net/interfaces: use a uint32_t for ipv4 address

The code was using a C "int", which is a signed 32-bit integer.
That means some valid IP addresses were negative numbers.
(In particular, the default router address handed out by AT&T
fiber: 192.168.1.254. No I don't know why they do that.)
A negative number is < 255, and so was treated by the Go code
as an error.

This fixes the unit test failure:

	$ go test -v -run=TestLikelyHomeRouterIPSyscallExec ./net/interfaces
	=== RUN   TestLikelyHomeRouterIPSyscallExec
	    interfaces_darwin_cgo_test.go:15: syscall() = invalid IP, false, netstat = 192.168.1.254, true
	--- FAIL: TestLikelyHomeRouterIPSyscallExec (0.00s)

Signed-off-by: David Crawshaw <crawshaw@tailscale.com>

cmd/hello/hello.go

@@ -0,0 +1,134 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// The hello binary runs hello.ipn.dev.
+package main // import "tailscale.com/cmd/hello"
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"html/template"
+	"io/ioutil"
+	"log"
+	"net"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"tailscale.com/safesocket"
+	"tailscale.com/tailcfg"
+)
+
+var (
+	httpAddr  = flag.String("http", ":80", "address to run an HTTP server on, or empty for none")
+	httpsAddr = flag.String("https", ":443", "address to run an HTTPS server on, or empty for none")
+)
+
+func main() {
+	flag.Parse()
+
+	http.HandleFunc("/", root)
+	log.Printf("Starting hello server.")
+
+	errc := make(chan error, 1)
+	if *httpAddr != "" {
+		log.Printf("running HTTP server on %s", *httpAddr)
+		go func() {
+			errc <- http.ListenAndServe(*httpAddr, nil)
+		}()
+	}
+	if *httpsAddr != "" {
+		log.Printf("running HTTPS server on %s", *httpsAddr)
+		go func() {
+			errc <- http.ListenAndServeTLS(*httpsAddr,
+				"/etc/hello/hello.ipn.dev.crt",
+				"/etc/hello/hello.ipn.dev.key",
+				nil,
+			)
+		}()
+	}
+	log.Fatal(<-errc)
+}
+
+func slurpHTML() string {
+	slurp, err := ioutil.ReadFile("hello.tmpl.html")
+	if err != nil {
+		log.Fatal(err)
+	}
+	return string(slurp)
+}
+
+var tmpl = template.Must(template.New("home").Parse(slurpHTML()))
+
+type tmplData struct {
+	DisplayName string // "Foo Barberson"
+	LoginName   string // "foo@bar.com"
+	MachineName string // "imac5k"
+	IP          string // "100.2.3.4"
+}
+
+func root(w http.ResponseWriter, r *http.Request) {
+	if r.TLS == nil && *httpsAddr != "" {
+		host := r.Host
+		if strings.Contains(r.Host, "100.101.102.103") {
+			host = "hello.ipn.dev"
+		}
+		http.Redirect(w, r, "https://"+host, http.StatusFound)
+		return
+	}
+	if r.RequestURI != "/" {
+		http.Redirect(w, r, "/", http.StatusFound)
+		return
+	}
+	ip, _, err := net.SplitHostPort(r.RemoteAddr)
+	if err != nil {
+		http.Error(w, "no remote addr", 500)
+		return
+	}
+	who, err := whoIs(ip)
+	if err != nil {
+		log.Printf("whois(%q) error: %v", ip, err)
+		http.Error(w, "Your Tailscale works, but we failed to look you up.", 500)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	tmpl.Execute(w, tmplData{
+		DisplayName: who.UserProfile.DisplayName,
+		LoginName:   who.UserProfile.LoginName,
+		MachineName: who.Node.ComputedName,
+		IP:          ip,
+	})
+}
+
+// tsSockClient does HTTP requests to the local Tailscale daemon.
+// The hostname in the HTTP request is ignored.
+var tsSockClient = &http.Client{
+	Transport: &http.Transport{
+		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
+			return safesocket.ConnectDefault()
+		},
+	},
+}
+
+func whoIs(ip string) (*tailcfg.WhoIsResponse, error) {
+	res, err := tsSockClient.Get("http://local-tailscaled.sock/localapi/v0/whois?ip=" + url.QueryEscape(ip))
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	slurp, _ := ioutil.ReadAll(res.Body)
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("HTTP %s: %s", res.Status, slurp)
+	}
+	r := new(tailcfg.WhoIsResponse)
+	if err := json.Unmarshal(slurp, r); err != nil {
+		if max := 200; len(slurp) > max {
+			slurp = slurp[:max]
+		}
+		return nil, fmt.Errorf("failed to parse JSON WhoIsResponse from %q", slurp)
+	}
+	return r, nil
+}

cmd/hello/hello.tmpl.html

@@ -0,0 +1,17 @@
+<html>
+  <head>
+    <title>Hello from Tailscale</title>
+  </head>
+  <body>
+    <h1>Hello!</h1>
+    <p>
+      Hello {{.DisplayName}} ({{.LoginName}}) from {{.MachineName}} ({{.IP}}).
+    </p>
+    <p>
+      <b>Your Tailscale is working!</b>
+    </p>
+    <p>
+      Welcome to Tailscale.
+    </p>
+  </body>
+</html>

cmd/tailscale/cli/up.go

@@ -228,7 +228,16 @@ func runUp(ctx context.Context, args []string) error {
 		AuthKey:  upArgs.authKey,
 		Notify: func(n ipn.Notify) {
 			if n.ErrMessage != nil {
-				fatalf("backend error: %v\n", *n.ErrMessage)
+				msg := *n.ErrMessage
+				if msg == ipn.ErrMsgPermissionDenied {
+					switch runtime.GOOS {
+					case "windows":
+						msg += " (Tailscale service in use by other user?)"
+					default:
+						msg += " (try 'sudo tailscale up [...]')"
+					}
+				}
+				fatalf("backend error: %v\n", msg)
 			}
 			if s := n.State; s != nil {
 				switch *s {

cmd/tailscale/depaware.txt

@@ -27,7 +27,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
      💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
    W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
         github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
      💣 go4.org/intern                                               from inet.af/netaddr
@@ -89,6 +88,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
         tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
         tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
+        tailscale.com/wgengine/wgcfg                                 from tailscale.com/control/controlclient+
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box

cmd/tailscaled/depaware.txt

@@ -31,7 +31,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device+
      💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
    W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun+
-        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/device+
         github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
      💣 go4.org/intern                                               from inet.af/netaddr
      💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
@@ -130,6 +129,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
         tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
         tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
         tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine+
+        tailscale.com/wgengine/wgcfg                                 from tailscale.com/control/controlclient+
         tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
    W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
         golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box

cmd/tailscaled/tailscaled.service

@@ -20,24 +20,5 @@ CacheDirectory=tailscale
 CacheDirectoryMode=0750
 Type=notify
 
-DeviceAllow=/dev/net/tun
-DeviceAllow=/dev/null
-DeviceAllow=/dev/random
-DeviceAllow=/dev/urandom
-DevicePolicy=strict
-LockPersonality=true
-MemoryDenyWriteExecute=true
-PrivateTmp=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-ReadWritePaths=/etc/
-ReadWritePaths=/run/
-ReadWritePaths=/var/run/
-RestrictSUIDSGID=true
-SystemCallArchitectures=native
-
 [Install]
 WantedBy=multi-user.target

control/controlclient/netmap.go

@@ -13,12 +13,12 @@ import (
 	"strings"
 	"time"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/filter"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 type NetworkMap struct {

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3
+	github.com/tailscale/wireguard-go v0.0.0-20210201213041-c9817e648365
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174

go.sum

@@ -296,6 +296,10 @@ github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d h1:8GcGtZ4U
 github.com/tailscale/wireguard-go v0.0.0-20210116013233-4cd297ed5a7d/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
 github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3 h1:wpgSErXul2ysBGZVVM0fKISMgZ9BZRXuOYAyn8MxAbY=
 github.com/tailscale/wireguard-go v0.0.0-20210120212909-7ad8a0443bd3/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/wireguard-go v0.0.0-20210129202040-ddaf8316eff8 h1:7OWHhbjWEuEjt+VlgOXLC4+iPkAvwTMU4zASxa+mKbw=
+github.com/tailscale/wireguard-go v0.0.0-20210129202040-ddaf8316eff8/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
+github.com/tailscale/wireguard-go v0.0.0-20210201213041-c9817e648365 h1:0OC8+fnUCx5ww7uRSlzbcVC6Q/FK0PmVclmimbpWbyk=
+github.com/tailscale/wireguard-go v0.0.0-20210201213041-c9817e648365/go.mod h1:K/wyv4+3PcdVVTV7szyoiEjJ1nVHonM8cJ2mQwG5Fl8=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=

internal/deepprint/deepprint_test.go

@@ -8,10 +8,10 @@ import (
 	"bytes"
 	"testing"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/router/dns"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 func TestDeepPrint(t *testing.T) {

ipn/ipnserver/server.go

@@ -115,10 +115,11 @@ type server struct {
 
 // connIdentity represents the owner of a localhost TCP connection.
 type connIdentity struct {
-	Unknown bool
-	Pid     int
-	UserID  string
-	User    *user.User
+	Unknown    bool
+	Pid        int
+	UserID     string
+	User       *user.User
+	IsUnixSock bool
 }
 
 // getConnIdentity returns the localhost TCP connection's identity information
@@ -127,7 +128,9 @@ type connIdentity struct {
 // to be able to map it and couldn't.
 func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
 	if runtime.GOOS != "windows" { // for now; TODO: expand to other OSes
-		return connIdentity{Unknown: true}, nil
+		ci = connIdentity{Unknown: true}
+		_, ci.IsUnixSock = c.(*net.UnixConn)
+		return ci, nil
 	}
 	la, err := netaddr.ParseIPPort(c.LocalAddr().String())
 	if err != nil {
@@ -622,7 +625,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		opts.DebugMux.HandleFunc("/debug/ipn", func(w http.ResponseWriter, r *http.Request) {
 			serveHTMLStatus(w, b)
 		})
-		opts.DebugMux.Handle("/whois", whoIsHandler{b})
+		opts.DebugMux.Handle("/localapi/v0/whois", whoIsHandler{b})
 	}
 
 	server.b = b
@@ -863,6 +866,10 @@ func (psc *protoSwitchConn) Close() error {
 
 func (s *server) localhostHandler(ci connIdentity) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if ci.IsUnixSock && r.URL.Path == "/localapi/v0/whois" {
+			whoIsHandler{s.b}.ServeHTTP(w, r)
+			return
+		}
 		if ci.Unknown {
 			io.WriteString(w, "<html><title>Tailscale</title><body><h1>Tailscale</h1>This is the local Tailscale daemon.")
 			return

ipn/local.go

@@ -15,7 +15,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/oauth2"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
@@ -37,6 +36,7 @@ import (
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/router/dns"
 	"tailscale.com/wgengine/tsdns"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 var controlDebugFlags = getControlDebugFlags()

ipn/message.go

@@ -146,6 +146,10 @@ func (bs *BackendServer) GotFakeCommand(ctx context.Context, cmd *Command) error
 	return bs.GotCommand(ctx, cmd)
 }
 
+// ErrMsgPermissionDenied is the Notify.ErrMessage value used an
+// operation was done from a user/context that didn't have permission.
+const ErrMsgPermissionDenied = "permission denied"
+
 func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
@@ -178,7 +182,7 @@ func (bs *BackendServer) GotCommand(ctx context.Context, cmd *Command) error {
 	}
 
 	if IsReadonlyContext(ctx) {
-		msg := "permission denied"
+		msg := ErrMsgPermissionDenied
 		bs.send(Notify{ErrMessage: &msg})
 		return nil
 	}

net/interfaces/interfaces_darwin_cgo.go

@@ -15,7 +15,7 @@ package interfaces
 
 // privateGatewayIPFromRoute returns the private gateway ip address from rtm, if it exists.
 // Otherwise, it returns 0.
-int privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
+uint32_t privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
 {
     // sockaddrs are after the message header
     struct sockaddr* dst_sa = (struct sockaddr *)(rtm + 1);
@@ -38,7 +38,7 @@ int privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
         return 0; // gateway not IPv4
 
     struct sockaddr_in* gateway_si= (struct sockaddr_in *)gateway_sa;
-    int ip;
+    uint32_t ip;
     ip = gateway_si->sin_addr.s_addr;
 
     unsigned char a, b;
@@ -62,7 +62,7 @@ int privateGatewayIPFromRoute(struct rt_msghdr2 *rtm)
 // If no private gateway IP address was found, it returns 0.
 // On an error, it returns an error code in (0, 255].
 // Any private gateway IP address is > 255.
-int privateGatewayIP()
+uint32_t privateGatewayIP()
 {
     size_t needed;
     int mib[6];
@@ -90,7 +90,7 @@ int privateGatewayIP()
 	struct rt_msghdr2 *rtm;
     for (next = buf; next < lim; next += rtm->rtm_msglen) {
         rtm = (struct rt_msghdr2 *)next;
-		int ip;
+        uint32_t ip;
         ip = privateGatewayIPFromRoute(rtm);
         if (ip) {
             free(buf);

safesocket/basic_test.go

@@ -32,7 +32,7 @@ func TestBasics(t *testing.T) {
 			errs <- err
 			return
 		}
-		fmt.Printf("server read %d bytes.\n", n)
+		t.Logf("server read %d bytes.", n)
 		if string(b[:n]) != "world" {
 			errs <- fmt.Errorf("got %#v, expected %#v\n", string(b[:n]), "world")
 			return

safesocket/safesocket.go

@@ -7,7 +7,9 @@
 package safesocket
 
 import (
+	"errors"
 	"net"
+	"runtime"
 )
 
 type closeable interface {
@@ -27,6 +29,11 @@ func ConnCloseWrite(c net.Conn) error {
 	return c.(closeable).CloseWrite()
 }
 
+// ConnectDefault connects to the local Tailscale daemon.
+func ConnectDefault() (net.Conn, error) {
+	return Connect("/var/run/tailscale/tailscaled.sock", 41112)
+}
+
 // Connect connects to either path (on Unix) or the provided localhost port (on Windows).
 func Connect(path string, port uint16) (net.Conn, error) {
 	return connect(path, port)
@@ -38,3 +45,21 @@ func Connect(path string, port uint16) (net.Conn, error) {
 func Listen(path string, port uint16) (_ net.Listener, gotPort uint16, _ error) {
 	return listen(path, port)
 }
+
+var (
+	ErrTokenNotFound = errors.New("no token found")
+	ErrNoTokenOnOS   = errors.New("no token on " + runtime.GOOS)
+)
+
+var localTCPPortAndToken func() (port int, token string, err error)
+
+// LocalTCPPortAndToken returns the port number and auth token to connect to
+// the local Tailscale daemon. It's currently only applicable on macOS
+// when tailscaled is being run in the Mac Sandbox from the App Store version
+// of Tailscale.
+func LocalTCPPortAndToken() (port int, token string, err error) {
+	if localTCPPortAndToken == nil {
+		return 0, "", ErrNoTokenOnOS
+	}
+	return localTCPPortAndToken()
+}

safesocket/safesocket_darwin.go

@@ -0,0 +1,52 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package safesocket
+
+import (
+	"bufio"
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"strconv"
+	"strings"
+)
+
+func init() {
+	localTCPPortAndToken = localTCPPortAndTokenDarwin
+}
+
+func localTCPPortAndTokenDarwin() (port int, token string, err error) {
+	out, err := exec.Command("lsof",
+		"-n",                             // numeric sockets; don't do DNS lookups, etc
+		"-a",                             // logical AND remaining options
+		fmt.Sprintf("-u%d", os.Getuid()), // process of same user only
+		"-c", "IPNExtension",             // starting with IPNExtension
+		"-F", // machine-readable output
+	).Output()
+	if err != nil {
+		return 0, "", fmt.Errorf("failed to run lsof looking for IPNExtension: %w", err)
+	}
+	bs := bufio.NewScanner(bytes.NewReader(out))
+	subStr := []byte(".tailscale.ipn.macos/sameuserproof-")
+	for bs.Scan() {
+		line := bs.Bytes()
+		i := bytes.Index(line, subStr)
+		if i == -1 {
+			continue
+		}
+		f := strings.SplitN(string(line[i+len(subStr):]), "-", 2)
+		if len(f) != 2 {
+			continue
+		}
+		portStr, token := f[0], f[1]
+		port, err := strconv.Atoi(portStr)
+		if err != nil {
+			return 0, "", fmt.Errorf("invalid port %q found in lsof", portStr)
+		}
+		return port, token, nil
+	}
+	return 0, "", ErrTokenNotFound
+}

safesocket/safesocket_test.go

@@ -0,0 +1,13 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package safesocket
+
+import "testing"
+
+func TestLocalTCPPortAndToken(t *testing.T) {
+	// Just test that it compiles for now (is available on all platforms).
+	port, token, err := LocalTCPPortAndToken()
+	t.Logf("got %v, %s, %v", port, token, err)
+}

safesocket/unixsocket.go

@@ -7,17 +7,15 @@
 package safesocket
 
 import (
-	"bufio"
-	"bytes"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"net"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
+	"strconv"
 	"strings"
 )
 
@@ -166,42 +164,24 @@ func connectMacOSAppSandbox() (net.Conn, error) {
 		}
 		f := strings.SplitN(best.Name(), "-", 3)
 		portStr, token := f[1], f[2]
-		return connectMacTCP(portStr, token)
+		port, err := strconv.Atoi(portStr)
+		if err != nil {
+			return nil, fmt.Errorf("invalid port %q", portStr)
+		}
+		return connectMacTCP(port, token)
 	}
 
 	// Otherwise, assume we're running the cmd/tailscale binary from outside the
 	// App Sandbox.
-
-	out, err := exec.Command("lsof",
-		"-n",                             // numeric sockets; don't do DNS lookups, etc
-		"-a",                             // logical AND remaining options
-		fmt.Sprintf("-u%d", os.Getuid()), // process of same user only
-		"-c", "IPNExtension",             // starting with IPNExtension
-		"-F", // machine-readable output
-	).Output()
+	port, token, err := LocalTCPPortAndToken()
 	if err != nil {
 		return nil, err
 	}
-	bs := bufio.NewScanner(bytes.NewReader(out))
-	subStr := []byte(".tailscale.ipn.macos/sameuserproof-")
-	for bs.Scan() {
-		line := bs.Bytes()
-		i := bytes.Index(line, subStr)
-		if i == -1 {
-			continue
-		}
-		f := strings.SplitN(string(line[i+len(subStr):]), "-", 2)
-		if len(f) != 2 {
-			continue
-		}
-		portStr, token := f[0], f[1]
-		return connectMacTCP(portStr, token)
-	}
-	return nil, fmt.Errorf("failed to find Tailscale's IPNExtension process")
+	return connectMacTCP(port, token)
 }
 
-func connectMacTCP(portStr, token string) (net.Conn, error) {
-	c, err := net.Dial("tcp", "localhost:"+portStr)
+func connectMacTCP(port int, token string) (net.Conn, error) {
+	c, err := net.Dial("tcp", "localhost:"+strconv.Itoa(port))
 	if err != nil {
 		return nil, fmt.Errorf("error dialing IPNExtension: %w", err)
 	}

tsweb/tsweb.go

@@ -42,6 +42,7 @@ func NewMux(debugHandler http.Handler) *http.ServeMux {
 
 func registerCommonDebug(mux *http.ServeMux) {
 	expvar.Publish("counter_uptime_sec", expvar.Func(func() interface{} { return int64(Uptime().Seconds()) }))
+	expvar.Publish("gauge_goroutines", expvar.Func(func() interface{} { return runtime.NumGoroutine() }))
 	mux.Handle("/debug/pprof/", Protected(http.DefaultServeMux)) // to net/http/pprof
 	mux.Handle("/debug/vars", Protected(http.DefaultServeMux))   // to expvar
 	mux.Handle("/debug/varz", Protected(http.HandlerFunc(VarzHandler)))

wgengine/magicsock/legacy.go

@@ -19,7 +19,6 @@ import (
 
 	"github.com/tailscale/wireguard-go/conn"
 	"github.com/tailscale/wireguard-go/tai64n"
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/blake2s"
 	"golang.org/x/crypto/chacha20poly1305"
 	"golang.org/x/crypto/poly1305"
@@ -28,6 +27,7 @@ import (
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 var (
@@ -438,7 +438,17 @@ func (a *addrSet) DstToBytes() []byte {
 	return packIPPort(a.dst())
 }
 func (a *addrSet) DstToString() string {
-	return a.Addrs()
+	var addrs []string
+	for _, addr := range a.addrs {
+		addrs = append(addrs, addr.String())
+	}
+
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.roamAddr != nil {
+		addrs = append(addrs, a.roamAddr.String())
+	}
+	return strings.Join(addrs, ",")
 }
 func (a *addrSet) DstIP() net.IP {
 	return a.dst().IP.IPAddr().IP // TODO: add netaddr accessor to cut an alloc here?
@@ -577,20 +587,6 @@ func (as *addrSet) populatePeerStatus(ps *ipnstate.PeerStatus) {
 	}
 }
 
-func (a *addrSet) Addrs() string {
-	var addrs []string
-	for _, addr := range a.addrs {
-		addrs = append(addrs, addr.String())
-	}
-
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	if a.roamAddr != nil {
-		addrs = append(addrs, a.roamAddr.String())
-	}
-	return strings.Join(addrs, ",")
-}
-
 // Message types copied from wireguard-go/device/noise-protocol.go
 const (
 	messageInitiationType  = 1

wgengine/magicsock/magicsock.go

@@ -3056,13 +3056,6 @@ func (de *discoEndpoint) String() string {
 	return fmt.Sprintf("magicsock.discoEndpoint{%v, %v}", de.publicKey.ShortString(), de.discoShort)
 }
 
-func (de *discoEndpoint) Addrs() string {
-	// This has to be the same string that was passed to
-	// CreateEndpoint, otherwise Reconfig will end up recreating
-	// Endpoints and losing state over time.
-	return de.wgEndpointHostPort
-}
-
 func (de *discoEndpoint) ClearSrc()           {}
 func (de *discoEndpoint) SrcToString() string { panic("unused") } // unused by wireguard-go
 func (de *discoEndpoint) SrcIP() net.IP       { panic("unused") } // unused by wireguard-go

wgengine/magicsock/magicsock_test.go

@@ -28,7 +28,6 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"github.com/tailscale/wireguard-go/device"
 	"github.com/tailscale/wireguard-go/tun/tuntest"
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
@@ -46,6 +45,7 @@ import (
 	"tailscale.com/types/wgkey"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/tstun"
+	"tailscale.com/wgengine/wgcfg"
 	"tailscale.com/wgengine/wglog"
 )
 
@@ -196,7 +196,7 @@ func newMagicStack(t testing.TB, logf logger.Logf, l nettype.PacketListener, der
 
 func (s *magicStack) Reconfig(cfg *wgcfg.Config) error {
 	s.wgLogger.SetPeers(cfg.Peers)
-	return s.dev.Reconfig(cfg)
+	return wgcfg.ReconfigDevice(s.dev, cfg, s.conn.logf)
 }
 
 func (s *magicStack) String() string {
@@ -1131,7 +1131,11 @@ func testTwoDevicePing(t *testing.T, d *devices) {
 		defer setT(outerT)
 		pingSeq(t, 50, 700*time.Millisecond, false)
 
-		ep2 := m2.dev.Config().Peers[0].Endpoints
+		cfg, err := wgcfg.DeviceConfig(m2.dev)
+		if err != nil {
+			t.Fatal(err)
+		}
+		ep2 := cfg.Peers[0].Endpoints
 		if len(ep2) != 2 {
 			t.Error("handshake spray failed to find real route")
 		}

wgengine/userspace.go

@@ -23,7 +23,6 @@ import (
 
 	"github.com/tailscale/wireguard-go/device"
 	"github.com/tailscale/wireguard-go/tun"
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
@@ -46,6 +45,7 @@ import (
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
 	"tailscale.com/wgengine/tstun"
+	"tailscale.com/wgengine/wgcfg"
 	"tailscale.com/wgengine/wglog"
 )
 
@@ -836,7 +836,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 		}
 		if numRemove > 0 {
 			e.logf("wgengine: Reconfig: removing session keys for %d peers", numRemove)
-			if err := e.wgdev.Reconfig(&minner); err != nil {
+			if err := wgcfg.ReconfigDevice(e.wgdev, &minner, e.logf); err != nil {
 				e.logf("wgdev.Reconfig: %v", err)
 				return err
 			}
@@ -844,7 +844,7 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked(discoChanged map[key.Publ
 	}
 
 	e.logf("wgengine: Reconfig: configuring userspace wireguard config (with %d/%d peers)", len(min.Peers), len(full.Peers))
-	if err := e.wgdev.Reconfig(&min); err != nil {
+	if err := wgcfg.ReconfigDevice(e.wgdev, &min, e.logf); err != nil {
 		e.logf("wgdev.Reconfig: %v", err)
 		return err
 	}

wgengine/userspace_test.go

@@ -11,13 +11,13 @@ import (
 	"testing"
 	"time"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tstun"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 func TestNoteReceiveActivity(t *testing.T) {

wgengine/watchdog.go

@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
@@ -21,6 +20,7 @@ import (
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 // NewWatchdog wraps an Engine and makes sure that all methods complete

wgengine/wgcfg/config.go

@@ -0,0 +1,67 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package wgcfg has types and a parser for representing WireGuard config.
+package wgcfg
+
+import (
+	"inet.af/netaddr"
+)
+
+// Config is a WireGuard configuration.
+// It only supports the set of things Tailscale uses.
+type Config struct {
+	Name       string
+	PrivateKey PrivateKey
+	Addresses  []netaddr.IPPrefix
+	ListenPort uint16
+	MTU        uint16
+	DNS        []netaddr.IP
+	Peers      []Peer
+}
+
+type Peer struct {
+	PublicKey           Key
+	AllowedIPs          []netaddr.IPPrefix
+	Endpoints           string // comma-separated host/port pairs: "1.2.3.4:56,[::]:80"
+	PersistentKeepalive uint16
+}
+
+// Copy makes a deep copy of Config.
+// The result aliases no memory with the original.
+func (cfg Config) Copy() Config {
+	res := cfg
+	if res.Addresses != nil {
+		res.Addresses = append([]netaddr.IPPrefix{}, res.Addresses...)
+	}
+	if res.DNS != nil {
+		res.DNS = append([]netaddr.IP{}, res.DNS...)
+	}
+	peers := make([]Peer, 0, len(res.Peers))
+	for _, peer := range res.Peers {
+		peers = append(peers, peer.Copy())
+	}
+	res.Peers = peers
+	return res
+}
+
+// Copy makes a deep copy of Peer.
+// The result aliases no memory with the original.
+func (peer Peer) Copy() Peer {
+	res := peer
+	if res.AllowedIPs != nil {
+		res.AllowedIPs = append([]netaddr.IPPrefix{}, res.AllowedIPs...)
+	}
+	return res
+}
+
+// PeerWithKey returns the Peer with key k and reports whether it was found.
+func (config Config) PeerWithKey(k Key) (Peer, bool) {
+	for _, p := range config.Peers {
+		if p.PublicKey == k {
+			return p, true
+		}
+	}
+	return Peer{}, false
+}

wgengine/wgcfg/device.go

@@ -0,0 +1,61 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"io"
+	"sort"
+
+	"github.com/tailscale/wireguard-go/device"
+	"tailscale.com/types/logger"
+)
+
+func DeviceConfig(d *device.Device) (*Config, error) {
+	r, w := io.Pipe()
+	errc := make(chan error, 1)
+	go func() {
+		errc <- d.IpcGetOperation(w)
+		w.Close()
+	}()
+	cfg, err := FromUAPI(r)
+	if err != nil {
+		return nil, err
+	}
+	if err := <-errc; err != nil {
+		return nil, err
+	}
+
+	sort.Slice(cfg.Peers, func(i, j int) bool {
+		return cfg.Peers[i].PublicKey.LessThan(&cfg.Peers[j].PublicKey)
+	})
+	return cfg, nil
+}
+
+// ReconfigDevice replaces the existing device configuration with cfg.
+func ReconfigDevice(d *device.Device, cfg *Config, logf logger.Logf) (err error) {
+	defer func() {
+		if err != nil {
+			logf("wgcfg.Reconfig failed: %v", err)
+		}
+	}()
+
+	prev, err := DeviceConfig(d)
+	if err != nil {
+		return err
+	}
+
+	r, w := io.Pipe()
+	errc := make(chan error)
+	go func() {
+		errc <- d.IpcSetOperation(r)
+	}()
+
+	err = cfg.ToUAPI(w, prev)
+	if err != nil {
+		return err
+	}
+	w.Close()
+	return <-errc
+}

wgengine/wgcfg/device_test.go

@@ -0,0 +1,242 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"os"
+	"sort"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/tailscale/wireguard-go/device"
+	"github.com/tailscale/wireguard-go/tun"
+	"inet.af/netaddr"
+	"tailscale.com/types/wgkey"
+)
+
+func TestDeviceConfig(t *testing.T) {
+	newPrivateKey := func() (Key, PrivateKey) {
+		t.Helper()
+		pk, err := wgkey.NewPrivate()
+		if err != nil {
+			t.Fatal(err)
+		}
+		return Key(pk.Public()), PrivateKey(pk)
+	}
+	k1, pk1 := newPrivateKey()
+	ip1 := netaddr.MustParseIPPrefix("10.0.0.1/32")
+
+	k2, pk2 := newPrivateKey()
+	ip2 := netaddr.MustParseIPPrefix("10.0.0.2/32")
+
+	k3, _ := newPrivateKey()
+	ip3 := netaddr.MustParseIPPrefix("10.0.0.3/32")
+
+	cfg1 := &Config{
+		PrivateKey: PrivateKey(pk1),
+		Peers: []Peer{{
+			PublicKey:  k2,
+			AllowedIPs: []netaddr.IPPrefix{ip2},
+		}},
+	}
+
+	cfg2 := &Config{
+		PrivateKey: PrivateKey(pk2),
+		Peers: []Peer{{
+			PublicKey:           k1,
+			AllowedIPs:          []netaddr.IPPrefix{ip1},
+			PersistentKeepalive: 5,
+		}},
+	}
+
+	device1 := device.NewDevice(newNilTun(), &device.DeviceOptions{
+		Logger: device.NewLogger(device.LogLevelError, "device1"),
+	})
+	device2 := device.NewDevice(newNilTun(), &device.DeviceOptions{
+		Logger: device.NewLogger(device.LogLevelError, "device2"),
+	})
+	defer device1.Close()
+	defer device2.Close()
+
+	cmp := func(t *testing.T, d *device.Device, want *Config) {
+		t.Helper()
+		got, err := DeviceConfig(d)
+		if err != nil {
+			t.Fatal(err)
+		}
+		prev := new(Config)
+		gotbuf := new(strings.Builder)
+		err = got.ToUAPI(gotbuf, prev)
+		gotStr := gotbuf.String()
+		if err != nil {
+			t.Errorf("got.ToUAPI(): error: %v", err)
+			return
+		}
+		wantbuf := new(strings.Builder)
+		err = want.ToUAPI(wantbuf, prev)
+		wantStr := wantbuf.String()
+		if err != nil {
+			t.Errorf("want.ToUAPI(): error: %v", err)
+			return
+		}
+		if gotStr != wantStr {
+			buf := new(bytes.Buffer)
+			w := bufio.NewWriter(buf)
+			if err := d.IpcGetOperation(w); err != nil {
+				t.Errorf("on error, could not IpcGetOperation: %v", err)
+			}
+			w.Flush()
+			t.Errorf("cfg:\n%s\n---- want:\n%s\n---- uapi:\n%s", gotStr, wantStr, buf.String())
+		}
+	}
+
+	t.Run("device1 config", func(t *testing.T) {
+		if err := ReconfigDevice(device1, cfg1, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device1, cfg1)
+	})
+
+	t.Run("device2 config", func(t *testing.T) {
+		if err := ReconfigDevice(device2, cfg2, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device2, cfg2)
+	})
+
+	// This is only to test that Config and Reconfig are properly synchronized.
+	t.Run("device2 config/reconfig", func(t *testing.T) {
+		var wg sync.WaitGroup
+		wg.Add(2)
+
+		go func() {
+			ReconfigDevice(device2, cfg2, t.Logf)
+			wg.Done()
+		}()
+
+		go func() {
+			DeviceConfig(device2)
+			wg.Done()
+		}()
+
+		wg.Wait()
+	})
+
+	t.Run("device1 modify peer", func(t *testing.T) {
+		cfg1.Peers[0].Endpoints = "1.2.3.4:12345"
+		if err := ReconfigDevice(device1, cfg1, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device1, cfg1)
+	})
+
+	t.Run("device1 replace endpoint", func(t *testing.T) {
+		cfg1.Peers[0].Endpoints = "1.1.1.1:123"
+		if err := ReconfigDevice(device1, cfg1, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device1, cfg1)
+	})
+
+	t.Run("device1 add new peer", func(t *testing.T) {
+		cfg1.Peers = append(cfg1.Peers, Peer{
+			PublicKey:  k3,
+			AllowedIPs: []netaddr.IPPrefix{ip3},
+		})
+		sort.Slice(cfg1.Peers, func(i, j int) bool {
+			return cfg1.Peers[i].PublicKey.LessThan(&cfg1.Peers[j].PublicKey)
+		})
+
+		origCfg, err := DeviceConfig(device1)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		if err := ReconfigDevice(device1, cfg1, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device1, cfg1)
+
+		newCfg, err := DeviceConfig(device1)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		peer0 := func(cfg *Config) Peer {
+			p, ok := cfg.PeerWithKey(k2)
+			if !ok {
+				t.Helper()
+				t.Fatal("failed to look up peer 2")
+			}
+			return p
+		}
+		peersEqual := func(p, q Peer) bool {
+			return p.PublicKey == q.PublicKey && p.PersistentKeepalive == q.PersistentKeepalive &&
+				p.Endpoints == q.Endpoints && cidrsEqual(p.AllowedIPs, q.AllowedIPs)
+		}
+		if !peersEqual(peer0(origCfg), peer0(newCfg)) {
+			t.Error("reconfig modified old peer")
+		}
+	})
+
+	t.Run("device1 remove peer", func(t *testing.T) {
+		removeKey := cfg1.Peers[len(cfg1.Peers)-1].PublicKey
+		cfg1.Peers = cfg1.Peers[:len(cfg1.Peers)-1]
+
+		if err := ReconfigDevice(device1, cfg1, t.Logf); err != nil {
+			t.Fatal(err)
+		}
+		cmp(t, device1, cfg1)
+
+		newCfg, err := DeviceConfig(device1)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		_, ok := newCfg.PeerWithKey(removeKey)
+		if ok {
+			t.Error("reconfig failed to remove peer")
+		}
+	})
+}
+
+// TODO: replace with a loopback tunnel
+type nilTun struct {
+	events chan tun.Event
+	closed chan struct{}
+}
+
+func newNilTun() tun.Device {
+	return &nilTun{
+		events: make(chan tun.Event),
+		closed: make(chan struct{}),
+	}
+}
+
+func (t *nilTun) File() *os.File         { return nil }
+func (t *nilTun) Flush() error           { return nil }
+func (t *nilTun) MTU() (int, error)      { return 1420, nil }
+func (t *nilTun) Name() (string, error)  { return "niltun", nil }
+func (t *nilTun) Events() chan tun.Event { return t.events }
+
+func (t *nilTun) Read(data []byte, offset int) (int, error) {
+	<-t.closed
+	return 0, io.EOF
+}
+
+func (t *nilTun) Write(data []byte, offset int) (int, error) {
+	<-t.closed
+	return 0, io.EOF
+}
+
+func (t *nilTun) Close() error {
+	close(t.events)
+	close(t.closed)
+	return nil
+}

wgengine/wgcfg/key.go

@@ -0,0 +1,240 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/crypto/curve25519"
+)
+
+const KeySize = 32
+
+// Key is curve25519 key.
+// It is used by WireGuard to represent public and preshared keys.
+type Key [KeySize]byte
+
+// NewPresharedKey generates a new random key.
+func NewPresharedKey() (*Key, error) {
+	var k [KeySize]byte
+	_, err := rand.Read(k[:])
+	if err != nil {
+		return nil, err
+	}
+	return (*Key)(&k), nil
+}
+
+func ParseKey(b64 string) (*Key, error) { return parseKeyBase64(base64.StdEncoding, b64) }
+
+func ParseHexKey(s string) (Key, error) {
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return Key{}, &ParseError{"invalid hex key: " + err.Error(), s}
+	}
+	if len(b) != KeySize {
+		return Key{}, &ParseError{fmt.Sprintf("invalid hex key length: %d", len(b)), s}
+	}
+
+	var key Key
+	copy(key[:], b)
+	return key, nil
+}
+
+func ParsePrivateHexKey(v string) (PrivateKey, error) {
+	k, err := ParseHexKey(v)
+	if err != nil {
+		return PrivateKey{}, err
+	}
+	pk := PrivateKey(k)
+	if pk.IsZero() {
+		// Do not clamp a zero key, pass the zero through
+		// (much like NaN propagation) so that IsZero reports
+		// a useful result.
+		return pk, nil
+	}
+	pk.clamp()
+	return pk, nil
+}
+
+func (k Key) Base64() string    { return base64.StdEncoding.EncodeToString(k[:]) }
+func (k Key) String() string    { return k.ShortString() }
+func (k Key) HexString() string { return hex.EncodeToString(k[:]) }
+func (k Key) Equal(k2 Key) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }
+
+func (k *Key) ShortString() string {
+	long := k.Base64()
+	return "[" + long[0:5] + "]"
+}
+
+func (k *Key) IsZero() bool {
+	if k == nil {
+		return true
+	}
+	var zeros Key
+	return subtle.ConstantTimeCompare(zeros[:], k[:]) == 1
+}
+
+func (k *Key) MarshalJSON() ([]byte, error) {
+	if k == nil {
+		return []byte("null"), nil
+	}
+	buf := new(bytes.Buffer)
+	fmt.Fprintf(buf, `"%x"`, k[:])
+	return buf.Bytes(), nil
+}
+
+func (k *Key) UnmarshalJSON(b []byte) error {
+	if k == nil {
+		return errors.New("wgcfg.Key: UnmarshalJSON on nil pointer")
+	}
+	if len(b) < 3 || b[0] != '"' || b[len(b)-1] != '"' {
+		return errors.New("wgcfg.Key: UnmarshalJSON not given a string")
+	}
+	b = b[1 : len(b)-1]
+	key, err := ParseHexKey(string(b))
+	if err != nil {
+		return fmt.Errorf("wgcfg.Key: UnmarshalJSON: %v", err)
+	}
+	copy(k[:], key[:])
+	return nil
+}
+
+func (a *Key) LessThan(b *Key) bool {
+	for i := range a {
+		if a[i] < b[i] {
+			return true
+		} else if a[i] > b[i] {
+			return false
+		}
+	}
+	return false
+}
+
+// PrivateKey is curve25519 key.
+// It is used by WireGuard to represent private keys.
+type PrivateKey [KeySize]byte
+
+// NewPrivateKey generates a new curve25519 secret key.
+// It conforms to the format described on https://cr.yp.to/ecdh.html.
+func NewPrivateKey() (PrivateKey, error) {
+	k, err := NewPresharedKey()
+	if err != nil {
+		return PrivateKey{}, err
+	}
+	k[0] &= 248
+	k[31] = (k[31] & 127) | 64
+	return (PrivateKey)(*k), nil
+}
+
+func ParsePrivateKey(b64 string) (*PrivateKey, error) {
+	k, err := parseKeyBase64(base64.StdEncoding, b64)
+	return (*PrivateKey)(k), err
+}
+
+func (k *PrivateKey) String() string           { return base64.StdEncoding.EncodeToString(k[:]) }
+func (k *PrivateKey) HexString() string        { return hex.EncodeToString(k[:]) }
+func (k *PrivateKey) Equal(k2 PrivateKey) bool { return subtle.ConstantTimeCompare(k[:], k2[:]) == 1 }
+
+func (k *PrivateKey) IsZero() bool {
+	pk := Key(*k)
+	return pk.IsZero()
+}
+
+func (k *PrivateKey) clamp() {
+	k[0] &= 248
+	k[31] = (k[31] & 127) | 64
+}
+
+// Public computes the public key matching this curve25519 secret key.
+func (k *PrivateKey) Public() Key {
+	pk := Key(*k)
+	if pk.IsZero() {
+		panic("Tried to generate emptyPrivateKey.Public()")
+	}
+	var p [KeySize]byte
+	curve25519.ScalarBaseMult(&p, (*[KeySize]byte)(k))
+	return (Key)(p)
+}
+
+func (k PrivateKey) MarshalText() ([]byte, error) {
+	buf := new(bytes.Buffer)
+	fmt.Fprintf(buf, `privkey:%x`, k[:])
+	return buf.Bytes(), nil
+}
+
+func (k *PrivateKey) UnmarshalText(b []byte) error {
+	s := string(b)
+	if !strings.HasPrefix(s, `privkey:`) {
+		return errors.New("wgcfg.PrivateKey: UnmarshalText not given a private-key string")
+	}
+	s = strings.TrimPrefix(s, `privkey:`)
+	key, err := ParseHexKey(s)
+	if err != nil {
+		return fmt.Errorf("wgcfg.PrivateKey: UnmarshalText: %v", err)
+	}
+	copy(k[:], key[:])
+	return nil
+}
+
+func (k PrivateKey) SharedSecret(pub Key) (ss [KeySize]byte) {
+	apk := (*[KeySize]byte)(&pub)
+	ask := (*[KeySize]byte)(&k)
+	curve25519.ScalarMult(&ss, ask, apk) //lint:ignore SA1019 Jason says this is OK; match wireguard-go exactyl
+	return ss
+}
+
+func parseKeyBase64(enc *base64.Encoding, s string) (*Key, error) {
+	k, err := enc.DecodeString(s)
+	if err != nil {
+		return nil, &ParseError{"Invalid key: " + err.Error(), s}
+	}
+	if len(k) != KeySize {
+		return nil, &ParseError{"Keys must decode to exactly 32 bytes", s}
+	}
+	var key Key
+	copy(key[:], k)
+	return &key, nil
+}
+
+func ParseSymmetricKey(b64 string) (SymmetricKey, error) {
+	k, err := parseKeyBase64(base64.StdEncoding, b64)
+	if err != nil {
+		return SymmetricKey{}, err
+	}
+	return SymmetricKey(*k), nil
+}
+
+func ParseSymmetricHexKey(s string) (SymmetricKey, error) {
+	b, err := hex.DecodeString(s)
+	if err != nil {
+		return SymmetricKey{}, &ParseError{"invalid symmetric hex key: " + err.Error(), s}
+	}
+	if len(b) != chacha20poly1305.KeySize {
+		return SymmetricKey{}, &ParseError{fmt.Sprintf("invalid symmetric hex key length: %d", len(b)), s}
+	}
+	var key SymmetricKey
+	copy(key[:], b)
+	return key, nil
+}
+
+// SymmetricKey is a chacha20poly1305 key.
+// It is used by WireGuard to represent pre-shared symmetric keys.
+type SymmetricKey [chacha20poly1305.KeySize]byte
+
+func (k SymmetricKey) Base64() string    { return base64.StdEncoding.EncodeToString(k[:]) }
+func (k SymmetricKey) String() string    { return "sym:" + k.Base64()[:8] }
+func (k SymmetricKey) HexString() string { return hex.EncodeToString(k[:]) }
+func (k SymmetricKey) IsZero() bool      { return k.Equal(SymmetricKey{}) }
+func (k SymmetricKey) Equal(k2 SymmetricKey) bool {
+	return subtle.ConstantTimeCompare(k[:], k2[:]) == 1
+}

wgengine/wgcfg/key_test.go

@@ -0,0 +1,111 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"bytes"
+	"testing"
+)
+
+func TestKeyBasics(t *testing.T) {
+	k1, err := NewPresharedKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b, err := k1.MarshalJSON()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("JSON round-trip", func(t *testing.T) {
+		// should preserve the keys
+		k2 := new(Key)
+		if err := k2.UnmarshalJSON(b); err != nil {
+			t.Fatal(err)
+		}
+		if !bytes.Equal(k1[:], k2[:]) {
+			t.Fatalf("k1 %v != k2 %v", k1[:], k2[:])
+		}
+		if b1, b2 := k1.String(), k2.String(); b1 != b2 {
+			t.Fatalf("base64-encoded keys do not match: %s, %s", b1, b2)
+		}
+	})
+
+	t.Run("JSON incompatible with PrivateKey", func(t *testing.T) {
+		k2 := new(PrivateKey)
+		if err := k2.UnmarshalText(b); err == nil {
+			t.Fatalf("successfully decoded key as private key")
+		}
+	})
+
+	t.Run("second key", func(t *testing.T) {
+		// A second call to NewPresharedKey should make a new key.
+		k3, err := NewPresharedKey()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if bytes.Equal(k1[:], k3[:]) {
+			t.Fatalf("k1 %v == k3 %v", k1[:], k3[:])
+		}
+		// Check for obvious comparables to make sure we are not generating bad strings somewhere.
+		if b1, b2 := k1.String(), k3.String(); b1 == b2 {
+			t.Fatalf("base64-encoded keys match: %s, %s", b1, b2)
+		}
+	})
+}
+func TestPrivateKeyBasics(t *testing.T) {
+	pri, err := NewPrivateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b, err := pri.MarshalText()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	t.Run("JSON round-trip", func(t *testing.T) {
+		// should preserve the keys
+		pri2 := new(PrivateKey)
+		if err := pri2.UnmarshalText(b); err != nil {
+			t.Fatal(err)
+		}
+		if !bytes.Equal(pri[:], pri2[:]) {
+			t.Fatalf("pri %v != pri2 %v", pri[:], pri2[:])
+		}
+		if b1, b2 := pri.String(), pri2.String(); b1 != b2 {
+			t.Fatalf("base64-encoded keys do not match: %s, %s", b1, b2)
+		}
+		if pub1, pub2 := pri.Public().String(), pri2.Public().String(); pub1 != pub2 {
+			t.Fatalf("base64-encoded public keys do not match: %s, %s", pub1, pub2)
+		}
+	})
+
+	t.Run("JSON incompatible with Key", func(t *testing.T) {
+		k2 := new(Key)
+		if err := k2.UnmarshalJSON(b); err == nil {
+			t.Fatalf("successfully decoded private key as key")
+		}
+	})
+
+	t.Run("second key", func(t *testing.T) {
+		// A second call to New should make a new key.
+		pri3, err := NewPrivateKey()
+		if err != nil {
+			t.Fatal(err)
+		}
+		if bytes.Equal(pri[:], pri3[:]) {
+			t.Fatalf("pri %v == pri3 %v", pri[:], pri3[:])
+		}
+		// Check for obvious comparables to make sure we are not generating bad strings somewhere.
+		if b1, b2 := pri.String(), pri3.String(); b1 == b2 {
+			t.Fatalf("base64-encoded keys match: %s, %s", b1, b2)
+		}
+		if pub1, pub2 := pri.Public().String(), pri3.Public().String(); pub1 == pub2 {
+			t.Fatalf("base64-encoded public keys match: %s, %s", pub1, pub2)
+		}
+	})
+}

wgengine/wgcfg/parser.go

@@ -0,0 +1,201 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"bufio"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"net"
+	"strconv"
+	"strings"
+
+	"inet.af/netaddr"
+)
+
+type ParseError struct {
+	why      string
+	offender string
+}
+
+func (e *ParseError) Error() string {
+	return fmt.Sprintf("%s: %q", e.why, e.offender)
+}
+
+func validateEndpoints(s string) error {
+	if s == "" {
+		// Otherwise strings.Split of the empty string produces [""].
+		return nil
+	}
+	vals := strings.Split(s, ",")
+	for _, val := range vals {
+		_, _, err := parseEndpoint(val)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func parseEndpoint(s string) (host string, port uint16, err error) {
+	i := strings.LastIndexByte(s, ':')
+	if i < 0 {
+		return "", 0, &ParseError{"Missing port from endpoint", s}
+	}
+	host, portStr := s[:i], s[i+1:]
+	if len(host) < 1 {
+		return "", 0, &ParseError{"Invalid endpoint host", host}
+	}
+	uport, err := strconv.ParseUint(portStr, 10, 16)
+	if err != nil {
+		return "", 0, err
+	}
+	hostColon := strings.IndexByte(host, ':')
+	if host[0] == '[' || host[len(host)-1] == ']' || hostColon > 0 {
+		err := &ParseError{"Brackets must contain an IPv6 address", host}
+		if len(host) > 3 && host[0] == '[' && host[len(host)-1] == ']' && hostColon > 0 {
+			maybeV6 := net.ParseIP(host[1 : len(host)-1])
+			if maybeV6 == nil || len(maybeV6) != net.IPv6len {
+				return "", 0, err
+			}
+		} else {
+			return "", 0, err
+		}
+		host = host[1 : len(host)-1]
+	}
+	return host, uint16(uport), nil
+}
+
+func parseKeyHex(s string) (*Key, error) {
+	k, err := hex.DecodeString(s)
+	if err != nil {
+		return nil, &ParseError{"Invalid key: " + err.Error(), s}
+	}
+	if len(k) != KeySize {
+		return nil, &ParseError{"Keys must decode to exactly 32 bytes", s}
+	}
+	var key Key
+	copy(key[:], k)
+	return &key, nil
+}
+
+// FromUAPI generates a Config from r.
+// r should be generated by calling device.IpcGetOperation;
+// it is not compatible with other uapi streams.
+func FromUAPI(r io.Reader) (*Config, error) {
+	cfg := new(Config)
+	var peer *Peer // current peer being operated on
+	deviceConfig := true
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		line := scanner.Text()
+		if line == "" {
+			continue
+		}
+		parts := strings.Split(line, "=")
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("failed to parse line %q, found %d =-separated parts, want 2", line, len(parts))
+		}
+		key := parts[0]
+		value := parts[1]
+
+		if key == "public_key" {
+			if deviceConfig {
+				deviceConfig = false
+			}
+			// Load/create the peer we are now configuring.
+			var err error
+			peer, err = cfg.handlePublicKeyLine(value)
+			if err != nil {
+				return nil, err
+			}
+			continue
+		}
+
+		var err error
+		if deviceConfig {
+			err = cfg.handleDeviceLine(key, value)
+		} else {
+			err = cfg.handlePeerLine(peer, key, value)
+		}
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return cfg, nil
+}
+
+func (cfg *Config) handleDeviceLine(key, value string) error {
+	switch key {
+	case "private_key":
+		k, err := parseKeyHex(value)
+		if err != nil {
+			return err
+		}
+		// wireguard-go guarantees not to send zero value; private keys are already clamped.
+		cfg.PrivateKey = PrivateKey(*k)
+	case "listen_port":
+		port, err := strconv.ParseUint(value, 10, 16)
+		if err != nil {
+			return fmt.Errorf("failed to parse listen_port: %w", err)
+		}
+		cfg.ListenPort = uint16(port)
+	case "fwmark":
+		// ignore
+	default:
+		return fmt.Errorf("unexpected IpcGetOperation key: %v", key)
+	}
+	return nil
+}
+
+func (cfg *Config) handlePublicKeyLine(value string) (*Peer, error) {
+	k, err := parseKeyHex(value)
+	if err != nil {
+		return nil, err
+	}
+	cfg.Peers = append(cfg.Peers, Peer{})
+	peer := &cfg.Peers[len(cfg.Peers)-1]
+	peer.PublicKey = *k
+	return peer, nil
+}
+
+func (cfg *Config) handlePeerLine(peer *Peer, key, value string) error {
+	switch key {
+	case "endpoint":
+		err := validateEndpoints(value)
+		if err != nil {
+			return err
+		}
+		peer.Endpoints = value
+	case "persistent_keepalive_interval":
+		n, err := strconv.ParseUint(value, 10, 16)
+		if err != nil {
+			return err
+		}
+		peer.PersistentKeepalive = uint16(n)
+	case "allowed_ip":
+		ipp, err := netaddr.ParseIPPrefix(value)
+		if err != nil {
+			return err
+		}
+		peer.AllowedIPs = append(peer.AllowedIPs, ipp)
+	case "protocol_version":
+		if value != "1" {
+			return fmt.Errorf("invalid protocol version: %v", value)
+		}
+	case "preshared_key", "last_handshake_time_sec", "last_handshake_time_nsec", "tx_bytes", "rx_bytes":
+		// ignore
+	default:
+		return fmt.Errorf("unexpected IpcGetOperation key: %v", key)
+	}
+	return nil
+}

wgengine/wgcfg/parser_test.go

@@ -0,0 +1,73 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"reflect"
+	"runtime"
+	"testing"
+)
+
+func noError(t *testing.T, err error) bool {
+	if err == nil {
+		return true
+	}
+	_, fn, line, _ := runtime.Caller(1)
+	t.Errorf("Error at %s:%d: %#v", fn, line, err)
+	return false
+}
+
+func equal(t *testing.T, expected, actual interface{}) bool {
+	if reflect.DeepEqual(expected, actual) {
+		return true
+	}
+	_, fn, line, _ := runtime.Caller(1)
+	t.Errorf("Failed equals at %s:%d\nactual   %#v\nexpected %#v", fn, line, actual, expected)
+	return false
+}
+
+func TestParseEndpoint(t *testing.T) {
+	_, _, err := parseEndpoint("[192.168.42.0:]:51880")
+	if err == nil {
+		t.Error("Error was expected")
+	}
+	host, port, err := parseEndpoint("192.168.42.0:51880")
+	if noError(t, err) {
+		equal(t, "192.168.42.0", host)
+		equal(t, uint16(51880), port)
+	}
+	host, port, err = parseEndpoint("test.wireguard.com:18981")
+	if noError(t, err) {
+		equal(t, "test.wireguard.com", host)
+		equal(t, uint16(18981), port)
+	}
+	host, port, err = parseEndpoint("[2607:5300:60:6b0::c05f:543]:2468")
+	if noError(t, err) {
+		equal(t, "2607:5300:60:6b0::c05f:543", host)
+		equal(t, uint16(2468), port)
+	}
+	_, _, err = parseEndpoint("[::::::invalid:18981")
+	if err == nil {
+		t.Error("Error was expected")
+	}
+}
+
+func TestValidateEndpoints(t *testing.T) {
+	tests := []struct {
+		in   string
+		want error
+	}{
+		{"", nil},
+		{"1.2.3.4:5", nil},
+		{"1.2.3.4:5,6.7.8.9:10", nil},
+		{",", &ParseError{why: "Missing port from endpoint", offender: ""}},
+	}
+	for _, tt := range tests {
+		got := validateEndpoints(tt.in)
+		if !reflect.DeepEqual(got, tt.want) {
+			t.Errorf("%q = %#v (%s); want %#v (%s)", tt.in, got, got, tt.want, tt.want)
+		}
+	}
+}

wgengine/wgcfg/writer.go

@@ -0,0 +1,141 @@
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wgcfg
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+	"strings"
+
+	"inet.af/netaddr"
+)
+
+// ToUAPI writes cfg in UAPI format to w.
+// Prev is the previous device Config.
+// Prev is required so that we can remove now-defunct peers
+// without having to remove and re-add all peers.
+func (cfg *Config) ToUAPI(w io.Writer, prev *Config) error {
+	var stickyErr error
+	set := func(key, value string) {
+		if stickyErr != nil {
+			return
+		}
+		_, err := fmt.Fprintf(w, "%s=%s\n", key, value)
+		if err != nil {
+			stickyErr = err
+		}
+	}
+	setUint16 := func(key string, value uint16) {
+		set(key, strconv.FormatUint(uint64(value), 10))
+	}
+	setPeer := func(peer Peer) {
+		set("public_key", peer.PublicKey.HexString())
+	}
+
+	// Device config.
+	if prev.PrivateKey != cfg.PrivateKey {
+		set("private_key", cfg.PrivateKey.HexString())
+	}
+	if prev.ListenPort != cfg.ListenPort {
+		setUint16("listen_port", cfg.ListenPort)
+	}
+
+	old := make(map[Key]Peer)
+	for _, p := range prev.Peers {
+		old[p.PublicKey] = p
+	}
+
+	// Add/configure all new peers.
+	for _, p := range cfg.Peers {
+		oldPeer := old[p.PublicKey]
+		setPeer(p)
+		set("protocol_version", "1")
+
+		if !endpointsEqual(oldPeer.Endpoints, p.Endpoints) {
+			set("endpoint", p.Endpoints)
+		}
+
+		// TODO: replace_allowed_ips is expensive.
+		// If p.AllowedIPs is a strict superset of oldPeer.AllowedIPs,
+		// then skip replace_allowed_ips and instead add only
+		// the new ipps with allowed_ip.
+		if !cidrsEqual(oldPeer.AllowedIPs, p.AllowedIPs) {
+			set("replace_allowed_ips", "true")
+			for _, ipp := range p.AllowedIPs {
+				set("allowed_ip", ipp.String())
+			}
+		}
+
+		// Set PersistentKeepalive after the peer is otherwise configured,
+		// because it can trigger handshake packets.
+		if oldPeer.PersistentKeepalive != p.PersistentKeepalive {
+			setUint16("persistent_keepalive_interval", p.PersistentKeepalive)
+		}
+	}
+
+	// Remove peers that were present but should no longer be.
+	for _, p := range cfg.Peers {
+		delete(old, p.PublicKey)
+	}
+	for _, p := range old {
+		setPeer(p)
+		set("remove", "true")
+	}
+
+	if stickyErr != nil {
+		stickyErr = fmt.Errorf("ToUAPI: %w", stickyErr)
+	}
+	return stickyErr
+}
+
+func endpointsEqual(x, y string) bool {
+	// Cheap comparisons.
+	if x == y {
+		return true
+	}
+	xs := strings.Split(x, ",")
+	ys := strings.Split(y, ",")
+	if len(xs) != len(ys) {
+		return false
+	}
+	// Otherwise, see if they're the same, but out of order.
+	sort.Strings(xs)
+	sort.Strings(ys)
+	x = strings.Join(xs, ",")
+	y = strings.Join(ys, ",")
+	return x == y
+}
+
+func cidrsEqual(x, y []netaddr.IPPrefix) bool {
+	// TODO: re-implement using netaddr.IPSet.Equal.
+	if len(x) != len(y) {
+		return false
+	}
+	// First see if they're equal in order, without allocating.
+	exact := true
+	for i := range x {
+		if x[i] != y[i] {
+			exact = false
+			break
+		}
+	}
+	if exact {
+		return true
+	}
+
+	// Otherwise, see if they're the same, but out of order.
+	m := make(map[netaddr.IPPrefix]bool)
+	for _, v := range x {
+		m[v] = true
+	}
+	for _, v := range y {
+		if !m[v] {
+			return false
+		}
+	}
+	return true
+}

wgengine/wgengine.go

@@ -8,7 +8,6 @@ import (
 	"errors"
 	"time"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
@@ -17,6 +16,7 @@ import (
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
 	"tailscale.com/wgengine/tsdns"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 // ByteCount is the number of bytes that have been sent or received.

wgengine/wglog/wglog.go

@@ -12,8 +12,8 @@ import (
 	"sync/atomic"
 
 	"github.com/tailscale/wireguard-go/device"
-	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/wgengine/wgcfg"
 )
 
 // A Logger is a wireguard-go log wrapper that cleans up and rewrites log lines.

wgengine/wglog/wglog_test.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/tailscale/wireguard-go/wgcfg"
+	"tailscale.com/wgengine/wgcfg"
 	"tailscale.com/wgengine/wglog"
 )