WIP: playing with using gvisor's netstack for pure userspace TCP/relaying

cmd/tailscale/cli: add debug -derp mode
net/tshttpproxy: fix typo in Windows code added at least second
2020-09-07 21:23:21 -07:00 · 2020-09-03 09:09:23 -07:00 · 2020-09-02 21:25:38 -07:00 · 2020-09-02 21:25:28 -07:00 · 2020-09-02 21:15:36 -07:00 · 2020-09-02 15:44:55 -07:00
93 changed files with 4512 additions and 1020 deletions
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -19,7 +19,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -16,7 +16,7 @@ jobs:
    - name: Set up Go
      uses: actions/setup-go@v1
      with:
-        go-version: 1.14
+        go-version: 1.15

    - name: Check out code
      uses: actions/checkout@v1
--- a/5
+++ b/5
@@ -1,7 +1,10 @@
 usage:
 	echo "See Makefile"

-check: staticcheck
+vet:
+	go vet ./...
+
+check: staticcheck vet

 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ go install tailscale.com/cmd/tailscale{,d}
 ```

 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.14) in module mode. It might
+release candidate builds (currently Go 1.15) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.

--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -7,6 +7,7 @@ package main // import "tailscale.com/cmd/derper"

 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"expvar"
@@ -185,6 +186,15 @@ func main() {
 			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
+		letsEncryptGetCert := httpsrv.TLSConfig.GetCertificate
+		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cert, err := letsEncryptGetCert(hi)
+			if err != nil {
+				return nil, err
+			}
+			cert.Certificate = append(cert.Certificate, s.MetaCert())
+			return cert, nil
+		}
 		go func() {
 			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -19,6 +19,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"

@@ -88,7 +89,16 @@ func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
 		case map[string]interface{}:
 			promPrint(w, k, v)
 		case float64:
-			fmt.Fprintf(w, "%s %f\n", k, v)
+			const saveConfigReject = "control_save_config_rejected_"
+			const saveConfig = "control_save_config_"
+			switch {
+			case strings.HasPrefix(k, saveConfigReject):
+				fmt.Fprintf(w, "control_save_config_rejected{reason=%q} %f\n", k[len(saveConfigReject):], v)
+			case strings.HasPrefix(k, saveConfig):
+				fmt.Fprintf(w, "control_save_config{reason=%q} %f\n", k[len(saveConfig):], v)
+			default:
+				fmt.Fprintf(w, "%s %f\n", k, v)
+			}
 		default:
 			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
 		}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -31,7 +31,8 @@ func ActLikeCLI() bool {
 		return false
 	}
 	switch os.Args[1] {
-	case "up", "status", "netcheck", "version",
+	case "up", "down", "status", "netcheck", "ping", "version",
+		"debug",
 		"-V", "--version", "-h", "--help":
 		return true
 	}
@@ -57,14 +58,21 @@ change in the future.
 `),
 		Subcommands: []*ffcli.Command{
 			upCmd,
+			downCmd,
 			netcheckCmd,
 			statusCmd,
+			pingCmd,
 			versionCmd,
 		},
 		FlagSet: rootfs,
 		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
 	}

+	// Don't advertise the debug command, but it exists.
+	if strSliceContains(args, "debug") {
+		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
+	}
+
 	if err := rootCmd.Parse(args); err != nil {
 		return err
 	}
@@ -126,3 +134,12 @@ func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
 		bc.GotNotifyMsg(msg)
 	}
 }
+
+func strSliceContains(ss []string, s string) bool {
+	for _, v := range ss {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/interfaces"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine/monitor"
+)
+
+var debugCmd = &ffcli.Command{
+	Name: "debug",
+	Exec: runDebug,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("debug", flag.ExitOnError)
+		fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
+		fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
+		fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
+		return fs
+	})(),
+}
+
+var debugArgs struct {
+	monitor   bool
+	getURL    string
+	derpCheck string
+}
+
+func runDebug(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown arguments")
+	}
+	if debugArgs.derpCheck != "" {
+		return checkDerp(ctx, debugArgs.derpCheck)
+	}
+	if debugArgs.monitor {
+		return runMonitor(ctx)
+	}
+	if debugArgs.getURL != "" {
+		return getURL(ctx, debugArgs.getURL)
+	}
+	return errors.New("only --monitor is available at the moment")
+}
+
+func runMonitor(ctx context.Context) error {
+	dump := func() {
+		st, err := interfaces.GetState()
+		if err != nil {
+			log.Printf("error getting state: %v", err)
+			return
+		}
+		j, _ := json.MarshalIndent(st, "", "    ")
+		os.Stderr.Write(j)
+	}
+	mon, err := monitor.New(log.Printf, func() {
+		log.Printf("Link monitor fired. State:")
+		dump()
+	})
+	if err != nil {
+		return err
+	}
+	log.Printf("Starting link change monitor; initial state:")
+	dump()
+	mon.Start()
+	log.Printf("Started link change monitor; waiting...")
+	select {}
+}
+
+func getURL(ctx context.Context, urlStr string) error {
+	if urlStr == "login" {
+		urlStr = "https://login.tailscale.com"
+	}
+	log.SetOutput(os.Stdout)
+	ctx = httptrace.WithClientTrace(ctx, &httptrace.ClientTrace{
+		GetConn:           func(hostPort string) { log.Printf("GetConn(%q)", hostPort) },
+		GotConn:           func(info httptrace.GotConnInfo) { log.Printf("GotConn: %+v", info) },
+		DNSStart:          func(info httptrace.DNSStartInfo) { log.Printf("DNSStart: %+v", info) },
+		DNSDone:           func(info httptrace.DNSDoneInfo) { log.Printf("DNSDoneInfo: %+v", info) },
+		TLSHandshakeStart: func() { log.Printf("TLSHandshakeStart") },
+		TLSHandshakeDone:  func(cs tls.ConnectionState, err error) { log.Printf("TLSHandshakeDone: %+v, %v", cs, err) },
+		WroteRequest:      func(info httptrace.WroteRequestInfo) { log.Printf("WroteRequest: %+v", info) },
+	})
+	req, err := http.NewRequestWithContext(ctx, "GET", urlStr, nil)
+	if err != nil {
+		return fmt.Errorf("http.NewRequestWithContext: %v", err)
+	}
+	proxyURL, err := tshttpproxy.ProxyFromEnvironment(req)
+	if err != nil {
+		return fmt.Errorf("tshttpproxy.ProxyFromEnvironment: %v", err)
+	}
+	log.Printf("proxy: %v", proxyURL)
+	tr := &http.Transport{
+		Proxy:              func(*http.Request) (*url.URL, error) { return proxyURL, nil },
+		ProxyConnectHeader: http.Header{},
+		DisableKeepAlives:  true,
+	}
+	if proxyURL != nil {
+		auth, err := tshttpproxy.GetAuthHeader(proxyURL)
+		if err == nil && auth != "" {
+			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
+		}
+		const truncLen = 20
+		if len(auth) > truncLen {
+			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
+		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
+	}
+	res, err := tr.RoundTrip(req)
+	if err != nil {
+		return fmt.Errorf("Transport.RoundTrip: %v", err)
+	}
+	defer res.Body.Close()
+	return res.Write(os.Stdout)
+}
+
+func checkDerp(ctx context.Context, derpRegion string) error {
+	dmap := derpmap.Prod()
+	getRegion := func() *tailcfg.DERPRegion {
+		for _, r := range dmap.Regions {
+			if r.RegionCode == derpRegion {
+				return r
+			}
+		}
+		for _, r := range dmap.Regions {
+			log.Printf("Known region: %q", r.RegionCode)
+		}
+		log.Fatalf("unknown region %q", derpRegion)
+		panic("unreachable")
+	}
+
+	priv1 := key.NewPrivate()
+	priv2 := key.NewPrivate()
+
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+
+	c2.NotePreferred(true) // just to open it
+
+	m, err := c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+
+	t0 := time.Now()
+	if err := c1.Send(priv2.Public(), []byte("hello")); err != nil {
+		return err
+	}
+	fmt.Println(time.Since(t0))
+
+	m, err = c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+	if err != nil {
+		return err
+	}
+	log.Printf("ok")
+	return err
+}
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -0,0 +1,67 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+)
+
+var downCmd = &ffcli.Command{
+	Name:       "down",
+	ShortUsage: "down",
+	ShortHelp:  "Disconnect from Tailscale",
+
+	Exec: runDown,
+}
+
+func runDown(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	timer := time.AfterFunc(5*time.Second, func() {
+		log.Fatalf("timeout running stop")
+	})
+	defer timer.Stop()
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.Status != nil {
+			cur := n.Status.BackendState
+			switch cur {
+			case "Stopped":
+				log.Printf("already stopped")
+				cancel()
+			default:
+				log.Printf("was in state %q", cur)
+			}
+			return
+		}
+		if n.State != nil {
+			log.Printf("now in state %q", *n.State)
+			if *n.State == ipn.Stopped {
+				cancel()
+			}
+			return
+		}
+		log.Printf("Notify: %#v", n)
+	})
+
+	bc.RequestStatus()
+	bc.SetWantRunning(false)
+	pump(ctx, bc, c)
+
+	return nil
+}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -125,20 +125,35 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	if len(report.RegionLatency) == 0 {
 		fmt.Printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		fmt.Printf("\t* Nearest DERP: %v (%v)\n", report.PreferredDERP, dm.Regions[report.PreferredDERP].RegionCode)
+		fmt.Printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
 		fmt.Printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {
 			rids = append(rids, rid)
 		}
-		sort.Ints(rids)
+		sort.Slice(rids, func(i, j int) bool {
+			l1, ok1 := report.RegionLatency[rids[i]]
+			l2, ok2 := report.RegionLatency[rids[j]]
+			if ok1 != ok2 {
+				return ok1 // defined things sort first
+			}
+			if !ok1 {
+				return rids[i] < rids[j]
+			}
+			return l1 < l2
+		})
 		for _, rid := range rids {
 			d, ok := report.RegionLatency[rid]
 			var latency string
 			if ok {
 				latency = d.Round(time.Millisecond / 10).String()
 			}
-			fmt.Printf("\t\t- %v, %3s = %s\n", rid, dm.Regions[rid].RegionCode, latency)
+			r := dm.Regions[rid]
+			var derpNum string
+			if netcheckArgs.verbose {
+				derpNum = fmt.Sprintf("derp%d, ", rid)
+			}
+			fmt.Printf("\t\t- %3s: %-7s (%s%s)\n", r.RegionCode, latency, derpNum, r.RegionName)
 		}
 	}
 	return nil
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -0,0 +1,130 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+)
+
+var pingCmd = &ffcli.Command{
+	Name:       "ping",
+	ShortUsage: "ping <hostname-or-IP>",
+	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
+	LongHelp: strings.TrimSpace(`
+
+The 'tailscale ping' command pings a peer node at the Tailscale layer
+and reports which route it took for each response. The first ping or
+so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
+traversal finds a direct path through.
+
+If 'tailscale ping' works but a normal ping does not, that means one
+side's operating system firewall is blocking packets; 'tailscale ping'
+does not inject packets into either side's TUN devices.
+
+By default, 'tailscale ping' stops after 10 pings or once a direct
+(non-DERP) path has been established, whichever comes first.
+
+The provided hostname must resolve to or be a Tailscale IP
+(e.g. 100.x.y.z) or a subnet IP advertised by a Tailscale
+relay node.
+
+`),
+	Exec: runPing,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("ping", flag.ExitOnError)
+		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
+		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
+		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
+		return fs
+	})(),
+}
+
+var pingArgs struct {
+	num         int
+	untilDirect bool
+	verbose     bool
+	timeout     time.Duration
+}
+
+func runPing(ctx context.Context, args []string) error {
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	if len(args) != 1 {
+		return errors.New("usage: ping <hostname-or-IP>")
+	}
+	hostOrIP := args[0]
+	var ip string
+	var res net.Resolver
+	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
+		return fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
+	} else if len(addrs) == 0 {
+		return fmt.Errorf("no IPs found for %q", hostOrIP)
+	} else {
+		ip = addrs[0]
+	}
+	if pingArgs.verbose && ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	ch := make(chan *ipnstate.PingResult, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			ch <- pr
+		}
+	})
+	go pump(ctx, bc, c)
+
+	n := 0
+	anyPong := false
+	for {
+		n++
+		bc.Ping(ip)
+		timer := time.NewTimer(pingArgs.timeout)
+		select {
+		case <-timer.C:
+			fmt.Printf("timeout waiting for ping reply\n")
+		case pr := <-ch:
+			timer.Stop()
+			if pr.Err != "" {
+				return errors.New(pr.Err)
+			}
+			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+			via := pr.Endpoint
+			if pr.DERPRegionID != 0 {
+				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+			}
+			anyPong = true
+			fmt.Printf("pong from %s (%s) via %v in %v\n", pr.NodeName, pr.NodeIP, via, latency)
+			if pr.Endpoint != "" && pingArgs.untilDirect {
+				return nil
+			}
+			time.Sleep(time.Second)
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+		if n == pingArgs.num {
+			if !anyPong {
+				return errors.New("no reply")
+			}
+			return nil
+		}
+	}
+}
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -33,6 +33,7 @@ var statusCmd = &ffcli.Command{
 		fs.BoolVar(&statusArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status")
 		fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)")
+		fs.BoolVar(&statusArgs.self, "self", true, "show status of local machine")
 		fs.StringVar(&statusArgs.listen, "listen", "127.0.0.1:8384", "listen address; use port 0 for automatic")
 		fs.BoolVar(&statusArgs.browser, "browser", true, "Open a browser in web mode")
 		return fs
@@ -45,6 +46,7 @@ var statusArgs struct {
 	listen  string // in web mode, webserver address to listen on, empty means auto
 	browser bool   // in web mode, whether to open browser
 	active  bool   // in CLI mode, filter output to only peers with active sessions
+	self    bool   // in CLI mode, show status of local machine
 }

 func runStatus(ctx context.Context, args []string) error {
@@ -125,16 +127,17 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}

+	if st.BackendState == ipn.Stopped.String() {
+		fmt.Println("Tailscale is stopped.")
+		os.Exit(1)
+	}
+
 	var buf bytes.Buffer
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
-	for _, peer := range st.Peers() {
-		ps := st.Peer[peer]
+	printPS := func(ps *ipnstate.PeerStatus) {
 		active := peerActive(ps)
-		if statusArgs.active && !active {
-			continue
-		}
 		f("%s %-7s %-15s %-18s tx=%8d rx=%8d ",
-			peer.ShortString(),
+			ps.PublicKey.ShortString(),
 			ps.OS,
 			ps.TailAddr,
 			ps.SimpleHostName(),
@@ -160,6 +163,18 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 		f("\n")
 	}
+
+	if statusArgs.self && st.Self != nil {
+		printPS(st.Self)
+	}
+	for _, peer := range st.Peers() {
+		ps := st.Peer[peer]
+		active := peerActive(ps)
+		if statusArgs.active && !active {
+			continue
+		}
+		printPS(ps)
+	}
 	os.Stdout.Write(buf.Bytes())
 	return nil
 }
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -15,6 +15,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"

 	"github.com/peterbourgon/ff/v2/ffcli"
 	"github.com/tailscale/wireguard-go/wgcfg"
@@ -53,6 +54,7 @@ specify any flags, options are reset to their default.
 		upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
 		upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
 		upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
 		upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "ACL tags to request (comma-separated, e.g. eng,montreal,ssh)")
 		upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
 		upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
@@ -75,6 +77,7 @@ var upArgs struct {
 	acceptDNS       bool
 	singleRoutes    bool
 	shieldsUp       bool
+	forceReauth     bool
 	advertiseRoutes string
 	advertiseTags   string
 	enableDERP      bool
@@ -181,7 +184,6 @@ func runUp(ctx context.Context, args []string) error {
 	}

 	// TODO(apenwarr): fix different semantics between prefs and uflags
-	// TODO(apenwarr): allow setting/using CorpDNS
 	prefs := ipn.NewPrefs()
 	prefs.ControlURL = upArgs.server
 	prefs.WantRunning = true
@@ -213,6 +215,8 @@ func runUp(ctx context.Context, args []string) error {
 	defer cancel()

 	var printed bool
+	var loginOnce sync.Once
+	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }

 	bc.SetPrefs(prefs)
 	opts := ipn.Options{
@@ -226,7 +230,7 @@ func runUp(ctx context.Context, args []string) error {
 				switch *s {
 				case ipn.NeedsLogin:
 					printed = true
-					bc.StartLoginInteractive()
+					startLoginInteractive()
 				case ipn.NeedsMachineAuth:
 					printed = true
 					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
@@ -252,6 +256,10 @@ func runUp(ctx context.Context, args []string) error {
 	// ephemeral frontends that read/modify/write state, once
 	// Windows/Mac state is moved into backend.
 	bc.Start(opts)
+	if upArgs.forceReauth {
+		printed = true
+		startLoginInteractive()
+	}
 	pump(ctx, bc, c)

 	return nil
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -29,6 +29,7 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/magicsock"
+	"tailscale.com/wgengine/netstack"
 	"tailscale.com/wgengine/router"
 )

@@ -136,7 +137,11 @@ func run() error {

 	var e wgengine.Engine
 	if args.fake {
-		e, err = wgengine.NewFakeUserspaceEngine(logf, 0)
+		impl := netstack.Impl
+		if args.tunname != "netstack" {
+			impl = nil
+		}
+		e, err = wgengine.NewFakeUserspaceEngine(logf, 0, impl)
 	} else {
 		e, err = wgengine.NewUserspaceEngine(logf, args.tunname, args.port)
 	}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -26,6 +26,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
@@ -35,8 +36,10 @@ import (
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
 	"tailscale.com/version"
 )
@@ -145,6 +148,8 @@ func NewDirect(opts Options) (*Direct, error) {
 	if httpc == nil {
 		dialer := netns.NewDialer()
 		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.Proxy = tshttpproxy.ProxyFromEnvironment
+		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.DialContext = dialer.DialContext
 		tr.ForceAttemptHTTP2 = true
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
@@ -621,8 +626,12 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 			vlogf("netmap: new map contains DERP map")
 			lastDERPMap = resp.DERPMap
 		}
-		if resp.Debug != nil && resp.Debug.LogHeapPprof {
-			go logheap.LogHeap(resp.Debug.LogHeapURL)
+		if resp.Debug != nil {
+			if resp.Debug.LogHeapPprof {
+				go logheap.LogHeap(resp.Debug.LogHeapURL)
+			}
+			setControlAtomic(&controlUseDERPRoute, resp.Debug.DERPRoute)
+			setControlAtomic(&controlTrimWGConfig, resp.Debug.TrimWGConfig)
 		}
 		// Temporarily (2020-06-29) support removing all but
 		// discovery-supporting nodes during development, for
@@ -953,3 +962,30 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	}
 	return v2
 }
+
+// opt.Bool configs from control.
+var (
+	controlUseDERPRoute atomic.Value
+	controlTrimWGConfig atomic.Value
+)
+
+func setControlAtomic(dst *atomic.Value, v opt.Bool) {
+	old, ok := dst.Load().(opt.Bool)
+	if !ok || old != v {
+		dst.Store(v)
+	}
+}
+
+// DERPRouteFlag reports the last reported value from control for whether
+// DERP route optimization (Issue 150) should be enabled.
+func DERPRouteFlag() opt.Bool {
+	v, _ := controlUseDERPRoute.Load().(opt.Bool)
+	return v
+}
+
+// TrimWGConfig reports the last reported value from control for whether
+// we should do lazy wireguard configuration.
+func TrimWGConfig() opt.Bool {
+	v, _ := controlTrimWGConfig.Load().(opt.Bool)
+	return v
+}
--- a/control/controlclient/filter.go
+++ b/control/controlclient/filter.go
@@ -5,80 +5,16 @@
 package controlclient

 import (
-	"fmt"
-	"net"
 	"tailscale.com/tailcfg"
 	"tailscale.com/wgengine/filter"
 )

-func parseIP(host string, defaultBits int) (filter.Net, error) {
-	ip := net.ParseIP(host)
-	if ip != nil && ip.IsUnspecified() {
-		// For clarity, reject 0.0.0.0 as an input
-		return filter.NetNone, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
-	} else if ip == nil && host == "*" {
-		// User explicitly requested wildcard dst ip
-		return filter.NetAny, nil
-	} else {
-		if ip != nil {
-			ip = ip.To4()
-		}
-		if ip == nil || len(ip) != 4 {
-			return filter.NetNone, fmt.Errorf("ports=%#v: invalid IPv4 address", host)
-		}
-		return filter.Net{
-			IP:   filter.NewIP(ip),
-			Mask: filter.Netmask(defaultBits),
-		}, nil
-	}
-}
-
 // Parse a backward-compatible FilterRule used by control's wire format,
 // producing the most current filter.Matches format.
 func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) filter.Matches {
-	mm := make([]filter.Match, 0, len(pf))
-	var erracc error
-
-	for _, r := range pf {
-		m := filter.Match{}
-
-		for i, s := range r.SrcIPs {
-			bits := 32
-			if len(r.SrcBits) > i {
-				bits = r.SrcBits[i]
-			}
-			net, err := parseIP(s, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Srcs = append(m.Srcs, net)
-		}
-
-		for _, d := range r.DstPorts {
-			bits := 32
-			if d.Bits != nil {
-				bits = *d.Bits
-			}
-			net, err := parseIP(d.IP, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Dsts = append(m.Dsts, filter.NetPortRange{
-				Net: net,
-				Ports: filter.PortRange{
-					First: d.Ports.First,
-					Last:  d.Ports.Last,
-				},
-			})
-		}
-
-		mm = append(mm, m)
-	}
-
-	if erracc != nil {
-		c.logf("parsePacketFilter: %s\n", erracc)
+	mm, err := filter.MatchesFromFilterRules(pf)
+	if err != nil {
+		c.logf("parsePacketFilter: %s\n", err)
 	}
 	return mm
 }
--- a/derp/derp.go
+++ b/derp/derp.go
@@ -39,14 +39,10 @@ const (
 	keepAlive      = 60 * time.Second
 )

-// protocolVersion is bumped whenever there's a wire-incompatible change.
+// ProtocolVersion is bumped whenever there's a wire-incompatible change.
 //   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
 //   * version 2: received packets have src addrs in frameRecvPacket at beginning
-const protocolVersion = 2
-
-const (
-	protocolSrcAddrs = 2 // protocol version at which client expects src addresses
-)
+const ProtocolVersion = 2

 // frameType is the one byte frame type at the beginning of the frame
 // header.  The second field is a big-endian uint32 describing the
@@ -108,16 +104,31 @@ var bin = binary.BigEndian
 func writeUint32(bw *bufio.Writer, v uint32) error {
 	var b [4]byte
 	bin.PutUint32(b[:], v)
-	_, err := bw.Write(b[:])
-	return err
+	// Writing a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for _, c := range &b {
+		err := bw.WriteByte(c)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }

 func readUint32(br *bufio.Reader) (uint32, error) {
-	b := make([]byte, 4)
-	if _, err := io.ReadFull(br, b); err != nil {
-		return 0, err
+	var b [4]byte
+	// Reading a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for i := range &b {
+		c, err := br.ReadByte()
+		if err != nil {
+			return 0, err
+		}
+		b[i] = c
 	}
-	return bin.Uint32(b), nil
+	return bin.Uint32(b[:]), nil
 }

 func readFrameTypeHeader(br *bufio.Reader, wantType frameType) (frameLen uint32, err error) {
@@ -194,13 +205,6 @@ func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
 	return bw.Flush()
 }

-func minInt(a, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
-
 func minUint32(a, b uint32) uint32 {
 	if a < b {
 		return a
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -21,14 +21,13 @@ import (

 // Client is a DERP client.
 type Client struct {
-	serverKey    key.Public // of the DERP server; not a machine or node key
-	privateKey   key.Private
-	publicKey    key.Public // of privateKey
-	protoVersion int        // min of server+client
-	logf         logger.Logf
-	nc           Conn
-	br           *bufio.Reader
-	meshKey      string
+	serverKey  key.Public // of the DERP server; not a machine or node key
+	privateKey key.Private
+	publicKey  key.Public // of privateKey
+	logf       logger.Logf
+	nc         Conn
+	br         *bufio.Reader
+	meshKey    string

 	wmu sync.Mutex // hold while writing to bw
 	bw  *bufio.Writer
@@ -49,7 +48,8 @@ func (f clientOptFunc) update(o *clientOpt) { f(o) }

 // clientOpt are the options passed to newClient.
 type clientOpt struct {
-	MeshKey string
+	MeshKey   string
+	ServerPub key.Public
 }

 // MeshKey returns a ClientOpt to pass to the DERP server during connect to get
@@ -58,6 +58,12 @@ type clientOpt struct {
 // An empty key means to not use a mesh key.
 func MeshKey(key string) ClientOpt { return clientOptFunc(func(o *clientOpt) { o.MeshKey = key }) }

+// ServerPublicKey returns a ClientOpt to declare that the server's DERP public key is known.
+// If key is the zero value, the returned ClientOpt is a no-op.
+func ServerPublicKey(key key.Public) ClientOpt {
+	return clientOptFunc(func(o *clientOpt) { o.ServerPub = key })
+}
+
 func NewClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logger.Logf, opts ...ClientOpt) (*Client, error) {
 	var opt clientOpt
 	for _, o := range opts {
@@ -79,17 +85,16 @@ func newClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logg
 		bw:         brw.Writer,
 		meshKey:    opt.MeshKey,
 	}
-	if err := c.recvServerKey(); err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+	if opt.ServerPub.IsZero() {
+		if err := c.recvServerKey(); err != nil {
+			return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+		}
+	} else {
+		c.serverKey = opt.ServerPub
 	}
 	if err := c.sendClientKey(); err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to send client key: %v", err)
 	}
-	info, err := c.recvServerInfo()
-	if err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server info: %v", err)
-	}
-	c.protoVersion = minInt(protocolVersion, info.Version)
 	return c, nil
 }

@@ -110,12 +115,9 @@ func (c *Client) recvServerKey() error {
 	return nil
 }

-func (c *Client) recvServerInfo() (*serverInfo, error) {
-	fl, err := readFrameTypeHeader(c.br, frameServerInfo)
-	if err != nil {
-		return nil, err
-	}
+func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 	const maxLength = nonceLen + maxInfoLen
+	fl := len(b)
 	if fl < nonceLen {
 		return nil, fmt.Errorf("short serverInfo frame")
 	}
@@ -124,33 +126,27 @@ func (c *Client) recvServerInfo() (*serverInfo, error) {
 	}
 	// TODO: add a read-nonce-and-box helper
 	var nonce [nonceLen]byte
-	if _, err := io.ReadFull(c.br, nonce[:]); err != nil {
-		return nil, fmt.Errorf("nonce: %v", err)
-	}
-	msgLen := fl - nonceLen
-	msgbox := make([]byte, msgLen)
-	if _, err := io.ReadFull(c.br, msgbox); err != nil {
-		return nil, fmt.Errorf("msgbox: %v", err)
-	}
+	copy(nonce[:], b)
+	msgbox := b[nonceLen:]
 	msg, ok := box.Open(nil, msgbox, &nonce, c.serverKey.B32(), c.privateKey.B32())
 	if !ok {
-		return nil, fmt.Errorf("msgbox: cannot open len=%d with server key %x", msgLen, c.serverKey[:])
+		return nil, fmt.Errorf("failed to open naclbox from server key %x", c.serverKey[:])
 	}
 	info := new(serverInfo)
 	if err := json.Unmarshal(msg, info); err != nil {
-		return nil, fmt.Errorf("msg: %v", err)
+		return nil, fmt.Errorf("invalid JSON: %v", err)
 	}
 	return info, nil
 }

 type clientInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`

 	// MeshKey optionally specifies a pre-shared key used by
 	// trusted clients.  It's required to subscribe to the
 	// connection list & forward packets. It's empty for regular
 	// users.
-	MeshKey string // `json:"meshKey,omitempty"`
+	MeshKey string `json:"meshKey,omitempty"`
 }

 func (c *Client) sendClientKey() error {
@@ -159,7 +155,7 @@ func (c *Client) sendClientKey() error {
 		return err
 	}
 	msg, err := json.Marshal(clientInfo{
-		Version: protocolVersion,
+		Version: ProtocolVersion,
 		MeshKey: c.meshKey,
 	})
 	if err != nil {
@@ -318,6 +314,11 @@ type PeerPresentMessage key.Public

 func (PeerPresentMessage) msg() {}

+// ServerInfoMessage is sent by the server upon first connect.
+type ServerInfoMessage struct{}
+
+func (ServerInfoMessage) msg() {}
+
 // Recv reads a message from the DERP server.
 //
 // The returned message may alias memory owned by the Client; it
@@ -364,7 +365,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		// If the frame fits in our bufio.Reader buffer, just use it.
 		// In practice it's 4KB (from derphttp.Client's bufio.NewReader(httpConn)) and
 		// in practive, WireGuard packets (and thus DERP frames) are under 1.5KB.
-		// So This is the common path.
+		// So this is the common path.
 		if int(n) <= c.br.Size() {
 			b, err = c.br.Peek(int(n))
 			c.peeked = int(n)
@@ -382,6 +383,19 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		switch t {
 		default:
 			continue
+		case frameServerInfo:
+			// Server sends this at start-up. Currently unused.
+			// Just has a JSON message saying "version: 2",
+			// but the protocol seems extensible enough as-is without
+			// needing to wait an RTT to discover the version at startup.
+			// We'd prefer to give the connection to the client (magicsock)
+			// to start writing as soon as possible.
+			_, err := c.parseServerInfo(b)
+			if err != nil {
+				return nil, fmt.Errorf("invalid server info frame: %v", err)
+			}
+			// TODO: add the results of parseServerInfo to ServerInfoMessage if we ever need it.
+			return ServerInfoMessage{}, nil
 		case frameKeepAlive:
 			// TODO: eventually we'll have server->client pings that
 			// require ack pongs.
@@ -406,16 +420,12 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro

 		case frameRecvPacket:
 			var rp ReceivedPacket
-			if c.protoVersion < protocolSrcAddrs {
-				rp.Data = b[:n]
-			} else {
-				if n < keyLen {
-					c.logf("[unexpected] dropping short packet from DERP server")
-					continue
-				}
-				copy(rp.Source[:], b[:keyLen])
-				rp.Data = b[keyLen:n]
+			if n < keyLen {
+				c.logf("[unexpected] dropping short packet from DERP server")
+				continue
 			}
+			copy(rp.Source[:], b[:keyLen])
+			rp.Data = b[keyLen:n]
 			return rp, nil
 		}
 	}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -9,14 +9,19 @@ package derp
 import (
 	"bufio"
 	"context"
+	"crypto/ed25519"
 	crand "crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
+	"math/rand"
 	"os"
 	"runtime"
 	"strconv"
@@ -24,8 +29,10 @@ import (
 	"sync"
 	"time"

+	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/sync/errgroup"
+	"tailscale.com/disco"
 	"tailscale.com/metrics"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -34,6 +41,29 @@ import (

 var debug, _ = strconv.ParseBool(os.Getenv("DERP_DEBUG_LOGS"))

+// verboseDropKeys is the set of destination public keys that should
+// verbosely log whenever DERP drops a packet.
+var verboseDropKeys = map[key.Public]bool{}
+
+func init() {
+	keys := os.Getenv("TS_DEBUG_VERBOSE_DROPS")
+	if keys == "" {
+		return
+	}
+	for _, keyStr := range strings.Split(keys, ",") {
+		k, err := key.NewPublicFromHexMem(mem.S(keyStr))
+		if err != nil {
+			log.Printf("ignoring invalid debug key %q: %v", keyStr, err)
+		} else {
+			verboseDropKeys[k] = true
+		}
+	}
+}
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
 const (
 	perClientSendQueueDepth = 32 // packets buffered for sending
 	writeTimeout            = 2 * time.Second
@@ -52,16 +82,22 @@ type Server struct {
 	// before failing when writing to a client.
 	WriteTimeout time.Duration

-	privateKey key.Private
-	publicKey  key.Public
-	logf       logger.Logf
-	memSys0    uint64 // runtime.MemStats.Sys at start (or early-ish)
-	meshKey    string
+	privateKey  key.Private
+	publicKey   key.Public
+	logf        logger.Logf
+	memSys0     uint64 // runtime.MemStats.Sys at start (or early-ish)
+	meshKey     string
+	limitedLogf logger.Logf
+	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate

 	// Counters:
 	_                        [pad32bit]byte
 	packetsSent, bytesSent   expvar.Int
 	packetsRecv, bytesRecv   expvar.Int
+	packetsRecvByKind        metrics.LabelMap
+	packetsRecvDisco         *expvar.Int
+	packetsRecvOther         *expvar.Int
+	_                        [pad32bit]byte
 	packetsDropped           expvar.Int
 	packetsDroppedReason     metrics.LabelMap
 	packetsDroppedUnknown    *expvar.Int // unknown dst pubkey
@@ -136,6 +172,8 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		privateKey:           privateKey,
 		publicKey:            privateKey.Public(),
 		logf:                 logf,
+		limitedLogf:          logger.RateLimitedFn(logf, 30*time.Second, 5, 100),
+		packetsRecvByKind:    metrics.LabelMap{Label: "kind"},
 		packetsDroppedReason: metrics.LabelMap{Label: "reason"},
 		clients:              map[key.Public]*sclient{},
 		clientsEver:          map[key.Public]bool{},
@@ -145,6 +183,9 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
 	}
+	s.initMetacert()
+	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
+	s.packetsRecvOther = s.packetsRecvByKind.Get("other")
 	s.packetsDroppedUnknown = s.packetsDroppedReason.Get("unknown_dest")
 	s.packetsDroppedFwdUnknown = s.packetsDroppedReason.Get("unknown_dest_on_fwd")
 	s.packetsDroppedGone = s.packetsDroppedReason.Get("gone")
@@ -236,6 +277,50 @@ func (s *Server) Accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string) {
 	}
 }

+// initMetacert initialized s.metaCert with a self-signed x509 cert
+// encoding this server's public key and protocol version. cmd/derper
+// then sends this after the Let's Encrypt leaf + intermediate certs
+// after the ServerHello (encrypted in TLS 1.3, not that it matters
+// much).
+//
+// Then the client can save a round trip getting that and can start
+// speaking DERP right away. (We don't use ALPN because that's sent in
+// the clear and we're being paranoid to not look too weird to any
+// middleboxes, given that DERP is an ultimate fallback path). But
+// since the post-ServerHello certs are encrypted we can have the
+// client also use them as a signal to be able to start speaking DERP
+// right away, starting with its identity proof, encrypted to the
+// server's public key.
+//
+// This RTT optimization fails where there's a corp-mandated
+// TLS proxy with corp-mandated root certs on employee machines and
+// and TLS proxy cleans up unnecessary certs. In that case we just fall
+// back to the extra RTT.
+func (s *Server) initMetacert() {
+	pub, priv, err := ed25519.GenerateKey(crand.Reader)
+	if err != nil {
+		log.Fatal(err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(ProtocolVersion),
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("derpkey%x", s.publicKey[:]),
+		},
+		// Windows requires NotAfter and NotBefore set:
+		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
+		NotBefore: time.Now().Add(-30 * 24 * time.Hour),
+	}
+	cert, err := x509.CreateCertificate(crand.Reader, tmpl, tmpl, pub, priv)
+	if err != nil {
+		log.Fatalf("CreateCertificate: %v", err)
+	}
+	s.metaCert = cert
+}
+
+// MetaCert returns the server metadata cert that can be sent by the
+// TLS server to let the client skip a round trip during start-up.
+func (s *Server) MetaCert() []byte { return s.metaCert }
+
 // registerClient notes that client c is now authenticated and ready for packets.
 // If c's public key was already connected with a different connection, the prior one is closed.
 func (s *Server) registerClient(c *sclient) {
@@ -580,10 +665,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}

 	p := pkt{
-		bs: contents,
-	}
-	if dst.info.Version >= protocolSrcAddrs {
-		p.src = c.key
+		bs:  contents,
+		src: c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -616,6 +699,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		case <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
+			if verboseDropKeys[dstKey] {
+				// Generate a full string including src and dst, so
+				// the limiter kicks in once per src.
+				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+				c.s.limitedLogf(msg)
+			}
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -627,6 +716,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// this case to keep reader unblocked.
 	s.packetsDropped.Add(1)
 	s.packetsDroppedQueueTail.Add(1)
+	if verboseDropKeys[dstKey] {
+		// Generate a full string including src and dst, so
+		// the limiter kicks in once per src.
+		msg := fmt.Sprintf("head drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+		c.s.limitedLogf(msg)
+	}
 	if debug {
 		c.logf("dropping packet from client %x queue tail", dstKey)
 	}
@@ -668,7 +763,7 @@ func (s *Server) sendServerKey(bw *bufio.Writer) error {
 }

 type serverInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`
 }

 func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
@@ -676,7 +771,7 @@ func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
 	if _, err := crand.Read(nonce[:]); err != nil {
 		return err
 	}
-	msg, err := json.Marshal(serverInfo{Version: protocolVersion})
+	msg, err := json.Marshal(serverInfo{Version: ProtocolVersion})
 	if err != nil {
 		return err
 	}
@@ -738,7 +833,7 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	if frameLen < keyLen {
 		return zpub, nil, errors.New("short send packet frame")
 	}
-	if _, err := io.ReadFull(br, dstKey[:]); err != nil {
+	if err := readPublicKey(br, &dstKey); err != nil {
 		return zpub, nil, err
 	}
 	packetLen := frameLen - keyLen
@@ -751,6 +846,11 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	}
 	s.packetsRecv.Add(1)
 	s.bytesRecv.Add(int64(len(contents)))
+	if disco.LooksLikeDiscoWrapper(contents) {
+		s.packetsRecvDisco.Add(1)
+	} else {
+		s.packetsRecvOther.Add(1)
+	}
 	return dstKey, contents, nil
 }

@@ -880,11 +980,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		}
 	}()

-	jitterMs, err := crand.Int(crand.Reader, big.NewInt(5000))
-	if err != nil {
-		panic(err)
-	}
-	jitter := time.Duration(jitterMs.Int64()) * time.Millisecond
+	jitter := time.Duration(rand.Intn(5000)) * time.Millisecond
 	keepAliveTick := time.NewTicker(keepAlive + jitter)
 	defer keepAliveTick.Stop()

@@ -1040,7 +1136,8 @@ func (c *sclient) sendPacket(srcKey key.Public, contents []byte) (err error) {
 		return err
 	}
 	if withKey {
-		if _, err = c.bw.Write(srcKey[:]); err != nil {
+		err := writePublicKey(c.bw, &srcKey)
+		if err != nil {
 			return err
 		}
 	}
@@ -1181,6 +1278,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("bytes_sent", &s.bytesSent)
 	m.Set("packets_dropped", &s.packetsDropped)
 	m.Set("counter_packets_dropped_reason", &s.packetsDroppedReason)
+	m.Set("counter_packets_received_kind", &s.packetsRecvByKind)
 	m.Set("packets_sent", &s.packetsSent)
 	m.Set("packets_received", &s.packetsRecv)
 	m.Set("unknown_frames", &s.unknownFrames)
@@ -1236,3 +1334,34 @@ func (s *Server) ConsistencyCheck() error {
 	}
 	return errors.New(strings.Join(errs, ", "))
 }
+
+// readPublicKey reads key from br.
+// It is ~4x slower than io.ReadFull(br, key),
+// but it prevents key from escaping and thus being allocated.
+// If io.ReadFull(br, key) does not cause key to escape, use that instead.
+func readPublicKey(br *bufio.Reader, key *key.Public) error {
+	// Do io.ReadFull(br, key), but one byte at a time, to avoid allocation.
+	for i := range key {
+		b, err := br.ReadByte()
+		if err != nil {
+			return err
+		}
+		key[i] = b
+	}
+	return nil
+}
+
+// writePublicKey writes key to bw.
+// It is ~3x slower than bw.Write(key[:]),
+// but it prevents key from escaping and thus being allocated.
+// If bw.Write(key[:]) does not cause key to escape, use that instead.
+func writePublicKey(bw *bufio.Writer, key *key.Public) error {
+	// Do bw.Write(key[:]), but one byte at a time to avoid allocation.
+	for _, b := range key {
+		err := bw.WriteByte(b)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -8,10 +8,14 @@ import (
 	"bufio"
 	"context"
 	crand "crypto/rand"
+	"crypto/x509"
+	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"log"
 	"net"
 	"reflect"
 	"sync"
@@ -31,6 +35,22 @@ func newPrivateKey(tb testing.TB) (k key.Private) {
 	return
 }

+func TestClientInfoUnmarshal(t *testing.T) {
+	for i, in := range []string{
+		`{"Version":5,"MeshKey":"abc"}`,
+		`{"version":5,"meshKey":"abc"}`,
+	} {
+		var got clientInfo
+		if err := json.Unmarshal([]byte(in), &got); err != nil {
+			t.Fatalf("[%d]: %v", i, err)
+		}
+		want := clientInfo{Version: 5, MeshKey: "abc"}
+		if got != want {
+			t.Errorf("[%d]: got %+v; want %+v", i, got, want)
+		}
+	}
+}
+
 func TestSendRecv(t *testing.T) {
 	serverPrivateKey := newPrivateKey(t)
 	s := NewServer(serverPrivateKey, t.Logf)
@@ -79,6 +99,8 @@ func TestSendRecv(t *testing.T) {
 		if err != nil {
 			t.Fatalf("client %d: %v", i, err)
 		}
+		waitConnect(t, c)
+
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
 		t.Logf("Connected client %d.", i)
@@ -118,7 +140,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -224,6 +246,7 @@ func TestSendFreeze(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+		waitConnect(t, c)
 		return c, c2
 	}

@@ -502,7 +525,13 @@ func newTestClient(t *testing.T, ts *testServer, name string, newClient func(net
 func newRegularClient(t *testing.T, ts *testServer, name string) *testClient {
 	return newTestClient(t, ts, name, func(nc net.Conn, priv key.Private, logf logger.Logf) (*Client, error) {
 		brw := bufio.NewReadWriter(bufio.NewReader(nc), bufio.NewWriter(nc))
-		return NewClient(priv, nc, brw, logf)
+		c, err := NewClient(priv, nc, brw, logf)
+		if err != nil {
+			return nil, err
+		}
+		waitConnect(t, c)
+		return c, nil
+
 	})
 }

@@ -513,6 +542,7 @@ func newTestWatcher(t *testing.T, ts *testServer, name string) *testClient {
 		if err != nil {
 			return nil, err
 		}
+		waitConnect(t, c)
 		if err := c.WatchConnectionChanges(); err != nil {
 			return nil, err
 		}
@@ -743,6 +773,24 @@ func TestForwarderRegistration(t *testing.T) {
 	})
 }

+func TestMetaCert(t *testing.T) {
+	priv := newPrivateKey(t)
+	pub := priv.Public()
+	s := NewServer(priv, t.Logf)
+
+	certBytes := s.MetaCert()
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if fmt.Sprint(cert.SerialNumber) != fmt.Sprint(ProtocolVersion) {
+		t.Errorf("serial = %v; want %v", cert.SerialNumber, ProtocolVersion)
+	}
+	if g, w := cert.Subject.CommonName, fmt.Sprintf("derpkey%x", pub[:]); g != w {
+		t.Errorf("CommonName = %q; want %q", g, w)
+	}
+}
+
 func BenchmarkSendRecv(b *testing.B) {
 	for _, size := range []int{10, 100, 1000, 10000} {
 		b.Run(fmt.Sprintf("msgsize=%d", size), func(b *testing.B) { benchmarkSendRecvSize(b, size) })
@@ -803,3 +851,42 @@ func benchmarkSendRecvSize(b *testing.B, packetSize int) {
 		}
 	}
 }
+
+func BenchmarkWriteUint32(b *testing.B) {
+	w := bufio.NewWriter(ioutil.Discard)
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		writeUint32(w, 0x0ba3a)
+	}
+}
+
+type nopRead struct{}
+
+func (r nopRead) Read(p []byte) (int, error) {
+	return len(p), nil
+}
+
+var sinkU32 uint32
+
+func BenchmarkReadUint32(b *testing.B) {
+	r := bufio.NewReader(nopRead{})
+	var err error
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		sinkU32, err = readUint32(r)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
+}
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -14,21 +14,27 @@ import (
 	"bufio"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"net/url"
+	"os"
+	"strings"
 	"sync"
 	"time"

+	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -252,14 +258,41 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		}
 	}()

-	var httpConn net.Conn // a TCP conn or a TLS conn; what we speak HTTP to
+	var httpConn net.Conn    // a TCP conn or a TLS conn; what we speak HTTP to
+	var serverPub key.Public // or zero if unknown (if not using TLS or TLS middlebox eats it)
+	var serverProtoVersion int
 	if c.useHTTPS() {
-		httpConn = c.tlsClient(tcpConn, node)
+		tlsConn := c.tlsClient(tcpConn, node)
+		httpConn = tlsConn
+
+		// Force a handshake now (instead of waiting for it to
+		// be done implicitly on read/write) so we can check
+		// the ConnectionState.
+		if err := tlsConn.Handshake(); err != nil {
+			return nil, 0, err
+		}
+
+		// We expect to be using TLS 1.3 to our own servers, and only
+		// starting at TLS 1.3 are the server's returned certificates
+		// encrypted, so only look for and use our "meta cert" if we're
+		// using TLS 1.3. If we're not using TLS 1.3, it might be a user
+		// running cmd/derper themselves with a different configuration,
+		// in which case we can avoid this fast-start optimization.
+		// (If a corporate proxy is MITM'ing TLS 1.3 connections with
+		// corp-mandated TLS root certs than all bets are off anyway.)
+		// Note that we're not specifically concerned about TLS downgrade
+		// attacks. TLS handles that fine:
+		// https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
+		connState := tlsConn.ConnectionState()
+		if connState.Version >= tls.VersionTLS13 {
+			serverPub, serverProtoVersion = parseMetaCert(connState.PeerCertificates)
+		}
 	} else {
 		httpConn = tcpConn
 	}

 	brw := bufio.NewReadWriter(bufio.NewReader(httpConn), bufio.NewWriter(httpConn))
+	var derpClient *derp.Client

 	req, err := http.NewRequest("GET", c.urlString(node), nil)
 	if err != nil {
@@ -268,24 +301,39 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	req.Header.Set("Upgrade", "DERP")
 	req.Header.Set("Connection", "Upgrade")

-	if err := req.Write(brw); err != nil {
-		return nil, 0, err
-	}
-	if err := brw.Flush(); err != nil {
-		return nil, 0, err
-	}
+	if !serverPub.IsZero() && serverProtoVersion != 0 {
+		// parseMetaCert found the server's public key (no TLS
+		// middlebox was in the way), so skip the HTTP upgrade
+		// exchange.  See https://github.com/tailscale/tailscale/issues/693
+		// for an overview. We still send the HTTP request
+		// just to get routed into the server's HTTP Handler so it
+		// can Hijack the request, but we signal with a special header
+		// that we don't want to deal with its HTTP response.
+		req.Header.Set(fastStartHeader, "1") // suppresses the server's HTTP response
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		// No need to flush the HTTP request. the derp.Client's initial
+		// client auth frame will flush it.
+	} else {
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		if err := brw.Flush(); err != nil {
+			return nil, 0, err
+		}

-	resp, err := http.ReadResponse(brw.Reader, req)
-	if err != nil {
-		return nil, 0, err
+		resp, err := http.ReadResponse(brw.Reader, req)
+		if err != nil {
+			return nil, 0, err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			b, _ := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
+		}
 	}
-	if resp.StatusCode != http.StatusSwitchingProtocols {
-		b, _ := ioutil.ReadAll(resp.Body)
-		resp.Body.Close()
-		return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
-	}
-
-	derpClient, err := derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey))
+	derpClient, err = derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey), derp.ServerPublicKey(serverPub))
 	if err != nil {
 		return nil, 0, err
 	}
@@ -364,6 +412,14 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
+	if n := os.Getenv("SSLKEYLOGFILE"); n != "" {
+		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+		if err != nil {
+			log.Fatal(err)
+		}
+		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
+		tlsConf.KeyLogWriter = f
+	}
 	return tls.Client(nc, tlsConf)
 }

@@ -420,6 +476,19 @@ const dialNodeTimeout = 1500 * time.Millisecond
 // TODO(bradfitz): longer if no options remain perhaps? ...  Or longer
 // overall but have dialRegion start overlapping races?
 func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, error) {
+	// First see if we need to use an HTTP proxy.
+	proxyReq := &http.Request{
+		Method: "GET", // doesn't really matter
+		URL: &url.URL{
+			Scheme: "https",
+			Host:   c.tlsServerName(n),
+			Path:   "/", // unused
+		},
+	}
+	if proxyURL, err := tshttpproxy.ProxyFromEnvironment(proxyReq); err == nil && proxyURL != nil {
+		return c.dialNodeUsingProxy(ctx, n, proxyURL)
+	}
+
 	type res struct {
 		c   net.Conn
 		err error
@@ -480,6 +549,77 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	}
 }

+func firstStr(a, b string) string {
+	if a != "" {
+		return a
+	}
+	return b
+}
+
+// dialNodeUsingProxy connects to n using a CONNECT to the HTTP(s) proxy in proxyURL.
+func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, proxyURL *url.URL) (proxyConn net.Conn, err error) {
+	pu := proxyURL
+	if pu.Scheme == "https" {
+		var d tls.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "443")))
+	} else {
+		var d net.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "80")))
+	}
+	defer func() {
+		if err != nil && proxyConn != nil {
+			// In a goroutine in case it's a *tls.Conn (that can block on Close)
+			// TODO(bradfitz): track the underlying tcp.Conn and just close that instead.
+			go proxyConn.Close()
+		}
+	}()
+	if err != nil {
+		return nil, err
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+			return
+		case <-ctx.Done():
+			proxyConn.Close()
+		}
+	}()
+
+	target := net.JoinHostPort(n.HostName, "443")
+
+	var authHeader string
+	if v, err := tshttpproxy.GetAuthHeader(pu); err != nil {
+		c.logf("derphttp: error getting proxy auth header for %v: %v", proxyURL, err)
+	} else if v != "" {
+		authHeader = fmt.Sprintf("Proxy-Authorization: %s\r\n", v)
+	}
+
+	if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		return nil, err
+	}
+
+	br := bufio.NewReader(proxyConn)
+	res, err := http.ReadResponse(br, nil)
+	if err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		c.logf("derphttp: CONNECT dial to %s: %v", target, err)
+		return nil, err
+	}
+	c.logf("derphttp: CONNECT dial to %s: %v", target, res.Status)
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("invalid response status from HTTP proxy %s on CONNECT to %s: %v", pu, target, res.Status)
+	}
+	return proxyConn, nil
+}
+
 func (c *Client) Send(dstKey key.Public, b []byte) error {
 	client, _, err := c.connect(context.TODO(), "derphttp.Client.Send")
 	if err != nil {
@@ -614,3 +754,16 @@ func (c *Client) closeForReconnect(brokenClient *derp.Client) {
 }

 var ErrClientClosed = errors.New("derphttp.Client closed")
+
+func parseMetaCert(certs []*x509.Certificate) (serverPub key.Public, serverProtoVersion int) {
+	for _, cert := range certs {
+		if cn := cert.Subject.CommonName; strings.HasPrefix(cn, "derpkey") {
+			var err error
+			serverPub, err = key.NewPublicFromHexMem(mem.S(strings.TrimPrefix(cn, "derpkey")))
+			if err == nil && cert.SerialNumber.BitLen() <= 8 { // supports up to version 255
+				return serverPub, int(cert.SerialNumber.Int64())
+			}
+		}
+	}
+	return key.Public{}, 0
+}
--- a/derp/derphttp/derphttp_server.go
+++ b/derp/derphttp/derphttp_server.go
@@ -5,33 +5,51 @@
 package derphttp

 import (
+	"fmt"
 	"log"
 	"net/http"

 	"tailscale.com/derp"
 )

+// fastStartHeader is the header (with value "1") that signals to the HTTP
+// server that the DERP HTTP client does not want the HTTP 101 response
+// headers and it will begin writing & reading the DERP protocol immediately
+// following its HTTP request.
+const fastStartHeader = "Derp-Fast-Start"
+
 func Handler(s *derp.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p := r.Header.Get("Upgrade"); p != "WebSocket" && p != "DERP" {
 			http.Error(w, "DERP requires connection upgrade", http.StatusUpgradeRequired)
 			return
 		}
-		w.Header().Set("Upgrade", "DERP")
-		w.Header().Set("Connection", "Upgrade")
-		w.WriteHeader(http.StatusSwitchingProtocols)
+		fastStart := r.Header.Get(fastStartHeader) == "1"

 		h, ok := w.(http.Hijacker)
 		if !ok {
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
 		netConn, conn, err := h.Hijack()
 		if err != nil {
 			log.Printf("Hijack failed: %v", err)
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
+		if !fastStart {
+			pubKey := s.PublicKey()
+			fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
+				"Upgrade: DERP\r\n"+
+				"Connection: Upgrade\r\n"+
+				"Derp-Version: %v\r\n"+
+				"Derp-Public-Key: %x\r\n\r\n",
+				derp.ProtocolVersion,
+				pubKey[:])
+		}
+
 		s.Accept(netConn, conn, netConn.RemoteAddr().String())
 	})
 }
--- a/derp/derphttp/derphttp_test.go
+++ b/derp/derphttp/derphttp_test.go
@@ -6,7 +6,6 @@ package derphttp

 import (
 	"context"
-	crand "crypto/rand"
 	"crypto/tls"
 	"net"
 	"net/http"
@@ -19,22 +18,15 @@ import (
 )

 func TestSendRecv(t *testing.T) {
+	serverPrivateKey := key.NewPrivate()
+
 	const numClients = 3
-	var serverPrivateKey key.Private
-	if _, err := crand.Read(serverPrivateKey[:]); err != nil {
-		t.Fatal(err)
-	}
 	var clientPrivateKeys []key.Private
-	for i := 0; i < numClients; i++ {
-		var key key.Private
-		if _, err := crand.Read(key[:]); err != nil {
-			t.Fatal(err)
-		}
-		clientPrivateKeys = append(clientPrivateKeys, key)
-	}
 	var clientKeys []key.Public
-	for _, privKey := range clientPrivateKeys {
-		clientKeys = append(clientKeys, privKey.Public())
+	for i := 0; i < numClients; i++ {
+		priv := key.NewPrivate()
+		clientPrivateKeys = append(clientPrivateKeys, priv)
+		clientKeys = append(clientKeys, priv.Public())
 	}

 	s := derp.NewServer(serverPrivateKey, t.Logf)
@@ -81,6 +73,7 @@ func TestSendRecv(t *testing.T) {
 		if err := c.Connect(context.Background()); err != nil {
 			t.Fatalf("client %d Connect: %v", i, err)
 		}
+		waitConnect(t, c)
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))

@@ -95,6 +88,11 @@ func TestSendRecv(t *testing.T) {
 				}
 				m, err := c.Recv()
 				if err != nil {
+					select {
+					case <-done:
+						return
+					default:
+					}
 					t.Logf("client%d: %v", i, err)
 					break
 				}
@@ -118,7 +116,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -146,5 +144,13 @@ func TestSendRecv(t *testing.T) {
 	recv(2, string(msg2))
 	recvNothing(0)
 	recvNothing(1)
-
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(derp.ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
 }
--- a/derp/derpmap/derpmap.go
+++ b/derp/derpmap/derpmap.go
@@ -3,6 +3,13 @@
 // license that can be found in the LICENSE file.

 // Package derpmap contains information about Tailscale.com's production DERP nodes.
+//
+// This package is only used by the "tailscale netcheck" command for debugging.
+// In normal operation the Tailscale nodes get this sent to them from the control
+// server.
+//
+// TODO: remove this package and make "tailscale netcheck" get the
+// list from the control server too.
 package derpmap

 import (
@@ -21,9 +28,10 @@ func derpNode(suffix, v4, v6 string) *tailcfg.DERPNode {
 	}
 }

-func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
+func derpRegion(id int, code, name string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
 	region := &tailcfg.DERPRegion{
 		RegionID:   id,
+		RegionName: name,
 		RegionCode: code,
 		Nodes:      nodes,
 	}
@@ -45,21 +53,36 @@ func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRe
 func Prod() *tailcfg.DERPMap {
 	return &tailcfg.DERPMap{
 		Regions: map[int]*tailcfg.DERPRegion{
-			1: derpRegion(1, "nyc",
+			1: derpRegion(1, "nyc", "New York City",
 				derpNode("a", "159.89.225.99", "2604:a880:400:d1::828:b001"),
 			),
-			2: derpRegion(2, "sfo",
+			2: derpRegion(2, "sfo", "San Francisco",
 				derpNode("a", "167.172.206.31", "2604:a880:2:d1::c5:7001"),
 			),
-			3: derpRegion(3, "sin",
+			3: derpRegion(3, "sin", "Singapore",
 				derpNode("a", "68.183.179.66", "2400:6180:0:d1::67d:8001"),
 			),
-			4: derpRegion(4, "fra",
+			4: derpRegion(4, "fra", "Frankfurt",
 				derpNode("a", "167.172.182.26", "2a03:b0c0:3:e0::36e:9001"),
 			),
-			5: derpRegion(5, "syd",
+			5: derpRegion(5, "syd", "Sydney",
 				derpNode("a", "103.43.75.49", "2001:19f0:5801:10b7:5400:2ff:feaa:284c"),
 			),
+			6: derpRegion(6, "blr", "Bangalore",
+				derpNode("a", "68.183.90.120", "2400:6180:100:d0::982:d001"),
+			),
+			7: derpRegion(7, "tok", "Tokyo",
+				derpNode("a", "167.179.89.145", "2401:c080:1000:467f:5400:2ff:feee:22aa"),
+			),
+			8: derpRegion(8, "lhr", "London",
+				derpNode("a", "167.71.139.179", "2a03:b0c0:1:e0::3cc:e001"),
+			),
+			9: derpRegion(9, "dfw", "Dallas",
+				derpNode("a", "207.148.3.137", "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"),
+			),
+			10: derpRegion(10, "sea", "Seattle",
+				derpNode("a", "137.220.36.168", "2001:19f0:8001:2d9:5400:2ff:feef:bbb1"),
+			),
 		},
 	}
 }
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module tailscale.com
 go 1.14

 require (
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
 	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
 	github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29
 	github.com/coreos/go-iptables v0.4.5
@@ -11,27 +12,28 @@ require (
 	github.com/go-ole/go-ole v1.2.4
 	github.com/godbus/dbus/v5 v5.0.3
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
-	github.com/google/go-cmp v0.4.0
+	github.com/google/go-cmp v0.5.0
 	github.com/goreleaser/nfpm v1.1.10
 	github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4
 	github.com/klauspost/compress v1.10.10
-	github.com/kr/pty v1.1.1
+	github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1
 	github.com/mdlayher/netlink v1.1.0
 	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
 	github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f
-	github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a
+	github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20200706164138-185c595c3ecc
-	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
-	golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/net v0.0.0-20200625001655-4c5254603344
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20191216052735-49a3e744a425
+	golang.org/x/tools v0.0.0-20200707200213-416e8f4faf8a
+	gvisor.dev/gvisor v0.0.0-20200903175658-a842a338ecd9
 	honnef.co/go/tools v0.0.1-2020.1.4
 	inet.af/netaddr v0.0.0-20200810144936-56928fe48a98
 	rsc.io/goversion v1.2.0
--- a/go.sum
+++ b/go.sum
@@ -1,14 +1,32 @@
+bazil.org/fuse v0.0.0-20160811212531-371fbbdaa898/go.mod h1:Xbm+BRKSBEpa4q4hTSxohYNQpsxXPbPry4JJWOB3LB8=
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.52.1-0.20200122224058-0482b626c726/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Masterminds/semver/v3 v3.0.3 h1:znjIyLfpXEDQjOIEWh+ehwpTU14UzUPub3c3sm36u14=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Microsoft/go-winio v0.4.15-0.20190919025122-fc70bd9a86b5/go.mod h1:tTuCMEN+UleMWgg9dVx4Hu52b1bJo+59jBh3ajtinzw=
+github.com/Microsoft/hcsshim v0.8.6/go.mod h1:Op3hHsoHPAvb6lceZHDtd9OkTew38wNoXnJs8iY7rUg=
 github.com/alecthomas/kingpin v2.2.6+incompatible h1:5svnBTFgJjZvGKyYBtMB0+m5wvrbUHiqye8wRJMlnYI=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29 h1:muXWUcay7DDy1/hEQWrYlBy+g0EuwT70sBHg65SeUc4=
@@ -19,44 +37,139 @@ github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb h1:m935MPodAbYS46DG4
 github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb/go.mod h1:PkYb9DJNAwrSvRx5DYA+gUcOIgTGVMNkfSCbZM8cWpI=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422 h1:8eZxmY1yvxGHzdzTEhI09npjMVGzNAdrqzruTX6jcK4=
+github.com/cenkalti/backoff v1.1.1-0.20190506075156-2146c9339422/go.mod h1:b6Nc7NRH5C4aCISLry0tLnTjcuTEvoiqcWDdsU0sOGM=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/containerd/cgroups v0.0.0-20181219155423-39b18af02c41 h1:5yg0k8gqOssNLsjjCtXIADoPbAtUtQZJfC8hQ4r2oFY=
+github.com/containerd/cgroups v0.0.0-20181219155423-39b18af02c41/go.mod h1:X9rLEHIqSf/wfK8NsPqxJmeZgW4pcfzdXITDrUSJ6uI=
+github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e h1:GdiIYd8ZDOrT++e1NjhSD4rGt9zaJukHm4rt5F4mRQc=
+github.com/containerd/console v0.0.0-20191206165004-02ecf6a7291e/go.mod h1:8Pf4gM6VEbTNRIT26AyyU7hxdQU3MvAvxVI0sc00XBE=
+github.com/containerd/containerd v1.3.4 h1:3o0smo5SKY7H6AJCmJhsnCjR2/V2T8VmiHt7seN2/kI=
+github.com/containerd/containerd v1.3.4/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA=
+github.com/containerd/continuity v0.0.0-20200710164510-efbc4488d8fe/go.mod h1:cECdGN1O8G9bgKTlLhuPJimka6Xb/Gg7vYzCTNVxhvo=
+github.com/containerd/fifo v0.0.0-20191213151349-ff969a566b00 h1:lsjC5ENBl+Zgf38+B0ymougXFp0BaubeIVETltYZTQw=
+github.com/containerd/fifo v0.0.0-20191213151349-ff969a566b00/go.mod h1:jPQ2IAeZRCYxpS/Cm1495vGFww6ecHmMk1YJH2Q5ln0=
+github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328 h1:PRTagVMbJcCezLcHXe8UJvR1oBzp2lG3CEumeFOLOds=
+github.com/containerd/go-runc v0.0.0-20200220073739-7016d3ce2328/go.mod h1:PpyHrqVs8FTi9vpyHwPwiNEGaACDxT/N/pLcvMSRA9g=
+github.com/containerd/ttrpc v0.0.0-20200121165050-0be804eadb15 h1:+jgiLE5QylzgADj0Yldb4id1NQNRrDOROj7KDvY9PEc=
+github.com/containerd/ttrpc v0.0.0-20200121165050-0be804eadb15/go.mod h1:UAxOpgT9ziI0gJrmKvgcZivgxOp8iFPSk8httJEt98Y=
+github.com/containerd/typeurl v0.0.0-20200205145503-b45ef1f1f737 h1:HovfQDS/K3Mr7eyS0QJLxE1CbVUhjZCl6g3OhFJgP1o=
+github.com/containerd/typeurl v0.0.0-20200205145503-b45ef1f1f737/go.mod h1:TB1hUtrpaiO88KEK56ijojHS1+NeF0izUACaJW2mdXg=
 github.com/coreos/go-iptables v0.4.5 h1:DpHb9vJrZQEFMcVLFKAAGMUVX0XoRC0ptCthinRYm38=
 github.com/coreos/go-iptables v0.4.5/go.mod h1:/mVI274lEDI2ns62jHCDnCyBF9Iwsmekav8Dbxlm1MU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/docker/distribution v2.7.1-0.20190205005809-0d3efadf0154+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v1.4.2-0.20191028175130-9e7d5ac5ea55/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/go-connections v0.3.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
+github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw=
+github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
+github.com/dpjacques/clockwork v0.1.1-0.20190114191937-d864eecc357b/go.mod h1:D8mP2A8vVT2GkXqPorSBmhnshhkFBYgzhA90KmJt25Y=
+github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjrss6TZTdY2VfCqZPbv5k3iBFa2ZQ=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e h1:BWhy2j3IXJhjCbC68FptL43tDKIq8FladmaTs3Xs7Z8=
+github.com/godbus/dbus v0.0.0-20190422162347-ade71ed3457e/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gofrs/flock v0.6.1-0.20180915234121-886344bea079 h1:JFTFz3HZTGmgMz4E1TabNBNJljROSYgja1b4l50FNVs=
+github.com/gofrs/flock v0.6.1-0.20180915234121-886344bea079/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gogo/googleapis v1.4.0/go.mod h1:5YRNX2z1oM5gXdAkurHa942MDgEJyk02w4OecKY87+c=
+github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-github/v28 v28.1.2-0.20191108005307-e555eab49ce8/go.mod h1:g82e6OHbJ0WYrYeOrid1MMfHAtqjxBz+N74tfAt9KrQ=
+github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0 h1:BW6OvS3kpT5UEPbCZ+KyX/OB4Ks9/MNMhWjqPPkZxsE=
 github.com/google/rpmpack v0.0.0-20191226140753-aa36bfddb3a0/go.mod h1:RaTPr0KUf2K7fnZYLNDrr8rxAamWs3iNywJLtQ2AzBg=
+github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8 h1:8nlgEAjIalk6uj/CGKCdOO8CQqTeysvcW4RFZ6HbkGM=
+github.com/google/subcommands v1.0.2-0.20190508160503-636abe8753b8/go.mod h1:ZjhPrFU+Olkh9WazFPsl27BQ4UPiG37m3yTrtFlrHVk=
+github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/goreleaser/nfpm v1.1.10 h1:0nwzKUJTcygNxTzVKq2Dh9wpVP1W2biUH6SNKmoxR3w=
 github.com/goreleaser/nfpm v1.1.10/go.mod h1:oOcoGRVwvKIODz57NUfiRwFWGfn00NXdgnn6MrYtO5k=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.8 h1:CGgOkSJeqMRmt0D9XLWExdT4m4F1vd3FV3VPt+0VxkQ=
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4 h1:nwOc1YaOrYJ37sEBrtWZrdqzK22hiJs3GpDmP3sR2Yw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.10 h1:a/y8CglcM7gLGYmlbP/stPE5sR3hbhFRUjCBfd/0B3I=
 github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1 h1:zc0R6cOw98cMengLA0fvU55mqbnN7sd/tBMLzSejp+M=
+github.com/kr/pty v1.1.4-0.20190131011033-7dc38fb350b1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mattn/go-zglob v0.0.1 h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
@@ -67,108 +180,282 @@ github.com/mdlayher/netlink v1.1.0 h1:mpdLgm+brq10nI9zM1BpX1kpDbh3NLl3RSnVq6ZSkf
 github.com/mdlayher/netlink v1.1.0/go.mod h1:H4WCitaheIsdF9yOYu8CFmCgQthAPIWZmcKp9uZHgmY=
 github.com/miekg/dns v1.1.30 h1:Qww6FseFn8PRfw07jueqIXqodm0JKiiKuK0DeXSqfyo=
 github.com/miekg/dns v1.1.30/go.mod h1:KNUDUusw/aVsxyTYZM1oqvCicbwhgbNgztCETuNZ7xM=
+github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9 h1:Sha2bQdoWE5YQPTlJOL31rmce94/tYi113SlFo1xQ2c=
+github.com/mohae/deepcopy v0.0.0-20170308212314-bb9b5e7adda9/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
+github.com/opencontainers/runc v0.1.1 h1:GlxAyO6x8rfZYN9Tt0Kti5a/cP41iuiO2yYT0IJGY8Y=
+github.com/opencontainers/runc v0.1.1/go.mod h1:qT5XzbpPznkRYVz/mWwUaVBUv2rmF59PVA73FjuZG0U=
+github.com/opencontainers/runtime-spec v1.0.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/runtime-spec v1.0.2-0.20181111125026-1722abf79c2f h1:Pyp2f/uuhJIcUgnIeZaAbwOcyNz8TBlEe6mPpC8kXq8=
+github.com/opencontainers/runtime-spec v1.0.2-0.20181111125026-1722abf79c2f/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3 h1:YtFkrqsMEj7YqpIhRteVxJxCeC3jJBieuLr0d4C4rSA=
 github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
+github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
+github.com/pkg/errors v0.8.1-0.20171018195549-f15c970de5b7/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/sirupsen/logrus v1.0.4-0.20170822132746-89742aefa4b2/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
+github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/spf13/cobra v0.0.2-0.20171109065643-2da4a54c5cee/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/pflag v1.0.1-0.20171106142849-4c012f6dcd95/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2 h1:b6uOv7YOFK0TYG7HtkIgExQo+2RdLuwRft63jn2HWj8=
+github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f h1:uFj5bslHsMzxIM8UTjAhq4VXeo6GfNW91rpoh/WMJaY=
 github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
-github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a h1:dQEgNpoOJf+8MswlvXJicb8ZDQqZAGe8f/WfzbDMvtE=
-github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4 h1:UiTXdZChEWxxci7bx+jS9OyHQx2IA8zmMWQqp5wfP7c=
+github.com/tailscale/wireguard-go v0.0.0-20200902185615-1997cf6f9fe4/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
 github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
+github.com/urfave/cli v0.0.0-20171014202726-7bc6a0acffa5/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86 h1:7SWt9pGCMaw+N1ZhRsaLKaYNviFhxambdoaoYlDqz1w=
+github.com/vishvananda/netlink v1.0.1-0.20190930145447-2ec5bdc52b86/go.mod h1:+SR5DhBJrl6ZM7CoCKvpw5BKroDKQ+PJqOg65H/2ktk=
+github.com/vishvananda/netns v0.0.0-20200520041808-52d707b772fe h1:mjAZxE1nh8yvuwhGHpdDqdhtNu2dgbpk93TwoXuk5so=
+github.com/vishvananda/netns v0.0.0-20200520041808-52d707b772fe/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.uber.org/atomic v1.6.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
+go.uber.org/multierr v1.2.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go4.org/mem v0.0.0-20200706164138-185c595c3ecc h1:paujszgN6SpsO/UsXC7xax3gQAKz/XQKCYZLQdU34Tw=
 go4.org/mem v0.0.0-20200706164138-185c595c3ecc/go.mod h1:NEYvpHWemiG/E5UWfaN5QAIGZeT1sa0Z2UNk6oeMb/k=
+golang.org/x/crypto v0.0.0-20171113213409-9f005a07e0d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79 h1:IaQbIIB2X/Mp/DKctl6ROxz1KyMlKp4uyvL6+kQ7C88=
 golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5 h1:WQ8q63x+f/zpC8Ac1s9wLElVoHhm32p6tudrU72n1QA=
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190310054646-10058d7d4faa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191210023423-ac6580df4449/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200120151820-655fe14d7479/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200217220822-9197077df867/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
 golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d h1:QQrM/CCYEzTs91GZylDCQjGHudbPTxF/1fvXdVh5lMo=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d h1:/iIZNFGxc/a7C3yWjGcnboV+Tkc7mxr+p6fDztwoxuM=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200707200213-416e8f4faf8a h1:YAl/dx/kLsMMIWGqfhFHW9ckqGhmq7Ki0dfoKAgvFTE=
+golang.org/x/tools v0.0.0-20200707200213-416e8f4faf8a/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5 h1:tycE03LOZYQNhDpS27tcQdAzLCVMaj7QT2SXxebnpCM=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24 h1:wDju+RU97qa0FZT0QnZDg9Uc2dH0Ql513kFvHocz+WM=
+google.golang.org/genproto v0.0.0-20200117163144-32f20d992d24/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.29.0 h1:2pJjwYOdkZ9HlN4sWRYBg9ttH5bCOlsueaM+b/oYjwo=
+google.golang.org/grpc v1.29.0/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
+gvisor.dev/gvisor v0.0.0-20200903175658-a842a338ecd9 h1:w2M4YLwjhea3cX8qp7pOvMg97svEgPzpAcGZHb7BVwc=
+gvisor.dev/gvisor v0.0.0-20200903175658-a842a338ecd9/go.mod h1:n17AP1iZxpRCzqyHLJdpa2e1SzY1rNZ9tt3/MePxlGs=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c h1:si3Owrfem175Ry6gKqnh59eOXxDojyBTIHxUKuvK/Eo=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98 h1:bWyWDZP0l6VnQ1TDKf6yNwuiEDV6Q3q1Mv34m+lzT1I=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
 rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -62,6 +62,7 @@ type Notify struct {
 	Status        *ipnstate.Status          // full status
 	BrowseToURL   *string                   // UI should open a browser right now
 	BackendLogID  *string                   // public logtail id used by backend
+	PingResult    *ipnstate.PingResult

 	// LocalTCPPort, if non-nil, informs the UI frontend which
 	// (non-zero) localhost TCP port it's listening on.
@@ -143,6 +144,9 @@ type Backend interface {
 	// WantRunning. This may cause the wireguard engine to
 	// reconfigure or stop.
 	SetPrefs(*Prefs)
+	// SetWantRunning is like SetPrefs but sets only the
+	// WantRunning field.
+	SetWantRunning(wantRunning bool)
 	// RequestEngineStatus polls for an update from the wireguard
 	// engine. Only needed if you want to display byte
 	// counts. Connection events are emitted automatically without
@@ -156,4 +160,8 @@ type Backend interface {
 	// make sure they react properly with keys that are going to
 	// expire.
 	FakeExpireAfter(x time.Duration)
+	// Ping attempts to start connecting to the given IP and sends a Notify
+	// with its PingResult. If the host is down, there might never
+	// be a PingResult sent. The cmd/tailscale CLI client adds a timeout.
+	Ping(ip string)
 }
--- a/ipn/fake_test.go
+++ b/ipn/fake_test.go
@@ -79,6 +79,10 @@ func (b *FakeBackend) SetPrefs(new *Prefs) {
 	}
 }

+func (b *FakeBackend) SetWantRunning(v bool) {
+	b.SetPrefs(&Prefs{WantRunning: v})
+}
+
 func (b *FakeBackend) RequestEngineStatus() {
 	b.notify(Notify{Engine: &EngineStatus{}})
 }
@@ -90,3 +94,7 @@ func (b *FakeBackend) RequestStatus() {
 func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
 	b.notify(Notify{NetMap: &controlclient.NetworkMap{}})
 }
+
+func (b *FakeBackend) Ping(ip string) {
+	b.notify(Notify{PingResult: &ipnstate.PingResult{}})
+}
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -27,8 +27,10 @@ import (
 type Status struct {
 	BackendState string
 	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
-	Peer         map[key.Public]*PeerStatus
-	User         map[tailcfg.UserID]tailcfg.UserProfile
+	Self         *PeerStatus
+
+	Peer map[key.Public]*PeerStatus
+	User map[tailcfg.UserID]tailcfg.UserProfile
 }

 func (s *Status) Peers() []key.Public {
@@ -43,6 +45,7 @@ func (s *Status) Peers() []key.Public {
 type PeerStatus struct {
 	PublicKey key.Public
 	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
+	DNSName   string
 	OS        string // HostInfo.OS
 	UserID    tailcfg.UserID

@@ -88,6 +91,12 @@ type StatusBuilder struct {
 	st     Status
 }

+func (sb *StatusBuilder) SetBackendState(v string) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.BackendState = v
+}
+
 func (sb *StatusBuilder) Status() *Status {
 	sb.mu.Lock()
 	defer sb.mu.Unlock()
@@ -95,6 +104,13 @@ func (sb *StatusBuilder) Status() *Status {
 	return &sb.st
 }

+// SetSelfStatus sets the status of the local machine.
+func (sb *StatusBuilder) SetSelfStatus(ss *PeerStatus) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.Self = ss
+}
+
 // AddUser adds a user profile to the status.
 func (sb *StatusBuilder) AddUser(id tailcfg.UserID, up tailcfg.UserProfile) {
 	sb.mu.Lock()
@@ -151,6 +167,9 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if v := st.HostName; v != "" {
 		e.HostName = v
 	}
+	if v := st.DNSName; v != "" {
+		e.DNSName = v
+	}
 	if v := st.Relay; v != "" {
 		e.Relay = v
 	}
@@ -322,3 +341,21 @@ func osEmoji(os string) string {
 	}
 	return "👽"
 }
+
+// PingResult contains response information for the "tailscale ping" subcommand,
+// saying how Tailscale can reach a Tailscale IP or subnet-routed IP.
+type PingResult struct {
+	IP       string // ping destination
+	NodeIP   string // Tailscale IP of node handling IP (different for subnet routers)
+	NodeName string // DNS name base or (possibly not unique) hostname
+
+	Err            string
+	LatencySeconds float64
+
+	Endpoint string // ip:port if direct UDP was used
+
+	DERPRegionID   int    // non-zero if DERP was used
+	DERPRegionCode string // three-letter airport/region code if DERP was used
+
+	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
+}
--- a/ipn/local.go
+++ b/ipn/local.go
@@ -19,6 +19,7 @@ import (
 	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
@@ -109,11 +110,23 @@ func NewLocalBackend(logf logger.Logf, logid string, store StateStore, e wgengin
 		state:        NoState,
 		portpoll:     portpoll,
 	}
+	e.SetLinkChangeCallback(b.linkChange)
 	b.statusChanged = sync.NewCond(&b.statusLock)

 	return b, nil
 }

+func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
+	// TODO(bradfitz): on a major link change, ask controlclient
+	// whether its host (e.g. login.tailscale.com) is reachable.
+	// If not, down the world and poll for a bit. Windows' WinHTTP
+	// service might be unable to resolve its WPAD PAC URL if we
+	// have DNS/routes configured. So we need to remove that DNS
+	// and those routes to let it figure out its proxy
+	// settings. Once it's back up and happy, then we can resume
+	// and our connection to the control server would work again.
+}
+
 // Shutdown halts the backend and all its sub-components. The backend
 // can no longer be used after Shutdown returns.
 func (b *LocalBackend) Shutdown() {
@@ -144,6 +157,8 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	b.mu.Lock()
 	defer b.mu.Unlock()

+	sb.SetBackendState(b.state.String())
+
 	// TODO: hostinfo, and its networkinfo
 	// TODO: EngineStatus copy (and deprecate it?)
 	if b.netMap != nil {
@@ -164,6 +179,7 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 				UserID:       p.User,
 				TailAddr:     tailAddr,
 				HostName:     p.Hostinfo.Hostname,
+				DNSName:      p.Name,
 				OS:           p.Hostinfo.OS,
 				KeepAlive:    p.KeepAlive,
 				Created:      p.Created,
@@ -550,7 +566,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 	}
 	set(netMap.Name, netMap.Addresses)

-	dnsMap := tsdns.NewMap(nameToIP)
+	dnsMap := tsdns.NewMap(nameToIP, domainsForProxying(netMap))
 	// map diff will be logged in tsdns.Resolver.SetMap.
 	b.e.SetDNSMap(dnsMap)
 }
@@ -745,6 +761,17 @@ func (b *LocalBackend) FakeExpireAfter(x time.Duration) {
 	b.send(Notify{NetMap: b.netMap})
 }

+func (b *LocalBackend) Ping(ipStr string) {
+	ip, err := netaddr.ParseIP(ipStr)
+	if err != nil {
+		b.logf("ignoring Ping request to invalid IP %q", ipStr)
+		return
+	}
+	b.e.Ping(ip, func(pr *ipnstate.PingResult) {
+		b.send(Notify{PingResult: pr})
+	})
+}
+
 func (b *LocalBackend) parseWgStatus(s *wgengine.Status) (ret EngineStatus) {
 	var (
 		peerStats []string
@@ -765,7 +792,9 @@ func (b *LocalBackend) parseWgStatus(s *wgengine.Status) (ret EngineStatus) {
 		ret.WBytes += p.TxBytes
 	}
 	if len(peerStats) > 0 {
+		// [GRINDER STATS LINE] - please don't remove (used for log parsing)
 		b.keyLogf("peer keys: %s", strings.Join(peerKeys, " "))
+		// [GRINDER STATS LINE] - please don't remove (used for log parsing)
 		b.logf("v%v peers: %v", version.LONG, strings.Join(peerStats, " "))
 	}
 	return ret
@@ -783,6 +812,18 @@ func (b *LocalBackend) shieldsAreUp() bool {
 	return b.prefs.ShieldsUp
 }

+func (b *LocalBackend) SetWantRunning(wantRunning bool) {
+	b.mu.Lock()
+	new := b.prefs.Clone()
+	b.mu.Unlock()
+	if new.WantRunning == wantRunning {
+		return
+	}
+	new.WantRunning = wantRunning
+	b.logf("SetWantRunning: %v", wantRunning)
+	b.SetPrefs(new)
+}
+
 // SetPrefs saves new user preferences and propagates them throughout
 // the system. Implements Backend.
 func (b *LocalBackend) SetPrefs(new *Prefs) {
@@ -816,6 +857,7 @@ func (b *LocalBackend) SetPrefs(new *Prefs) {
 		}
 	}

+	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
 	b.logf("SetPrefs: %v", new.Pretty())

 	if old.ShieldsUp != new.ShieldsUp || hostInfoChanged {
--- a/ipn/loglines_test.go
+++ b/ipn/loglines_test.go
@@ -0,0 +1,107 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipn
+
+import (
+	"testing"
+	"time"
+
+	"tailscale.com/control/controlclient"
+	"tailscale.com/logtail"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tstest"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine"
+)
+
+// TestLocalLogLines tests to make sure that the log lines required for log parsing are
+// being logged by the expected functions. Update these tests if moving log lines between
+// functions.
+func TestLocalLogLines(t *testing.T) {
+	logListen := tstest.ListenFor(t.Logf, []string{
+		"SetPrefs: %v",
+		"peer keys: %s",
+		"v%v peers: %v",
+	})
+
+	logid := func(hex byte) logtail.PublicID {
+		var ret logtail.PublicID
+		for i := 0; i < len(ret); i++ {
+			ret[i] = hex
+		}
+		return ret
+	}
+	idA := logid(0xaa)
+
+	// set up a LocalBackend, super bare bones. No functional data.
+	store := &MemoryStore{
+		cache: make(map[StateKey][]byte),
+	}
+	e, err := wgengine.NewFakeUserspaceEngine(logListen.Logf, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lb, err := NewLocalBackend(logListen.Logf, idA.String(), store, e)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// custom adjustments for required non-nil fields
+	lb.prefs = NewPrefs()
+	lb.hostinfo = &tailcfg.Hostinfo{}
+	// hacky manual override of the usual log-on-change behaviour of keylogf
+	lb.keyLogf = logListen.Logf
+
+	// testing infrastructure
+	type linesTest struct {
+		name string
+		want []string
+	}
+
+	tests := []linesTest{
+		{
+			name: "after prefs",
+			want: []string{
+				"peer keys: %s",
+				"v%v peers: %v",
+			},
+		},
+		{
+			name: "after peers",
+			want: []string{},
+		},
+	}
+
+	testLogs := func(want linesTest) func(t *testing.T) {
+		return func(t *testing.T) {
+			if linesLeft := logListen.Check(); len(linesLeft) != len(want.want) {
+				t.Errorf("got %v, expected %v", linesLeft, want)
+			}
+		}
+	}
+
+	// log prefs line
+	persist := &controlclient.Persist{}
+	prefs := NewPrefs()
+	prefs.Persist = persist
+	lb.SetPrefs(prefs)
+
+	t.Run(tests[0].name, testLogs(tests[0]))
+
+	// log peers, peer keys
+	status := &wgengine.Status{
+		Peers: []wgengine.PeerStatus{wgengine.PeerStatus{
+			TxBytes:       10,
+			RxBytes:       10,
+			LastHandshake: time.Now(),
+			NodeKey:       tailcfg.NodeKey(key.NewPrivate()),
+		}},
+		LocalAddrs: []string{"idk an address"},
+	}
+	lb.parseWgStatus(status)
+
+	t.Run(tests[1].name, testLogs(tests[1]))
+}
--- a/ipn/message.go
+++ b/ipn/message.go
@@ -33,6 +33,10 @@ type FakeExpireAfterArgs struct {
 	Duration time.Duration
 }

+type PingArgs struct {
+	IP string
+}
+
 // Command is a command message that is JSON encoded and sent by a
 // frontend to a backend.
 type Command struct {
@@ -53,9 +57,11 @@ type Command struct {
 	Login                 *oauth2.Token
 	Logout                *NoArgs
 	SetPrefs              *SetPrefsArgs
+	SetWantRunning        *bool
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
 	FakeExpireAfter       *FakeExpireAfterArgs
+	Ping                  *PingArgs
 }

 type BackendServer struct {
@@ -139,6 +145,9 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
+	} else if c := cmd.SetWantRunning; c != nil {
+		bs.b.SetWantRunning(*c)
+		return nil
 	} else if c := cmd.RequestEngineStatus; c != nil {
 		bs.b.RequestEngineStatus()
 		return nil
@@ -148,6 +157,9 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 	} else if c := cmd.FakeExpireAfter; c != nil {
 		bs.b.FakeExpireAfter(c.Duration)
 		return nil
+	} else if c := cmd.Ping; c != nil {
+		bs.b.Ping(c.IP)
+		return nil
 	} else {
 		return fmt.Errorf("BackendServer.Do: no command specified")
 	}
@@ -254,6 +266,14 @@ func (bc *BackendClient) FakeExpireAfter(x time.Duration) {
 	bc.send(Command{FakeExpireAfter: &FakeExpireAfterArgs{Duration: x}})
 }

+func (bc *BackendClient) Ping(ip string) {
+	bc.send(Command{Ping: &PingArgs{IP: ip}})
+}
+
+func (bc *BackendClient) SetWantRunning(v bool) {
+	bc.send(Command{SetWantRunning: &v})
+}
+
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20

--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -31,6 +31,8 @@ import (
 	"tailscale.com/logtail/filch"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/paths"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
@@ -103,12 +105,23 @@ func (l logWriter) Write(buf []byte) (int, error) {
 // logsDir returns the directory to use for log configuration and
 // buffer storage.
 func logsDir(logf logger.Logf) string {
+	// STATE_DIRECTORY is set by systemd 240+ but we support older
+	// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
 	systemdStateDir := os.Getenv("STATE_DIRECTORY")
 	if systemdStateDir != "" {
 		logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
 		return systemdStateDir
 	}

+	// Default to e.g. /var/lib/tailscale or /var/db/tailscale on Unix.
+	if d := paths.DefaultTailscaledStateFile(); d != "" {
+		d = filepath.Dir(d) // directory of e.g. "/var/lib/tailscale/tailscaled.state"
+		if err := os.MkdirAll(d, 0700); err == nil {
+			logf("logpolicy: using system state directory %q", d)
+			return d
+		}
+	}
+
 	cacheDir, err := os.UserCacheDir()
 	if err == nil {
 		d := filepath.Join(cacheDir, "Tailscale")
@@ -419,6 +432,9 @@ func newLogtailTransport(host string) *http.Transport {
 	// Start with a copy of http.DefaultTransport and tweak it a bit.
 	tr := http.DefaultTransport.(*http.Transport).Clone()

+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
+
 	// We do our own zstd compression on uploads, and responses never contain any payload,
 	// so don't send "Accept-Encoding: gzip" to save a few bytes on the wire, since there
 	// will never be any body to decompress:
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -8,13 +8,19 @@ package interfaces
 import (
 	"fmt"
 	"net"
+	"net/http"
 	"reflect"
 	"strings"

 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/tshttpproxy"
 )

+// LoginEndpointForProxyDetermination is the URL used for testing
+// which HTTP proxy the system should use.
+var LoginEndpointForProxyDetermination = "https://login.tailscale.com/"
+
 // Tailscale returns the current machine's Tailscale interface, if any.
 // If none is found, all zero values are returned.
 // A non-nil error is only returned on a problem listing the system interfaces.
@@ -43,7 +49,8 @@ func Tailscale() (net.IP, *net.Interface, error) {
 // maybeTailscaleInterfaceName reports whether s is an interface
 // name that might be used by Tailscale.
 func maybeTailscaleInterfaceName(s string) bool {
-	return strings.HasPrefix(s, "wg") ||
+	return s == "Tailscale" ||
+		strings.HasPrefix(s, "wg") ||
 		strings.HasPrefix(s, "ts") ||
 		strings.HasPrefix(s, "tailscale") ||
 		strings.HasPrefix(s, "utun")
@@ -163,6 +170,13 @@ type State struct {
 	// considered "expensive", which currently means LTE/etc
 	// instead of Wifi. This field is not populated by GetState.
 	IsExpensive bool
+
+	// DefaultRouteInterface is the interface name for the machine's default route.
+	// It is not yet populated on all OSes.
+	DefaultRouteInterface string
+
+	// HTTPProxy is the HTTP proxy to use.
+	HTTPProxy string
 }

 func (s *State) Equal(s2 *State) bool {
@@ -175,7 +189,8 @@ func (s *State) Equal(s2 *State) bool {
 // /^tailscale/)
 func (s *State) RemoveTailscaleInterfaces() {
 	for name := range s.InterfaceIPs {
-		if strings.HasPrefix(name, "tailscale") { // TODO: use --tun flag value, etc; see TODO in method doc
+		if name == "Tailscale" || // as it is on Windows
+			strings.HasPrefix(name, "tailscale") { // TODO: use --tun flag value, etc; see TODO in method doc
 			delete(s.InterfaceIPs, name)
 			delete(s.InterfaceUp, name)
 		}
@@ -198,6 +213,16 @@ func GetState() (*State, error) {
 	}); err != nil {
 		return nil, err
 	}
+	s.DefaultRouteInterface, _ = DefaultRouteInterface()
+
+	req, err := http.NewRequest("GET", LoginEndpointForProxyDetermination, nil)
+	if err != nil {
+		return nil, err
+	}
+	if u, err := tshttpproxy.ProxyFromEnvironment(req); err == nil && u != nil {
+		s.HTTPProxy = u.String()
+	}
+
 	return s, nil
 }

--- a/net/interfaces/interfaces_darwin_cgo.go
+++ b/net/interfaces/interfaces_darwin_cgo.go
@@ -105,8 +105,6 @@ import "C"

 import (
 	"encoding/binary"
-	"fmt"
-	"os"

 	"inet.af/netaddr"
 )
@@ -117,7 +115,6 @@ func init() {

 func likelyHomeRouterIPDarwinSyscall() (ret netaddr.IP, ok bool) {
 	ip := C.privateGatewayIP()
-	fmt.Fprintln(os.Stderr, "likelyHomeRouterIPDarwinSyscall", ip)
 	if ip < 255 {
 		return netaddr.IP{}, false
 	}
--- a/net/interfaces/interfaces_defaultrouteif_todo.go
+++ b/net/interfaces/interfaces_defaultrouteif_todo.go
@@ -0,0 +1,15 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !linux
+
+package interfaces
+
+import "errors"
+
+var errTODO = errors.New("TODO")
+
+func DefaultRouteInterface() (string, error) {
+	return "TODO", errTODO
+}
--- a/net/interfaces/interfaces_linux.go
+++ b/net/interfaces/interfaces_linux.go
@@ -5,10 +5,15 @@
 package interfaces

 import (
+	"bufio"
 	"bytes"
+	"errors"
+	"io"
 	"log"
+	"os"
 	"os/exec"
 	"runtime"
+	"strings"

 	"go4.org/mem"
 	"inet.af/netaddr"
@@ -115,3 +120,91 @@ func likelyHomeRouterIPAndroid() (ret netaddr.IP, ok bool) {
 	cmd.Wait()
 	return ret, !ret.IsZero()
 }
+
+// DefaultRouteInterface returns the name of the network interface that owns
+// the default route, not including any tailscale interfaces.
+func DefaultRouteInterface() (string, error) {
+	v, err := defaultRouteInterfaceProcNet()
+	if err == nil {
+		return v, nil
+	}
+	if runtime.GOOS == "android" {
+		return defaultRouteInterfaceAndroidIPRoute()
+	}
+	return v, err
+}
+
+var zeroRouteBytes = []byte("00000000")
+
+func defaultRouteInterfaceProcNet() (string, error) {
+	f, err := os.Open("/proc/net/route")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	br := bufio.NewReaderSize(f, 128)
+	for {
+		line, err := br.ReadSlice('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", err
+		}
+		if !bytes.Contains(line, zeroRouteBytes) {
+			continue
+		}
+		fields := strings.Fields(string(line))
+		ifc := fields[0]
+		ip := fields[1]
+		netmask := fields[7]
+
+		if strings.HasPrefix(ifc, "tailscale") ||
+			strings.HasPrefix(ifc, "wg") {
+			continue
+		}
+		if ip == "00000000" && netmask == "00000000" {
+			// default route
+			return ifc, nil // interface name
+		}
+	}
+
+	return "", errors.New("no default routes found")
+
+}
+
+// defaultRouteInterfaceAndroidIPRoute tries to find the machine's default route interface name
+// by parsing the "ip route" command output. We use this on Android where /proc/net/route
+// can be missing entries or have locked-down permissions.
+// See also comments in https://github.com/tailscale/tailscale/pull/666.
+func defaultRouteInterfaceAndroidIPRoute() (ifname string, err error) {
+	cmd := exec.Command("/system/bin/ip", "route", "show", "table", "0")
+	out, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+	if err := cmd.Start(); err != nil {
+		log.Printf("interfaces: running /system/bin/ip: %v", err)
+		return "", err
+	}
+	// Search for line like "default via 10.0.2.2 dev radio0 table 1016 proto static mtu 1500 "
+	lineread.Reader(out, func(line []byte) error {
+		const pfx = "default via "
+		if !mem.HasPrefix(mem.B(line), mem.S(pfx)) {
+			return nil
+		}
+		ff := strings.Fields(string(line))
+		for i, v := range ff {
+			if i > 0 && ff[i-1] == "dev" && ifname == "" {
+				ifname = v
+			}
+		}
+		return nil
+	})
+	cmd.Process.Kill()
+	cmd.Wait()
+	if ifname == "" {
+		return "", errors.New("no default routes found")
+	}
+	return ifname, nil
+}
--- a/net/interfaces/interfaces_linux_test.go
+++ b/net/interfaces/interfaces_linux_test.go
@@ -0,0 +1,16 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package interfaces
+
+import "testing"
+
+func BenchmarkDefaultRouteInterface(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		if _, err := DefaultRouteInterface(); err != nil {
+			b.Fatal(err)
+		}
+	}
+}
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -171,6 +171,15 @@ type STUNConn interface {
 	ReadFrom([]byte) (int, net.Addr, error)
 }

+func (c *Client) enoughRegions() int {
+	if c.Verbose {
+		// Abuse verbose a bit here so netcheck can show all region latencies
+		// in verbose mode.
+		return 100
+	}
+	return 3
+}
+
 func (c *Client) logf(format string, a ...interface{}) {
 	if c.Logf != nil {
 		c.Logf(format, a...)
@@ -615,12 +624,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	ret.UDP = true
 	updateLatency(ret.RegionLatency, node.RegionID, d)

-	// Once we've heard from 3 regions, start a timer to give up
-	// on the other ones.  The timer's duration is a function of
-	// whether this is our initial full probe or an incremental
-	// one. For incremental ones, wait for the duration of the
-	// slowest region. For initial ones, double that.
-	if len(ret.RegionLatency) == 3 {
+	// Once we've heard from enough regions (3), start a timer to
+	// give up on the other ones. The timer's duration is a
+	// function of whether this is our initial full probe or an
+	// incremental one. For incremental ones, wait for the
+	// duration of the slowest region. For initial ones, double
+	// that.
+	if len(ret.RegionLatency) == rs.c.enoughRegions() {
 		timeout := maxDurationValue(ret.RegionLatency)
 		if !rs.incremental {
 			timeout *= 2
--- a/net/netns/netns_linux.go
+++ b/net/netns/netns_linux.go
@@ -5,19 +5,15 @@
 package netns

 import (
-	"bufio"
-	"bytes"
-	"errors"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"os/exec"
-	"strings"
 	"sync"
 	"syscall"

 	"golang.org/x/sys/unix"
+	"tailscale.com/net/interfaces"
 )

 // tailscaleBypassMark is the mark indicating that packets originating
@@ -43,47 +39,6 @@ func ipRuleAvailable() bool {
 	return ipRuleOnce.v
 }

-var zeroRouteBytes = []byte("00000000")
-
-// defaultRouteInterface returns the name of the network interface that owns
-// the default route, not including any tailscale interfaces. We only use
-// this in SO_BINDTODEVICE mode.
-func defaultRouteInterface() (string, error) {
-	f, err := os.Open("/proc/net/route")
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	br := bufio.NewReaderSize(f, 128)
-	for {
-		line, err := br.ReadSlice('\n')
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return "", err
-		}
-		if !bytes.Contains(line, zeroRouteBytes) {
-			continue
-		}
-		fields := strings.Fields(string(line))
-		ifc := fields[0]
-		ip := fields[1]
-		netmask := fields[7]
-
-		if strings.HasPrefix(ifc, "tailscale") ||
-			strings.HasPrefix(ifc, "wg") {
-			continue
-		}
-		if ip == "00000000" && netmask == "00000000" {
-			// default route
-			return ifc, nil // interface name
-		}
-	}
-
-	return "", errors.New("no default routes found")
-}
-
 // ignoreErrors returns true if we should ignore setsocketopt errors in
 // this instance.
 func ignoreErrors() bool {
@@ -133,7 +88,7 @@ func setBypassMark(fd uintptr) error {
 }

 func bindToDevice(fd uintptr) error {
-	ifc, err := defaultRouteInterface()
+	ifc, err := interfaces.DefaultRouteInterface()
 	if err != nil {
 		// Make sure we bind to *some* interface,
 		// or we could get a routing loop.
--- a/net/netns/netns_linux_test.go
+++ b/net/netns/netns_linux_test.go
@@ -49,12 +49,3 @@ func TestBypassMarkInSync(t *testing.T) {
 	}
 	t.Errorf("tailscaleBypassMark not found in router_linux.go")
 }
-
-func BenchmarkDefaultRouteInterface(b *testing.B) {
-	b.ReportAllocs()
-	for i := 0; i < b.N; i++ {
-		if _, err := defaultRouteInterface(); err != nil {
-			b.Fatal(err)
-		}
-	}
-}
--- a/net/stun/stun.go
+++ b/net/stun/stun.go
@@ -137,15 +137,15 @@ func foreachAttr(b []byte, fn func(attrType uint16, a []byte) error) error {
 		}
 		attrType := binary.BigEndian.Uint16(b[:2])
 		attrLen := int(binary.BigEndian.Uint16(b[2:4]))
-		attrLenPad := attrLen % 4
+		attrLenWithPad := (attrLen + 3) &^ 3
 		b = b[4:]
-		if attrLen+attrLenPad > len(b) {
+		if attrLenWithPad > len(b) {
 			return ErrMalformedAttrs
 		}
 		if err := fn(attrType, b[:attrLen]); err != nil {
 			return err
 		}
-		b = b[attrLen+attrLenPad:]
+		b = b[attrLenWithPad:]
 	}
 	return nil
 }
--- a/net/stun/stun_test.go
+++ b/net/stun/stun_test.go
@@ -140,6 +140,41 @@ var responseTests = []struct {
 		wantAddr: net.ParseIP("2602:d1:b4cf:c100:38b2:31ff:feef:96f6"),
 		wantPort: 37070,
 	},
+
+	// Testing STUN attribute padding rules using STUN software attribute
+	// with values of 1 & 3 length respectively before the XorMappedAddress attribute
+	{
+		name: "software-a",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x14, 0x21, 0x12, 0xa4, 0x42,
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e, 0x80, 0x22, 0x00, 0x01,
+			0x61, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xce, 0x66, 0x5e, 0x12, 0xa4, 0x43,
+		},
+		wantTID: []byte{
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e,
+		},
+		wantAddr: []byte{127, 0, 0, 1},
+		wantPort: 61300,
+	},
+	{
+		name: "software-abc",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x14, 0x21, 0x12, 0xa4, 0x42,
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e, 0x80, 0x22, 0x00, 0x03,
+			0x61, 0x62, 0x63, 0x00, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xce, 0x66, 0x5e, 0x12, 0xa4, 0x43,
+		},
+		wantTID: []byte{
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e,
+		},
+		wantAddr: []byte{127, 0, 0, 1},
+		wantPort: 61300,
+	},
 }

 func TestParseResponse(t *testing.T) {
--- a/net/tshttpproxy/tshttpproxy.go
+++ b/net/tshttpproxy/tshttpproxy.go
@@ -0,0 +1,60 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package tshttpproxy contains Tailscale additions to httpproxy not available
+// in golang.org/x/net/http/httpproxy. Notably, it aims to support Windows better.
+package tshttpproxy
+
+import (
+	"net/http"
+	"net/url"
+	"os"
+)
+
+// sysProxyFromEnv, if non-nil, specifies a platform-specific ProxyFromEnvironment
+// func to use if http.ProxyFromEnvironment doesn't return a proxy.
+// For example, WPAD PAC files on Windows.
+var sysProxyFromEnv func(*http.Request) (*url.URL, error)
+
+func ProxyFromEnvironment(req *http.Request) (*url.URL, error) {
+	u, err := http.ProxyFromEnvironment(req)
+	if u != nil && err == nil {
+		return u, nil
+	}
+
+	if sysProxyFromEnv != nil {
+		u, err := sysProxyFromEnv(req)
+		if u != nil && err == nil {
+			return u, nil
+		}
+	}
+
+	return nil, err
+}
+
+var sysAuthHeader func(*url.URL) (string, error)
+
+// GetAuthHeader returns the Authorization header value to send to proxy u.
+func GetAuthHeader(u *url.URL) (string, error) {
+	if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
+		return fake, nil
+	}
+	if sysAuthHeader != nil {
+		return sysAuthHeader(u)
+	}
+	return "", nil
+}
+
+var condSetTransportGetProxyConnectHeader func(*http.Transport)
+
+// SetTarnsportGetProxyConnectHeader sets the provided Transport's
+// GetProxyConnectHeader field, if the current build of Go supports
+// it.
+//
+// See https://github.com/golang/go/issues/41048.
+func SetTransportGetProxyConnectHeader(tr *http.Transport) {
+	if f := condSetTransportGetProxyConnectHeader; f != nil {
+		f(tr)
+	}
+}
--- a/net/tshttpproxy/tshttpproxy_future.go
+++ b/net/tshttpproxy/tshttpproxy_future.go
@@ -0,0 +1,45 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build tailscale_go
+
+// We want to use https://github.com/golang/go/issues/41048 but it's only in the
+// Tailscale Go tree for now. Hence the build tag above.
+
+package tshttpproxy
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+)
+
+const proxyAuthHeader = "Proxy-Authorization"
+
+func init() {
+	condSetTransportGetProxyConnectHeader = func(tr *http.Transport) {
+		tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
+			v, err := GetAuthHeader(proxyURL)
+			if err != nil {
+				log.Printf("failed to get proxy Auth header for %v; ignoring: %v", proxyURL, err)
+				return nil, nil
+			}
+			if v == "" {
+				return nil, nil
+			}
+			return http.Header{proxyAuthHeader: []string{v}}, nil
+		}
+		tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
+			auth := connectReq.Header.Get(proxyAuthHeader)
+			const truncLen = 20
+			if len(auth) > truncLen {
+				auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
+			}
+			log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
+			return nil
+		}
+	}
+}
--- a/net/tshttpproxy/tshttpproxy_windows.go
+++ b/net/tshttpproxy/tshttpproxy_windows.go
@@ -0,0 +1,213 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tshttpproxy
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/alexbrainman/sspi/negotiate"
+	"golang.org/x/sys/windows"
+)
+
+var (
+	winHTTP            = windows.NewLazySystemDLL("winhttp.dll")
+	httpOpenProc       = winHTTP.NewProc("WinHttpOpen")
+	closeHandleProc    = winHTTP.NewProc("WinHttpCloseHandle")
+	getProxyForUrlProc = winHTTP.NewProc("WinHttpGetProxyForUrl")
+)
+
+func init() {
+	sysProxyFromEnv = proxyFromWinHTTPOrCache
+	sysAuthHeader = sysAuthHeaderWindows
+}
+
+var cachedProxy struct {
+	sync.Mutex
+	val *url.URL
+}
+
+func proxyFromWinHTTPOrCache(req *http.Request) (*url.URL, error) {
+	if req.URL == nil {
+		return nil, nil
+	}
+	urlStr := req.URL.String()
+
+	ctx, cancel := context.WithTimeout(req.Context(), 5*time.Second)
+	defer cancel()
+
+	type result struct {
+		proxy *url.URL
+		err   error
+	}
+	resc := make(chan result, 1)
+	go func() {
+		proxy, err := proxyFromWinHTTP(ctx, urlStr)
+		resc <- result{proxy, err}
+	}()
+
+	select {
+	case res := <-resc:
+		err := res.err
+		if err == nil {
+			cachedProxy.Lock()
+			defer cachedProxy.Unlock()
+			if was, now := fmt.Sprint(cachedProxy.val), fmt.Sprint(res.proxy); was != now {
+				log.Printf("tshttpproxy: winhttp: updating cached proxy setting from %v to %v", was, now)
+			}
+			cachedProxy.val = res.proxy
+			return res.proxy, nil
+		}
+
+		// See https://docs.microsoft.com/en-us/windows/win32/winhttp/error-messages
+		const ERROR_WINHTTP_AUTODETECTION_FAILED = 12180
+		if err == syscall.Errno(ERROR_WINHTTP_AUTODETECTION_FAILED) {
+			return nil, nil
+		}
+		log.Printf("tshttpproxy: winhttp: GetProxyForURL(%q): %v/%#v", urlStr, err, err)
+		return nil, err
+	case <-ctx.Done():
+		cachedProxy.Lock()
+		defer cachedProxy.Unlock()
+		log.Printf("tshttpproxy: winhttp: GetProxyForURL(%q): timeout; using cached proxy %v", urlStr, cachedProxy.val)
+		return cachedProxy.val, nil
+	}
+}
+
+func proxyFromWinHTTP(ctx context.Context, urlStr string) (proxy *url.URL, err error) {
+	whi, err := winHTTPOpen()
+	if err != nil {
+		log.Printf("winhttp: Open: %v", err)
+		return nil, err
+	}
+	defer whi.Close()
+
+	t0 := time.Now()
+	v, err := whi.GetProxyForURL(urlStr)
+	td := time.Since(t0).Round(time.Millisecond)
+	if err := ctx.Err(); err != nil {
+		log.Printf("tshttpproxy: winhttp: context canceled, ignoring GetProxyForURL(%q) after %v", urlStr, td)
+		return nil, err
+	}
+	if err != nil {
+		return nil, err
+	}
+	if v == "" {
+		return nil, nil
+	}
+	// Discard all but first proxy value for now.
+	if i := strings.Index(v, ";"); i != -1 {
+		v = v[:i]
+	}
+	if !strings.HasPrefix(v, "https://") {
+		v = "http://" + v
+	}
+	return url.Parse(v)
+}
+
+var userAgent = windows.StringToUTF16Ptr("Tailscale")
+
+const (
+	winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY = 4
+	winHTTP_AUTOPROXY_ALLOW_AUTOCONFIG  = 0x00000100
+	winHTTP_AUTOPROXY_AUTO_DETECT       = 1
+	winHTTP_AUTO_DETECT_TYPE_DHCP       = 0x00000001
+	winHTTP_AUTO_DETECT_TYPE_DNS_A      = 0x00000002
+)
+
+func winHTTPOpen() (winHTTPInternet, error) {
+	if err := httpOpenProc.Find(); err != nil {
+		return 0, err
+	}
+	r, _, err := httpOpenProc.Call(
+		uintptr(unsafe.Pointer(userAgent)),
+		winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY,
+		0, /* WINHTTP_NO_PROXY_NAME */
+		0, /* WINHTTP_NO_PROXY_BYPASS */
+		0)
+	if r == 0 {
+		return 0, err
+	}
+	return winHTTPInternet(r), nil
+}
+
+type winHTTPInternet windows.Handle
+
+func (hi winHTTPInternet) Close() error {
+	if err := closeHandleProc.Find(); err != nil {
+		return err
+	}
+	r, _, err := closeHandleProc.Call(uintptr(hi))
+	if r == 1 {
+		return nil
+	}
+	return err
+}
+
+// WINHTTP_AUTOPROXY_OPTIONS
+// https://docs.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_autoproxy_options
+type autoProxyOptions struct {
+	DwFlags                uint32
+	DwAutoDetectFlags      uint32
+	AutoConfigUrl          *uint16
+	_                      uintptr
+	_                      uint32
+	FAutoLogonIfChallenged bool
+}
+
+// WINHTTP_PROXY_INFO
+// https://docs.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_proxy_info
+type winHTTPProxyInfo struct {
+	AccessType  uint16
+	Proxy       *uint16
+	ProxyBypass *uint16
+}
+
+var proxyForURLOpts = &autoProxyOptions{
+	DwFlags:           winHTTP_AUTOPROXY_ALLOW_AUTOCONFIG | winHTTP_AUTOPROXY_AUTO_DETECT,
+	DwAutoDetectFlags: winHTTP_AUTO_DETECT_TYPE_DHCP, // | winHTTP_AUTO_DETECT_TYPE_DNS_A,
+}
+
+func (hi winHTTPInternet) GetProxyForURL(urlStr string) (string, error) {
+	if err := getProxyForUrlProc.Find(); err != nil {
+		return "", err
+	}
+	var out winHTTPProxyInfo
+	r, _, err := getProxyForUrlProc.Call(
+		uintptr(hi),
+		uintptr(unsafe.Pointer(windows.StringToUTF16Ptr(urlStr))),
+		uintptr(unsafe.Pointer(proxyForURLOpts)),
+		uintptr(unsafe.Pointer(&out)))
+	if r == 1 {
+		return windows.UTF16PtrToString(out.Proxy), nil
+	}
+	return "", err
+}
+
+func sysAuthHeaderWindows(u *url.URL) (string, error) {
+	spn := "HTTP/" + u.Hostname()
+	creds, err := negotiate.AcquireCurrentUserCredentials()
+	if err != nil {
+		return "", fmt.Errorf("negotiate.AcquireCurrentUserCredentials: %w", err)
+	}
+	defer creds.Release()
+
+	secCtx, token, err := negotiate.NewClientContext(creds, spn)
+	if err != nil {
+		return "", fmt.Errorf("negotiate.NewClientContext: %w", err)
+	}
+	defer secCtx.Release()
+
+	return "Negotiate " + base64.StdEncoding.EncodeToString(token), nil
+}
--- a/portlist/netstat.go
+++ b/portlist/netstat.go
@@ -41,6 +41,10 @@ func parsePort(s string) int {
 	return int(port)
 }

+func isLoopbackAddr(s string) bool {
+	return strings.HasPrefix(s, "127.0.0.1:") || strings.HasPrefix(s, "127.0.0.1.")
+}
+
 type nothing struct{}

 // Lowest common denominator parser for "netstat -na" format.
@@ -74,7 +78,7 @@ func parsePortsNetstat(output string) List {
 				// not interested in non-listener sockets
 				continue
 			}
-			if strings.HasPrefix(laddr, "127.0.0.1:") || strings.HasPrefix(laddr, "127.0.0.1.") {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}
@@ -85,7 +89,7 @@ func parsePortsNetstat(output string) List {
 			proto = "udp"
 			laddr = cols[len(cols)-2]
 			raddr = cols[len(cols)-1]
-			if strings.HasPrefix(laddr, "127.0.0.1:") || strings.HasPrefix(laddr, "127.0.0.1.") {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}
--- a/portlist/portlist_macos.go
+++ b/portlist/portlist_macos.go
@@ -95,9 +95,12 @@ func addProcesses(pl []Port) ([]Port, error) {
 			if port > 0 {
 				pp := ProtoPort{proto, uint16(port)}
 				p := m[pp]
-				if p != nil {
+				switch {
+				case p != nil:
 					p.Process = cmd
-				} else {
+				case isLoopbackAddr(val):
+					// ignore
+				default:
 					fmt.Fprintf(os.Stderr, "weird: missing %v\n", pp)
 				}
 			}
--- a/tailcfg/derpmap.go
+++ b/tailcfg/derpmap.go
@@ -51,6 +51,10 @@ type DERPRegion struct {
 	// "fra", etc.
 	RegionCode string

+	// RegionName is a long English name for the region: "New York City",
+	// "San Francisco", "Singapore", "Frankfurt", etc.
+	RegionName string
+
 	// Nodes are the DERP nodes running in this region, in
 	// priority order for the current client. Client TLS
 	// connections should ideally only go to the first entry
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -4,7 +4,7 @@

 package tailcfg

-//go:generate go run tailscale.com/cmd/cloner -type=User,Node,Hostinfo,NetInfo -output=tailcfg_clone.go
+//go:generate go run tailscale.com/cmd/cloner -type=User,Node,Hostinfo,NetInfo,Group,Role,Capability -output=tailcfg_clone.go

 import (
 	"bytes"
@@ -496,10 +496,18 @@ var FilterAllowAll = []FilterRule{

 // DNSConfig is the DNS configuration.
 type DNSConfig struct {
+	// Nameservers are the IP addresses of the nameservers to use.
 	Nameservers []netaddr.IP `json:",omitempty"`
-	Domains     []string     `json:",omitempty"`
-	PerDomain   bool
-	Proxied     bool
+	// Domains are the search domains to use.
+	Domains []string `json:",omitempty"`
+	// PerDomain indicates whether it is preferred to use Nameservers
+	// only for DNS queries for subdomains of Domains.
+	// Some OSes and OS configurations don't support per-domain DNS configuration,
+	// in which case Nameservers applies to all DNS requests regardless of PerDomain's value.
+	PerDomain bool
+	// Proxied indicates whether DNS requests are proxied through a tsdns.Resolver.
+	// This enables Magic DNS. It is togglable independently of PerDomain.
+	Proxied bool
 }

 type MapResponse struct {
@@ -563,6 +571,17 @@ type Debug struct {
 	// always do its background STUN queries (see magicsock's
 	// periodicReSTUN), regardless of inactivity.
 	ForceBackgroundSTUN bool `json:",omitempty"`
+
+	// DERPRoute controls whether the DERP reverse path
+	// optimization (see Issue 150) should be enabled or
+	// disabled. The environment variable in magicsock is the
+	// highest priority (if set), then this (if set), then the
+	// binary default value.
+	DERPRoute opt.Bool `json:",omitempty"`
+
+	// TrimWGConfig controls whether Tailscale does lazy, on-demand
+	// wireguard configuration of peers.
+	TrimWGConfig opt.Bool `json:",omitempty"`
 }

 func (k MachineKey) String() string                   { return fmt.Sprintf("mkey:%x", k[:]) }
@@ -628,6 +647,7 @@ func (n *Node) Equal(n2 *Node) bool {
 		eqCIDRs(n.Addresses, n2.Addresses) &&
 		eqCIDRs(n.AllowedIPs, n2.AllowedIPs) &&
 		eqStrings(n.Endpoints, n2.Endpoints) &&
+		n.DERP == n2.DERP &&
 		n.Hostinfo.Equal(&n2.Hostinfo) &&
 		n.Created.Equal(n2.Created) &&
 		eqTimePtr(n.LastSeen, n2.LastSeen) &&
--- a/tailcfg/tailcfg_clone.go
+++ b/tailcfg/tailcfg_clone.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Code generated by tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo; DO NOT EDIT.
+// Code generated by tailscale.com/cmd/cloner -type User,Node,Hostinfo,NetInfo,Group,Role,Capability; DO NOT EDIT.

 package tailcfg

@@ -73,3 +73,38 @@ func (src *NetInfo) Clone() *NetInfo {
 	}
 	return dst
 }
+
+// Clone makes a deep copy of Group.
+// The result aliases no memory with the original.
+func (src *Group) Clone() *Group {
+	if src == nil {
+		return nil
+	}
+	dst := new(Group)
+	*dst = *src
+	dst.Members = append(src.Members[:0:0], src.Members...)
+	return dst
+}
+
+// Clone makes a deep copy of Role.
+// The result aliases no memory with the original.
+func (src *Role) Clone() *Role {
+	if src == nil {
+		return nil
+	}
+	dst := new(Role)
+	*dst = *src
+	dst.Capabilities = append(src.Capabilities[:0:0], src.Capabilities...)
+	return dst
+}
+
+// Clone makes a deep copy of Capability.
+// The result aliases no memory with the original.
+func (src *Capability) Clone() *Capability {
+	if src == nil {
+		return nil
+	}
+	dst := new(Capability)
+	*dst = *src
+	return dst
+}
--- a/tailcfg/tailcfg_test.go
+++ b/tailcfg/tailcfg_test.go
@@ -315,6 +315,11 @@ func TestNodeEqual(t *testing.T) {
 			&Node{LastSeen: &now},
 			true,
 		},
+		{
+			&Node{DERP: "foo"},
+			&Node{DERP: "bar"},
+			false,
+		},
 	}
 	for i, tt := range tests {
 		got := tt.a.Equal(tt.b)
--- a/tstest/log.go
+++ b/tstest/log.go
@@ -7,7 +7,10 @@ package tstest
 import (
 	"log"
 	"os"
+	"sync"
 	"testing"
+
+	"tailscale.com/types/logger"
 )

 type testLogWriter struct {
@@ -41,3 +44,48 @@ func (panicLogWriter) Write(b []byte) (int, error) {
 func PanicOnLog() {
 	log.SetOutput(panicLogWriter{})
 }
+
+// ListenFor produces a LogListener wrapping a given logf with the given logStrings
+func ListenFor(logf logger.Logf, logStrings []string) *LogListener {
+	ret := LogListener{
+		logf:      logf,
+		listenFor: logStrings,
+		seen:      make(map[string]bool),
+	}
+	for _, line := range logStrings {
+		ret.seen[line] = false
+	}
+	return &ret
+}
+
+// LogListener takes a list of log lines to listen for
+type LogListener struct {
+	logf      logger.Logf
+	listenFor []string
+
+	mu   sync.Mutex
+	seen map[string]bool
+}
+
+// Logf records and logs a given line
+func (ll *LogListener) Logf(format string, args ...interface{}) {
+	ll.mu.Lock()
+	if _, ok := ll.seen[format]; ok {
+		ll.seen[format] = true
+	}
+	ll.mu.Unlock()
+	ll.logf(format, args)
+}
+
+// Check returns which lines haven't been logged yet
+func (ll *LogListener) Check() []string {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+	var notSeen []string
+	for _, line := range ll.listenFor {
+		if !ll.seen[line] {
+			notSeen = append(notSeen, line)
+		}
+	}
+	return notSeen
+}
--- a/tstest/log_test.go
+++ b/tstest/log_test.go
@@ -0,0 +1,46 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tstest
+
+import "testing"
+
+func TestLogListener(t *testing.T) {
+	var (
+		l1 = "line 1: %s"
+		l2 = "line 2: %s"
+		l3 = "line 3: %s"
+
+		lineList = []string{l1, l2}
+	)
+
+	ll := ListenFor(t.Logf, lineList)
+
+	if len(ll.Check()) != len(lineList) {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
+	}
+
+	ll.Logf(l3, "hi")
+
+	if len(ll.Check()) != len(lineList) {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
+	}
+
+	ll.Logf(l1, "hi")
+
+	if len(ll.Check()) != len(lineList)-1 {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
+	}
+
+	ll.Logf(l1, "bye")
+
+	if len(ll.Check()) != len(lineList)-1 {
+		t.Errorf("expected %v, got %v", lineList, ll.Check())
+	}
+
+	ll.Logf(l2, "hi")
+	if ll.Check() != nil {
+		t.Errorf("expected empty list, got ll.Check()")
+	}
+}
--- a/tsweb/jsonhandler.go
+++ b/tsweb/jsonhandler.go
@@ -7,7 +7,6 @@ package tsweb
 import (
 	"encoding/json"
 	"net/http"
-	"reflect"
 )

 type response struct {
@@ -16,119 +15,59 @@ type response struct {
 	Data   interface{} `json:"data,omitempty"`
 }

-func responseSuccess(data interface{}) *response {
-	return &response{
-		Status: "success",
-		Data:   data,
-	}
-}
+// TODO: Header

-func responseError(e string) *response {
-	return &response{
-		Status: "error",
-		Error:  e,
-	}
-}
+// JSONHandlerFunc only take *http.Request as argument to avoid any misuse of http.ResponseWriter.
+// The function's results must be (status int, data interface{}, err error).
+// Return a HTTPError to show an error message, otherwise JSONHandler will only show "internal server error".
+type JSONHandlerFunc func(r *http.Request) (status int, data interface{}, err error)

-func writeResponse(w http.ResponseWriter, s int, resp *response) {
-	b, _ := json.Marshal(resp)
+// ServeHTTP calls the JSONHandlerFunc and automatically marshals http responses.
+//
+// Use the following code to unmarshal the request body
+//	body := new(DataType)
+//	if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+//	  return http.StatusBadRequest, nil, err
+//	}
+//
+// Check jsonhandler_text.go for examples
+func (fn JSONHandlerFunc) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(s)
+	var resp *response
+	status, data, err := fn(r)
+	if status == 0 {
+		status = http.StatusInternalServerError
+		resp = &response{
+			Status: "error",
+			Error:  "internal server error",
+		}
+	} else if err == nil {
+		resp = &response{
+			Status: "success",
+			Data:   data,
+		}
+	} else {
+		if werr, ok := err.(HTTPError); ok {
+			resp = &response{
+				Status: "error",
+				Error:  werr.Msg,
+				Data:   data,
+			}
+		} else {
+			resp = &response{
+				Status: "error",
+				Error:  "internal server error",
+			}
+		}
+	}
+
+	b, err := json.Marshal(resp)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		w.Write([]byte(`{"status":"error","error":"json marshal error"}`))
+		return
+	}
+
+	w.WriteHeader(status)
 	w.Write(b)
 }
-
-func checkFn(t reflect.Type) {
-	h := reflect.TypeOf(http.HandlerFunc(nil))
-	switch t.NumIn() {
-	case 2, 3:
-		if !t.In(0).AssignableTo(h.In(0)) {
-			panic("first argument must be http.ResponseWriter")
-		}
-		if !t.In(1).AssignableTo(h.In(1)) {
-			panic("second argument must be *http.Request")
-		}
-	default:
-		panic("JSONHandler: number of input parameter should be 2 or 3")
-	}
-
-	switch t.NumOut() {
-	case 1:
-		if !t.Out(0).Implements(reflect.TypeOf((*error)(nil)).Elem()) {
-			panic("return value must be error")
-		}
-	case 2:
-		if !t.Out(1).Implements(reflect.TypeOf((*error)(nil)).Elem()) {
-			panic("second return value must be error")
-		}
-	default:
-		panic("JSONHandler: number of return values should be 1 or 2")
-	}
-}
-
-// JSONHandler wraps an HTTP handler function with a version that automatically
-// unmarshals and marshals requests and responses respectively into fn's arguments
-// and results.
-//
-// The fn parameter is a function. It must take two or three input arguments.
-// The first two arguments must be http.ResponseWriter and *http.Request.
-// The optional third argument can be of any type representing the JSON input.
-// The function's results can be either (error) or (T, error), where T is the
-// JSON-marshalled result type.
-//
-// For example:
-// fn := func(w http.ResponseWriter, r *http.Request, in *Req) (*Res, error) { ... }
-func JSONHandler(fn interface{}) http.Handler {
-	v := reflect.ValueOf(fn)
-	t := v.Type()
-	checkFn(t)
-
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		wv := reflect.ValueOf(w)
-		rv := reflect.ValueOf(r)
-		var vs []reflect.Value
-
-		switch t.NumIn() {
-		case 2:
-			vs = v.Call([]reflect.Value{wv, rv})
-		case 3:
-			dv := reflect.New(t.In(2))
-			err := json.NewDecoder(r.Body).Decode(dv.Interface())
-			if err != nil {
-				writeResponse(w, http.StatusBadRequest, responseError("bad json"))
-				return
-			}
-			vs = v.Call([]reflect.Value{wv, rv, dv.Elem()})
-		default:
-			panic("JSONHandler: number of input parameter should be 2 or 3")
-		}
-
-		var e reflect.Value
-		switch len(vs) {
-		case 1:
-			// todo support other error types
-			if vs[0].IsZero() {
-				writeResponse(w, http.StatusOK, responseSuccess(nil))
-				return
-			}
-			e = vs[0]
-		case 2:
-			if vs[1].IsZero() {
-				if !vs[0].IsZero() {
-					writeResponse(w, http.StatusOK, responseSuccess(vs[0].Interface()))
-				}
-				return
-			}
-			e = vs[1]
-		default:
-			panic("JSONHandler: number of return values should be 1 or 2")
-		}
-
-		if e.Type().AssignableTo(reflect.TypeOf(HTTPError{})) {
-			err := e.Interface().(HTTPError)
-			writeResponse(w, err.Code, responseError(err.Error()))
-		} else {
-			err := e.Interface().(error)
-			writeResponse(w, http.StatusBadRequest, responseError(err.Error()))
-		}
-	})
-}
--- a/tsweb/jsonhandler_test.go
+++ b/tsweb/jsonhandler_test.go
@@ -5,9 +5,8 @@
 package tsweb

 import (
-	"bytes"
 	"encoding/json"
-	"errors"
+	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"strings"
@@ -26,7 +25,7 @@ type Response struct {
 }

 func TestNewJSONHandler(t *testing.T) {
-	checkStatus := func(w *httptest.ResponseRecorder, status string) *Response {
+	checkStatus := func(w *httptest.ResponseRecorder, status string, code int) *Response {
 		d := &Response{
 			Data: &Data{},
 		}
@@ -44,6 +43,10 @@ func TestNewJSONHandler(t *testing.T) {
 			t.Fatalf("wrong status: %s %s", d.Status, status)
 		}

+		if w.Code != code {
+			t.Fatalf("wrong status code: %d %d", w.Code, code)
+		}
+
 		if w.Header().Get("Content-Type") != "application/json" {
 			t.Fatalf("wrong content type: %s", w.Header().Get("Content-Type"))
 		}
@@ -51,163 +54,139 @@ func TestNewJSONHandler(t *testing.T) {
 		return d
 	}

-	// 2 1
-	h21 := JSONHandler(func(w http.ResponseWriter, r *http.Request) error {
-		return nil
+	h21 := JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+		return http.StatusOK, nil, nil
 	})

-	t.Run("2 1 simple", func(t *testing.T) {
+	t.Run("200 simple", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
 		h21.ServeHTTP(w, r)
-		checkStatus(w, "success")
+		checkStatus(w, "success", http.StatusOK)
 	})

-	t.Run("2 1 HTTPError", func(t *testing.T) {
-		h := JSONHandler(func(w http.ResponseWriter, r *http.Request) HTTPError {
-			return Error(http.StatusForbidden, "forbidden", nil)
+	t.Run("403 HTTPError", func(t *testing.T) {
+		h := JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+			return http.StatusForbidden, nil, fmt.Errorf("forbidden")
 		})

 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
 		h.ServeHTTP(w, r)
-		if w.Code != http.StatusForbidden {
-			t.Fatalf("wrong code: %d %d", w.Code, http.StatusForbidden)
-		}
+		checkStatus(w, "error", http.StatusForbidden)
 	})

-	// 2 2
-	h22 := JSONHandler(func(w http.ResponseWriter, r *http.Request) (*Data, error) {
-		return &Data{Name: "tailscale"}, nil
+	h22 := JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+		return http.StatusOK, &Data{Name: "tailscale"}, nil
 	})
-	t.Run("2 2 get data", func(t *testing.T) {
+
+	t.Run("200 get data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("GET", "/", nil)
 		h22.ServeHTTP(w, r)
-		checkStatus(w, "success")
+		checkStatus(w, "success", http.StatusOK)
 	})

-	// 3 1
-	h31 := JSONHandler(func(w http.ResponseWriter, r *http.Request, d *Data) error {
-		if d.Name == "" {
-			return errors.New("name is empty")
+	h31 := JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+		body := new(Data)
+		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+			return http.StatusBadRequest, nil, err
 		}

-		return nil
+		if body.Name == "" {
+			return http.StatusBadRequest, nil, Error(http.StatusBadGateway, "name is empty", nil)
+		}
+
+		return http.StatusOK, nil, nil
 	})
-	t.Run("3 1 post data", func(t *testing.T) {
+	t.Run("200 post data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "tailscale"}`))
 		h31.ServeHTTP(w, r)
-		checkStatus(w, "success")
+		checkStatus(w, "success", http.StatusOK)
 	})

-	t.Run("3 1 bad json", func(t *testing.T) {
+	t.Run("400 bad json", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{`))
 		h31.ServeHTTP(w, r)
-		checkStatus(w, "error")
+		checkStatus(w, "error", http.StatusBadRequest)
 	})

-	t.Run("3 1 post data error", func(t *testing.T) {
+	t.Run("400 post data error", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
 		h31.ServeHTTP(w, r)
-		resp := checkStatus(w, "error")
+		resp := checkStatus(w, "error", http.StatusBadRequest)
 		if resp.Error != "name is empty" {
 			t.Fatalf("wrong error")
 		}
 	})

-	// 3 2
-	h32 := JSONHandler(func(w http.ResponseWriter, r *http.Request, d *Data) (*Data, error) {
-		if d.Price == 0 {
-			return nil, errors.New("price is empty")
+	h32 := JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+		body := new(Data)
+		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
+			return http.StatusBadRequest, nil, err
+		}
+		if body.Name == "root" {
+			return http.StatusInternalServerError, nil, fmt.Errorf("invalid name")
+		}
+		if body.Price == 0 {
+			return http.StatusBadRequest, nil, Error(http.StatusBadGateway, "price is empty", nil)
 		}

-		return &Data{Price: d.Price * 2}, nil
+		return http.StatusOK, &Data{Price: body.Price * 2}, nil
 	})
-	t.Run("3 2 post data", func(t *testing.T) {
+
+	t.Run("200 post data", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Price": 10}`))
 		h32.ServeHTTP(w, r)
-		resp := checkStatus(w, "success")
+		resp := checkStatus(w, "success", http.StatusOK)
 		t.Log(resp.Data)
 		if resp.Data.Price != 20 {
 			t.Fatalf("wrong price: %d %d", resp.Data.Price, 10)
 		}
 	})

-	t.Run("3 2 post data error", func(t *testing.T) {
+	t.Run("400 post data error", func(t *testing.T) {
 		w := httptest.NewRecorder()
 		r := httptest.NewRequest("POST", "/", strings.NewReader(`{}`))
 		h32.ServeHTTP(w, r)
-		resp := checkStatus(w, "error")
+		resp := checkStatus(w, "error", http.StatusBadRequest)
 		if resp.Error != "price is empty" {
 			t.Fatalf("wrong error")
 		}
 	})

-	// fn check
-	shouldPanic := func() {
-		r := recover()
-		if r == nil {
-			t.Fatalf("should panic")
-		}
-		t.Log(r)
-	}
-
-	t.Run("2 0 panic", func(t *testing.T) {
-		defer shouldPanic()
-		JSONHandler(func(w http.ResponseWriter, r *http.Request) {})
-	})
-
-	t.Run("2 1 panic return value", func(t *testing.T) {
-		defer shouldPanic()
-		JSONHandler(func(w http.ResponseWriter, r *http.Request) string {
-			return ""
-		})
-	})
-
-	t.Run("2 1 panic arguments", func(t *testing.T) {
-		defer shouldPanic()
-		JSONHandler(func(r *http.Request, w http.ResponseWriter) error {
-			return nil
-		})
-	})
-
-	t.Run("3 1 panic arguments", func(t *testing.T) {
-		defer shouldPanic()
-		JSONHandler(func(name string, r *http.Request, w http.ResponseWriter) error {
-			return nil
-		})
-	})
-
-	t.Run("3 2 panic return value", func(t *testing.T) {
-		defer shouldPanic()
-		//lint:ignore ST1008 intentional
-		JSONHandler(func(name string, r *http.Request, w http.ResponseWriter) (error, string) {
-			return nil, "panic"
-		})
-	})
-
-	t.Run("2 2 forbidden", func(t *testing.T) {
-		code := http.StatusForbidden
-		body := []byte("forbidden")
-		h := JSONHandler(func(w http.ResponseWriter, r *http.Request) (*Data, error) {
-			w.WriteHeader(code)
-			w.Write(body)
-			return nil, nil
-		})
-
+	t.Run("500 internal server error", func(t *testing.T) {
 		w := httptest.NewRecorder()
-		r := httptest.NewRequest("GET", "/", nil)
-		h.ServeHTTP(w, r)
-		if w.Code != http.StatusForbidden {
-			t.Fatalf("wrong code: %d %d", w.Code, code)
+		r := httptest.NewRequest("POST", "/", strings.NewReader(`{"Name": "root"}`))
+		h32.ServeHTTP(w, r)
+		resp := checkStatus(w, "error", http.StatusInternalServerError)
+		if resp.Error != "internal server error" {
+			t.Fatalf("wrong error")
 		}
-		if !bytes.Equal(w.Body.Bytes(), []byte("forbidden")) {
-			t.Fatalf("wrong body: %s %s", w.Body.Bytes(), body)
+	})
+
+	t.Run("500 misuse", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("POST", "/", nil)
+		JSONHandlerFunc(func(r *http.Request) (int, interface{}, error) {
+			return http.StatusOK, make(chan int), nil
+		}).ServeHTTP(w, r)
+		resp := checkStatus(w, "error", http.StatusInternalServerError)
+		if resp.Error != "json marshal error" {
+			t.Fatalf("wrong error")
 		}
 	})
+
+	t.Run("500 empty status code", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("POST", "/", nil)
+		JSONHandlerFunc(func(r *http.Request) (status int, data interface{}, err error) {
+			return
+		}).ServeHTTP(w, r)
+		checkStatus(w, "error", http.StatusInternalServerError)
+	})
 }
--- a/types/key/key.go
+++ b/types/key/key.go
@@ -28,6 +28,8 @@ func NewPrivate() Private {
 	if _, err := io.ReadFull(crand.Reader, p[:]); err != nil {
 		panic(err)
 	}
+	p[0] &= 248
+	p[31] = (p[31] & 127) | 64
 	return p
 }

--- a/types/key/key_test.go
+++ b/types/key/key_test.go
@@ -6,6 +6,8 @@ package key

 import (
 	"testing"
+
+	"github.com/tailscale/wireguard-go/wgcfg"
 )

 func TestTextUnmarshal(t *testing.T) {
@@ -22,3 +24,31 @@ func TestTextUnmarshal(t *testing.T) {
 		t.Fatalf("mismatch; got %x want %x", p2, p)
 	}
 }
+
+func TestClamping(t *testing.T) {
+	t.Run("NewPrivate", func(t *testing.T) { testClamping(t, NewPrivate) })
+
+	// Also test the wgcfg package, as their behavior should match.
+	t.Run("wgcfg", func(t *testing.T) {
+		testClamping(t, func() Private {
+			k, err := wgcfg.NewPrivateKey()
+			if err != nil {
+				t.Fatal(err)
+			}
+			return Private(k)
+		})
+	})
+}
+
+func testClamping(t *testing.T, newKey func() Private) {
+	for i := 0; i < 100; i++ {
+		k := newKey()
+		if k[0]&0b111 != 0 {
+			t.Fatalf("Bogus clamping in first byte: %#08b", k[0])
+			return
+		}
+		if k[31]>>6 != 1 {
+			t.Fatalf("Bogus clamping in last byte: %#08b", k[0])
+		}
+	}
+}
--- a/version/version.go
+++ b/version/version.go
@@ -7,5 +7,5 @@
 // Package version provides the version that the binary was built at.
 package version

-const LONG = "date.20200806"
+const LONG = "date.20200820"
 const SHORT = LONG
--- a/wgengine/filter/filter.go
+++ b/wgengine/filter/filter.go
@@ -7,11 +7,13 @@ package filter

 import (
 	"fmt"
+	"net"
 	"sync"
 	"time"

 	"github.com/golang/groupcache/lru"
 	"golang.org/x/time/rate"
+	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/wgengine/packet"
 )
@@ -129,6 +131,79 @@ func maybeHexdump(flag RunFlags, b []byte) string {
 	return packet.Hexdump(b) + "\n"
 }

+// MatchesFromFilterRules parse a number of wire-format FilterRule values into
+// the Matches format.
+// If an error is returned, the Matches result is still valid, containing the rules that
+// were successfully converted.
+func MatchesFromFilterRules(pf []tailcfg.FilterRule) (Matches, error) {
+	mm := make([]Match, 0, len(pf))
+	var erracc error
+
+	for _, r := range pf {
+		m := Match{}
+
+		for i, s := range r.SrcIPs {
+			bits := 32
+			if len(r.SrcBits) > i {
+				bits = r.SrcBits[i]
+			}
+			net, err := parseIP(s, bits)
+			if err != nil && erracc == nil {
+				erracc = err
+				continue
+			}
+			m.Srcs = append(m.Srcs, net)
+		}
+
+		for _, d := range r.DstPorts {
+			bits := 32
+			if d.Bits != nil {
+				bits = *d.Bits
+			}
+			net, err := parseIP(d.IP, bits)
+			if err != nil && erracc == nil {
+				erracc = err
+				continue
+			}
+			m.Dsts = append(m.Dsts, NetPortRange{
+				Net: net,
+				Ports: PortRange{
+					First: d.Ports.First,
+					Last:  d.Ports.Last,
+				},
+			})
+		}
+
+		mm = append(mm, m)
+	}
+	return mm, erracc
+}
+
+func parseIP(host string, defaultBits int) (Net, error) {
+	ip := net.ParseIP(host)
+	if ip != nil && ip.IsUnspecified() {
+		// For clarity, reject 0.0.0.0 as an input
+		return NetNone, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
+	} else if ip == nil && host == "*" {
+		// User explicitly requested wildcard dst ip
+		return NetAny, nil
+	} else {
+		if ip != nil {
+			ip = ip.To4()
+		}
+		if ip == nil || len(ip) != 4 {
+			return NetNone, fmt.Errorf("ports=%#v: invalid IPv4 address", host)
+		}
+		if len(ip) == 4 && (defaultBits < 0 || defaultBits > 32) {
+			return NetNone, fmt.Errorf("invalid CIDR size %d for host %q", defaultBits, host)
+		}
+		return Net{
+			IP:   NewIP(ip),
+			Mask: Netmask(defaultBits),
+		}, nil
+	}
+}
+
 // TODO(apenwarr): use a bigger bucket for specifically TCP SYN accept logging?
 //   Logging is a quick way to record every newly opened TCP connection, but
 //   we have to be cautious about flooding the logs vs letting people use
--- a/wgengine/filter/filter_test.go
+++ b/wgengine/filter/filter_test.go
@@ -8,6 +8,7 @@ import (
 	"encoding/binary"
 	"encoding/hex"
 	"encoding/json"
+	"net"
 	"strings"
 	"testing"

@@ -162,6 +163,35 @@ func TestNoAllocs(t *testing.T) {
 	}
 }

+func TestParseIP(t *testing.T) {
+	tests := []struct {
+		host    string
+		bits    int
+		want    Net
+		wantErr string
+	}{
+		{"8.8.8.8", 24, Net{IP: packet.NewIP(net.ParseIP("8.8.8.8")), Mask: packet.NewIP(net.ParseIP("255.255.255.0"))}, ""},
+		{"8.8.8.8", 33, Net{}, `invalid CIDR size 33 for host "8.8.8.8"`},
+		{"8.8.8.8", -1, Net{}, `invalid CIDR size -1 for host "8.8.8.8"`},
+		{"0.0.0.0", 24, Net{}, `ports="0.0.0.0": to allow all IP addresses, use *:port, not 0.0.0.0:port`},
+		{"*", 24, NetAny, ""},
+		{"fe80::1", 128, NetNone, `ports="fe80::1": invalid IPv4 address`},
+	}
+	for _, tt := range tests {
+		got, err := parseIP(tt.host, tt.bits)
+		if err != nil {
+			if err.Error() == tt.wantErr {
+				continue
+			}
+			t.Errorf("parseIP(%q, %v) error: %v; want error %q", tt.host, tt.bits, err, tt.wantErr)
+		}
+		if got != tt.want {
+			t.Errorf("parseIP(%q, %v) = %#v; want %#v", tt.host, tt.bits, got, tt.want)
+			continue
+		}
+	}
+}
+
 func BenchmarkFilter(b *testing.B) {
 	acl := newFilter(b.Logf)

--- a/wgengine/magicsock/magicsock.go
+++ b/wgengine/magicsock/magicsock.go
@@ -70,7 +70,8 @@ var (
 	// debugUseDerpRoute temporarily (2020-03-22) controls whether DERP
 	// reverse routing is enabled (Issue 150). It will become always true
 	// later.
-	debugUseDerpRoute, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_ENABLE_DERP_ROUTE"))
+	debugUseDerpRouteEnv = os.Getenv("TS_DEBUG_ENABLE_DERP_ROUTE")
+	debugUseDerpRoute, _ = strconv.ParseBool(debugUseDerpRouteEnv)
 	// logDerpVerbose logs all received DERP packets, including their
 	// full payload.
 	logDerpVerbose, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_DERP"))
@@ -81,6 +82,19 @@ var (
 	debugReSTUNStopOnIdle, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_RESTUN_STOP_ON_IDLE"))
 )

+// useDerpRoute reports whether magicsock should enable the DERP
+// return path optimization (Issue 150).
+func useDerpRoute() bool {
+	if debugUseDerpRouteEnv != "" {
+		return debugUseDerpRoute
+	}
+	ob := controlclient.DERPRouteFlag()
+	if v, ok := ob.Get(); ok {
+		return v
+	}
+	return false
+}
+
 // inTest reports whether the running program is a test that set the
 // IN_TS_TEST environment variable.
 //
@@ -99,6 +113,7 @@ type Conn struct {
 	pconn4           *RebindingUDPConn
 	pconn6           *RebindingUDPConn // non-nil if IPv6 available
 	epFunc           func(endpoints []string)
+	derpActiveFunc   func()
 	logf             logger.Logf
 	sendLogLimit     *rate.Limiter
 	netChecker       *netcheck.Client
@@ -267,6 +282,10 @@ type Options struct {
 	// endpoints change. The called func does not own the slice.
 	EndpointsFunc func(endpoint []string)

+	// DERPActiveFunc optionally provides a func to be called when
+	// a connection is made to a DERP server.
+	DERPActiveFunc func()
+
 	// IdleFunc optionally provides a func to return how long
 	// it's been since a TUN packet was sent or received.
 	IdleFunc func() time.Duration
@@ -303,6 +322,13 @@ func (o *Options) endpointsFunc() func([]string) {
 	return o.EndpointsFunc
 }

+func (o *Options) derpActiveFunc() func() {
+	if o == nil || o.DERPActiveFunc == nil {
+		return func() {}
+	}
+	return o.DERPActiveFunc
+}
+
 // newConn is the error-free, network-listening-side-effect-free based
 // of NewConn. Mostly for tests.
 func newConn() *Conn {
@@ -332,6 +358,7 @@ func NewConn(opts Options) (*Conn, error) {
 	c.pconnPort = opts.Port
 	c.logf = opts.logf()
 	c.epFunc = opts.endpointsFunc()
+	c.derpActiveFunc = opts.derpActiveFunc()
 	c.idleFunc = opts.IdleFunc
 	c.packetListener = opts.PacketListener
 	c.noteRecvActivity = opts.NoteRecvActivity
@@ -567,6 +594,107 @@ func (c *Conn) SetNetInfoCallback(fn func(*tailcfg.NetInfo)) {
 	}
 }

+// peerForIP returns the Node in nm that's responsible for
+// handling the given IP address.
+func peerForIP(nm *controlclient.NetworkMap, ip netaddr.IP) (n *tailcfg.Node, ok bool) {
+	if nm == nil {
+		return nil, false
+	}
+	wgIP := wgcfg.IP{Addr: ip.As16()}
+	// Check for exact matches before looking for subnet matches.
+	for _, p := range nm.Peers {
+		for _, a := range p.Addresses {
+			if a.IP == wgIP {
+				return p, true
+			}
+		}
+	}
+	for _, p := range nm.Peers {
+		for _, cidr := range p.AllowedIPs {
+			if cidr.Contains(wgIP) {
+				return p, true
+			}
+		}
+	}
+	return nil, false
+}
+
+// Ping handles a "tailscale ping" CLI query.
+func (c *Conn) Ping(ip netaddr.IP, cb func(*ipnstate.PingResult)) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	res := &ipnstate.PingResult{IP: ip.String()}
+	if c.privateKey.IsZero() {
+		res.Err = "local tailscaled stopped"
+		cb(res)
+		return
+	}
+	peer, ok := peerForIP(c.netMap, ip)
+	if !ok {
+		res.Err = "no matching peer"
+		cb(res)
+		return
+	}
+	if len(peer.Addresses) > 0 {
+		res.NodeIP = peer.Addresses[0].IP.String()
+	}
+	res.NodeName = peer.Name // prefer DNS name
+	if res.NodeName == "" {
+		res.NodeName = peer.Hostinfo.Hostname // else hostname
+	} else {
+		if i := strings.Index(res.NodeName, "."); i != -1 {
+			res.NodeName = res.NodeName[:i]
+		}
+	}
+
+	dk, ok := c.discoOfNode[peer.Key]
+	if !ok {
+		res.Err = "no discovery key for peer (pre 0.100?)"
+		cb(res)
+		return
+	}
+	de, ok := c.endpointOfDisco[dk]
+	if !ok {
+		c.mu.Unlock() // temporarily release
+		if c.noteRecvActivity != nil {
+			c.noteRecvActivity(dk)
+		}
+		c.mu.Lock() // re-acquire
+
+		// re-check at least basic invariant:
+		if c.privateKey.IsZero() {
+			res.Err = "local tailscaled stopped"
+			cb(res)
+			return
+		}
+
+		de, ok = c.endpointOfDisco[dk]
+		if !ok {
+			res.Err = "internal error: failed to create endpoint for discokey"
+			cb(res)
+			return
+		}
+		c.logf("magicsock: started peer %v for ping to %v", dk.ShortString(), peer.Key.ShortString())
+	}
+	de.cliPing(res, cb)
+}
+
+// c.mu must be held
+func (c *Conn) populateCLIPingResponseLocked(res *ipnstate.PingResult, latency time.Duration, ep netaddr.IPPort) {
+	res.LatencySeconds = latency.Seconds()
+	if ep.IP != derpMagicIPAddr {
+		res.Endpoint = ep.String()
+		return
+	}
+	regionID := int(ep.Port)
+	res.DERPRegionID = regionID
+	if c.derpMap != nil {
+		if dr, ok := c.derpMap.Regions[regionID]; ok {
+			res.DERPRegionCode = dr.RegionCode
+		}
+	}
+}
+
 // DiscoPublicKey returns the discovery public key.
 func (c *Conn) DiscoPublicKey() tailcfg.DiscoKey {
 	c.mu.Lock()
@@ -1010,7 +1138,7 @@ func (c *Conn) derpWriteChanOfAddr(addr netaddr.IPPort, peer key.Public) chan<-
 	// perhaps peer's home is Frankfurt, but they dialed our home DERP
 	// node in SF to reach us, so we can reply to them using our
 	// SF connection rather than dialing Frankfurt. (Issue 150)
-	if !peer.IsZero() && debugUseDerpRoute {
+	if !peer.IsZero() && useDerpRoute() {
 		if r, ok := c.derpRoute[peer]; ok {
 			if ad, ok := c.activeDerp[r.derpID]; ok && ad.c == r.dc {
 				c.setPeerLastDerpLocked(peer, r.derpID, regionID)
@@ -1091,6 +1219,7 @@ func (c *Conn) derpWriteChanOfAddr(addr netaddr.IPPort, peer key.Public) chan<-

 	go c.runDerpReader(ctx, addr, dc, wg, startGate)
 	go c.runDerpWriter(ctx, dc, ch, wg, startGate)
+	go c.derpActiveFunc()

 	return ad.writeCh
 }
@@ -1636,6 +1765,7 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) bool {
 		needsRecvActivityCall = de.isFirstRecvActivityInAwhile()
 	}
 	if needsRecvActivityCall && c.noteRecvActivity != nil {
+		c.logf("magicsock: got disco message from idle peer, starting lazy conf for %v, %v", peerNode.Key.ShortString(), sender.ShortString())
 		// We can't hold Conn.mu while calling noteRecvActivity.
 		// noteRecvActivity acquires userspaceEngine.wgLock (and per our
 		// lock ordering rules: wgLock must come first), and also calls
@@ -1724,27 +1854,21 @@ func (c *Conn) handleDiscoMessage(msg []byte, src netaddr.IPPort) bool {
 	return true
 }

-// de may be nil
 func (c *Conn) handlePingLocked(dm *disco.Ping, de *discoEndpoint, src netaddr.IPPort, sender tailcfg.DiscoKey, peerNode *tailcfg.Node) {
 	if peerNode == nil {
 		c.logf("magicsock: disco: [unexpected] ignoring ping from unknown peer Node")
 		return
 	}
-	likelyHeartBeat := de != nil && src == de.lastPingFrom && time.Since(de.lastPingTime) < 5*time.Second
-	var discoShort string
-	if de != nil {
-		discoShort = de.discoShort
-		de.lastPingFrom = src
-		de.lastPingTime = time.Now()
-	} else {
-		discoShort = sender.ShortString()
-	}
+	likelyHeartBeat := src == de.lastPingFrom && time.Since(de.lastPingTime) < 5*time.Second
+	de.lastPingFrom = src
+	de.lastPingTime = time.Now()
 	if !likelyHeartBeat || debugDisco {
-		c.logf("magicsock: disco: %v<-%v (%v, %v)  got ping tx=%x", c.discoShort, discoShort, peerNode.Key.ShortString(), src, dm.TxID[:6])
+		c.logf("magicsock: disco: %v<-%v (%v, %v)  got ping tx=%x", c.discoShort, de.discoShort, peerNode.Key.ShortString(), src, dm.TxID[:6])
 	}

 	// Remember this route if not present.
 	c.setAddrToDiscoLocked(src, sender, nil)
+	de.addCandidateEndpoint(src)

 	ipDst := src
 	discoDest := sender
@@ -2658,7 +2782,7 @@ func (c *Conn) CreateBind(uint16) (conn.Bind, uint16, error) {
 //
 // The key is the public key of the peer and addrs is either:
 //
-//  1) a comma-separated list of UDP ip:ports (the the peer doesn't have a discovery key)
+//  1) a comma-separated list of UDP ip:ports (the peer doesn't have a discovery key)
 //  2) "<hex-discovery-key>.disco.tailscale:12345", a magic value that means the peer
 //     is running code that supports active discovery, so CreateEndpoint returns
 //     a discoEndpoint.
@@ -2911,6 +3035,21 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	c.mu.Lock()
 	defer c.mu.Unlock()

+	ss := &ipnstate.PeerStatus{
+		PublicKey: c.privateKey.Public(),
+		Addrs:     c.lastEndpoints,
+	}
+	if c.netMap != nil {
+		ss.HostName = c.netMap.Hostinfo.Hostname
+		ss.OS = c.netMap.Hostinfo.OS
+	}
+	if c.derpMap != nil {
+		derpRegion, ok := c.derpMap.Regions[c.myDerp]
+		if ok {
+			ss.Relay = derpRegion.RegionCode
+		}
+	}
+
 	if c.netMap != nil {
 		for _, addr := range c.netMap.Addresses {
 			if (addr.IP.Is4() && addr.Mask != 32) || (addr.IP.Is6() && addr.Mask != 128) {
@@ -2918,9 +3057,11 @@ func (c *Conn) UpdateStatus(sb *ipnstate.StatusBuilder) {
 			}
 			if ip, ok := netaddr.FromStdIP(addr.IP.IP()); ok {
 				sb.AddTailscaleIP(ip)
+				ss.TailAddr = ip.String()
 			}
 		}
 	}
+	sb.SetSelfStatus(ss)

 	for dk, n := range c.nodeOfDisco {
 		ps := &ipnstate.PeerStatus{InMagicSock: true}
@@ -2987,6 +3128,13 @@ type discoEndpoint struct {
 	trustBestAddrUntil time.Time // time when bestAddr expires
 	sentPing           map[stun.TxID]sentPing
 	endpointState      map[netaddr.IPPort]*endpointState
+
+	pendingCLIPings []pendingCLIPing // any outstanding "tailscale ping" commands running
+}
+
+type pendingCLIPing struct {
+	res *ipnstate.PingResult
+	cb  func(*ipnstate.PingResult)
 }

 const (
@@ -3025,11 +3173,44 @@ const (
 // a discoEndpoint. (The subject is the discoEndpoint.endpointState
 // map key)
 type endpointState struct {
-	// all fields guarded by discoEndpoint.mu:
-	lastPing    time.Time
+	// all fields guarded by discoEndpoint.mu
+
+	// lastPing is the last (outgoing) ping time.
+	lastPing time.Time
+
+	// lastGotPing, if non-zero, means that this was an endpoint
+	// that we learned about at runtime (from an incoming ping)
+	// and that is not in the network map. If so, we keep the time
+	// updated and use it to discard old candidates.
+	lastGotPing time.Time
+
 	recentPongs []pongReply // ring buffer up to pongHistoryCount entries
-	recentPong  uint16      // index into recentPongs of most recent; older , wrapped
-	index       int16       // index in nodecfg.Node.Endpoints
+	recentPong  uint16      // index into recentPongs of most recent; older before, wrapped
+
+	index int16 // index in nodecfg.Node.Endpoints; meaningless if lastGotPing non-zero
+}
+
+// indexSentinelDeleted is the temporary value that endpointState.index takes while
+// a discoEndpoint's endpoints are being updated from a new network map.
+const indexSentinelDeleted = -1
+
+// shouldDeleteLocked reports whether we should delete this endpoint.
+func (st *endpointState) shouldDeleteLocked() bool {
+	switch {
+	case st.lastGotPing.IsZero():
+		// This was an endpoint from the network map. Is it still in the network map?
+		return st.index == indexSentinelDeleted
+	default:
+		// Thiw was an endpoint discovered at runtime.
+		return time.Since(st.lastGotPing) > sessionActiveTimeout
+	}
+}
+
+func (de *discoEndpoint) deleteEndpointLocked(ep netaddr.IPPort) {
+	delete(de.endpointState, ep)
+	if de.bestAddr == ep {
+		de.bestAddr = netaddr.IPPort{}
+	}
 }

 // pongHistoryCount is how many pongReply values we keep per endpointState
@@ -3186,6 +3367,33 @@ func (de *discoEndpoint) noteActiveLocked() {
 	}
 }

+// cliPing starts a ping for the "tailscale ping" command. res is value to call cb with,
+// already partially filled.
+func (de *discoEndpoint) cliPing(res *ipnstate.PingResult, cb func(*ipnstate.PingResult)) {
+	de.mu.Lock()
+	defer de.mu.Unlock()
+
+	de.pendingCLIPings = append(de.pendingCLIPings, pendingCLIPing{res, cb})
+
+	now := time.Now()
+	udpAddr, derpAddr := de.addrForSendLocked(now)
+	if !derpAddr.IsZero() {
+		de.startPingLocked(derpAddr, now, pingCLI)
+	}
+	if !udpAddr.IsZero() && now.Before(de.trustBestAddrUntil) {
+		// Already have an active session, so just ping the address we're using.
+		// Otherwise "tailscale ping" results to a node on the local network
+		// can look like they're bouncing between, say 10.0.0.0/9 and the peer's
+		// IPv6 address, both 1ms away, and it's random who replies first.
+		de.startPingLocked(udpAddr, now, pingCLI)
+	} else {
+		for ep := range de.endpointState {
+			de.startPingLocked(ep, now, pingCLI)
+		}
+	}
+	de.noteActiveLocked()
+}
+
 func (de *discoEndpoint) send(b []byte) error {
 	now := time.Now()

@@ -3265,17 +3473,23 @@ const (
 	// pingHeartbeat means that purpose of a ping was whether a
 	// peer was still there.
 	pingHeartbeat
+
+	// pingCLI means that the user is running "tailscale ping"
+	// from the CLI. These types of pings can go over DERP.
+	pingCLI
 )

 func (de *discoEndpoint) startPingLocked(ep netaddr.IPPort, now time.Time, purpose discoPingPurpose) {
-	st, ok := de.endpointState[ep]
-	if !ok {
-		// Shouldn't happen. But don't ping an endpoint that's
-		// not active for us.
-		de.c.logf("magicsock: disco: [unexpected] attempt to ping no longer live endpoint %v", ep)
-		return
+	if purpose != pingCLI {
+		st, ok := de.endpointState[ep]
+		if !ok {
+			// Shouldn't happen. But don't ping an endpoint that's
+			// not active for us.
+			de.c.logf("magicsock: disco: [unexpected] attempt to ping no longer live endpoint %v", ep)
+			return
+		}
+		st.lastPing = now
 	}
-	st.lastPing = now

 	txid := stun.NewTxID()
 	de.sentPing[txid] = sentPing{
@@ -3295,7 +3509,10 @@ func (de *discoEndpoint) sendPingsLocked(now time.Time, sendCallMeMaybe bool) {
 	de.lastFullPing = now
 	var sentAny bool
 	for ep, st := range de.endpointState {
-		ep := ep
+		if st.shouldDeleteLocked() {
+			de.deleteEndpointLocked(ep)
+			continue
+		}
 		if !st.lastPing.IsZero() && now.Sub(st.lastPing) < discoPingInterval {
 			continue
 		}
@@ -3340,7 +3557,7 @@ func (de *discoEndpoint) updateFromNode(n *tailcfg.Node) {
 	}

 	for _, st := range de.endpointState {
-		st.index = -1 // assume deleted until updated in next loop
+		st.index = indexSentinelDeleted // assume deleted until updated in next loop
 	}
 	for i, epStr := range n.Endpoints {
 		if i > math.MaxInt16 {
@@ -3358,14 +3575,49 @@ func (de *discoEndpoint) updateFromNode(n *tailcfg.Node) {
 			de.endpointState[ipp] = &endpointState{index: int16(i)}
 		}
 	}
-	// Now delete anything that wasn't updated.
-	for ipp, st := range de.endpointState {
-		if st.index == -1 {
-			delete(de.endpointState, ipp)
-			if de.bestAddr == ipp {
-				de.bestAddr = netaddr.IPPort{}
+
+	// Now delete anything unless it's still in the network map or
+	// was a recently discovered endpoint.
+	for ep, st := range de.endpointState {
+		if st.shouldDeleteLocked() {
+			de.deleteEndpointLocked(ep)
+		}
+	}
+}
+
+// addCandidateEndpoint adds ep as an endpoint to which we should send
+// future pings.
+//
+// This is called once we've already verified that we got a valid
+// discovery message from de via ep.
+func (de *discoEndpoint) addCandidateEndpoint(ep netaddr.IPPort) {
+	de.mu.Lock()
+	defer de.mu.Unlock()
+
+	if st, ok := de.endpointState[ep]; ok {
+		if st.lastGotPing.IsZero() {
+			// Already-known endpoint from the network map.
+			return
+		}
+		st.lastGotPing = time.Now()
+		return
+	}
+
+	// Newly discovered endpoint. Exciting!
+	de.c.logf("magicsock: disco: adding %v as candidate endpoint for %v (%s)", ep, de.discoShort, de.publicKey.ShortString())
+	de.endpointState[ep] = &endpointState{
+		lastGotPing: time.Now(),
+	}
+
+	// If for some reason this gets very large, do some cleanup.
+	if size := len(de.endpointState); size > 100 {
+		for ep, st := range de.endpointState {
+			if st.shouldDeleteLocked() {
+				de.deleteEndpointLocked(ep)
 			}
 		}
+		size2 := len(de.endpointState)
+		de.c.logf("magicsock: disco: addCandidateEndpoint pruned %v candidate set from %v to %v entries", size, size2)
 	}
 }

@@ -3385,14 +3637,7 @@ func (de *discoEndpoint) handlePongConnLocked(m *disco.Pong, src netaddr.IPPort)
 	de.mu.Lock()
 	defer de.mu.Unlock()

-	if src.IP == derpMagicIPAddr {
-		// We might support pinging a node via DERP in the
-		// future to see if it's still there, but we don't
-		// yet. We shouldn't ever get here, but bail out early
-		// in case we do in the future. (In which case, hi!,
-		// you'll be modifying this code.)
-		return
-	}
+	isDerp := src.IP == derpMagicIPAddr

 	sp, ok := de.sentPing[m.TxID]
 	if !ok {
@@ -3401,23 +3646,25 @@ func (de *discoEndpoint) handlePongConnLocked(m *disco.Pong, src netaddr.IPPort)
 	}
 	de.removeSentPingLocked(m.TxID, sp)

-	st, ok := de.endpointState[sp.to]
-	if !ok {
-		// This is no longer an endpoint we care about.
-		return
-	}
-
-	de.c.setAddrToDiscoLocked(src, de.discoKey, de)
-
 	now := time.Now()
 	latency := now.Sub(sp.at)

-	st.addPongReplyLocked(pongReply{
-		latency: latency,
-		pongAt:  now,
-		from:    src,
-		pongSrc: m.Src,
-	})
+	if !isDerp {
+		st, ok := de.endpointState[sp.to]
+		if !ok {
+			// This is no longer an endpoint we care about.
+			return
+		}
+
+		de.c.setAddrToDiscoLocked(src, de.discoKey, de)
+
+		st.addPongReplyLocked(pongReply{
+			latency: latency,
+			pongAt:  now,
+			from:    src,
+			pongSrc: m.Src,
+		})
+	}

 	if sp.purpose != pingHeartbeat {
 		de.c.logf("magicsock: disco: %v<-%v (%v, %v)  got pong tx=%x latency=%v pong.src=%v%v", de.c.discoShort, de.discoShort, de.publicKey.ShortString(), src, m.TxID[:6], latency.Round(time.Millisecond), m.Src, logger.ArgWriter(func(bw *bufio.Writer) {
@@ -3427,18 +3674,26 @@ func (de *discoEndpoint) handlePongConnLocked(m *disco.Pong, src netaddr.IPPort)
 		}))
 	}

+	for _, pp := range de.pendingCLIPings {
+		de.c.populateCLIPingResponseLocked(pp.res, latency, sp.to)
+		go pp.cb(pp.res)
+	}
+	de.pendingCLIPings = nil
+
 	// Promote this pong response to our current best address if it's lower latency.
 	// TODO(bradfitz): decide how latency vs. preference order affects decision
-	if de.bestAddr.IsZero() || latency < de.bestAddrLatency {
-		if de.bestAddr != sp.to {
-			de.c.logf("magicsock: disco: node %v %v now using %v", de.publicKey.ShortString(), de.discoShort, sp.to)
-			de.bestAddr = sp.to
+	if !isDerp {
+		if de.bestAddr.IsZero() || latency < de.bestAddrLatency {
+			if de.bestAddr != sp.to {
+				de.c.logf("magicsock: disco: node %v %v now using %v", de.publicKey.ShortString(), de.discoShort, sp.to)
+				de.bestAddr = sp.to
+			}
+		}
+		if de.bestAddr == sp.to {
+			de.bestAddrLatency = latency
+			de.bestAddrAt = now
+			de.trustBestAddrUntil = now.Add(trustUDPAddrDuration)
 		}
-	}
-	if de.bestAddr == sp.to {
-		de.bestAddrLatency = latency
-		de.bestAddrAt = now
-		de.trustBestAddrUntil = now.Add(trustUDPAddrDuration)
 	}
 }

@@ -3517,6 +3772,7 @@ func (de *discoEndpoint) stopAndReset() {
 		de.heartBeatTimer.Stop()
 		de.heartBeatTimer = nil
 	}
+	de.pendingCLIPings = nil
 }

 // ippCache is a cache of *net.UDPAddr => netaddr.IPPort mappings.
@@ -3561,3 +3817,33 @@ type ippCacheKey struct {

 // derpStr replaces DERP IPs in s with "derp-".
 func derpStr(s string) string { return strings.ReplaceAll(s, "127.3.3.40:", "derp-") }
+
+// XXXX temporary hack for demo
+func (c *Conn) WhoIs(ip netaddr.IP) string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.netMap == nil || !ip.Is4() {
+		return ""
+	}
+	nodeHasIP := func(n *tailcfg.Node) bool {
+		for _, a := range n.Addresses {
+			if a.Mask == 32 && a.IP.Addr == ip.As16() {
+				return true
+			}
+		}
+		return false
+	}
+	for _, p := range c.netMap.Peers {
+		if nodeHasIP(p) {
+			userProfile, ok := c.netMap.UserProfiles[p.User]
+			if ok {
+				if name := userProfile.DisplayName; name != "" {
+					return name + " from " + p.Hostinfo.Hostname
+				}
+				return userProfile.LoginName + " from " + p.Hostinfo.Hostname
+			}
+			return fmt.Sprintf("%s from %s", ip, p.Hostinfo.Hostname)
+		}
+	}
+	return fmt.Sprintf("mysterious person %v", ip)
+}
--- a/wgengine/monitor/monitor.go
+++ b/wgengine/monitor/monitor.go
@@ -110,7 +110,7 @@ func (m *Mon) pump() {
 			default:
 			}
 			// Keep retrying while we're not closed.
-			m.logf("error receiving from connection: %v", err)
+			m.logf("error from link monitor: %v", err)
 			time.Sleep(time.Second)
 			continue
 		}
--- a/wgengine/monitor/monitor_freebsd.go
+++ b/wgengine/monitor/monitor_freebsd.go
@@ -30,9 +30,6 @@ func newOSMon(logf logger.Logf) (osMon, error) {
 	if err != nil {
 		return nil, fmt.Errorf("devd dial error: %v", err)
 	}
-	if err != nil {
-		return nil, fmt.Errorf("dialing devd socket: %v", err)
-	}
 	return &devdConn{conn}, nil
 }

--- a/wgengine/monitor/monitor_linux.go
+++ b/wgengine/monitor/monitor_linux.go
@@ -87,28 +87,39 @@ func (c *nlConn) Receive() (message, error) {
 			Addr:   netaddrIP(rmsg.Attributes.Local),
 			Delete: msg.Header.Type == unix.RTM_DELADDR,
 		}, nil
-	case unix.RTM_NEWROUTE:
+	case unix.RTM_NEWROUTE, unix.RTM_DELROUTE:
+		typeStr := "RTM_NEWROUTE"
+		if msg.Header.Type == unix.RTM_DELROUTE {
+			typeStr = "RTM_DELROUTE"
+		}
 		var rmsg rtnetlink.RouteMessage
 		if err := rmsg.UnmarshalBinary(msg.Data); err != nil {
-			c.logf("RTM_NEWROUTE: failed to parse: %v", err)
+			c.logf("%s: failed to parse: %v", typeStr, err)
+			return unspecifiedMessage{}, nil
+		}
+		src := netaddrIPPrefix(rmsg.Attributes.Src, rmsg.SrcLength)
+		dst := netaddrIPPrefix(rmsg.Attributes.Dst, rmsg.DstLength)
+		gw := netaddrIP(rmsg.Attributes.Gateway)
+
+		if msg.Header.Type == unix.RTM_NEWROUTE && rmsg.Table == tsTable && rmsg.DstLength == 32 {
+			// Don't log. Spammy and normal to see a bunch of these on start-up,
+			// which we make ourselves.
+		} else {
+			c.logf("%s: src=%v, dst=%v, gw=%v, outif=%v, table=%v", typeStr,
+				condNetAddrPrefix(src), condNetAddrPrefix(dst), condNetAddrIP(gw),
+				rmsg.Attributes.OutIface, rmsg.Attributes.Table)
+		}
+		if msg.Header.Type == unix.RTM_DELROUTE {
+			// Just logging it for now.
+			// (Debugging https://github.com/tailscale/tailscale/issues/643)
 			return unspecifiedMessage{}, nil
 		}
 		return &newRouteMessage{
 			Table:   rmsg.Table,
-			Src:     netaddrIP(rmsg.Attributes.Src),
-			Dst:     netaddrIP(rmsg.Attributes.Dst),
-			Gateway: netaddrIP(rmsg.Attributes.Gateway),
+			Src:     src,
+			Dst:     dst,
+			Gateway: gw,
 		}, nil
-	case unix.RTM_DELROUTE:
-		var rmsg rtnetlink.RouteMessage
-		if err := rmsg.UnmarshalBinary(msg.Data); err != nil {
-			c.logf("RTM_DELROUTE: failed to parse: %v", err)
-			return unspecifiedMessage{}, nil
-		}
-		// Just log it for now, but don't bubble it up.
-		// (Debugging https://github.com/tailscale/tailscale/issues/643)
-		c.logf("RTM_DELROUTE: %+v", rmsg)
-		return unspecifiedMessage{}, nil
 	default:
 		c.logf("unhandled netlink msg type %+v, %q", msg.Header, msg.Data)
 		return unspecifiedMessage{}, nil
@@ -120,14 +131,36 @@ func netaddrIP(std net.IP) netaddr.IP {
 	return ip
 }

-// newRouteMessage is a message for a new route being added.
-type newRouteMessage struct {
-	Src, Dst, Gateway netaddr.IP
-	Table             uint8
+func netaddrIPPrefix(std net.IP, bits uint8) netaddr.IPPrefix {
+	ip, _ := netaddr.FromStdIP(std)
+	return netaddr.IPPrefix{IP: ip, Bits: bits}
 }

+func condNetAddrPrefix(ipp netaddr.IPPrefix) string {
+	if ipp.IP.IsZero() {
+		return ""
+	}
+	return ipp.String()
+}
+
+func condNetAddrIP(ip netaddr.IP) string {
+	if ip.IsZero() {
+		return ""
+	}
+	return ip.String()
+}
+
+// newRouteMessage is a message for a new route being added.
+type newRouteMessage struct {
+	Src, Dst netaddr.IPPrefix
+	Gateway  netaddr.IP
+	Table    uint8
+}
+
+const tsTable = 52
+
 func (m *newRouteMessage) ignore() bool {
-	return m.Table == 88 || tsaddr.IsTailscaleIP(m.Dst)
+	return m.Table == tsTable || tsaddr.IsTailscaleIP(m.Dst.IP)
 }

 // newAddrMessage is a message for a new address being added.
--- a/wgengine/monitor/monitor_unsupported.go
+++ b/wgengine/monitor/monitor_unsupported.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// +build !linux,!freebsd android
+// +build !linux,!freebsd,!windows android

 package monitor

--- a/wgengine/monitor/monitor_windows.go
+++ b/wgengine/monitor/monitor_windows.go
@@ -0,0 +1,212 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package monitor
+
+import (
+	"context"
+	"errors"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+	"tailscale.com/net/interfaces"
+	"tailscale.com/types/logger"
+)
+
+const (
+	pollIntervalSlow = 15 * time.Second
+	pollIntervalFast = 3 * time.Second
+	pollFastFor      = 30 * time.Second
+)
+
+var (
+	iphlpapi              = syscall.NewLazyDLL("iphlpapi.dll")
+	notifyAddrChangeProc  = iphlpapi.NewProc("NotifyAddrChange")
+	notifyRouteChangeProc = iphlpapi.NewProc("NotifyRouteChange")
+)
+
+type unspecifiedMessage struct{}
+
+func (unspecifiedMessage) ignore() bool { return false }
+
+type pollStateChangedMessage struct{}
+
+func (pollStateChangedMessage) ignore() bool { return false }
+
+type messageOrError struct {
+	message
+	error
+}
+
+type winMon struct {
+	ctx        context.Context
+	cancel     context.CancelFunc
+	messagec   chan messageOrError
+	logf       logger.Logf
+	pollTicker *time.Ticker
+	lastState  *interfaces.State
+
+	mu            sync.Mutex
+	event         windows.Handle
+	lastNetChange time.Time
+	inFastPoll    bool // recent net change event made us go into fast polling mode (to detect proxy changes)
+}
+
+func newOSMon(logf logger.Logf) (osMon, error) {
+	ctx, cancel := context.WithCancel(context.Background())
+	m := &winMon{
+		logf:       logf,
+		ctx:        ctx,
+		cancel:     cancel,
+		messagec:   make(chan messageOrError, 1),
+		pollTicker: time.NewTicker(pollIntervalSlow),
+	}
+	go m.awaitIPAndRouteChanges()
+	return m, nil
+}
+
+func (m *winMon) Close() error {
+	m.cancel()
+	m.pollTicker.Stop()
+
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	if h := m.event; h != 0 {
+		// Wake up any reader blocked in Receive.
+		windows.SetEvent(h)
+	}
+
+	return nil
+}
+
+var errClosed = errors.New("closed")
+
+func (m *winMon) Receive() (message, error) {
+	for {
+		select {
+		case <-m.ctx.Done():
+			return nil, errClosed
+		case me := <-m.messagec:
+			return me.message, me.error
+		case <-m.pollTicker.C:
+			if m.stateChanged() {
+				m.logf("interface state changed (on poll)")
+				return pollStateChangedMessage{}, nil
+			}
+			m.mu.Lock()
+			if m.inFastPoll && time.Since(m.lastNetChange) > pollFastFor {
+				m.inFastPoll = false
+				m.pollTicker.Reset(pollIntervalSlow)
+			}
+			m.mu.Unlock()
+		}
+	}
+}
+
+func (m *winMon) stateChanged() bool {
+	st, err := interfaces.GetState()
+	if err != nil {
+		return false
+	}
+	changed := !st.Equal(m.lastState)
+	m.lastState = st
+	return changed
+}
+
+func (m *winMon) awaitIPAndRouteChanges() {
+	for {
+		msg, err := m.getIPOrRouteChangeMessage()
+		if err == errClosed {
+			return
+		}
+		select {
+		case m.messagec <- messageOrError{msg, err}:
+		case <-m.ctx.Done():
+			return
+		}
+	}
+}
+
+func (m *winMon) getIPOrRouteChangeMessage() (message, error) {
+	if m.ctx.Err() != nil {
+		return nil, errClosed
+	}
+
+	var o windows.Overlapped
+	h, err := windows.CreateEvent(nil, 1 /* true*/, 0 /* unsignaled */, nil /* no name */)
+	if err != nil {
+		m.logf("CreateEvent: %v", err)
+		return nil, err
+	}
+	defer windows.CloseHandle(h)
+
+	m.mu.Lock()
+	m.event = h
+	m.mu.Unlock()
+
+	o.HEvent = h
+
+	err = notifyAddrChange(&h, &o)
+	if err != nil {
+		m.logf("notifyAddrChange: %v", err)
+		return nil, err
+	}
+	err = notifyRouteChange(&h, &o)
+	if err != nil {
+		m.logf("notifyRouteChange: %v", err)
+		return nil, err
+	}
+
+	t0 := time.Now()
+	_, err = windows.WaitForSingleObject(o.HEvent, windows.INFINITE)
+	if m.ctx.Err() != nil {
+		return nil, errClosed
+	}
+	if err != nil {
+		m.logf("waitForSingleObject: %v", err)
+		return nil, err
+	}
+	d := time.Since(t0)
+	m.logf("got windows change event after %v", d)
+
+	m.mu.Lock()
+	{
+		m.lastNetChange = time.Now()
+		m.event = 0
+
+		// Something changed, so assume Windows is about to
+		// discover its new proxy settings from WPAD, which
+		// seems to take a bit. Poll heavily for awhile.
+		m.logf("starting quick poll, waiting for WPAD change")
+		m.inFastPoll = true
+		m.pollTicker.Reset(pollIntervalFast)
+	}
+	m.mu.Unlock()
+
+	return unspecifiedMessage{}, nil
+}
+
+func notifyAddrChange(h *windows.Handle, o *windows.Overlapped) error {
+	return callNotifyProc(notifyAddrChangeProc, h, o)
+}
+
+func notifyRouteChange(h *windows.Handle, o *windows.Overlapped) error {
+	return callNotifyProc(notifyAddrChangeProc, h, o)
+}
+
+func callNotifyProc(p *syscall.LazyProc, h *windows.Handle, o *windows.Overlapped) error {
+	r1, _, e1 := p.Call(uintptr(unsafe.Pointer(h)), uintptr(unsafe.Pointer(o)))
+	expect := uintptr(0)
+	if h != nil || o != nil {
+		const ERROR_IO_PENDING = 997
+		expect = ERROR_IO_PENDING
+	}
+	if r1 == expect {
+		return nil
+	}
+	return e1
+}
--- a/wgengine/netstack/netstack.go
+++ b/wgengine/netstack/netstack.go
@@ -0,0 +1,137 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package netstack wires up gVisor's netstack into Tailscale.
+package netstack
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net"
+	"strings"
+
+	"gvisor.dev/gvisor/pkg/tcpip"
+	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
+	"gvisor.dev/gvisor/pkg/tcpip/buffer"
+	"gvisor.dev/gvisor/pkg/tcpip/header"
+	"gvisor.dev/gvisor/pkg/tcpip/link/channel"
+	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
+	"gvisor.dev/gvisor/pkg/tcpip/stack"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/icmp"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
+	"gvisor.dev/gvisor/pkg/tcpip/transport/udp"
+	"gvisor.dev/gvisor/pkg/waiter"
+	"inet.af/netaddr"
+	"tailscale.com/types/logger"
+	"tailscale.com/wgengine"
+	"tailscale.com/wgengine/filter"
+	"tailscale.com/wgengine/magicsock"
+	"tailscale.com/wgengine/packet"
+	"tailscale.com/wgengine/tstun"
+)
+
+func Impl(logf logger.Logf, tundev *tstun.TUN, e wgengine.Engine, mc *magicsock.Conn) error {
+	ipstack := stack.New(stack.Options{
+		NetworkProtocols:   []stack.NetworkProtocol{ipv4.NewProtocol()},
+		TransportProtocols: []stack.TransportProtocol{tcp.NewProtocol(), udp.NewProtocol(), icmp.NewProtocol4()},
+	})
+
+	const mtu = 1500
+	linkEP := channel.New(512, mtu, "")
+
+	const nicID = 1
+	if err := ipstack.CreateNIC(nicID, linkEP); err != nil {
+		log.Fatal(err)
+	}
+
+	ipstack.AddAddress(nicID, ipv4.ProtocolNumber, tcpip.Address(net.ParseIP("100.96.188.101").To4()))
+
+	// Add 0.0.0.0/0 default route.
+	subnet, _ := tcpip.NewSubnet(tcpip.Address(strings.Repeat("\x00", 4)), tcpip.AddressMask(strings.Repeat("\x00", 4)))
+	ipstack.SetRouteTable([]tcpip.Route{
+		{
+			Destination: subnet,
+			NIC:         nicID,
+		},
+	})
+
+	// use Forwarder to accept any connection from stack
+	fwd := tcp.NewForwarder(ipstack, 0, 16, func(r *tcp.ForwarderRequest) {
+		logf("XXX ForwarderRequest: %v", r)
+		var wq waiter.Queue
+		ep, err := r.CreateEndpoint(&wq)
+		if err != nil {
+			r.Complete(true)
+			return
+		}
+		r.Complete(false)
+		c := gonet.NewTCPConn(&wq, ep)
+		// TCP echo
+		go echo(c, e, mc)
+
+	})
+	ipstack.SetTransportProtocolHandler(tcp.ProtocolNumber, fwd.HandlePacket)
+
+	go func() {
+		for {
+			packetInfo, ok := linkEP.ReadContext(context.Background())
+			if !ok {
+				logf("XXX ReadContext-for-write = ok=false")
+				continue
+			}
+			pkt := packetInfo.Pkt
+			hdrNetwork := pkt.NetworkHeader()
+			hdrTransport := pkt.TransportHeader()
+
+			full := make([]byte, 0, pkt.Size())
+			full = append(full, hdrNetwork.View()...)
+			full = append(full, hdrTransport.View()...)
+			full = append(full, pkt.Data.ToView()...)
+
+			logf("XXX packet Write out: % x", full)
+			if err := tundev.InjectOutbound(full); err != nil {
+				log.Printf("netstack inject outbound: %v", err)
+				return
+			}
+
+		}
+	}()
+
+	tundev.PostFilterIn = func(p *packet.ParsedPacket, t *tstun.TUN) filter.Response {
+		var pn tcpip.NetworkProtocolNumber
+		switch p.IPVersion {
+		case 4:
+			pn = header.IPv4ProtocolNumber
+		case 6:
+			pn = header.IPv6ProtocolNumber
+		}
+		logf("XXX packet in (from %v): % x", p.SrcIP, p.Buffer())
+		vv := buffer.View(append([]byte(nil), p.Buffer()...)).ToVectorisedView()
+		packetBuf := stack.NewPacketBuffer(stack.PacketBufferOptions{
+			Data: vv,
+		})
+		linkEP.InjectInbound(pn, packetBuf)
+		return filter.Accept
+	}
+	return nil
+}
+
+func echo(c *gonet.TCPConn, e wgengine.Engine, mc *magicsock.Conn) {
+	defer c.Close()
+	src, _ := netaddr.FromStdIP(c.RemoteAddr().(*net.TCPAddr).IP)
+	fmt.Fprintf(c, "Hello, %s! Thanks for connecting to me on port %v (Try other ports too!)\nEchoing...\n",
+		mc.WhoIs(src),
+		c.LocalAddr().(*net.TCPAddr).Port)
+	buf := make([]byte, 1500)
+	for {
+		n, err := c.Read(buf)
+		if err != nil {
+			log.Printf("Err: %v", err)
+			break
+		}
+		c.Write(buf[:n])
+	}
+	log.Print("Connection closed")
+}
--- a/wgengine/router/dns/config.go
+++ b/wgengine/router/dns/config.go
@@ -23,6 +23,7 @@ type Config struct {
 	// if the manager does not support per-domain settings.
 	PerDomain bool
 	// Proxied indicates whether DNS requests are proxied through a tsdns.Resolver.
+	// This enables Magic DNS.
 	Proxied bool
 }

--- a/wgengine/router/dns/manager.go
+++ b/wgengine/router/dns/manager.go
@@ -15,7 +15,7 @@ import (
 // This is particularly useful because certain conditions can cause indefinite hangs
 // (such as improper dbus auth followed by contextless dbus.Object.Call).
 // Such operations should be wrapped in a timeout context.
-const reconfigTimeout = time.Second
+const reconfigTimeout = time.Second //lint:ignore U1000 used on Linux at least, maybe others later

 type managerImpl interface {
 	// Up updates system DNS settings to match the given configuration.
--- a/wgengine/router/dns/manager_windows.go
+++ b/wgengine/router/dns/manager_windows.go
@@ -5,6 +5,7 @@
 package dns

 import (
+	"errors"
 	"fmt"
 	"strings"

@@ -13,6 +14,12 @@ import (
 	"tailscale.com/types/logger"
 )

+const (
+	ipv4RegBase = `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`
+	ipv6RegBase = `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters`
+	tsRegBase   = `SOFTWARE\Tailscale IPN`
+)
+
 type windowsManager struct {
 	logf logger.Logf
 	guid string
@@ -25,29 +32,88 @@ func newManager(mconfig ManagerConfig) managerImpl {
 	}
 }

-func setRegistry(path, nameservers, domains string) error {
+func setRegistryString(path, name, value string) error {
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.SET_VALUE)
+	if err != nil {
+		return fmt.Errorf("opening %s: %w", path, err)
+	}
+	defer key.Close()
+
+	err = key.SetStringValue(name, value)
+	if err != nil {
+		return fmt.Errorf("setting %s[%s]: %w", path, name, err)
+	}
+	return nil
+}
+
+func getRegistryString(path, name string) (string, error) {
+	key, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.READ)
+	if err != nil {
+		return "", fmt.Errorf("opening %s: %w", path, err)
+	}
+	defer key.Close()
+
+	value, _, err := key.GetStringValue(name)
+	if err != nil {
+		return "", fmt.Errorf("getting %s[%s]: %w", path, name, err)
+	}
+	return value, nil
+}
+
+func (m windowsManager) setNameservers(basePath string, nameservers []string) error {
+	path := fmt.Sprintf(`%s\Interfaces\%s`, basePath, m.guid)
+	value := strings.Join(nameservers, ",")
+	return setRegistryString(path, "NameServer", value)
+}
+
+func (m windowsManager) setDomains(path string, oldDomains, newDomains []string) error {
+	// We reimplement setRegistryString to ensure that we hold the key for the whole operation.
 	key, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.READ|registry.SET_VALUE)
 	if err != nil {
 		return fmt.Errorf("opening %s: %w", path, err)
 	}
 	defer key.Close()

-	err = key.SetStringValue("NameServer", nameservers)
-	if err != nil {
-		return fmt.Errorf("setting %s/NameServer: %w", path, err)
+	searchList, _, err := key.GetStringValue("SearchList")
+	if err != nil && err != registry.ErrNotExist {
+		return fmt.Errorf("getting %s[SearchList]: %w", path, err)
 	}
+	currentDomains := strings.Split(searchList, ",")

-	err = key.SetStringValue("Domain", domains)
-	if err != nil {
-		return fmt.Errorf("setting %s/Domain: %w", path, err)
+	var domainsToSet []string
+	for _, domain := range currentDomains {
+		inOld, inNew := false, false
+
+		// The number of domains should be small,
+		// so this is probaly faster than constructing a map.
+		for _, oldDomain := range oldDomains {
+			if domain == oldDomain {
+				inOld = true
+			}
+		}
+		for _, newDomain := range newDomains {
+			if domain == newDomain {
+				inNew = true
+			}
+		}
+
+		if !inNew && !inOld {
+			domainsToSet = append(domainsToSet, domain)
+		}
 	}
+	domainsToSet = append(domainsToSet, newDomains...)

+	searchList = strings.Join(domainsToSet, ",")
+	if err := key.SetStringValue("SearchList", searchList); err != nil {
+		return fmt.Errorf("setting %s[SearchList]: %w", path, err)
+	}
 	return nil
 }

 func (m windowsManager) Up(config Config) error {
 	var ipsv4 []string
 	var ipsv6 []string
+
 	for _, ip := range config.Nameservers {
 		if ip.Is4() {
 			ipsv4 = append(ipsv4, ip.String())
@@ -55,23 +121,29 @@ func (m windowsManager) Up(config Config) error {
 			ipsv6 = append(ipsv6, ip.String())
 		}
 	}
-	nsv4 := strings.Join(ipsv4, ",")
-	nsv6 := strings.Join(ipsv6, ",")

-	var domains string
-	if len(config.Domains) > 0 {
-		if len(config.Domains) > 1 {
-			m.logf("only a single search domain is supported")
-		}
-		domains = config.Domains[0]
-	}
-
-	v4Path := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + m.guid
-	if err := setRegistry(v4Path, nsv4, domains); err != nil {
+	lastSearchList, err := getRegistryString(tsRegBase, "SearchList")
+	if err != nil && !errors.Is(err, registry.ErrNotExist) {
 		return err
 	}
-	v6Path := `SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\` + m.guid
-	if err := setRegistry(v6Path, nsv6, domains); err != nil {
+	lastDomains := strings.Split(lastSearchList, ",")
+
+	if err := m.setNameservers(ipv4RegBase, ipsv4); err != nil {
+		return err
+	}
+	if err := m.setDomains(ipv4RegBase, lastDomains, config.Domains); err != nil {
+		return err
+	}
+
+	if err := m.setNameservers(ipv6RegBase, ipsv6); err != nil {
+		return err
+	}
+	if err := m.setDomains(ipv6RegBase, lastDomains, config.Domains); err != nil {
+		return err
+	}
+
+	newSearchList := strings.Join(config.Domains, ",")
+	if err := setRegistryString(tsRegBase, "SearchList", newSearchList); err != nil {
 		return err
 	}

--- a/wgengine/router/dns/nm.go
+++ b/wgengine/router/dns/nm.go
@@ -14,11 +14,25 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"unsafe"

 	"github.com/godbus/dbus/v5"
 )

-type nmConnectionSettings map[string]map[string]dbus.Variant
+var nativeEndian binary.ByteOrder
+
+func init() {
+	// TODO(dmytro): use DBus endianness flag when available.
+	// A more elegant way to do this is by looking at the first byte of a raw DBus message.
+	// However, that requires a change in godbus, which has slow maintainer response.
+	i := uint32(1)
+	p := unsafe.Pointer(&i)
+	if *(*byte)(p) == 1 {
+		nativeEndian = binary.LittleEndian
+	} else {
+		nativeEndian = binary.BigEndian
+	}
+}

 // isNMActive determines if NetworkManager is currently managing system DNS settings.
 func isNMActive() bool {
@@ -61,6 +75,8 @@ func newNMManager(mconfig ManagerConfig) managerImpl {
 	}
 }

+type nmConnectionSettings map[string]map[string]dbus.Variant
+
 // Up implements managerImpl.
 func (m nmManager) Up(config Config) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reconfigTimeout)
@@ -129,7 +145,7 @@ func (m nmManager) Up(config Config) error {
 	for _, ip := range config.Nameservers {
 		b := ip.As16()
 		if ip.Is4() {
-			dnsv4 = append(dnsv4, binary.LittleEndian.Uint32(b[12:]))
+			dnsv4 = append(dnsv4, nativeEndian.Uint32(b[12:]))
 		} else {
 			dnsv6 = append(dnsv6, b[:])
 		}
--- a/wgengine/router/ifconfig_windows.go
+++ b/wgengine/router/ifconfig_windows.go
@@ -70,7 +70,7 @@ func bindSocketRoute(family winipcfg.AddressFamily, device *device.Device, ourLu
 			return bind.BindSocketToInterface6(index, false)
 		}
 	} else {
-		log.Printf("WARNING: skipping windows socket binding.\n")
+		log.Printf("WARNING: skipping windows socket binding.")
 	}
 	return nil
 }
@@ -194,10 +194,10 @@ func setFirewall(ifcGUID *windows.GUID) (bool, error) {
 			return false, fmt.Errorf("nco.GetAdapterId: %v", err)
 		}
 		if aid != ifcGUID.String() {
-			log.Printf("skipping adapter id: %v\n", aid)
+			log.Printf("skipping adapter id: %v", aid)
 			continue
 		}
-		log.Printf("found! adapter id: %v\n", aid)
+		log.Printf("found! adapter id: %v", aid)

 		n, err := nco.GetNetwork()
 		if err != nil {
@@ -216,7 +216,7 @@ func setFirewall(ifcGUID *windows.GUID) (bool, error) {
 				return false, fmt.Errorf("SetCategory: %v", err)
 			}
 		} else {
-			log.Printf("setFirewall: already category %v\n", cat)
+			log.Printf("setFirewall: already category %v", cat)
 		}

 		return true, nil
@@ -228,7 +228,7 @@ func setFirewall(ifcGUID *windows.GUID) (bool, error) {
 func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 	const mtu = 0
 	guid := tun.GUID()
-	log.Printf("wintun GUID is %v\n", guid)
+	log.Printf("wintun GUID is %v", guid)
 	iface, err := winipcfg.InterfaceFromGUID(&guid)
 	if err != nil {
 		return err
@@ -241,7 +241,7 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		for i := 0; i < 20; i++ {
 			found, err := setFirewall(&guid)
 			if err != nil {
-				log.Printf("setFirewall: %v\n", err)
+				log.Printf("setFirewall: %v", err)
 				// fall through anyway, this isn't fatal.
 			}
 			if found {
@@ -315,15 +315,7 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		return err
 	}

-	sort.Slice(routes, func(i, j int) bool {
-		return (bytes.Compare(routes[i].Destination.IP, routes[j].Destination.IP) == -1 ||
-			// Narrower masks first
-			bytes.Compare(routes[i].Destination.Mask, routes[j].Destination.Mask) == 1 ||
-			// No nexthop before non-empty nexthop
-			bytes.Compare(routes[i].NextHop, routes[j].NextHop) == -1 ||
-			// Lower metrics first
-			routes[i].Metric < routes[j].Metric)
-	})
+	sort.Slice(routes, func(i, j int) bool { return routeLess(&routes[i], &routes[j]) })

 	deduplicatedRoutes := []*winipcfg.RouteData{}
 	for i := 0; i < len(routes); i++ {
@@ -336,21 +328,21 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {
 		}
 		deduplicatedRoutes = append(deduplicatedRoutes, &routes[i])
 	}
-	log.Printf("routes: %v\n", routes)
+	log.Printf("routes: %v", routes)

 	var errAcc error
 	err = iface.SyncRoutes(deduplicatedRoutes)
 	if err != nil && errAcc == nil {
-		log.Printf("setroutes: %v\n", err)
+		log.Printf("setroutes: %v", err)
 		errAcc = err
 	}

 	ipif, err := iface.GetIpInterface(winipcfg.AF_INET)
 	if err != nil {
-		log.Printf("getipif: %v\n", err)
+		log.Printf("getipif: %v", err)
 		return err
 	}
-	log.Printf("foundDefault4: %v\n", foundDefault4)
+	log.Printf("foundDefault4: %v", foundDefault4)
 	if foundDefault4 {
 		ipif.UseAutomaticMetric = false
 		ipif.Metric = 0
@@ -387,3 +379,25 @@ func configureInterface(cfg *Config, tun *tun.NativeTun) error {

 	return errAcc
 }
+
+// routeLess reports whether ri should sort before rj.
+// The actual sort order doesn't appear to matter. The caller just
+// wants them sorted to be able to de-dup.
+func routeLess(ri, rj *winipcfg.RouteData) bool {
+	if v := bytes.Compare(ri.Destination.IP, rj.Destination.IP); v != 0 {
+		return v == -1
+	}
+	if v := bytes.Compare(ri.Destination.Mask, rj.Destination.Mask); v != 0 {
+		// Narrower masks first
+		return v == 1
+	}
+	if ri.Metric != rj.Metric {
+		// Lower metrics first
+		return ri.Metric < rj.Metric
+	}
+	if v := bytes.Compare(ri.NextHop, rj.NextHop); v != 0 {
+		// No nexthop before non-empty nexthop.
+		return v == -1
+	}
+	return false
+}
--- a/wgengine/router/ifconfig_windows_test.go
+++ b/wgengine/router/ifconfig_windows_test.go
@@ -0,0 +1,97 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package router
+
+import (
+	"math/rand"
+	"net"
+	"testing"
+
+	winipcfg "github.com/tailscale/winipcfg-go"
+	"inet.af/netaddr"
+)
+
+func randIP() net.IP {
+	b := byte(rand.Intn(3))
+	return net.IP{b, b, b, b}
+}
+
+func randRouteData() *winipcfg.RouteData {
+	return &winipcfg.RouteData{
+		Destination: net.IPNet{
+			IP:   randIP(),
+			Mask: net.CIDRMask(rand.Intn(3)+1, 32),
+		},
+		NextHop: randIP(),
+		Metric:  uint32(rand.Intn(3)),
+	}
+}
+
+func TestRouteLess(t *testing.T) {
+	type D = winipcfg.RouteData
+	ipnet := func(s string) net.IPNet {
+		ipp, err := netaddr.ParseIPPrefix(s)
+		if err != nil {
+			t.Fatalf("error parsing test data %q: %v", s, err)
+		}
+		return *ipp.IPNet()
+	}
+
+	tests := []struct {
+		ri, rj *winipcfg.RouteData
+		want   bool
+	}{
+		{
+			ri:   &D{Metric: 1},
+			rj:   &D{Metric: 2},
+			want: true,
+		},
+		{
+			ri:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 2},
+			rj:   &D{Destination: ipnet("2.2.0.0/16"), Metric: 1},
+			want: true,
+		},
+		{
+			ri:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1},
+			rj:   &D{Destination: ipnet("2.2.0.0/16"), Metric: 1},
+			want: true,
+		},
+		{
+			ri:   &D{Destination: ipnet("1.1.0.0/32"), Metric: 2},
+			rj:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1},
+			want: true,
+		},
+		{
+			ri:   &D{Destination: ipnet("1.1.0.0/32"), Metric: 1},
+			rj:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1},
+			want: true,
+		},
+		{
+			ri:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: net.ParseIP("3.3.3.3")},
+			rj:   &D{Destination: ipnet("1.1.0.0/16"), Metric: 1, NextHop: net.ParseIP("4.4.4.4")},
+			want: true,
+		},
+	}
+	for i, tt := range tests {
+		got := routeLess(tt.ri, tt.rj)
+		if got != tt.want {
+			t.Errorf("%v. less = %v; want %v", i, got, tt.want)
+		}
+		back := routeLess(tt.rj, tt.ri)
+		if back && got {
+			t.Errorf("%v. less both ways", i)
+		}
+	}
+}
+
+func TestRouteLessConsistent(t *testing.T) {
+	for i := 0; i < 10000; i++ {
+		ri := randRouteData()
+		rj := randRouteData()
+		if routeLess(ri, rj) && routeLess(rj, ri) {
+			t.Fatalf("both compare less to each other:\n\t%#v\nand\n\t%#v", ri, rj)
+		}
+	}
+}
--- a/wgengine/router/router_openbsd.go
+++ b/wgengine/router/router_openbsd.go
@@ -50,7 +50,7 @@ func newUserspaceRouter(logf logger.Logf, _ *device.Device, tundev tun.Device) (

 func cmd(args ...string) *exec.Cmd {
 	if len(args) == 0 {
-		log.Fatalf("exec.Cmd(%#v) invalid; need argv[0]\n", args)
+		log.Fatalf("exec.Cmd(%#v) invalid; need argv[0]", args)
 	}
 	return exec.Command(args[0], args[1:]...)
 }
--- a/wgengine/router/router_userspace_bsd.go
+++ b/wgengine/router/router_userspace_bsd.go
@@ -16,6 +16,7 @@ import (
 	"github.com/tailscale/wireguard-go/tun"
 	"inet.af/netaddr"
 	"tailscale.com/types/logger"
+	"tailscale.com/version"
 	"tailscale.com/wgengine/router/dns"
 )

@@ -48,7 +49,7 @@ func newUserspaceBSDRouter(logf logger.Logf, _ *device.Device, tundev tun.Device

 func cmd(args ...string) *exec.Cmd {
 	if len(args) == 0 {
-		log.Fatalf("exec.Cmd(%#v) invalid; need argv[0]\n", args)
+		log.Fatalf("exec.Cmd(%#v) invalid; need argv[0]", args)
 	}
 	return exec.Command(args[0], args[1:]...)
 }
@@ -114,8 +115,12 @@ func (r *userspaceBSDRouter) Set(cfg *Config) error {
 			net := route.IPNet()
 			nip := net.IP.Mask(net.Mask)
 			nstr := fmt.Sprintf("%v/%d", nip, route.Bits)
+			del := "del"
+			if version.OS() == "macOS" {
+				del = "delete"
+			}
 			routedel := []string{"route", "-q", "-n",
-				"del", "-inet", nstr,
+				del, "-inet", nstr,
 				"-iface", r.tunname}
 			out, err := cmd(routedel...).CombinedOutput()
 			if err != nil {
--- a/wgengine/router/router_windows.go
+++ b/wgengine/router/router_windows.go
@@ -52,7 +52,7 @@ func (r *winRouter) Up() error {
 	var err error
 	r.routeChangeCallback, err = monitorDefaultRoutes(r.wgdev, true, r.nativeTun)
 	if err != nil {
-		log.Fatalf("MonitorDefaultRoutes: %v\n", err)
+		log.Fatalf("MonitorDefaultRoutes: %v", err)
 	}
 	return nil
 }
@@ -64,7 +64,7 @@ func (r *winRouter) Set(cfg *Config) error {

 	err := configureInterface(cfg, r.nativeTun)
 	if err != nil {
-		r.logf("ConfigureInterface: %v\n", err)
+		r.logf("ConfigureInterface: %v", err)
 		return err
 	}

--- a/wgengine/tsdns/forwarder.go
+++ b/wgengine/tsdns/forwarder.go
@@ -0,0 +1,287 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tsdns
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"hash/crc32"
+	"math/rand"
+	"net"
+	"os"
+	"sync"
+	"time"
+
+	"inet.af/netaddr"
+	"tailscale.com/types/logger"
+)
+
+// headerBytes is the number of bytes in a DNS message header.
+const headerBytes = 12
+
+// connCount is the number of UDP connections to use for forwarding.
+const connCount = 32
+
+const (
+	// cleanupInterval is the interval between purged of timed-out entries from txMap.
+	cleanupInterval = 30 * time.Second
+	// responseTimeout is the maximal amount of time to wait for a DNS response.
+	responseTimeout = 5 * time.Second
+)
+
+var errNoUpstreams = errors.New("upstream nameservers not set")
+
+var aLongTimeAgo = time.Unix(0, 1)
+
+type forwardingRecord struct {
+	src       netaddr.IPPort
+	createdAt time.Time
+}
+
+// txid identifies a DNS transaction.
+//
+// As the standard DNS Request ID is only 16 bits, we extend it:
+// the lower 32 bits are the zero-extended bits of the DNS Request ID;
+// the upper 32 bits are the CRC32 checksum of the first question in the request.
+// This makes probability of txid collision negligible.
+type txid uint64
+
+// getTxID computes the txid of the given DNS packet.
+func getTxID(packet []byte) txid {
+	if len(packet) < headerBytes {
+		return 0
+	}
+
+	dnsid := binary.BigEndian.Uint16(packet[0:2])
+	qcount := binary.BigEndian.Uint16(packet[4:6])
+	if qcount == 0 {
+		return txid(dnsid)
+	}
+
+	offset := headerBytes
+	for i := uint16(0); i < qcount; i++ {
+		// Note: this relies on the fact that names are not compressed in questions,
+		// so they are guaranteed to end with a NUL byte.
+		//
+		// Justification:
+		// RFC 1035 doesn't seem to explicitly prohibit compressing names in questions,
+		// but this is exceedingly unlikely to be done in practice. A DNS request
+		// with multiple questions is ill-defined (which questions do the header flags apply to?)
+		// and a single question would have to contain a pointer to an *answer*,
+		// which would be excessively smart, pointless (an answer can just as well refer to the question)
+		// and perhaps even prohibited: a draft RFC (draft-ietf-dnsind-local-compression-05) states:
+		//
+		// > It is important that these pointers always point backwards.
+		//
+		// This is said in summarizing RFC 1035, although that phrase does not appear in the original RFC.
+		// Additionally, (https://cr.yp.to/djbdns/notes.html) states:
+		//
+		// > The precise rule is that a name can be compressed if it is a response owner name,
+		// > the name in NS data, the name in CNAME data, the name in PTR data, the name in MX data,
+		// > or one of the names in SOA data.
+		namebytes := bytes.IndexByte(packet[offset:], 0)
+		// ... | name | NUL | type | class
+		//        ??     1      2      2
+		offset = offset + namebytes + 5
+		if len(packet) < offset {
+			// Corrupt packet; don't crash.
+			return txid(dnsid)
+		}
+	}
+
+	hash := crc32.ChecksumIEEE(packet[headerBytes:offset])
+	return (txid(hash) << 32) | txid(dnsid)
+}
+
+// forwarder forwards DNS packets to a number of upstream nameservers.
+type forwarder struct {
+	logf logger.Logf
+
+	// responses is a channel by which responses are returned.
+	responses chan Packet
+	// closed signals all goroutines to stop.
+	closed chan struct{}
+	// wg signals when all goroutines have stopped.
+	wg sync.WaitGroup
+
+	// conns are the UDP connections used for forwarding.
+	// A random one is selected for each request, regardless of the target upstream.
+	conns []*net.UDPConn
+
+	mu sync.Mutex
+	// upstreams are the nameserver addresses that should be used for forwarding.
+	upstreams []net.Addr
+	// txMap maps DNS txids to active forwarding records.
+	txMap map[txid]forwardingRecord
+}
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
+func newForwarder(logf logger.Logf, responses chan Packet) *forwarder {
+	return &forwarder{
+		logf:      logger.WithPrefix(logf, "forward: "),
+		responses: responses,
+		closed:    make(chan struct{}),
+		conns:     make([]*net.UDPConn, connCount),
+		txMap:     make(map[txid]forwardingRecord),
+	}
+}
+
+func (f *forwarder) Start() error {
+	var err error
+
+	for i := range f.conns {
+		f.conns[i], err = net.ListenUDP("udp", nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	f.wg.Add(connCount + 1)
+	for idx, conn := range f.conns {
+		go f.recv(uint16(idx), conn)
+	}
+	go f.cleanMap()
+
+	return nil
+}
+
+func (f *forwarder) Close() {
+	select {
+	case <-f.closed:
+		return
+	default:
+		// continue
+	}
+	close(f.closed)
+
+	for _, conn := range f.conns {
+		conn.SetDeadline(aLongTimeAgo)
+	}
+
+	f.wg.Wait()
+
+	for _, conn := range f.conns {
+		conn.Close()
+	}
+}
+
+func (f *forwarder) setUpstreams(upstreams []net.Addr) {
+	f.mu.Lock()
+	f.upstreams = upstreams
+	f.mu.Unlock()
+}
+
+func (f *forwarder) send(packet []byte, dst net.Addr) {
+	connIdx := rand.Intn(connCount)
+	conn := f.conns[connIdx]
+	_, err := conn.WriteTo(packet, dst)
+	// Do not log errors due to expired deadline.
+	if err != nil && !errors.Is(err, os.ErrDeadlineExceeded) {
+		f.logf("send: %v", err)
+	}
+}
+
+func (f *forwarder) recv(connIdx uint16, conn *net.UDPConn) {
+	defer f.wg.Done()
+
+	for {
+		out := make([]byte, maxResponseBytes)
+		n, err := conn.Read(out)
+
+		if err != nil {
+			// Do not log errors due to expired deadline.
+			if !errors.Is(err, os.ErrDeadlineExceeded) {
+				f.logf("recv: %v", err)
+			}
+			return
+		}
+
+		if n < headerBytes {
+			f.logf("recv: packet too small (%d bytes)", n)
+		}
+
+		out = out[:n]
+		txid := getTxID(out)
+
+		f.mu.Lock()
+
+		record, found := f.txMap[txid]
+		// At most one nameserver will return a response:
+		// the first one to do so will delete txid from the map.
+		if !found {
+			f.mu.Unlock()
+			continue
+		}
+		delete(f.txMap, txid)
+
+		f.mu.Unlock()
+
+		packet := Packet{
+			Payload: out,
+			Addr:    record.src,
+		}
+		select {
+		case <-f.closed:
+			return
+		case f.responses <- packet:
+			// continue
+		}
+	}
+}
+
+// cleanMap periodically deletes timed-out forwarding records from f.txMap to bound growth.
+func (f *forwarder) cleanMap() {
+	defer f.wg.Done()
+
+	t := time.NewTicker(cleanupInterval)
+	defer t.Stop()
+
+	var now time.Time
+	for {
+		select {
+		case <-f.closed:
+			return
+		case now = <-t.C:
+			// continue
+		}
+
+		f.mu.Lock()
+		for k, v := range f.txMap {
+			if now.Sub(v.createdAt) > responseTimeout {
+				delete(f.txMap, k)
+			}
+		}
+		f.mu.Unlock()
+	}
+}
+
+// forward forwards the query to all upstream nameservers and returns the first response.
+func (f *forwarder) forward(query Packet) error {
+	txid := getTxID(query.Payload)
+
+	f.mu.Lock()
+
+	upstreams := f.upstreams
+	if len(upstreams) == 0 {
+		f.mu.Unlock()
+		return errNoUpstreams
+	}
+	f.txMap[txid] = forwardingRecord{
+		src:       query.Addr,
+		createdAt: time.Now(),
+	}
+
+	f.mu.Unlock()
+
+	for _, upstream := range upstreams {
+		f.send(query.Payload, upstream)
+	}
+
+	return nil
+}
--- a/wgengine/tsdns/map.go
+++ b/wgengine/tsdns/map.go
@@ -5,7 +5,6 @@
 package tsdns

 import (
-	"fmt"
 	"sort"
 	"strings"

@@ -21,10 +20,13 @@ type Map struct {
 	ipToName map[netaddr.IP]string
 	// names are the keys of nameToIP in sorted order.
 	names []string
+	// rootDomains are the domains whose subdomains should always
+	// be resolved locally to prevent leakage of sensitive names.
+	rootDomains []string // e.g. "user.provider.beta.tailscale.net."
 }

 // NewMap returns a new Map with name to address mapping given by nameToIP.
-func NewMap(initNameToIP map[string]netaddr.IP) *Map {
+func NewMap(initNameToIP map[string]netaddr.IP, rootDomains []string) *Map {
 	// TODO(dmytro): we have to allocate names and ipToName, but nameToIP can be avoided.
 	// It is here because control sends us names not in canonical form. Change this.
 	names := make([]string, 0, len(initNameToIP))
@@ -49,12 +51,16 @@ func NewMap(initNameToIP map[string]netaddr.IP) *Map {
 		nameToIP: nameToIP,
 		ipToName: ipToName,
 		names:    names,
+
+		rootDomains: rootDomains,
 	}
 }

 func printSingleNameIP(buf *strings.Builder, name string, ip netaddr.IP) {
-	// Output width is exactly 80 columns.
-	fmt.Fprintf(buf, "%s\t%s\n", name, ip)
+	buf.WriteString(name)
+	buf.WriteByte('\t')
+	buf.WriteString(ip.String())
+	buf.WriteByte('\n')
 }

 func (m *Map) Pretty() string {
--- a/wgengine/tsdns/map_test.go
+++ b/wgengine/tsdns/map_test.go
@@ -16,12 +16,12 @@ func TestPretty(t *testing.T) {
 		dmap *Map
 		want string
 	}{
-		{"empty", NewMap(nil), ""},
+		{"empty", NewMap(nil, nil), ""},
 		{
 			"single",
 			NewMap(map[string]netaddr.IP{
 				"hello.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
-			}),
+			}, nil),
 			"hello.ipn.dev.\t100.101.102.103\n",
 		},
 		{
@@ -29,7 +29,7 @@ func TestPretty(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.domain.":     netaddr.IPv4(100, 101, 102, 103),
 				"test2.sub.domain.": netaddr.IPv4(100, 99, 9, 1),
-			}),
+			}, nil),
 			"test1.domain.\t100.101.102.103\ntest2.sub.domain.\t100.99.9.1\n",
 		},
 	}
@@ -57,7 +57,7 @@ func TestPrettyDiffFrom(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			"+test1.ipn.dev.\t100.101.102.103\n+test2.ipn.dev.\t100.103.102.101\n",
 		},
 		{
@@ -65,11 +65,11 @@ func TestPrettyDiffFrom(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			NewMap(map[string]netaddr.IP{
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
-			}),
+			}, nil),
 			"",
 		},
 		{
@@ -77,11 +77,11 @@ func TestPrettyDiffFrom(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			NewMap(map[string]netaddr.IP{
 				"test2.ipn.dev.": netaddr.IPv4(100, 104, 102, 101),
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
-			}),
+			}, nil),
 			"-test2.ipn.dev.\t100.103.102.101\n+test2.ipn.dev.\t100.104.102.101\n",
 		},
 		{
@@ -89,12 +89,12 @@ func TestPrettyDiffFrom(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			NewMap(map[string]netaddr.IP{
 				"test3.ipn.dev.": netaddr.IPv4(100, 105, 106, 107),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
-			}),
+			}, nil),
 			"+test3.ipn.dev.\t100.105.106.107\n",
 		},
 		{
@@ -102,10 +102,10 @@ func TestPrettyDiffFrom(t *testing.T) {
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			NewMap(map[string]netaddr.IP{
 				"test1.ipn.dev.": netaddr.IPv4(100, 101, 102, 103),
-			}),
+			}, nil),
 			"-test2.ipn.dev.\t100.103.102.101\n",
 		},
 		{
@@ -115,12 +115,12 @@ func TestPrettyDiffFrom(t *testing.T) {
 				"test4.ipn.dev.": netaddr.IPv4(100, 107, 106, 105),
 				"test5.ipn.dev.": netaddr.IPv4(100, 64, 1, 1),
 				"test2.ipn.dev.": netaddr.IPv4(100, 103, 102, 101),
-			}),
+			}, nil),
 			NewMap(map[string]netaddr.IP{
 				"test2.ipn.dev.": netaddr.IPv4(100, 104, 102, 101),
 				"test1.ipn.dev.": netaddr.IPv4(100, 100, 101, 102),
 				"test3.ipn.dev.": netaddr.IPv4(100, 64, 1, 1),
-			}),
+			}, nil),
 			"-test1.ipn.dev.\t100.101.102.103\n+test1.ipn.dev.\t100.100.101.102\n" +
 				"-test2.ipn.dev.\t100.103.102.101\n+test2.ipn.dev.\t100.104.102.101\n" +
 				"+test3.ipn.dev.\t100.64.1.1\n-test4.ipn.dev.\t100.107.106.105\n-test5.ipn.dev.\t100.64.1.1\n",
--- a/wgengine/tsdns/tsdns.go
+++ b/wgengine/tsdns/tsdns.go
@@ -7,30 +7,25 @@
 package tsdns

 import (
-	"bytes"
-	"context"
 	"encoding/hex"
 	"errors"
+	"net"
+	"strings"
 	"sync"
 	"time"

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
-	"tailscale.com/net/netns"
 	"tailscale.com/types/logger"
 )

-// maxResponseSize is the maximum size of a response from a Resolver.
-const maxResponseSize = 512
+// maxResponseBytes is the maximum size of a response from a Resolver.
+const maxResponseBytes = 512

-// queueSize is the maximal number of DNS requests that can be pending at a time.
+// queueSize is the maximal number of DNS requests that can await polling.
 // If EnqueueRequest is called when this many requests are already pending,
 // the request will be dropped to avoid blocking the caller.
-const queueSize = 8
-
-// delegateTimeout is the maximal amount of time Resolver will wait
-// for upstream nameservers to process a query.
-const delegateTimeout = 5 * time.Second
+const queueSize = 64

 // defaultTTL is the TTL of all responses from Resolver.
 const defaultTTL = 600 * time.Second
@@ -39,12 +34,12 @@ const defaultTTL = 600 * time.Second
 var ErrClosed = errors.New("closed")

 var (
-	errAllFailed      = errors.New("all upstream nameservers failed")
 	errFullQueue      = errors.New("request queue full")
-	errNoNameservers  = errors.New("no upstream nameservers set")
 	errMapNotSet      = errors.New("domain map not set")
+	errNotForwarding  = errors.New("forwarding disabled")
 	errNotImplemented = errors.New("query type not implemented")
 	errNotQuery       = errors.New("not a DNS query")
+	errNotOurName     = errors.New("not a Tailscale DNS name")
 )

 // Packet represents a DNS payload together with the address of its origin.
@@ -63,57 +58,64 @@ type Packet struct {
 // it delegates to upstream nameservers if any are set.
 type Resolver struct {
 	logf logger.Logf
-
-	// The asynchronous interface is due to the fact that resolution may potentially
-	// block for a long time (if the upstream nameserver is slow to reach).
+	// forwarder forwards requests to upstream nameservers.
+	forwarder *forwarder

 	// queue is a buffered channel holding DNS requests queued for resolution.
 	queue chan Packet
-	// responses is an unbuffered channel to which responses are sent.
+	// responses is an unbuffered channel to which responses are returned.
 	responses chan Packet
-	// errors is an unbuffered channel to which errors are sent.
+	// errors is an unbuffered channel to which errors are returned.
 	errors chan error
-	// closed notifies the poll goroutines to stop.
+	// closed signals all goroutines to stop.
 	closed chan struct{}
-	// pollGroup signals when all poll goroutines have stopped.
-	pollGroup sync.WaitGroup
-
-	// rootDomain is <root> in <mynode>.<mydomain>.<root>.
-	rootDomain []byte
-
-	// dialer is the netns.Dialer used for delegation.
-	dialer netns.Dialer
+	// wg signals when all goroutines have stopped.
+	wg sync.WaitGroup

 	// mu guards the following fields from being updated while used.
 	mu sync.Mutex
 	// dnsMap is the map most recently received from the control server.
 	dnsMap *Map
-	// nameservers is the list of nameserver addresses that should be used
-	// if the received query is not for a Tailscale node.
-	// The addresses are strings of the form ip:port, as expected by Dial.
-	nameservers []string
+}
+
+// ResolverConfig is the set of configuration options for a Resolver.
+type ResolverConfig struct {
+	// Logf is the logger to use throughout the Resolver.
+	Logf logger.Logf
+	// Forward determines whether the resolver will forward packets to
+	// nameservers set with SetUpstreams if the domain name is not of a Tailscale node.
+	Forward bool
 }

 // NewResolver constructs a resolver associated with the given root domain.
 // The root domain must be in canonical form (with a trailing period).
-func NewResolver(logf logger.Logf, rootDomain string) *Resolver {
+func NewResolver(config ResolverConfig) *Resolver {
 	r := &Resolver{
-		logf:       logger.WithPrefix(logf, "tsdns: "),
-		queue:      make(chan Packet, queueSize),
-		responses:  make(chan Packet),
-		errors:     make(chan error),
-		closed:     make(chan struct{}),
-		rootDomain: []byte(rootDomain),
-		dialer:     netns.NewDialer(),
+		logf:      logger.WithPrefix(config.Logf, "tsdns: "),
+		queue:     make(chan Packet, queueSize),
+		responses: make(chan Packet),
+		errors:    make(chan error),
+		closed:    make(chan struct{}),
+	}
+
+	if config.Forward {
+		r.forwarder = newForwarder(r.logf, r.responses)
 	}

 	return r
 }

-func (r *Resolver) Start() {
-	// TODO(dmytro): spawn more than one goroutine? They block on delegation.
-	r.pollGroup.Add(1)
+func (r *Resolver) Start() error {
+	if r.forwarder != nil {
+		if err := r.forwarder.Start(); err != nil {
+			return err
+		}
+	}
+
+	r.wg.Add(1)
 	go r.poll()
+
+	return nil
 }

 // Close shuts down the resolver and ensures poll goroutines have exited.
@@ -126,7 +128,12 @@ func (r *Resolver) Close() {
 		// continue
 	}
 	close(r.closed)
-	r.pollGroup.Wait()
+
+	if r.forwarder != nil {
+		r.forwarder.Close()
+	}
+
+	r.wg.Wait()
 }

 // SetMap sets the resolver's DNS map, taking ownership of it.
@@ -138,14 +145,13 @@ func (r *Resolver) SetMap(m *Map) {
 	r.logf("map diff:\n%s", m.PrettyDiffFrom(oldMap))
 }

-// SetUpstreamNameservers sets the addresses of the resolver's
+// SetUpstreams sets the addresses of the resolver's
 // upstream nameservers, taking ownership of the argument.
-// The addresses should be strings of the form ip:port,
-// matching what Dial("udp", addr) expects as addr.
-func (r *Resolver) SetNameservers(nameservers []string) {
-	r.mu.Lock()
-	r.nameservers = nameservers
-	r.mu.Unlock()
+func (r *Resolver) SetUpstreams(upstreams []net.Addr) {
+	if r.forwarder != nil {
+		r.forwarder.setUpstreams(upstreams)
+	}
+	r.logf("set upstreams: %v", upstreams)
 }

 // EnqueueRequest places the given DNS request in the resolver's queue.
@@ -153,6 +159,8 @@ func (r *Resolver) SetNameservers(nameservers []string) {
 // If the queue is full, the request will be dropped and an error will be returned.
 func (r *Resolver) EnqueueRequest(request Packet) error {
 	select {
+	case <-r.closed:
+		return ErrClosed
 	case r.queue <- request:
 		return nil
 	default:
@@ -164,18 +172,19 @@ func (r *Resolver) EnqueueRequest(request Packet) error {
 // It blocks until a response is available and gives up ownership of the response payload.
 func (r *Resolver) NextResponse() (Packet, error) {
 	select {
+	case <-r.closed:
+		return Packet{}, ErrClosed
 	case resp := <-r.responses:
 		return resp, nil
 	case err := <-r.errors:
 		return Packet{}, err
-	case <-r.closed:
-		return Packet{}, ErrClosed
 	}
 }

-// Resolve maps a given domain name to the IP address of the host that owns it.
+// Resolve maps a given domain name to the IP address of the host that owns it,
+// if the IP address conforms to the DNS resource type given by tp (one of A, AAAA, ALL).
 // The domain name must be in canonical form (with a trailing period).
-func (r *Resolver) Resolve(domain string) (netaddr.IP, dns.RCode, error) {
+func (r *Resolver) Resolve(domain string, tp dns.Type) (netaddr.IP, dns.RCode, error) {
 	r.mu.Lock()
 	dnsMap := r.dnsMap
 	r.mu.Unlock()
@@ -184,11 +193,38 @@ func (r *Resolver) Resolve(domain string) (netaddr.IP, dns.RCode, error) {
 		return netaddr.IP{}, dns.RCodeServerFailure, errMapNotSet
 	}

+	anyHasSuffix := false
+	for _, rootDomain := range dnsMap.rootDomains {
+		if strings.HasSuffix(domain, rootDomain) {
+			anyHasSuffix = true
+			break
+		}
+	}
+	if !anyHasSuffix {
+		return netaddr.IP{}, dns.RCodeRefused, nil
+	}
+
 	addr, found := dnsMap.nameToIP[domain]
 	if !found {
 		return netaddr.IP{}, dns.RCodeNameError, nil
 	}
-	return addr, dns.RCodeSuccess, nil
+
+	// Refactoring note: this must happen after we check suffixes,
+	// otherwise we will respond with NOTIMP to requests that should be forwarded.
+	switch {
+	case tp == dns.TypeA || tp == dns.TypeALL:
+		if !addr.Is4() {
+			return netaddr.IP{}, dns.RCodeSuccess, nil
+		}
+		return addr, dns.RCodeSuccess, nil
+	case tp == dns.TypeAAAA || tp == dns.TypeALL:
+		if !addr.Is6() {
+			return netaddr.IP{}, dns.RCodeSuccess, nil
+		}
+		return addr, dns.RCodeSuccess, nil
+	default:
+		return netaddr.IP{}, dns.RCodeNotImplemented, errNotImplemented
+	}
 }

 // ResolveReverse returns the unique domain name that maps to the given address.
@@ -209,120 +245,56 @@ func (r *Resolver) ResolveReverse(ip netaddr.IP) (string, dns.RCode, error) {
 }

 func (r *Resolver) poll() {
-	defer r.pollGroup.Done()
+	defer r.wg.Done()

-	var (
-		packet Packet
-		err    error
-	)
+	var packet Packet
 	for {
 		select {
-		case packet = <-r.queue:
-			// continue
 		case <-r.closed:
 			return
+		case packet = <-r.queue:
+			// continue
+		}
+
+		out, err := r.respond(packet.Payload)
+
+		if err == errNotOurName {
+			if r.forwarder != nil {
+				err = r.forwarder.forward(packet)
+				if err == nil {
+					// forward will send response into r.responses, nothing to do.
+					continue
+				}
+			} else {
+				err = errNotForwarding
+			}
 		}

-		packet.Payload, err = r.respond(packet.Payload)
 		if err != nil {
 			select {
+			case <-r.closed:
+				return
 			case r.errors <- err:
 				// continue
-			case <-r.closed:
-				return
 			}
 		} else {
+			packet.Payload = out
 			select {
-			case r.responses <- packet:
-				// continue
 			case <-r.closed:
 				return
+			case r.responses <- packet:
+				// continue
 			}
 		}
 	}
 }

-// queryServer obtains a DNS response by querying the given server.
-func (r *Resolver) queryServer(ctx context.Context, server string, query []byte) ([]byte, error) {
-	conn, err := r.dialer.DialContext(ctx, "udp", server)
-	if err != nil {
-		return nil, err
-	}
-	defer conn.Close()
-
-	// Interrupt the current operation when the context is cancelled.
-	go func() {
-		<-ctx.Done()
-		conn.SetDeadline(time.Unix(1, 0))
-	}()
-
-	_, err = conn.Write(query)
-	if err != nil {
-		return nil, err
-	}
-
-	out := make([]byte, maxResponseSize)
-	n, err := conn.Read(out)
-	if err != nil {
-		return nil, err
-	}
-
-	return out[:n], nil
-}
-
-// delegate forwards the query to all upstream nameservers and returns the first response.
-func (r *Resolver) delegate(query []byte) ([]byte, error) {
-	r.mu.Lock()
-	nameservers := r.nameservers
-	r.mu.Unlock()
-
-	if len(nameservers) == 0 {
-		return nil, errNoNameservers
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), delegateTimeout)
-	defer cancel()
-
-	// Common case, don't spawn goroutines.
-	if len(nameservers) == 1 {
-		return r.queryServer(ctx, nameservers[0], query)
-	}
-
-	datach := make(chan []byte)
-	for _, server := range nameservers {
-		go func(s string) {
-			resp, err := r.queryServer(ctx, s, query)
-			// Only print errors not due to cancelation after first response.
-			if err != nil && ctx.Err() != context.Canceled {
-				r.logf("querying %s: %v", s, err)
-			}
-
-			datach <- resp
-		}(server)
-	}
-
-	var response []byte
-	for range nameservers {
-		cur := <-datach
-		if cur != nil && response == nil {
-			// Received first successful response
-			response = cur
-			cancel()
-		}
-	}
-
-	if response == nil {
-		return nil, errAllFailed
-	}
-	return response, nil
-}
-
 type response struct {
 	Header   dns.Header
 	Question dns.Question
 	// Name is the response to a PTR query.
 	Name string
-	// IP is the response to an A, AAAA, or ANY query.
+	// IP is the response to an A, AAAA, or ALL query.
 	IP netaddr.IP
 }

@@ -433,7 +405,7 @@ func marshalResponse(resp *response) ([]byte, error) {
 	case dns.TypeA, dns.TypeAAAA, dns.TypeALL:
 		if resp.IP.Is4() {
 			err = marshalARecord(resp.Question.Name, resp.IP, &builder)
-		} else {
+		} else if resp.IP.Is6() {
 			err = marshalAAAARecord(resp.Question.Name, resp.IP, &builder)
 		}
 	case dns.TypePTR:
@@ -446,19 +418,34 @@ func marshalResponse(resp *response) ([]byte, error) {
 	return builder.Finish()
 }

-var (
-	rdnsv4Suffix = []byte(".in-addr.arpa.")
-	rdnsv6Suffix = []byte(".ip6.arpa.")
+const (
+	rdnsv4Suffix = ".in-addr.arpa."
+	rdnsv6Suffix = ".ip6.arpa."
 )

+// rawNameToLower converts a raw DNS name to a string, lowercasing it.
+func rawNameToLower(name []byte) string {
+	var sb strings.Builder
+	sb.Grow(len(name))
+
+	for _, b := range name {
+		if 'A' <= b && b <= 'Z' {
+			b = b - 'A' + 'a'
+		}
+		sb.WriteByte(b)
+	}
+
+	return sb.String()
+}
+
 // ptrNameToIPv4 transforms a PTR name representing an IPv4 address to said address.
 // Such names are IPv4 labels in reverse order followed by .in-addr.arpa.
 // For example,
 //   4.3.2.1.in-addr.arpa
 // is transformed to
 //   1.2.3.4
-func rdnsNameToIPv4(name []byte) (ip netaddr.IP, ok bool) {
-	name = bytes.TrimSuffix(name, rdnsv4Suffix)
+func rdnsNameToIPv4(name string) (ip netaddr.IP, ok bool) {
+	name = strings.TrimSuffix(name, rdnsv4Suffix)
 	ip, err := netaddr.ParseIP(string(name))
 	if err != nil {
 		return netaddr.IP{}, false
@@ -476,11 +463,11 @@ func rdnsNameToIPv4(name []byte) (ip netaddr.IP, ok bool) {
 //   b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 // is transformed to
 //   2001:db8::567:89ab
-func rdnsNameToIPv6(name []byte) (ip netaddr.IP, ok bool) {
+func rdnsNameToIPv6(name string) (ip netaddr.IP, ok bool) {
 	var b [32]byte
 	var ipb [16]byte

-	name = bytes.TrimSuffix(name, rdnsv6Suffix)
+	name = strings.TrimSuffix(name, rdnsv6Suffix)
 	// 32 nibbles and 31 dots between them.
 	if len(name) != 63 {
 		return netaddr.IP{}, false
@@ -514,53 +501,39 @@ func rdnsNameToIPv6(name []byte) (ip netaddr.IP, ok bool) {

 // respondReverse returns a DNS response to a PTR query.
 // It is assumed that resp.Question is populated by respond before this is called.
-func (r *Resolver) respondReverse(query []byte, resp *response) ([]byte, error) {
-	name := resp.Question.Name.Data[:resp.Question.Name.Length]
-
-	shouldDelegate := false
-
+func (r *Resolver) respondReverse(query []byte, name string, resp *response) ([]byte, error) {
 	var ip netaddr.IP
 	var ok bool
 	var err error
 	switch {
-	case bytes.HasSuffix(name, rdnsv4Suffix):
+	case strings.HasSuffix(name, rdnsv4Suffix):
 		ip, ok = rdnsNameToIPv4(name)
-	case bytes.HasSuffix(name, rdnsv6Suffix):
+	case strings.HasSuffix(name, rdnsv6Suffix):
 		ip, ok = rdnsNameToIPv6(name)
 	default:
-		shouldDelegate = true
+		return nil, errNotOurName
 	}

 	// It is more likely that we failed in parsing the name than that it is actually malformed.
 	// To avoid frustrating users, just log and delegate.
 	if !ok {
-		// Without this conversion, escape analysis rules that resp escapes.
-		r.logf("parsing rdns: malformed name: %s", resp.Question.Name.String())
-		shouldDelegate = true
+		r.logf("parsing rdns: malformed name: %s", name)
+		return nil, errNotOurName
 	}

-	if !shouldDelegate {
-		resp.Name, resp.Header.RCode, err = r.ResolveReverse(ip)
-		if err != nil {
-			r.logf("resolving rdns: %v", ip, err)
-		}
-		shouldDelegate = (resp.Header.RCode == dns.RCodeNameError)
+	resp.Name, resp.Header.RCode, err = r.ResolveReverse(ip)
+	if err != nil {
+		r.logf("resolving rdns: %v", ip, err)
 	}
-
-	if shouldDelegate {
-		out, err := r.delegate(query)
-		if err != nil {
-			r.logf("delegating rdns: %v", err)
-			resp.Header.RCode = dns.RCodeServerFailure
-			return marshalResponse(resp)
-		}
-		return out, nil
+	if resp.Header.RCode == dns.RCodeNameError {
+		return nil, errNotOurName
 	}

 	return marshalResponse(resp)
 }

-// respond returns a DNS response to query.
+// respond returns a DNS response to query if it can be resolved locally.
+// Otherwise, it returns errNotOurName.
 func (r *Resolver) respond(query []byte) ([]byte, error) {
 	resp := new(response)

@@ -574,35 +547,22 @@ func (r *Resolver) respond(query []byte) ([]byte, error) {
 		resp.Header.RCode = dns.RCodeFormatError
 		return marshalResponse(resp)
 	}
+	rawName := resp.Question.Name.Data[:resp.Question.Name.Length]
+	name := rawNameToLower(rawName)

 	// Always try to handle reverse lookups; delegate inside when not found.
 	// This way, queries for exitent nodes do not leak,
 	// but we behave gracefully if non-Tailscale nodes exist in CGNATRange.
 	if resp.Question.Type == dns.TypePTR {
-		return r.respondReverse(query, resp)
+		return r.respondReverse(query, name, resp)
 	}

-	// Delegate forward lookups when not a subdomain of rootDomain.
-	// We do this on bytes because Name.String() allocates.
-	rawName := resp.Question.Name.Data[:resp.Question.Name.Length]
-	if !bytes.HasSuffix(rawName, r.rootDomain) {
-		out, err := r.delegate(query)
-		if err != nil {
-			r.logf("delegating: %v", err)
-			resp.Header.RCode = dns.RCodeServerFailure
-			return marshalResponse(resp)
-		}
-		return out, nil
+	resp.IP, resp.Header.RCode, err = r.Resolve(name, resp.Question.Type)
+	// This return code is special: it requests forwarding.
+	if resp.Header.RCode == dns.RCodeRefused {
+		return nil, errNotOurName
 	}

-	switch resp.Question.Type {
-	case dns.TypeA, dns.TypeAAAA, dns.TypeALL:
-		name := resp.Question.Name.String()
-		resp.IP, resp.Header.RCode, err = r.Resolve(name)
-	default:
-		resp.Header.RCode = dns.RCodeNotImplemented
-		err = errNotImplemented
-	}
 	// We will not return this error: it is the sender's fault.
 	if err != nil {
 		r.logf("resolving: %v", err)
--- a/wgengine/tsdns/tsdns_server_test.go
+++ b/wgengine/tsdns/tsdns_server_test.go
@@ -16,9 +16,10 @@ import (
 var dnsHandleFunc = dns.HandleFunc

 // resolveToIP returns a handler function which responds
-// to queries of type A it receives with an A record containing ipv4
-// and to queries of type AAAA with an AAAA records containing ipv6.
-func resolveToIP(ipv4, ipv6 netaddr.IP) dns.HandlerFunc {
+// to queries of type A it receives with an A record containing ipv4,
+// to queries of type AAAA with an AAAA record containing ipv6,
+// to queries of type NS with an NS record containg name.
+func resolveToIP(ipv4, ipv6 netaddr.IP, ns string) dns.HandlerFunc {
 	return func(w dns.ResponseWriter, req *dns.Msg) {
 		m := new(dns.Msg)
 		m.SetReply(req)
@@ -29,7 +30,8 @@ func resolveToIP(ipv4, ipv6 netaddr.IP) dns.HandlerFunc {
 		question := req.Question[0]

 		var ans dns.RR
-		if question.Qtype == dns.TypeA {
+		switch question.Qtype {
+		case dns.TypeA:
 			ans = &dns.A{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
@@ -38,7 +40,7 @@ func resolveToIP(ipv4, ipv6 netaddr.IP) dns.HandlerFunc {
 				},
 				A: ipv4.IPAddr().IP,
 			}
-		} else {
+		case dns.TypeAAAA:
 			ans = &dns.AAAA{
 				Hdr: dns.RR_Header{
 					Name:   question.Name,
@@ -47,9 +49,18 @@ func resolveToIP(ipv4, ipv6 netaddr.IP) dns.HandlerFunc {
 				},
 				AAAA: ipv6.IPAddr().IP,
 			}
+		case dns.TypeNS:
+			ans = &dns.NS{
+				Hdr: dns.RR_Header{
+					Name:   question.Name,
+					Rrtype: dns.TypeNS,
+					Class:  dns.ClassINET,
+				},
+				Ns: ns,
+			}
 		}
-		m.Answer = append(m.Answer, ans)

+		m.Answer = append(m.Answer, ans)
 		w.WriteMsg(m)
 	}
 }
--- a/wgengine/tsdns/tsdns_test.go
+++ b/wgengine/tsdns/tsdns_test.go
@@ -7,11 +7,13 @@ package tsdns
 import (
 	"bytes"
 	"errors"
+	"net"
 	"sync"
 	"testing"

 	dns "golang.org/x/net/dns/dnsmessage"
 	"inet.af/netaddr"
+	"tailscale.com/tstest"
 )

 var testipv4 = netaddr.IPv4(1, 2, 3, 4)
@@ -24,9 +26,10 @@ var testipv6 = netaddr.IPv6Raw([16]byte{

 var dnsMap = NewMap(
 	map[string]netaddr.IP{
-		"test1.ipn.dev": testipv4,
-		"test2.ipn.dev": testipv6,
+		"test1.ipn.dev.": testipv4,
+		"test2.ipn.dev.": testipv6,
 	},
+	[]string{"ipn.dev."},
 )

 func dnspacket(domain string, tp dns.Type) []byte {
@@ -45,49 +48,64 @@ func dnspacket(domain string, tp dns.Type) []byte {
 	return payload
 }

-func extractipcode(response []byte) (netaddr.IP, dns.RCode, error) {
-	var ip netaddr.IP
+type dnsResponse struct {
+	ip    netaddr.IP
+	name  string
+	rcode dns.RCode
+}
+
+func unpackResponse(payload []byte) (dnsResponse, error) {
+	var response dnsResponse
 	var parser dns.Parser

-	h, err := parser.Start(response)
+	h, err := parser.Start(payload)
 	if err != nil {
-		return ip, 0, err
+		return response, err
 	}

 	if !h.Response {
-		return ip, 0, errors.New("not a response")
+		return response, errors.New("not a response")
 	}
-	if h.RCode != dns.RCodeSuccess {
-		return ip, h.RCode, nil
+
+	response.rcode = h.RCode
+	if response.rcode != dns.RCodeSuccess {
+		return response, nil
 	}

 	err = parser.SkipAllQuestions()
 	if err != nil {
-		return ip, 0, err
+		return response, err
 	}

 	ah, err := parser.AnswerHeader()
 	if err != nil {
-		return ip, 0, err
+		return response, err
 	}
+
 	switch ah.Type {
 	case dns.TypeA:
 		res, err := parser.AResource()
 		if err != nil {
-			return ip, 0, err
+			return response, err
 		}
-		ip = netaddr.IPv4(res.A[0], res.A[1], res.A[2], res.A[3])
+		response.ip = netaddr.IPv4(res.A[0], res.A[1], res.A[2], res.A[3])
 	case dns.TypeAAAA:
 		res, err := parser.AAAAResource()
 		if err != nil {
-			return ip, 0, err
+			return response, err
 		}
-		ip = netaddr.IPv6Raw(res.AAAA)
+		response.ip = netaddr.IPv6Raw(res.AAAA)
+	case dns.TypeNS:
+		res, err := parser.NSResource()
+		if err != nil {
+			return response, err
+		}
+		response.name = res.NS.String()
 	default:
-		return ip, 0, errors.New("type not in {A, AAAA}")
+		return response, errors.New("type not in {A, AAAA, NS}")
 	}

-	return ip, h.RCode, nil
+	return response, nil
 }

 func syncRespond(r *Resolver, query []byte) ([]byte, error) {
@@ -120,8 +138,7 @@ func TestRDNSNameToIPv4(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			name := []byte(tt.input)
-			ip, ok := rdnsNameToIPv4(name)
+			ip, ok := rdnsNameToIPv4(tt.input)
 			if ok != tt.wantOK {
 				t.Errorf("ok = %v; want %v", ok, tt.wantOK)
 			} else if ok && ip != tt.wantIP {
@@ -166,8 +183,7 @@ func TestRDNSNameToIPv6(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			name := []byte(tt.input)
-			ip, ok := rdnsNameToIPv6(name)
+			ip, ok := rdnsNameToIPv6(tt.input)
 			if ok != tt.wantOK {
 				t.Errorf("ok = %v; want %v", ok, tt.wantOK)
 			} else if ok && ip != tt.wantIP {
@@ -178,25 +194,31 @@ func TestRDNSNameToIPv6(t *testing.T) {
 }

 func TestResolve(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev")
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
 	r.SetMap(dnsMap)
-	r.Start()
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
-		name   string
-		domain string
-		ip     netaddr.IP
-		code   dns.RCode
+		name  string
+		qname string
+		qtype dns.Type
+		ip    netaddr.IP
+		code  dns.RCode
 	}{
-		{"ipv4", "test1.ipn.dev.", testipv4, dns.RCodeSuccess},
-		{"ipv6", "test2.ipn.dev.", testipv6, dns.RCodeSuccess},
-		{"nxdomain", "test3.ipn.dev.", netaddr.IP{}, dns.RCodeNameError},
-		{"foreign domain", "google.com.", netaddr.IP{}, dns.RCodeNameError},
+		{"ipv4", "test1.ipn.dev.", dns.TypeA, testipv4, dns.RCodeSuccess},
+		{"ipv6", "test2.ipn.dev.", dns.TypeAAAA, testipv6, dns.RCodeSuccess},
+		{"no-ipv6", "test1.ipn.dev.", dns.TypeAAAA, netaddr.IP{}, dns.RCodeSuccess},
+		{"nxdomain", "test3.ipn.dev.", dns.TypeA, netaddr.IP{}, dns.RCodeNameError},
+		{"foreign domain", "google.com.", dns.TypeA, netaddr.IP{}, dns.RCodeRefused},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			ip, code, err := r.Resolve(tt.domain)
+			ip, code, err := r.Resolve(tt.qname, tt.qtype)
 			if err != nil {
 				t.Errorf("err = %v; want nil", err)
 			}
@@ -212,9 +234,13 @@ func TestResolve(t *testing.T) {
 }

 func TestResolveReverse(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev")
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
 	r.SetMap(dnsMap)
-	r.Start()
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
 		name string
@@ -244,7 +270,10 @@ func TestResolveReverse(t *testing.T) {
 }

 func TestDelegate(t *testing.T) {
-	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6))
+	rc := tstest.NewResourceCheck()
+	defer rc.Assert(t)
+
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
 	dnsHandleFunc("nxdomain.site.", resolveToNXDOMAIN)

 	v4server, v4errch := serveDNS("127.0.0.1:0")
@@ -271,49 +300,157 @@ func TestDelegate(t *testing.T) {
 		return
 	}

-	r := NewResolver(t.Logf, "ipn.dev")
-	r.SetNameservers([]string{
-		v4server.PacketConn.LocalAddr().String(),
-		v6server.PacketConn.LocalAddr().String(),
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+	r.SetUpstreams([]net.Addr{
+		v4server.PacketConn.LocalAddr(),
+		v6server.PacketConn.LocalAddr(),
 	})
-	r.Start()
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
-		name  string
-		query []byte
-		ip    netaddr.IP
-		code  dns.RCode
+		title    string
+		query    []byte
+		response dnsResponse
 	}{
-		{"ipv4", dnspacket("test.site.", dns.TypeA), testipv4, dns.RCodeSuccess},
-		{"ipv6", dnspacket("test.site.", dns.TypeAAAA), testipv6, dns.RCodeSuccess},
-		{"nxdomain", dnspacket("nxdomain.site.", dns.TypeA), netaddr.IP{}, dns.RCodeNameError},
+		{
+			"ipv4",
+			dnspacket("test.site.", dns.TypeA),
+			dnsResponse{ip: testipv4, rcode: dns.RCodeSuccess},
+		},
+		{
+			"ipv6",
+			dnspacket("test.site.", dns.TypeAAAA),
+			dnsResponse{ip: testipv6, rcode: dns.RCodeSuccess},
+		},
+		{
+			"ns",
+			dnspacket("test.site.", dns.TypeNS),
+			dnsResponse{name: "dns.test.site.", rcode: dns.RCodeSuccess},
+		},
+		{
+			"nxdomain",
+			dnspacket("nxdomain.site.", dns.TypeA),
+			dnsResponse{rcode: dns.RCodeNameError},
+		},
 	}

 	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			resp, err := syncRespond(r, tt.query)
+		t.Run(tt.title, func(t *testing.T) {
+			payload, err := syncRespond(r, tt.query)
 			if err != nil {
 				t.Errorf("err = %v; want nil", err)
 				return
 			}
-			ip, code, err := extractipcode(resp)
+			response, err := unpackResponse(payload)
 			if err != nil {
-				t.Errorf("extract: err = %v; want nil (in %x)", err, resp)
+				t.Errorf("extract: err = %v; want nil (in %x)", err, payload)
 				return
 			}
-			if code != tt.code {
-				t.Errorf("code = %v; want %v", code, tt.code)
+			if response.rcode != tt.response.rcode {
+				t.Errorf("rcode = %v; want %v", response.rcode, tt.response.rcode)
 			}
-			if ip != tt.ip {
-				t.Errorf("ip = %v; want %v", ip, tt.ip)
+			if response.ip != tt.response.ip {
+				t.Errorf("ip = %v; want %v", response.ip, tt.response.ip)
+			}
+			if response.name != tt.response.name {
+				t.Errorf("name = %v; want %v", response.name, tt.response.name)
 			}
 		})
 	}
 }

+func TestDelegateCollision(t *testing.T) {
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+
+	server, errch := serveDNS("127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			t.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
+	defer server.Shutdown()
+
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+	r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()
+
+	packets := []struct {
+		qname string
+		qtype dns.Type
+		addr  netaddr.IPPort
+	}{
+		{"test.site.", dns.TypeA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1001}},
+		{"test.site.", dns.TypeAAAA, netaddr.IPPort{IP: netaddr.IPv4(1, 1, 1, 1), Port: 1002}},
+	}
+
+	// packets will have the same dns txid.
+	for _, p := range packets {
+		payload := dnspacket(p.qname, p.qtype)
+		req := Packet{Payload: payload, Addr: p.addr}
+		err := r.EnqueueRequest(req)
+		if err != nil {
+			t.Error(err)
+		}
+	}
+
+	// Despite the txid collision, the answer(s) should still match the query.
+	resp, err := r.NextResponse()
+	if err != nil {
+		t.Error(err)
+	}
+
+	var p dns.Parser
+	_, err = p.Start(resp.Payload)
+	if err != nil {
+		t.Error(err)
+	}
+	err = p.SkipAllQuestions()
+	if err != nil {
+		t.Error(err)
+	}
+	ans, err := p.AllAnswers()
+	if err != nil {
+		t.Error(err)
+	}
+
+	var wantType dns.Type
+	switch ans[0].Body.(type) {
+	case *dns.AResource:
+		wantType = dns.TypeA
+	case *dns.AAAAResource:
+		wantType = dns.TypeAAAA
+	default:
+		t.Errorf("unexpected answer type: %T", ans[0].Body)
+	}
+
+	for _, p := range packets {
+		if p.qtype == wantType && p.addr != resp.Addr {
+			t.Errorf("addr = %v; want %v", resp.Addr, p.addr)
+		}
+	}
+}
+
 func TestConcurrentSetMap(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev.")
-	r.Start()
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	// This is purely to ensure that Resolve does not race with SetMap.
 	var wg sync.WaitGroup
@@ -324,22 +461,41 @@ func TestConcurrentSetMap(t *testing.T) {
 	}()
 	go func() {
 		defer wg.Done()
-		r.Resolve("test1.ipn.dev")
+		r.Resolve("test1.ipn.dev", dns.TypeA)
 	}()
 	wg.Wait()
 }

-func TestConcurrentSetNameservers(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev.")
-	r.Start()
-	packet := dnspacket("google.com.", dns.TypeA)
+func TestConcurrentSetUpstreams(t *testing.T) {
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))

-	// This is purely to ensure that delegation does not race with SetNameservers.
+	server, errch := serveDNS("127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			t.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
+	defer server.Shutdown()
+
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: true})
+	r.SetMap(dnsMap)
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()
+
+	packet := dnspacket("test.site.", dns.TypeA)
+	// This is purely to ensure that delegation does not race with SetUpstreams.
 	var wg sync.WaitGroup
 	wg.Add(2)
 	go func() {
 		defer wg.Done()
-		r.SetNameservers([]string{"9.9.9.9:53"})
+		r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})
 	}()
 	go func() {
 		defer wg.Done()
@@ -348,7 +504,24 @@ func TestConcurrentSetNameservers(t *testing.T) {
 	wg.Wait()
 }

-var validIPv4Response = []byte{
+var allResponse = []byte{
+	0x00, 0x00, // transaction id: 0
+	0x84, 0x00, // flags: response, authoritative, no error
+	0x00, 0x01, // one question
+	0x00, 0x01, // one answer
+	0x00, 0x00, 0x00, 0x00, // no authority or additional RRs
+	// Question:
+	0x05, 0x74, 0x65, 0x73, 0x74, 0x31, 0x03, 0x69, 0x70, 0x6e, 0x03, 0x64, 0x65, 0x76, 0x00, // name
+	0x00, 0xff, 0x00, 0x01, // type ALL, class IN
+	// Answer:
+	0x05, 0x74, 0x65, 0x73, 0x74, 0x31, 0x03, 0x69, 0x70, 0x6e, 0x03, 0x64, 0x65, 0x76, 0x00, // name
+	0x00, 0x01, 0x00, 0x01, // type A, class IN
+	0x00, 0x00, 0x02, 0x58, // TTL: 600
+	0x00, 0x04, // length: 4 bytes
+	0x01, 0x02, 0x03, 0x04, // A: 1.2.3.4
+}
+
+var ipv4Response = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
 	0x00, 0x01, // one question
@@ -365,7 +538,7 @@ var validIPv4Response = []byte{
 	0x01, 0x02, 0x03, 0x04, // A: 1.2.3.4
 }

-var validIPv6Response = []byte{
+var ipv6Response = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
 	0x00, 0x01, // one question
@@ -383,7 +556,24 @@ var validIPv6Response = []byte{
 	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0xb, 0xc, 0xd, 0xe, 0xf,
 }

-var validPTRResponse = []byte{
+var ipv4UppercaseResponse = []byte{
+	0x00, 0x00, // transaction id: 0
+	0x84, 0x00, // flags: response, authoritative, no error
+	0x00, 0x01, // one question
+	0x00, 0x01, // one answer
+	0x00, 0x00, 0x00, 0x00, // no authority or additional RRs
+	// Question:
+	0x05, 0x54, 0x45, 0x53, 0x54, 0x31, 0x03, 0x49, 0x50, 0x4e, 0x03, 0x44, 0x45, 0x56, 0x00, // name
+	0x00, 0x01, 0x00, 0x01, // type A, class IN
+	// Answer:
+	0x05, 0x54, 0x45, 0x53, 0x54, 0x31, 0x03, 0x49, 0x50, 0x4e, 0x03, 0x44, 0x45, 0x56, 0x00, // name
+	0x00, 0x01, 0x00, 0x01, // type A, class IN
+	0x00, 0x00, 0x02, 0x58, // TTL: 600
+	0x00, 0x04, // length: 4 bytes
+	0x01, 0x02, 0x03, 0x04, // A: 1.2.3.4
+}
+
+var ptrResponse = []byte{
 	0x00, 0x00, // transaction id: 0
 	0x84, 0x00, // flags: response, authoritative, no error
 	0x00, 0x01, // one question
@@ -414,10 +604,25 @@ var nxdomainResponse = []byte{
 	0x00, 0x01, 0x00, 0x01, // type A, class IN
 }

+var emptyResponse = []byte{
+	0x00, 0x00, // transaction id: 0
+	0x84, 0x00, // flags: response, authoritative, no error
+	0x00, 0x01, // one question
+	0x00, 0x00, // no answers
+	0x00, 0x00, 0x00, 0x00, // no authority or additional RRs
+	// Question:
+	0x05, 0x74, 0x65, 0x73, 0x74, 0x31, 0x03, 0x69, 0x70, 0x6e, 0x03, 0x64, 0x65, 0x76, 0x00, // name
+	0x00, 0x1c, 0x00, 0x01, // type AAAA, class IN
+}
+
 func TestFull(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev.")
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
 	r.SetMap(dnsMap)
-	r.Start()
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	// One full packet and one error packet
 	tests := []struct {
@@ -425,10 +630,13 @@ func TestFull(t *testing.T) {
 		request  []byte
 		response []byte
 	}{
-		{"ipv4", dnspacket("test1.ipn.dev.", dns.TypeA), validIPv4Response},
-		{"ipv6", dnspacket("test2.ipn.dev.", dns.TypeAAAA), validIPv6Response},
-		{"ptr", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), validPTRResponse},
-		{"error", dnspacket("test3.ipn.dev.", dns.TypeA), nxdomainResponse},
+		{"all", dnspacket("test1.ipn.dev.", dns.TypeALL), allResponse},
+		{"ipv4", dnspacket("test1.ipn.dev.", dns.TypeA), ipv4Response},
+		{"ipv6", dnspacket("test2.ipn.dev.", dns.TypeAAAA), ipv6Response},
+		{"no-ipv6", dnspacket("test1.ipn.dev.", dns.TypeAAAA), emptyResponse},
+		{"upper", dnspacket("TEST1.IPN.DEV.", dns.TypeA), ipv4UppercaseResponse},
+		{"ptr", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), ptrResponse},
+		{"nxdomain", dnspacket("test3.ipn.dev.", dns.TypeA), nxdomainResponse},
 	}

 	for _, tt := range tests {
@@ -445,9 +653,13 @@ func TestFull(t *testing.T) {
 }

 func TestAllocs(t *testing.T) {
-	r := NewResolver(t.Logf, "ipn.dev.")
+	r := NewResolver(ResolverConfig{Logf: t.Logf, Forward: false})
 	r.SetMap(dnsMap)
-	r.Start()
+
+	if err := r.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	// It is seemingly pointless to test allocs in the delegate path,
 	// as dialer.Dial -> Read -> Write alone comprise 12 allocs.
@@ -456,8 +668,8 @@ func TestAllocs(t *testing.T) {
 		query []byte
 		want  int
 	}{
-		// The only alloc is the slice created by dns.NewBuilder.
-		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA), 1},
+		// Name lowercasing and response slice created by dns.NewBuilder.
+		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA), 2},
 		// 3 extra allocs in rdnsNameToIPv4 and one in marshalPTRRecord (dns.NewName).
 		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR), 5},
 	}
@@ -473,9 +685,28 @@ func TestAllocs(t *testing.T) {
 }

 func BenchmarkFull(b *testing.B) {
-	r := NewResolver(b.Logf, "ipn.dev.")
+	dnsHandleFunc("test.site.", resolveToIP(testipv4, testipv6, "dns.test.site."))
+
+	server, errch := serveDNS("127.0.0.1:0")
+	defer func() {
+		if err := <-errch; err != nil {
+			b.Errorf("server error: %v", err)
+		}
+	}()
+
+	if server == nil {
+		return
+	}
+	defer server.Shutdown()
+
+	r := NewResolver(ResolverConfig{Logf: b.Logf, Forward: true})
 	r.SetMap(dnsMap)
-	r.Start()
+	r.SetUpstreams([]net.Addr{server.PacketConn.LocalAddr()})
+
+	if err := r.Start(); err != nil {
+		b.Fatalf("start: %v", err)
+	}
+	defer r.Close()

 	tests := []struct {
 		name    string
@@ -483,7 +714,7 @@ func BenchmarkFull(b *testing.B) {
 	}{
 		{"forward", dnspacket("test1.ipn.dev.", dns.TypeA)},
 		{"reverse", dnspacket("4.3.2.1.in-addr.arpa.", dns.TypePTR)},
-		{"nxdomain", dnspacket("test3.ipn.dev.", dns.TypeA)},
+		{"delegated", dnspacket("test.site.", dns.TypeA)},
 	}

 	for _, tt := range tests {
--- a/wgengine/userspace.go
+++ b/wgengine/userspace.go
@@ -61,9 +61,6 @@ const (
 	magicDNSPort = 53
 )

-// magicDNSDomain is the parent domain for Tailscale nodes.
-const magicDNSDomain = "b.tailscale.net."
-
 // Lazy wireguard-go configuration parameters.
 const (
 	// lazyPeerIdleThreshold is the idle duration after
@@ -108,16 +105,18 @@ type userspaceEngine struct {
 	lastEngineSigFull   string // of full wireguard config
 	lastEngineSigTrim   string // of trimmed wireguard config
 	recvActivityAt      map[tailcfg.DiscoKey]time.Time
-	sentActivityAt      map[packet.IP]*int64 // value is atomic int64 of unixtime
+	trimmedDisco        map[tailcfg.DiscoKey]bool // set of disco keys of peers currently excluded from wireguard config
+	sentActivityAt      map[packet.IP]*int64      // value is atomic int64 of unixtime
 	destIPActivityFuncs map[packet.IP]func()

-	mu             sync.Mutex // guards following; see lock order comment below
-	closing        bool       // Close was called (even if we're still closing)
-	statusCallback StatusCallback
-	peerSequence   []wgcfg.Key
-	endpoints      []string
-	pingers        map[wgcfg.Key]*pinger // legacy pingers for pre-discovery peers
-	linkState      *interfaces.State
+	mu                 sync.Mutex // guards following; see lock order comment below
+	closing            bool       // Close was called (even if we're still closing)
+	statusCallback     StatusCallback
+	linkChangeCallback func(major bool, newState *interfaces.State)
+	peerSequence       []wgcfg.Key
+	endpoints          []string
+	pingers            map[wgcfg.Key]*pinger // legacy pingers for pre-discovery peers
+	linkState          *interfaces.State

 	// Lock ordering: magicsock.Conn.mu, wgLock, then mu.
 }
@@ -138,6 +137,13 @@ type EngineConfig struct {
 	// Fake determines whether this engine is running in fake mode,
 	// which disables such features as DNS configuration and unrestricted ICMP Echo responses.
 	Fake bool
+
+	// FakeImpl, if non-nil, specifies which type of fake implementation to
+	// use. Two values are typical: nil, for a basic ping-only fake
+	// implementation, and netstack.Impl, which brings in gvisor's netstack
+	// to the binary. The desire to keep that out of some binaries is why
+	// this func exists, so wgengine need not depend on gvisor.
+	FakeImpl FakeImplFunc
 }

 type Loggify struct {
@@ -149,7 +155,9 @@ func (l *Loggify) Write(b []byte) (int, error) {
 	return len(b), nil
 }

-func NewFakeUserspaceEngine(logf logger.Logf, listenPort uint16) (Engine, error) {
+type FakeImplFunc func(logger.Logf, *tstun.TUN, Engine, *magicsock.Conn) error
+
+func NewFakeUserspaceEngine(logf logger.Logf, listenPort uint16, impl FakeImplFunc) (Engine, error) {
 	logf("Starting userspace wireguard engine (FAKE tuntap device).")
 	conf := EngineConfig{
 		Logf:       logf,
@@ -157,6 +165,7 @@ func NewFakeUserspaceEngine(logf logger.Logf, listenPort uint16) (Engine, error)
 		RouterGen:  router.NewFake,
 		ListenPort: listenPort,
 		Fake:       true,
+		FakeImpl:   impl,
 	}
 	return NewUserspaceEngineAdvanced(conf)
 }
@@ -201,23 +210,22 @@ func NewUserspaceEngineAdvanced(conf EngineConfig) (Engine, error) {
 func newUserspaceEngineAdvanced(conf EngineConfig) (_ Engine, reterr error) {
 	logf := conf.Logf

+	rconf := tsdns.ResolverConfig{
+		Logf:    conf.Logf,
+		Forward: true,
+	}
 	e := &userspaceEngine{
 		timeNow:  time.Now,
 		logf:     logf,
 		reqCh:    make(chan struct{}, 1),
 		waitCh:   make(chan struct{}),
 		tundev:   tstun.WrapTUN(logf, conf.TUN),
-		resolver: tsdns.NewResolver(logf, magicDNSDomain),
+		resolver: tsdns.NewResolver(rconf),
 		pingers:  make(map[wgcfg.Key]*pinger),
 	}
 	e.localAddrs.Store(map[packet.IP]bool{})
 	e.linkState, _ = getLinkState()
-
-	// Respond to all pings only in fake mode.
-	if conf.Fake {
-		e.tundev.PostFilterIn = echoRespondToAll
-	}
-	e.tundev.PreFilterOut = e.handleLocalPackets
+	logf("link state: %+v", e.linkState)

 	mon, err := monitor.New(logf, func() { e.LinkChange(false) })
 	if err != nil {
@@ -237,6 +245,7 @@ func newUserspaceEngineAdvanced(conf EngineConfig) (_ Engine, reterr error) {
 		Logf:             logf,
 		Port:             conf.ListenPort,
 		EndpointsFunc:    endpointsFn,
+		DERPActiveFunc:   e.RequestStatus,
 		IdleFunc:         e.tundev.IdleDuration,
 		NoteRecvActivity: e.noteReceiveActivity,
 	}
@@ -246,6 +255,18 @@ func newUserspaceEngineAdvanced(conf EngineConfig) (_ Engine, reterr error) {
 		return nil, fmt.Errorf("wgengine: %v", err)
 	}

+	if conf.Fake {
+		if impl := conf.FakeImpl; impl != nil {
+			if err := impl(logf, e.tundev, e, e.magicConn); err != nil {
+				return nil, err
+			}
+		} else {
+			// Respond to all pings only in fake mode.
+			e.tundev.PostFilterIn = echoRespondToAll
+		}
+	}
+	e.tundev.PreFilterOut = e.handleLocalPackets
+
 	// flags==0 because logf is already nested in another logger.
 	// The outer one can display the preferred log prefixes, etc.
 	dlog := log.New(&Loggify{logf}, "", 0)
@@ -568,7 +589,10 @@ func (e *userspaceEngine) pinger(peerKey wgcfg.Key, ips []wgcfg.IP) {
 	p.run(ctx, peerKey, ips, srcIP)
 }

-var debugTrimWireguard, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_TRIM_WIREGUARD"))
+var (
+	debugTrimWireguardEnv = os.Getenv("TS_DEBUG_TRIM_WIREGUARD")
+	debugTrimWireguard, _ = strconv.ParseBool(debugTrimWireguardEnv)
+)

 // forceFullWireguardConfig reports whether we should give wireguard
 // our full network map, even for inactive peers
@@ -578,9 +602,13 @@ var debugTrimWireguard, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_TRIM_WIREGUARD
 // and we haven't got enough time testing it.
 func forceFullWireguardConfig(numPeers int) bool {
 	// Did the user explicitly enable trimmming via the environment variable knob?
-	if debugTrimWireguard {
-		return false
+	if debugTrimWireguardEnv != "" {
+		return !debugTrimWireguard
 	}
+	if opt := controlclient.TrimWGConfig(); opt != "" {
+		return !opt.EqualBool(true)
+	}
+
 	// On iOS with large networks, it's critical, so turn on trimming.
 	// Otherwise we run out of memory from wireguard-go goroutine stacks+buffers.
 	// This will be the default later for all platforms and network sizes.
@@ -588,7 +616,7 @@ func forceFullWireguardConfig(numPeers int) bool {
 	if iOS && numPeers > 50 {
 		return false
 	}
-	return true
+	return false
 }

 // isTrimmablePeer reports whether p is a peer that we can trim out of the
@@ -626,9 +654,11 @@ func (e *userspaceEngine) noteReceiveActivity(dk tailcfg.DiscoKey) {
 	e.wgLock.Lock()
 	defer e.wgLock.Unlock()

-	was, ok := e.recvActivityAt[dk]
-	if !ok {
+	if _, ok := e.recvActivityAt[dk]; !ok {
 		// Not a trimmable peer we care about tracking. (See isTrimmablePeer)
+		if e.trimmedDisco[dk] {
+			e.logf("wgengine: [unexpected] noteReceiveActivity called on idle discokey %v that's not in recvActivityAt", dk.ShortString())
+		}
 		return
 	}
 	now := e.timeNow()
@@ -640,7 +670,8 @@ func (e *userspaceEngine) noteReceiveActivity(dk tailcfg.DiscoKey) {
 	// lazyPeerIdleThreshold without the divide by 2, but
 	// maybeReconfigWireguardLocked is cheap enough to call every
 	// couple minutes (just not on every packet).
-	if was.IsZero() || now.Sub(was) > lazyPeerIdleThreshold/2 {
+	if e.trimmedDisco[dk] {
+		e.logf("wgengine: idle peer %v now active, reconfiguring wireguard", dk.ShortString())
 		e.maybeReconfigWireguardLocked()
 	}
 }
@@ -708,6 +739,8 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked() error {
 	trackDisco := make([]tailcfg.DiscoKey, 0, len(full.Peers))
 	trackIPs := make([]wgcfg.IP, 0, len(full.Peers))

+	trimmedDisco := map[tailcfg.DiscoKey]bool{} // TODO: don't re-alloc this map each time
+
 	for i := range full.Peers {
 		p := &full.Peers[i]
 		if !isTrimmablePeer(p, len(full.Peers)) {
@@ -720,6 +753,8 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked() error {
 		trackIPs = append(trackIPs, tsIP)
 		if e.isActiveSince(dk, tsIP, activeCutoff) {
 			min.Peers = append(min.Peers, *p)
+		} else {
+			trimmedDisco[dk] = true
 		}
 	}

@@ -728,6 +763,8 @@ func (e *userspaceEngine) maybeReconfigWireguardLocked() error {
 		return nil
 	}

+	e.trimmedDisco = trimmedDisco
+
 	e.updateActivityMapsLocked(trackDisco, trackIPs)

 	e.logf("wgengine: Reconfig: configuring userspace wireguard config (with %d/%d peers)", len(min.Peers), len(full.Peers))
@@ -848,11 +885,16 @@ func (e *userspaceEngine) Reconfig(cfg *wgcfg.Config, routerCfg *router.Config)
 	if routerChanged {
 		if routerCfg.DNS.Proxied {
 			ips := routerCfg.DNS.Nameservers
-			nameservers := make([]string, len(ips))
+			upstreams := make([]net.Addr, len(ips))
 			for i, ip := range ips {
-				nameservers[i] = net.JoinHostPort(ip.String(), "53")
+				stdIP := ip.IPAddr()
+				upstreams[i] = &net.UDPAddr{
+					IP:   stdIP.IP,
+					Port: 53,
+					Zone: stdIP.Zone,
+				}
 			}
-			e.resolver.SetNameservers(nameservers)
+			e.resolver.SetUpstreams(upstreams)
 			routerCfg.DNS.Nameservers = []netaddr.IP{tsaddr.TailscaleServiceIP()}
 		}
 		e.logf("wgengine: Reconfig: configuring router")
@@ -1085,15 +1127,15 @@ func (e *userspaceEngine) Wait() {
 	<-e.waitCh
 }

-func (e *userspaceEngine) setLinkState(st *interfaces.State) (changed bool) {
+func (e *userspaceEngine) setLinkState(st *interfaces.State) (changed bool, cb func(major bool, newState *interfaces.State)) {
 	if st == nil {
-		return false
+		return false, nil
 	}
 	e.mu.Lock()
 	defer e.mu.Unlock()
 	changed = e.linkState == nil || !st.Equal(e.linkState)
 	e.linkState = st
-	return changed
+	return changed, e.linkChangeCallback
 }

 func (e *userspaceEngine) LinkChange(isExpensive bool) {
@@ -1103,9 +1145,13 @@ func (e *userspaceEngine) LinkChange(isExpensive bool) {
 		return
 	}
 	cur.IsExpensive = isExpensive
-	needRebind := e.setLinkState(cur)
+	needRebind, linkChangeCallback := e.setLinkState(cur)

-	e.logf("LinkChange(isExpensive=%v); needsRebind=%v", isExpensive, needRebind)
+	if needRebind {
+		e.logf("LinkChange: major, rebinding. New state: %+v", cur)
+	} else {
+		e.logf("LinkChange: minor")
+	}

 	why := "link-change-minor"
 	if needRebind {
@@ -1113,6 +1159,15 @@ func (e *userspaceEngine) LinkChange(isExpensive bool) {
 		e.magicConn.Rebind()
 	}
 	e.magicConn.ReSTUN(why)
+	if linkChangeCallback != nil {
+		go linkChangeCallback(needRebind, cur)
+	}
+}
+
+func (e *userspaceEngine) SetLinkChangeCallback(cb func(major bool, newState *interfaces.State)) {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+	e.linkChangeCallback = cb
 }

 func getLinkState() (*interfaces.State, error) {
@@ -1157,6 +1212,10 @@ func (e *userspaceEngine) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	e.magicConn.UpdateStatus(sb)
 }

+func (e *userspaceEngine) Ping(ip netaddr.IP, cb func(*ipnstate.PingResult)) {
+	e.magicConn.Ping(ip, cb)
+}
+
 // diagnoseTUNFailure is called if tun.CreateTUN fails, to poke around
 // the system and log some diagnostic info that might help debug why
 // TUN failed. Because TUN's already failed and things the program's
--- a/wgengine/userspace_test.go
+++ b/wgengine/userspace_test.go
@@ -17,7 +17,6 @@ import (

 func TestNoteReceiveActivity(t *testing.T) {
 	now := time.Unix(1, 0)
-	tick := func(d time.Duration) { now = now.Add(d) }
 	var logBuf bytes.Buffer

 	confc := make(chan bool, 1)
@@ -37,6 +36,7 @@ func TestNoteReceiveActivity(t *testing.T) {
 		},
 		tundev:                new(tstun.TUN),
 		testMaybeReconfigHook: func() { confc <- true },
+		trimmedDisco:          map[tailcfg.DiscoKey]bool{},
 	}
 	ra := e.recvActivityAt

@@ -51,7 +51,7 @@ func TestNoteReceiveActivity(t *testing.T) {
 		t.Fatalf("unexpected log write (and thus activity): %s", logBuf.Bytes())
 	}

-	// Now track it and expect updates.
+	// Now track it, but don't mark it trimmed, so shouldn't update.
 	ra[dk] = time.Time{}
 	e.noteReceiveActivity(dk)
 	if len(ra) != 1 {
@@ -60,29 +60,20 @@ func TestNoteReceiveActivity(t *testing.T) {
 	if got := ra[dk]; got != now {
 		t.Fatalf("time in map = %v; want %v", got, now)
 	}
+	if gotConf() {
+		t.Fatalf("unexpected reconfig")
+	}
+
+	// Now mark it trimmed and expect an update.
+	e.trimmedDisco[dk] = true
+	e.noteReceiveActivity(dk)
+	if len(ra) != 1 {
+		t.Fatalf("unexpected growth in map: now has %d keys; want 1", len(ra))
+	}
+	if got := ra[dk]; got != now {
+		t.Fatalf("time in map = %v; want %v", got, now)
+	}
 	if !gotConf() {
 		t.Fatalf("didn't get expected reconfig")
 	}
-
-	// With updates 1 second apart, don't expect a reconfig.
-	for i := 0; i < 300; i++ {
-		tick(time.Second)
-		e.noteReceiveActivity(dk)
-		if len(ra) != 1 {
-			t.Fatalf("map len = %d; want 1", len(ra))
-		}
-		if got := ra[dk]; got != now {
-			t.Fatalf("time in map = %v; want %v", got, now)
-		}
-		if gotConf() {
-			t.Fatalf("unexpected reconfig")
-		}
-	}
-
-	// But if there's a big jump it should get an update.
-	tick(3 * time.Minute)
-	e.noteReceiveActivity(dk)
-	if !gotConf() {
-		t.Fatalf("expected config")
-	}
 }
--- a/wgengine/watchdog.go
+++ b/wgengine/watchdog.go
@@ -13,8 +13,10 @@ import (
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/tailcfg"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -99,6 +101,9 @@ func (e *watchdogEngine) RequestStatus() {
 func (e *watchdogEngine) LinkChange(isExpensive bool) {
 	e.watchdog("LinkChange", func() { e.wrap.LinkChange(isExpensive) })
 }
+func (e *watchdogEngine) SetLinkChangeCallback(cb func(major bool, newState *interfaces.State)) {
+	e.watchdog("SetLinkChangeCallback", func() { e.wrap.SetLinkChangeCallback(cb) })
+}
 func (e *watchdogEngine) SetDERPMap(m *tailcfg.DERPMap) {
 	e.watchdog("SetDERPMap", func() { e.wrap.SetDERPMap(m) })
 }
@@ -109,6 +114,9 @@ func (e *watchdogEngine) DiscoPublicKey() (k tailcfg.DiscoKey) {
 	e.watchdog("DiscoPublicKey", func() { k = e.wrap.DiscoPublicKey() })
 	return k
 }
+func (e *watchdogEngine) Ping(ip netaddr.IP, cb func(*ipnstate.PingResult)) {
+	e.watchdog("Ping", func() { e.wrap.Ping(ip, cb) })
+}
 func (e *watchdogEngine) Close() {
 	e.watchdog("Close", e.wrap.Close)
 }
--- a/wgengine/wgengine.go
+++ b/wgengine/wgengine.go
@@ -9,8 +9,10 @@ import (
 	"time"

 	"github.com/tailscale/wireguard-go/wgcfg"
+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/tailcfg"
 	"tailscale.com/wgengine/filter"
 	"tailscale.com/wgengine/router"
@@ -116,6 +118,10 @@ type Engine interface {
 	// new NetInfo summary is available.
 	SetNetInfoCallback(NetInfoCallback)

+	// SetLinkChangeCallback sets the function to call when the
+	// link state changes.
+	SetLinkChangeCallback(func(major bool, newState *interfaces.State))
+
 	// DiscoPublicKey gets the public key used for path discovery
 	// messages.
 	DiscoPublicKey() tailcfg.DiscoKey
@@ -123,4 +129,8 @@ type Engine interface {
 	// UpdateStatus populates the network state using the provided
 	// status builder.
 	UpdateStatus(*ipnstate.StatusBuilder)
+
+	// Ping is a request to start a discovery ping with the peer handling
+	// the given IP and then call cb with its ping latency & method.
+	Ping(ip netaddr.IP, cb func(*ipnstate.PingResult))
 }