tmp: introduce wire/user/safe mtu

tmp: more callmemaybe debugging
tmp: add both kinds of mtu to printout of probe
2023-08-07 23:05:24 +02:00 · 2023-08-07 21:04:10 +02:00 · 2023-08-04 11:02:07 +02:00 · 2023-08-03 18:03:26 +02:00 · 2023-08-02 15:34:19 +02:00 · 2023-08-02 15:34:00 +02:00
199 changed files with 3863 additions and 10008 deletions
--- a/.github/workflows/installer.yml
+++ b/.github/workflows/installer.yml
@@ -78,7 +78,7 @@ jobs:
        || contains(matrix.image, 'amazonlinux')
    - name: install dependencies (zypper)
      # tar and gzip are needed by the actions/checkout below.
-      run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
+      run: zypper --non-interactive install tar gzip
      if: contains(matrix.image, 'opensuse')
    - name: install dependencies (apt-get)
      run: |
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -144,7 +144,7 @@ jobs:
      # Don't use -bench=. -benchtime=1x.
      # Somewhere in the layers (powershell?)
      # the equals signs cause great confusion.
-      run: go run ./cmd/testwrapper ./... -bench . -benchtime 1x
+      run: go test -bench . -benchtime 1x ./...

  vm:
    runs-on: ["self-hosted", "linux", "vm"]
--- a/.gitignore
+++ b/.gitignore
@@ -35,10 +35,5 @@ cmd/tailscaled/tailscaled
 # Ignore direnv nix-shell environment cache
 .direnv/

-# Ignore web client node modules
-.vite/
-client/web/node_modules
-client/web/build
-
 /gocross
 /dist
--- a/2
+++ b/2
@@ -31,7 +31,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.21-alpine AS build-env
+FROM golang:1.20-alpine AS build-env

 WORKDIR /go/src/tailscale

--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ not open source.

 ## Building

-We always require the latest Go release, currently Go 1.21. (While we build
+We always require the latest Go release, currently Go 1.20. (While we build
 releases with our [Go fork](https://github.com/tailscale/go/), its use is not
 required.)

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.49.0
+1.47.0
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -10,7 +10,6 @@ import "tailscale.com/tailcfg"
 const LocalAPIHost = "local-tailscaled.sock"

 // WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-// In successful whois responses, Node and UserProfile are never nil.
 type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile
--- a/client/tailscale/apitype/controltype.go
+++ b/client/tailscale/apitype/controltype.go
@@ -10,7 +10,6 @@ type DNSConfig struct {
 	Domains           []string                 `json:"domains"`
 	Nameservers       []string                 `json:"nameservers"`
 	Proxied           bool                     `json:"proxied"`
-	DNSFilterURL      string                   `json:"DNSFilterURL"`
 }

 type DNSResolver struct {
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -259,28 +259,6 @@ func (lc *LocalClient) DaemonMetrics(ctx context.Context) ([]byte, error) {
 	return lc.get200(ctx, "/localapi/v0/metrics")
 }

-// IncrementCounter increments the value of a Tailscale daemon's counter
-// metric by the given delta. If the metric has yet to exist, a new counter
-// metric is created and initialized to delta.
-//
-// IncrementCounter does not support gauge metrics or negative delta values.
-func (lc *LocalClient) IncrementCounter(ctx context.Context, name string, delta int) error {
-	type metricUpdate struct {
-		Name  string `json:"name"`
-		Type  string `json:"type"`
-		Value int    `json:"value"` // amount to increment by
-	}
-	if delta < 0 {
-		return errors.New("negative delta not allowed")
-	}
-	_, err := lc.send(ctx, "POST", "/localapi/v0/upload-client-metrics", 200, jsonBody([]metricUpdate{{
-		Name:  name,
-		Type:  "counter",
-		Value: delta,
-	}}))
-	return err
-}
-
 // TailDaemonLogs returns a stream the Tailscale daemon's logs as they arrive.
 // Close the context to stop the stream.
 func (lc *LocalClient) TailDaemonLogs(ctx context.Context) (io.Reader, error) {
@@ -829,25 +807,16 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str
 	return "", false
 }

-// PingOpts contains options for the ping request.
+// Ping sends a ping of the provided type and size to the provided IP and waits
+// for its response.
 //
-// The zero value is valid, which means to use defaults.
-type PingOpts struct {
-	// Size is the length of the ping message in bytes. It's ignored if it's
-	// smaller than the minimum message size.
-	//
-	// For disco pings, it specifies the length of the packet's payload. That
-	// is, it includes the disco headers and message, but not the IP and UDP
-	// headers.
-	Size int
-}
-
-// Ping sends a ping of the provided type to the provided IP and waits
-// for its response. The opts type specifies additional options.
-func (lc *LocalClient) PingWithOpts(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType, opts PingOpts) (*ipnstate.PingResult, error) {
+// For disco pings, the size argument specifies the length of the packet's payload, that
+// is, including the disco headers and message, but not including the IP and UDP headers.
+// If size is smaller than the minimum message size it's ignored.
+func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType, size int) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
-	v.Set("size", strconv.Itoa(opts.Size))
+	v.Set("size", strconv.Itoa(size))
 	v.Set("type", string(pingtype))
 	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
 	if err != nil {
@@ -856,12 +825,6 @@ func (lc *LocalClient) PingWithOpts(ctx context.Context, ip netip.Addr, pingtype
 	return decodeJSON[*ipnstate.PingResult](body)
 }

-// Ping sends a ping of the provided type to the provided IP and waits
-// for its response.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
-	return lc.PingWithOpts(ctx, ip, pingtype, PingOpts{})
-}
-
 // NetworkLockStatus fetches information about the tailnet key authority, if one is configured.
 func (lc *LocalClient) NetworkLockStatus(ctx context.Context) (*ipnstate.NetworkLockStatus, error) {
 	body, err := lc.send(ctx, "GET", "/localapi/v0/tka/status", 200, nil)
@@ -1003,42 +966,6 @@ func (lc *LocalClient) NetworkLockVerifySigningDeeplink(ctx context.Context, url
 	return decodeJSON[*tka.DeeplinkValidationResult](body)
 }

-// NetworkLockGenRecoveryAUM generates an AUM for recovering from a tailnet-lock key compromise.
-func (lc *LocalClient) NetworkLockGenRecoveryAUM(ctx context.Context, removeKeys []tkatype.KeyID, forkFrom tka.AUMHash) ([]byte, error) {
-	vr := struct {
-		Keys     []tkatype.KeyID
-		ForkFrom string
-	}{removeKeys, forkFrom.String()}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/generate-recovery-aum", 200, jsonBody(vr))
-	if err != nil {
-		return nil, fmt.Errorf("sending generate-recovery-aum: %w", err)
-	}
-
-	return body, nil
-}
-
-// NetworkLockCosignRecoveryAUM co-signs a recovery AUM using the node's tailnet lock key.
-func (lc *LocalClient) NetworkLockCosignRecoveryAUM(ctx context.Context, aum tka.AUM) ([]byte, error) {
-	r := bytes.NewReader(aum.Serialize())
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/cosign-recovery-aum", 200, r)
-	if err != nil {
-		return nil, fmt.Errorf("sending cosign-recovery-aum: %w", err)
-	}
-
-	return body, nil
-}
-
-// NetworkLockSubmitRecoveryAUM submits a recovery AUM to the control plane.
-func (lc *LocalClient) NetworkLockSubmitRecoveryAUM(ctx context.Context, aum tka.AUM) error {
-	r := bytes.NewReader(aum.Serialize())
-	_, err := lc.send(ctx, "POST", "/localapi/v0/tka/submit-recovery-aum", 200, r)
-	if err != nil {
-		return fmt.Errorf("sending cosign-recovery-aum: %w", err)
-	}
-	return nil
-}
-
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
@@ -1166,27 +1093,6 @@ func (lc *LocalClient) DeleteProfile(ctx context.Context, profile ipn.ProfileID)
 	return err
 }

-// QueryFeature makes a request for instructions on how to enable
-// a feature, such as Funnel, for the node's tailnet. If relevant,
-// this includes a control server URL the user can visit to enable
-// the feature.
-//
-// If you are looking to use QueryFeature, you'll likely want to
-// use cli.enableFeatureInteractive instead, which handles the logic
-// of wraping QueryFeature and translating its response into an
-// interactive flow for the user, including using the IPN notify bus
-// to block until the feature has been enabled.
-//
-// 2023-08-09: Valid feature values are "serve" and "funnel".
-func (lc *LocalClient) QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error) {
-	v := url.Values{"feature": {feature}}
-	body, err := lc.send(ctx, "POST", "/localapi/v0/query-feature?"+v.Encode(), 200, nil)
-	if err != nil {
-		return nil, fmt.Errorf("error %w: %s", err, body)
-	}
-	return decodeJSON[*tailcfg.QueryFeatureResponse](body)
-}
-
 func (lc *LocalClient) DebugDERPRegion(ctx context.Context, regionIDOrCode string) (*ipnstate.DebugDERPRegionReport, error) {
 	v := url.Values{"region": {regionIDOrCode}}
 	body, err := lc.send(ctx, "POST", "/localapi/v0/debug-derp-region?"+v.Encode(), 200, nil)
--- a/client/tailscale/required_version.go
+++ b/client/tailscale/required_version.go
@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !go1.21
+//go:build !go1.20

 package tailscale

 func init() {
-	you_need_Go_1_21_to_compile_Tailscale()
+	you_need_Go_1_20_to_compile_Tailscale()
 }
--- a/client/web/dev.go
+++ b/client/web/dev.go
@@ -1,75 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-)
-
-// startDevServer starts the JS dev server that does on-demand rebuilding
-// and serving of web client JS and CSS resources.
-func (s *Server) startDevServer() (cleanup func()) {
-	root := gitRootDir()
-	webClientPath := filepath.Join(root, "client", "web")
-
-	yarn := filepath.Join(root, "tool", "yarn")
-	node := filepath.Join(root, "tool", "node")
-	vite := filepath.Join(webClientPath, "node_modules", ".bin", "vite")
-
-	log.Printf("installing JavaScript deps using %s... (might take ~30s)", yarn)
-	out, err := exec.Command(yarn, "--non-interactive", "-s", "--cwd", webClientPath, "install").CombinedOutput()
-	if err != nil {
-		log.Fatalf("error running tailscale web's yarn install: %v, %s", err, out)
-	}
-	log.Printf("starting JavaScript dev server...")
-	cmd := exec.Command(node, vite)
-	cmd.Dir = webClientPath
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Start(); err != nil {
-		log.Fatalf("Starting JS dev server: %v", err)
-	}
-	log.Printf("JavaScript dev server running as pid %d", cmd.Process.Pid)
-	return func() {
-		cmd.Process.Signal(os.Interrupt)
-		err := cmd.Wait()
-		log.Printf("JavaScript dev server exited: %v", err)
-	}
-}
-
-func (s *Server) addProxyToDevServer() {
-	if !s.devMode {
-		return // only using Vite proxy in dev mode
-	}
-	// We use Vite to develop on the web client.
-	// Vite starts up its own local server for development,
-	// which we proxy requests to from Server.ServeHTTP.
-	// Here we set up the proxy to Vite's server.
-	handleErr := func(w http.ResponseWriter, r *http.Request, err error) {
-		w.Header().Set("Content-Type", "text/plain")
-		w.WriteHeader(http.StatusBadGateway)
-		w.Write([]byte("The web client development server isn't running. " +
-			"Run `./tool/yarn --cwd client/web start` from " +
-			"the repo root to start the development server."))
-		w.Write([]byte("\n\nError: " + err.Error()))
-	}
-	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
-	s.devProxy = httputil.NewSingleHostReverseProxy(viteTarget)
-	s.devProxy.ErrorHandler = handleErr
-}
-
-func gitRootDir() string {
-	top, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
-	if err != nil {
-		log.Fatalf("failed to find git top level (not in corp git?): %v", err)
-	}
-	return strings.TrimSpace(string(top))
-}
--- a/client/web/index.html
+++ b/client/web/index.html
@@ -1,29 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-  <head>
-    <title>Tailscale</title>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-    <link rel="stylesheet" type="text/css" href="/src/index.css" />
-  </head>
-  <body>
-    <div class="min-h-screen py-10 flex justify-center items-center" style="display: none">
-      <div class="max-w-md">
-        <h3 class="font-semibold text-lg mb-4">Your web browser is unsupported.</h3>
-        <p class="mb-2">
-          Update to a modern browser to access the Tailscale web client. You can use
-          <a class="link" href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>,
-          <a class="link" href="https://www.microsoft.com/en-us/edge" target="_blank">Edge</a>,
-          <a class="link" href="https://www.apple.com/safari/" target="_blank">Safari</a>,
-          or <a class="link" href="https://www.google.com/chrome/" target="_blank">Chrome</a>.</p>
-        <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a></p>
-      </div>
-    </div>
-    <noscript>
-      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
-      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
-    </noscript>
-    <script type="module" src="/src/index.tsx"></script>
-  </body>
-</html>
--- a/client/web/package.json
+++ b/client/web/package.json
@@ -1,42 +0,0 @@
-{
-  "name": "webclient",
-  "version": "0.0.1",
-  "license": "BSD-3-Clause",
-  "engines": {
-    "node": "18.16.1",
-    "yarn": "1.22.19"
-  },
-  "private": true,
-  "dependencies": {
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0"
-  },
-  "devDependencies": {
-    "@types/react": "^18.0.20",
-    "@types/react-dom": "^18.0.6",
-    "@vitejs/plugin-react-swc": "^3.3.2",
-    "autoprefixer": "^10.4.15",
-    "postcss": "^8.4.27",
-    "prettier": "^2.5.1",
-    "prettier-plugin-organize-imports": "^3.2.2",
-    "tailwindcss": "^3.3.3",
-    "typescript": "^4.7.4",
-    "vite": "^4.3.9",
-    "vite-plugin-rewrite-all": "^1.0.1",
-    "vite-plugin-svgr": "^3.2.0",
-    "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^0.32.0"
-  },
-  "scripts": {
-    "build": "vite build",
-    "start": "vite",
-    "lint": "tsc --noEmit",
-    "test": "vitest",
-    "format": "prettier --write 'src/**/*.{ts,tsx}'",
-    "format-check": "prettier --check 'src/**/*.{ts,tsx}'"
-  },
-  "prettier": {
-    "semi": false,
-    "printWidth": 80
-  }
-}
--- a/client/web/postcss.config.js
+++ b/client/web/postcss.config.js
@@ -1,6 +0,0 @@
-module.exports = {
-  plugins: {
-    tailwindcss: {},
-    autoprefixer: {},
-  },
-}
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -1,25 +0,0 @@
-import React from "react"
-import { Footer, Header, IP, State } from "src/components/legacy"
-import useNodeData from "src/hooks/node-data"
-
-export default function App() {
-  const data = useNodeData()
-
-  return (
-    <div className="py-14">
-      {!data ? (
-        // TODO(sonia): add a loading view
-        <div className="text-center">Loading...</div>
-      ) : (
-        <>
-          <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
-            <Header data={data} />
-            <IP data={data} />
-            <State data={data} />
-          </main>
-          <Footer data={data} />
-        </>
-      )}
-    </div>
-  )
-}
--- a/client/web/src/components/legacy.tsx
+++ b/client/web/src/components/legacy.tsx
@@ -1,272 +0,0 @@
-import React from "react"
-import { NodeData } from "src/hooks/node-data"
-
-// TODO(tailscale/corp#13775): legacy.tsx contains a set of components
-// that (crudely) implement the pre-2023 web client. These are implemented
-// purely to ease migration to the new React-based web client, and will
-// eventually be completely removed.
-
-export function Header(props: { data: NodeData }) {
-  const { data } = props
-
-  return (
-    <header className="flex justify-between items-center min-width-0 py-2 mb-8">
-      <svg
-        width="26"
-        height="26"
-        viewBox="0 0 23 23"
-        fill="none"
-        xmlns="http://www.w3.org/2000/svg"
-        className="flex-shrink-0 mr-4"
-      >
-        <circle
-          opacity="0.2"
-          cx="3.4"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="3.4"
-          cy="19.5"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="11.5"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle
-          opacity="0.2"
-          cx="19.5"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="19.5"
-          cy="19.5"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-      </svg>
-      <div className="flex items-center justify-end space-x-2 w-2/3">
-        {data.Profile && (
-          <>
-            <div className="text-right w-full leading-4">
-              <h4 className="truncate leading-normal">
-                {data.Profile.LoginName}
-              </h4>
-              <div className="text-xs text-gray-500 text-right">
-                <a href="#" className="hover:text-gray-700 js-loginButton">
-                  Switch account
-                </a>{" "}
-                |{" "}
-                <a href="#" className="hover:text-gray-700 js-loginButton">
-                  Reauthenticate
-                </a>{" "}
-                |{" "}
-                <a href="#" className="hover:text-gray-700 js-logoutButton">
-                  Logout
-                </a>
-              </div>
-            </div>
-            <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-              {data.Profile.ProfilePicURL ? (
-                <div
-                  className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-                  style={{
-                    backgroundImage: `url(${data.Profile.ProfilePicURL})`,
-                    backgroundSize: "cover",
-                  }}
-                />
-              ) : (
-                <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
-              )}
-            </div>
-          </>
-        )}
-      </div>
-    </header>
-  )
-}
-
-export function IP(props: { data: NodeData }) {
-  const { data } = props
-
-  if (!data.IP) {
-    return null
-  }
-
-  return (
-    <>
-      <div className="border border-gray-200 bg-gray-50 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
-        <div className="flex items-center min-width-0">
-          <svg
-            className="flex-shrink-0 text-gray-600 mr-3 ml-1"
-            xmlns="http://www.w3.org/2000/svg"
-            width="20"
-            height="20"
-            viewBox="0 0 24 24"
-            fill="none"
-            stroke="currentColor"
-            strokeWidth="2"
-            strokeLinecap="round"
-            strokeLinejoin="round"
-          >
-            <rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-            <rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-            <line x1="6" y1="6" x2="6.01" y2="6"></line>
-            <line x1="6" y1="18" x2="6.01" y2="18"></line>
-          </svg>
-          <div>
-            <h4 className="font-semibold truncate mr-2">{data.DeviceName}</h4>
-          </div>
-        </div>
-        <h5>{data.IP}</h5>
-      </div>
-      <p className="mt-1 ml-1 mb-6 text-xs text-gray-600">
-        Debug info: Tailscale {data.IPNVersion}, tun={data.TUNMode.toString()}
-        {data.IsSynology && (
-          <>
-            , DSM{data.DSMVersion}
-            {data.TUNMode || (
-              <>
-                {" "}
-                (
-                <a
-                  href="https://tailscale.com/kb/1152/synology-outbound/"
-                  className="link-underline text-gray-600"
-                  target="_blank"
-                  aria-label="Configure outbound synology traffic"
-                  rel="noopener noreferrer"
-                >
-                  outgoing access not configured
-                </a>
-                )
-              </>
-            )}
-          </>
-        )}
-      </p>
-    </>
-  )
-}
-
-export function State(props: { data: NodeData }) {
-  const { data } = props
-
-  switch (data.Status) {
-    case "NeedsLogin":
-    case "NoState":
-      if (data.IP) {
-        return (
-          <>
-            <div className="mb-6">
-              <p className="text-gray-700">
-                Your device's key has expired. Reauthenticate this device by
-                logging in again, or{" "}
-                <a
-                  href="https://tailscale.com/kb/1028/key-expiry"
-                  className="link"
-                  target="_blank"
-                >
-                  learn more
-                </a>
-                .
-              </p>
-            </div>
-            <a href="#" className="mb-4 js-loginButton" target="_blank">
-              <button className="button button-blue w-full">
-                Reauthenticate
-              </button>
-            </a>
-          </>
-        )
-      } else {
-        return (
-          <>
-            <div className="mb-6">
-              <h3 className="text-3xl font-semibold mb-3">Log in</h3>
-              <p className="text-gray-700">
-                Get started by logging in to your Tailscale network.
-                Or,&nbsp;learn&nbsp;more at{" "}
-                <a
-                  href="https://tailscale.com/"
-                  className="link"
-                  target="_blank"
-                >
-                  tailscale.com
-                </a>
-                .
-              </p>
-            </div>
-            <a href="#" className="mb-4 js-loginButton" target="_blank">
-              <button className="button button-blue w-full">Log In</button>
-            </a>
-          </>
-        )
-      }
-    case "NeedsMachineAuth":
-      return (
-        <div className="mb-4">
-          This device is authorized, but needs approval from a network admin
-          before it can connect to the network.
-        </div>
-      )
-    default:
-      return (
-        <>
-          <div className="mb-4">
-            <p>
-              You are connected! Access this device over Tailscale using the
-              device name or IP address above.
-            </p>
-          </div>
-          <div className="mb-4">
-            <a href="#" className="mb-4 js-advertiseExitNode">
-              {data.AdvertiseExitNode ? (
-                <button
-                  className="button button-red button-medium"
-                  id="enabled"
-                >
-                  Stop advertising Exit Node
-                </button>
-              ) : (
-                <button
-                  className="button button-blue button-medium"
-                  id="enabled"
-                >
-                  Advertise as Exit Node
-                </button>
-              )}
-            </a>
-          </div>
-        </>
-      )
-  }
-}
-
-export function Footer(props: { data: NodeData }) {
-  const { data } = props
-
-  return (
-    <footer className="container max-w-lg mx-auto text-center">
-      <a
-        className="text-xs text-gray-500 hover:text-gray-600"
-        href={data.LicensesURL}
-      >
-        Open Source Licenses
-      </a>
-    </footer>
-  )
-}
--- a/client/web/src/hooks/node-data.ts
+++ b/client/web/src/hooks/node-data.ts
@@ -1,37 +0,0 @@
-import { useEffect, useState } from "react"
-
-export type NodeData = {
-  Profile: UserProfile
-  Status: string
-  DeviceName: string
-  IP: string
-  AdvertiseExitNode: boolean
-  AdvertiseRoutes: string
-  LicensesURL: string
-  TUNMode: boolean
-  IsSynology: boolean
-  DSMVersion: number
-  IsUnraid: boolean
-  UnraidToken: string
-  IPNVersion: string
-}
-
-export type UserProfile = {
-  LoginName: string
-  DisplayName: string
-  ProfilePicURL: string
-}
-
-// useNodeData returns basic data about the current node.
-export default function useNodeData() {
-  const [data, setData] = useState<NodeData>()
-
-  useEffect(() => {
-    fetch("/api/data")
-      .then((response) => response.json())
-      .then((json) => setData(json))
-      .catch((error) => console.error(error))
-  }, [])
-
-  return data
-}
--- a/client/web/src/index.css
+++ b/client/web/src/index.css
@@ -1,130 +0,0 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
-/**
- * Non-Tailwind styles begin here.
- */
-
-.bg-gray-0 {
-  --tw-bg-opacity: 1;
-  background-color: rgba(250, 249, 248, var(--tw-bg-opacity));
-}
-
-.bg-gray-50 {
-  --tw-bg-opacity: 1;
-  background-color: rgba(249, 247, 246, var(--tw-bg-opacity));
-}
-
-html {
-  letter-spacing: -0.015em;
-  text-rendering: optimizeLegibility;
-  -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-}
-
-.link {
-  --text-opacity: 1;
-  color: #4b70cc;
-  color: rgba(75, 112, 204, var(--text-opacity));
-}
-
-.link:hover,
-.link:active {
-  --text-opacity: 1;
-  color: #19224a;
-  color: rgba(25, 34, 74, var(--text-opacity));
-}
-
-.link-underline {
-  text-decoration: underline;
-}
-
-.link-underline:hover,
-.link-underline:active {
-  text-decoration: none;
-}
-
-.link-muted {
-  /* same as text-gray-500 */
-  --tw-text-opacity: 1;
-  color: rgba(112, 110, 109, var(--tw-text-opacity));
-}
-
-.link-muted:hover,
-.link-muted:active {
-  /* same as text-gray-500 */
-  --tw-text-opacity: 1;
-  color: rgba(68, 67, 66, var(--tw-text-opacity));
-}
-
-.button {
-  font-weight: 500;
-  padding-top: 0.45rem;
-  padding-bottom: 0.45rem;
-  padding-left: 1rem;
-  padding-right: 1rem;
-  border-radius: 0.375rem;
-  border-width: 1px;
-  border-color: transparent;
-  transition-property: background-color, border-color, color, box-shadow;
-  transition-duration: 120ms;
-  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.04);
-  min-width: 80px;
-}
-
-.button:focus {
-  outline: 0;
-  box-shadow: 0 0 0 3px rgba(66, 153, 225, 0.5);
-}
-
-.button:disabled {
-  cursor: not-allowed;
-  -webkit-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
-}
-
-.button-blue {
-  --bg-opacity: 1;
-  background-color: #4b70cc;
-  background-color: rgba(75, 112, 204, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #4b70cc;
-  border-color: rgba(75, 112, 204, var(--border-opacity));
-  --text-opacity: 1;
-  color: #fff;
-  color: rgba(255, 255, 255, var(--text-opacity));
-}
-
-.button-blue:enabled:hover {
-  --bg-opacity: 1;
-  background-color: #3f5db3;
-  background-color: rgba(63, 93, 179, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #3f5db3;
-  border-color: rgba(63, 93, 179, var(--border-opacity));
-}
-
-.button-blue:disabled {
-  --text-opacity: 1;
-  color: #cedefd;
-  color: rgba(206, 222, 253, var(--text-opacity));
-  --bg-opacity: 1;
-  background-color: #6c94ec;
-  background-color: rgba(108, 148, 236, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #6c94ec;
-  border-color: rgba(108, 148, 236, var(--border-opacity));
-}
-
-.button-red {
-  background-color: #d04841;
-  border-color: #d04841;
-  color: #fff;
-}
-
-.button-red:enabled:hover {
-  background-color: #b22d30;
-  border-color: #b22d30;
-}
--- a/client/web/src/index.tsx
+++ b/client/web/src/index.tsx
@@ -1,16 +0,0 @@
-import React from "react"
-import { createRoot } from "react-dom/client"
-import App from "src/components/app"
-
-const rootEl = document.createElement("div")
-rootEl.id = "app-root"
-rootEl.classList.add("relative", "z-0")
-document.body.append(rootEl)
-
-const root = createRoot(rootEl)
-
-root.render(
-  <React.StrictMode>
-    <App />
-  </React.StrictMode>
-)
--- a/client/web/tailwind.config.js
+++ b/client/web/tailwind.config.js
@@ -1,12 +0,0 @@
-/** @type {import('tailwindcss').Config} */
-module.exports = {
-  content: [
-    "./index.html",
-    "./src/**/*.{js,ts,jsx,tsx}",
-  ],
-  theme: {
-    extend: {},
-  },
-  plugins: [],
-}
-
--- a/client/web/tsconfig.json
+++ b/client/web/tsconfig.json
@@ -1,16 +0,0 @@
-{
-  "compilerOptions": {
-    "baseUrl": ".",
-    "target": "ES2017",
-    "module": "ES2020",
-    "strict": true,
-    "sourceMap": true,
-    "isolatedModules": true,
-    "moduleResolution": "node",
-    "forceConsistentCasingInFileNames": true,
-    "allowSyntheticDefaultImports": true,
-    "jsx": "react",
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules"]
-}
--- a/client/web/vite.config.ts
+++ b/client/web/vite.config.ts
@@ -1,69 +0,0 @@
-/// <reference types="vitest" />
-import { createLogger, defineConfig } from "vite"
-import rewrite from "vite-plugin-rewrite-all"
-import svgr from "vite-plugin-svgr"
-import paths from "vite-tsconfig-paths"
-
-// Use a custom logger that filters out Vite's logging of server URLs, since
-// they are an attractive nuisance (we run a proxy in front of Vite, and the
-// tailscale web client should be accessed through that).
-// Unfortunately there's no option to disable this logging, so the best we can
-// do it to ignore calls from a specific function.
-const filteringLogger = createLogger(undefined, { allowClearScreen: false })
-const originalInfoLog = filteringLogger.info
-filteringLogger.info = (...args) => {
-  if (new Error("ignored").stack?.includes("printServerUrls")) {
-    return
-  }
-  originalInfoLog.apply(filteringLogger, args)
-}
-
-// https://vitejs.dev/config/
-export default defineConfig({
-  base: "/",
-  plugins: [
-    paths(),
-    svgr(),
-    // By default, the Vite dev server doesn't handle dots
-    // in path names and treats them as static files.
-    // This plugin changes Vite's routing logic to fix this.
-    // See: https://github.com/vitejs/vite/issues/2415
-    rewrite(),
-  ],
-  build: {
-    outDir: "build",
-    sourcemap: true,
-  },
-  esbuild: {
-    logOverride: {
-      // Silence a warning about `this` being undefined in ESM when at the
-      // top-level. The way JSX is transpiled causes this to happen, but it
-      // isn't a problem.
-      // See: https://github.com/vitejs/vite/issues/8644
-      "this-is-undefined-in-esm": "silent",
-    },
-  },
-  server: {
-    // This needs to be 127.0.0.1 instead of localhost, because of how our
-    // Go proxy connects to it.
-    host: "127.0.0.1",
-    // If you change the port, be sure to update the proxy in adminhttp.go too.
-    port: 4000,
-    // Don't proxy the WebSocket connection used for live reloading by running
-    // it on a separate port.
-    hmr: {
-      protocol: "ws",
-      port: 4001,
-    },
-  },
-  test: {
-    exclude: ["**/node_modules/**", "**/dist/**"],
-    testTimeout: 20000,
-    environment: "jsdom",
-    deps: {
-      inline: ["date-fns", /\.wasm\?url$/],
-    },
-  },
-  clearScreen: false,
-  customLogger: filteringLogger,
-})
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -1,529 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package web provides the Tailscale client for web.
-package web
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	_ "embed"
-	"encoding/json"
-	"encoding/xml"
-	"fmt"
-	"html/template"
-	"io"
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/netip"
-	"net/url"
-	"os"
-	"os/exec"
-	"strings"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/licenses"
-	"tailscale.com/net/netutil"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/groupmember"
-	"tailscale.com/util/httpm"
-	"tailscale.com/version/distro"
-)
-
-//go:embed web.html
-var webHTML string
-
-//go:embed web.css
-var webCSS string
-
-//go:embed auth-redirect.html
-var authenticationRedirectHTML string
-
-var tmpl *template.Template
-
-// Server is the backend server for a Tailscale web client.
-type Server struct {
-	lc *tailscale.LocalClient
-
-	devMode  bool
-	devProxy *httputil.ReverseProxy // only filled when devMode is on
-}
-
-// NewServer constructs a new Tailscale web client server.
-//
-// lc is an optional parameter. When not filled, NewServer
-// initializes its own tailscale.LocalClient.
-func NewServer(devMode bool, lc *tailscale.LocalClient) (s *Server, cleanup func()) {
-	if lc == nil {
-		lc = &tailscale.LocalClient{}
-	}
-	s = &Server{
-		devMode: devMode,
-		lc:      lc,
-	}
-	cleanup = func() {}
-	if s.devMode {
-		cleanup = s.startDevServer()
-		s.addProxyToDevServer()
-	}
-	return s, cleanup
-}
-
-func init() {
-	tmpl = template.Must(template.New("web.html").Parse(webHTML))
-	template.Must(tmpl.New("web.css").Parse(webCSS))
-}
-
-// authorize returns the name of the user accessing the web UI after verifying
-// whether the user has access to the web UI. The function will write the
-// error to the provided http.ResponseWriter.
-// Note: This is different from a tailscale user, and is typically the local
-// user on the node.
-func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
-	switch distro.Get() {
-	case distro.Synology:
-		user, err := synoAuthn()
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if err := authorizeSynology(user); err != nil {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	case distro.QNAP:
-		user, resp, err := qnapAuthn(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return "", err
-		}
-		if resp.IsAdmin == 0 {
-			http.Error(w, err.Error(), http.StatusForbidden)
-			return "", err
-		}
-		return user, nil
-	}
-	return "", nil
-}
-
-// authorizeSynology checks whether the provided user has access to the web UI
-// by consulting the membership of the "administrators" group.
-func authorizeSynology(name string) error {
-	yes, err := groupmember.IsMemberOfGroup("administrators", name)
-	if err != nil {
-		return err
-	}
-	if !yes {
-		return fmt.Errorf("not a member of administrators group")
-	}
-	return nil
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}
-
-func synoAuthn() (string, error) {
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return "", fmt.Errorf("auth: %v: %s", err, out)
-	}
-	return strings.TrimSpace(string(out)), nil
-}
-
-func authRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if distro.Get() == distro.Synology {
-		return synoTokenRedirect(w, r)
-	}
-	return false
-}
-
-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if r.Header.Get("X-Syno-Token") != "" {
-		return false
-	}
-	if r.URL.Query().Get("SynoToken") != "" {
-		return false
-	}
-	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
-		return false
-	}
-	// We need a SynoToken for authenticate.cgi.
-	// So we tell the client to get one.
-	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
-	return true
-}
-
-const synoTokenRedirectHTML = `<html><body>
-Redirecting with session token...
-<script>
-var serverURL = window.location.protocol + "//" + window.location.host;
-var req = new XMLHttpRequest();
-req.overrideMimeType("application/json");
-req.open("GET", serverURL + "/webman/login.cgi", true);
-req.onload = function() {
-	var jsonResponse = JSON.parse(req.responseText);
-	var token = jsonResponse["SynoToken"];
-	document.location.href = serverURL + "/webman/3rdparty/Tailscale/?SynoToken=" + token;
-};
-req.send(null);
-</script>
-</body></html>
-`
-
-// ServeHTTP processes all requests for the Tailscale web client.
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if s.devMode {
-		if r.URL.Path == "/api/data" {
-			user, err := authorize(w, r)
-			if err != nil {
-				return
-			}
-			switch r.Method {
-			case httpm.GET:
-				s.serveGetNodeDataJSON(w, r, user)
-			case httpm.POST:
-				s.servePostNodeUpdate(w, r)
-			default:
-				http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-			}
-			return
-		}
-		// When in dev mode, proxy to the Vite dev server.
-		s.devProxy.ServeHTTP(w, r)
-		return
-	}
-
-	if authRedirect(w, r) {
-		return
-	}
-
-	user, err := authorize(w, r)
-	if err != nil {
-		return
-	}
-
-	switch {
-	case r.URL.Path == "/redirect" || r.URL.Path == "/redirect/":
-		io.WriteString(w, authenticationRedirectHTML)
-		return
-	case r.Method == "POST":
-		s.servePostNodeUpdate(w, r)
-		return
-	default:
-		s.serveGetNodeData(w, r, user)
-		return
-	}
-}
-
-type nodeData struct {
-	Profile           tailcfg.UserProfile
-	SynologyUser      string
-	Status            string
-	DeviceName        string
-	IP                string
-	AdvertiseExitNode bool
-	AdvertiseRoutes   string
-	LicensesURL       string
-	TUNMode           bool
-	IsSynology        bool
-	DSMVersion        int // 6 or 7, if IsSynology=true
-	IsUnraid          bool
-	UnraidToken       string
-	IPNVersion        string
-}
-
-func (s *Server) getNodeData(ctx context.Context, user string) (*nodeData, error) {
-	st, err := s.lc.Status(ctx)
-	if err != nil {
-		return nil, err
-	}
-	prefs, err := s.lc.GetPrefs(ctx)
-	if err != nil {
-		return nil, err
-	}
-	profile := st.User[st.Self.UserID]
-	deviceName := strings.Split(st.Self.DNSName, ".")[0]
-	versionShort := strings.Split(st.Version, "-")[0]
-	data := &nodeData{
-		SynologyUser: user,
-		Profile:      profile,
-		Status:       st.BackendState,
-		DeviceName:   deviceName,
-		LicensesURL:  licenses.LicensesURL(),
-		TUNMode:      st.TUN,
-		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:   distro.DSMVersion(),
-		IsUnraid:     distro.Get() == distro.Unraid,
-		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
-		IPNVersion:   versionShort,
-	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
-	for _, r := range prefs.AdvertiseRoutes {
-		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
-			data.AdvertiseExitNode = true
-		} else {
-			if data.AdvertiseRoutes != "" {
-				data.AdvertiseRoutes += ","
-			}
-			data.AdvertiseRoutes += r.String()
-		}
-	}
-	if len(st.TailscaleIPs) != 0 {
-		data.IP = st.TailscaleIPs[0].String()
-	}
-	return data, nil
-}
-
-func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request, user string) {
-	data, err := s.getNodeData(r.Context(), user)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	buf := new(bytes.Buffer)
-	if err := tmpl.Execute(buf, *data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Write(buf.Bytes())
-}
-
-func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request, user string) {
-	data, err := s.getNodeData(r.Context(), user)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	if err := json.NewEncoder(w).Encode(*data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	return
-}
-
-type nodeUpdate struct {
-	AdvertiseRoutes   string
-	AdvertiseExitNode bool
-	Reauthenticate    bool
-	ForceLogout       bool
-}
-
-func (s *Server) servePostNodeUpdate(w http.ResponseWriter, r *http.Request) {
-	defer r.Body.Close()
-
-	st, err := s.lc.Status(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	var postData nodeUpdate
-	type mi map[string]any
-	if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
-		w.WriteHeader(400)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-
-	routes, err := netutil.CalcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-	mp := &ipn.MaskedPrefs{
-		AdvertiseRoutesSet: true,
-		WantRunningSet:     true,
-	}
-	mp.Prefs.WantRunning = true
-	mp.Prefs.AdvertiseRoutes = routes
-	log.Printf("Doing edit: %v", mp.Pretty())
-
-	if _, err := s.lc.EditPrefs(r.Context(), mp); err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	var reauth, logout bool
-	if postData.Reauthenticate {
-		reauth = true
-	}
-	if postData.ForceLogout {
-		logout = true
-	}
-	log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
-	url, err := s.tailscaleUp(r.Context(), st, postData)
-	log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-	if url != "" {
-		json.NewEncoder(w).Encode(mi{"url": url})
-	} else {
-		io.WriteString(w, "{}")
-	}
-	return
-}
-
-func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData nodeUpdate) (authURL string, retErr error) {
-	if postData.ForceLogout {
-		if err := s.lc.Logout(ctx); err != nil {
-			return "", fmt.Errorf("Logout error: %w", err)
-		}
-		return "", nil
-	}
-
-	origAuthURL := st.AuthURL
-	isRunning := st.BackendState == ipn.Running.String()
-
-	forceReauth := postData.Reauthenticate
-	if !forceReauth {
-		if origAuthURL != "" {
-			return origAuthURL, nil
-		}
-		if isRunning {
-			return "", nil
-		}
-	}
-
-	// printAuthURL reports whether we should print out the
-	// provided auth URL from an IPN notify.
-	printAuthURL := func(url string) bool {
-		return url != origAuthURL
-	}
-
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := s.lc.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		return "", err
-	}
-	defer watcher.Close()
-
-	go func() {
-		if !isRunning {
-			s.lc.Start(ctx, ipn.Options{})
-		}
-		if forceReauth {
-			s.lc.StartLoginInteractive(ctx)
-		}
-	}()
-
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			return "", err
-		}
-		if n.ErrMessage != nil {
-			msg := *n.ErrMessage
-			return "", fmt.Errorf("backend error: %v", msg)
-		}
-		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
-			return *url, nil
-		}
-	}
-}
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -1,64 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"net/url"
-	"testing"
-)
-
-func TestQnapAuthnURL(t *testing.T) {
-	query := url.Values{
-		"qtoken": []string{"token"},
-	}
-	tests := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "localhost http",
-			in:   "http://localhost:8088/",
-			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "localhost https",
-			in:   "https://localhost:5000/",
-			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP http",
-			in:   "http://10.1.20.4:80/",
-			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP6 https",
-			in:   "https://[ff7d:0:1:2::1]/",
-			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "hostname https",
-			in:   "https://qnap.example.com/",
-			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "invalid URL",
-			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "err != nil",
-			in:   "http://192.168.0.%31/",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			u := qnapAuthnURL(tt.in, query)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
-			}
-		})
-	}
-}
--- a/client/web/yarn.lock
+++ b/client/web/yarn.lock
--- a/clientupdate/clientupdate.go
+++ b/clientupdate/clientupdate.go
@@ -1,998 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package clientupdate implements tailscale client update for all supported
-// platforms. This package can be used from both tailscaled and tailscale
-// binaries.
-package clientupdate
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"runtime"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/google/uuid"
-	"tailscale.com/hostinfo"
-	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
-	"tailscale.com/util/winutil"
-	"tailscale.com/version"
-	"tailscale.com/version/distro"
-)
-
-const (
-	CurrentTrack  = ""
-	StableTrack   = "stable"
-	UnstableTrack = "unstable"
-)
-
-func versionToTrack(v string) (string, error) {
-	_, rest, ok := strings.Cut(v, ".")
-	if !ok {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	minorStr, _, ok := strings.Cut(rest, ".")
-	if !ok {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	minor, err := strconv.Atoi(minorStr)
-	if err != nil {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	if minor%2 == 0 {
-		return "stable", nil
-	}
-	return "unstable", nil
-}
-
-type updater struct {
-	UpdateArgs
-	track  string
-	update func() error
-}
-
-// UpdateArgs contains arguments needed to run an update.
-type UpdateArgs struct {
-	// Version can be a specific version number or one of the predefined track
-	// constants:
-	//
-	//   - CurrentTrack will use the latest version from the same track as the
-	//     running binary
-	//   - StableTrack and UnstableTrack will use the latest versions of the
-	//     corresponding tracks
-	//
-	// Leaving this empty is the same as using CurrentTrack.
-	Version string
-	// AppStore forces a local app store check, even if the current binary was
-	// not installed via an app store.
-	AppStore bool
-	// Logf is a logger for update progress messages.
-	Logf logger.Logf
-	// Confirm is called when a new version is available and should return true
-	// if this new version should be installed. When Confirm returns false, the
-	// update is aborted.
-	Confirm func(newVer string) bool
-}
-
-func (args UpdateArgs) validate() error {
-	if args.Confirm == nil {
-		return errors.New("missing Confirm callback in UpdateArgs")
-	}
-	if args.Logf == nil {
-		return errors.New("missing Logf callback in UpdateArgs")
-	}
-	return nil
-}
-
-// Update runs a single update attempt using the platform-specific mechanism.
-//
-// On Windows, this copies the calling binary and re-executes it to apply the
-// update. The calling binary should handle an "update" subcommand and call
-// this function again for the re-executed binary to proceed.
-func Update(args UpdateArgs) error {
-	if err := args.validate(); err != nil {
-		return err
-	}
-	up := &updater{
-		UpdateArgs: args,
-	}
-	switch up.Version {
-	case StableTrack, UnstableTrack:
-		up.track = up.Version
-	case CurrentTrack:
-		if version.IsUnstableBuild() {
-			up.track = UnstableTrack
-		} else {
-			up.track = StableTrack
-		}
-	default:
-		var err error
-		up.track, err = versionToTrack(args.Version)
-		if err != nil {
-			return err
-		}
-	}
-	switch runtime.GOOS {
-	case "windows":
-		up.update = up.updateWindows
-	case "linux":
-		switch distro.Get() {
-		case distro.Synology:
-			up.update = up.updateSynology
-		case distro.Debian: // includes Ubuntu
-			up.update = up.updateDebLike
-		case distro.Arch:
-			up.update = up.updateArchLike
-		case distro.Alpine:
-			up.update = up.updateAlpineLike
-		}
-		switch {
-		case haveExecutable("pacman"):
-			up.update = up.updateArchLike
-		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
-			// The distro.Debian switch case above should catch most apt-based
-			// systems, but add this fallback just in case.
-			up.update = up.updateDebLike
-		case haveExecutable("dnf"):
-			up.update = up.updateFedoraLike("dnf")
-		case haveExecutable("yum"):
-			up.update = up.updateFedoraLike("yum")
-		case haveExecutable("apk"):
-			up.update = up.updateAlpineLike
-		}
-	case "darwin":
-		switch {
-		case !args.AppStore && !version.IsSandboxedMacOS():
-			return errors.ErrUnsupported
-		case !args.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
-			up.update = up.updateMacSys
-		default:
-			up.update = up.updateMacAppStore
-		}
-	case "freebsd":
-		up.update = up.updateFreeBSD
-	}
-	if up.update == nil {
-		return errors.ErrUnsupported
-	}
-	return up.update()
-}
-
-func (up *updater) confirm(ver string) bool {
-	if version.Short() == ver {
-		up.Logf("already running %v; no update needed", ver)
-		return false
-	}
-	if up.Confirm != nil {
-		return up.Confirm(ver)
-	}
-	return true
-}
-
-func (up *updater) updateSynology() error {
-	if up.Version != "" {
-		return errors.New("installing a specific version on Synology is not supported")
-	}
-
-	// Get the latest version and list of SPKs from pkgs.tailscale.com.
-	osName := fmt.Sprintf("dsm%d", distro.DSMVersion())
-	arch, err := synoArch(hostinfo.New())
-	if err != nil {
-		return err
-	}
-	latest, err := latestPackages(up.track)
-	if err != nil {
-		return err
-	}
-	if latest.Version == "" {
-		return fmt.Errorf("no latest version found for %q track", up.track)
-	}
-	spkName := latest.SPKs[osName][arch]
-	if spkName == "" {
-		return fmt.Errorf("cannot find Synology package for os=%s arch=%s, please report a bug with your device model", osName, arch)
-	}
-
-	if !up.confirm(latest.Version) {
-		return nil
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	// Download the SPK into a temporary directory.
-	spkDir, err := os.MkdirTemp("", "tailscale-update")
-	if err != nil {
-		return err
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/%s", up.track, spkName)
-	spkPath := filepath.Join(spkDir, path.Base(url))
-	// TODO(awly): we should sign SPKs and validate signatures here too.
-	if err := up.downloadURLToFile(url, spkPath); err != nil {
-		return err
-	}
-
-	// Install the SPK. Run via nohup to allow install to succeed when we're
-	// connected over tailscale ssh and this parent process dies. Otherwise, if
-	// you abort synopkg install mid-way, tailscaled is not restarted.
-	cmd := exec.Command("nohup", "synopkg", "install", spkPath)
-	// Don't attach cmd.Stdout to os.Stdout because nohup will redirect that
-	// into nohup.out file. synopkg doesn't have any progress output anyway, it
-	// just spits out a JSON result when done.
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("synopkg install failed: %w\noutput:\n%s", err, out)
-	}
-	return nil
-}
-
-// synoArch returns the Synology CPU architecture matching one of the SPK
-// architectures served from pkgs.tailscale.com.
-func synoArch(hinfo *tailcfg.Hostinfo) (string, error) {
-	// Most Synology boxes just use a different arch name from GOARCH.
-	arch := map[string]string{
-		"amd64": "x86_64",
-		"386":   "i686",
-		"arm64": "armv8",
-	}[hinfo.GoArch]
-	// Here's the fun part, some older ARM boxes require you to use SPKs
-	// specifically for their CPU.
-	//
-	// See https://github.com/SynoCommunity/spksrc/wiki/Synology-and-SynoCommunity-Package-Architectures
-	// for a complete list. Here, we override GOARCH for those older boxes that
-	// support at least DSM6.
-	//
-	// This is an artisanal hand-crafted list based on the wiki page. Some
-	// values may be wrong, since we don't have all those devices to actually
-	// test with.
-	switch hinfo.DeviceModel {
-	case "DS213air", "DS213", "DS413j",
-		"DS112", "DS112+", "DS212", "DS212+", "RS212", "RS812", "DS212j", "DS112j",
-		"DS111", "DS211", "DS211+", "DS411slim", "DS411", "RS411", "DS211j", "DS411j":
-		arch = "88f6281"
-	case "NVR1218", "NVR216", "VS960HD", "VS360HD":
-		arch = "hi3535"
-	case "DS1517", "DS1817", "DS416", "DS2015xs", "DS715", "DS1515", "DS215+":
-		arch = "alpine"
-	case "DS216se", "DS115j", "DS114", "DS214se", "DS414slim", "RS214", "DS14", "EDS14", "DS213j":
-		arch = "armada370"
-	case "DS115", "DS215j":
-		arch = "armada375"
-	case "DS419slim", "DS218j", "RS217", "DS116", "DS216j", "DS216", "DS416slim", "RS816", "DS416j":
-		arch = "armada38x"
-	case "RS815", "DS214", "DS214+", "DS414", "RS814":
-		arch = "armadaxp"
-	case "DS414j":
-		arch = "comcerto2k"
-	case "DS216play":
-		arch = "monaco"
-	}
-	if arch == "" {
-		return "", fmt.Errorf("cannot determine CPU architecture for Synology model %q (Go arch %q), please report a bug at https://github.com/tailscale/tailscale/issues/new/choose", hinfo.DeviceModel, hinfo.GoArch)
-	}
-	return arch, nil
-}
-
-func (up *updater) updateDebLike() error {
-	ver, err := requestedTailscaleVersion(up.Version, up.track)
-	if err != nil {
-		return err
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
-		return err
-	} else if updated {
-		up.Logf("Updated %s to use the %s track", aptSourcesFile, up.track)
-	}
-
-	cmd := exec.Command("apt-get", "update",
-		// Only update the tailscale repo, not the other ones, treating
-		// the tailscale.list file as the main "sources.list" file.
-		"-o", "Dir::Etc::SourceList=sources.list.d/tailscale.list",
-		// Disable the "sources.list.d" directory:
-		"-o", "Dir::Etc::SourceParts=-",
-		// Don't forget about packages in the other repos just because
-		// we're not updating them:
-		"-o", "APT::Get::List-Cleanup=0",
-	)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	cmd = exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-const aptSourcesFile = "/etc/apt/sources.list.d/tailscale.list"
-
-// updateDebianAptSourcesList updates the /etc/apt/sources.list.d/tailscale.list
-// file to make sure it has the provided track (stable or unstable) in it.
-//
-// If it already has the right track (including containing both stable and
-// unstable), it does nothing.
-func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(aptSourcesFile)
-	if err != nil {
-		return false, err
-	}
-	newContent, err := updateDebianAptSourcesListBytes(was, dstTrack)
-	if err != nil {
-		return false, err
-	}
-	if bytes.Equal(was, newContent) {
-		return false, nil
-	}
-	return true, os.WriteFile(aptSourcesFile, newContent, 0644)
-}
-
-func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) {
-	trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/")
-	var buf bytes.Buffer
-	var changes int
-	bs := bufio.NewScanner(bytes.NewReader(was))
-	hadCorrect := false
-	commentLine := regexp.MustCompile(`^\s*\#`)
-	pkgsURL := regexp.MustCompile(`\bhttps://pkgs\.tailscale\.com/((un)?stable)/`)
-	for bs.Scan() {
-		line := bs.Bytes()
-		if !commentLine.Match(line) {
-			line = pkgsURL.ReplaceAllFunc(line, func(m []byte) []byte {
-				if bytes.Equal(m, trackURLPrefix) {
-					hadCorrect = true
-				} else {
-					changes++
-				}
-				return trackURLPrefix
-			})
-		}
-		buf.Write(line)
-		buf.WriteByte('\n')
-	}
-	if hadCorrect || (changes == 1 && bytes.Equal(bytes.TrimSpace(was), bytes.TrimSpace(buf.Bytes()))) {
-		// Unchanged or close enough.
-		return was, nil
-	}
-	if changes != 1 {
-		// No changes, or an unexpected number of changes (what?). Bail.
-		// They probably editted it by hand and we don't know what to do.
-		return nil, fmt.Errorf("unexpected/unsupported %s contents", aptSourcesFile)
-	}
-	return buf.Bytes(), nil
-}
-
-func (up *updater) updateArchLike() (err error) {
-	if up.Version != "" {
-		return errors.New("installing a specific version on Arch-based distros is not supported")
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf(`%w; you can try updating using "pacman --sync --refresh tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("pacman", "--sync", "--refresh", "--info", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking pacman for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver, err := parsePacmanVersion(out)
-	if err != nil {
-		return err
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	cmd := exec.Command("pacman", "--sync", "--noconfirm", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using pacman: %w", err)
-	}
-	return nil
-}
-
-func parsePacmanVersion(out []byte) (string, error) {
-	for _, line := range strings.Split(string(out), "\n") {
-		// The line we're looking for looks like this:
-		// Version         : 1.44.2-1
-		if !strings.HasPrefix(line, "Version") {
-			continue
-		}
-		parts := strings.SplitN(line, ":", 2)
-		if len(parts) != 2 {
-			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
-		}
-		ver := strings.TrimSpace(parts[1])
-		// Trim the Arch patch version.
-		ver = strings.Split(ver, "-")[0]
-		if ver == "" {
-			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
-		}
-		return ver, nil
-	}
-	return "", fmt.Errorf("could not find latest version of tailscale via pacman")
-}
-
-const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
-
-// updateFedoraLike updates tailscale on any distros in the Fedora family,
-// specifically anything that uses "dnf" or "yum" package managers. The actual
-// package manager is passed via packageManager.
-func (up *updater) updateFedoraLike(packageManager string) func() error {
-	return func() (err error) {
-		if err := requireRoot(); err != nil {
-			return err
-		}
-		defer func() {
-			if err != nil {
-				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
-			}
-		}()
-
-		ver, err := requestedTailscaleVersion(up.Version, up.track)
-		if err != nil {
-			return err
-		}
-		if !up.confirm(ver) {
-			return nil
-		}
-
-		if updated, err := updateYUMRepoTrack(yumRepoConfigFile, up.track); err != nil {
-			return err
-		} else if updated {
-			up.Logf("Updated %s to use the %s track", yumRepoConfigFile, up.track)
-		}
-
-		cmd := exec.Command(packageManager, "install", "--assumeyes", fmt.Sprintf("tailscale-%s-1", ver))
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// updateYUMRepoTrack updates the repoFile file to make sure it has the
-// provided track (stable or unstable) in it.
-func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(repoFile)
-	if err != nil {
-		return false, err
-	}
-
-	urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`)
-	urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack)
-
-	s := bufio.NewScanner(bytes.NewReader(was))
-	newContent := bytes.NewBuffer(make([]byte, 0, len(was)))
-	for s.Scan() {
-		line := s.Text()
-		// Handle repo section name, like "[tailscale-stable]".
-		if len(line) > 0 && line[0] == '[' {
-			if !strings.HasPrefix(line, "[tailscale-") {
-				return false, fmt.Errorf("%q does not look like a tailscale repo file, it contains an unexpected %q section", repoFile, line)
-			}
-			fmt.Fprintf(newContent, "[tailscale-%s]\n", dstTrack)
-			continue
-		}
-		// Update the track mentioned in repo name.
-		if strings.HasPrefix(line, "name=") {
-			fmt.Fprintf(newContent, "name=Tailscale %s\n", dstTrack)
-			continue
-		}
-		// Update the actual repo URLs.
-		if strings.HasPrefix(line, "baseurl=") || strings.HasPrefix(line, "gpgkey=") {
-			fmt.Fprintln(newContent, urlRe.ReplaceAllString(line, urlReplacement))
-			continue
-		}
-		fmt.Fprintln(newContent, line)
-	}
-	if bytes.Equal(was, newContent.Bytes()) {
-		return false, nil
-	}
-	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
-}
-
-func (up *updater) updateAlpineLike() (err error) {
-	if up.Version != "" {
-		return errors.New("installing a specific version on Alpine-based distros is not supported")
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf(`%w; you can try updating using "apk upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("apk", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh apk repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("apk", "info", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking apk for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver, err := parseAlpinePackageVersion(out)
-	if err != nil {
-		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	cmd := exec.Command("apk", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using apk: %w", err)
-	}
-	return nil
-}
-
-func parseAlpinePackageVersion(out []byte) (string, error) {
-	s := bufio.NewScanner(bytes.NewReader(out))
-	for s.Scan() {
-		// The line should look like this:
-		// tailscale-1.44.2-r0 description:
-		line := strings.TrimSpace(s.Text())
-		if !strings.HasPrefix(line, "tailscale-") {
-			continue
-		}
-		parts := strings.SplitN(line, "-", 3)
-		if len(parts) < 3 {
-			return "", fmt.Errorf("malformed info line: %q", line)
-		}
-		return parts[1], nil
-	}
-	return "", errors.New("tailscale version not found in output")
-}
-
-func (up *updater) updateMacSys() error {
-	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
-}
-
-func (up *updater) updateMacAppStore() error {
-	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
-	}
-	const on = "1\n"
-	if string(out) != on {
-		up.Logf("NOTE: Automatic updating for App Store apps is turned off. You can change this setting in System Settings (search for ‘update’).")
-	}
-
-	out, err = exec.Command("softwareupdate", "--list").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store for available updates: %w, output: %q", err, string(out))
-	}
-
-	newTailscale := parseSoftwareupdateList(out)
-	if newTailscale == "" {
-		up.Logf("no Tailscale update available")
-		return nil
-	}
-
-	newTailscaleVer := strings.TrimPrefix(newTailscale, "Tailscale-")
-	if !up.confirm(newTailscaleVer) {
-		return nil
-	}
-
-	cmd := exec.Command("sudo", "softwareupdate", "--install", newTailscale)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("can't install App Store update for Tailscale: %w", err)
-	}
-	return nil
-}
-
-var macOSAppStoreListPattern = regexp.MustCompile(`(?m)^\s+\*\s+Label:\s*(Tailscale-\d[\d\.]+)`)
-
-// parseSoftwareupdateList searches the output of `softwareupdate --list` on
-// Darwin and returns the matching Tailscale package label. If there is none,
-// returns the empty string.
-//
-// See TestParseSoftwareupdateList for example inputs.
-func parseSoftwareupdateList(stdout []byte) string {
-	matches := macOSAppStoreListPattern.FindSubmatch(stdout)
-	if len(matches) < 2 {
-		return ""
-	}
-	return string(matches[1])
-}
-
-// winMSIEnv is the environment variable that, if set, is the MSI file for the
-// update command to install. It's passed like this so we can stop the
-// tailscale.exe process from running before the msiexec process runs and tries
-// to overwrite ourselves.
-const winMSIEnv = "TS_UPDATE_WIN_MSI"
-
-var (
-	verifyAuthenticode func(string) error // or nil on non-Windows
-	markTempFileFunc   func(string) error // or nil on non-Windows
-)
-
-func (up *updater) updateWindows() error {
-	if msi := os.Getenv(winMSIEnv); msi != "" {
-		up.Logf("installing %v ...", msi)
-		if err := up.installMSI(msi); err != nil {
-			up.Logf("MSI install failed: %v", err)
-			return err
-		}
-		up.Logf("success.")
-		return nil
-	}
-	ver, err := requestedTailscaleVersion(up.Version, up.track)
-	if err != nil {
-		return err
-	}
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-
-	if !up.confirm(ver) {
-		return nil
-	}
-	if !winutil.IsCurrentProcessElevated() {
-		return errors.New("must be run as Administrator")
-	}
-
-	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
-	msiDir := filepath.Join(tsDir, "MSICache")
-	if fi, err := os.Stat(tsDir); err != nil {
-		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
-	} else if !fi.IsDir() {
-		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
-	}
-	if err := os.MkdirAll(msiDir, 0700); err != nil {
-		return err
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(url))
-	if err := up.downloadURLToFile(url, msiTarget); err != nil {
-		return err
-	}
-
-	up.Logf("verifying MSI authenticode...")
-	if err := verifyAuthenticode(msiTarget); err != nil {
-		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
-	}
-	up.Logf("authenticode verification succeeded")
-
-	up.Logf("making tailscale.exe copy to switch to...")
-	selfCopy, err := makeSelfCopy()
-	if err != nil {
-		return err
-	}
-	defer os.Remove(selfCopy)
-	up.Logf("running tailscale.exe copy for final install...")
-
-	cmd := exec.Command(selfCopy, "update")
-	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget)
-	cmd.Stdout = os.Stderr
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Once it's started, exit ourselves, so the binary is free
-	// to be replaced.
-	os.Exit(0)
-	panic("unreachable")
-}
-
-func (up *updater) installMSI(msi string) error {
-	var err error
-	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
-		cmd.Dir = filepath.Dir(msi)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		if err == nil {
-			break
-		}
-		uninstallVersion := version.Short()
-		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
-			uninstallVersion = v
-		}
-		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
-		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
-		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		up.Logf("msiexec uninstall: %v", err)
-	}
-	return err
-}
-
-func msiUUIDForVersion(ver string) string {
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	track, err := versionToTrack(ver)
-	if err != nil {
-		track = UnstableTrack
-	}
-	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
-	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
-}
-
-func makeSelfCopy() (tmpPathExe string, err error) {
-	selfExe, err := os.Executable()
-	if err != nil {
-		return "", err
-	}
-	f, err := os.Open(selfExe)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
-	if err != nil {
-		return "", err
-	}
-	if f := markTempFileFunc; f != nil {
-		if err := f(f2.Name()); err != nil {
-			return "", err
-		}
-	}
-	if _, err := io.Copy(f2, f); err != nil {
-		f2.Close()
-		return "", err
-	}
-	return f2.Name(), f2.Close()
-}
-
-func (up *updater) downloadURLToFile(urlSrc, fileDst string) (ret error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	c := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
-
-	res, err := c.Do(headReq)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
-	}
-	up.Logf("Download size: %v", res.ContentLength)
-
-	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
-	hashRes, err := c.Do(hashReq)
-	if err != nil {
-		return err
-	}
-	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
-	hashRes.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
-	}
-	if err != nil {
-		return err
-	}
-	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
-	if err != nil {
-		return err
-	}
-	hash := sha256.New()
-
-	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
-	dlRes, err := c.Do(dlReq)
-	if err != nil {
-		return err
-	}
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
-	}
-
-	of, err := os.Create(fileDst)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if ret != nil {
-			of.Close()
-			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
-		}
-	}()
-	pw := &progressWriter{total: res.ContentLength, logf: up.Logf}
-	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
-	if err != nil {
-		return err
-	}
-	if n != res.ContentLength {
-		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
-	}
-	if err := of.Close(); err != nil {
-		return err
-	}
-	pw.print()
-
-	if !bytes.Equal(hash.Sum(nil), wantHash) {
-		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
-	}
-	up.Logf("hash matched")
-
-	return nil
-}
-
-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-	logf      logger.Logf
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
-}
-
-func (up *updater) updateFreeBSD() (err error) {
-	if up.Version != "" {
-		return errors.New("installing a specific version on FreeBSD is not supported")
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf(`%w; you can try updating using "pkg upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("pkg", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh pkg repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("pkg", "rquery", "%v", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking pkg for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver := string(bytes.TrimSpace(out))
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	cmd := exec.Command("pkg", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using pkg: %w", err)
-	}
-	return nil
-}
-
-func haveExecutable(name string) bool {
-	path, err := exec.LookPath(name)
-	return err == nil && path != ""
-}
-
-func requestedTailscaleVersion(ver, track string) (string, error) {
-	if ver != "" {
-		return ver, nil
-	}
-	return LatestTailscaleVersion(track)
-}
-
-// LatestTailscaleVersion returns the latest released version for the given
-// track from pkgs.tailscale.com.
-func LatestTailscaleVersion(track string) (string, error) {
-	if track == CurrentTrack {
-		if version.IsUnstableBuild() {
-			track = UnstableTrack
-		} else {
-			track = StableTrack
-		}
-	}
-
-	latest, err := latestPackages(track)
-	if err != nil {
-		return "", err
-	}
-	if latest.Version == "" {
-		return "", fmt.Errorf("no latest version found for %q track", track)
-	}
-	return latest.Version, nil
-}
-
-type trackPackages struct {
-	Version  string
-	Tarballs map[string]string
-	Exes     []string
-	MSIs     map[string]string
-	MacZips  map[string]string
-	SPKs     map[string]map[string]string
-}
-
-func latestPackages(track string) (*trackPackages, error) {
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS)
-	res, err := http.Get(url)
-	if err != nil {
-		return nil, fmt.Errorf("fetching latest tailscale version: %w", err)
-	}
-	defer res.Body.Close()
-	var latest trackPackages
-	if err := json.NewDecoder(res.Body).Decode(&latest); err != nil {
-		return nil, fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
-	}
-	return &latest, nil
-}
-
-func requireRoot() error {
-	if os.Geteuid() == 0 {
-		return nil
-	}
-	switch runtime.GOOS {
-	case "linux":
-		return errors.New("must be root; use sudo")
-	case "freebsd", "openbsd":
-		return errors.New("must be root; use doas")
-	default:
-		return errors.New("must be root")
-	}
-}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -47,7 +47,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter+
+        go4.org/netipx                                               from tailscale.com/wgengine/filter
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
@@ -116,7 +116,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/derp+
-        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
--- a/cmd/derper/mesh.go
+++ b/cmd/derper/mesh.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"log"
 	"net"
-	"net/netip"
 	"strings"
 	"time"

@@ -68,7 +67,7 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return d.DialContext(ctx, network, addr)
 	})

-	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
+	add := func(k key.NodePublic) { s.AddPacketForwarder(k, c) }
 	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
 	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
 	return nil
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -19,10 +19,10 @@ import (

 var synologyPackageCenter bool

-func getTargets(signers unixpkgs.Signers) ([]dist.Target, error) {
+func getTargets() ([]dist.Target, error) {
 	var ret []dist.Target

-	ret = append(ret, unixpkgs.Targets(signers)...)
+	ret = append(ret, unixpkgs.Targets()...)
 	// Synology packages can be built either for sideloading, or for
 	// distribution by Synology in their package center. When
 	// distributed through the package center, apps can request
--- a/cmd/mkpkg/main.go
+++ b/cmd/mkpkg/main.go
@@ -11,40 +11,35 @@ import (
 	"os"
 	"strings"

-	"github.com/goreleaser/nfpm/v2"
-	_ "github.com/goreleaser/nfpm/v2/deb"
-	"github.com/goreleaser/nfpm/v2/files"
-	_ "github.com/goreleaser/nfpm/v2/rpm"
+	"github.com/goreleaser/nfpm"
+	_ "github.com/goreleaser/nfpm/deb"
+	_ "github.com/goreleaser/nfpm/rpm"
 )

 // parseFiles parses a comma-separated list of colon-separated pairs
-// into files.Contents format.
-func parseFiles(s string, typ string) (files.Contents, error) {
+// into a map of filePathOnDisk -> filePathInPackage.
+func parseFiles(s string) (map[string]string, error) {
+	ret := map[string]string{}
 	if len(s) == 0 {
-		return nil, nil
+		return ret, nil
 	}
-	var contents files.Contents
 	for _, f := range strings.Split(s, ",") {
 		fs := strings.Split(f, ":")
 		if len(fs) != 2 {
 			return nil, fmt.Errorf("unparseable file field %q", f)
 		}
-		contents = append(contents, &files.Content{Type: files.TypeFile, Source: fs[0], Destination: fs[1]})
+		ret[fs[0]] = fs[1]
 	}
-	return contents, nil
+	return ret, nil
 }

-func parseEmptyDirs(s string) files.Contents {
+func parseEmptyDirs(s string) []string {
 	// strings.Split("", ",") would return []string{""}, which is not suitable:
 	// this would create an empty dir record with path "", breaking the package
 	if s == "" {
 		return nil
 	}
-	var contents files.Contents
-	for _, d := range strings.Split(s, ",") {
-		contents = append(contents, &files.Content{Type: files.TypeDir, Destination: d})
-	}
-	return contents
+	return strings.Split(s, ",")
 }

 func main() {
@@ -53,7 +48,7 @@ func main() {
 	description := flag.String("description", "The easiest, most secure, cross platform way to use WireGuard + oauth2 + 2FA/SSO", "package description")
 	goarch := flag.String("arch", "amd64", "GOARCH this package is for")
 	pkgType := flag.String("type", "deb", "type of package to build (deb or rpm)")
-	regularFiles := flag.String("files", "", "comma-separated list of files in src:dst form")
+	files := flag.String("files", "", "comma-separated list of files in src:dst form")
 	configFiles := flag.String("configs", "", "like --files, but for files marked as user-editable config files")
 	emptyDirs := flag.String("emptydirs", "", "comma-separated list of empty directories")
 	version := flag.String("version", "0.0.0", "version of the package")
@@ -65,20 +60,15 @@ func main() {
 	recommends := flag.String("recommends", "", "comma-separated list of packages this package recommends")
 	flag.Parse()

-	filesList, err := parseFiles(*regularFiles, files.TypeFile)
+	filesMap, err := parseFiles(*files)
 	if err != nil {
 		log.Fatalf("Parsing --files: %v", err)
 	}
-	configsList, err := parseFiles(*configFiles, files.TypeConfig)
+	configsMap, err := parseFiles(*configFiles)
 	if err != nil {
 		log.Fatalf("Parsing --configs: %v", err)
 	}
 	emptyDirList := parseEmptyDirs(*emptyDirs)
-	contents := append(filesList, append(configsList, emptyDirList...)...)
-	contents, err = files.PrepareForPackager(contents, 0, *pkgType, false)
-	if err != nil {
-		log.Fatalf("Building package contents: %v", err)
-	}
 	info := nfpm.WithDefaults(&nfpm.Info{
 		Name:        *name,
 		Arch:        *goarch,
@@ -89,7 +79,9 @@ func main() {
 		Homepage:    "https://www.tailscale.com",
 		License:     "MIT",
 		Overridables: nfpm.Overridables{
-			Contents: contents,
+			EmptyFolders: emptyDirList,
+			Files:        filesMap,
+			ConfigFiles:  configsMap,
 			Scripts: nfpm.Scripts{
 				PostInstall: *postinst,
 				PreRemove:   *prerm,
--- a/cmd/netlogfmt/main.go
+++ b/cmd/netlogfmt/main.go
@@ -45,7 +45,6 @@ import (
 	"golang.org/x/exp/slices"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/netlogtype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/must"
 )

@@ -152,10 +151,10 @@ func printMessage(msg message) {
 		if len(traffic) == 0 {
 			return
 		}
-		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) int {
+		slices.SortFunc(traffic, func(x, y netlogtype.ConnectionCounts) bool {
 			nx := x.TxPackets + x.TxBytes + x.RxPackets + x.RxBytes
 			ny := y.TxPackets + y.TxBytes + y.RxPackets + y.RxBytes
-			return cmpx.Compare(ny, nx)
+			return nx > ny
 		})
 		var sum netlogtype.Counts
 		for _, cc := range traffic {
--- a/cmd/sniproxy/sniproxy.go
+++ b/cmd/sniproxy/sniproxy.go
@@ -22,7 +22,6 @@ import (
 	"tailscale.com/net/netutil"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/nettype"
-	"tailscale.com/util/clientmetric"
 )

 var (
@@ -33,14 +32,6 @@ var (

 var tsMBox = dnsmessage.MustNewName("support.tailscale.com.")

-var (
-	numSessions    = clientmetric.NewCounter("sniproxy_sessions")
-	numBadAddrPort = clientmetric.NewCounter("sniproxy_bad_addrport")
-	dnsResponses   = clientmetric.NewCounter("sniproxy_dns_responses")
-	dnsFailures    = clientmetric.NewCounter("sniproxy_dns_failed")
-	httpPromoted   = clientmetric.NewCounter("sniproxy_http_promoted")
-)
-
 func main() {
 	flag.Parse()
 	if *ports == "" {
@@ -118,7 +109,6 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	n, err := c.Read(buf)
 	if err != nil {
 		log.Printf("c.Read failed: %v\n ", err)
-		dnsFailures.Add(1)
 		return
 	}

@@ -126,25 +116,20 @@ func (s *server) serveDNSConn(c nettype.ConnPacketConn) {
 	err = msg.Unpack(buf[:n])
 	if err != nil {
 		log.Printf("dnsmessage unpack failed: %v\n ", err)
-		dnsFailures.Add(1)
 		return
 	}

 	buf, err = s.dnsResponse(&msg)
 	if err != nil {
 		log.Printf("s.dnsResponse failed: %v\n", err)
-		dnsFailures.Add(1)
 		return
 	}

 	_, err = c.Write(buf)
 	if err != nil {
 		log.Printf("c.Write failed: %v\n", err)
-		dnsFailures.Add(1)
 		return
 	}
-
-	dnsResponses.Add(1)
 }

 func (s *server) serveConn(c net.Conn) {
@@ -152,7 +137,6 @@ func (s *server) serveConn(c net.Conn) {
 	_, port, err := net.SplitHostPort(addrPortStr)
 	if err != nil {
 		log.Printf("bogus addrPort %q", addrPortStr)
-		numBadAddrPort.Add(1)
 		c.Close()
 		return
 	}
@@ -165,7 +149,6 @@ func (s *server) serveConn(c net.Conn) {
 		return netutil.NewOneConnListener(c, nil), nil
 	}
 	p.AddSNIRouteFunc(addrPortStr, func(ctx context.Context, sniName string) (t tcpproxy.Target, ok bool) {
-		numSessions.Add(1)
 		return &tcpproxy.DialProxy{
 			Addr:        net.JoinHostPort(sniName, port),
 			DialContext: dialer.DialContext,
@@ -235,7 +218,6 @@ func (s *server) dnsResponse(req *dnsmessage.Message) (buf []byte, err error) {

 func (s *server) promoteHTTPS(ln net.Listener) {
 	err := http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		httpPromoted.Add(1)
 		http.Redirect(w, r, "https://"+r.Host+r.RequestURI, http.StatusFound)
 	}))
 	log.Fatalf("promoteHTTPS http.Serve: %v", err)
--- a/cmd/tailscale/cli/auth-redirect.html
+++ b/cmd/tailscale/cli/auth-redirect.html
--- a/cmd/tailscale/cli/authenticode_windows.go
+++ b/cmd/tailscale/cli/authenticode_windows.go
@@ -0,0 +1,38 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019-2022 WireGuard LLC. All Rights Reserved.
+ */
+
+package cli
+
+import (
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+)
+
+func init() {
+	verifyAuthenticode = verifyAuthenticodeWindows
+}
+
+func verifyAuthenticodeWindows(path string) error {
+	path16, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return err
+	}
+	data := &windows.WinTrustData{
+		Size:             uint32(unsafe.Sizeof(windows.WinTrustData{})),
+		UIChoice:         windows.WTD_UI_NONE,
+		RevocationChecks: windows.WTD_REVOKE_WHOLECHAIN, // Full revocation checking, as this is called with network connectivity.
+		UnionChoice:      windows.WTD_CHOICE_FILE,
+		StateAction:      windows.WTD_STATEACTION_VERIFY,
+		FileOrCatalogOrBlobOrSgnrOrCert: unsafe.Pointer(&windows.WinTrustFileInfo{
+			Size:     uint32(unsafe.Sizeof(windows.WinTrustFileInfo{})),
+			FilePath: path16,
+		}),
+	}
+	err = windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+	data.StateAction = windows.WTD_STATEACTION_CLOSE
+	windows.WinVerifyTrustEx(windows.InvalidHWND, &windows.WINTRUST_ACTION_GENERIC_VERIFY_V2, data)
+	return err
+}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -18,7 +18,6 @@ import (
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
@@ -835,7 +834,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
 			},
 			env: upCheckEnv{
 				backendState: "Stopped",
@@ -847,7 +846,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
 			},
 			env:            upCheckEnv{backendState: "Running"},
 			wantSimpleUp:   true,
@@ -858,7 +857,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--reset"},
 			curPrefs: &ipn.Prefs{
 				ControlURL: ipn.DefaultControlURL,
-				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
 			},
 			env: upCheckEnv{backendState: "Running"},
 			wantJustEditMP: &ipn.MaskedPrefs{
@@ -885,7 +884,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{},
 			curPrefs: &ipn.Prefs{
 				ControlURL: "https://login.tailscale.com",
-				Persist:    &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:    &persist.Persist{LoginName: "crawshaw.github"},
 			},
 			env:            upCheckEnv{backendState: "Running"},
 			wantSimpleUp:   true,
@@ -896,7 +895,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--login-server=https://localhost:1000"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -911,7 +910,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--advertise-tags=tag:foo"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -945,7 +944,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--ssh"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -966,7 +965,7 @@ func TestUpdatePrefs(t *testing.T) {
 			flags: []string{"--ssh=false"},
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				RunSSH:           true,
@@ -991,7 +990,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1015,7 +1014,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1038,7 +1037,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				NetfilterMode:    preftype.NetfilterOn,
@@ -1060,7 +1059,7 @@ func TestUpdatePrefs(t *testing.T) {
 			sshOverTailscale: true,
 			curPrefs: &ipn.Prefs{
 				ControlURL:       "https://login.tailscale.com",
-				Persist:          &persist.Persist{UserProfile: tailcfg.UserProfile{LoginName: "crawshaw.github"}},
+				Persist:          &persist.Persist{LoginName: "crawshaw.github"},
 				AllowSingleHosts: true,
 				CorpDNS:          true,
 				RunSSH:           true,
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -127,16 +127,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      localAPIAction("rebind"),
 			ShortHelp: "force a magicsock rebind",
 		},
-		{
-			Name:      "break-tcp-conns",
-			Exec:      localAPIAction("break-tcp-conns"),
-			ShortHelp: "break any open TCP connections from the daemon",
-		},
-		{
-			Name:      "break-derp-conns",
-			Exec:      localAPIAction("break-derp-conns"),
-			ShortHelp: "break any open DERP connections from the daemon",
-		},
 		{
 			Name:      "prefs",
 			Exec:      runPrefs,
--- a/cmd/tailscale/cli/exitnode.go
+++ b/cmd/tailscale/cli/exitnode.go
@@ -18,7 +18,6 @@ import (
 	"golang.org/x/exp/slices"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/cmpx"
 )

 var exitNodeCmd = &ffcli.Command{
@@ -66,7 +65,7 @@ func runExitNodeList(ctx context.Context, args []string) error {
 	var peers []*ipnstate.PeerStatus
 	for _, ps := range st.Peer {
 		if !ps.ExitNodeOption {
-			// We only show exit nodes under the exit-node subcommand.
+			// We only show location based exit nodes.
 			continue
 		}

@@ -228,21 +227,19 @@ func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string)
 // sortPeersByPriority sorts a slice of PeerStatus
 // by location.Priority, in order of highest priority.
 func sortPeersByPriority(peers []*ipnstate.PeerStatus) {
-	slices.SortStableFunc(peers, func(a, b *ipnstate.PeerStatus) int {
-		return cmpx.Compare(b.Location.Priority, a.Location.Priority)
-	})
+	slices.SortFunc(peers, func(a, b *ipnstate.PeerStatus) bool { return a.Location.Priority > b.Location.Priority })
 }

 // sortByCityName sorts a slice of filteredCity alphabetically
 // by name. The '-' used to indicate no location data will always
 // be sorted to the front of the slice.
 func sortByCityName(cities []*filteredCity) {
-	slices.SortStableFunc(cities, func(a, b *filteredCity) int { return strings.Compare(a.Name, b.Name) })
+	slices.SortFunc(cities, func(a, b *filteredCity) bool { return a.Name < b.Name })
 }

 // sortByCountryName sorts a slice of filteredCountry alphabetically
 // by name. The '-' used to indicate no location data will always
 // be sorted to the front of the slice.
 func sortByCountryName(countries []*filteredCountry) {
-	slices.SortStableFunc(countries, func(a, b *filteredCountry) int { return strings.Compare(a.Name, b.Name) })
+	slices.SortFunc(countries, func(a, b *filteredCountry) bool { return a.Name < b.Name })
 }
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -13,10 +13,7 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
 	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 )

@@ -94,15 +91,9 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 	}
 	port := uint16(port64)

-	if on {
-		// Don't block from turning off existing Funnel if
-		// network configuration/capabilities have changed.
-		// Only block from starting new Funnels.
-		if err := e.verifyFunnelEnabled(ctx, st, port); err != nil {
-			return err
-		}
+	if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
+		return err
 	}
-
 	dnsName := strings.TrimSuffix(st.Self.DNSName, ".")
 	hp := ipn.HostPort(dnsName + ":" + strconv.Itoa(int(port)))
 	if on == sc.AllowFunnel[hp] {
@@ -126,49 +117,6 @@ func (e *serveEnv) runFunnel(ctx context.Context, args []string) error {
 	return nil
 }

-// verifyFunnelEnabled verifies that the self node is allowed to use Funnel.
-//
-// If Funnel is not yet enabled by the current node capabilities,
-// the user is sent through an interactive flow to enable the feature.
-// Once enabled, verifyFunnelEnabled checks that the given port is allowed
-// with Funnel.
-//
-// If an error is reported, the CLI should stop execution and return the error.
-//
-// verifyFunnelEnabled may refresh the local state and modify the st input.
-func (e *serveEnv) verifyFunnelEnabled(ctx context.Context, st *ipnstate.Status, port uint16) error {
-	hasFunnelAttrs := func(attrs []string) bool {
-		hasHTTPS := slices.Contains(attrs, tailcfg.CapabilityHTTPS)
-		hasFunnel := slices.Contains(attrs, tailcfg.NodeAttrFunnel)
-		return hasHTTPS && hasFunnel
-	}
-	if hasFunnelAttrs(st.Self.Capabilities) {
-		return nil // already enabled
-	}
-	enableErr := e.enableFeatureInteractive(ctx, "funnel", hasFunnelAttrs)
-	st, statusErr := e.getLocalClientStatus(ctx) // get updated status; interactive flow may block
-	switch {
-	case statusErr != nil:
-		return fmt.Errorf("getting client status: %w", statusErr)
-	case enableErr != nil:
-		// enableFeatureInteractive is a new flow behind a control server
-		// feature flag. If anything caused it to error, fallback to using
-		// the old CheckFunnelAccess call. Likely this domain does not have
-		// the feature flag on.
-		// TODO(sonia,tailscale/corp#10577): Remove this fallback once the
-		// control flag is turned on for all domains.
-		if err := ipn.CheckFunnelAccess(port, st.Self.Capabilities); err != nil {
-			return err
-		}
-	default:
-		// Done with enablement, make sure the requested port is allowed.
-		if err := ipn.CheckFunnelPort(port, st.Self.Capabilities); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
 // printFunnelWarning prints a warning if the Funnel is on but there is no serve
 // config for its host:port.
 func printFunnelWarning(sc *ipn.ServeConfig) {
@@ -181,7 +129,7 @@ func printFunnelWarning(sc *ipn.ServeConfig) {
 		p, _ := strconv.ParseUint(portStr, 10, 16)
 		if _, ok := sc.TCP[uint16(p)]; !ok {
 			warn = true
-			fmt.Fprintf(os.Stderr, "\nWarning: funnel=on for %s, but no serve config\n", hp)
+			fmt.Fprintf(os.Stderr, "Warning: funnel=on for %s, but no serve config\n", hp)
 		}
 	}
 	if warn {
--- a/cmd/tailscale/cli/licenses.go
+++ b/cmd/tailscale/cli/licenses.go
@@ -5,9 +5,9 @@ package cli

 import (
 	"context"
+	"runtime"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/licenses"
 )

 var licensesCmd = &ffcli.Command{
@@ -18,13 +18,27 @@ var licensesCmd = &ffcli.Command{
 	Exec:       runLicenses,
 }

+// licensesURL returns the absolute URL containing open source license information for the current platform.
+func licensesURL() string {
+	switch runtime.GOOS {
+	case "android":
+		return "https://tailscale.com/licenses/android"
+	case "darwin", "ios":
+		return "https://tailscale.com/licenses/apple"
+	case "windows":
+		return "https://tailscale.com/licenses/windows"
+	default:
+		return "https://tailscale.com/licenses/tailscale"
+	}
+}
+
 func runLicenses(ctx context.Context, args []string) error {
-	url := licenses.LicensesURL()
+	licenses := licensesURL()
 	outln(`
 Tailscale wouldn't be possible without the contributions of thousands of open
 source developers. To see the open source packages included in Tailscale and
 their respective license information, visit:

-    ` + url)
+    ` + licenses)
 	return nil
 }
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -52,6 +52,7 @@ func runNetcheck(ctx context.Context, args []string) error {
 		return err
 	}
 	c := &netcheck.Client{
+		UDPBindAddr: envknob.String("TS_DEBUG_NETCHECK_UDP_BIND"),
 		PortMapper:  portmapper.NewClient(logf, netMon, nil, nil),
 		UseDNSCache: false, // always resolve, don't cache
 	}
@@ -66,10 +67,6 @@ func runNetcheck(ctx context.Context, args []string) error {
 		fmt.Fprintln(Stderr, "# Warning: this JSON format is not yet considered a stable interface")
 	}

-	if err := c.Standalone(ctx, envknob.String("TS_DEBUG_NETCHECK_UDP_BIND")); err != nil {
-		fmt.Fprintln(Stderr, "netcheck: UDP test failure:", err)
-	}
-
 	dm, err := localClient.CurrentDERPMap(ctx)
 	noRegions := dm != nil && len(dm.Regions) == 0
 	if noRegions {
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -23,7 +23,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
-	"tailscale.com/types/tkatype"
 )

 var netlockCmd = &ffcli.Command{
@@ -41,7 +40,6 @@ var netlockCmd = &ffcli.Command{
 		nlDisablementKDFCmd,
 		nlLogCmd,
 		nlLocalDisableCmd,
-		nlRevokeKeysCmd,
 	},
 	Exec: runNetworkLockNoSubcommand,
 }
@@ -713,114 +711,3 @@ func wrapAuthKey(ctx context.Context, keyStr string, status *ipnstate.Status) er
 	fmt.Println(wrapped)
 	return nil
 }
-
-var nlRevokeKeysArgs struct {
-	cosign   bool
-	finish   bool
-	forkFrom string
-}
-
-var nlRevokeKeysCmd = &ffcli.Command{
-	Name:       "revoke-keys",
-	ShortUsage: "revoke-keys <tailnet-lock-key>...\n  revoke-keys [--cosign] [--finish] <recovery-blob>",
-	ShortHelp:  "Revoke compromised tailnet-lock keys",
-	LongHelp: `Retroactively revoke the specified tailnet lock keys (tlpub:abc).
-
-Revoked keys are prevented from being used in the future. Any nodes previously signed
-by revoked keys lose their authorization and must be signed again.
-
-Revocation is a multi-step process that requires several signing nodes to ` + "`--cosign`" + ` the revocation. Use ` + "`tailscale lock remove`" + ` instead if the key has not been compromised.
-
-1. To start, run ` + "`tailscale revoke-keys <tlpub-keys>`" + ` with the tailnet lock keys to revoke.
-2. Re-run the ` + "`--cosign`" + ` command output by ` + "`revoke-keys`" + ` on other signing nodes. Use the
-   most recent command output on the next signing node in sequence.
-3. Once the number of ` + "`--cosign`" + `s is greater than the number of keys being revoked,
-   run the command one final time with ` + "`--finish`" + ` instead of ` + "`--cosign`" + `.`,
-	Exec: runNetworkLockRevokeKeys,
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("lock revoke-keys")
-		fs.BoolVar(&nlRevokeKeysArgs.cosign, "cosign", false, "continue generating the recovery using the tailnet lock key on this device and the provided recovery blob")
-		fs.BoolVar(&nlRevokeKeysArgs.finish, "finish", false, "finish the recovery process by transmitting the revocation")
-		fs.StringVar(&nlRevokeKeysArgs.forkFrom, "fork-from", "", "parent AUM hash to rewrite from (advanced users only)")
-		return fs
-	})(),
-}
-
-func runNetworkLockRevokeKeys(ctx context.Context, args []string) error {
-	// First step in the process
-	if !nlRevokeKeysArgs.cosign && !nlRevokeKeysArgs.finish {
-		removeKeys, _, err := parseNLArgs(args, true, false)
-		if err != nil {
-			return err
-		}
-
-		keyIDs := make([]tkatype.KeyID, len(removeKeys))
-		for i, k := range removeKeys {
-			keyIDs[i], err = k.ID()
-			if err != nil {
-				return fmt.Errorf("generating keyID: %v", err)
-			}
-		}
-
-		var forkFrom tka.AUMHash
-		if nlRevokeKeysArgs.forkFrom != "" {
-			if len(nlRevokeKeysArgs.forkFrom) == (len(forkFrom) * 2) {
-				// Hex-encoded: like the output of the lock log command.
-				b, err := hex.DecodeString(nlRevokeKeysArgs.forkFrom)
-				if err != nil {
-					return fmt.Errorf("invalid fork-from hash: %v", err)
-				}
-				copy(forkFrom[:], b)
-			} else {
-				if err := forkFrom.UnmarshalText([]byte(nlRevokeKeysArgs.forkFrom)); err != nil {
-					return fmt.Errorf("invalid fork-from hash: %v", err)
-				}
-			}
-		}
-
-		aumBytes, err := localClient.NetworkLockGenRecoveryAUM(ctx, keyIDs, forkFrom)
-		if err != nil {
-			return fmt.Errorf("generation of recovery AUM failed: %w", err)
-		}
-
-		fmt.Printf(`Run the following command on another machine with a trusted tailnet lock key:
-	%s lock recover-compromised-key --cosign %X
-`, os.Args[0], aumBytes)
-		return nil
-	}
-
-	// If we got this far, we need to co-sign the AUM and/or transmit it for distribution.
-	b, err := hex.DecodeString(args[0])
-	if err != nil {
-		return fmt.Errorf("parsing hex: %v", err)
-	}
-	var recoveryAUM tka.AUM
-	if err := recoveryAUM.Unserialize(b); err != nil {
-		return fmt.Errorf("decoding recovery AUM: %v", err)
-	}
-
-	if nlRevokeKeysArgs.cosign {
-		aumBytes, err := localClient.NetworkLockCosignRecoveryAUM(ctx, recoveryAUM)
-		if err != nil {
-			return fmt.Errorf("co-signing recovery AUM failed: %w", err)
-		}
-
-		fmt.Printf(`Co-signing completed successfully.
-
-To accumulate an additional signature, run the following command on another machine with a trusted tailnet lock key:
-	%s lock recover-compromised-key --cosign %X
-
-Alternatively if you are done with co-signing, complete recovery by running the following command:
-	%s lock recover-compromised-key --finish %X
-`, os.Args[0], aumBytes, os.Args[0], aumBytes)
-	}
-
-	if nlRevokeKeysArgs.finish {
-		if err := localClient.NetworkLockSubmitRecoveryAUM(ctx, recoveryAUM); err != nil {
-			return fmt.Errorf("submitting recovery AUM failed: %w", err)
-		}
-		fmt.Println("Recovery completed.")
-	}
-
-	return nil
-}
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -16,7 +16,6 @@ import (
 	"time"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
 )
@@ -54,7 +53,7 @@ relay node.
 		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
 		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send. 0 for infinity.")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
-		fs.IntVar(&pingArgs.size, "size", 0, "size of the ping message (disco pings only). 0 for minimum size.")
+		fs.IntVar(&pingArgs.size, "size", 0, "send a packet with this many bytes in the payload (disco pings only). 0 for minimum size.")
 		return fs
 	})(),
 }
@@ -118,7 +117,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.PingWithOpts(ctx, netip.MustParseAddr(ip), pingType(), tailscale.PingOpts{Size: pingArgs.size})
+		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType(), pingArgs.size)
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {
@@ -159,6 +158,9 @@ func runPing(ctx context.Context, args []string) error {
 		if pr.PeerAPIPort != 0 {
 			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
 		}
+		if pr.Size != 0 {
+			extra = fmt.Sprintf(", %d bytes", pr.Size)
+		}
 		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
 		if pingArgs.tsmp || pingArgs.icmp {
 			return nil
--- a/cmd/tailscale/cli/risks.go
+++ b/cmd/tailscale/cli/risks.go
@@ -12,8 +12,6 @@ import (
 	"strings"
 	"syscall"
 	"time"
-
-	"tailscale.com/util/testenv"
 )

 var (
@@ -58,7 +56,7 @@ func presentRiskToUser(riskType, riskMessage, acceptedRisks string) error {
 	if isRiskAccepted(riskType, acceptedRisks) {
 		return nil
 	}
-	if testenv.InTest() {
+	if inTest() {
 		return errAborted
 	}
 	outln(riskMessage)
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -10,7 +10,6 @@ import (
 	"flag"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/url"
 	"os"
@@ -23,11 +22,8 @@ import (
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/slices"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
 	"tailscale.com/util/mak"
 	"tailscale.com/version"
 )
@@ -132,9 +128,6 @@ type localServeClient interface {
 	Status(context.Context) (*ipnstate.Status, error)
 	GetServeConfig(context.Context) (*ipn.ServeConfig, error)
 	SetServeConfig(context.Context, *ipn.ServeConfig) error
-	QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error)
-	WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*tailscale.IPNBusWatcher, error)
-	IncrementCounter(ctx context.Context, name string, delta int) error
 }

 // serveEnv is the environment the serve command runs within. All I/O should be
@@ -234,21 +227,6 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return flag.ErrHelp
 	}

-	if srcType == "https" && !turnOff {
-		// Running serve with https requires that the tailnet has enabled
-		// https cert provisioning. Send users through an interactive flow
-		// to enable this if not already done.
-		//
-		// TODO(sonia,tailscale/corp#10577): The interactive feature flow
-		// is behind a control flag. If the tailnet doesn't have the flag
-		// on, enableFeatureInteractive will error. For now, we hide that
-		// error and maintain the previous behavior (prior to 2023-08-15)
-		// of letting them edit the serve config before enabling certs.
-		e.enableFeatureInteractive(ctx, "serve", func(caps []string) bool {
-			return slices.Contains(caps, tailcfg.CapabilityHTTPS)
-		})
-	}
-
 	srcPort, err := parseServePort(srcPortStr)
 	if err != nil {
 		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
@@ -786,75 +764,3 @@ func parseServePort(s string) (uint16, error) {
 	}
 	return uint16(p), nil
 }
-
-// enableFeatureInteractive sends the node's user through an interactive
-// flow to enable a feature, such as Funnel, on their tailnet.
-//
-// hasRequiredCapabilities should be provided as a function that checks
-// whether a slice of node capabilities encloses the necessary values
-// needed to use the feature.
-//
-// If err is returned empty, the feature has been successfully enabled.
-//
-// If err is returned non-empty, the client failed to query the control
-// server for information about how to enable the feature.
-//
-// If the feature cannot be enabled, enableFeatureInteractive terminates
-// the CLI process.
-//
-// 2023-08-09: The only valid feature values are "serve" and "funnel".
-// This can be moved to some CLI lib when expanded past serve/funnel.
-func (e *serveEnv) enableFeatureInteractive(ctx context.Context, feature string, hasRequiredCapabilities func(caps []string) bool) (err error) {
-	info, err := e.lc.QueryFeature(ctx, feature)
-	if err != nil {
-		return err
-	}
-	if info.Complete {
-		return nil // already enabled
-	}
-	if info.Text != "" {
-		fmt.Fprintln(os.Stdout, "\n"+info.Text)
-	}
-	if info.URL != "" {
-		fmt.Fprintln(os.Stdout, "\n         "+info.URL+"\n")
-	}
-	if !info.ShouldWait {
-		e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_not_awaiting_enablement", feature), 1)
-		// The feature has not been enabled yet,
-		// but the CLI should not block on user action.
-		// Once info.Text is printed, exit the CLI.
-		os.Exit(0)
-	}
-	e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_awaiting_enablement", feature), 1)
-	// Block until feature is enabled.
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := e.lc.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		// If we fail to connect to the IPN notification bus,
-		// don't block. We still present the URL in the CLI,
-		// then close the process. Swallow the error.
-		log.Fatalf("lost connection to tailscaled: %v", err)
-		e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enablement_lost_connection", feature), 1)
-		return err
-	}
-	defer watcher.Close()
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			// Stop blocking if we error.
-			// Let the user finish enablement then rerun their
-			// command themselves.
-			log.Fatalf("lost connection to tailscaled: %v", err)
-			e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enablement_lost_connection", feature), 1)
-			return err
-		}
-		if nm := n.NetMap; nm != nil && nm.SelfNode != nil {
-			if hasRequiredCapabilities(nm.SelfNode.Capabilities) {
-				e.lc.IncrementCounter(ctx, fmt.Sprintf("%s_enabled", feature), 1)
-				fmt.Fprintln(os.Stdout, "Success.")
-				return nil
-			}
-		}
-	}
-}
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -6,7 +6,6 @@ package cli
 import (
 	"bytes"
 	"context"
-	"errors"
 	"flag"
 	"fmt"
 	"os"
@@ -17,7 +16,6 @@ import (
 	"testing"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
@@ -747,105 +745,14 @@ func TestServeConfigMutations(t *testing.T) {
 	}
 }

-func TestVerifyFunnelEnabled(t *testing.T) {
-	lc := &fakeLocalServeClient{}
-	var stdout bytes.Buffer
-	var flagOut bytes.Buffer
-	e := &serveEnv{
-		lc:          lc,
-		testFlagOut: &flagOut,
-		testStdout:  &stdout,
-	}
-
-	tests := []struct {
-		name string
-		// queryFeatureResponse is the mock response desired from the
-		// call made to lc.QueryFeature by verifyFunnelEnabled.
-		queryFeatureResponse mockQueryFeatureResponse
-		caps                 []string // optionally set at fakeStatus.Capabilities
-		wantErr              string
-		wantPanic            string
-	}{
-		{
-			name:                 "enabled",
-			queryFeatureResponse: mockQueryFeatureResponse{resp: &tailcfg.QueryFeatureResponse{Complete: true}, err: nil},
-			wantErr:              "", // no error, success
-		},
-		{
-			name:                 "fallback-to-non-interactive-flow",
-			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
-			wantErr:              "Funnel not available; HTTPS must be enabled. See https://tailscale.com/s/https.",
-		},
-		{
-			name:                 "fallback-flow-missing-acl-rule",
-			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
-			caps:                 []string{tailcfg.CapabilityHTTPS},
-			wantErr:              `Funnel not available; "funnel" node attribute not set. See https://tailscale.com/s/no-funnel.`,
-		},
-		{
-			name:                 "fallback-flow-enabled",
-			queryFeatureResponse: mockQueryFeatureResponse{resp: nil, err: errors.New("not-allowed")},
-			caps:                 []string{tailcfg.CapabilityHTTPS, tailcfg.NodeAttrFunnel},
-			wantErr:              "", // no error, success
-		},
-		{
-			name: "not-allowed-to-enable",
-			queryFeatureResponse: mockQueryFeatureResponse{resp: &tailcfg.QueryFeatureResponse{
-				Complete:   false,
-				Text:       "You don't have permission to enable this feature.",
-				ShouldWait: false,
-			}, err: nil},
-			wantErr:   "",
-			wantPanic: "unexpected call to os.Exit(0) during test", // os.Exit(0) should be called to end process
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctx := context.Background()
-			lc.setQueryFeatureResponse(tt.queryFeatureResponse)
-
-			if tt.caps != nil {
-				oldCaps := fakeStatus.Self.Capabilities
-				defer func() { fakeStatus.Self.Capabilities = oldCaps }() // reset after test
-				fakeStatus.Self.Capabilities = tt.caps
-			}
-			st, err := e.getLocalClientStatus(ctx)
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			defer func() {
-				r := recover()
-				var gotPanic string
-				if r != nil {
-					gotPanic = fmt.Sprint(r)
-				}
-				if gotPanic != tt.wantPanic {
-					t.Errorf("wrong panic; got=%s, want=%s", gotPanic, tt.wantPanic)
-				}
-			}()
-			gotErr := e.verifyFunnelEnabled(ctx, st, 443)
-			var got string
-			if gotErr != nil {
-				got = gotErr.Error()
-			}
-			if got != tt.wantErr {
-				t.Errorf("wrong error; got=%s, want=%s", gotErr, tt.wantErr)
-			}
-		})
-	}
-}
-
 // fakeLocalServeClient is a fake tailscale.LocalClient for tests.
 // It's not a full implementation, just enough to test the serve command.
 //
 // The fake client is stateful, and is used to test manipulating
 // ServeConfig state. This implementation cannot be used concurrently.
 type fakeLocalServeClient struct {
-	config               *ipn.ServeConfig
-	setCount             int                       // counts calls to SetServeConfig
-	queryFeatureResponse *mockQueryFeatureResponse // mock response to QueryFeature calls
+	config   *ipn.ServeConfig
+	setCount int // counts calls to SetServeConfig
 }

 // fakeStatus is a fake ipnstate.Status value for tests.
@@ -875,31 +782,6 @@ func (lc *fakeLocalServeClient) SetServeConfig(ctx context.Context, config *ipn.
 	return nil
 }

-type mockQueryFeatureResponse struct {
-	resp *tailcfg.QueryFeatureResponse
-	err  error
-}
-
-func (lc *fakeLocalServeClient) setQueryFeatureResponse(resp mockQueryFeatureResponse) {
-	lc.queryFeatureResponse = &resp
-}
-
-func (lc *fakeLocalServeClient) QueryFeature(ctx context.Context, feature string) (*tailcfg.QueryFeatureResponse, error) {
-	if resp := lc.queryFeatureResponse; resp != nil {
-		// If we're testing QueryFeature, use the response value set for the test.
-		return resp.resp, resp.err
-	}
-	return &tailcfg.QueryFeatureResponse{Complete: true}, nil // fallback to already enabled
-}
-
-func (lc *fakeLocalServeClient) WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (*tailscale.IPNBusWatcher, error) {
-	return nil, nil // unused in tests
-}
-
-func (lc *fakeLocalServeClient) IncrementCounter(ctx context.Context, name string, delta int) error {
-	return nil // unused in tests
-}
-
 // exactError returns an error checker that wants exactly the provided want error.
 // If optName is non-empty, it's used in the error message.
 func exactErr(want error, optName ...string) func(error) string {
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -12,7 +12,6 @@ import (

 	"github.com/peterbourgon/ff/v3/ffcli"
 	"tailscale.com/ipn"
-	"tailscale.com/net/netutil"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
 )
@@ -160,11 +159,11 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 // setArgs is the parsed command-line arguments.
 func calcAdvertiseRoutesForSet(advertiseExitNodeSet, advertiseRoutesSet bool, curPrefs *ipn.Prefs, setArgs setArgsT) (routes []netip.Prefix, err error) {
 	if advertiseExitNodeSet && advertiseRoutesSet {
-		return netutil.CalcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)
+		return calcAdvertiseRoutes(setArgs.advertiseRoutes, setArgs.advertiseDefaultRoute)

 	}
 	if advertiseRoutesSet {
-		return netutil.CalcAdvertiseRoutes(setArgs.advertiseRoutes, curPrefs.AdvertisesExitNode())
+		return calcAdvertiseRoutes(setArgs.advertiseRoutes, curPrefs.AdvertisesExitNode())
 	}
 	if advertiseExitNodeSet {
 		alreadyAdvertisesExitNode := curPrefs.AdvertisesExitNode()
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -6,6 +6,7 @@ package cli
 import (
 	"context"
 	"encoding/base64"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"flag"
@@ -32,7 +33,7 @@ import (
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/net/netutil"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
@@ -90,6 +91,8 @@ func acceptRouteDefault(goos string) bool {

 var upFlagSet = newUpFlagSet(effectiveGOOS(), &upArgsGlobal, "up")

+func inTest() bool { return flag.Lookup("test.v") != nil }
+
 // newUpFlagSet returns a new flag set for the "up" and "login" commands.
 func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 	if cmd != "up" && cmd != "login" {
@@ -219,6 +222,82 @@ func warnf(format string, args ...any) {
 	printf("Warning: "+format+"\n", args...)
 }

+var (
+	ipv4default = netip.MustParsePrefix("0.0.0.0/0")
+	ipv6default = netip.MustParsePrefix("::/0")
+)
+
+func validateViaPrefix(ipp netip.Prefix) error {
+	if !tsaddr.IsViaPrefix(ipp) {
+		return fmt.Errorf("%v is not a 4-in-6 prefix", ipp)
+	}
+	if ipp.Bits() < (128 - 32) {
+		return fmt.Errorf("%v 4-in-6 prefix must be at least a /%v", ipp, 128-32)
+	}
+	a := ipp.Addr().As16()
+	// The first 64 bits of a are the via prefix.
+	// The next 32 bits are the "site ID".
+	// The last 32 bits are the IPv4.
+	// For now, we reserve the top 3 bytes of the site ID,
+	// and only allow users to use site IDs 0-255.
+	siteID := binary.BigEndian.Uint32(a[8:12])
+	if siteID > 0xFF {
+		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xff or less", ipp, siteID)
+	}
+	return nil
+}
+
+func calcAdvertiseRoutes(advertiseRoutes string, advertiseDefaultRoute bool) ([]netip.Prefix, error) {
+	routeMap := map[netip.Prefix]bool{}
+	if advertiseRoutes != "" {
+		var default4, default6 bool
+		advroutes := strings.Split(advertiseRoutes, ",")
+		for _, s := range advroutes {
+			ipp, err := netip.ParsePrefix(s)
+			if err != nil {
+				return nil, fmt.Errorf("%q is not a valid IP address or CIDR prefix", s)
+			}
+			if ipp != ipp.Masked() {
+				return nil, fmt.Errorf("%s has non-address bits set; expected %s", ipp, ipp.Masked())
+			}
+			if tsaddr.IsViaPrefix(ipp) {
+				if err := validateViaPrefix(ipp); err != nil {
+					return nil, err
+				}
+			}
+			if ipp == ipv4default {
+				default4 = true
+			} else if ipp == ipv6default {
+				default6 = true
+			}
+			routeMap[ipp] = true
+		}
+		if default4 && !default6 {
+			return nil, fmt.Errorf("%s advertised without its IPv6 counterpart, please also advertise %s", ipv4default, ipv6default)
+		} else if default6 && !default4 {
+			return nil, fmt.Errorf("%s advertised without its IPv4 counterpart, please also advertise %s", ipv6default, ipv4default)
+		}
+	}
+	if advertiseDefaultRoute {
+		routeMap[netip.MustParsePrefix("0.0.0.0/0")] = true
+		routeMap[netip.MustParsePrefix("::/0")] = true
+	}
+	if len(routeMap) == 0 {
+		return nil, nil
+	}
+	routes := make([]netip.Prefix, 0, len(routeMap))
+	for r := range routeMap {
+		routes = append(routes, r)
+	}
+	sort.Slice(routes, func(i, j int) bool {
+		if routes[i].Bits() != routes[j].Bits() {
+			return routes[i].Bits() < routes[j].Bits()
+		}
+		return routes[i].Addr().Less(routes[j].Addr())
+	})
+	return routes, nil
+}
+
 // prefsFromUpArgs returns the ipn.Prefs for the provided args.
 //
 // Note that the parameters upArgs and warnf are named intentionally
@@ -226,7 +305,7 @@ func warnf(format string, args ...any) {
 // function exists for testing and should have no side effects or
 // outside interactions (e.g. no making Tailscale LocalAPI calls).
 func prefsFromUpArgs(upArgs upArgsT, warnf logger.Logf, st *ipnstate.Status, goos string) (*ipn.Prefs, error) {
-	routes, err := netutil.CalcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
+	routes, err := calcAdvertiseRoutes(upArgs.advertiseRoutes, upArgs.advertiseDefaultRoute)
 	if err != nil {
 		return nil, err
 	}
@@ -345,7 +424,7 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus

 	simpleUp = env.flagSet.NFlag() == 0 &&
 		curPrefs.Persist != nil &&
-		curPrefs.Persist.UserProfile.LoginName != "" &&
+		curPrefs.Persist.LoginName != "" &&
 		env.backendState != ipn.NeedsLogin.String()

 	justEdit := env.backendState == ipn.Running.String() &&
--- a/cmd/tailscale/cli/update.go
+++ b/cmd/tailscale/cli/update.go
@@ -4,15 +4,33 @@
 package cli

 import (
+	"bufio"
+	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"regexp"
 	"runtime"
+	"strconv"
 	"strings"
+	"time"

+	"github.com/google/uuid"
 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/clientupdate"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/util/must"
+	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
 )
@@ -49,38 +67,147 @@ var updateArgs struct {
 	version  string // explicit version; empty means auto
 }

+// winMSIEnv is the environment variable that, if set, is the MSI file for the
+// update command to install. It's passed like this so we can stop the
+// tailscale.exe process from running before the msiexec process runs and tries
+// to overwrite ourselves.
+const winMSIEnv = "TS_UPDATE_WIN_MSI"
+
 func runUpdate(ctx context.Context, args []string) error {
+	if msi := os.Getenv(winMSIEnv); msi != "" {
+		log.Printf("installing %v ...", msi)
+		if err := installMSI(msi); err != nil {
+			log.Printf("MSI install failed: %v", err)
+			return err
+		}
+		log.Printf("success.")
+		return nil
+	}
 	if len(args) > 0 {
 		return flag.ErrHelp
 	}
 	if updateArgs.version != "" && updateArgs.track != "" {
 		return errors.New("cannot specify both --version and --track")
 	}
-	ver := updateArgs.version
-	if updateArgs.track != "" {
-		ver = updateArgs.track
+	up, err := newUpdater()
+	if err != nil {
+		return err
 	}
-	err := clientupdate.Update(clientupdate.UpdateArgs{
-		Version:  ver,
-		AppStore: updateArgs.appStore,
-		Logf:     func(format string, args ...any) { fmt.Printf(format+"\n", args...) },
-		Confirm:  confirmUpdate,
-	})
-	if errors.Is(err, errors.ErrUnsupported) {
-		return errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
-	}
-	return err
+	return up.update()
 }

-func confirmUpdate(ver string) bool {
-	if updateArgs.yes {
-		fmt.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
+func versionIsStable(v string) (stable, wellFormed bool) {
+	_, rest, ok := strings.Cut(v, ".")
+	if !ok {
+		return false, false
+	}
+	minorStr, _, ok := strings.Cut(rest, ".")
+	if !ok {
+		return false, false
+	}
+	minor, err := strconv.Atoi(minorStr)
+	if err != nil {
+		return false, false
+	}
+	return minor%2 == 0, true
+}
+
+func newUpdater() (*updater, error) {
+	up := &updater{
+		track: updateArgs.track,
+	}
+	switch up.track {
+	case "stable", "unstable":
+	case "":
+		if version.IsUnstableBuild() {
+			up.track = "unstable"
+		} else {
+			up.track = "stable"
+		}
+		if updateArgs.version != "" {
+			stable, ok := versionIsStable(updateArgs.version)
+			if !ok {
+				return nil, fmt.Errorf("malformed version %q", updateArgs.version)
+			}
+			if stable {
+				up.track = "stable"
+			} else {
+				up.track = "unstable"
+			}
+		}
+	default:
+		return nil, fmt.Errorf("unknown track %q; must be 'stable' or 'unstable'", up.track)
+	}
+	switch runtime.GOOS {
+	case "windows":
+		up.update = up.updateWindows
+	case "linux":
+		switch distro.Get() {
+		case distro.Synology:
+			up.update = up.updateSynology
+		case distro.Debian: // includes Ubuntu
+			up.update = up.updateDebLike
+		case distro.Arch:
+			up.update = up.updateArchLike
+		case distro.Alpine:
+			up.update = up.updateAlpineLike
+		}
+		// TODO(awly): add support for Alpine
+		switch {
+		case haveExecutable("pacman"):
+			up.update = up.updateArchLike
+		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
+			// The distro.Debian switch case above should catch most apt-based
+			// systems, but add this fallback just in case.
+			up.update = up.updateDebLike
+		case haveExecutable("dnf"):
+			up.update = up.updateFedoraLike("dnf")
+		case haveExecutable("yum"):
+			up.update = up.updateFedoraLike("yum")
+		case haveExecutable("apk"):
+			up.update = up.updateAlpineLike
+		}
+	case "darwin":
+		switch {
+		case !updateArgs.appStore && !version.IsSandboxedMacOS():
+			return nil, errors.New("The 'update' command is not yet supported on this platform; see https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS/ for now")
+		case !updateArgs.appStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
+			up.update = up.updateMacSys
+		default:
+			up.update = up.updateMacAppStore
+		}
+	case "freebsd":
+		up.update = up.updateFreeBSD
+	}
+	if up.update == nil {
+		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
+	}
+	return up, nil
+}
+
+type updater struct {
+	track  string
+	update func() error
+}
+
+func (up *updater) currentOrDryRun(ver string) bool {
+	if version.Short() == ver {
+		fmt.Printf("already running %v; no update needed\n", ver)
 		return true
 	}
-
 	if updateArgs.dryRun {
 		fmt.Printf("Current: %v, Latest: %v\n", version.Short(), ver)
-		return false
+		return true
+	}
+	return false
+}
+
+var errUserAborted = errors.New("aborting update")
+
+func (up *updater) confirm(ver string) error {
+	if updateArgs.yes {
+		log.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
+		return nil
 	}

 	fmt.Printf("This will update Tailscale from %v to %v. Continue? [y/n] ", version.Short(), ver)
@@ -89,7 +216,693 @@ func confirmUpdate(ver string) bool {
 	resp = strings.ToLower(resp)
 	switch resp {
 	case "y", "yes", "sure":
-		return true
+		return nil
+	}
+	return errUserAborted
+}
+
+func (up *updater) updateSynology() error {
+	// TODO(bradfitz): detect, map GOARCH+CPU to the right Synology arch.
+	// TODO(bradfitz): add pkgs.tailscale.com endpoint to get release info
+	// TODO(bradfitz): require root/sudo
+	// TODO(bradfitz): run /usr/syno/bin/synopkg install tailscale.spk
+	return errors.New("The 'update' command is not yet implemented on Synology.")
+}
+
+func (up *updater) updateDebLike() error {
+	ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
+	if err != nil {
+		return err
+	}
+	if up.currentOrDryRun(ver) {
+		return nil
+	}
+
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
+		return err
+	} else if updated {
+		fmt.Printf("Updated %s to use the %s track\n", aptSourcesFile, up.track)
+	}
+
+	cmd := exec.Command("apt-get", "update",
+		// Only update the tailscale repo, not the other ones, treating
+		// the tailscale.list file as the main "sources.list" file.
+		"-o", "Dir::Etc::SourceList=sources.list.d/tailscale.list",
+		// Disable the "sources.list.d" directory:
+		"-o", "Dir::Etc::SourceParts=-",
+		// Don't forget about packages in the other repos just because
+		// we're not updating them:
+		"-o", "APT::Get::List-Cleanup=0",
+	)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return err
+	}
+
+	cmd = exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+const aptSourcesFile = "/etc/apt/sources.list.d/tailscale.list"
+
+// updateDebianAptSourcesList updates the /etc/apt/sources.list.d/tailscale.list
+// file to make sure it has the provided track (stable or unstable) in it.
+//
+// If it already has the right track (including containing both stable and
+// unstable), it does nothing.
+func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) {
+	was, err := os.ReadFile(aptSourcesFile)
+	if err != nil {
+		return false, err
+	}
+	newContent, err := updateDebianAptSourcesListBytes(was, dstTrack)
+	if err != nil {
+		return false, err
+	}
+	if bytes.Equal(was, newContent) {
+		return false, nil
+	}
+	return true, os.WriteFile(aptSourcesFile, newContent, 0644)
+}
+
+func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) {
+	trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/")
+	var buf bytes.Buffer
+	var changes int
+	bs := bufio.NewScanner(bytes.NewReader(was))
+	hadCorrect := false
+	commentLine := regexp.MustCompile(`^\s*\#`)
+	pkgsURL := regexp.MustCompile(`\bhttps://pkgs\.tailscale\.com/((un)?stable)/`)
+	for bs.Scan() {
+		line := bs.Bytes()
+		if !commentLine.Match(line) {
+			line = pkgsURL.ReplaceAllFunc(line, func(m []byte) []byte {
+				if bytes.Equal(m, trackURLPrefix) {
+					hadCorrect = true
+				} else {
+					changes++
+				}
+				return trackURLPrefix
+			})
+		}
+		buf.Write(line)
+		buf.WriteByte('\n')
+	}
+	if hadCorrect || (changes == 1 && bytes.Equal(bytes.TrimSpace(was), bytes.TrimSpace(buf.Bytes()))) {
+		// Unchanged or close enough.
+		return was, nil
+	}
+	if changes != 1 {
+		// No changes, or an unexpected number of changes (what?). Bail.
+		// They probably editted it by hand and we don't know what to do.
+		return nil, fmt.Errorf("unexpected/unsupported %s contents", aptSourcesFile)
+	}
+	return buf.Bytes(), nil
+}
+
+func (up *updater) updateArchLike() (err error) {
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil && !errors.Is(err, errUserAborted) {
+			err = fmt.Errorf(`%w; you can try updating using "pacman --sync --refresh tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("pacman", "--sync", "--refresh", "--info", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking pacman for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver, err := parsePacmanVersion(out)
+	if err != nil {
+		return err
+	}
+	if up.currentOrDryRun(ver) {
+		return nil
+	}
+	if err := up.confirm(ver); err != nil {
+		return err
+	}
+
+	cmd := exec.Command("pacman", "--sync", "--noconfirm", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using pacman: %w", err)
+	}
+	return nil
+}
+
+func parsePacmanVersion(out []byte) (string, error) {
+	for _, line := range strings.Split(string(out), "\n") {
+		// The line we're looking for looks like this:
+		// Version         : 1.44.2-1
+		if !strings.HasPrefix(line, "Version") {
+			continue
+		}
+		parts := strings.SplitN(line, ":", 2)
+		if len(parts) != 2 {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		ver := strings.TrimSpace(parts[1])
+		// Trim the Arch patch version.
+		ver = strings.Split(ver, "-")[0]
+		if ver == "" {
+			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
+		}
+		return ver, nil
+	}
+	return "", fmt.Errorf("could not find latest version of tailscale via pacman")
+}
+
+const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
+
+// updateFedoraLike updates tailscale on any distros in the Fedora family,
+// specifically anything that uses "dnf" or "yum" package managers. The actual
+// package manager is passed via packageManager.
+func (up *updater) updateFedoraLike(packageManager string) func() error {
+	return func() (err error) {
+		if err := requireRoot(); err != nil {
+			return err
+		}
+		defer func() {
+			if err != nil && !errors.Is(err, errUserAborted) {
+				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
+			}
+		}()
+
+		ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
+		if err != nil {
+			return err
+		}
+		if up.currentOrDryRun(ver) {
+			return nil
+		}
+		if err := up.confirm(ver); err != nil {
+			return err
+		}
+
+		if updated, err := updateYUMRepoTrack(yumRepoConfigFile, up.track); err != nil {
+			return err
+		} else if updated {
+			fmt.Printf("Updated %s to use the %s track\n", yumRepoConfigFile, up.track)
+		}
+
+		cmd := exec.Command(packageManager, "install", "--assumeyes", fmt.Sprintf("tailscale-%s-1", ver))
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		if err := cmd.Run(); err != nil {
+			return err
+		}
+		return nil
+	}
+}
+
+// updateYUMRepoTrack updates the repoFile file to make sure it has the
+// provided track (stable or unstable) in it.
+func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
+	was, err := os.ReadFile(repoFile)
+	if err != nil {
+		return false, err
+	}
+
+	urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`)
+	urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack)
+
+	s := bufio.NewScanner(bytes.NewReader(was))
+	newContent := bytes.NewBuffer(make([]byte, 0, len(was)))
+	for s.Scan() {
+		line := s.Text()
+		// Handle repo section name, like "[tailscale-stable]".
+		if len(line) > 0 && line[0] == '[' {
+			if !strings.HasPrefix(line, "[tailscale-") {
+				return false, fmt.Errorf("%q does not look like a tailscale repo file, it contains an unexpected %q section", repoFile, line)
+			}
+			fmt.Fprintf(newContent, "[tailscale-%s]\n", dstTrack)
+			continue
+		}
+		// Update the track mentioned in repo name.
+		if strings.HasPrefix(line, "name=") {
+			fmt.Fprintf(newContent, "name=Tailscale %s\n", dstTrack)
+			continue
+		}
+		// Update the actual repo URLs.
+		if strings.HasPrefix(line, "baseurl=") || strings.HasPrefix(line, "gpgkey=") {
+			fmt.Fprintln(newContent, urlRe.ReplaceAllString(line, urlReplacement))
+			continue
+		}
+		fmt.Fprintln(newContent, line)
+	}
+	if bytes.Equal(was, newContent.Bytes()) {
+		return false, nil
+	}
+	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
+}
+
+func (up *updater) updateAlpineLike() (err error) {
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil && !errors.Is(err, errUserAborted) {
+			err = fmt.Errorf(`%w; you can try updating using "apk upgrade tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("apk", "update").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed refresh apk repository indexes: %w, output: %q", err, out)
+	}
+	out, err = exec.Command("apk", "info", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking apk for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver, err := parseAlpinePackageVersion(out)
+	if err != nil {
+		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
+	}
+	if up.currentOrDryRun(ver) {
+		return nil
+	}
+	if err := up.confirm(ver); err != nil {
+		return err
+	}
+
+	cmd := exec.Command("apk", "upgrade", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using apk: %w", err)
+	}
+	return nil
+}
+
+func parseAlpinePackageVersion(out []byte) (string, error) {
+	s := bufio.NewScanner(bytes.NewReader(out))
+	for s.Scan() {
+		// The line should look like this:
+		// tailscale-1.44.2-r0 description:
+		line := strings.TrimSpace(s.Text())
+		if !strings.HasPrefix(line, "tailscale-") {
+			continue
+		}
+		parts := strings.SplitN(line, "-", 3)
+		if len(parts) < 3 {
+			return "", fmt.Errorf("malformed info line: %q", line)
+		}
+		return parts[1], nil
+	}
+	return "", errors.New("tailscale version not found in output")
+}
+
+func (up *updater) updateMacSys() error {
+	// use sparkle? do we have permissions from this context? does sudo help?
+	// We can at least fail with a command they can run to update from the shell.
+	// Like "tailscale update --macsys | sudo sh" or something.
+	//
+	// TODO(bradfitz,mihai): implement. But for now:
+	return errors.New("The 'update' command is not yet implemented on macOS.")
+}
+
+func (up *updater) updateMacAppStore() error {
+	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
+	}
+	const on = "1\n"
+	if string(out) != on {
+		fmt.Fprintln(os.Stderr, "NOTE: Automatic updating for App Store apps is turned off. You can change this setting in System Settings (search for ‘update’).")
+	}
+
+	out, err = exec.Command("softwareupdate", "--list").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("can't check App Store for available updates: %w, output: %q", err, string(out))
+	}
+
+	newTailscale := parseSoftwareupdateList(out)
+	if newTailscale == "" {
+		fmt.Println("no Tailscale update available")
+		return nil
+	}
+
+	newTailscaleVer := strings.TrimPrefix(newTailscale, "Tailscale-")
+	if up.currentOrDryRun(newTailscaleVer) {
+		return nil
+	}
+	if err := up.confirm(newTailscaleVer); err != nil {
+		return err
+	}
+
+	cmd := exec.Command("sudo", "softwareupdate", "--install", newTailscale)
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("can't install App Store update for Tailscale: %w", err)
+	}
+	return nil
+}
+
+var macOSAppStoreListPattern = regexp.MustCompile(`(?m)^\s+\*\s+Label:\s*(Tailscale-\d[\d\.]+)`)
+
+// parseSoftwareupdateList searches the output of `softwareupdate --list` on
+// Darwin and returns the matching Tailscale package label. If there is none,
+// returns the empty string.
+//
+// See TestParseSoftwareupdateList for example inputs.
+func parseSoftwareupdateList(stdout []byte) string {
+	matches := macOSAppStoreListPattern.FindSubmatch(stdout)
+	if len(matches) < 2 {
+		return ""
+	}
+	return string(matches[1])
+}
+
+var (
+	verifyAuthenticode func(string) error // or nil on non-Windows
+	markTempFileFunc   func(string) error // or nil on non-Windows
+)
+
+func (up *updater) updateWindows() error {
+	ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
+	if err != nil {
+		return err
+	}
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
+
+	if up.currentOrDryRun(ver) {
+		return nil
+	}
+	if !winutil.IsCurrentProcessElevated() {
+		return errors.New("must be run as Administrator")
+	}
+
+	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
+	msiDir := filepath.Join(tsDir, "MSICache")
+	if fi, err := os.Stat(tsDir); err != nil {
+		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
+	} else if !fi.IsDir() {
+		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
+	}
+	if err := os.MkdirAll(msiDir, 0700); err != nil {
+		return err
+	}
+
+	if err := up.confirm(ver); err != nil {
+		return err
+	}
+	msiTarget := filepath.Join(msiDir, path.Base(url))
+	if err := downloadURLToFile(url, msiTarget); err != nil {
+		return err
+	}
+
+	log.Printf("verifying MSI authenticode...")
+	if err := verifyAuthenticode(msiTarget); err != nil {
+		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
+	}
+	log.Printf("authenticode verification succeeded")
+
+	log.Printf("making tailscale.exe copy to switch to...")
+	selfCopy, err := makeSelfCopy()
+	if err != nil {
+		return err
+	}
+	defer os.Remove(selfCopy)
+	log.Printf("running tailscale.exe copy for final install...")
+
+	cmd := exec.Command(selfCopy, "update")
+	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget)
+	cmd.Stdout = os.Stderr
+	cmd.Stderr = os.Stderr
+	cmd.Stdin = os.Stdin
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	// Once it's started, exit ourselves, so the binary is free
+	// to be replaced.
+	os.Exit(0)
+	panic("unreachable")
+}
+
+func installMSI(msi string) error {
+	var err error
+	for tries := 0; tries < 2; tries++ {
+		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
+		cmd.Dir = filepath.Dir(msi)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		if err == nil {
+			break
+		}
+		uninstallVersion := version.Short()
+		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
+			uninstallVersion = v
+		}
+		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
+		log.Printf("Uninstalling current version %q for downgrade...", uninstallVersion)
+		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Stdin = os.Stdin
+		err = cmd.Run()
+		log.Printf("msiexec uninstall: %v", err)
+	}
+	return err
+}
+
+func msiUUIDForVersion(ver string) string {
+	arch := runtime.GOARCH
+	if arch == "386" {
+		arch = "x86"
+	}
+	track := "unstable"
+	if stable, ok := versionIsStable(ver); ok && stable {
+		track = "stable"
+	}
+	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
+	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
+}
+
+func makeSelfCopy() (tmpPathExe string, err error) {
+	selfExe, err := os.Executable()
+	if err != nil {
+		return "", err
+	}
+	f, err := os.Open(selfExe)
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
+	if err != nil {
+		return "", err
+	}
+	if f := markTempFileFunc; f != nil {
+		if err := f(f2.Name()); err != nil {
+			return "", err
+		}
+	}
+	if _, err := io.Copy(f2, f); err != nil {
+		f2.Close()
+		return "", err
+	}
+	return f2.Name(), f2.Close()
+}
+
+func downloadURLToFile(urlSrc, fileDst string) (ret error) {
+	tr := http.DefaultTransport.(*http.Transport).Clone()
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	defer tr.CloseIdleConnections()
+	c := &http.Client{Transport: tr}
+
+	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
+
+	res, err := c.Do(headReq)
+	if err != nil {
+		return err
+	}
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
+	}
+	if res.ContentLength <= 0 {
+		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
+	}
+	log.Printf("Download size: %v", res.ContentLength)
+
+	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
+	hashRes, err := c.Do(hashReq)
+	if err != nil {
+		return err
+	}
+	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
+	hashRes.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
+	}
+	if err != nil {
+		return err
+	}
+	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
+	if err != nil {
+		return err
+	}
+	hash := sha256.New()
+
+	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
+	dlRes, err := c.Do(dlReq)
+	if err != nil {
+		return err
+	}
+	// TODO(bradfitz): resume from existing partial file on disk
+	if dlRes.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
+	}
+
+	of, err := os.Create(fileDst)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if ret != nil {
+			of.Close()
+			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
+		}
+	}()
+	pw := &progressWriter{total: res.ContentLength}
+	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
+	if err != nil {
+		return err
+	}
+	if n != res.ContentLength {
+		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
+	}
+	if err := of.Close(); err != nil {
+		return err
+	}
+	pw.print()
+
+	if !bytes.Equal(hash.Sum(nil), wantHash) {
+		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
+	}
+	log.Printf("hash matched")
+
+	return nil
+}
+
+type progressWriter struct {
+	done      int64
+	total     int64
+	lastPrint time.Time
+}
+
+func (pw *progressWriter) Write(p []byte) (n int, err error) {
+	pw.done += int64(len(p))
+	if time.Since(pw.lastPrint) > 2*time.Second {
+		pw.print()
+	}
+	return len(p), nil
+}
+
+func (pw *progressWriter) print() {
+	pw.lastPrint = time.Now()
+	log.Printf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
+}
+
+func (up *updater) updateFreeBSD() (err error) {
+	if err := requireRoot(); err != nil {
+		return err
+	}
+
+	defer func() {
+		if err != nil && !errors.Is(err, errUserAborted) {
+			err = fmt.Errorf(`%w; you can try updating using "pkg upgrade tailscale"`, err)
+		}
+	}()
+
+	out, err := exec.Command("pkg", "update").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed refresh pkg repository indexes: %w, output: %q", err, out)
+	}
+	out, err = exec.Command("pkg", "rquery", "%v", "tailscale").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("failed checking pkg for latest tailscale version: %w, output: %q", err, out)
+	}
+	ver := string(bytes.TrimSpace(out))
+	if up.currentOrDryRun(ver) {
+		return nil
+	}
+	if err := up.confirm(ver); err != nil {
+		return err
+	}
+
+	cmd := exec.Command("pkg", "upgrade", "tailscale")
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("failed tailscale update using pkg: %w", err)
+	}
+	return nil
+}
+
+func haveExecutable(name string) bool {
+	path, err := exec.LookPath(name)
+	return err == nil && path != ""
+}
+
+func requestedTailscaleVersion(ver, track string) (string, error) {
+	if ver != "" {
+		return ver, nil
+	}
+	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS)
+	res, err := http.Get(url)
+	if err != nil {
+		return "", fmt.Errorf("fetching latest tailscale version: %w", err)
+	}
+	var latest struct {
+		Version string
+	}
+	err = json.NewDecoder(res.Body).Decode(&latest)
+	res.Body.Close()
+	if err != nil {
+		return "", fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
+	}
+	if latest.Version == "" {
+		return "", fmt.Errorf("no version found at %q", url)
+	}
+	return latest.Version, nil
+}
+
+func requireRoot() error {
+	if os.Geteuid() == 0 {
+		return nil
+	}
+	switch runtime.GOOS {
+	case "linux":
+		return errors.New("must be root; use sudo")
+	case "freebsd", "openbsd":
+		return errors.New("must be root; use doas")
+	default:
+		return errors.New("must be root")
 	}
-	return false
 }
--- a/clientupdate/clientupdate_test.go
+++ b/clientupdate/clientupdate_test.go
@@ -1,15 +1,12 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-package clientupdate
+package cli

 import (
-	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
-
-	"tailscale.com/tailcfg"
 )

 func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
@@ -22,38 +19,38 @@ func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
 	}{
 		{
 			name:    "stable-to-unstable",
-			toTrack: UnstableTrack,
+			toTrack: "unstable",
 			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
 			want:    "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
 		},
 		{
 			name:    "stable-unchanged",
-			toTrack: StableTrack,
+			toTrack: "stable",
 			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
 		},
 		{
 			name:    "if-both-stable-and-unstable-dont-change",
-			toTrack: StableTrack,
+			toTrack: "stable",
 			in: "# Tailscale packages for debian buster\n" +
 				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
 				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
 		},
 		{
 			name:    "if-both-stable-and-unstable-dont-change-unstable",
-			toTrack: UnstableTrack,
+			toTrack: "unstable",
 			in: "# Tailscale packages for debian buster\n" +
 				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
 				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
 		},
 		{
 			name:    "signed-by-form",
-			toTrack: UnstableTrack,
+			toTrack: "unstable",
 			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu jammy main\n",
 			want:    "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/unstable/ubuntu jammy main\n",
 		},
 		{
 			name:    "unsupported-lines",
-			toTrack: UnstableTrack,
+			toTrack: "unstable",
 			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/foobar/ubuntu jammy main\n",
 			wantErr: "unexpected/unsupported /etc/apt/sources.list.d/tailscale.list contents",
 		},
@@ -282,7 +279,7 @@ repo_gpgcheck=1
 gpgcheck=0
 gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
 `,
-			track: StableTrack,
+			track: "stable",
 			after: `
 [tailscale-stable]
 name=Tailscale stable
@@ -306,7 +303,7 @@ repo_gpgcheck=1
 gpgcheck=0
 gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
 `,
-			track: UnstableTrack,
+			track: "unstable",
 			after: `
 [tailscale-unstable]
 name=Tailscale unstable
@@ -335,7 +332,7 @@ gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
 skip_if_unavailable=False
 `,
-			track:   StableTrack,
+			track:   "stable",
 			wantErr: true,
 		},
 	}
@@ -443,44 +440,3 @@ tailscale installed size:
 		})
 	}
 }
-
-func TestSynoArch(t *testing.T) {
-	tests := []struct {
-		goarch  string
-		model   string
-		want    string
-		wantErr bool
-	}{
-		{goarch: "amd64", model: "DS224+", want: "x86_64"},
-		{goarch: "arm64", model: "DS124", want: "armv8"},
-		{goarch: "386", model: "DS415play", want: "i686"},
-		{goarch: "arm", model: "DS213air", want: "88f6281"},
-		{goarch: "arm", model: "NVR1218", want: "hi3535"},
-		{goarch: "arm", model: "DS1517", want: "alpine"},
-		{goarch: "arm", model: "DS216se", want: "armada370"},
-		{goarch: "arm", model: "DS115", want: "armada375"},
-		{goarch: "arm", model: "DS419slim", want: "armada38x"},
-		{goarch: "arm", model: "RS815", want: "armadaxp"},
-		{goarch: "arm", model: "DS414j", want: "comcerto2k"},
-		{goarch: "arm", model: "DS216play", want: "monaco"},
-		{goarch: "riscv64", model: "DS999", wantErr: true},
-	}
-
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("%s-%s", tt.goarch, tt.model), func(t *testing.T) {
-			got, err := synoArch(&tailcfg.Hostinfo{GoArch: tt.goarch, DeviceModel: tt.model})
-			if err != nil {
-				if !tt.wantErr {
-					t.Fatalf("got unexpected error %v", err)
-				}
-				return
-			}
-			if tt.wantErr {
-				t.Fatalf("got %q, expected an error", got)
-			}
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
--- a/clientupdate/clientupdate_windows.go
+++ b/clientupdate/clientupdate_windows.go
@@ -1,28 +1,20 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-// Windows-specific stuff that can't go in clientupdate.go because it needs
+// Windows-specific stuff that can't go in update.go because it needs
 // x/sys/windows.

-package clientupdate
+package cli

 import (
 	"golang.org/x/sys/windows"
-	"tailscale.com/util/winutil/authenticode"
 )

 func init() {
 	markTempFileFunc = markTempFileWindows
-	verifyAuthenticode = verifyTailscale
 }

 func markTempFileWindows(name string) error {
 	name16 := windows.StringToUTF16Ptr(name)
 	return windows.MoveFileEx(name16, nil, windows.MOVEFILE_DELAY_UNTIL_REBOOT)
 }
-
-const certSubjectTailscale = "Tailscale Inc."
-
-func verifyTailscale(path string) error {
-	return authenticode.Verify(path, certSubjectTailscale)
-}
--- a/cmd/tailscale/cli/version.go
+++ b/cmd/tailscale/cli/version.go
@@ -11,7 +11,6 @@ import (
 	"os"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/clientupdate"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/version"
 )
@@ -24,16 +23,14 @@ var versionCmd = &ffcli.Command{
 		fs := newFlagSet("version")
 		fs.BoolVar(&versionArgs.daemon, "daemon", false, "also print local node's daemon version")
 		fs.BoolVar(&versionArgs.json, "json", false, "output in JSON format")
-		fs.BoolVar(&versionArgs.upstream, "upstream", false, "fetch and print the latest upstream release version from pkgs.tailscale.com")
 		return fs
 	})(),
 	Exec: runVersion,
 }

 var versionArgs struct {
-	daemon   bool // also check local node's daemon version
-	json     bool
-	upstream bool
+	daemon bool // also check local node's daemon version
+	json   bool
 }

 func runVersion(ctx context.Context, args []string) error {
@@ -50,42 +47,21 @@ func runVersion(ctx context.Context, args []string) error {
 		}
 	}

-	var upstreamVer string
-	if versionArgs.upstream {
-		upstreamVer, err = clientupdate.LatestTailscaleVersion(clientupdate.CurrentTrack)
-		if err != nil {
-			return err
-		}
-	}
-
 	if versionArgs.json {
 		m := version.GetMeta()
 		if st != nil {
 			m.DaemonLong = st.Version
 		}
-		out := struct {
-			version.Meta
-			Upstream string `json:"upstream,omitempty"`
-		}{
-			Meta:     m,
-			Upstream: upstreamVer,
-		}
 		e := json.NewEncoder(os.Stdout)
 		e.SetIndent("", "\t")
-		return e.Encode(out)
+		return e.Encode(m)
 	}

 	if st == nil {
 		outln(version.String())
-		if versionArgs.upstream {
-			printf("  upstream: %s\n", upstreamVer)
-		}
 		return nil
 	}
 	printf("Client: %s\n", version.String())
 	printf("Daemon: %s\n", st.Version)
-	if versionArgs.upstream {
-		printf("Upstream: %s\n", upstreamVer)
-	}
 	return nil
 }
--- a/cmd/tailscale/cli/web.css
+++ b/cmd/tailscale/cli/web.css
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -4,23 +4,76 @@
 package cli

 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	_ "embed"
+	"encoding/json"
+	"encoding/xml"
 	"flag"
 	"fmt"
+	"html/template"
+	"io"
 	"log"
 	"net"
 	"net/http"
 	"net/http/cgi"
+	"net/netip"
+	"net/url"
 	"os"
+	"os/exec"
 	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/web"
+	"tailscale.com/envknob"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/util/cmpx"
+	"tailscale.com/util/groupmember"
+	"tailscale.com/version/distro"
 )

+//go:embed web.html
+var webHTML string
+
+//go:embed web.css
+var webCSS string
+
+//go:embed auth-redirect.html
+var authenticationRedirectHTML string
+
+var tmpl *template.Template
+
+func init() {
+	tmpl = template.Must(template.New("web.html").Parse(webHTML))
+	template.Must(tmpl.New("web.css").Parse(webCSS))
+}
+
+type tmplData struct {
+	Profile           tailcfg.UserProfile
+	SynologyUser      string
+	Status            string
+	DeviceName        string
+	IP                string
+	AdvertiseExitNode bool
+	AdvertiseRoutes   string
+	LicensesURL       string
+	TUNMode           bool
+	IsSynology        bool
+	DSMVersion        int // 6 or 7, if IsSynology=true
+	IsUnraid          bool
+	UnraidToken       string
+	IPNVersion        string
+}
+
+type postedData struct {
+	AdvertiseRoutes   string
+	AdvertiseExitNode bool
+	Reauthenticate    bool
+	ForceLogout       bool
+}
+
 var webCmd = &ffcli.Command{
 	Name:       "web",
 	ShortUsage: "web [flags]",
@@ -38,7 +91,6 @@ Tailscale, as opposed to a CLI or a native app.
 		webf := newFlagSet("web")
 		webf.StringVar(&webArgs.listen, "listen", "localhost:8088", "listen address; use port 0 for automatic")
 		webf.BoolVar(&webArgs.cgi, "cgi", false, "run as CGI script")
-		webf.BoolVar(&webArgs.dev, "dev", false, "run web client in developer mode [this flag is in development, use is unsupported]")
 		return webf
 	})(),
 	Exec: runWeb,
@@ -47,7 +99,6 @@ Tailscale, as opposed to a CLI or a native app.
 var webArgs struct {
 	listen string
 	cgi    bool
-	dev    bool
 }

 func tlsConfigFromEnvironment() *tls.Config {
@@ -78,11 +129,8 @@ func runWeb(ctx context.Context, args []string) error {
 		return fmt.Errorf("too many non-flag arguments: %q", args)
 	}

-	webServer, cleanup := web.NewServer(webArgs.dev, nil)
-	defer cleanup()
-
 	if webArgs.cgi {
-		if err := cgi.Serve(webServer); err != nil {
+		if err := cgi.Serve(http.HandlerFunc(webHandler)); err != nil {
 			log.Printf("tailscale.cgi: %v", err)
 			return err
 		}
@@ -94,14 +142,14 @@ func runWeb(ctx context.Context, args []string) error {
 		server := &http.Server{
 			Addr:      webArgs.listen,
 			TLSConfig: tlsConfig,
-			Handler:   webServer,
+			Handler:   http.HandlerFunc(webHandler),
 		}

 		log.Printf("web server running on: https://%s", server.Addr)
 		return server.ListenAndServeTLS("", "")
 	} else {
 		log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
-		return http.ListenAndServe(webArgs.listen, webServer)
+		return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 	}
 }

@@ -110,3 +158,372 @@ func urlOfListenAddr(addr string) string {
 	host, port, _ := net.SplitHostPort(addr)
 	return fmt.Sprintf("http://%s", net.JoinHostPort(cmpx.Or(host, "127.0.0.1"), port))
 }
+
+// authorize returns the name of the user accessing the web UI after verifying
+// whether the user has access to the web UI. The function will write the
+// error to the provided http.ResponseWriter.
+// Note: This is different from a tailscale user, and is typically the local
+// user on the node.
+func authorize(w http.ResponseWriter, r *http.Request) (string, error) {
+	switch distro.Get() {
+	case distro.Synology:
+		user, err := synoAuthn()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if err := authorizeSynology(user); err != nil {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	case distro.QNAP:
+		user, resp, err := qnapAuthn(r)
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return "", err
+		}
+		if resp.IsAdmin == 0 {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return "", err
+		}
+		return user, nil
+	}
+	return "", nil
+}
+
+// authorizeSynology checks whether the provided user has access to the web UI
+// by consulting the membership of the "administrators" group.
+func authorizeSynology(name string) error {
+	yes, err := groupmember.IsMemberOfGroup("administrators", name)
+	if err != nil {
+		return err
+	}
+	if !yes {
+		return fmt.Errorf("not a member of administrators group")
+	}
+	return nil
+}
+
+type qnapAuthResponse struct {
+	AuthPassed int    `xml:"authPassed"`
+	IsAdmin    int    `xml:"isAdmin"`
+	AuthSID    string `xml:"authSid"`
+	ErrorValue int    `xml:"errorValue"`
+}
+
+func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
+	user, err := r.Cookie("NAS_USER")
+	if err != nil {
+		return "", nil, err
+	}
+	token, err := r.Cookie("qtoken")
+	if err == nil {
+		return qnapAuthnQtoken(r, user.Value, token.Value)
+	}
+	sid, err := r.Cookie("NAS_SID")
+	if err == nil {
+		return qnapAuthnSid(r, user.Value, sid.Value)
+	}
+	return "", nil, fmt.Errorf("not authenticated by any mechanism")
+}
+
+// qnapAuthnURL returns the auth URL to use by inferring where the UI is
+// running based on the request URL. This is necessary because QNAP has so
+// many options, see https://github.com/tailscale/tailscale/issues/7108
+// and https://github.com/tailscale/tailscale/issues/6903
+func qnapAuthnURL(requestUrl string, query url.Values) string {
+	in, err := url.Parse(requestUrl)
+	scheme := ""
+	host := ""
+	if err != nil || in.Scheme == "" {
+		log.Printf("Cannot parse QNAP login URL %v", err)
+
+		// try localhost and hope for the best
+		scheme = "http"
+		host = "localhost"
+	} else {
+		scheme = in.Scheme
+		host = in.Host
+	}
+
+	u := url.URL{
+		Scheme:   scheme,
+		Host:     host,
+		Path:     "/cgi-bin/authLogin.cgi",
+		RawQuery: query.Encode(),
+	}
+
+	return u.String()
+}
+
+func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"qtoken": []string{token},
+		"user":   []string{user},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
+	query := url.Values{
+		"sid": []string{sid},
+	}
+	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
+}
+
+func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
+	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
+	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
+	// SAN. See https://github.com/tailscale/tailscale/issues/6903
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: tr}
+	resp, err := client.Get(url)
+	if err != nil {
+		return "", nil, err
+	}
+	defer resp.Body.Close()
+	out, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return "", nil, err
+	}
+	authResp := &qnapAuthResponse{}
+	if err := xml.Unmarshal(out, authResp); err != nil {
+		return "", nil, err
+	}
+	if authResp.AuthPassed == 0 {
+		return "", nil, fmt.Errorf("not authenticated")
+	}
+	return user, authResp, nil
+}
+
+func synoAuthn() (string, error) {
+	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		return "", fmt.Errorf("auth: %v: %s", err, out)
+	}
+	return strings.TrimSpace(string(out)), nil
+}
+
+func authRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if distro.Get() == distro.Synology {
+		return synoTokenRedirect(w, r)
+	}
+	return false
+}
+
+func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
+	if r.Header.Get("X-Syno-Token") != "" {
+		return false
+	}
+	if r.URL.Query().Get("SynoToken") != "" {
+		return false
+	}
+	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
+		return false
+	}
+	// We need a SynoToken for authenticate.cgi.
+	// So we tell the client to get one.
+	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
+	return true
+}
+
+const synoTokenRedirectHTML = `<html><body>
+Redirecting with session token...
+<script>
+var serverURL = window.location.protocol + "//" + window.location.host;
+var req = new XMLHttpRequest();
+req.overrideMimeType("application/json");
+req.open("GET", serverURL + "/webman/login.cgi", true);
+req.onload = function() {
+	var jsonResponse = JSON.parse(req.responseText);
+	var token = jsonResponse["SynoToken"];
+	document.location.href = serverURL + "/webman/3rdparty/Tailscale/?SynoToken=" + token;
+};
+req.send(null);
+</script>
+</body></html>
+`
+
+func webHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	if authRedirect(w, r) {
+		return
+	}
+
+	user, err := authorize(w, r)
+	if err != nil {
+		return
+	}
+
+	if r.URL.Path == "/redirect" || r.URL.Path == "/redirect/" {
+		io.WriteString(w, authenticationRedirectHTML)
+		return
+	}
+
+	st, err := localClient.StatusWithoutPeers(ctx)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	prefs, err := localClient.GetPrefs(ctx)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if r.Method == "POST" {
+		defer r.Body.Close()
+		var postData postedData
+		type mi map[string]any
+		if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
+			w.WriteHeader(400)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		}
+
+		routes, err := calcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		}
+		mp := &ipn.MaskedPrefs{
+			AdvertiseRoutesSet: true,
+			WantRunningSet:     true,
+		}
+		mp.Prefs.WantRunning = true
+		mp.Prefs.AdvertiseRoutes = routes
+		log.Printf("Doing edit: %v", mp.Pretty())
+
+		if _, err := localClient.EditPrefs(ctx, mp); err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		var reauth, logout bool
+		if postData.Reauthenticate {
+			reauth = true
+		}
+		if postData.ForceLogout {
+			logout = true
+		}
+		log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
+		url, err := tailscaleUp(r.Context(), st, postData)
+		log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
+		if err != nil {
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(mi{"error": err.Error()})
+			return
+		}
+		if url != "" {
+			json.NewEncoder(w).Encode(mi{"url": url})
+		} else {
+			io.WriteString(w, "{}")
+		}
+		return
+	}
+
+	profile := st.User[st.Self.UserID]
+	deviceName := strings.Split(st.Self.DNSName, ".")[0]
+	versionShort := strings.Split(st.Version, "-")[0]
+	data := tmplData{
+		SynologyUser: user,
+		Profile:      profile,
+		Status:       st.BackendState,
+		DeviceName:   deviceName,
+		LicensesURL:  licensesURL(),
+		TUNMode:      st.TUN,
+		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
+		DSMVersion:   distro.DSMVersion(),
+		IsUnraid:     distro.Get() == distro.Unraid,
+		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
+		IPNVersion:   versionShort,
+	}
+	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
+	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
+	for _, r := range prefs.AdvertiseRoutes {
+		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
+			data.AdvertiseExitNode = true
+		} else {
+			if data.AdvertiseRoutes != "" {
+				data.AdvertiseRoutes += ","
+			}
+			data.AdvertiseRoutes += r.String()
+		}
+	}
+	if len(st.TailscaleIPs) != 0 {
+		data.IP = st.TailscaleIPs[0].String()
+	}
+
+	buf := new(bytes.Buffer)
+	if err := tmpl.Execute(buf, data); err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Write(buf.Bytes())
+}
+
+func tailscaleUp(ctx context.Context, st *ipnstate.Status, postData postedData) (authURL string, retErr error) {
+	if postData.ForceLogout {
+		if err := localClient.Logout(ctx); err != nil {
+			return "", fmt.Errorf("Logout error: %w", err)
+		}
+		return "", nil
+	}
+
+	origAuthURL := st.AuthURL
+	isRunning := st.BackendState == ipn.Running.String()
+
+	forceReauth := postData.Reauthenticate
+	if !forceReauth {
+		if origAuthURL != "" {
+			return origAuthURL, nil
+		}
+		if isRunning {
+			return "", nil
+		}
+	}
+
+	// printAuthURL reports whether we should print out the
+	// provided auth URL from an IPN notify.
+	printAuthURL := func(url string) bool {
+		return url != origAuthURL
+	}
+
+	watchCtx, cancelWatch := context.WithCancel(ctx)
+	defer cancelWatch()
+	watcher, err := localClient.WatchIPNBus(watchCtx, 0)
+	if err != nil {
+		return "", err
+	}
+	defer watcher.Close()
+
+	go func() {
+		if !isRunning {
+			localClient.Start(ctx, ipn.Options{})
+		}
+		if forceReauth {
+			localClient.StartLoginInteractive(ctx)
+		}
+	}()
+
+	for {
+		n, err := watcher.Next()
+		if err != nil {
+			return "", err
+		}
+		if n.ErrMessage != nil {
+			msg := *n.ErrMessage
+			return "", fmt.Errorf("backend error: %v", msg)
+		}
+		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
+			return *url, nil
+		}
+	}
+}
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
--- a/cmd/tailscale/cli/web_test.go
+++ b/cmd/tailscale/cli/web_test.go
@@ -4,6 +4,7 @@
 package cli

 import (
+	"net/url"
 	"testing"
 )

@@ -43,3 +44,58 @@ func TestUrlOfListenAddr(t *testing.T) {
 		})
 	}
 }
+
+func TestQnapAuthnURL(t *testing.T) {
+	query := url.Values{
+		"qtoken": []string{"token"},
+	}
+	tests := []struct {
+		name string
+		in   string
+		want string
+	}{
+		{
+			name: "localhost http",
+			in:   "http://localhost:8088/",
+			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "localhost https",
+			in:   "https://localhost:5000/",
+			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "IP http",
+			in:   "http://10.1.20.4:80/",
+			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "IP6 https",
+			in:   "https://[ff7d:0:1:2::1]/",
+			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "hostname https",
+			in:   "https://qnap.example.com/",
+			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "invalid URL",
+			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
+			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+		{
+			name: "err != nil",
+			in:   "http://192.168.0.%31/",
+			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			u := qnapAuthnURL(tt.in, query)
+			if u != tt.want {
+				t.Errorf("expected url: %q, got: %q", tt.want, u)
+			}
+		})
+	}
+}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -11,8 +11,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil/authenticode
-   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/winutil/authenticode
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
@@ -54,7 +52,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/derp+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter+
+        go4.org/netipx                                               from tailscale.com/wgengine/filter
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        gopkg.in/yaml.v2                                             from sigs.k8s.io/yaml
        k8s.io/client-go/util/homedir                                from tailscale.com/cmd/tailscale/cli
@@ -68,9 +66,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/client/web                                     from tailscale.com/cmd/tailscale/cli
-        tailscale.com/clientupdate                                   from tailscale.com/cmd/tailscale/cli
-        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
+     💣 tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
        tailscale.com/control/controlbase                            from tailscale.com/control/controlhttp
        tailscale.com/control/controlhttp                            from tailscale.com/cmd/tailscale/cli
        tailscale.com/control/controlknobs                           from tailscale.com/net/portmapper
@@ -83,7 +79,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/licenses                                       from tailscale.com/cmd/tailscale/cli+
        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
@@ -113,8 +108,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/control/controlhttp+
-        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+        tailscale.com/tstime                                         from tailscale.com/derp+
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
@@ -137,20 +132,18 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/util/groupmember                               from tailscale.com/client/web
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
+        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
+        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
        tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp+
-        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/quarantine                                from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
-        tailscale.com/util/testenv                                   from tailscale.com/cmd/tailscale/cli
     💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/clientupdate
        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/wgengine/capture                               from tailscale.com/cmd/tailscale/cli
@@ -201,7 +194,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        bytes                                                        from bufio+
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
-        compress/zlib                                                from image/png+
+        compress/zlib                                                from image/png
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -226,8 +219,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
        database/sql/driver                                          from github.com/google/uuid
-   W    debug/dwarf                                                  from debug/pe
-   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -237,7 +228,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        encoding/hex                                                 from crypto/x509+
        encoding/json                                                from expvar+
        encoding/pem                                                 from crypto/tls+
-        encoding/xml                                                 from github.com/tailscale/goupnp+
+        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
        flag                                                         from github.com/peterbourgon/ff/v3+
@@ -247,7 +238,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnstate+
-        html/template                                                from tailscale.com/client/web
+        html/template                                                from tailscale.com/cmd/tailscale/cli
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
@@ -267,7 +258,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        net/http                                                     from expvar+
        net/http/cgi                                                 from tailscale.com/cmd/tailscale/cli
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/cmd/tailscale/cli+
+        net/http/httputil                                            from tailscale.com/cmd/tailscale/cli
        net/http/internal                                            from net/http+
        net/netip                                                    from net+
        net/textproto                                                from golang.org/x/net/http/httpguts+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -77,10 +77,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
-   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com+
+   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
   W    github.com/dblohm7/wingoes/internal                          from github.com/dblohm7/wingoes/com
-   W 💣 github.com/dblohm7/wingoes/pe                                from tailscale.com/util/osdiag+
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
@@ -292,12 +291,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale/apitype+
     💣 tailscale.com/tempfork/device                                from tailscale.com/net/tstun/table
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
-        tailscale.com/tempfork/heap                                  from tailscale.com/wgengine/magicsock
        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
-        tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
@@ -334,7 +332,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
        tailscale.com/util/must                                      from tailscale.com/logpolicy
-     💣 tailscale.com/util/osdiag                                    from tailscale.com/cmd/tailscaled+
        tailscale.com/util/osshare                                   from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnauth
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -344,10 +341,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
        tailscale.com/util/sysresources                              from tailscale.com/wgengine/magicsock
        tailscale.com/util/systemd                                   from tailscale.com/control/controlclient+
-        tailscale.com/util/testenv                                   from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock+
     💣 tailscale.com/util/winutil                                   from tailscale.com/control/controlclient+
-   W 💣 tailscale.com/util/winutil/authenticode                      from tailscale.com/util/osdiag
   W    tailscale.com/util/winutil/policy                            from tailscale.com/ipn/ipnlocal
        tailscale.com/version                                        from tailscale.com/derp+
        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
@@ -412,10 +407,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/time/rate                                       from gvisor.dev/gvisor/pkg/tcpip/stack+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        cmp                                                          from slices
        compress/flate                                               from compress/gzip+
        compress/gzip                                                from golang.org/x/net/http2+
-   W    compress/zlib                                                from debug/pe
        container/heap                                               from gvisor.dev/gvisor/pkg/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -440,8 +433,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
-   W    debug/dwarf                                                  from debug/pe
-   W    debug/pe                                                     from github.com/dblohm7/wingoes/pe
        embed                                                        from tailscale.com+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -457,7 +448,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        flag                                                         from net/http/httptest+
        fmt                                                          from compress/flate+
        hash                                                         from crypto+
-        hash/adler32                                                 from tailscale.com/ipn/ipnlocal+
+        hash/adler32                                                 from tailscale.com/ipn/ipnlocal
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -497,7 +488,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        runtime/debug                                                from github.com/klauspost/compress/zstd+
        runtime/pprof                                                from tailscale.com/log/logheap+
        runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/wgengine/magicsock
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
        strings                                                      from bufio+
--- a/cmd/tailscaled/required_version.go
+++ b/cmd/tailscaled/required_version.go
@@ -1,10 +1,10 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-//go:build !go1.21
+//go:build !go1.20

 package main

 func init() {
-	you_need_Go_1_21_to_compile_Tailscale()
+	you_need_Go_1_20_to_compile_Tailscale()
 }
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -50,7 +50,6 @@ import (
 	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
-	"tailscale.com/util/osdiag"
 	"tailscale.com/util/winutil"
 	"tailscale.com/version"
 	"tailscale.com/wf"
@@ -128,7 +127,7 @@ var syslogf logger.Logf = logger.Discard
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
 	go func() {
-		osdiag.LogSupportInfo(logger.WithPrefix(log.Printf, "Support Info: "), osdiag.LogSupportInfoReasonStartup)
+		winutil.LogSupportInfo(log.Printf)
 	}()

 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
--- a/cmd/tsconnect/common.go
+++ b/cmd/tsconnect/common.go
@@ -32,9 +32,6 @@ func commonSetup(dev bool) (*esbuild.BuildOptions, error) {
 	if err != nil {
 		return nil, err
 	}
-	if *yarnPath == "" {
-		*yarnPath = path.Join(root, "tool", "yarn")
-	}
 	tsConnectDir := filepath.Join(root, "cmd", "tsconnect")
 	if err := os.Chdir(tsConnectDir); err != nil {
 		return nil, fmt.Errorf("Cannot change cwd: %w", err)
--- a/cmd/tsconnect/tsconnect.go
+++ b/cmd/tsconnect/tsconnect.go
@@ -20,7 +20,7 @@ var (
 	addr            = flag.String("addr", ":9090", "address to listen on")
 	distDir         = flag.String("distdir", "./dist", "path of directory to place build output in")
 	pkgDir          = flag.String("pkgdir", "./pkg", "path of directory to place NPM package build output in")
-	yarnPath        = flag.String("yarnpath", "", "path yarn executable used to install JavaScript dependencies")
+	yarnPath        = flag.String("yarnpath", "../../tool/yarn", "path yarn executable used to install JavaScript dependencies")
 	fastCompression = flag.Bool("fast-compression", false, "Use faster compression when building, to speed up build time. Meant to iterative/debugging use only.")
 	devControl      = flag.String("dev-control", "", "URL of a development control server to be used with dev. If provided without specifying dev, an error will be returned.")
 	rootDir         = flag.String("rootdir", "", "Root directory of repo. If not specified, will be inferred from the cwd.")
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -9,20 +9,17 @@ import (
 	"fmt"
 	"net/http"
 	"sync"
-	"sync/atomic"
 	"time"

 	"tailscale.com/health"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/sockstats"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/ptr"
 	"tailscale.com/types/structs"
 )

@@ -47,103 +44,14 @@ func (g *LoginGoal) sendLogoutError(err error) {

 var _ Client = (*Auto)(nil)

-// waitUnpause waits until the client is unpaused then returns. It only
-// returns an error if the client is closed.
-func (c *Auto) waitUnpause(routineLogName string) error {
-	c.mu.Lock()
-	if !c.paused {
-		c.mu.Unlock()
-		return nil
-	}
-	unpaused := c.unpausedChanLocked()
-	c.mu.Unlock()
-	c.logf("%s: awaiting unpause", routineLogName)
-	select {
-	case <-unpaused:
-		c.logf("%s: unpaused", routineLogName)
-		return nil
-	case <-c.quit:
-		return errors.New("quit")
-	}
-}
-
-// updateRoutine is responsible for informing the server of worthy changes to
-// our local state. It runs in its own goroutine.
-func (c *Auto) updateRoutine() {
-	defer close(c.updateDone)
-	bo := backoff.NewBackoff("updateRoutine", c.logf, 30*time.Second)
-
-	// lastUpdateGenInformed is the value of lastUpdateAt that we've successfully
-	// informed the server of.
-	var lastUpdateGenInformed updateGen
-
-	for {
-		if err := c.waitUnpause("updateRoutine"); err != nil {
-			c.logf("updateRoutine: exiting")
-			return
-		}
-		c.mu.Lock()
-		gen := c.lastUpdateGen
-		ctx := c.mapCtx
-		needUpdate := gen > 0 && gen != lastUpdateGenInformed && c.loggedIn
-		c.mu.Unlock()
-
-		if needUpdate {
-			select {
-			case <-c.quit:
-				c.logf("updateRoutine: exiting")
-				return
-			default:
-			}
-		} else {
-			// Nothing to do, wait for a signal.
-			select {
-			case <-c.quit:
-				c.logf("updateRoutine: exiting")
-				return
-			case <-c.updateCh:
-				continue
-			}
-		}
-
-		t0 := c.clock.Now()
-		err := c.direct.SendUpdate(ctx)
-		d := time.Since(t0).Round(time.Millisecond)
-		if err != nil {
-			if ctx.Err() == nil {
-				c.direct.logf("lite map update error after %v: %v", d, err)
-			}
-			bo.BackOff(ctx, err)
-			continue
-		}
-		bo.BackOff(ctx, nil)
-		c.direct.logf("[v1] successful lite map update in %v", d)
-
-		lastUpdateGenInformed = gen
-	}
-}
-
-// atomicGen is an atomic int64 generator. It is used to generate monotonically
-// increasing numbers for updateGen.
-var atomicGen atomic.Int64
-
-func nextUpdateGen() updateGen {
-	return updateGen(atomicGen.Add(1))
-}
-
-// updateGen is a monotonically increasing number that represents a particular
-// update to the local state.
-type updateGen int64
-
 // Auto connects to a tailcontrol server for a node.
 // It's a concrete implementation of the Client interface.
 type Auto struct {
 	direct     *Direct // our interface to the server APIs
-	clock      tstime.Clock
+	timeNow    func() time.Time
 	logf       logger.Logf
 	expiry     *time.Time
 	closed     bool
-	updateCh   chan struct{} // readable when we should inform the server of a change
 	newMapCh   chan struct{} // readable when we must restart a map request
 	statusFunc func(Status)  // called to update Client status; always non-nil

@@ -151,26 +59,25 @@ type Auto struct {

 	mu sync.Mutex // mutex guards the following fields

-	// lastUpdateGen is the gen of last update we had an update worth sending to
-	// the server.
-	lastUpdateGen updateGen
-
-	paused         bool // whether we should stop making HTTP requests
-	unpauseWaiters []chan struct{}
-	loggedIn       bool       // true if currently logged in
-	loginGoal      *LoginGoal // non-nil if some login activity is desired
-	synced         bool       // true if our netmap is up-to-date
-	inSendStatus   int        // number of sendStatus calls currently in progress
-	state          State
+	paused               bool // whether we should stop making HTTP requests
+	unpauseWaiters       []chan struct{}
+	loggedIn             bool               // true if currently logged in
+	loginGoal            *LoginGoal         // non-nil if some login activity is desired
+	synced               bool               // true if our netmap is up-to-date
+	inPollNetMap         bool               // true if currently running a PollNetMap
+	inLiteMapUpdate      bool               // true if a lite (non-streaming) map request is outstanding
+	liteMapUpdateCancel  context.CancelFunc // cancels a lite map update, may be nil
+	liteMapUpdateCancels int                // how many times we've canceled a lite map update
+	inSendStatus         int                // number of sendStatus calls currently in progress
+	state                State

 	authCtx    context.Context // context used for auth requests
-	mapCtx     context.Context // context used for netmap and update requests
-	authCancel func()          // cancel authCtx
-	mapCancel  func()          // cancel mapCtx
+	mapCtx     context.Context // context used for netmap requests
+	authCancel func()          // cancel the auth context
+	mapCancel  func()          // cancel the netmap context
 	quit       chan struct{}   // when closed, goroutines should all exit
-	authDone   chan struct{}   // when closed, authRoutine is done
-	mapDone    chan struct{}   // when closed, mapRoutine is done
-	updateDone chan struct{}   // when closed, updateRoutine is done
+	authDone   chan struct{}   // when closed, auth goroutine is done
+	mapDone    chan struct{}   // when closed, map goroutine is done
 }

 // New creates and starts a new Auto.
@@ -200,19 +107,17 @@ func NewNoStart(opts Options) (_ *Auto, err error) {
 	if opts.Logf == nil {
 		opts.Logf = func(fmt string, args ...any) {}
 	}
-	if opts.Clock == nil {
-		opts.Clock = tstime.StdClock{}
+	if opts.TimeNow == nil {
+		opts.TimeNow = time.Now
 	}
 	c := &Auto{
 		direct:     direct,
-		clock:      opts.Clock,
+		timeNow:    opts.TimeNow,
 		logf:       opts.Logf,
-		updateCh:   make(chan struct{}, 1),
 		newMapCh:   make(chan struct{}, 1),
 		quit:       make(chan struct{}),
 		authDone:   make(chan struct{}),
 		mapDone:    make(chan struct{}),
-		updateDone: make(chan struct{}),
 		statusFunc: opts.Status,
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
@@ -255,34 +160,85 @@ func (c *Auto) SetPaused(paused bool) {
 func (c *Auto) Start() {
 	go c.authRoutine()
 	go c.mapRoutine()
-	go c.updateRoutine()
 }

-// updateControl sends a new OmitPeers, non-streaming map request (to just send
-// Hostinfo/Netinfo/Endpoints info, while keeping an existing streaming response
-// open).
+// sendNewMapRequest either sends a new OmitPeers, non-streaming map request
+// (to just send Hostinfo/Netinfo/Endpoints info, while keeping an existing
+// streaming response open), or start a new streaming one if necessary.
 //
 // It should be called whenever there's something new to tell the server.
-func (c *Auto) updateControl() {
-	gen := nextUpdateGen()
+func (c *Auto) sendNewMapRequest() {
 	c.mu.Lock()
-	if gen < c.lastUpdateGen {
-		// This update is out of date.
+
+	// If we're not already streaming a netmap, then tear down everything
+	// and start a new stream (which starts by sending a new map request)
+	if !c.inPollNetMap || !c.loggedIn {
 		c.mu.Unlock()
+		c.cancelMapSafely()
 		return
 	}
-	c.lastUpdateGen = gen
-	c.mu.Unlock()

-	select {
-	case c.updateCh <- struct{}{}:
-	default:
+	// If we are already in process of doing a LiteMapUpdate, cancel it and
+	// try a new one. If this is the 10th time we have done this
+	// cancelation, tear down everything and start again.
+	const maxLiteMapUpdateAttempts = 10
+	if c.inLiteMapUpdate {
+		// Always cancel the in-flight lite map update, regardless of
+		// whether we cancel the streaming map request or not.
+		c.liteMapUpdateCancel()
+		c.inLiteMapUpdate = false
+
+		if c.liteMapUpdateCancels >= maxLiteMapUpdateAttempts {
+			// Not making progress
+			c.mu.Unlock()
+			c.cancelMapSafely()
+			return
+		}
+
+		// Increment our cancel counter and continue below to start a
+		// new lite update.
+		c.liteMapUpdateCancels++
 	}
+
+	// Otherwise, send a lite update that doesn't keep a
+	// long-running stream response.
+	defer c.mu.Unlock()
+	c.inLiteMapUpdate = true
+	ctx, cancel := context.WithTimeout(c.mapCtx, 10*time.Second)
+	c.liteMapUpdateCancel = cancel
+	go func() {
+		defer cancel()
+		t0 := time.Now()
+		err := c.direct.SendLiteMapUpdate(ctx)
+		d := time.Since(t0).Round(time.Millisecond)
+
+		c.mu.Lock()
+		c.inLiteMapUpdate = false
+		c.liteMapUpdateCancel = nil
+		if err == nil {
+			c.liteMapUpdateCancels = 0
+		}
+		c.mu.Unlock()
+
+		if err == nil {
+			c.logf("[v1] successful lite map update in %v", d)
+			return
+		}
+		if ctx.Err() == nil {
+			c.logf("lite map update after %v: %v", d, err)
+		}
+		if !errors.Is(ctx.Err(), context.Canceled) {
+			// Fall back to restarting the long-polling map
+			// request (the old heavy way) if the lite update
+			// failed for reasons other than the context being
+			// canceled.
+			c.cancelMapSafely()
+		}
+	}()
 }

 func (c *Auto) cancelAuth() {
 	c.mu.Lock()
-	defer c.mu.Unlock()
 	if c.authCancel != nil {
 		c.authCancel()
 	}
@@ -290,9 +246,9 @@ func (c *Auto) cancelAuth() {
 		c.authCtx, c.authCancel = context.WithCancel(context.Background())
 		c.authCtx = sockstats.WithSockStats(c.authCtx, sockstats.LabelControlClientAuto, c.logf)
 	}
+	c.mu.Unlock()
 }

-// cancelMapLocked is like cancelMap, but assumes the caller holds c.mu.
 func (c *Auto) cancelMapLocked() {
 	if c.mapCancel != nil {
 		c.mapCancel()
@@ -300,36 +256,56 @@ func (c *Auto) cancelMapLocked() {
 	if !c.closed {
 		c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
 		c.mapCtx = sockstats.WithSockStats(c.mapCtx, sockstats.LabelControlClientAuto, c.logf)
+
 	}
 }

-// cancelMap cancels the existing mapPoll and liteUpdates.
-func (c *Auto) cancelMap() {
+func (c *Auto) cancelMapUnsafely() {
+	c.mu.Lock()
+	c.cancelMapLocked()
+	c.mu.Unlock()
+}
+
+func (c *Auto) cancelMapSafely() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	c.cancelMapLocked()
-}

-// restartMap cancels the existing mapPoll and liteUpdates, and then starts a
-// new one.
-func (c *Auto) restartMap() {
-	c.mu.Lock()
-	c.cancelMapLocked()
-	synced := c.synced
-	c.mu.Unlock()
+	// Always reset our lite map cancels counter if we're canceling
+	// everything, since we're about to restart with a new map update; this
+	// allows future calls to sendNewMapRequest to retry sending lite
+	// updates.
+	c.liteMapUpdateCancels = 0

-	c.logf("[v1] restartMap: synced=%v", synced)
+	c.logf("[v1] cancelMapSafely: synced=%v", c.synced)

-	select {
-	case c.newMapCh <- struct{}{}:
-		c.logf("[v1] restartMap: wrote to channel")
-	default:
-		// if channel write failed, then there was already
-		// an outstanding newMapCh request. One is enough,
-		// since it'll always use the latest endpoints.
-		c.logf("[v1] restartMap: channel was full")
+	if c.inPollNetMap {
+		// received at least one netmap since the last
+		// interruption. That means the server has already
+		// fully processed our last request, which might
+		// include UpdateEndpoints(). Interrupt it and try
+		// again.
+		c.cancelMapLocked()
+	} else {
+		// !synced means we either haven't done a netmap
+		// request yet, or it hasn't answered yet. So the
+		// server is in an undefined state. If we send
+		// another netmap request too soon, it might race
+		// with the last one, and if we're very unlucky,
+		// the new request will be applied before the old one,
+		// and the wrong endpoints will get registered. We
+		// have to tell the client to abort politely, only
+		// after it receives a response to its existing netmap
+		// request.
+		select {
+		case c.newMapCh <- struct{}{}:
+			c.logf("[v1] cancelMapSafely: wrote to channel")
+		default:
+			// if channel write failed, then there was already
+			// an outstanding newMapCh request. One is enough,
+			// since it'll always use the latest endpoints.
+			c.logf("[v1] cancelMapSafely: channel was full")
+		}
 	}
-	c.updateControl()
 }

 func (c *Auto) authRoutine() {
@@ -450,7 +426,7 @@ func (c *Auto) authRoutine() {
 			c.mu.Unlock()

 			c.sendStatus("authRoutine-success", nil, "", nil)
-			c.restartMap()
+			c.cancelMapSafely()
 			bo.BackOff(ctx, nil)
 		}
 	}
@@ -480,50 +456,25 @@ func (c *Auto) unpausedChanLocked() <-chan struct{} {
 	return unpaused
 }

-// mapRoutineState is the state of Auto.mapRoutine while it's running.
-type mapRoutineState struct {
-	c  *Auto
-	bo *backoff.Backoff
-}
-
-func (mrs mapRoutineState) UpdateFullNetmap(nm *netmap.NetworkMap) {
-	c := mrs.c
-	health.SetInPollNetMap(true)
-
-	c.mu.Lock()
-	ctx := c.mapCtx
-	c.synced = true
-	if c.loggedIn {
-		c.state = StateSynchronized
-	}
-	c.expiry = ptr.To(nm.Expiry)
-	stillAuthed := c.loggedIn
-	c.logf("[v1] mapRoutine: netmap received: %s", c.state)
-	c.mu.Unlock()
-
-	if stillAuthed {
-		c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
-	}
-	// Reset the backoff timer if we got a netmap.
-	mrs.bo.BackOff(ctx, nil)
-}
-
-// mapRoutine is responsible for keeping a read-only streaming connection to the
-// control server, and keeping the netmap up to date.
 func (c *Auto) mapRoutine() {
 	defer close(c.mapDone)
-	mrs := &mapRoutineState{
-		c:  c,
-		bo: backoff.NewBackoff("mapRoutine", c.logf, 30*time.Second),
-	}
+	bo := backoff.NewBackoff("mapRoutine", c.logf, 30*time.Second)

 	for {
-		if err := c.waitUnpause("mapRoutine"); err != nil {
-			c.logf("mapRoutine: exiting")
-			return
-		}
-
 		c.mu.Lock()
+		if c.paused {
+			unpaused := c.unpausedChanLocked()
+			c.mu.Unlock()
+			c.logf("mapRoutine: awaiting unpause")
+			select {
+			case <-unpaused:
+				c.logf("mapRoutine: unpaused")
+			case <-c.quit:
+				c.logf("mapRoutine: quit")
+				return
+			}
+			continue
+		}
 		c.logf("[v1] mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
 		ctx := c.mapCtx
@@ -560,13 +511,54 @@ func (c *Auto) mapRoutine() {
 				c.logf("[v1] mapRoutine: new map needed while idle.")
 			}
 		} else {
+			// Be sure this is false when we're not inside
+			// PollNetMap, so that cancelMapSafely() can notify
+			// us correctly.
+			c.mu.Lock()
+			c.inPollNetMap = false
+			c.mu.Unlock()
 			health.SetInPollNetMap(false)

-			err := c.direct.PollNetMap(ctx, mrs)
+			err := c.direct.PollNetMap(ctx, func(nm *netmap.NetworkMap) {
+				health.SetInPollNetMap(true)
+				c.mu.Lock()
+
+				select {
+				case <-c.newMapCh:
+					c.logf("[v1] mapRoutine: new map request during PollNetMap. canceling.")
+					c.cancelMapLocked()
+
+					// Don't emit this netmap; we're
+					// about to request a fresh one.
+					c.mu.Unlock()
+					return
+				default:
+				}
+
+				c.synced = true
+				c.inPollNetMap = true
+				if c.loggedIn {
+					c.state = StateSynchronized
+				}
+				exp := nm.Expiry
+				c.expiry = &exp
+				stillAuthed := c.loggedIn
+				state := c.state
+
+				c.mu.Unlock()
+
+				c.logf("[v1] mapRoutine: netmap received: %s", state)
+				if stillAuthed {
+					c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
+				}
+				// Reset the backoff timer if we got a netmap.
+				bo.BackOff(ctx, nil)
+			})

 			health.SetInPollNetMap(false)
 			c.mu.Lock()
 			c.synced = false
+			c.inPollNetMap = false
 			if c.state == StateSynchronized {
 				c.state = StateAuthenticated
 			}
@@ -574,14 +566,16 @@ func (c *Auto) mapRoutine() {
 			c.mu.Unlock()

 			if paused {
-				mrs.bo.BackOff(ctx, nil)
 				c.logf("mapRoutine: paused")
 				continue
 			}

-			report(err, "PollNetMap")
-			mrs.bo.BackOff(ctx, err)
-			continue
+			if err != nil {
+				report(err, "PollNetMap")
+				bo.BackOff(ctx, err)
+				continue
+			}
+			bo.BackOff(ctx, nil)
 		}
 	}
 }
@@ -606,7 +600,7 @@ func (c *Auto) SetHostinfo(hi *tailcfg.Hostinfo) {
 	}

 	// Send new Hostinfo to server
-	c.updateControl()
+	c.sendNewMapRequest()
 }

 func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
@@ -618,17 +612,12 @@ func (c *Auto) SetNetInfo(ni *tailcfg.NetInfo) {
 	}

 	// Send new NetInfo to server
-	c.updateControl()
+	c.sendNewMapRequest()
 }

 // SetTKAHead updates the TKA head hash that map-request infrastructure sends.
 func (c *Auto) SetTKAHead(headHash string) {
-	if !c.direct.SetTKAHead(headHash) {
-		return
-	}
-
-	// Send new TKAHead to server
-	c.updateControl()
+	c.direct.SetTKAHead(headHash)
 }

 func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkMap) {
@@ -654,7 +643,8 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		logoutFin = new(empty.Message)
 	}
 	if nm != nil && loggedIn && synced {
-		p = ptr.To(c.direct.GetPersist())
+		pp := c.direct.GetPersist()
+		p = &pp
 	} else {
 		// don't send netmap status, as it's misleading when we're
 		// not logged in.
@@ -714,14 +704,14 @@ func (c *Auto) Logout(ctx context.Context) error {
 	c.mu.Unlock()
 	c.cancelAuth()

-	timer, timerChannel := c.clock.NewTimer(10 * time.Second)
+	timer := time.NewTimer(10 * time.Second)
 	defer timer.Stop()
 	select {
 	case err := <-errc:
 		return err
 	case <-ctx.Done():
 		return ctx.Err()
-	case <-timerChannel:
+	case <-timer.C:
 		return context.DeadlineExceeded
 	}
 }
@@ -737,7 +727,7 @@ func (c *Auto) SetExpirySooner(ctx context.Context, expiry time.Time) error {
 func (c *Auto) UpdateEndpoints(endpoints []tailcfg.Endpoint) {
 	changed := c.direct.SetEndpoints(endpoints)
 	if changed {
-		c.updateControl()
+		c.sendNewMapRequest()
 	}
 }

@@ -759,9 +749,8 @@ func (c *Auto) Shutdown() {
 		close(c.quit)
 		c.cancelAuth()
 		<-c.authDone
-		c.cancelMap()
+		c.cancelMapUnsafely()
 		<-c.mapDone
-		<-c.updateDone
 		if direct != nil {
 			direct.Close()
 		}
@@ -783,7 +772,7 @@ func (c *Auto) TestOnlySetAuthKey(authkey string) {
 }

 func (c *Auto) TestOnlyTimeNow() time.Time {
-	return c.clock.Now()
+	return c.timeNow()
 }

 // SetDNS sends the SetDNSRequest request to the control plane server,
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -45,13 +45,11 @@ import (
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
-	"tailscale.com/types/ptr"
 	"tailscale.com/types/tkatype"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
@@ -65,7 +63,7 @@ type Direct struct {
 	dialer                 *tsdial.Dialer
 	dnsCache               *dnscache.Resolver
 	serverURL              string // URL of the tailcontrol server
-	clock                  tstime.Clock
+	timeNow                func() time.Time
 	lastPrintMap           time.Time
 	newDecompressor        func() (Decompressor, error)
 	keepAlive              bool
@@ -107,8 +105,8 @@ type Options struct {
 	GetMachinePrivateKey func() (key.MachinePrivate, error) // returns the machine key to use
 	ServerURL            string                             // URL of the tailcontrol server
 	AuthKey              string                             // optional node auth key for auto registration
-	Clock                tstime.Clock
-	Hostinfo             *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	TimeNow              func() time.Time                   // time.Now implementation used by Client
+	Hostinfo             *tailcfg.Hostinfo                  // non-nil passes ownership, nil means to use default using os.Hostname, etc
 	DiscoPublicKey       key.DiscoPublic
 	NewDecompressor      func() (Decompressor, error)
 	KeepAlive            bool
@@ -180,16 +178,6 @@ type Decompressor interface {
 	Close()
 }

-// NetmapUpdater is the interface needed by the controlclient to enact change in
-// the world as a function of updates received from the network.
-type NetmapUpdater interface {
-	UpdateFullNetmap(*netmap.NetworkMap)
-
-	// TODO(bradfitz): add methods to do fine-grained updates, mutating just
-	// parts of peers, without implementations of NetmapUpdater needing to do
-	// the diff themselves between the previous full & next full network maps.
-}
-
 // NewDirect returns a new Direct client.
 func NewDirect(opts Options) (*Direct, error) {
 	if opts.ServerURL == "" {
@@ -203,8 +191,8 @@ func NewDirect(opts Options) (*Direct, error) {
 	if err != nil {
 		return nil, err
 	}
-	if opts.Clock == nil {
-		opts.Clock = tstime.StdClock{}
+	if opts.TimeNow == nil {
+		opts.TimeNow = time.Now
 	}
 	if opts.Logf == nil {
 		// TODO(apenwarr): remove this default and fail instead.
@@ -247,7 +235,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		httpc:                  httpc,
 		getMachinePrivKey:      opts.GetMachinePrivateKey,
 		serverURL:              opts.ServerURL,
-		clock:                  opts.Clock,
+		timeNow:                opts.TimeNow,
 		logf:                   opts.Logf,
 		newDecompressor:        opts.NewDecompressor,
 		keepAlive:              opts.KeepAlive,
@@ -270,8 +258,10 @@ func NewDirect(opts Options) (*Direct, error) {
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
 	} else {
+		ni := opts.Hostinfo.NetInfo
+		opts.Hostinfo.NetInfo = nil
 		c.SetHostinfo(opts.Hostinfo)
-		if ni := opts.Hostinfo.NetInfo; ni != nil {
+		if ni != nil {
 			c.SetNetInfo(ni)
 		}
 	}
@@ -303,8 +293,6 @@ func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
 	if hi == nil {
 		panic("nil Hostinfo")
 	}
-	hi = ptr.To(*hi)
-	hi.NetInfo = nil
 	c.mu.Lock()
 	defer c.mu.Unlock()

@@ -444,7 +432,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	authKey, isWrapped, wrappedSig, wrappedKey := decodeWrappedAuthkey(c.authKey, c.logf)
 	hi := c.hostInfoLocked()
 	backendLogID := hi.BackendLogID
-	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.clock.Now())
+	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()

 	machinePrivKey, err := c.getMachinePrivKey()
@@ -549,7 +537,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		err = errors.New("hostinfo: BackendLogID missing")
 		return regen, opt.URL, nil, err
 	}
-	now := c.clock.Now().Round(time.Second)
+	now := time.Now().Round(time.Second)
 	request := tailcfg.RegisterRequest{
 		Version:          1,
 		OldNodeKey:       oldNodeKey,
@@ -571,7 +559,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		request.NodeKey.ShortString(), opt.URL != "", len(nodeKeySignature) > 0)
 	request.Auth.Oauth2Token = opt.Token
 	request.Auth.Provider = persist.Provider
-	request.Auth.LoginName = persist.UserProfile.LoginName
+	request.Auth.LoginName = persist.LoginName
 	request.Auth.AuthKey = authKey
 	err = signRegisterRequest(&request, c.serverURL, c.serverKey, machinePrivKey.Public())
 	if err != nil {
@@ -657,6 +645,9 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 	if resp.Login.Provider != "" {
 		persist.Provider = resp.Login.Provider
 	}
+	if resp.Login.LoginName != "" {
+		persist.LoginName = resp.Login.LoginName
+	}
 	persist.UserProfile = tailcfg.UserProfile{
 		ID:            resp.User.ID,
 		DisplayName:   resp.Login.DisplayName,
@@ -777,38 +768,31 @@ func (c *Direct) SetEndpoints(endpoints []tailcfg.Endpoint) (changed bool) {
 	return c.newEndpoints(endpoints)
 }

-// PollNetMap makes a /map request to download the network map, calling
-// NetmapUpdater on each update from the control plane.
-//
-// It always returns a non-nil error describing the reason for the failure or
-// why the request ended.
-func (c *Direct) PollNetMap(ctx context.Context, nu NetmapUpdater) error {
-	return c.sendMapRequest(ctx, true, nu)
+// PollNetMap makes a /map request to download the network map, calling cb with
+// each new netmap.
+// It always returns a non-nil error describing the reason for the failure
+// or why the request ended.
+func (c *Direct) PollNetMap(ctx context.Context, cb func(*netmap.NetworkMap)) error {
+	return c.sendMapRequest(ctx, -1, false, cb)
 }

-type rememberLastNetmapUpdater struct {
-	last *netmap.NetworkMap
-}
-
-func (nu *rememberLastNetmapUpdater) UpdateFullNetmap(nm *netmap.NetworkMap) {
-	nu.last = nm
-}
-
-// FetchNetMapForTest fetches the netmap once.
-func (c *Direct) FetchNetMapForTest(ctx context.Context) (*netmap.NetworkMap, error) {
-	var nu rememberLastNetmapUpdater
-	err := c.sendMapRequest(ctx, false, &nu)
-	if err == nil && nu.last == nil {
+// FetchNetMap fetches the netmap once.
+func (c *Direct) FetchNetMap(ctx context.Context) (*netmap.NetworkMap, error) {
+	var ret *netmap.NetworkMap
+	err := c.sendMapRequest(ctx, 1, false, func(nm *netmap.NetworkMap) {
+		ret = nm
+	})
+	if err == nil && ret == nil {
 		return nil, errors.New("[unexpected] sendMapRequest success without callback")
 	}
-	return nu.last, err
+	return ret, err
 }

-// SendUpdate makes a /map request to update the server of our latest state, but
-// does not fetch anything. It returns an error if the server did not return a
+// SendLiteMapUpdate makes a /map request to update the server of our latest state,
+// but does not fetch anything. It returns an error if the server did not return a
 // successful 200 OK response.
-func (c *Direct) SendUpdate(ctx context.Context) error {
-	return c.sendMapRequest(ctx, false, nil)
+func (c *Direct) SendLiteMapUpdate(ctx context.Context) error {
+	return c.sendMapRequest(ctx, 1, false, nil)
 }

 // If we go more than pollTimeout without hearing from the server,
@@ -816,21 +800,17 @@ func (c *Direct) SendUpdate(ctx context.Context) error {
 // every minute.
 const pollTimeout = 120 * time.Second

-// sendMapRequest makes a /map request to download the network map, calling cb
-// with each new netmap. If isStreaming, it will poll forever and only returns
-// if the context expires or the server returns an error/closes the connection
-// and as such always returns a non-nil error.
+// sendMapRequest makes a /map request to download the network map, calling cb with
+// each new netmap. If maxPolls is -1, it will poll forever and only returns if
+// the context expires or the server returns an error/closes the connection and as
+// such always returns a non-nil error.
 //
 // If cb is nil, OmitPeers will be set to true.
-func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu NetmapUpdater) error {
-	if isStreaming && nu == nil {
-		panic("cb must be non-nil if isStreaming is true")
-	}
-
+func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool, cb func(*netmap.NetworkMap)) error {
 	metricMapRequests.Add(1)
 	metricMapRequestsActive.Add(1)
 	defer metricMapRequestsActive.Add(-1)
-	if isStreaming {
+	if maxPolls == -1 {
 		metricMapRequestsPoll.Add(1)
 	} else {
 		metricMapRequestsLite.Add(1)
@@ -866,7 +846,8 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 		return errors.New("hostinfo: BackendLogID missing")
 	}

-	c.logf("[v1] PollNetMap: stream=%v ep=%v", isStreaming, epStrs)
+	allowStream := maxPolls != 1
+	c.logf("[v1] PollNetMap: stream=%v ep=%v", allowStream, epStrs)

 	vlogf := logger.Discard
 	if DevKnob.DumpNetMaps() {
@@ -882,11 +863,23 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 		DiscoKey:      c.discoPubKey,
 		Endpoints:     epStrs,
 		EndpointTypes: epTypes,
-		Stream:        isStreaming,
+		Stream:        allowStream,
 		Hostinfo:      hi,
 		DebugFlags:    c.debugFlags,
-		OmitPeers:     nu == nil,
+		OmitPeers:     cb == nil,
 		TKAHead:       c.tkaHead,
+
+		// Previously we'd set ReadOnly to true if we didn't have any endpoints
+		// yet as we expected to learn them in a half second and restart the full
+		// streaming map poll, however as we are trying to reduce the number of
+		// times we restart the full streaming map poll we now just set ReadOnly
+		// false when we're doing a full streaming map poll.
+		//
+		// TODO(maisem/bradfitz): really ReadOnly should be set to true if for
+		// all streams and we should only do writes via lite map updates.
+		// However that requires an audit and a bunch of testing to make sure we
+		// don't break anything.
+		ReadOnly: readOnly && !allowStream,
 	}
 	var extraDebugFlags []string
 	if hi != nil && c.netMon != nil && !c.skipIPForwardingCheck &&
@@ -918,7 +911,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 	defer cancel()

 	machinePubKey := machinePrivKey.Public()
-	t0 := c.clock.Now()
+	t0 := time.Now()

 	// Url and httpc are protocol specific.
 	var url string
@@ -956,12 +949,12 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 	health.NoteMapRequestHeard(request)

-	if nu == nil {
+	if cb == nil {
 		io.Copy(io.Discard, res.Body)
 		return nil
 	}

-	timeout, timeoutChannel := c.clock.NewTimer(pollTimeout)
+	timeout := time.NewTimer(pollTimeout)
 	timeoutReset := make(chan struct{})
 	pollDone := make(chan struct{})
 	defer close(pollDone)
@@ -971,14 +964,14 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 			case <-pollDone:
 				vlogf("netmap: ending timeout goroutine")
 				return
-			case <-timeoutChannel:
+			case <-timeout.C:
 				c.logf("map response long-poll timed out!")
 				cancel()
 				return
 			case <-timeoutReset:
 				if !timeout.Stop() {
 					select {
-					case <-timeoutChannel:
+					case <-timeout.C:
 					case <-pollDone:
 						vlogf("netmap: ending timeout goroutine")
 						return
@@ -1003,7 +996,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 	// the same format before just closing the connection.
 	// We can use this same read loop either way.
 	var msg []byte
-	for i := 0; i == 0 || isStreaming; i++ {
+	for i := 0; i < maxPolls || maxPolls < 0; i++ {
 		vlogf("netmap: starting size read after %v (poll %v)", time.Since(t0).Round(time.Millisecond), i)
 		var siz [4]byte
 		if _, err := io.ReadFull(res.Body, siz[:]); err != nil {
@@ -1027,7 +1020,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 		metricMapResponseMessages.Add(1)

-		if isStreaming {
+		if allowStream {
 			health.GotStreamedMapResponse()
 		}

@@ -1103,23 +1096,13 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 				go dumpGoroutinesToURL(c.httpc, resp.Debug.GoroutineDumpURL)
 			}
 			if sleep := time.Duration(resp.Debug.SleepSeconds * float64(time.Second)); sleep > 0 {
-				if err := sleepAsRequested(ctx, c.logf, timeoutReset, sleep, c.clock); err != nil {
+				if err := sleepAsRequested(ctx, c.logf, timeoutReset, sleep); err != nil {
 					return err
 				}
 			}
 		}

 		nm := sess.netmapForResponse(&resp)
-
-		// Occasionally print the netmap header.
-		// This is handy for debugging, and our logs processing
-		// pipeline depends on it. (TODO: Remove this dependency.)
-		// Code elsewhere prints netmap diffs every time they are received.
-		now := c.clock.Now()
-		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
-			c.lastPrintMap = now
-			c.logf("[v1] new network map[%d]:\n%s", i, nm.VeryConcise())
-		}
 		if nm.SelfNode == nil {
 			c.logf("MapResponse lacked node")
 			return errors.New("MapResponse lacked node")
@@ -1139,21 +1122,21 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap
 			nm.SelfNode.Capabilities = nil
 		}

-		newPersist := persist.AsStruct()
-		newPersist.NodeID = nm.SelfNode.StableID
-		newPersist.UserProfile = nm.UserProfiles[nm.User]
+		// Occasionally print the netmap header.
+		// This is handy for debugging, and our logs processing
+		// pipeline depends on it. (TODO: Remove this dependency.)
+		// Code elsewhere prints netmap diffs every time they are received.
+		now := c.timeNow()
+		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
+			c.lastPrintMap = now
+			c.logf("[v1] new network map[%d]:\n%s", i, nm.VeryConcise())
+		}

 		c.mu.Lock()
-		// If we are the ones who last updated persist, then we can update it
-		// again. Otherwise, we should not touch it.
-		if persist == c.persist {
-			c.persist = newPersist.View()
-			persist = c.persist
-		}
 		c.expiry = &nm.Expiry
 		c.mu.Unlock()

-		nu.UpdateFullNetmap(nm)
+		cb(nm)
 	}
 	if ctx.Err() != nil {
 		return ctx.Err()
@@ -1321,7 +1304,7 @@ func initDevKnob() devKnobs {
 	}
 }

-var clock tstime.Clock = tstime.StdClock{}
+var clockNow = time.Now

 // opt.Bool configs from control.
 var (
@@ -1425,9 +1408,9 @@ func answerHeadPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest) {
 	if pr.Log {
 		logf("answerHeadPing: sending HEAD ping to %v ...", pr.URL)
 	}
-	t0 := clock.Now()
+	t0 := time.Now()
 	_, err = c.Do(req)
-	d := clock.Since(t0).Round(time.Millisecond)
+	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
 		logf("answerHeadPing error: %v to %v (after %v)", err, pr.URL, d)
 	} else if pr.Log {
@@ -1473,7 +1456,7 @@ func answerC2NPing(logf logger.Logf, c2nHandler http.Handler, c *http.Client, pr
 	if pr.Log {
 		logf("answerC2NPing: sending POST ping to %v ...", pr.URL)
 	}
-	t0 := clock.Now()
+	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
@@ -1483,7 +1466,7 @@ func answerC2NPing(logf logger.Logf, c2nHandler http.Handler, c *http.Client, pr
 	}
 }

-func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<- struct{}, d time.Duration, clock tstime.Clock) error {
+func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<- struct{}, d time.Duration) error {
 	const maxSleep = 5 * time.Minute
 	if d > maxSleep {
 		logf("sleeping for %v, capped from server-requested %v ...", maxSleep, d)
@@ -1492,20 +1475,20 @@ func sleepAsRequested(ctx context.Context, logf logger.Logf, timeoutReset chan<-
 		logf("sleeping for server-requested %v ...", d)
 	}

-	ticker, tickerChannel := clock.NewTicker(pollTimeout / 2)
+	ticker := time.NewTicker(pollTimeout / 2)
 	defer ticker.Stop()
-	timer, timerChannel := clock.NewTimer(d)
+	timer := time.NewTimer(d)
 	defer timer.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
-		case <-timerChannel:
+		case <-timer.C:
 			return nil
-		case <-tickerChannel:
+		case <-ticker.C:
 			select {
 			case timeoutReset <- struct{}{}:
-			case <-timerChannel:
+			case <-timer.C:
 				return nil
 			case <-ctx.Done():
 				return ctx.Err()
@@ -1682,7 +1665,7 @@ func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pin
 		logf("invalid ping request: missing url, ip or pinger")
 		return
 	}
-	start := clock.Now()
+	start := time.Now()

 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
@@ -1720,7 +1703,7 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 	if pr.Log {
 		logf("postPingResult: sending ping results to %v ...", pr.URL)
 	}
-	t0 := clock.Now()
+	t0 := time.Now()
 	_, err = c.Do(req)
 	d := time.Since(t0).Round(time.Millisecond)
 	if err != nil {
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -42,10 +42,7 @@ func TestNewDirect(t *testing.T) {
 		t.Errorf("c.serverURL got %v want %v", c.serverURL, opts.ServerURL)
 	}

-	// hi is stored without its NetInfo field.
-	hiWithoutNi := *hi
-	hiWithoutNi.NetInfo = nil
-	if !hiWithoutNi.Equal(c.hostinfo) {
+	if !hi.Equal(c.hostinfo) {
 		t.Errorf("c.hostinfo got %v want %v", c.hostinfo, hi)
 	}

--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -307,7 +307,7 @@ func undeltaPeers(mapRes *tailcfg.MapResponse, prev []*tailcfg.Node) {
 		for _, n := range newFull {
 			peerByID[n.ID] = n
 		}
-		now := clock.Now()
+		now := clockNow()
 		for nodeID, seen := range mapRes.PeerSeenChange {
 			if n, ok := peerByID[nodeID]; ok {
 				if seen {
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -14,7 +14,6 @@ import (
 	"go4.org/mem"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tstest"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
@@ -24,6 +23,9 @@ import (

 func TestUndeltaPeers(t *testing.T) {
 	var curTime time.Time
+	tstest.Replace(t, &clockNow, func() time.Time {
+		return curTime
+	})

 	online := func(v bool) func(*tailcfg.Node) {
 		return func(n *tailcfg.Node) {
@@ -296,7 +298,6 @@ func TestUndeltaPeers(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			if !tt.curTime.IsZero() {
 				curTime = tt.curTime
-				tstest.Replace(t, &clock, tstime.Clock(tstest.NewClock(tstest.ClockOpts{Start: curTime})))
 			}
 			undeltaPeers(tt.mapRes, tt.prev)
 			if !reflect.DeepEqual(tt.mapRes.Peers, tt.want) {
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -23,7 +23,6 @@ import (
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/mak"
@@ -451,7 +450,6 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 		DialPlan:        dialPlan,
 		Logf:            nc.logf,
 		NetMon:          nc.netMon,
-		Clock:           tstime.StdClock{},
 	}).Dial(ctx)
 	if err != nil {
 		return nil, err
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -127,7 +127,7 @@ func findIdentity(subject string, st certstore.Store) (certstore.Identity, []*x5
 		return nil, nil, err
 	}

-	selected, chain := selectIdentityFromSlice(subject, ids, clock.Now())
+	selected, chain := selectIdentityFromSlice(subject, ids, time.Now())

 	for _, id := range ids {
 		if id != selected {
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -45,7 +45,6 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/util/multierr"
 )

@@ -148,16 +147,13 @@ func (a *Dialer) dial(ctx context.Context) (*ClientConn, error) {
 			// before we do anything.
 			if c.DialStartDelaySec > 0 {
 				a.logf("[v2] controlhttp: waiting %.2f seconds before dialing %q @ %v", c.DialStartDelaySec, a.Hostname, c.IP)
-				if a.Clock == nil {
-					a.Clock = tstime.StdClock{}
-				}
-				tmr, tmrChannel := a.Clock.NewTimer(time.Duration(c.DialStartDelaySec * float64(time.Second)))
+				tmr := time.NewTimer(time.Duration(c.DialStartDelaySec * float64(time.Second)))
 				defer tmr.Stop()
 				select {
 				case <-ctx.Done():
 					err = ctx.Err()
 					return
-				case <-tmrChannel:
+				case <-tmr.C:
 				}
 			}

@@ -323,10 +319,7 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*ClientConn, er

 	// In case outbound port 80 blocked or MITM'ed poorly, start a backup timer
 	// to dial port 443 if port 80 doesn't either succeed or fail quickly.
-	if a.Clock == nil {
-		a.Clock = tstime.StdClock{}
-	}
-	try443Timer := a.Clock.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
+	try443Timer := time.AfterFunc(a.httpsFallbackDelay(), func() { try(u443) })
 	defer try443Timer.Stop()

 	var err80, err443 error
--- a/control/controlhttp/constants.go
+++ b/control/controlhttp/constants.go
@@ -11,7 +11,6 @@ import (
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netmon"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -90,10 +89,6 @@ type Dialer struct {
 	drainFinished        chan struct{}
 	omitCertErrorLogging bool
 	testFallbackDelay    time.Duration
-
-	// tstime.Clock is used instead of time package for methods such as time.Now.
-	// If not specified, will default to tstime.StdClock{}.
-	Clock tstime.Clock
 }

 func strDef(v1, v2 string) string {
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -25,8 +25,6 @@ import (
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -173,12 +171,8 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 	}

 	var httpHandler http.Handler = handler
-	const fallbackDelay = 50 * time.Millisecond
-	clock := tstest.NewClock(tstest.ClockOpts{Step: 2 * fallbackDelay})
-	// Advance once to init the clock.
-	clock.Now()
 	if param.makeHTTPHangAfterUpgrade {
-		httpHandler = brokenMITMHandler(clock)
+		httpHandler = http.HandlerFunc(brokenMITMHandler)
 	}
 	httpServer := &http.Server{Handler: httpHandler}
 	go httpServer.Serve(httpLn)
@@ -209,8 +203,7 @@ func testControlHTTP(t *testing.T, param httpTestParam) {
 		Dialer:               new(tsdial.Dialer).SystemDial,
 		Logf:                 t.Logf,
 		omitCertErrorLogging: true,
-		testFallbackDelay:    fallbackDelay,
-		Clock:                clock,
+		testFallbackDelay:    50 * time.Millisecond,
 	}

 	if proxy != nil {
@@ -476,16 +469,12 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 	}
 }

-func brokenMITMHandler(clock tstime.Clock) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Upgrade", upgradeHeaderValue)
-		w.Header().Set("Connection", "upgrade")
-		w.WriteHeader(http.StatusSwitchingProtocols)
-		w.(http.Flusher).Flush()
-		// Advance the clock to trigger HTTPs fallback.
-		clock.Now()
-		<-r.Context().Done()
-	}
+func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Upgrade", upgradeHeaderValue)
+	w.Header().Set("Connection", "upgrade")
+	w.WriteHeader(http.StatusSwitchingProtocols)
+	w.(http.Flusher).Flush()
+	<-r.Context().Done()
 }

 func TestDialPlan(t *testing.T) {
@@ -630,15 +619,12 @@ func TestDialPlan(t *testing.T) {
 	}
 	for _, tt := range testCases {
 		t.Run(tt.name, func(t *testing.T) {
-			// TODO(awly): replace this with tstest.NewClock and update the
-			// test to advance the clock correctly.
-			clock := tstime.StdClock{}
 			makeHandler(t, "fallback", fallbackAddr, nil)
 			makeHandler(t, "good", goodAddr, nil)
 			makeHandler(t, "other", otherAddr, nil)
 			makeHandler(t, "other2", other2Addr, nil)
 			makeHandler(t, "broken", brokenAddr, func(h http.Handler) http.Handler {
-				return brokenMITMHandler(clock)
+				return http.HandlerFunc(brokenMITMHandler)
 			})

 			dialer := closeTrackDialer{
@@ -674,7 +660,6 @@ func TestDialPlan(t *testing.T) {
 				drainFinished:        drained,
 				omitCertErrorLogging: true,
 				testFallbackDelay:    50 * time.Millisecond,
-				Clock:                clock,
 			}

 			conn, err := a.dial(ctx)
--- a/derp/derp.go
+++ b/derp/derp.go
@@ -85,7 +85,7 @@ const (

 	// framePeerPresent is like framePeerGone, but for other
 	// members of the DERP region when they're meshed up together.
-	framePeerPresent = frameType(0x09) // 32B pub key of peer that's connected + optional 18B ip:port (16 byte IP + 2 byte BE uint16 port)
+	framePeerPresent = frameType(0x09) // 32B pub key of peer that's connected

 	// frameWatchConns is how one DERP node in a regional mesh
 	// subscribes to the others in the region.
@@ -199,7 +199,7 @@ func readFrame(br *bufio.Reader, maxSize uint32, b []byte) (t frameType, frameLe
 		return 0, 0, fmt.Errorf("frame header size %d exceeds reader limit of %d", frameLen, maxSize)
 	}

-	n, err := io.ReadFull(br, b[:min(frameLen, uint32(len(b)))])
+	n, err := io.ReadFull(br, b[:minUint32(frameLen, uint32(len(b)))])
 	if err != nil {
 		return 0, 0, err
 	}
@@ -233,3 +233,10 @@ func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
 	}
 	return bw.Flush()
 }
+
+func minUint32(a, b uint32) uint32 {
+	if a < b {
+		return a
+	}
+	return b
+}
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -363,12 +363,7 @@ func (PeerGoneMessage) msg() {}

 // PeerPresentMessage is a ReceivedMessage that indicates that the client
 // is connected to the server. (Only used by trusted mesh clients)
-type PeerPresentMessage struct {
-	// Key is the public key of the client.
-	Key key.NodePublic
-	// IPPort is the remote IP and port of the client.
-	IPPort netip.AddrPort
-}
+type PeerPresentMessage key.NodePublic

 func (PeerPresentMessage) msg() {}

@@ -551,15 +546,8 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 				c.logf("[unexpected] dropping short peerPresent frame from DERP server")
 				continue
 			}
-			var msg PeerPresentMessage
-			msg.Key = key.NodePublicFromRaw32(mem.B(b[:keyLen]))
-			if n >= keyLen+16+2 {
-				msg.IPPort = netip.AddrPortFrom(
-					netip.AddrFrom16([16]byte(b[keyLen:keyLen+16])).Unmap(),
-					binary.BigEndian.Uint16(b[keyLen+16:keyLen+16+2]),
-				)
-			}
-			return msg, nil
+			pg := PeerPresentMessage(key.NodePublicFromRaw32(mem.B(b[:keyLen])))
+			return pg, nil

 		case frameRecvPacket:
 			var rp ReceivedPacket
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -12,7 +12,6 @@ import (
 	crand "crypto/rand"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"expvar"
@@ -44,7 +43,6 @@ import (
 	"tailscale.com/tstime/rate"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/set"
 	"tailscale.com/version"
 )

@@ -152,7 +150,7 @@ type Server struct {
 	closed   bool
 	netConns map[Conn]chan struct{} // chan is closed when conn closes
 	clients  map[key.NodePublic]clientSet
-	watchers set.Set[*sclient] // mesh peers
+	watchers map[*sclient]bool // mesh peer -> true
 	// clientsMesh tracks all clients in the cluster, both locally
 	// and to mesh peers.  If the value is nil, that means the
 	// peer is only local (and thus in the clients Map, but not
@@ -221,7 +219,8 @@ func (s singleClient) ForeachClient(f func(*sclient)) { f(s.c) }
 // All fields are guarded by Server.mu.
 type dupClientSet struct {
 	// set is the set of connected clients for sclient.key.
-	set set.Set[*sclient]
+	// The values are all true.
+	set map[*sclient]bool

 	// last is the most recent addition to set, or nil if the most
 	// recent one has since disconnected and nobody else has send
@@ -262,7 +261,7 @@ func (s *dupClientSet) removeClient(c *sclient) bool {

 	trim := s.sendHistory[:0]
 	for _, v := range s.sendHistory {
-		if s.set.Contains(v) && (len(trim) == 0 || trim[len(trim)-1] != v) {
+		if s.set[v] && (len(trim) == 0 || trim[len(trim)-1] != v) {
 			trim = append(trim, v)
 		}
 	}
@@ -317,7 +316,7 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 		clientsMesh:          map[key.NodePublic]PacketForwarder{},
 		netConns:             map[Conn]chan struct{}{},
 		memSys0:              ms.Sys,
-		watchers:             set.Set[*sclient]{},
+		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.NodePublic]map[key.NodePublic]int64{},
 		avgQueueDuration:     new(uint64),
 		tcpRtt:               metrics.LabelMap{Label: "le"},
@@ -499,8 +498,8 @@ func (s *Server) registerClient(c *sclient) {
 	s.mu.Lock()
 	defer s.mu.Unlock()

-	curSet := s.clients[c.key]
-	switch curSet := curSet.(type) {
+	set := s.clients[c.key]
+	switch set := set.(type) {
 	case nil:
 		s.clients[c.key] = singleClient{c}
 		c.debugLogf("register single client")
@@ -508,14 +507,14 @@ func (s *Server) registerClient(c *sclient) {
 		s.dupClientKeys.Add(1)
 		s.dupClientConns.Add(2) // both old and new count
 		s.dupClientConnTotal.Add(1)
-		old := curSet.ActiveClient()
+		old := set.ActiveClient()
 		old.isDup.Store(true)
 		c.isDup.Store(true)
 		s.clients[c.key] = &dupClientSet{
 			last: c,
-			set: set.Set[*sclient]{
-				old: struct{}{},
-				c:   struct{}{},
+			set: map[*sclient]bool{
+				old: true,
+				c:   true,
 			},
 			sendHistory: []*sclient{old},
 		}
@@ -524,9 +523,9 @@ func (s *Server) registerClient(c *sclient) {
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
 		c.isDup.Store(true)
-		curSet.set.Add(c)
-		curSet.last = c
-		curSet.sendHistory = append(curSet.sendHistory, c)
+		set.set[c] = true
+		set.last = c
+		set.sendHistory = append(set.sendHistory, c)
 		c.debugLogf("register another duplicate client")
 	}

@@ -535,7 +534,7 @@ func (s *Server) registerClient(c *sclient) {
 	}
 	s.keyOfAddr[c.remoteIPPort] = c.key
 	s.curClients.Add(1)
-	s.broadcastPeerStateChangeLocked(c.key, c.remoteIPPort, true)
+	s.broadcastPeerStateChangeLocked(c.key, true)
 }

 // broadcastPeerStateChangeLocked enqueues a message to all watchers
@@ -543,13 +542,9 @@ func (s *Server) registerClient(c *sclient) {
 // presence changed.
 //
 // s.mu must be held.
-func (s *Server) broadcastPeerStateChangeLocked(peer key.NodePublic, ipPort netip.AddrPort, present bool) {
+func (s *Server) broadcastPeerStateChangeLocked(peer key.NodePublic, present bool) {
 	for w := range s.watchers {
-		w.peerStateChange = append(w.peerStateChange, peerConnState{
-			peer:    peer,
-			present: present,
-			ipPort:  ipPort,
-		})
+		w.peerStateChange = append(w.peerStateChange, peerConnState{peer: peer, present: present})
 		go w.requestMeshUpdate()
 	}
 }
@@ -570,7 +565,7 @@ func (s *Server) unregisterClient(c *sclient) {
 			delete(s.clientsMesh, c.key)
 			s.notePeerGoneFromRegionLocked(c.key)
 		}
-		s.broadcastPeerStateChangeLocked(c.key, netip.AddrPort{}, false)
+		s.broadcastPeerStateChangeLocked(c.key, false)
 	case *dupClientSet:
 		c.debugLogf("removed duplicate client")
 		if set.removeClient(c) {
@@ -660,21 +655,13 @@ func (s *Server) addWatcher(c *sclient) {
 	defer s.mu.Unlock()

 	// Queue messages for each already-connected client.
-	for peer, clientSet := range s.clients {
-		ac := clientSet.ActiveClient()
-		if ac == nil {
-			continue
-		}
-		c.peerStateChange = append(c.peerStateChange, peerConnState{
-			peer:    peer,
-			present: true,
-			ipPort:  ac.remoteIPPort,
-		})
+	for peer := range s.clients {
+		c.peerStateChange = append(c.peerStateChange, peerConnState{peer: peer, present: true})
 	}

 	// And enroll the watcher in future updates (of both
 	// connections & disconnections).
-	s.watchers.Add(c)
+	s.watchers[c] = true

 	go c.requestMeshUpdate()
 }
@@ -1362,7 +1349,6 @@ type sclient struct {
 type peerConnState struct {
 	peer    key.NodePublic
 	present bool
-	ipPort  netip.AddrPort // if present, the peer's IP:port
 }

 // pkt is a request to write a data frame to an sclient.
@@ -1556,18 +1542,12 @@ func (c *sclient) sendPeerGone(peer key.NodePublic, reason PeerGoneReasonType) e
 }

 // sendPeerPresent sends a peerPresent frame, without flushing.
-func (c *sclient) sendPeerPresent(peer key.NodePublic, ipPort netip.AddrPort) error {
+func (c *sclient) sendPeerPresent(peer key.NodePublic) error {
 	c.setWriteDeadline()
-	const frameLen = keyLen + 16 + 2
-	if err := writeFrameHeader(c.bw.bw(), framePeerPresent, frameLen); err != nil {
+	if err := writeFrameHeader(c.bw.bw(), framePeerPresent, keyLen); err != nil {
 		return err
 	}
-	payload := make([]byte, frameLen)
-	_ = peer.AppendTo(payload[:0])
-	a16 := ipPort.Addr().As16()
-	copy(payload[keyLen:], a16[:])
-	binary.BigEndian.PutUint16(payload[keyLen+16:], ipPort.Port())
-	_, err := c.bw.Write(payload)
+	_, err := c.bw.Write(peer.AppendTo(nil))
 	return err
 }

@@ -1586,7 +1566,7 @@ func (c *sclient) sendMeshUpdates() error {
 		}
 		var err error
 		if pcs.present {
-			err = c.sendPeerPresent(pcs.peer, pcs.ipPort)
+			err = c.sendPeerPresent(pcs.peer)
 		} else {
 			err = c.sendPeerGone(pcs.peer, PeerGoneReasonDisconnected)
 		}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -92,7 +92,7 @@ func TestSendRecv(t *testing.T) {
 		defer cancel()

 		brwServer := bufio.NewReadWriter(bufio.NewReader(cin), bufio.NewWriter(cin))
-		go s.Accept(ctx, cin, brwServer, fmt.Sprintf("[abc::def]:%v", i))
+		go s.Accept(ctx, cin, brwServer, fmt.Sprintf("test-client-%d", i))

 		key := clientPrivateKeys[i]
 		brw := bufio.NewReadWriter(bufio.NewReader(cout), bufio.NewWriter(cout))
@@ -528,7 +528,7 @@ func newTestServer(t *testing.T, ctx context.Context) *testServer {
 			// TODO: register c in ts so Close also closes it?
 			go func(i int) {
 				brwServer := bufio.NewReadWriter(bufio.NewReader(c), bufio.NewWriter(c))
-				go s.Accept(ctx, c, brwServer, c.RemoteAddr().String())
+				go s.Accept(ctx, c, brwServer, fmt.Sprintf("test-client-%d", i))
 			}(i)
 		}
 	}()
@@ -615,7 +615,7 @@ func (tc *testClient) wantPresent(t *testing.T, peers ...key.NodePublic) {
 		}
 		switch m := m.(type) {
 		case PeerPresentMessage:
-			got := m.Key
+			got := key.NodePublic(m)
 			if !want[got] {
 				t.Fatalf("got peer present for %v; want present for %v", tc.ts.keyName(got), logger.ArgWriter(func(bw *bufio.Writer) {
 					for _, pub := range peers {
@@ -623,7 +623,6 @@ func (tc *testClient) wantPresent(t *testing.T, peers ...key.NodePublic) {
 					}
 				}))
 			}
-			t.Logf("got present with IP %v", m.IPPort)
 			delete(want, got)
 			if len(want) == 0 {
 				return
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -56,11 +56,6 @@ type Client struct {
 	MeshKey   string             // optional; for trusted clients
 	IsProber  bool               // optional; for probers to optional declare themselves as such

-	// BaseContext, if non-nil, returns the base context to use for dialing a
-	// new derp server. If nil, context.Background is used.
-	// In either case, additional timeouts may be added to the base context.
-	BaseContext func() context.Context
-
 	privateKey key.NodePrivate
 	logf       logger.Logf
 	netMon     *netmon.Monitor // optional; nil means interfaces will be looked up on-demand
@@ -149,19 +144,6 @@ func (c *Client) Connect(ctx context.Context) error {
 	return err
 }

-// newContext returns a new context for setting up a new DERP connection.
-// It uses either c.BaseContext or returns context.Background.
-func (c *Client) newContext() context.Context {
-	if c.BaseContext != nil {
-		ctx := c.BaseContext()
-		if ctx == nil {
-			panic("BaseContext returned nil")
-		}
-		return ctx
-	}
-	return context.Background()
-}
-
 // TLSConnectionState returns the last TLS connection state, if any.
 // The client must already be connected.
 func (c *Client) TLSConnectionState() (_ *tls.ConnectionState, ok bool) {
@@ -794,7 +776,7 @@ func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, pr
 }

 func (c *Client) Send(dstKey key.NodePublic, b []byte) error {
-	client, _, err := c.connect(c.newContext(), "derphttp.Client.Send")
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.Send")
 	if err != nil {
 		return err
 	}
@@ -894,7 +876,7 @@ func (c *Client) LocalAddr() (netip.AddrPort, error) {
 }

 func (c *Client) ForwardPacket(from, to key.NodePublic, b []byte) error {
-	client, _, err := c.connect(c.newContext(), "derphttp.Client.ForwardPacket")
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.ForwardPacket")
 	if err != nil {
 		return err
 	}
@@ -960,7 +942,7 @@ func (c *Client) NotePreferred(v bool) {
 //
 // Only trusted connections (using MeshKey) are allowed to use this.
 func (c *Client) WatchConnectionChanges() error {
-	client, _, err := c.connect(c.newContext(), "derphttp.Client.WatchConnectionChanges")
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.WatchConnectionChanges")
 	if err != nil {
 		return err
 	}
@@ -975,7 +957,7 @@ func (c *Client) WatchConnectionChanges() error {
 //
 // Only trusted connections (using MeshKey) are allowed to use this.
 func (c *Client) ClosePeer(target key.NodePublic) error {
-	client, _, err := c.connect(c.newContext(), "derphttp.Client.ClosePeer")
+	client, _, err := c.connect(context.TODO(), "derphttp.Client.ClosePeer")
 	if err != nil {
 		return err
 	}
@@ -996,7 +978,7 @@ func (c *Client) Recv() (derp.ReceivedMessage, error) {
 // RecvDetail is like Recv, but additional returns the connection generation on each message.
 // The connGen value is incremented every time the derphttp.Client reconnects to the server.
 func (c *Client) RecvDetail() (m derp.ReceivedMessage, connGen int, err error) {
-	client, connGen, err := c.connect(c.newContext(), "derphttp.Client.Recv")
+	client, connGen, err := c.connect(context.TODO(), "derphttp.Client.Recv")
 	if err != nil {
 		return nil, 0, err
 	}
--- a/derp/derphttp/mesh_client.go
+++ b/derp/derphttp/mesh_client.go
@@ -5,7 +5,6 @@ package derphttp

 import (
 	"context"
-	"net/netip"
 	"sync"
 	"time"

@@ -27,7 +26,7 @@ import (
 //
 // To force RunWatchConnectionLoop to return quickly, its ctx needs to
 // be closed, and c itself needs to be closed.
-func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key.NodePublic, infoLogf logger.Logf, add func(key.NodePublic, netip.AddrPort), remove func(key.NodePublic)) {
+func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key.NodePublic, infoLogf logger.Logf, add, remove func(key.NodePublic)) {
 	if infoLogf == nil {
 		infoLogf = logger.Discard
 	}
@@ -69,9 +68,9 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 	})
 	defer timer.Stop()

-	updatePeer := func(k key.NodePublic, ipPort netip.AddrPort, isPresent bool) {
+	updatePeer := func(k key.NodePublic, isPresent bool) {
 		if isPresent {
-			add(k, ipPort)
+			add(k)
 		} else {
 			remove(k)
 		}
@@ -127,7 +126,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 			}
 			switch m := m.(type) {
 			case derp.PeerPresentMessage:
-				updatePeer(m.Key, m.IPPort, true)
+				updatePeer(key.NodePublic(m), true)
 			case derp.PeerGoneMessage:
 				switch m.Reason {
 				case derp.PeerGoneReasonDisconnected:
@@ -139,7 +138,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 					logf("Recv: peer %s not at server %s for unknown reason %v",
 						key.NodePublic(m.Peer).ShortString(), c.ServerPublicKey().ShortString(), m.Reason)
 				}
-				updatePeer(key.NodePublic(m.Peer), netip.AddrPort{}, false)
+				updatePeer(key.NodePublic(m.Peer), false)
 			default:
 				continue
 			}
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -230,7 +230,7 @@ type Pong struct {
 }

 // pongLen is the length of a marshalled pong message, without the message
-// header or padding.
+// header.
 const pongLen = 12 + 16 + 2

 func (m *Pong) AppendMarshal(b []byte) []byte {
--- a/flake.nix
+++ b/flake.nix
@@ -115,4 +115,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-Fr4VZcKrXnT1PZuEG110KBefjcZzRsQRBSvByELKAy4=
+# nix-direnv cache busting line: sha256-hWfdcvm2ief313JMgzDIispAnwi+D1iWsm0UHWOomxg=
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module tailscale.com

-go 1.21
+go 1.20

 require (
 	filippo.io/mkcert v1.4.4
@@ -18,7 +18,7 @@ require (
 	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/creack/pty v1.1.18
 	github.com/dave/jennifer v1.6.1
-	github.com/dblohm7/wingoes v0.0.0-20230803162905-5c6286bb8c6e
+	github.com/dblohm7/wingoes v0.0.0-20230426155039-111c8c3b57c8
 	github.com/dsnet/try v0.0.3
 	github.com/evanw/esbuild v0.14.53
 	github.com/frankban/quicktest v1.14.5
@@ -33,7 +33,7 @@ require (
 	github.com/google/go-containerregistry v0.14.0
 	github.com/google/nftables v0.1.1-0.20230115205135-9aa6fdf5a28c
 	github.com/google/uuid v1.3.0
-	github.com/goreleaser/nfpm/v2 v2.32.1-0.20230803123630-24a43c5ad7cf
+	github.com/goreleaser/nfpm v1.10.3
 	github.com/hdevalence/ed25519consensus v0.1.0
 	github.com/iancoleman/strcase v0.2.0
 	github.com/illarion/gonotify v1.0.1
@@ -41,7 +41,7 @@ require (
 	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86
 	github.com/jsimonetti/rtnetlink v1.3.2
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.16.7
+	github.com/klauspost/compress v1.16.5
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a
 	github.com/mattn/go-colorable v0.1.13
 	github.com/mattn/go-isatty v0.0.18
@@ -73,10 +73,10 @@ require (
 	github.com/vishvananda/netns v0.0.4
 	go.uber.org/zap v1.24.0
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13
-	go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516
+	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
 	golang.org/x/crypto v0.11.0
-	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
-	golang.org/x/mod v0.11.0
+	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
+	golang.org/x/mod v0.10.0
 	golang.org/x/net v0.10.0
 	golang.org/x/oauth2 v0.7.0
 	golang.org/x/sync v0.2.0
@@ -103,10 +103,8 @@ require (
 require (
 	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
 	4d63.com/gochecknoglobals v0.2.1 // indirect
-	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
 	github.com/Abirdcfly/dupword v0.0.11 // indirect
-	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/Antonboom/errname v0.1.9 // indirect
 	github.com/Antonboom/nilnil v0.1.4 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
@@ -115,9 +113,9 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
+	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
 	github.com/OpenPeeDeeP/depguard v1.1.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230626094100-7e9e0395ebec // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230426101702-58e86b294756 // indirect
 	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/alexkohler/prealloc v1.0.0 // indirect
 	github.com/alingse/asasalint v0.0.11 // indirect
@@ -172,9 +170,9 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fzipp/gocyclo v0.6.0 // indirect
 	github.com/go-critic/go-critic v0.8.0 // indirect
-	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/gcfg v1.5.0 // indirect
 	github.com/go-git/go-billy/v5 v5.4.1 // indirect
-	github.com/go-git/go-git/v5 v5.7.0 // indirect
+	github.com/go-git/go-git/v5 v5.6.1 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -204,10 +202,10 @@ require (
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/goterm v0.0.0-20200907032337-555d40f16ae2 // indirect
-	github.com/google/rpmpack v0.5.0 // indirect
+	github.com/google/rpmpack v0.0.0-20221120200012-98b63d62fd77 // indirect
 	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
-	github.com/goreleaser/chglog v0.5.0 // indirect
-	github.com/goreleaser/fileglob v1.3.0 // indirect
+	github.com/goreleaser/chglog v0.4.2 // indirect
+	github.com/goreleaser/fileglob v0.3.1 // indirect
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
@@ -218,7 +216,7 @@ require (
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/huandu/xstrings v1.4.0 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jgautheron/goconst v1.5.1 // indirect
@@ -233,7 +231,7 @@ require (
 	github.com/kisielk/errcheck v1.6.3 // indirect
 	github.com/kisielk/gotool v1.0.0 // indirect
 	github.com/kkHAIKE/contextcheck v1.1.4 // indirect
-	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/klauspost/pgzip v1.2.5 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -271,7 +269,7 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc3 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.7 // indirect
 	github.com/pierrec/lz4/v4 v4.1.17 // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e // indirect
@@ -290,27 +288,27 @@ require (
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
 	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
 	github.com/sashamelentyev/usestdlibvars v1.23.0 // indirect
+	github.com/sassoftware/go-rpmutils v0.2.0 // indirect
 	github.com/securego/gosec/v2 v2.15.0 // indirect
 	github.com/sergi/go-diff v1.3.1 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
-	github.com/shopspring/decimal v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/sivchari/containedctx v1.0.3 // indirect
 	github.com/sivchari/nosnakecase v1.7.0 // indirect
 	github.com/sivchari/tenv v1.7.1 // indirect
-	github.com/skeema/knownhosts v1.1.1 // indirect
+	github.com/skeema/knownhosts v1.1.0 // indirect
 	github.com/sonatard/noctx v0.0.2 // indirect
 	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/afero v1.9.5 // indirect
-	github.com/spf13/cast v1.5.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.16.0 // indirect
+	github.com/spf13/viper v1.15.0 // indirect
 	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
 	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
-	github.com/stretchr/testify v1.8.4 // indirect
+	github.com/stretchr/testify v1.8.2 // indirect
 	github.com/subosito/gotenv v1.4.2 // indirect
 	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
 	github.com/tdakkota/asciicheck v0.2.0 // indirect
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-Fr4VZcKrXnT1PZuEG110KBefjcZzRsQRBSvByELKAy4=
+sha256-hWfdcvm2ief313JMgzDIispAnwi+D1iWsm0UHWOomxg=
--- a/go.sum
+++ b/go.sum
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-27f103a44f8fd34a2cc36995ce7bf83d04433ead
+a96a9eddc031c85f22378ef1e37e3fd7e9c482ef
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -141,16 +141,15 @@ func packageTypeCached() string {
 type EnvType string

 const (
-	KNative            = EnvType("kn")
-	AWSLambda          = EnvType("lm")
-	Heroku             = EnvType("hr")
-	AzureAppService    = EnvType("az")
-	AWSFargate         = EnvType("fg")
-	FlyDotIo           = EnvType("fly")
-	Kubernetes         = EnvType("k8s")
-	DockerDesktop      = EnvType("dde")
-	Replit             = EnvType("repl")
-	HomeAssistantAddOn = EnvType("haao")
+	KNative         = EnvType("kn")
+	AWSLambda       = EnvType("lm")
+	Heroku          = EnvType("hr")
+	AzureAppService = EnvType("az")
+	AWSFargate      = EnvType("fg")
+	FlyDotIo        = EnvType("fly")
+	Kubernetes      = EnvType("k8s")
+	DockerDesktop   = EnvType("dde")
+	Replit          = EnvType("repl")
 )

 var envType atomic.Value // of EnvType
@@ -171,7 +170,6 @@ var (
 	desktopAtomic         atomic.Value // of opt.Bool
 	packagingType         atomic.Value // of string
 	appType               atomic.Value // of string
-	firewallMode          atomic.Value // of string
 )

 // SetPushDeviceToken sets the device token for use in Hostinfo updates.
@@ -183,9 +181,6 @@ func SetDeviceModel(model string) { deviceModelAtomic.Store(model) }
 // SetOSVersion sets the OS version.
 func SetOSVersion(v string) { osVersionAtomic.Store(v) }

-// SetFirewallMode sets the firewall mode for the app.
-func SetFirewallMode(v string) { firewallMode.Store(v) }
-
 // SetPackage sets the packaging type for the app.
 //
 // As of 2022-03-25, this is used by Android ("nogoogle" for the
@@ -207,13 +202,6 @@ func pushDeviceToken() string {
 	return s
 }

-// FirewallMode returns the firewall mode for the app.
-// It is empty if unset.
-func FirewallMode() string {
-	s, _ := firewallMode.Load().(string)
-	return s
-}
-
 func desktop() (ret opt.Bool) {
 	if runtime.GOOS != "linux" {
 		return opt.Bool("")
@@ -267,9 +255,6 @@ func getEnvType() EnvType {
 	if inReplit() {
 		return Replit
 	}
-	if inHomeAssistantAddOn() {
-		return HomeAssistantAddOn
-	}
 	return ""
 }

@@ -379,13 +364,6 @@ func inDockerDesktop() bool {
 	return false
 }

-func inHomeAssistantAddOn() bool {
-	if os.Getenv("SUPERVISOR_TOKEN") != "" || os.Getenv("HASSIO_TOKEN") != "" {
-		return true
-	}
-	return false
-}
-
 // goArchVar returns the GOARM or GOAMD64 etc value that the binary was built
 // with.
 func goArchVar() string {
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -64,7 +64,6 @@ const (
 	NotifyInitialState  // if set, the first Notify message (sent immediately) will contain the current State + BrowseToURL
 	NotifyInitialPrefs  // if set, the first Notify message (sent immediately) will contain the current Prefs
 	NotifyInitialNetMap // if set, the first Notify message (sent immediately) will contain the current NetMap
-	NotifyGUINetMap     // if set, only use the Notify.GUINetMap; Notify.Netmap will always be nil. Also impacts NotifyInitialNetMap.

 	NotifyNoPrivateKeys // if set, private keys that would normally be sent in updates are zeroed out
 )
@@ -82,14 +81,13 @@ type Notify struct {
 	// For State InUseOtherUser, ErrMessage is not critical and just contains the details.
 	ErrMessage *string

-	LoginFinished *empty.Message // non-nil when/if the login process succeeded
-	State         *State         // if non-nil, the new or current IPN state
-	Prefs         *PrefsView     // if non-nil && Valid, the new or current preferences
-	//NetMap        *netmap.NetworkMap    // if non-nil, the new or current netmap
-	GUINetMap    *netmap.GUINetworkMap // if non-nil, the new or current netmap
-	Engine       *EngineStatus         // if non-nil, the new or current wireguard stats
-	BrowseToURL  *string               // if non-nil, UI should open a browser right now
-	BackendLogID *string               // if non-nil, the public logtail ID used by backend
+	LoginFinished *empty.Message     // non-nil when/if the login process succeeded
+	State         *State             // if non-nil, the new or current IPN state
+	Prefs         *PrefsView         // if non-nil && Valid, the new or current preferences
+	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
+	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
+	BrowseToURL   *string            // if non-nil, UI should open a browser right now
+	BackendLogID  *string            // if non-nil, the public logtail ID used by backend

 	// FilesWaiting if non-nil means that files are buffered in
 	// the Tailscale daemon and ready for local transfer to the
@@ -135,9 +133,9 @@ func (n Notify) String() string {
 	if n.Prefs != nil && n.Prefs.Valid() {
 		fmt.Fprintf(&sb, "%v ", n.Prefs.Pretty())
 	}
-	// if n.NetMap != nil {
-	// 	sb.WriteString("NetMap{...} ")
-	// }
+	if n.NetMap != nil {
+		sb.WriteString("NetMap{...} ")
+	}
 	if n.Engine != nil {
 		fmt.Fprintf(&sb, "wg=%v ", *n.Engine)
 	}
--- a/ipn/ipnlocal/breaktcp_darwin.go
+++ b/ipn/ipnlocal/breaktcp_darwin.go
@@ -1,30 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package ipnlocal
-
-import (
-	"log"
-
-	"golang.org/x/sys/unix"
-)
-
-func init() {
-	breakTCPConns = breakTCPConnsDarwin
-}
-
-func breakTCPConnsDarwin() error {
-	var matched int
-	for fd := 0; fd < 1000; fd++ {
-		_, err := unix.GetsockoptTCPConnectionInfo(fd, unix.IPPROTO_TCP, unix.TCP_CONNECTION_INFO)
-		if err == nil {
-			matched++
-			err = unix.Close(fd)
-			log.Printf("debug: closed TCP fd %v: %v", fd, err)
-		}
-	}
-	if matched == 0 {
-		log.Printf("debug: no TCP connections found")
-	}
-	return nil
-}
--- a/ipn/ipnlocal/breaktcp_linux.go
+++ b/ipn/ipnlocal/breaktcp_linux.go
@@ -1,30 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package ipnlocal
-
-import (
-	"log"
-
-	"golang.org/x/sys/unix"
-)
-
-func init() {
-	breakTCPConns = breakTCPConnsLinux
-}
-
-func breakTCPConnsLinux() error {
-	var matched int
-	for fd := 0; fd < 1000; fd++ {
-		_, err := unix.GetsockoptTCPInfo(fd, unix.IPPROTO_TCP, unix.TCP_INFO)
-		if err == nil {
-			matched++
-			err = unix.Close(fd)
-			log.Printf("debug: closed TCP fd %v: %v", fd, err)
-		}
-	}
-	if matched == 0 {
-		log.Printf("debug: no TCP connections found")
-	}
-	return nil
-}
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -339,11 +339,11 @@ func (s certStateStore) Read(domain string, now time.Time) (*TLSCertKeyPair, err
 }

 func (s certStateStore) WriteCert(domain string, cert []byte) error {
-	return ipn.WriteState(s.StateStore, ipn.StateKey(domain+".crt"), cert)
+	return s.WriteState(ipn.StateKey(domain+".crt"), cert)
 }

 func (s certStateStore) WriteKey(domain string, key []byte) error {
-	return ipn.WriteState(s.StateStore, ipn.StateKey(domain+".key"), key)
+	return s.WriteState(ipn.StateKey(domain+".key"), key)
 }

 func (s certStateStore) ACMEKey() ([]byte, error) {
@@ -351,7 +351,7 @@ func (s certStateStore) ACMEKey() ([]byte, error) {
 }

 func (s certStateStore) WriteACMEKey(key []byte) error {
-	return ipn.WriteState(s.StateStore, ipn.StateKey(acmePEMName), key)
+	return s.WriteState(ipn.StateKey(acmePEMName), key)
 }

 // TLSCertKeyPair is a TLS public and private key, and whether they were obtained
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -79,7 +79,6 @@ import (
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/set"
 	"tailscale.com/util/systemd"
-	"tailscale.com/util/testenv"
 	"tailscale.com/util/uniq"
 	"tailscale.com/version"
 	"tailscale.com/version/distro"
@@ -491,17 +490,13 @@ func (b *LocalBackend) SetDirectFileDoFinalRename(v bool) {
 	b.directFileDoFinalRename = v
 }

-// pauseOrResumeControlClientLocked pauses b.cc if there is no network available
-// or if the LocalBackend is in Stopped state with a valid NetMap. In all other
-// cases, it unpauses it. It is a no-op if b.cc is nil.
-//
 // b.mu must be held.
-func (b *LocalBackend) pauseOrResumeControlClientLocked() {
+func (b *LocalBackend) maybePauseControlClientLocked() {
 	if b.cc == nil {
 		return
 	}
 	networkUp := b.prevIfState.AnyInterfaceUp()
-	b.cc.SetPaused((b.state == ipn.Stopped && b.netMap != nil) || (!networkUp && !testenv.InTest()))
+	b.cc.SetPaused((b.state == ipn.Stopped && b.netMap != nil) || !networkUp)
 }

 // linkChange is our network monitor callback, called whenever the network changes.
@@ -512,7 +507,7 @@ func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {

 	hadPAC := b.prevIfState.HasPAC()
 	b.prevIfState = ifst
-	b.pauseOrResumeControlClientLocked()
+	b.maybePauseControlClientLocked()

 	// If the PAC-ness of the network changed, reconfig wireguard+route to
 	// add/remove subnets.
@@ -952,7 +947,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	b.mu.Lock()

 	if st.LogoutFinished != nil {
-		if p := b.pm.CurrentPrefs(); !p.Persist().Valid() || p.Persist().UserProfile().LoginName() == "" {
+		if p := b.pm.CurrentPrefs(); !p.Persist().Valid() || p.Persist().LoginName() == "" {
 			b.mu.Unlock()
 			return
 		}
@@ -999,13 +994,18 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		prefs.WantRunning = true
 		prefs.LoggedOut = false
 	}
-	if setExitNodeID(prefs, st.NetMap) {
+	if findExitNodeIDLocked(prefs, st.NetMap) {
 		prefsChanged = true
 	}

 	// Perform all mutations of prefs based on the netmap here.
+	if st.NetMap != nil {
+		if b.updatePersistFromNetMapLocked(st.NetMap, prefs) {
+			prefsChanged = true
+		}
+	}
+	// Prefs will be written out if stale; this is not safe unless locked or cloned.
 	if prefsChanged {
-		// Prefs will be written out if stale; this is not safe unless locked or cloned.
 		if err := b.pm.SetPrefs(prefs.View()); err != nil {
 			b.logf("Failed to save new controlclient state: %v", err)
 		}
@@ -1093,9 +1093,9 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	b.authReconfig()
 }

-// setExitNodeID updates prefs to reference an exit node by ID, rather
+// findExitNodeIDLocked updates prefs to reference an exit node by ID, rather
 // than by IP. It returns whether prefs was mutated.
-func setExitNodeID(prefs *ipn.Prefs, nm *netmap.NetworkMap) (prefsChanged bool) {
+func findExitNodeIDLocked(prefs *ipn.Prefs, nm *netmap.NetworkMap) (prefsChanged bool) {
 	if nm == nil {
 		// No netmap, can't resolve anything.
 		return false
@@ -2209,7 +2209,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 	}

 	keyText, _ = b.machinePrivKey.MarshalText()
-	if err := ipn.WriteState(b.store, ipn.MachineKeyStateKey, keyText); err != nil {
+	if err := b.store.WriteState(ipn.MachineKeyStateKey, keyText); err != nil {
 		b.logf("error writing machine key to store: %v", err)
 		return err
 	}
@@ -2224,7 +2224,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 //
 // b.mu must be held.
 func (b *LocalBackend) clearMachineKeyLocked() error {
-	if err := ipn.WriteState(b.store, ipn.MachineKeyStateKey, nil); err != nil {
+	if err := b.store.WriteState(ipn.MachineKeyStateKey, nil); err != nil {
 		return err
 	}
 	b.machinePrivKey = key.MachinePrivate{}
@@ -2751,7 +2751,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) ipn
 	// findExitNodeIDLocked returns whether it updated b.prefs, but
 	// everything in this function treats b.prefs as completely new
 	// anyway. No-op if no exit node resolution is needed.
-	setExitNodeID(newp, netMap)
+	findExitNodeIDLocked(newp, netMap)
 	// We do this to avoid holding the lock while doing everything else.

 	oldHi := b.hostinfo
@@ -2774,16 +2774,16 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) ipn
 		}
 	}
 	if netMap != nil {
-		newProfile := netMap.UserProfiles[netMap.User]
-		if newLoginName := newProfile.LoginName; newLoginName != "" {
-			if !oldp.Persist().Valid() {
-				b.logf("active login: %s", newLoginName)
+		up := netMap.UserProfiles[netMap.User]
+		if login := up.LoginName; login != "" {
+			if newp.Persist == nil {
+				b.logf("active login: %s", login)
 			} else {
-				oldLoginName := oldp.Persist().UserProfile().LoginName()
-				if oldLoginName != newLoginName {
-					b.logf("active login: %q (changed from %q)", newLoginName, oldLoginName)
+				if newp.Persist.LoginName != login {
+					b.logf("active login: %q (changed from %q)", login, newp.Persist.LoginName)
+					newp.Persist.LoginName = login
 				}
-				newp.Persist.UserProfile = newProfile
+				newp.Persist.UserProfile = up
 			}
 		}
 	}
@@ -3635,7 +3635,7 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 		// Transitioning away from running.
 		b.closePeerAPIListenersLocked()
 	}
-	b.pauseOrResumeControlClientLocked()
+	b.maybePauseControlClientLocked()
 	b.mu.Unlock()

 	// prefs may change irrespective of state; WantRunning should be explicitly
@@ -3952,9 +3952,28 @@ func hasCapability(nm *netmap.NetworkMap, cap string) bool {
 	return false
 }

-// setNetMapLocked updates the LocalBackend state to reflect the newly
-// received nm. If nm is nil, it resets all configuration as though
-// Tailscale is turned off.
+func (b *LocalBackend) updatePersistFromNetMapLocked(nm *netmap.NetworkMap, prefs *ipn.Prefs) (changed bool) {
+	if nm == nil || nm.SelfNode == nil {
+		return
+	}
+	up := nm.UserProfiles[nm.User]
+	if prefs.Persist.UserProfile.ID != up.ID {
+		// If the current profile doesn't match the
+		// network map's user profile, then we need to
+		// update the persisted UserProfile to match.
+		prefs.Persist.UserProfile = up
+		changed = true
+	}
+	if prefs.Persist.NodeID == "" {
+		// If the current profile doesn't have a NodeID,
+		// then we need to update the persisted NodeID to
+		// match.
+		prefs.Persist.NodeID = nm.SelfNode.StableID
+		changed = true
+	}
+	return changed
+}
+
 func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	b.dialer.SetNetMap(nm)
 	var login string
@@ -3966,7 +3985,7 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 		b.logf("active login: %v", login)
 		b.activeLogin = login
 	}
-	b.pauseOrResumeControlClientLocked()
+	b.maybePauseControlClientLocked()

 	if nm != nil {
 		health.SetControlHealth(nm.ControlHealth)
@@ -4444,7 +4463,7 @@ func (b *LocalBackend) CheckIPForwarding() error {
 	}

 	// TODO: let the caller pass in the ranges.
-	warn, err := netutil.CheckIPForwarding(tsaddr.ExitRoutes(), b.sys.NetMon.Get().InterfaceState())
+	warn, err := netutil.CheckIPForwarding(tsaddr.ExitRoutes(), nil)
 	if err != nil {
 		return err
 	}
@@ -4811,7 +4830,7 @@ func (b *LocalBackend) SetDevStateStore(key, value string) error {
 	if b.store == nil {
 		return errors.New("no state store")
 	}
-	err := ipn.WriteState(b.store, ipn.StateKey(key), []byte(value))
+	err := b.store.WriteState(ipn.StateKey(key), []byte(value))
 	b.logf("SetDevStateStore(%q, %q) = %v", key, value, err)

 	if err != nil {
@@ -5030,20 +5049,3 @@ func (b *LocalBackend) GetPeerEndpointChanges(ctx context.Context, ip netip.Addr
 	}
 	return chs, nil
 }
-
-var breakTCPConns func() error
-
-func (b *LocalBackend) DebugBreakTCPConns() error {
-	if breakTCPConns == nil {
-		return errors.New("TCP connection breaking not available on this platform")
-	}
-	return breakTCPConns()
-}
-
-func (b *LocalBackend) DebugBreakDERPConns() error {
-	mc, err := b.magicConn()
-	if err != nil {
-		return err
-	}
-	return mc.DebugBreakDERPConns()
-}
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -845,93 +845,6 @@ func (b *LocalBackend) NetworkLockAffectedSigs(keyID tkatype.KeyID) ([]tkatype.M
 	return resp.Signatures, nil
 }

-// NetworkLockGenerateRecoveryAUM generates an AUM which retroactively removes trust in the
-// specified keys. This AUM is signed by the current node and returned.
-//
-// If forkFrom is specified, it is used as the parent AUM to fork from. If the zero value,
-// the parent AUM is determined automatically.
-func (b *LocalBackend) NetworkLockGenerateRecoveryAUM(removeKeys []tkatype.KeyID, forkFrom tka.AUMHash) (*tka.AUM, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return nil, errNetworkLockNotActive
-	}
-	var nlPriv key.NLPrivate
-	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() {
-		nlPriv = p.Persist().NetworkLockKey()
-	}
-	if nlPriv.IsZero() {
-		return nil, errMissingNetmap
-	}
-
-	aum, err := b.tka.authority.MakeRetroactiveRevocation(b.tka.storage, removeKeys, nlPriv.KeyID(), forkFrom)
-	if err != nil {
-		return nil, err
-	}
-
-	// Sign it ourselves.
-	aum.Signatures, err = nlPriv.SignAUM(aum.SigHash())
-	if err != nil {
-		return nil, fmt.Errorf("signing failed: %w", err)
-	}
-
-	return aum, nil
-}
-
-// NetworkLockCosignRecoveryAUM co-signs the provided recovery AUM and returns
-// the updated structure.
-//
-// The recovery AUM provided should be the output from a previous call to
-// NetworkLockGenerateRecoveryAUM or NetworkLockCosignRecoveryAUM.
-func (b *LocalBackend) NetworkLockCosignRecoveryAUM(aum *tka.AUM) (*tka.AUM, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return nil, errNetworkLockNotActive
-	}
-	var nlPriv key.NLPrivate
-	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() {
-		nlPriv = p.Persist().NetworkLockKey()
-	}
-	if nlPriv.IsZero() {
-		return nil, errMissingNetmap
-	}
-	for _, sig := range aum.Signatures {
-		if bytes.Equal(sig.KeyID, nlPriv.KeyID()) {
-			return nil, errors.New("this node has already signed this recovery AUM")
-		}
-	}
-
-	// Sign it ourselves.
-	sigs, err := nlPriv.SignAUM(aum.SigHash())
-	if err != nil {
-		return nil, fmt.Errorf("signing failed: %w", err)
-	}
-	aum.Signatures = append(aum.Signatures, sigs...)
-
-	return aum, nil
-}
-
-func (b *LocalBackend) NetworkLockSubmitRecoveryAUM(aum *tka.AUM) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return errNetworkLockNotActive
-	}
-	var ourNodeKey key.NodePublic
-	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
-		ourNodeKey = p.Persist().PublicNodeKey()
-	}
-	if ourNodeKey.IsZero() {
-		return errors.New("no node-key: is tailscale logged in?")
-	}
-
-	b.mu.Unlock()
-	_, err := b.tkaDoSyncSend(ourNodeKey, aum.Hash(), []tka.AUM{*aum}, false)
-	b.mu.Lock()
-	return err
-}
-
 var tkaSuffixEncoder = base64.RawStdEncoding

 // NetworkLockWrapPreauthKey wraps a pre-auth key with information to
--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@@ -994,129 +994,3 @@ func TestTKAAffectedSigs(t *testing.T) {
 		})
 	}
 }
-
-func TestTKARecoverCompromisedKeyFlow(t *testing.T) {
-	nodePriv := key.NewNode()
-	nlPriv := key.NewNLPrivate()
-	cosignPriv := key.NewNLPrivate()
-	compromisedPriv := key.NewNLPrivate()
-
-	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
-	must.Do(pm.SetPrefs((&ipn.Prefs{
-		Persist: &persist.Persist{
-			PrivateNodeKey: nodePriv,
-			NetworkLockKey: nlPriv,
-		},
-	}).View()))
-
-	// Make a fake TKA authority, to seed local state.
-	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
-	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	cosignKey := tka.Key{Kind: tka.Key25519, Public: cosignPriv.Public().Verifier(), Votes: 2}
-	compromisedKey := tka.Key{Kind: tka.Key25519, Public: compromisedPriv.Public().Verifier(), Votes: 1}
-
-	temp := t.TempDir()
-	tkaPath := filepath.Join(temp, "tka-profile", string(pm.CurrentProfile().ID))
-	os.Mkdir(tkaPath, 0755)
-	chonk, err := tka.ChonkDir(tkaPath)
-	if err != nil {
-		t.Fatal(err)
-	}
-	authority, _, err := tka.Create(chonk, tka.State{
-		Keys:               []tka.Key{key, compromisedKey, cosignKey},
-		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		switch r.URL.Path {
-		case "/machine/tka/sync/send":
-			body := new(tailcfg.TKASyncSendRequest)
-			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-				t.Fatal(err)
-			}
-			t.Logf("got sync send:\n%+v", body)
-
-			var remoteHead tka.AUMHash
-			if err := remoteHead.UnmarshalText([]byte(body.Head)); err != nil {
-				t.Fatalf("head unmarshal: %v", err)
-			}
-			toApply := make([]tka.AUM, len(body.MissingAUMs))
-			for i, a := range body.MissingAUMs {
-				if err := toApply[i].Unserialize(a); err != nil {
-					t.Fatalf("decoding missingAUM[%d]: %v", i, err)
-				}
-			}
-
-			// Apply the recovery AUM to an authority to make sure it works.
-			if err := authority.Inform(chonk, toApply); err != nil {
-				t.Errorf("recovery AUM could not be applied: %v", err)
-			}
-			// Make sure the key we removed isn't trusted.
-			if authority.KeyTrusted(compromisedPriv.KeyID()) {
-				t.Error("compromised key was not removed from tka")
-			}
-
-			w.WriteHeader(200)
-			if err := json.NewEncoder(w).Encode(tailcfg.TKASubmitSignatureResponse{}); err != nil {
-				t.Fatal(err)
-			}
-
-		default:
-			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-			w.WriteHeader(404)
-		}
-	}))
-	defer ts.Close()
-	cc := fakeControlClient(t, client)
-	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-		tka: &tkaState{
-			authority: authority,
-			storage:   chonk,
-		},
-		pm:    pm,
-		store: pm.Store(),
-	}
-
-	aum, err := b.NetworkLockGenerateRecoveryAUM([]tkatype.KeyID{compromisedPriv.KeyID()}, tka.AUMHash{})
-	if err != nil {
-		t.Fatalf("NetworkLockGenerateRecoveryAUM() failed: %v", err)
-	}
-
-	// Cosign using the cosigning key.
-	{
-		pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
-		must.Do(pm.SetPrefs((&ipn.Prefs{
-			Persist: &persist.Persist{
-				PrivateNodeKey: nodePriv,
-				NetworkLockKey: cosignPriv,
-			},
-		}).View()))
-		b := LocalBackend{
-			varRoot: temp,
-			logf:    t.Logf,
-			tka: &tkaState{
-				authority: authority,
-				storage:   chonk,
-			},
-			pm:    pm,
-			store: pm.Store(),
-		}
-		if aum, err = b.NetworkLockCosignRecoveryAUM(aum); err != nil {
-			t.Fatalf("NetworkLockCosignRecoveryAUM() failed: %v", err)
-		}
-	}
-
-	// Finally, submit the recovery AUM. Validation is done
-	// in the fake control handler.
-	if err := b.NetworkLockSubmitRecoveryAUM(aum); err != nil {
-		t.Errorf("NetworkLockSubmitRecoveryAUM() failed: %v", err)
-	}
-}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -902,8 +902,8 @@ func (h *peerAPIHandler) handleServeSockStats(w http.ResponseWriter, r *http.Req
 	for label := range stats.Stats {
 		labels = append(labels, label)
 	}
-	slices.SortFunc(labels, func(a, b sockstats.Label) int {
-		return strings.Compare(a.String(), b.String())
+	slices.SortFunc(labels, func(a, b sockstats.Label) bool {
+		return a.String() < b.String()
 	})

 	txTotal := uint64(0)
@@ -1282,8 +1282,8 @@ func (h *peerAPIHandler) handleWakeOnLAN(w http.ResponseWriter, r *http.Request)
 		return
 	}
 	var password []byte // TODO(bradfitz): support?
-	st := h.ps.b.sys.NetMon.Get().InterfaceState()
-	if st == nil {
+	st, err := interfaces.GetState()
+	if err != nil {
 		http.Error(w, "failed to get interfaces state", http.StatusInternalServerError)
 		return
 	}
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -16,9 +16,9 @@ import (
 	"golang.org/x/exp/slices"
 	"tailscale.com/envknob"
 	"tailscale.com/ipn"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/winutil"
 )

@@ -33,9 +33,15 @@ type profileManager struct {
 	logf  logger.Logf

 	currentUserID  ipn.WindowsUserID
-	knownProfiles  map[ipn.ProfileID]*ipn.LoginProfile // always non-nil
-	currentProfile *ipn.LoginProfile                   // always non-nil
-	prefs          ipn.PrefsView                       // always Valid.
+	knownProfiles  map[ipn.ProfileID]*ipn.LoginProfile
+	currentProfile *ipn.LoginProfile // always non-nil
+	prefs          ipn.PrefsView     // always Valid.
+
+	// isNewProfile is a sentinel value that indicates that the
+	// current profile is new and has not been saved to disk yet.
+	// It is reset to false after a call to SetPrefs with a filled
+	// in LoginName.
+	isNewProfile bool
 }

 func (pm *profileManager) dlogf(format string, args ...any) {
@@ -45,10 +51,6 @@ func (pm *profileManager) dlogf(format string, args ...any) {
 	pm.logf(format, args...)
 }

-func (pm *profileManager) WriteState(id ipn.StateKey, val []byte) error {
-	return ipn.WriteState(pm.store, id, val)
-}
-
 // CurrentUserID returns the current user ID. It is only non-empty on
 // Windows where we have a multi-user system.
 func (pm *profileManager) CurrentUserID() ipn.WindowsUserID {
@@ -101,45 +103,40 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	}
 	pm.currentProfile = prof
 	pm.prefs = prefs
+	pm.isNewProfile = false
 	return nil
 }

-// allProfiles returns all profiles that belong to the currentUserID.
-// The returned profiles are sorted by Name.
-func (pm *profileManager) allProfiles() (out []*ipn.LoginProfile) {
-	for _, p := range pm.knownProfiles {
-		if p.LocalUserID == pm.currentUserID {
-			out = append(out, p)
-		}
-	}
-	slices.SortFunc(out, func(a, b *ipn.LoginProfile) int {
-		return cmpx.Compare(a.Name, b.Name)
-	})
-	return out
-}
-
 // matchingProfiles returns all profiles that match the given predicate and
 // belong to the currentUserID.
-// The returned profiles are sorted by Name.
 func (pm *profileManager) matchingProfiles(f func(*ipn.LoginProfile) bool) (out []*ipn.LoginProfile) {
-	all := pm.allProfiles()
-	out = all[:0]
-	for _, p := range all {
-		if f(p) {
+	for _, p := range pm.knownProfiles {
+		if p.LocalUserID == pm.currentUserID && f(p) {
 			out = append(out, p)
 		}
 	}
 	return out
 }

-// findMatchinProfiles returns all profiles that represent the same node/user as
-// prefs.
-// The returned profiles are sorted by Name.
-func (pm *profileManager) findMatchingProfiles(prefs *ipn.Prefs) []*ipn.LoginProfile {
+// findProfilesByNodeID returns all profiles that have the provided nodeID and
+// belong to the same control server.
+func (pm *profileManager) findProfilesByNodeID(controlURL string, nodeID tailcfg.StableNodeID) []*ipn.LoginProfile {
+	if nodeID.IsZero() {
+		return nil
+	}
 	return pm.matchingProfiles(func(p *ipn.LoginProfile) bool {
-		return p.ControlURL == prefs.ControlURL &&
-			(p.UserProfile.ID == prefs.Persist.UserProfile.ID ||
-				p.NodeID == prefs.Persist.NodeID)
+		return p.NodeID == nodeID && p.ControlURL == controlURL
+	})
+}
+
+// findProfilesByUserID returns all profiles that have the provided userID and
+// belong to the same control server.
+func (pm *profileManager) findProfilesByUserID(controlURL string, userID tailcfg.UserID) []*ipn.LoginProfile {
+	if userID.IsZero() {
+		return nil
+	}
+	return pm.matchingProfiles(func(p *ipn.LoginProfile) bool {
+		return p.UserProfile.ID == userID && p.ControlURL == controlURL
 	})
 }

@@ -185,9 +182,9 @@ func (pm *profileManager) setUnattendedModeAsConfigured() error {
 	}

 	if pm.prefs.ForceDaemon() {
-		return pm.WriteState(ipn.ServerModeStartKey, []byte(pm.currentProfile.Key))
+		return pm.store.WriteState(ipn.ServerModeStartKey, []byte(pm.currentProfile.Key))
 	} else {
-		return pm.WriteState(ipn.ServerModeStartKey, nil)
+		return pm.store.WriteState(ipn.ServerModeStartKey, nil)
 	}
 }

@@ -205,47 +202,46 @@ func init() {
 // It also saves the prefs to the StateStore. It stores a copy of the
 // provided prefs, which may be accessed via CurrentPrefs.
 func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView) error {
-	prefs := prefsIn.AsStruct()
-	newPersist := prefs.Persist
-	if newPersist == nil || newPersist.NodeID == "" || newPersist.UserProfile.LoginName == "" {
-		// We don't know anything about this profile, so ignore it for now.
-		return pm.setPrefsLocked(prefs.View())
+	prefs := prefsIn.AsStruct().View()
+	newPersist := prefs.Persist().AsStruct()
+	if newPersist == nil || newPersist.NodeID == "" {
+		return pm.setPrefsLocked(prefs)
 	}
 	up := newPersist.UserProfile
+	if up.LoginName == "" {
+		// Backwards compatibility with old prefs files.
+		up.LoginName = newPersist.LoginName
+	} else {
+		newPersist.LoginName = up.LoginName
+	}
 	if up.DisplayName == "" {
 		up.DisplayName = up.LoginName
 	}
 	cp := pm.currentProfile
-	// Check if we already have an existing profile that matches the user/node.
-	if existing := pm.findMatchingProfiles(prefs); len(existing) > 0 {
-		// We already have a profile for this user/node we should reuse it. Also
-		// cleanup any other duplicate profiles.
-		cp = existing[0]
-		existing = existing[1:]
-		for _, p := range existing {
-			// Clear the state.
-			if err := pm.store.WriteState(p.Key, nil); err != nil {
-				// We couldn't delete the state, so keep the profile around.
-				continue
+	if pm.isNewProfile {
+		pm.isNewProfile = false
+		// Check if we already have a profile for this user.
+		existing := pm.findProfilesByUserID(prefs.ControlURL(), newPersist.UserProfile.ID)
+		// Also check if we have a profile with the same NodeID.
+		existing = append(existing, pm.findProfilesByNodeID(prefs.ControlURL(), newPersist.NodeID)...)
+		if len(existing) == 0 {
+			cp.ID, cp.Key = newUnusedID(pm.knownProfiles)
+		} else {
+			// Only one profile per user/nodeID should exist.
+			for _, p := range existing[1:] {
+				// Best effort cleanup.
+				pm.DeleteProfile(p.ID)
 			}
-			// Remove the profile, knownProfiles will be persisted below.
-			delete(pm.knownProfiles, p.ID)
+			cp = existing[0]
 		}
-	} else if cp.ID == "" {
-		// We didn't have an existing profile, so create a new one.
-		cp.ID, cp.Key = newUnusedID(pm.knownProfiles)
 		cp.LocalUserID = pm.currentUserID
-	} else {
-		// This means that there was a force-reauth as a new node that
-		// we haven't seen before.
 	}
-
-	if prefs.ProfileName != "" {
-		cp.Name = prefs.ProfileName
+	if prefs.ProfileName() != "" {
+		cp.Name = prefs.ProfileName()
 	} else {
 		cp.Name = up.LoginName
 	}
-	cp.ControlURL = prefs.ControlURL
+	cp.ControlURL = prefs.ControlURL()
 	cp.UserProfile = newPersist.UserProfile
 	cp.NodeID = newPersist.NodeID
 	pm.knownProfiles[cp.ID] = cp
@@ -256,7 +252,7 @@ func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView) error {
 	if err := pm.setAsUserSelectedProfileLocked(); err != nil {
 		return err
 	}
-	if err := pm.setPrefsLocked(prefs.View()); err != nil {
+	if err := pm.setPrefsLocked(prefs); err != nil {
 		return err
 	}
 	return nil
@@ -279,7 +275,7 @@ func newUnusedID(knownProfiles map[ipn.ProfileID]*ipn.LoginProfile) (ipn.Profile
 // is not new.
 func (pm *profileManager) setPrefsLocked(clonedPrefs ipn.PrefsView) error {
 	pm.prefs = clonedPrefs
-	if pm.currentProfile.ID == "" {
+	if pm.isNewProfile {
 		return nil
 	}
 	if err := pm.writePrefsToStore(pm.currentProfile.Key, pm.prefs); err != nil {
@@ -292,7 +288,7 @@ func (pm *profileManager) writePrefsToStore(key ipn.StateKey, prefs ipn.PrefsVie
 	if key == "" {
 		return nil
 	}
-	if err := pm.WriteState(key, prefs.ToBytes()); err != nil {
+	if err := pm.store.WriteState(key, prefs.ToBytes()); err != nil {
 		pm.logf("WriteState(%q): %v", key, err)
 		return err
 	}
@@ -301,9 +297,12 @@ func (pm *profileManager) writePrefsToStore(key ipn.StateKey, prefs ipn.PrefsVie

 // Profiles returns the list of known profiles.
 func (pm *profileManager) Profiles() []ipn.LoginProfile {
-	allProfiles := pm.allProfiles()
-	out := make([]ipn.LoginProfile, 0, len(allProfiles))
-	for _, p := range allProfiles {
+	profiles := pm.matchingProfiles(func(*ipn.LoginProfile) bool { return true })
+	slices.SortFunc(profiles, func(a, b *ipn.LoginProfile) bool {
+		return a.Name < b.Name
+	})
+	out := make([]ipn.LoginProfile, 0, len(profiles))
+	for _, p := range profiles {
 		out = append(out, *p)
 	}
 	return out
@@ -331,12 +330,13 @@ func (pm *profileManager) SwitchProfile(id ipn.ProfileID) error {
 	}
 	pm.prefs = prefs
 	pm.currentProfile = kp
+	pm.isNewProfile = false
 	return pm.setAsUserSelectedProfileLocked()
 }

 func (pm *profileManager) setAsUserSelectedProfileLocked() error {
 	k := ipn.CurrentProfileKey(string(pm.currentUserID))
-	return pm.WriteState(k, []byte(pm.currentProfile.Key))
+	return pm.store.WriteState(k, []byte(pm.currentProfile.Key))
 }

 func (pm *profileManager) loadSavedPrefs(key ipn.StateKey) (ipn.PrefsView, error) {
@@ -382,7 +382,7 @@ var errProfileNotFound = errors.New("profile not found")
 func (pm *profileManager) DeleteProfile(id ipn.ProfileID) error {
 	metricDeleteProfile.Add(1)

-	if id == "" {
+	if id == "" && pm.isNewProfile {
 		// Deleting the in-memory only new profile, just create a new one.
 		pm.NewProfile()
 		return nil
@@ -394,7 +394,7 @@ func (pm *profileManager) DeleteProfile(id ipn.ProfileID) error {
 	if kp.ID == pm.currentProfile.ID {
 		pm.NewProfile()
 	}
-	if err := pm.WriteState(kp.Key, nil); err != nil {
+	if err := pm.store.WriteState(kp.Key, nil); err != nil {
 		return err
 	}
 	delete(pm.knownProfiles, id)
@@ -407,7 +407,7 @@ func (pm *profileManager) DeleteAllProfiles() error {
 	metricDeleteAllProfile.Add(1)

 	for _, kp := range pm.knownProfiles {
-		if err := pm.WriteState(kp.Key, nil); err != nil {
+		if err := pm.store.WriteState(kp.Key, nil); err != nil {
 			// Write to remove references to profiles we've already deleted, but
 			// return the original error.
 			pm.writeKnownProfiles()
@@ -424,7 +424,7 @@ func (pm *profileManager) writeKnownProfiles() error {
 	if err != nil {
 		return err
 	}
-	return pm.WriteState(ipn.KnownProfilesStateKey, b)
+	return pm.store.WriteState(ipn.KnownProfilesStateKey, b)
 }

 // NewProfile creates and switches to a new unnamed profile. The new profile is
@@ -433,6 +433,7 @@ func (pm *profileManager) NewProfile() {
 	metricNewProfile.Add(1)

 	pm.prefs = defaultPrefs
+	pm.isNewProfile = true
 	pm.currentProfile = &ipn.LoginProfile{}
 }

--- a/ipn/ipnlocal/profiles_notwindows.go
+++ b/ipn/ipnlocal/profiles_notwindows.go
@@ -16,7 +16,9 @@ import (
 func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
 	k := ipn.LegacyGlobalDaemonStateKey
 	switch {
-	case runtime.GOOS == "ios", version.IsSandboxedMacOS():
+	case runtime.GOOS == "ios":
+		k = "ipn-go-bridge"
+	case version.IsSandboxedMacOS():
 		k = "ipn-go-bridge"
 	case runtime.GOOS == "android":
 		k = "ipn-android"
--- a/ipn/ipnlocal/profiles_test.go
+++ b/ipn/ipnlocal/profiles_test.go
@@ -4,21 +4,17 @@
 package ipnlocal

 import (
-	"encoding/json"
 	"fmt"
 	"os/user"
 	"strconv"
 	"testing"

-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/persist"
-	"tailscale.com/util/must"
 )

 func TestProfileCurrentUserSwitch(t *testing.T) {
@@ -36,6 +32,7 @@ func TestProfileCurrentUserSwitch(t *testing.T) {
 		p := pm.CurrentPrefs().AsStruct()
 		p.Persist = &persist.Persist{
 			NodeID:         tailcfg.StableNodeID(fmt.Sprint(id)),
+			LoginName:      loginName,
 			PrivateNodeKey: key.NewNode(),
 			UserProfile: tailcfg.UserProfile{
 				ID:        tailcfg.UserID(id),
@@ -91,6 +88,7 @@ func TestProfileList(t *testing.T) {
 		p := pm.CurrentPrefs().AsStruct()
 		p.Persist = &persist.Persist{
 			NodeID:         tailcfg.StableNodeID(fmt.Sprint(id)),
+			LoginName:      loginName,
 			PrivateNodeKey: key.NewNode(),
 			UserProfile: tailcfg.UserProfile{
 				ID:        tailcfg.UserID(id),
@@ -134,186 +132,22 @@ func TestProfileList(t *testing.T) {
 	if lp := pm.findProfileByName(carol.Name); lp != nil {
 		t.Fatalf("found profile for user2 in user1's profile list")
 	}
+	if lp := pm.findProfilesByNodeID(carol.ControlURL, carol.NodeID); lp != nil {
+		t.Fatalf("found profile for user2 in user1's profile list")
+	}
+	if lp := pm.findProfilesByUserID(carol.ControlURL, carol.UserProfile.ID); lp != nil {
+		t.Fatalf("found profile for user2 in user1's profile list")
+	}

 	pm.SetCurrentUserID("user2")
 	checkProfiles(t, "carol")
-}
-
-func TestProfileDupe(t *testing.T) {
-	newPersist := func(user, node int) *persist.Persist {
-		return &persist.Persist{
-			NodeID: tailcfg.StableNodeID(fmt.Sprintf("node%d", node)),
-			UserProfile: tailcfg.UserProfile{
-				ID:        tailcfg.UserID(user),
-				LoginName: fmt.Sprintf("user%d@example.com", user),
-			},
-		}
+	if lp := pm.findProfilesByNodeID(carol.ControlURL, carol.NodeID); lp == nil {
+		t.Fatalf("did not find profile for user2 in user2's profile list")
 	}
-	user1Node1 := newPersist(1, 1)
-	user1Node2 := newPersist(1, 2)
-	user2Node1 := newPersist(2, 1)
-	user2Node2 := newPersist(2, 2)
-	user3Node3 := newPersist(3, 3)
-
-	reauth := func(pm *profileManager, p *persist.Persist) {
-		prefs := ipn.NewPrefs()
-		prefs.Persist = p
-		must.Do(pm.SetPrefs(prefs.View()))
-	}
-	login := func(pm *profileManager, p *persist.Persist) {
-		pm.NewProfile()
-		reauth(pm, p)
+	if lp := pm.findProfilesByUserID(carol.ControlURL, carol.UserProfile.ID); lp == nil {
+		t.Fatalf("did not find profile for user2 in user2's profile list")
 	}

-	type step struct {
-		fn func(pm *profileManager, p *persist.Persist)
-		p  *persist.Persist
-	}
-
-	tests := []struct {
-		name  string
-		steps []step
-		profs []*persist.Persist
-	}{
-		{
-			name: "reauth-new-node",
-			steps: []step{
-				{login, user1Node1},
-				{reauth, user3Node3},
-			},
-			profs: []*persist.Persist{
-				user3Node3,
-			},
-		},
-		{
-			name: "reauth-same-node",
-			steps: []step{
-				{login, user1Node1},
-				{reauth, user1Node1},
-			},
-			profs: []*persist.Persist{
-				user1Node1,
-			},
-		},
-		{
-			name: "reauth-other-profile",
-			steps: []step{
-				{login, user1Node1},
-				{login, user2Node2},
-				{reauth, user1Node1},
-			},
-			profs: []*persist.Persist{
-				user1Node1,
-				user2Node2,
-			},
-		},
-		{
-			name: "reauth-replace-user",
-			steps: []step{
-				{login, user1Node1},
-				{login, user3Node3},
-				{reauth, user2Node1},
-			},
-			profs: []*persist.Persist{
-				user2Node1,
-				user3Node3,
-			},
-		},
-		{
-			name: "reauth-replace-node",
-			steps: []step{
-				{login, user1Node1},
-				{login, user3Node3},
-				{reauth, user1Node2},
-			},
-			profs: []*persist.Persist{
-				user1Node2,
-				user3Node3,
-			},
-		},
-		{
-			name: "login-same-node",
-			steps: []step{
-				{login, user1Node1},
-				{login, user3Node3}, // random other profile
-				{login, user1Node1},
-			},
-			profs: []*persist.Persist{
-				user1Node1,
-				user3Node3,
-			},
-		},
-		{
-			name: "login-replace-user",
-			steps: []step{
-				{login, user1Node1},
-				{login, user3Node3}, // random other profile
-				{login, user2Node1},
-			},
-			profs: []*persist.Persist{
-				user2Node1,
-				user3Node3,
-			},
-		},
-		{
-			name: "login-replace-node",
-			steps: []step{
-				{login, user1Node1},
-				{login, user3Node3}, // random other profile
-				{login, user1Node2},
-			},
-			profs: []*persist.Persist{
-				user1Node2,
-				user3Node3,
-			},
-		},
-		{
-			name: "login-new-node",
-			steps: []step{
-				{login, user1Node1},
-				{login, user2Node2},
-			},
-			profs: []*persist.Persist{
-				user1Node1,
-				user2Node2,
-			},
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			store := new(mem.Store)
-			pm, err := newProfileManagerWithGOOS(store, logger.Discard, "linux")
-			if err != nil {
-				t.Fatal(err)
-			}
-			for _, s := range tc.steps {
-				s.fn(pm, s.p)
-			}
-			profs := pm.Profiles()
-			var got []*persist.Persist
-			for _, p := range profs {
-				prefs, err := pm.loadSavedPrefs(p.Key)
-				if err != nil {
-					t.Fatal(err)
-				}
-				got = append(got, prefs.Persist().AsStruct())
-			}
-			d := cmp.Diff(tc.profs, got, cmpopts.SortSlices(func(a, b *persist.Persist) bool {
-				if a.NodeID != b.NodeID {
-					return a.NodeID < b.NodeID
-				}
-				return a.UserProfile.ID < b.UserProfile.ID
-			}))
-			if d != "" {
-				t.Fatal(d)
-			}
-		})
-	}
-}
-
-func asJSON(v any) []byte {
-	return must.Get(json.MarshalIndent(v, "", "  "))
 }

 // TestProfileManagement tests creating, loading, and switching profiles.
@@ -377,6 +211,7 @@ func TestProfileManagement(t *testing.T) {
 			nodeIDs[loginName] = nid
 		}
 		p.Persist = &persist.Persist{
+			LoginName:      loginName,
 			PrivateNodeKey: key.NewNode(),
 			UserProfile: tailcfg.UserProfile{
 				ID:        uid,
@@ -505,6 +340,7 @@ func TestProfileManagementWindows(t *testing.T) {
 		p := pm.CurrentPrefs().AsStruct()
 		p.ForceDaemon = forceDaemon
 		p.Persist = &persist.Persist{
+			LoginName: loginName,
 			UserProfile: tailcfg.UserProfile{
 				ID:        id,
 				LoginName: loginName,
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -499,7 +499,6 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	// Clear any incoming values squatting in the headers.
 	r.Out.Header.Del("Tailscale-User-Login")
 	r.Out.Header.Del("Tailscale-User-Name")
-	r.Out.Header.Del("Tailscale-User-Profile-Pic")
 	r.Out.Header.Del("Tailscale-Headers-Info")

 	c, ok := getServeHTTPContext(r.Out)
@@ -517,7 +516,6 @@ func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
 	}
 	r.Out.Header.Set("Tailscale-User-Login", user.LoginName)
 	r.Out.Header.Set("Tailscale-User-Name", user.DisplayName)
-	r.Out.Header.Set("Tailscale-User-Profile-Pic", user.ProfilePicURL)
 	r.Out.Header.Set("Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers")
 }

--- a/ipn/ipnlocal/serve_test.go
+++ b/ipn/ipnlocal/serve_test.go
@@ -195,9 +195,8 @@ func TestServeHTTPProxy(t *testing.T) {
 		},
 		UserProfiles: map[tailcfg.UserID]tailcfg.UserProfile{
 			tailcfg.UserID(1): {
-				LoginName:     "someone@example.com",
-				DisplayName:   "Some One",
-				ProfilePicURL: "https://example.com/photo.jpg",
+				LoginName:   "someone@example.com",
+				DisplayName: "Some One",
 			},
 		},
 	}
@@ -254,7 +253,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.150.151.152"},
 				{"Tailscale-User-Login", "someone@example.com"},
 				{"Tailscale-User-Name", "Some One"},
-				{"Tailscale-User-Profile-Pic", "https://example.com/photo.jpg"},
 				{"Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers"},
 			},
 		},
@@ -266,7 +264,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.150.151.153"},
 				{"Tailscale-User-Login", ""},
 				{"Tailscale-User-Name", ""},
-				{"Tailscale-User-Profile-Pic", ""},
 				{"Tailscale-Headers-Info", ""},
 			},
 		},
@@ -278,7 +275,6 @@ func TestServeHTTPProxy(t *testing.T) {
 				{"X-Forwarded-For", "100.160.161.162"},
 				{"Tailscale-User-Login", ""},
 				{"Tailscale-User-Name", ""},
-				{"Tailscale-User-Profile-Pic", ""},
 				{"Tailscale-Headers-Info", ""},
 			},
 		},
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -476,6 +476,7 @@ func TestStateMachine(t *testing.T) {
 	// The backend should propagate this upward for the UI.
 	t.Logf("\n\nLoginFinished")
 	notifies.expect(3)
+	cc.persist.LoginName = "user1"
 	cc.persist.UserProfile.LoginName = "user1"
 	cc.persist.NodeID = "node1"
 	cc.send(nil, "", true, &netmap.NetworkMap{})
@@ -493,7 +494,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
 		c.Assert(nn[2].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs.Persist().UserProfile().LoginName(), qt.Equals, "user1")
+		c.Assert(nn[1].Prefs.Persist().LoginName(), qt.Equals, "user1")
 		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[2].State)
 		c.Assert(ipn.NeedsMachineAuth, qt.Equals, b.State())
 	}
@@ -702,6 +703,7 @@ func TestStateMachine(t *testing.T) {
 	b.Login(nil)
 	t.Logf("\n\nLoginFinished3")
 	notifies.expect(3)
+	cc.persist.LoginName = "user2"
 	cc.persist.UserProfile.LoginName = "user2"
 	cc.persist.NodeID = "node2"
 	cc.send(nil, "", true, &netmap.NetworkMap{
@@ -715,7 +717,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[1].Prefs.Persist(), qt.IsNotNil)
 		c.Assert(nn[2].State, qt.IsNotNil)
 		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist().UserProfile().LoginName(), qt.Equals, "user2")
+		c.Assert(nn[1].Prefs.Persist().LoginName(), qt.Equals, "user2")
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsFalse)
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
 		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
@@ -838,6 +840,7 @@ func TestStateMachine(t *testing.T) {
 	// interactive login, so we end up unpaused.
 	t.Logf("\n\nLoginDifferent URL visited")
 	notifies.expect(3)
+	cc.persist.LoginName = "user3"
 	cc.persist.UserProfile.LoginName = "user3"
 	cc.persist.NodeID = "node3"
 	cc.send(nil, "", true, &netmap.NetworkMap{
@@ -856,7 +859,7 @@ func TestStateMachine(t *testing.T) {
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
 		c.Assert(nn[2].State, qt.IsNotNil)
 		// Prefs after finishing the login, so LoginName updated.
-		c.Assert(nn[1].Prefs.Persist().UserProfile().LoginName(), qt.Equals, "user3")
+		c.Assert(nn[1].Prefs.Persist().LoginName(), qt.Equals, "user3")
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsFalse)
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
 		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -639,6 +639,9 @@ type PingResult struct {
 	// a ping to the local node.
 	IsLocalIP bool `json:",omitempty"`

+	// Size is the size of the ping message.
+	Size int `json:",omitempty"`
+
 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }

@@ -655,6 +658,7 @@ func (pr *PingResult) ToPingResponse(pingType tailcfg.PingType) *tailcfg.PingRes
 		DERPRegionCode: pr.DERPRegionCode,
 		PeerAPIPort:    pr.PeerAPIPort,
 		IsLocalIP:      pr.IsLocalIP,
+		Size:           pr.Size,
 	}
 }

--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -37,7 +37,6 @@ import (
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/portmapper"
-	"tailscale.com/net/tstun"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/tstime"
@@ -45,11 +44,9 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/types/ptr"
-	"tailscale.com/types/tkatype"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/httpm"
 	"tailscale.com/util/mak"
-	"tailscale.com/util/osdiag"
 	"tailscale.com/version"
 )

@@ -109,13 +106,9 @@ var handler = map[string]localAPIHandler{
 	"tka/affected-sigs":           (*Handler).serveTKAAffectedSigs,
 	"tka/wrap-preauth-key":        (*Handler).serveTKAWrapPreauthKey,
 	"tka/verify-deeplink":         (*Handler).serveTKAVerifySigningDeeplink,
-	"tka/generate-recovery-aum":   (*Handler).serveTKAGenerateRecoveryAUM,
-	"tka/cosign-recovery-aum":     (*Handler).serveTKACosignRecoveryAUM,
-	"tka/submit-recovery-aum":     (*Handler).serveTKASubmitRecoveryAUM,
 	"upload-client-metrics":       (*Handler).serveUploadClientMetrics,
 	"watch-ipn-bus":               (*Handler).serveWatchIPNBus,
 	"whois":                       (*Handler).serveWhoIs,
-	"query-feature":               (*Handler).serveQueryFeature,
 }

 func randHex(n int) string {
@@ -352,9 +345,6 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	// logs for them.
 	envknob.LogCurrent(logger.WithPrefix(h.logf, "user bugreport: "))

-	// OS-specific details
-	osdiag.LogSupportInfo(logger.WithPrefix(h.logf, "user bugreport OS: "), osdiag.LogSupportInfoReasonBugReport)
-
 	if defBool(r.URL.Query().Get("diagnose"), false) {
 		h.b.Doctor(r.Context(), logger.WithPrefix(h.logf, "diag: "))
 	}
@@ -437,8 +427,8 @@ func (h *Handler) serveWhoIs(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	res := &apitype.WhoIsResponse{
-		Node:        n,  // always non-nil per WhoIsResponse contract
-		UserProfile: &u, // always non-nil per WhoIsResponse contract
+		Node:        n,
+		UserProfile: &u,
 		CapMap:      b.PeerCaps(ipp.Addr()),
 	}
 	j, err := json.MarshalIndent(res, "", "\t")
@@ -559,10 +549,7 @@ func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
 			break
 		}
 		h.b.DebugNotify(n)
-	case "break-tcp-conns":
-		err = h.b.DebugBreakTCPConns()
-	case "break-derp-conns":
-		err = h.b.DebugBreakDERPConns()
+
 	case "":
 		err = fmt.Errorf("missing parameter 'action'")
 	default:
@@ -1358,14 +1345,6 @@ func (h *Handler) servePing(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "invalid 'size' parameter", 400)
 			return
 		}
-		if size != 0 && tailcfg.PingType(pingTypeStr) != tailcfg.PingDisco {
-			http.Error(w, "'size' parameter is only supported with disco pings", 400)
-			return
-		}
-		if size > int(tstun.DefaultMTU()) {
-			http.Error(w, fmt.Sprintf("maximum value for 'size' is %v", tstun.DefaultMTU()), 400)
-			return
-		}
 	}
 	res, err := h.b.Ping(ctx, ip, tailcfg.PingType(pingTypeStr), size)
 	if err != nil {
@@ -1458,9 +1437,10 @@ func (h *Handler) serveUploadClientMetrics(w http.ResponseWriter, r *http.Reques
 		return
 	}
 	type clientMetricJSON struct {
-		Name  string `json:"name"`
-		Type  string `json:"type"`  // one of "counter" or "gauge"
-		Value int    `json:"value"` // amount to increment metric by
+		Name string `json:"name"`
+		// One of "counter" or "gauge"
+		Type  string `json:"type"`
+		Value int    `json:"value"`
 	}

 	var clientMetrics []clientMetricJSON
@@ -1776,103 +1756,6 @@ func (h *Handler) serveTKAAffectedSigs(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

-func (h *Handler) serveTKAGenerateRecoveryAUM(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	type verifyRequest struct {
-		Keys     []tkatype.KeyID
-		ForkFrom string
-	}
-	var req verifyRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		http.Error(w, "invalid JSON for verifyRequest body", http.StatusBadRequest)
-		return
-	}
-
-	var forkFrom tka.AUMHash
-	if req.ForkFrom != "" {
-		if err := forkFrom.UnmarshalText([]byte(req.ForkFrom)); err != nil {
-			http.Error(w, "decoding fork-from: "+err.Error(), http.StatusBadRequest)
-			return
-		}
-	}
-
-	res, err := h.b.NetworkLockGenerateRecoveryAUM(req.Keys, forkFrom)
-	if err != nil {
-		http.Error(w, err.Error(), 500)
-		return
-	}
-	w.Header().Set("Content-Type", "application/octet-stream")
-	w.Write(res.Serialize())
-}
-
-func (h *Handler) serveTKACosignRecoveryAUM(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	body := io.LimitReader(r.Body, 1024*1024)
-	aumBytes, err := ioutil.ReadAll(body)
-	if err != nil {
-		http.Error(w, "reading AUM", http.StatusBadRequest)
-		return
-	}
-	var aum tka.AUM
-	if err := aum.Unserialize(aumBytes); err != nil {
-		http.Error(w, "decoding AUM", http.StatusBadRequest)
-		return
-	}
-
-	res, err := h.b.NetworkLockCosignRecoveryAUM(&aum)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Header().Set("Content-Type", "application/octet-stream")
-	w.Write(res.Serialize())
-}
-
-func (h *Handler) serveTKASubmitRecoveryAUM(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	body := io.LimitReader(r.Body, 1024*1024)
-	aumBytes, err := ioutil.ReadAll(body)
-	if err != nil {
-		http.Error(w, "reading AUM", http.StatusBadRequest)
-		return
-	}
-	var aum tka.AUM
-	if err := aum.Unserialize(aumBytes); err != nil {
-		http.Error(w, "decoding AUM", http.StatusBadRequest)
-		return
-	}
-
-	if err := h.b.NetworkLockSubmitRecoveryAUM(&aum); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.WriteHeader(http.StatusOK)
-}
-
 // serveProfiles serves profile switching-related endpoints. Supported methods
 // and paths are:
 //   - GET /profiles/: list all profiles (JSON-encoded array of ipn.LoginProfiles)
@@ -1957,66 +1840,6 @@ func (h *Handler) serveProfiles(w http.ResponseWriter, r *http.Request) {
 	}
 }

-// serveQueryFeature makes a request to the "/machine/feature/query"
-// Noise endpoint to get instructions on how to enable a feature, such as
-// Funnel, for the node's tailnet.
-//
-// This request itself does not directly enable the feature on behalf of
-// the node, but rather returns information that can be presented to the
-// acting user about where/how to enable the feature. If relevant, this
-// includes a control URL the user can visit to explicitly consent to
-// using the feature.
-//
-// See tailcfg.QueryFeatureResponse for full response structure.
-func (h *Handler) serveQueryFeature(w http.ResponseWriter, r *http.Request) {
-	feature := r.FormValue("feature")
-	switch {
-	case !h.PermitRead:
-		http.Error(w, "access denied", http.StatusForbidden)
-		return
-	case r.Method != httpm.POST:
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	case feature == "":
-		http.Error(w, "missing feature", http.StatusInternalServerError)
-		return
-	}
-	nm := h.b.NetMap()
-	if nm == nil {
-		http.Error(w, "no netmap", http.StatusServiceUnavailable)
-		return
-	}
-
-	b, err := json.Marshal(&tailcfg.QueryFeatureRequest{
-		NodeKey: nm.NodeKey,
-		Feature: feature,
-	})
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	req, err := http.NewRequestWithContext(r.Context(),
-		"POST", "https://unused/machine/feature/query", bytes.NewReader(b))
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	resp, err := h.b.DoNoiseRequest(req)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	defer resp.Body.Close()
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(resp.StatusCode)
-	if _, err := io.Copy(w, resp.Body); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-}
-
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Val	0a6ddae0de	tmp: introduce wire/user/safe mtu	2023-08-07 23:05:24 +02:00
Val	7d18398d7f	tmp: more callmemaybe debugging	2023-08-07 21:04:10 +02:00
Val	01ed896b4d	tmp: add both kinds of mtu to printout of probe	2023-08-04 11:02:07 +02:00
Val	c3fac3f6a5	tmp: cut down on probe mtus for debugging	2023-08-03 18:03:26 +02:00
Val	bebb0dc684	Debugging printfs for PTB and MTU Signed-off-by: Val <valerie@tailscale.com>	2023-08-02 15:34:19 +02:00
salman	aec143eb97	WIP wgengine: inject ICMP PTB for oversize packets Now with IPv4/6 header math.	2023-08-02 15:34:00 +02:00
Val	1f7de20fe1	wgengine/magicsock: probe likely mtus when connecting to peers Updates #311 Signed-off-by: Val <valerie@tailscale.com>	2023-08-02 13:49:35 +02:00
Val	4bfeb8b483	wgengine/magicsock: add metric to record highest MTU Record the highest MTU we probe on any link at any time. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	2023-08-01 21:29:55 +02:00
Val	c989d08ac7	wgengine/magicsock: record best mtu to an endpoint Record any mtu information we get from CLI ping, but do not use it yet. Updates #311 Signed-off-by: Val <valerie@tailscale.com>	2023-08-01 21:29:47 +02:00
Val	b43c20872e	tmp: reminder to update max udp header when we start using bigger mtus	2023-07-31 20:58:36 +02:00
Val	9438ed7438	For merge: don't pad the pong reply Signed-off-by: Val <valerie@tailscale.com>	2023-07-29 21:58:45 +02:00
Val	f113eec45b	For merge: add payload size to ping log message	2023-07-29 21:17:21 +02:00
salman	7e9ed47026	wgengine,ipn,cmd/tailscale: add size option to ping This adds the capability to pad disco ping message payloads to reach a specified size. It also plumbs it through to the tailscale ping -size flag. Disco pings used for actual endpoint discovery do not use this yet. Updates #311. Co-authored-by: Val <valerie@tailscale.com> Signed-off-by: salman <salman@tailscale.com>	2023-07-29 21:17:21 +02:00
Val	c661d61e24	magicsock: set the don't fragment sockopt This sets the Don't Fragment flag, for now behind the TS_DEBUG_PMTUD envknob. Updates #311. Co-authored-by: salman <salman@tailscale.com> Signed-off-by: Val <valerie@tailscale.com>	2023-07-29 21:17:21 +02:00
@@ -1 +1 @@
 .49.0
 .47.0