto struct {
 	loggedIn        bool       // true if currently logged in
 	loginGoal       *LoginGoal // non-nil if some login activity is desired
 	synced          bool       // true if our netmap is up-to-date
-	hostinfo        *tailcfg.Hostinfo
-	inPollNetMap    bool // true if currently running a PollNetMap
-	inLiteMapUpdate bool // true if a lite (non-streaming) map request is outstanding
-	inSendStatus    int  // number of sendStatus calls currently in progress
+	inPollNetMap    bool       // true if currently running a PollNetMap
+	inLiteMapUpdate bool       // true if a lite (non-streaming) map request is outstanding
+	inSendStatus    int        // number of sendStatus calls currently in progress
 	state           State
 
 	authCtx    context.Context // context used for auth requests
@@ -290,6 +289,7 @@ func (c *Auto) authRoutine() {
 		}
 
 		if goal == nil {
+			health.SetAuthRoutineInError(nil)
 			// Wait for user to Login or Logout.
 			<-ctx.Done()
 			c.logf("[v1] authRoutine: context done.")
@@ -297,6 +297,7 @@ func (c *Auto) authRoutine() {
 		}
 
 		if !goal.wantLoggedIn {
+			health.SetAuthRoutineInError(nil)
 			err := c.direct.TryLogout(ctx)
 			goal.sendLogoutError(err)
 			if err != nil {
@@ -335,6 +336,7 @@ func (c *Auto) authRoutine() {
 				f = "TryLogin"
 			}
 			if err != nil {
+				health.SetAuthRoutineInError(err)
 				report(err, f)
 				bo.BackOff(ctx, err)
 				continue
@@ -359,6 +361,7 @@ func (c *Auto) authRoutine() {
 			}
 
 			// success
+			health.SetAuthRoutineInError(nil)
 			c.mu.Lock()
 			c.loggedIn = true
 			c.loginGoal = nil
@@ -555,9 +558,8 @@ func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
 	if !c.direct.SetNetInfo(ni) {
 		return
 	}
-	c.logf("NetInfo: %v", ni)
 
-	// Send new Hostinfo (which includes NetInfo) to server
+	// Send new NetInfo to server
 	c.sendNewMapRequest()
 }
 
@@ -567,7 +569,6 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 	loggedIn := c.loggedIn
 	synced := c.synced
 	statusFunc := c.statusFunc
-	hi := c.hostinfo
 	c.inSendStatus++
 	c.mu.Unlock()
 
@@ -595,7 +596,6 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		URL:            url,
 		Persist:        p,
 		NetMap:         nm,
-		Hostinfo:       hi,
 		State:          state,
 		Err:            err,
 	}

control/controlclient/controlclient_test.go

@@ -22,7 +22,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist", "Hostinfo"}
+	equalHandles := []string{"LoginFinished", "LogoutFinished", "Err", "URL", "NetMap", "State", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Status{})); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)

control/controlclient/direct.go

@@ -18,7 +18,6 @@ import (
 	"net/http"
 	"net/url"
 	"os"
-	"os/exec"
 	"reflect"
 	"runtime"
 	"strings"
@@ -35,11 +34,13 @@ import (
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
+	"tailscale.com/logtail"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/interfaces"
-	"tailscale.com/net/netns"
+	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -56,7 +57,8 @@ import (
 // Direct is the client that connects to a tailcontrol server for a node.
 type Direct struct {
 	httpc                  *http.Client // HTTP client used to talk to tailcontrol
-	serverURL              string       // URL of the tailcontrol server
+	dialer                 *tsdial.Dialer
+	serverURL              string // URL of the tailcontrol server
 	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
@@ -69,6 +71,7 @@ type Direct struct {
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
 	pinger                 Pinger
+	popBrowser             func(url string) // or nil
 
 	mu             sync.Mutex        // mutex guards the following fields
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
@@ -77,12 +80,12 @@ type Direct struct {
 	sfGroup     singleflight.Group // protects noiseClient creation.
 	noiseClient *noiseClient
 
-	persist      persist.Persist
-	authKey      string
-	tryingNewKey key.NodePrivate
-	expiry       *time.Time
-	// hostinfo is mutated in-place while mu is held.
+	persist       persist.Persist
+	authKey       string
+	tryingNewKey  key.NodePrivate
+	expiry        *time.Time
 	hostinfo      *tailcfg.Hostinfo // always non-nil
+	netinfo       *tailcfg.NetInfo
 	endpoints     []tailcfg.Endpoint
 	everEndpoints bool   // whether we've ever had non-empty endpoints
 	localPort     uint16 // or zero to mean auto
@@ -100,9 +103,11 @@ type Options struct {
 	NewDecompressor      func() (Decompressor, error)
 	KeepAlive            bool
 	Logf                 logger.Logf
-	HTTPTestClient       *http.Client // optional HTTP client to use (for tests only)
-	DebugFlags           []string     // debug settings to send to control
-	LinkMonitor          *monitor.Mon // optional link monitor
+	HTTPTestClient       *http.Client     // optional HTTP client to use (for tests only)
+	DebugFlags           []string         // debug settings to send to control
+	LinkMonitor          *monitor.Mon     // optional link monitor
+	PopBrowserURL        func(url string) // optional func to open browser
+	Dialer               *tsdial.Dialer   // non-nil
 
 	// KeepSharerAndUserSplit controls whether the client
 	// understands Node.Sharer. If false, the Sharer is mapped to the User.
@@ -119,11 +124,10 @@ type Options struct {
 	Pinger Pinger
 }
 
-// Pinger is a subset of the wgengine.Engine interface, containing just the Ping method.
+// Pinger is the LocalBackend.Ping method.
 type Pinger interface {
-	// Ping is a request to start a discovery or TSMP ping with the peer handling
-	// the given IP and then call cb with its ping latency & method.
-	Ping(ip netaddr.IP, useTSMP bool, cb func(*ipnstate.PingResult))
+	// Ping is a request to do a ping with the peer handling the given IP.
+	Ping(ctx context.Context, ip netaddr.IP, pingType tailcfg.PingType) (*ipnstate.PingResult, error)
 }
 
 type Decompressor interface {
@@ -167,13 +171,12 @@ func NewDirect(opts Options) (*Direct, error) {
 			UseLastGood:      true,
 			LookupIPFallback: dnsfallback.Lookup,
 		}
-		dialer := netns.NewDialer(opts.Logf)
 		tr := http.DefaultTransport.(*http.Transport).Clone()
 		tr.Proxy = tshttpproxy.ProxyFromEnvironment
 		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Hostname(), tr.TLSClientConfig)
-		tr.DialContext = dnscache.Dialer(dialer.DialContext, dnsCache)
-		tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dnsCache, tr.TLSClientConfig)
+		tr.DialContext = dnscache.Dialer(opts.Dialer.SystemDial, dnsCache)
+		tr.DialTLSContext = dnscache.TLSDialer(opts.Dialer.SystemDial, dnsCache, tr.TLSClientConfig)
 		tr.ForceAttemptHTTP2 = true
 		// Disable implicit gzip compression; the various
 		// handlers (register, map, set-dns, etc) do their own
@@ -198,11 +201,18 @@ func NewDirect(opts Options) (*Direct, error) {
 		linkMon:                opts.LinkMonitor,
 		skipIPForwardingCheck:  opts.SkipIPForwardingCheck,
 		pinger:                 opts.Pinger,
+		popBrowser:             opts.PopBrowserURL,
+		dialer:                 opts.Dialer,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
 	} else {
+		ni := opts.Hostinfo.NetInfo
+		opts.Hostinfo.NetInfo = nil
 		c.SetHostinfo(opts.Hostinfo)
+		if ni != nil {
+			c.SetNetInfo(ni)
+		}
 	}
 	return c, nil
 }
@@ -247,14 +257,11 @@ func (c *Direct) SetNetInfo(ni *tailcfg.NetInfo) bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 
-	if c.hostinfo == nil {
-		c.logf("[unexpected] SetNetInfo called with no HostInfo; ignoring NetInfo update: %+v", ni)
+	if reflect.DeepEqual(ni, c.netinfo) {
 		return false
 	}
-	if reflect.DeepEqual(ni, c.hostinfo.NetInfo) {
-		return false
-	}
-	c.hostinfo.NetInfo = ni.Clone()
+	c.netinfo = ni.Clone()
+	c.logf("NetInfo: %v", ni)
 	return true
 }
 
@@ -331,6 +338,14 @@ type httpClient interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
+// hostInfoLocked returns a Clone of c.hostinfo and c.netinfo.
+// It must only be called with c.mu held.
+func (c *Direct) hostInfoLocked() *tailcfg.Hostinfo {
+	hi := c.hostinfo.Clone()
+	hi.NetInfo = c.netinfo.Clone()
+	return hi
+}
+
 func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, newURL string, err error) {
 	c.mu.Lock()
 	persist := c.persist
@@ -338,7 +353,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
 	authKey := c.authKey
-	hi := c.hostinfo.Clone()
+	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()
@@ -372,7 +387,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)
+		c.logf("control server key from %s: ts2021=%s, legacy=%v", c.serverURL, keys.PublicKey.ShortString(), keys.LegacyPublicKey.ShortString())
 
 		c.mu.Lock()
 		c.serverKey = keys.LegacyPublicKey
@@ -640,7 +655,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	serverURL := c.serverURL
 	serverKey := c.serverKey
 	serverNoiseKey := c.serverNoiseKey
-	hi := c.hostinfo.Clone()
+	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
 	localPort := c.localPort
 	var epStrs []string
@@ -847,9 +862,17 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 
 		if pr := resp.PingRequest; pr != nil && c.isUniquePingRequest(pr) {
 			metricMapResponsePings.Add(1)
-			go answerPing(c.logf, c.httpc, pr)
+			go answerPing(c.logf, c.httpc, pr, c.pinger)
+		}
+		if u := resp.PopBrowserURL; u != "" && u != sess.lastPopBrowserURL {
+			sess.lastPopBrowserURL = u
+			if c.popBrowser != nil {
+				c.logf("netmap: control says to open URL %v; opening...", u)
+				c.popBrowser(u)
+			} else {
+				c.logf("netmap: control says to open URL %v; no popBrowser func", u)
+			}
 		}
-
 		if resp.ControlTime != nil && !resp.ControlTime.IsZero() {
 			c.logf.JSON(1, "controltime", resp.ControlTime.UTC())
 		}
@@ -858,6 +881,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		} else {
 			vlogf("netmap: got new map")
 		}
+
 		select {
 		case timeoutReset <- struct{}{}:
 			vlogf("netmap: sent timer reset")
@@ -883,6 +907,9 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 				c.logf("exiting process with status %v per controlplane", *code)
 				os.Exit(*code)
 			}
+			if resp.Debug.DisableLogTail {
+				logtail.Disable()
+			}
 			if resp.Debug.LogHeapPprof {
 				go logheap.LogHeap(resp.Debug.LogHeapURL)
 			}
@@ -1139,89 +1166,17 @@ func TrimWGConfig() opt.Bool {
 //
 // It should not return false positives.
 //
-// TODO(bradfitz): merge this code into LocalBackend.CheckIPForwarding
-// and change controlclient.Options.SkipIPForwardingCheck into a
-// func([]netaddr.IPPrefix) error signature instead. Then we only have
-// one copy of this code.
+// TODO(bradfitz): Change controlclient.Options.SkipIPForwardingCheck into a
+// func([]netaddr.IPPrefix) error signature instead.
 func ipForwardingBroken(routes []netaddr.IPPrefix, state *interfaces.State) bool {
-	if len(routes) == 0 {
-		// Nothing to route, so no need to warn.
+	warn, err := netutil.CheckIPForwarding(routes, state)
+	if err != nil {
+		// Oh well, we tried. This is just for debugging.
+		// We don't want false positives.
+		// TODO: maybe we want a different warning for inability to check?
 		return false
 	}
-
-	if runtime.GOOS != "linux" {
-		// We only do subnet routing on Linux for now.
-		// It might work on darwin/macOS when building from source, so
-		// don't return true for other OSes. We can OS-based warnings
-		// already in the admin panel.
-		return false
-	}
-
-	localIPs := map[netaddr.IP]bool{}
-	for _, addrs := range state.InterfaceIPs {
-		for _, pfx := range addrs {
-			localIPs[pfx.IP()] = true
-		}
-	}
-
-	v4Routes, v6Routes := false, false
-	for _, r := range routes {
-		// It's possible to advertise a route to one of the local
-		// machine's local IPs. IP forwarding isn't required for this
-		// to work, so we shouldn't warn for such exports.
-		if r.IsSingleIP() && localIPs[r.IP()] {
-			continue
-		}
-		if r.IP().Is4() {
-			v4Routes = true
-		} else {
-			v6Routes = true
-		}
-	}
-
-	if v4Routes {
-		out, err := ioutil.ReadFile("/proc/sys/net/ipv4/ip_forward")
-		if err != nil {
-			// Try another way.
-			out, err = exec.Command("sysctl", "-n", "net.ipv4.ip_forward").Output()
-		}
-		if err != nil {
-			// Oh well, we tried. This is just for debugging.
-			// We don't want false positives.
-			// TODO: maybe we want a different warning for inability to check?
-			return false
-		}
-		if strings.TrimSpace(string(out)) == "0" {
-			return true
-		}
-	}
-	if v6Routes {
-		// Note: you might be wondering why we check only the state of
-		// conf.all.forwarding, rather than per-interface forwarding
-		// configuration. According to kernel documentation, it seems
-		// that to actually forward packets, you need to enable
-		// forwarding globally, and the per-interface forwarding
-		// setting only alters other things such as how router
-		// advertisements are handled. The kernel itself warns that
-		// enabling forwarding per-interface and not globally will
-		// probably not work, so I feel okay calling those configs
-		// broken until we have proof otherwise.
-		out, err := ioutil.ReadFile("/proc/sys/net/ipv6/conf/all/forwarding")
-		if err != nil {
-			out, err = exec.Command("sysctl", "-n", "net.ipv6.conf.all.forwarding").Output()
-		}
-		if err != nil {
-			// Oh well, we tried. This is just for debugging.
-			// We don't want false positives.
-			// TODO: maybe we want a different warning for inability to check?
-			return false
-		}
-		if strings.TrimSpace(string(out)) == "0" {
-			return true
-		}
-	}
-
-	return false
+	return warn != nil
 }
 
 // isUniquePingRequest reports whether pr contains a new PingRequest.URL
@@ -1241,29 +1196,44 @@ func (c *Direct) isUniquePingRequest(pr *tailcfg.PingRequest) bool {
 	return true
 }
 
-func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
+func answerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) {
 	if pr.URL == "" {
 		logf("invalid PingRequest with no URL")
 		return
 	}
+	if pr.Types == "" {
+		answerHeadPing(logf, c, pr)
+		return
+	}
+	for _, t := range strings.Split(pr.Types, ",") {
+		switch pt := tailcfg.PingType(t); pt {
+		case tailcfg.PingTSMP, tailcfg.PingDisco, tailcfg.PingICMP, tailcfg.PingPeerAPI:
+			go doPingerPing(logf, c, pr, pinger, pt)
+		default:
+			logf("unsupported ping request type: %q", t)
+		}
+	}
+}
+
+func answerHeadPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
 
 	req, err := http.NewRequestWithContext(ctx, "HEAD", pr.URL, nil)
 	if err != nil {
-		logf("http.NewRequestWithContext(%q): %v", pr.URL, err)
+		logf("answerHeadPing: NewRequestWithContext: %v", err)
 		return
 	}
 	if pr.Log {
-		logf("answerPing: sending ping to %v ...", pr.URL)
+		logf("answerHeadPing: sending HEAD ping to %v ...", pr.URL)
 	}
 	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
-		logf("answerPing error: %v to %v (after %v)", err, pr.URL, d)
+		logf("answerHeadPing error: %v to %v (after %v)", err, pr.URL, d)
 	} else if pr.Log {
-		logf("answerPing complete to %v (after %v)", pr.URL, d)
+		logf("answerHeadPing complete to %v (after %v)", pr.URL, d)
 	}
 }
 
@@ -1316,7 +1286,7 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 			return nil, err
 		}
 
-		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL)
+		nc, err = newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
 		if err != nil {
 			return nil, err
 		}
@@ -1436,35 +1406,35 @@ func (c *Direct) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	return nc.Do(req)
 }
 
-// tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
-// with ping response data.
-func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) error {
-	var err error
-	if pr.URL == "" {
-		return errors.New("invalid PingRequest with no URL")
-	}
-	if pr.IP.IsZero() {
-		return errors.New("PingRequest without IP")
-	}
-	if !strings.Contains(pr.Types, "TSMP") {
-		return fmt.Errorf("PingRequest with no TSMP in Types, got %q", pr.Types)
+// doPingerPing sends a Ping to pr.IP using pinger, and sends an http request back to
+// pr.URL with ping response data.
+func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger, pingType tailcfg.PingType) {
+	if pr.URL == "" || pr.IP.IsZero() || pinger == nil {
+		logf("invalid ping request: missing url, ip or pinger")
+		return
 	}
+	start := time.Now()
 
-	now := time.Now()
-	pinger.Ping(pr.IP, true, func(res *ipnstate.PingResult) {
-		// Currently does not check for error since we just return if it fails.
-		err = postPingResult(now, logf, c, pr, res)
-	})
-	return err
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	res, err := pinger.Ping(ctx, pr.IP, pingType)
+	if err != nil {
+		d := time.Since(start).Round(time.Millisecond)
+		logf("doPingerPing: ping error of type %q to %v after %v: %v", pingType, pr.IP, d, err)
+		return
+	}
+	postPingResult(start, logf, c, pr, res.ToPingResponse(pingType))
 }
 
-func postPingResult(now time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *ipnstate.PingResult) error {
-	if res.Err != "" {
-		return errors.New(res.Err)
-	}
-	duration := time.Since(now)
+func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *tailcfg.PingResponse) error {
+	duration := time.Since(start)
 	if pr.Log {
-		logf("TSMP ping to %v completed in %v seconds. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration.Seconds())
+		if res.Err == "" {
+			logf("ping to %v completed in %v. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration)
+		} else {
+			logf("ping to %v failed after %v: %v", pr.IP, duration, res.Err)
+		}
 	}
 	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 	defer cancel()
@@ -1474,20 +1444,20 @@ func postPingResult(now time.Time, logf logger.Logf, c *http.Client, pr *tailcfg
 		return err
 	}
 	// Send the results of the Ping, back to control URL.
-	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewBuffer(jsonPingRes))
+	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewReader(jsonPingRes))
 	if err != nil {
 		return fmt.Errorf("http.NewRequestWithContext(%q): %w", pr.URL, err)
 	}
 	if pr.Log {
-		logf("tsmpPing: sending ping results to %v ...", pr.URL)
+		logf("postPingResult: sending ping results to %v ...", pr.URL)
 	}
 	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
-		return fmt.Errorf("tsmpPing error: %w to %v (after %v)", err, pr.URL, d)
+		return fmt.Errorf("postPingResult error: %w to %v (after %v)", err, pr.URL, d)
 	} else if pr.Log {
-		logf("tsmpPing complete to %v (after %v)", pr.URL, d)
+		logf("postPingResult complete to %v (after %v)", pr.URL, d)
 	}
 	return nil
 }

control/controlclient/direct_test.go

@@ -14,6 +14,7 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -30,6 +31,7 @@ func TestNewDirect(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
+		Dialer: new(tsdial.Dialer),
 	}
 	c, err := NewDirect(opts)
 	if err != nil {
@@ -106,6 +108,7 @@ func TestTsmpPing(t *testing.T) {
 		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
 			return k, nil
 		},
+		Dialer: new(tsdial.Dialer),
 	}
 
 	c, err := NewDirect(opts)
@@ -113,7 +116,8 @@ func TestTsmpPing(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	pingRes := &ipnstate.PingResult{
+	pingRes := &tailcfg.PingResponse{
+		Type:     "TSMP",
 		IP:       "123.456.7890",
 		Err:      "",
 		NodeName: "testnode",

control/controlclient/map.go

@@ -44,6 +44,7 @@ type mapSession struct {
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
 	lastHealth             []string
+	lastPopBrowserURL      string
 
 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.

control/controlclient/noise.go

@@ -8,6 +8,7 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"math"
 	"net"
 	"net/http"
 	"net/url"
@@ -17,7 +18,10 @@ import (
 	"golang.org/x/net/http2"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp"
+	"tailscale.com/net/tsdial"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 )
 
@@ -43,6 +47,7 @@ func (c *noiseConn) Close() error {
 // the ts2021 protocol.
 type noiseClient struct {
 	*http.Client // HTTP client used to talk to tailcontrol
+	dialer       *tsdial.Dialer
 	privKey      key.MachinePrivate
 	serverPubKey key.MachinePublic
 	serverHost   string // the host:port part of serverURL
@@ -55,7 +60,7 @@ type noiseClient struct {
 
 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -72,6 +77,7 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		serverPubKey: serverPubKey,
 		privKey:      priKey,
 		serverHost:   host,
+		dialer:       dialer,
 	}
 
 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -135,9 +141,6 @@ func (nc *noiseClient) Close() error {
 func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
-	if nc.connPool == nil {
-		nc.connPool = make(map[int]*noiseConn)
-	}
 	nc.nextID++
 	nc.mu.Unlock()
 
@@ -146,7 +149,12 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
-	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey)
+	if tailcfg.CurrentCapabilityVersion > math.MaxUint16 {
+		// Panic, because a test should have started failing several
+		// thousand version numbers before getting to this point.
+		panic("capability version is too high to fit in the wire protocol")
+	}
+	conn, err := controlhttp.Dial(ctx, nc.serverHost, nc.privKey, nc.serverPubKey, uint16(tailcfg.CurrentCapabilityVersion), nc.dialer.SystemDial)
 	if err != nil {
 		return nil, err
 	}
@@ -154,6 +162,6 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.mu.Lock()
 	defer nc.mu.Unlock()
 	ncc := &noiseConn{Conn: conn, id: connID, pool: nc}
-	nc.connPool[ncc.id] = ncc
+	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }

control/controlclient/noise_test.go

@@ -0,0 +1,28 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlclient
+
+import (
+	"math"
+	"testing"
+
+	"tailscale.com/tailcfg"
+)
+
+// maxAllowedNoiseVersion is the highest we expect the Tailscale
+// capability version to ever get. It's a value close to 2^16, but
+// with enough leeway that we get a very early warning that it's time
+// to rework the wire protocol to allow larger versions, while still
+// giving us headroom to bump this test and fix the build.
+//
+// Code elsewhere in the client will panic() if the tailcfg capability
+// version exceeds 16 bits, so take a failure of this test seriously.
+const maxAllowedNoiseVersion = math.MaxUint16 - 5000
+
+func TestNoiseVersion(t *testing.T) {
+	if tailcfg.CurrentCapabilityVersion > maxAllowedNoiseVersion {
+		t.Fatalf("tailcfg.CurrentCapabilityVersion is %d, want <=%d", tailcfg.CurrentCapabilityVersion, maxAllowedNoiseVersion)
+	}
+}

control/controlclient/status.go

@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"reflect"
 
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
@@ -75,9 +74,8 @@ type Status struct {
 	// package, but we have some automated tests elsewhere that need to
 	// use them. Please don't use these fields.
 	// TODO(apenwarr): Unexport or remove these.
-	State    State
-	Persist  *persist.Persist  // locally persisted configuration
-	Hostinfo *tailcfg.Hostinfo // current Hostinfo data
+	State   State
+	Persist *persist.Persist // locally persisted configuration
 }
 
 // Equal reports whether s and s2 are equal.
@@ -92,7 +90,6 @@ func (s *Status) Equal(s2 *Status) bool {
 		s.URL == s2.URL &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
 		reflect.DeepEqual(s.NetMap, s2.NetMap) &&
-		reflect.DeepEqual(s.Hostinfo, s2.Hostinfo) &&
 		s.State == s2.State
 }
 

control/controlhttp/client.go

@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+//go:build !js
+// +build !js
+
 // Package controlhttp implements the Tailscale 2021 control protocol
 // base transport over HTTP.
 //
@@ -25,36 +28,21 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/http/httptrace"
 	"net/url"
+	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
-	"tailscale.com/net/netns"
+	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/types/key"
 )
 
-const (
-	// upgradeHeader is the value of the Upgrade HTTP header used to
-	// indicate the Tailscale control protocol.
-	upgradeHeaderValue = "tailscale-control-protocol"
-
-	// handshakeHeaderName is the HTTP request header that can
-	// optionally contain base64-encoded initial handshake
-	// payload, to save an RTT.
-	handshakeHeaderName = "X-Tailscale-Handshake"
-
-	// serverUpgradePath is where the server-side HTTP handler to
-	// to do the protocol switch is located.
-	serverUpgradePath = "/ts2021"
-)
-
 // Dial connects to the HTTP server at addr, requests to switch to the
 // Tailscale control protocol, and returns an established control
 // protocol connection.
@@ -64,90 +52,158 @@ const (
 //
 // The provided ctx is only used for the initial connection, until
 // Dial returns. It does not affect the connection once established.
-func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic) (*controlbase.Conn, error) {
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
 	host, port, err := net.SplitHostPort(addr)
 	if err != nil {
 		return nil, err
 	}
 	a := &dialParams{
-		ctx:        ctx,
 		host:       host,
 		httpPort:   port,
 		httpsPort:  "443",
 		machineKey: machineKey,
 		controlKey: controlKey,
+		version:    protocolVersion,
 		proxyFunc:  tshttpproxy.ProxyFromEnvironment,
+		dialer:     dialer,
 	}
-	return a.dial()
+	return a.dial(ctx)
 }
 
 type dialParams struct {
-	ctx        context.Context
 	host       string
 	httpPort   string
 	httpsPort  string
 	machineKey key.MachinePrivate
 	controlKey key.MachinePublic
+	version    uint16
 	proxyFunc  func(*http.Request) (*url.URL, error) // or nil
+	dialer     dnscache.DialContextFunc
 
 	// For tests only
-	insecureTLS bool
+	insecureTLS       bool
+	testFallbackDelay time.Duration
 }
 
-func (a *dialParams) dial() (*controlbase.Conn, error) {
-	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey)
-	if err != nil {
-		return nil, err
+// httpsFallbackDelay is how long we'll wait for a.httpPort to work before
+// starting to try a.httpsPort.
+func (a *dialParams) httpsFallbackDelay() time.Duration {
+	if v := a.testFallbackDelay; v != 0 {
+		return v
 	}
+	return 500 * time.Millisecond
+}
 
-	u := &url.URL{
+func (a *dialParams) dial(ctx context.Context) (*controlbase.Conn, error) {
+	// Create one shared context used by both port 80 and port 443 dials.
+	// If port 80 is still in flight when 443 returns, this deferred cancel
+	// will stop the port 80 dial.
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	// u80 and u443 are the URLs we'll try to hit over HTTP or HTTPS,
+	// respectively, in order to do the HTTP upgrade to a net.Conn over which
+	// we'll speak Noise.
+	u80 := &url.URL{
 		Scheme: "http",
 		Host:   net.JoinHostPort(a.host, a.httpPort),
 		Path:   serverUpgradePath,
 	}
-	conn, httpErr := a.tryURL(u, init)
-	if httpErr == nil {
-		ret, err := cont(a.ctx, conn)
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-		return ret, nil
+	u443 := &url.URL{
+		Scheme: "https",
+		Host:   net.JoinHostPort(a.host, a.httpsPort),
+		Path:   serverUpgradePath,
 	}
 
-	// Connecting over plain HTTP failed, assume it's an HTTP proxy
-	// being difficult and see if we can get through over HTTPS.
-	u.Scheme = "https"
-	u.Host = net.JoinHostPort(a.host, a.httpsPort)
-	init, cont, err = controlbase.ClientDeferred(a.machineKey, a.controlKey)
+	type tryURLRes struct {
+		u    *url.URL          // input (the URL conn+err are for/from)
+		conn *controlbase.Conn // result (mutually exclusive with err)
+		err  error
+	}
+	ch := make(chan tryURLRes) // must be unbuffered
+	try := func(u *url.URL) {
+		cbConn, err := a.dialURL(ctx, u)
+		select {
+		case ch <- tryURLRes{u, cbConn, err}:
+		case <-ctx.Done():
+			if cbConn != nil {
+				cbConn.Close()
+			}
+		}
+	}
+
+	// Start the plaintext HTTP attempt first.
+	go try(u80)
+
+	// In case outbound port 80 blocked or MITM'ed poorly, start a backup timer
+	// to dial port 443 if port 80 doesn't either succeed or fail quickly.
+	try443Timer := time.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
+	defer try443Timer.Stop()
+
+	var err80, err443 error
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, fmt.Errorf("connection attempts aborted by context: %w", ctx.Err())
+		case res := <-ch:
+			if res.err == nil {
+				return res.conn, nil
+			}
+			switch res.u {
+			case u80:
+				// Connecting over plain HTTP failed; assume it's an HTTP proxy
+				// being difficult and see if we can get through over HTTPS.
+				err80 = res.err
+				// Stop the fallback timer and run it immediately. We don't use
+				// Timer.Reset(0) here because on AfterFuncs, that can run it
+				// again.
+				if try443Timer.Stop() {
+					go try(u443)
+				} // else we lost the race and it started already which is what we want
+			case u443:
+				err443 = res.err
+			default:
+				panic("invalid")
+			}
+			if err80 != nil && err443 != nil {
+				return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", err80, err443)
+			}
+		}
+	}
+}
+
+// dialURL attempts to connect to the given URL.
+func (a *dialParams) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(a.machineKey, a.controlKey, a.version)
 	if err != nil {
 		return nil, err
 	}
-	conn, tlsErr := a.tryURL(u, init)
-	if tlsErr == nil {
-		ret, err := cont(a.ctx, conn)
-		if err != nil {
-			conn.Close()
-			return nil, err
-		}
-		return ret, nil
+	netConn, err := a.tryURLUpgrade(ctx, u, init)
+	if err != nil {
+		return nil, err
 	}
-
-	return nil, fmt.Errorf("all connection attempts failed (HTTP: %v, HTTPS: %v)", httpErr, tlsErr)
+	cbConn, err := cont(ctx, netConn)
+	if err != nil {
+		netConn.Close()
+		return nil, err
+	}
+	return cbConn, nil
 }
 
-func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
+// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
+//
+// Only the provided ctx is used, not a.ctx.
+func (a *dialParams) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
 	dns := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
 		LookupIPFallback: dnsfallback.Lookup,
 		UseLastGood:      true,
 	}
-	dialer := netns.NewDialer(log.Printf)
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 	defer tr.CloseIdleConnections()
 	tr.Proxy = a.proxyFunc
 	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
-	tr.DialContext = dnscache.Dialer(dialer.DialContext, dns)
+	tr.DialContext = dnscache.Dialer(a.dialer, dns)
 	// Disable HTTP2, since h2 can't do protocol switching.
 	tr.TLSClientConfig.NextProtos = []string{}
 	tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
@@ -156,7 +212,7 @@ func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 		tr.TLSClientConfig.InsecureSkipVerify = true
 		tr.TLSClientConfig.VerifyConnection = nil
 	}
-	tr.DialTLSContext = dnscache.TLSDialer(dialer.DialContext, dns, tr.TLSClientConfig)
+	tr.DialTLSContext = dnscache.TLSDialer(a.dialer, dns, tr.TLSClientConfig)
 	tr.DisableCompression = true
 
 	// (mis)use httptrace to extract the underlying net.Conn from the
@@ -186,7 +242,7 @@ func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 			connCh <- info.Conn
 		},
 	}
-	ctx := httptrace.WithClientTrace(a.ctx, &trace)
+	ctx = httptrace.WithClientTrace(ctx, &trace)
 	req := &http.Request{
 		Method: "POST",
 		URL:    u,
@@ -232,22 +288,5 @@ func (a *dialParams) tryURL(u *url.URL, init []byte) (net.Conn, error) {
 		return nil, errors.New("http Transport did not provide a writable body")
 	}
 
-	return &wrappedConn{switchedConn, rwc}, nil
-}
-
-type wrappedConn struct {
-	net.Conn
-	rwc io.ReadWriteCloser
-}
-
-func (w *wrappedConn) Read(bs []byte) (int, error) {
-	return w.rwc.Read(bs)
-}
-
-func (w *wrappedConn) Write(bs []byte) (int, error) {
-	return w.rwc.Write(bs)
-}
-
-func (w *wrappedConn) Close() error {
-	return w.rwc.Close()
+	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
 }

control/controlhttp/client_js.go

@@ -0,0 +1,56 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+import (
+	"context"
+	"encoding/base64"
+	"net"
+	"net/url"
+
+	"nhooyr.io/websocket"
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/dnscache"
+	"tailscale.com/net/wsconn"
+	"tailscale.com/types/key"
+)
+
+// Variant of Dial that tunnels the request over WebScokets, since we cannot do
+// bi-directional communication over an HTTP connection when in JS.
+func Dial(ctx context.Context, addr string, machineKey key.MachinePrivate, controlKey key.MachinePublic, protocolVersion uint16, dialer dnscache.DialContextFunc) (*controlbase.Conn, error) {
+	init, cont, err := controlbase.ClientDeferred(machineKey, controlKey, protocolVersion)
+	if err != nil {
+		return nil, err
+	}
+
+	host, addr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, err
+	}
+	wsURL := &url.URL{
+		Scheme: "ws",
+		Host:   net.JoinHostPort(host, addr),
+		Path:   serverUpgradePath,
+		// Can't set HTTP headers on the websocket request, so we have to to send
+		// the handshake via an HTTP header.
+		RawQuery: url.Values{
+			handshakeHeaderName: []string{base64.StdEncoding.EncodeToString(init)},
+		}.Encode(),
+	}
+	wsConn, _, err := websocket.Dial(ctx, wsURL.String(), &websocket.DialOptions{
+		Subprotocols: []string{upgradeHeaderValue},
+	})
+	if err != nil {
+		return nil, err
+	}
+	netConn := wsconn.New(wsConn)
+	cbConn, err := cont(ctx, netConn)
+	if err != nil {
+		netConn.Close()
+		return nil, err
+	}
+	return cbConn, nil
+
+}

control/controlhttp/constants.go

@@ -0,0 +1,20 @@
+// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package controlhttp
+
+const (
+	// upgradeHeader is the value of the Upgrade HTTP header used to
+	// indicate the Tailscale control protocol.
+	upgradeHeaderValue = "tailscale-control-protocol"
+
+	// handshakeHeaderName is the HTTP request header that can
+	// optionally contain base64-encoded initial handshake
+	// payload, to save an RTT.
+	handshakeHeaderName = "X-Tailscale-Handshake"
+
+	// serverUpgradePath is where the server-side HTTP handler to
+	// to do the protocol switch is located.
+	serverUpgradePath = "/ts2021"
+)

control/controlhttp/http_test.go

@@ -17,22 +17,36 @@ import (
 	"strconv"
 	"sync"
 	"testing"
+	"time"
 
 	"tailscale.com/control/controlbase"
 	"tailscale.com/net/socks5"
+	"tailscale.com/net/tsdial"
 	"tailscale.com/types/key"
 )
 
+type httpTestParam struct {
+	name  string
+	proxy proxy
+
+	// makeHTTPHangAfterUpgrade makes the HTTP response hang after sending a
+	// 101 switching protocols.
+	makeHTTPHangAfterUpgrade bool
+}
+
 func TestControlHTTP(t *testing.T) {
-	tests := []struct {
-		name  string
-		proxy proxy
-	}{
+	tests := []httpTestParam{
 		// direct connection
 		{
 			name:  "no_proxy",
 			proxy: nil,
 		},
+		// direct connection but port 80 is MITM'ed and broken
+		{
+			name:                     "port80_broken_mitm",
+			proxy:                    nil,
+			makeHTTPHangAfterUpgrade: true,
+		},
 		// SOCKS5
 		{
 			name:  "socks5",
@@ -96,14 +110,16 @@ func TestControlHTTP(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			testControlHTTP(t, test.proxy)
+			testControlHTTP(t, test)
 		})
 	}
 }
 
-func testControlHTTP(t *testing.T, proxy proxy) {
+func testControlHTTP(t *testing.T, param httpTestParam) {
+	proxy := param.proxy
 	client, server := key.NewMachine(), key.NewMachine()
 
+	const testProtocolVersion = 1
 	sch := make(chan serverResult, 1)
 	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		conn, err := AcceptHTTP(context.Background(), w, r, server)
@@ -131,7 +147,11 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 		t.Fatalf("HTTPS listen: %v", err)
 	}
 
-	httpServer := &http.Server{Handler: handler}
+	var httpHandler http.Handler = handler
+	if param.makeHTTPHangAfterUpgrade {
+		httpHandler = http.HandlerFunc(brokenMITMHandler)
+	}
+	httpServer := &http.Server{Handler: httpHandler}
 	go httpServer.Serve(httpLn)
 	defer httpServer.Close()
 
@@ -142,17 +162,24 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 	go httpsServer.ServeTLS(httpsLn, "", "")
 	defer httpsServer.Close()
 
-	//ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	//defer cancel()
+	ctx := context.Background()
+	const debugTimeout = false
+	if debugTimeout {
+		var cancel context.CancelFunc
+		ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+	}
 
 	a := dialParams{
-		ctx:         context.Background(), //ctx,
-		host:        "localhost",
-		httpPort:    strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
-		httpsPort:   strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
-		machineKey:  client,
-		controlKey:  server.Public(),
-		insecureTLS: true,
+		host:              "localhost",
+		httpPort:          strconv.Itoa(httpLn.Addr().(*net.TCPAddr).Port),
+		httpsPort:         strconv.Itoa(httpsLn.Addr().(*net.TCPAddr).Port),
+		machineKey:        client,
+		controlKey:        server.Public(),
+		version:           testProtocolVersion,
+		insecureTLS:       true,
+		dialer:            new(tsdial.Dialer).SystemDial,
+		testFallbackDelay: 50 * time.Millisecond,
 	}
 
 	if proxy != nil {
@@ -171,7 +198,7 @@ func testControlHTTP(t *testing.T, proxy proxy) {
 		}
 	}
 
-	conn, err := a.dial()
+	conn, err := a.dial(ctx)
 	if err != nil {
 		t.Fatalf("dialing controlhttp: %v", err)
 	}
@@ -213,6 +240,7 @@ type proxy interface {
 
 type socksProxy struct {
 	sync.Mutex
+	closed          bool
 	proxy           socks5.Server
 	ln              net.Listener
 	clientConnAddrs map[string]bool // addrs of the local end of outgoing conns from proxy
@@ -228,7 +256,14 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 	}
 	s.ln = ln
 	s.clientConnAddrs = map[string]bool{}
-	s.proxy.Logf = t.Logf
+	s.proxy.Logf = func(format string, a ...any) {
+		s.Lock()
+		defer s.Unlock()
+		if s.closed {
+			return
+		}
+		t.Logf(format, a...)
+	}
 	s.proxy.Dialer = s.dialAndRecord
 	go s.proxy.Serve(ln)
 	return fmt.Sprintf("socks5://%s", ln.Addr().String())
@@ -237,6 +272,10 @@ func (s *socksProxy) Start(t *testing.T) (url string) {
 func (s *socksProxy) Close() {
 	s.Lock()
 	defer s.Unlock()
+	if s.closed {
+		return
+	}
+	s.closed = true
 	s.ln.Close()
 }
 
@@ -396,3 +435,11 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		Certificates: []tls.Certificate{cert},
 	}
 }
+
+func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Upgrade", upgradeHeaderValue)
+	w.Header().Set("Connection", "upgrade")
+	w.WriteHeader(http.StatusSwitchingProtocols)
+	w.(http.Flusher).Flush()
+	<-r.Context().Done()
+}

control/controlhttp/server.go

@@ -5,15 +5,16 @@
 package controlhttp
 
 import (
-	"bufio"
 	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"net"
 	"net/http"
 
+	"nhooyr.io/websocket"
 	"tailscale.com/control/controlbase"
+	"tailscale.com/net/netutil"
+	"tailscale.com/net/wsconn"
 	"tailscale.com/types/key"
 )
 
@@ -28,6 +29,9 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri
 		http.Error(w, "missing next protocol", http.StatusBadRequest)
 		return nil, errors.New("no next protocol in HTTP request")
 	}
+	if next == "websocket" {
+		return acceptWebsocket(ctx, w, r, private)
+	}
 	if next != upgradeHeaderValue {
 		http.Error(w, "unknown next protocol", http.StatusBadRequest)
 		return nil, fmt.Errorf("client requested unhandled next protocol %q", next)
@@ -62,9 +66,7 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri
 		conn.Close()
 		return nil, fmt.Errorf("flushing hijacked HTTP buffer: %w", err)
 	}
-	if brw.Reader.Buffered() > 0 {
-		conn = &drainBufConn{conn, brw.Reader}
-	}
+	conn = netutil.NewDrainBufConn(conn, brw.Reader)
 
 	nc, err := controlbase.Server(ctx, conn, private, init)
 	if err != nil {
@@ -75,21 +77,41 @@ func AcceptHTTP(ctx context.Context, w http.ResponseWriter, r *http.Request, pri
 	return nc, nil
 }
 
-// drainBufConn is a net.Conn with an initial bunch of bytes in a
-// bufio.Reader. Read drains the bufio.Reader until empty, then passes
-// through subsequent reads to the Conn directly.
-type drainBufConn struct {
-	net.Conn
-	r *bufio.Reader
-}
+// acceptWebsocket upgrades a WebSocket connection (from a client that cannot
+// speak HTTP) to a Tailscale control protocol base transport connection.
+func acceptWebsocket(ctx context.Context, w http.ResponseWriter, r *http.Request, private key.MachinePrivate) (*controlbase.Conn, error) {
+	c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
+		Subprotocols:   []string{upgradeHeaderValue},
+		OriginPatterns: []string{"*"},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("Could not accept WebSocket connection %v", err)
+	}
+	if c.Subprotocol() != upgradeHeaderValue {
+		c.Close(websocket.StatusPolicyViolation, "client must speak the control subprotocol")
+		return nil, fmt.Errorf("Unexpected subprotocol %q", c.Subprotocol())
+	}
+	if err := r.ParseForm(); err != nil {
+		c.Close(websocket.StatusPolicyViolation, "Could not parse parameters")
+		return nil, fmt.Errorf("parse query parameters: %v", err)
+	}
+	initB64 := r.Form.Get(handshakeHeaderName)
+	if initB64 == "" {
+		c.Close(websocket.StatusPolicyViolation, "missing Tailscale handshake parameter")
+		return nil, errors.New("no tailscale handshake parameter in HTTP request")
+	}
+	init, err := base64.StdEncoding.DecodeString(initB64)
+	if err != nil {
+		c.Close(websocket.StatusPolicyViolation, "invalid tailscale handshake parameter")
+		return nil, fmt.Errorf("decoding base64 handshake parameter: %v", err)
+	}
 
-func (b *drainBufConn) Read(bs []byte) (int, error) {
-	if b.r == nil {
-		return b.Conn.Read(bs)
+	conn := wsconn.New(c)
+	nc, err := controlbase.Server(ctx, conn, private, init)
+	if err != nil {
+		conn.Close()
+		return nil, fmt.Errorf("noise handshake failed: %w", err)
 	}
-	n, err := b.r.Read(bs)
-	if b.r.Buffered() == 0 {
-		b.r = nil
-	}
-	return n, err
+
+	return nc, nil
 }