VERSION.txt: this is 1.2.7.

Signed-off-by: David Anderson <danderson@tailscale.com>

.github/workflows/cross-darwin.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-freebsd.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-openbsd.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/cross-windows.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/depaware.yml

@@ -0,0 +1,28 @@
+name: depaware
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.15
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: depaware tailscaled
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+
+    - name: depaware tailscale
+      run: go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale

.github/workflows/license.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
 
     - name: Check out code
       uses: actions/checkout@v1

.github/workflows/linux.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/linux32.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory

.github/workflows/staticcheck.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v1
       with:
-        go-version: 1.14
+        go-version: 1.15
 
     - name: Check out code
       uses: actions/checkout@v1

.github/workflows/windows.yml

@@ -0,0 +1,52 @@
+name: Windows
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    runs-on: windows-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Install Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.15.x
+
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+    - name: Restore Cache
+      uses: actions/cache@v2
+      with:
+        path: ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Test
+      run: go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.gitignore

@@ -1,5 +1,6 @@
 # Binaries for programs and plugins
 *~
+*.tmp
 *.exe
 *.dll
 *.so

Makefile

@@ -1,7 +1,18 @@
 usage:
 	echo "See Makefile"
 
-check: staticcheck
+vet:
+	go vet ./...
+
+updatedeps:
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --update tailscale.com/cmd/tailscale
+
+depaware:
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscaled
+	go run github.com/tailscale/depaware --check tailscale.com/cmd/tailscale
+
+check: staticcheck vet depaware
 
 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

README.md

@@ -30,8 +30,20 @@ wrappers that are not open source.
 go install tailscale.com/cmd/tailscale{,d}
 ```
 
+If you're packaging Tailscale for distribution, use `build_dist.sh`
+instead, to burn commit IDs and version info into the binaries:
+
+```
+./build_dist.sh tailscale.com/cmd/tailscale
+./build_dist.sh tailscale.com/cmd/tailscaled
+```
+
+If your distro has conventions that preclude the use of
+`build_dist.sh`, please do the equivalent of what it does in your
+distro's way, so that bug reports contain useful version information.
+
 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.14) in module mode. It might
+release candidate builds (currently Go 1.15) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.
 

VERSION.txt

@@ -0,0 +1 @@
+1.2.7

build_dist.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+#
+# Runs `go build` with flags configured for binary distribution. All
+# it does differently from `go build` is burn git commit and version
+# information into the binaries, so that we can track down user
+# issues.
+#
+# If you're packaging Tailscale for a distro, please consider using
+# this script, or executing equivalent commands in your
+# distro-specific build system.
+
+set -eu
+
+eval $(./version/version.sh)
+
+exec go build -tags xversion -ldflags "-X tailscale.com/version.Long=${VERSION_LONG} -X tailscale.com/version.Short=${VERSION_SHORT} -X tailscale.com/version.GitCommit=${VERSION_GIT_HASH}" "$@"

cmd/cloner/cloner.go

@@ -33,6 +33,7 @@ var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
 	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
+	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
 
 func main() {
@@ -86,8 +87,8 @@ func main() {
 					}
 					pkg := typeNameObj.Pkg()
 					gen(buf, imports, typeName, typ, pkg)
+					found = true
 				}
-				found = true
 			}
 		}
 		if !found {
@@ -95,6 +96,31 @@ func main() {
 		}
 	}
 
+	w := func(format string, args ...interface{}) {
+		fmt.Fprintf(buf, format+"\n", args...)
+	}
+	if *flagCloneFunc {
+		w("// Clone duplicates src into dst and reports whether it succeeded.")
+		w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
+		w("// where T is one of %s.", *flagTypes)
+		w("func Clone(dst, src interface{}) bool {")
+		w("	switch src := src.(type) {")
+		for _, typeName := range typeNames {
+			w("	case *%s:", typeName)
+			w("		switch dst := dst.(type) {")
+			w("		case *%s:", typeName)
+			w("			*dst = *src.Clone()")
+			w("			return true")
+			w("		case **%s:", typeName)
+			w("			*dst = src.Clone()")
+			w("			return true")
+			w("		}")
+		}
+		w("	}")
+		w("	return false")
+		w("}")
+	}
+
 	contents := new(bytes.Buffer)
 	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
 	fmt.Fprintf(contents, "import (\n")
@@ -143,7 +169,19 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 
 	switch t := typ.Underlying().(type) {
 	case *types.Struct:
-		_ = t
+		// We generate two bits of code simultaneously while we walk the struct.
+		// One is the Clone method itself, which we write directly to buf.
+		// The other is a variable assignment that will fail if the struct
+		// changes without the Clone method getting regenerated.
+		// We write that to regenBuf, and then append it to buf at the end.
+		regenBuf := new(bytes.Buffer)
+		writeRegen := func(format string, args ...interface{}) {
+			fmt.Fprintf(regenBuf, format+"\n", args...)
+		}
+		writeRegen("// A compilation failure here means this code must be regenerated, with command:")
+		writeRegen("//   tailscale.com/cmd/cloner -type %s", *flagTypes)
+		writeRegen("var _%sNeedsRegeneration = %s(struct {", name, name)
+
 		name := typ.Obj().Name()
 		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
 		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
@@ -159,6 +197,9 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		for i := 0; i < t.NumFields(); i++ {
 			fname := t.Field(i).Name()
 			ft := t.Field(i).Type()
+
+			writeRegen("\t%s %s", fname, importedName(ft))
+
 			if !containsPointers(ft) {
 				continue
 			}
@@ -220,6 +261,10 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types
 		}
 		writef("return dst")
 		fmt.Fprintf(buf, "}\n\n")
+
+		writeRegen("}{})\n")
+
+		buf.Write(regenBuf.Bytes())
 	}
 }
 

cmd/derper/derper.go

@@ -7,11 +7,13 @@ package main // import "tailscale.com/cmd/derper"
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"flag"
 	"fmt"
+	"html"
 	"io"
 	"io/ioutil"
 	"log"
@@ -61,7 +63,7 @@ func loadConfig() config {
 	}
 	b, err := ioutil.ReadFile(*configPath)
 	switch {
-	case os.IsNotExist(err):
+	case errors.Is(err, os.ErrNotExist):
 		return writeNewConfig()
 	case err != nil:
 		log.Fatal(err)
@@ -185,6 +187,15 @@ func main() {
 			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
+		letsEncryptGetCert := httpsrv.TLSConfig.GetCertificate
+		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			cert, err := letsEncryptGetCert(hi)
+			if err != nil {
+				return nil, err
+			}
+			cert.Certificate = append(cert.Certificate, s.MetaCert())
+			return cert, nil
+		}
 		go func() {
 			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
@@ -219,10 +230,10 @@ func debugHandler(s *derp.Server) http.Handler {
 <h1>DERP debug</h1>
 <ul>
 `)
-		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+		f("<li><b>Hostname:</b> %v</li>\n", html.EscapeString(*hostname))
 		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
 		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
-		f("<li><b>Version:</b> %v</li>\n", version.LONG)
+		f("<li><b>Version:</b> %v</li>\n", html.EscapeString(version.Long))
 
 		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
    <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>

cmd/microproxy/microproxy.go

@@ -19,6 +19,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
@@ -33,6 +34,7 @@ var (
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
 	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
 	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+	insecure      = flag.Bool("insecure", false, "serve over http, for development")
 )
 
 func main() {
@@ -65,12 +67,15 @@ func main() {
 	httpsrv := &http.Server{
 		Addr:    *addr,
 		Handler: mux,
-		TLSConfig: &tls.Config{
-			GetCertificate: ch.GetCertificate,
-		},
 	}
 
-	if err := httpsrv.ListenAndServeTLS("", ""); err != nil && err != http.ErrServerClosed {
+	if !*insecure {
+		httpsrv.TLSConfig = &tls.Config{GetCertificate: ch.GetCertificate}
+		err = httpsrv.ListenAndServeTLS("", "")
+	} else {
+		err = httpsrv.ListenAndServe()
+	}
+	if err != nil && err != http.ErrServerClosed {
 		log.Fatal(err)
 	}
 }
@@ -88,7 +93,16 @@ func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
 		case map[string]interface{}:
 			promPrint(w, k, v)
 		case float64:
-			fmt.Fprintf(w, "%s %f\n", k, v)
+			const saveConfigReject = "control_save_config_rejected_"
+			const saveConfig = "control_save_config_"
+			switch {
+			case strings.HasPrefix(k, saveConfigReject):
+				fmt.Fprintf(w, "control_save_config_rejected{reason=%q} %f\n", k[len(saveConfigReject):], v)
+			case strings.HasPrefix(k, saveConfig):
+				fmt.Fprintf(w, "control_save_config{reason=%q} %f\n", k[len(saveConfig):], v)
+			default:
+				fmt.Fprintf(w, "%s %f\n", k, v)
+			}
 		default:
 			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
 		}

cmd/tailscale/cli/cli.go

@@ -31,7 +31,8 @@ func ActLikeCLI() bool {
 		return false
 	}
 	switch os.Args[1] {
-	case "up", "status", "netcheck", "version",
+	case "up", "down", "status", "netcheck", "ping", "version",
+		"debug",
 		"-V", "--version", "-h", "--help":
 		return true
 	}
@@ -57,14 +58,21 @@ change in the future.
 `),
 		Subcommands: []*ffcli.Command{
 			upCmd,
+			downCmd,
 			netcheckCmd,
 			statusCmd,
+			pingCmd,
 			versionCmd,
 		},
 		FlagSet: rootfs,
 		Exec:    func(context.Context, []string) error { return flag.ErrHelp },
 	}
 
+	// Don't advertise the debug command, but it exists.
+	if strSliceContains(args, "debug") {
+		rootCmd.Subcommands = append(rootCmd.Subcommands, debugCmd)
+	}
+
 	if err := rootCmd.Parse(args); err != nil {
 		return err
 	}
@@ -126,3 +134,12 @@ func pump(ctx context.Context, bc *ipn.BackendClient, conn net.Conn) {
 		bc.GotNotifyMsg(msg)
 	}
 }
+
+func strSliceContains(ss []string, s string) bool {
+	for _, v := range ss {
+		if v == s {
+			return true
+		}
+	}
+	return false
+}

cmd/tailscale/cli/debug.go

@@ -0,0 +1,175 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net/http"
+	"net/http/httptrace"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/derp/derphttp"
+	"tailscale.com/derp/derpmap"
+	"tailscale.com/net/interfaces"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine/monitor"
+)
+
+var debugCmd = &ffcli.Command{
+	Name: "debug",
+	Exec: runDebug,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("debug", flag.ExitOnError)
+		fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
+		fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
+		fs.StringVar(&debugArgs.derpCheck, "derp", "", "if non-empty, test a DERP ping via named region code")
+		return fs
+	})(),
+}
+
+var debugArgs struct {
+	monitor   bool
+	getURL    string
+	derpCheck string
+}
+
+func runDebug(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		return errors.New("unknown arguments")
+	}
+	if debugArgs.derpCheck != "" {
+		return checkDerp(ctx, debugArgs.derpCheck)
+	}
+	if debugArgs.monitor {
+		return runMonitor(ctx)
+	}
+	if debugArgs.getURL != "" {
+		return getURL(ctx, debugArgs.getURL)
+	}
+	return errors.New("only --monitor is available at the moment")
+}
+
+func runMonitor(ctx context.Context) error {
+	dump := func() {
+		st, err := interfaces.GetState()
+		if err != nil {
+			log.Printf("error getting state: %v", err)
+			return
+		}
+		j, _ := json.MarshalIndent(st, "", "    ")
+		os.Stderr.Write(j)
+	}
+	mon, err := monitor.New(log.Printf, func() {
+		log.Printf("Link monitor fired. State:")
+		dump()
+	})
+	if err != nil {
+		return err
+	}
+	log.Printf("Starting link change monitor; initial state:")
+	dump()
+	mon.Start()
+	log.Printf("Started link change monitor; waiting...")
+	select {}
+}
+
+func getURL(ctx context.Context, urlStr string) error {
+	if urlStr == "login" {
+		urlStr = "https://login.tailscale.com"
+	}
+	log.SetOutput(os.Stdout)
+	ctx = httptrace.WithClientTrace(ctx, &httptrace.ClientTrace{
+		GetConn:           func(hostPort string) { log.Printf("GetConn(%q)", hostPort) },
+		GotConn:           func(info httptrace.GotConnInfo) { log.Printf("GotConn: %+v", info) },
+		DNSStart:          func(info httptrace.DNSStartInfo) { log.Printf("DNSStart: %+v", info) },
+		DNSDone:           func(info httptrace.DNSDoneInfo) { log.Printf("DNSDoneInfo: %+v", info) },
+		TLSHandshakeStart: func() { log.Printf("TLSHandshakeStart") },
+		TLSHandshakeDone:  func(cs tls.ConnectionState, err error) { log.Printf("TLSHandshakeDone: %+v, %v", cs, err) },
+		WroteRequest:      func(info httptrace.WroteRequestInfo) { log.Printf("WroteRequest: %+v", info) },
+	})
+	req, err := http.NewRequestWithContext(ctx, "GET", urlStr, nil)
+	if err != nil {
+		return fmt.Errorf("http.NewRequestWithContext: %v", err)
+	}
+	proxyURL, err := tshttpproxy.ProxyFromEnvironment(req)
+	if err != nil {
+		return fmt.Errorf("tshttpproxy.ProxyFromEnvironment: %v", err)
+	}
+	log.Printf("proxy: %v", proxyURL)
+	tr := &http.Transport{
+		Proxy:              func(*http.Request) (*url.URL, error) { return proxyURL, nil },
+		ProxyConnectHeader: http.Header{},
+		DisableKeepAlives:  true,
+	}
+	if proxyURL != nil {
+		auth, err := tshttpproxy.GetAuthHeader(proxyURL)
+		if err == nil && auth != "" {
+			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
+		}
+		const truncLen = 20
+		if len(auth) > truncLen {
+			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
+		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
+	}
+	res, err := tr.RoundTrip(req)
+	if err != nil {
+		return fmt.Errorf("Transport.RoundTrip: %v", err)
+	}
+	defer res.Body.Close()
+	return res.Write(os.Stdout)
+}
+
+func checkDerp(ctx context.Context, derpRegion string) error {
+	dmap := derpmap.Prod()
+	getRegion := func() *tailcfg.DERPRegion {
+		for _, r := range dmap.Regions {
+			if r.RegionCode == derpRegion {
+				return r
+			}
+		}
+		for _, r := range dmap.Regions {
+			log.Printf("Known region: %q", r.RegionCode)
+		}
+		log.Fatalf("unknown region %q", derpRegion)
+		panic("unreachable")
+	}
+
+	priv1 := key.NewPrivate()
+	priv2 := key.NewPrivate()
+
+	c1 := derphttp.NewRegionClient(priv1, log.Printf, getRegion)
+	c2 := derphttp.NewRegionClient(priv2, log.Printf, getRegion)
+
+	c2.NotePreferred(true) // just to open it
+
+	m, err := c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+
+	t0 := time.Now()
+	if err := c1.Send(priv2.Public(), []byte("hello")); err != nil {
+		return err
+	}
+	fmt.Println(time.Since(t0))
+
+	m, err = c2.Recv()
+	log.Printf("c2 got %T, %v", m, err)
+	if err != nil {
+		return err
+	}
+	log.Printf("ok")
+	return err
+}

cmd/tailscale/cli/down.go

@@ -0,0 +1,66 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"log"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+)
+
+var downCmd = &ffcli.Command{
+	Name:       "down",
+	ShortUsage: "down",
+	ShortHelp:  "Disconnect from Tailscale",
+
+	Exec: runDown,
+}
+
+func runDown(ctx context.Context, args []string) error {
+	if len(args) > 0 {
+		log.Fatalf("too many non-flag arguments: %q", args)
+	}
+
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	timer := time.AfterFunc(5*time.Second, func() {
+		log.Fatalf("timeout running stop")
+	})
+	defer timer.Stop()
+
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if n.Status != nil {
+			cur := n.Status.BackendState
+			switch cur {
+			case "Stopped":
+				log.Printf("already stopped")
+				cancel()
+			default:
+				log.Printf("was in state %q", cur)
+			}
+			return
+		}
+		if n.State != nil {
+			log.Printf("now in state %q", *n.State)
+			if *n.State == ipn.Stopped {
+				cancel()
+			}
+			return
+		}
+	})
+
+	bc.RequestStatus()
+	bc.SetWantRunning(false)
+	pump(ctx, bc, c)
+
+	return nil
+}

cmd/tailscale/cli/netcheck.go

@@ -125,20 +125,35 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	if len(report.RegionLatency) == 0 {
 		fmt.Printf("\t* Nearest DERP: unknown (no response to latency probes)\n")
 	} else {
-		fmt.Printf("\t* Nearest DERP: %v (%v)\n", report.PreferredDERP, dm.Regions[report.PreferredDERP].RegionCode)
+		fmt.Printf("\t* Nearest DERP: %v\n", dm.Regions[report.PreferredDERP].RegionName)
 		fmt.Printf("\t* DERP latency:\n")
 		var rids []int
 		for rid := range dm.Regions {
 			rids = append(rids, rid)
 		}
-		sort.Ints(rids)
+		sort.Slice(rids, func(i, j int) bool {
+			l1, ok1 := report.RegionLatency[rids[i]]
+			l2, ok2 := report.RegionLatency[rids[j]]
+			if ok1 != ok2 {
+				return ok1 // defined things sort first
+			}
+			if !ok1 {
+				return rids[i] < rids[j]
+			}
+			return l1 < l2
+		})
 		for _, rid := range rids {
 			d, ok := report.RegionLatency[rid]
 			var latency string
 			if ok {
 				latency = d.Round(time.Millisecond / 10).String()
 			}
-			fmt.Printf("\t\t- %v, %3s = %s\n", rid, dm.Regions[rid].RegionCode, latency)
+			r := dm.Regions[rid]
+			var derpNum string
+			if netcheckArgs.verbose {
+				derpNum = fmt.Sprintf("derp%d, ", rid)
+			}
+			fmt.Printf("\t\t- %3s: %-7s (%s%s)\n", r.RegionCode, latency, derpNum, r.RegionName)
 		}
 	}
 	return nil

cmd/tailscale/cli/ping.go

@@ -0,0 +1,130 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package cli
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"log"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/peterbourgon/ff/v2/ffcli"
+	"tailscale.com/ipn"
+	"tailscale.com/ipn/ipnstate"
+)
+
+var pingCmd = &ffcli.Command{
+	Name:       "ping",
+	ShortUsage: "ping <hostname-or-IP>",
+	ShortHelp:  "Ping a host at the Tailscale layer, see how it routed",
+	LongHelp: strings.TrimSpace(`
+
+The 'tailscale ping' command pings a peer node at the Tailscale layer
+and reports which route it took for each response. The first ping or
+so will likely go over DERP (Tailscale's TCP relay protocol) while NAT
+traversal finds a direct path through.
+
+If 'tailscale ping' works but a normal ping does not, that means one
+side's operating system firewall is blocking packets; 'tailscale ping'
+does not inject packets into either side's TUN devices.
+
+By default, 'tailscale ping' stops after 10 pings or once a direct
+(non-DERP) path has been established, whichever comes first.
+
+The provided hostname must resolve to or be a Tailscale IP
+(e.g. 100.x.y.z) or a subnet IP advertised by a Tailscale
+relay node.
+
+`),
+	Exec: runPing,
+	FlagSet: (func() *flag.FlagSet {
+		fs := flag.NewFlagSet("ping", flag.ExitOnError)
+		fs.BoolVar(&pingArgs.verbose, "verbose", false, "verbose output")
+		fs.BoolVar(&pingArgs.untilDirect, "until-direct", true, "stop once a direct path is established")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
+		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
+		return fs
+	})(),
+}
+
+var pingArgs struct {
+	num         int
+	untilDirect bool
+	verbose     bool
+	timeout     time.Duration
+}
+
+func runPing(ctx context.Context, args []string) error {
+	c, bc, ctx, cancel := connect(ctx)
+	defer cancel()
+
+	if len(args) != 1 {
+		return errors.New("usage: ping <hostname-or-IP>")
+	}
+	hostOrIP := args[0]
+	var ip string
+	var res net.Resolver
+	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
+		return fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
+	} else if len(addrs) == 0 {
+		return fmt.Errorf("no IPs found for %q", hostOrIP)
+	} else {
+		ip = addrs[0]
+	}
+	if pingArgs.verbose && ip != hostOrIP {
+		log.Printf("lookup %q => %q", hostOrIP, ip)
+	}
+
+	ch := make(chan *ipnstate.PingResult, 1)
+	bc.SetNotifyCallback(func(n ipn.Notify) {
+		if n.ErrMessage != nil {
+			log.Fatal(*n.ErrMessage)
+		}
+		if pr := n.PingResult; pr != nil && pr.IP == ip {
+			ch <- pr
+		}
+	})
+	go pump(ctx, bc, c)
+
+	n := 0
+	anyPong := false
+	for {
+		n++
+		bc.Ping(ip)
+		timer := time.NewTimer(pingArgs.timeout)
+		select {
+		case <-timer.C:
+			fmt.Printf("timeout waiting for ping reply\n")
+		case pr := <-ch:
+			timer.Stop()
+			if pr.Err != "" {
+				return errors.New(pr.Err)
+			}
+			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
+			via := pr.Endpoint
+			if pr.DERPRegionID != 0 {
+				via = fmt.Sprintf("DERP(%s)", pr.DERPRegionCode)
+			}
+			anyPong = true
+			fmt.Printf("pong from %s (%s) via %v in %v\n", pr.NodeName, pr.NodeIP, via, latency)
+			if pr.Endpoint != "" && pingArgs.untilDirect {
+				return nil
+			}
+			time.Sleep(time.Second)
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+		if n == pingArgs.num {
+			if !anyPong {
+				return errors.New("no reply")
+			}
+			return nil
+		}
+	}
+}

cmd/tailscale/cli/status.go

@@ -33,6 +33,7 @@ var statusCmd = &ffcli.Command{
 		fs.BoolVar(&statusArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		fs.BoolVar(&statusArgs.web, "web", false, "run webserver with HTML showing status")
 		fs.BoolVar(&statusArgs.active, "active", false, "filter output to only peers with active sessions (not applicable to web mode)")
+		fs.BoolVar(&statusArgs.self, "self", true, "show status of local machine")
 		fs.StringVar(&statusArgs.listen, "listen", "127.0.0.1:8384", "listen address; use port 0 for automatic")
 		fs.BoolVar(&statusArgs.browser, "browser", true, "Open a browser in web mode")
 		return fs
@@ -45,6 +46,7 @@ var statusArgs struct {
 	listen  string // in web mode, webserver address to listen on, empty means auto
 	browser bool   // in web mode, whether to open browser
 	active  bool   // in CLI mode, filter output to only peers with active sessions
+	self    bool   // in CLI mode, show status of local machine
 }
 
 func runStatus(ctx context.Context, args []string) error {
@@ -125,16 +127,17 @@ func runStatus(ctx context.Context, args []string) error {
 		return err
 	}
 
+	if st.BackendState == ipn.Stopped.String() {
+		fmt.Println("Tailscale is stopped.")
+		os.Exit(1)
+	}
+
 	var buf bytes.Buffer
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
-	for _, peer := range st.Peers() {
-		ps := st.Peer[peer]
+	printPS := func(ps *ipnstate.PeerStatus) {
 		active := peerActive(ps)
-		if statusArgs.active && !active {
-			continue
-		}
 		f("%s %-7s %-15s %-18s tx=%8d rx=%8d ",
-			peer.ShortString(),
+			ps.PublicKey.ShortString(),
 			ps.OS,
 			ps.TailAddr,
 			ps.SimpleHostName(),
@@ -160,6 +163,18 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 		f("\n")
 	}
+
+	if statusArgs.self && st.Self != nil {
+		printPS(st.Self)
+	}
+	for _, peer := range st.Peers() {
+		ps := st.Peer[peer]
+		active := peerActive(ps)
+		if statusArgs.active && !active {
+			continue
+		}
+		printPS(ps)
+	}
 	os.Stdout.Write(buf.Bytes())
 	return nil
 }

cmd/tailscale/cli/up.go

@@ -7,6 +7,7 @@ package cli
 import (
 	"bytes"
 	"context"
+	"errors"
 	"flag"
 	"fmt"
 	"log"
@@ -15,6 +16,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 
 	"github.com/peterbourgon/ff/v2/ffcli"
 	"github.com/tailscale/wireguard-go/wgcfg"
@@ -22,18 +24,10 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
 	"tailscale.com/version"
+	"tailscale.com/version/distro"
 	"tailscale.com/wgengine/router"
 )
 
-// globalStateKey is the ipn.StateKey that tailscaled loads on
-// startup.
-//
-// We have to support multiple state keys for other OSes (Windows in
-// particular), but right now Unix daemons run with a single
-// node-global state. To keep open the option of having per-user state
-// later, the global state key doesn't look like a username.
-const globalStateKey = "_daemon"
-
 var upCmd = &ffcli.Command{
 	Name:       "up",
 	ShortUsage: "up [flags]",
@@ -53,31 +47,38 @@ specify any flags, options are reset to their default.
 		upf.BoolVar(&upArgs.acceptDNS, "accept-dns", true, "accept DNS configuration from the admin panel")
 		upf.BoolVar(&upArgs.singleRoutes, "host-routes", true, "install host routes to other Tailscale nodes")
 		upf.BoolVar(&upArgs.shieldsUp, "shields-up", false, "don't allow incoming connections")
+		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication")
 		upf.StringVar(&upArgs.advertiseTags, "advertise-tags", "", "ACL tags to request (comma-separated, e.g. eng,montreal,ssh)")
 		upf.StringVar(&upArgs.authKey, "authkey", "", "node authorization key")
 		upf.StringVar(&upArgs.hostname, "hostname", "", "hostname to use instead of the one provided by the OS")
-		upf.BoolVar(&upArgs.enableDERP, "enable-derp", true, "enable the use of DERP servers")
 		if runtime.GOOS == "linux" || isBSD(runtime.GOOS) || version.OS() == "macOS" {
 			upf.StringVar(&upArgs.advertiseRoutes, "advertise-routes", "", "routes to advertise to other nodes (comma-separated, e.g. 10.0.0.0/8,192.168.0.0/24)")
 		}
 		if runtime.GOOS == "linux" {
-			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with -advertise-routes")
-			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", "on", "netfilter mode (one of on, nodivert, off)")
+			upf.BoolVar(&upArgs.snat, "snat-subnet-routes", true, "source NAT traffic to local routes advertised with --advertise-routes")
+			upf.StringVar(&upArgs.netfilterMode, "netfilter-mode", defaultNetfilterMode(), "netfilter mode (one of on, nodivert, off)")
 		}
 		return upf
 	})(),
 	Exec: runUp,
 }
 
+func defaultNetfilterMode() string {
+	if distro.Get() == distro.Synology {
+		return "off"
+	}
+	return "on"
+}
+
 var upArgs struct {
 	server          string
 	acceptRoutes    bool
 	acceptDNS       bool
 	singleRoutes    bool
 	shieldsUp       bool
+	forceReauth     bool
 	advertiseRoutes string
 	advertiseTags   string
-	enableDERP      bool
 	snat            bool
 	netfilterMode   string
 	authKey         string
@@ -148,6 +149,19 @@ func runUp(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}
 
+	if distro.Get() == distro.Synology {
+		notSupported := "not yet supported on Synology; see https://github.com/tailscale/tailscale/issues/451"
+		if upArgs.advertiseRoutes != "" {
+			return errors.New("--advertise-routes is " + notSupported)
+		}
+		if upArgs.acceptRoutes {
+			return errors.New("--accept-routes is " + notSupported)
+		}
+		if upArgs.netfilterMode != "off" {
+			return errors.New("--netfilter-mode values besides \"off\" " + notSupported)
+		}
+	}
+
 	var routes []wgcfg.CIDR
 	if upArgs.advertiseRoutes != "" {
 		advroutes := strings.Split(upArgs.advertiseRoutes, ",")
@@ -181,7 +195,6 @@ func runUp(ctx context.Context, args []string) error {
 	}
 
 	// TODO(apenwarr): fix different semantics between prefs and uflags
-	// TODO(apenwarr): allow setting/using CorpDNS
 	prefs := ipn.NewPrefs()
 	prefs.ControlURL = upArgs.server
 	prefs.WantRunning = true
@@ -192,8 +205,9 @@ func runUp(ctx context.Context, args []string) error {
 	prefs.AdvertiseRoutes = routes
 	prefs.AdvertiseTags = tags
 	prefs.NoSNAT = !upArgs.snat
-	prefs.DisableDERP = !upArgs.enableDERP
 	prefs.Hostname = upArgs.hostname
+	prefs.ForceDaemon = (runtime.GOOS == "windows")
+
 	if runtime.GOOS == "linux" {
 		switch upArgs.netfilterMode {
 		case "on":
@@ -213,10 +227,13 @@ func runUp(ctx context.Context, args []string) error {
 	defer cancel()
 
 	var printed bool
+	var loginOnce sync.Once
+	startLoginInteractive := func() { loginOnce.Do(func() { bc.StartLoginInteractive() }) }
 
 	bc.SetPrefs(prefs)
+
 	opts := ipn.Options{
-		StateKey: globalStateKey,
+		StateKey: ipn.GlobalDaemonStateKey,
 		AuthKey:  upArgs.authKey,
 		Notify: func(n ipn.Notify) {
 			if n.ErrMessage != nil {
@@ -226,7 +243,7 @@ func runUp(ctx context.Context, args []string) error {
 				switch *s {
 				case ipn.NeedsLogin:
 					printed = true
-					bc.StartLoginInteractive()
+					startLoginInteractive()
 				case ipn.NeedsMachineAuth:
 					printed = true
 					fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s/admin/machines\n\n", upArgs.server)
@@ -244,6 +261,22 @@ func runUp(ctx context.Context, args []string) error {
 			}
 		},
 	}
+
+	// On Windows, we still run in mostly the "legacy" way that
+	// predated the server's StateStore. That is, we send an empty
+	// StateKey and send the prefs directly. Although the Windows
+	// supports server mode, though, the transition to StateStore
+	// is only half complete. Only server mode uses it, and the
+	// Windows service (~tailscaled) is the one that computes the
+	// StateKey based on the connection idenity. So for now, just
+	// do as the Windows GUI's always done:
+	if runtime.GOOS == "windows" {
+		// The Windows service will set this as needed based
+		// on our connection's identity.
+		opts.StateKey = ""
+		opts.Prefs = prefs
+	}
+
 	// We still have to Start right now because it's the only way to
 	// set up notifications and whatnot. This causes a bunch of churn
 	// every time the CLI touches anything.
@@ -252,6 +285,10 @@ func runUp(ctx context.Context, args []string) error {
 	// ephemeral frontends that read/modify/write state, once
 	// Windows/Mac state is moved into backend.
 	bc.Start(opts)
+	if upArgs.forceReauth {
+		printed = true
+		startLoginInteractive()
+	}
 	pump(ctx, bc, c)
 
 	return nil

cmd/tailscale/cli/version.go

@@ -36,10 +36,11 @@ func runVersion(ctx context.Context, args []string) error {
 		log.Fatalf("too many non-flag arguments: %q", args)
 	}
 	if !versionArgs.daemon {
-		fmt.Println(version.LONG)
+		fmt.Println(version.String())
 		return nil
 	}
-	fmt.Printf("Client: %s\n", version.LONG)
+
+	fmt.Printf("Client: %s\n", version.String())
 
 	c, bc, ctx, cancel := connect(ctx)
 	defer cancel()

cmd/tailscale/depaware.txt

@@ -0,0 +1,211 @@
+tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/depaware)
+
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscale
+   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+  LW    github.com/go-multierror/multierror                          from tailscale.com/wgengine/router
+   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
+   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
+        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
+   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
+        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
+        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
+     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
+        tailscale.com/control/controlclient                          from tailscale.com/ipn+
+        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
+        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/derp/derpmap                                   from tailscale.com/cmd/tailscale/cli
+        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
+        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/ipn/policy                                     from tailscale.com/ipn
+        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/dnscache                                   from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
+        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli
+        tailscale.com/portlist                                       from tailscale.com/ipn
+        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli
+     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
+  DW    tailscale.com/tempfork/osexec                                from tailscale.com/portlist
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
+        tailscale.com/types/key                                      from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/strbuilder                               from tailscale.com/wgengine/packet
+        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+        tailscale.com/version                                        from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/wgengine                                       from tailscale.com/ipn
+        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/wgengine
+     💣 tailscale.com/wgengine/monitor                               from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/wgengine/packet                                from tailscale.com/wgengine+
+        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscale/cli+
+     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
+        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
+   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
+   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun+
+        golang.org/x/time/rate                                       from tailscale.com/types/logger+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from net/http+
+        compress/zlib                                                from debug/elf+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/derp+
+        flag                                                         from github.com/peterbourgon/ff/v2+
+        fmt                                                          from compress/flate+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from tailscale.com/wgengine/magicsock
+        html                                                         from tailscale.com/ipn/ipnstate
+        io                                                           from bufio+
+        io/ioutil                                                    from crypto/tls+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from golang.org/x/oauth2/internal+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
+        net/http/internal                                            from net/http
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/signal                                                    from tailscale.com/cmd/tailscale/cli
+   L    os/user                                                      from github.com/godbus/dbus/v5
+        path                                                         from debug/dwarf+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp/syntax                                                from regexp
+        runtime/pprof                                                from tailscale.com/log/logheap+
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from github.com/peterbourgon/ff/v2/ffcli+
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from encoding/asn1+
+        unicode/utf8                                                 from bufio+

cmd/tailscaled/depaware.txt

@@ -0,0 +1,227 @@
+tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/depaware)
+
+   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate
+   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
+        github.com/apenwarr/fixconsole                               from tailscale.com/cmd/tailscaled
+   W 💣 github.com/apenwarr/w32                                      from github.com/apenwarr/fixconsole
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
+  LW    github.com/go-multierror/multierror                          from tailscale.com/wgengine/router
+   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
+   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
+   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/wgengine/router/dns
+        github.com/golang/groupcache/lru                             from tailscale.com/wgengine/filter+
+   L    github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
+   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
+        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
+        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/snappy                         from github.com/klauspost/compress/zstd
+        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
+        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
+   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
+   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
+     💣 github.com/tailscale/wireguard-go/conn                       from github.com/tailscale/wireguard-go/device+
+     💣 github.com/tailscale/wireguard-go/device                     from tailscale.com/wgengine+
+        github.com/tailscale/wireguard-go/device/tokenbucket         from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/ipc                        from github.com/tailscale/wireguard-go/device
+   W 💣 github.com/tailscale/wireguard-go/ipc/winpipe                from github.com/tailscale/wireguard-go/ipc
+        github.com/tailscale/wireguard-go/ratelimiter                from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/replay                     from github.com/tailscale/wireguard-go/device
+        github.com/tailscale/wireguard-go/rwcancel                   from github.com/tailscale/wireguard-go/device+
+        github.com/tailscale/wireguard-go/tai64n                     from github.com/tailscale/wireguard-go/device
+     💣 github.com/tailscale/wireguard-go/tun                        from github.com/tailscale/wireguard-go/device+
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun                 from github.com/tailscale/wireguard-go/tun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/iphlpapi        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/namespaceapi    from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/nci             from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/registry        from github.com/tailscale/wireguard-go/tun/wintun
+   W 💣 github.com/tailscale/wireguard-go/tun/wintun/setupapi        from github.com/tailscale/wireguard-go/tun/wintun
+        github.com/tailscale/wireguard-go/wgcfg                      from github.com/tailscale/wireguard-go/conn+
+        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
+     💣 go4.org/mem                                                  from tailscale.com/control/controlclient+
+   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
+        inet.af/netaddr                                              from tailscale.com/control/controlclient+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        tailscale.com/control/controlclient                          from tailscale.com/ipn+
+        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
+        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
+        tailscale.com/disco                                          from tailscale.com/derp+
+        tailscale.com/internal/deepprint                             from tailscale.com/ipn+
+        tailscale.com/ipn                                            from tailscale.com/ipn/ipnserver
+        tailscale.com/ipn/ipnserver                                  from tailscale.com/cmd/tailscaled
+        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
+        tailscale.com/ipn/policy                                     from tailscale.com/ipn
+        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
+        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
+        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
+        tailscale.com/logtail                                        from tailscale.com/logpolicy
+        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
+        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
+        tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
+     💣 tailscale.com/net/interfaces                                 from tailscale.com/ipn+
+        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
+        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
+     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
+        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
+        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
+        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
+     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
+        tailscale.com/portlist                                       from tailscale.com/ipn
+        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver
+        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
+     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
+  DW    tailscale.com/tempfork/osexec                                from tailscale.com/portlist
+   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
+        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
+        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
+        tailscale.com/types/key                                      from tailscale.com/derp+
+        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscaled+
+        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
+        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
+        tailscale.com/types/strbuilder                               from tailscale.com/wgengine/packet
+        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
+   W    tailscale.com/util/endian                                    from tailscale.com/net/netns+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
+        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
+        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
+        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
+        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
+        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
+        tailscale.com/wgengine/magicsock                             from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/wgengine/monitor                               from tailscale.com/wgengine
+        tailscale.com/wgengine/packet                                from tailscale.com/wgengine+
+        tailscale.com/wgengine/router                                from tailscale.com/cmd/tailscaled+
+     💣 tailscale.com/wgengine/router/dns                            from tailscale.com/ipn+
+        tailscale.com/wgengine/tsdns                                 from tailscale.com/ipn+
+        tailscale.com/wgengine/tstun                                 from tailscale.com/wgengine
+   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
+        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
+        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
+        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
+        golang.org/x/crypto/curve25519                               from crypto/tls+
+        golang.org/x/crypto/hkdf                                     from crypto/tls
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
+        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
+        golang.org/x/crypto/poly1305                                 from github.com/tailscale/wireguard-go/device+
+        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
+        golang.org/x/crypto/ssh/terminal                             from tailscale.com/logpolicy
+        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
+        golang.org/x/net/context/ctxhttp                             from golang.org/x/oauth2/internal
+        golang.org/x/net/dns/dnsmessage                              from net+
+        golang.org/x/net/http/httpguts                               from net/http
+        golang.org/x/net/http/httpproxy                              from net/http
+        golang.org/x/net/http2/hpack                                 from net/http
+        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
+        golang.org/x/net/ipv4                                        from github.com/tailscale/wireguard-go/device
+        golang.org/x/net/ipv6                                        from github.com/tailscale/wireguard-go/device+
+        golang.org/x/net/proxy                                       from tailscale.com/net/netns
+   D    golang.org/x/net/route                                       from net
+        golang.org/x/oauth2                                          from tailscale.com/control/controlclient+
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2
+        golang.org/x/sync/errgroup                                   from tailscale.com/derp
+        golang.org/x/sync/singleflight                               from tailscale.com/net/dnscache
+        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
+  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
+   W    golang.org/x/sys/windows                                     from github.com/apenwarr/fixconsole+
+   W    golang.org/x/sys/windows/registry                            from github.com/tailscale/wireguard-go/tun/wintun+
+        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
+        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
+        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
+        golang.org/x/text/unicode/norm                               from github.com/tailscale/wireguard-go/tun/wintun+
+        golang.org/x/time/rate                                       from tailscale.com/types/logger+
+        bufio                                                        from compress/flate+
+        bytes                                                        from bufio+
+        compress/flate                                               from compress/gzip+
+        compress/gzip                                                from internal/profile+
+        compress/zlib                                                from debug/elf+
+        container/list                                               from crypto/tls+
+        context                                                      from crypto/tls+
+        crypto                                                       from crypto/ecdsa+
+        crypto/aes                                                   from crypto/ecdsa+
+        crypto/cipher                                                from crypto/aes+
+        crypto/des                                                   from crypto/tls+
+        crypto/dsa                                                   from crypto/x509
+        crypto/ecdsa                                                 from crypto/tls+
+        crypto/ed25519                                               from crypto/tls+
+        crypto/elliptic                                              from crypto/ecdsa+
+        crypto/hmac                                                  from crypto/tls+
+        crypto/md5                                                   from crypto/tls+
+        crypto/rand                                                  from crypto/ed25519+
+        crypto/rc4                                                   from crypto/tls
+        crypto/rsa                                                   from crypto/tls+
+        crypto/sha1                                                  from crypto/tls+
+        crypto/sha256                                                from crypto/tls+
+        crypto/sha512                                                from crypto/ecdsa+
+        crypto/subtle                                                from crypto/aes+
+        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
+        crypto/x509                                                  from crypto/tls+
+        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
+        encoding                                                     from encoding/json+
+        encoding/asn1                                                from crypto/x509+
+        encoding/base64                                              from encoding/json+
+        encoding/binary                                              from compress/gzip+
+        encoding/hex                                                 from crypto/x509+
+        encoding/json                                                from expvar+
+        encoding/pem                                                 from crypto/tls+
+        errors                                                       from bufio+
+        expvar                                                       from tailscale.com/derp+
+        flag                                                         from tailscale.com/cmd/tailscaled+
+        fmt                                                          from compress/flate+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
+        hash/crc32                                                   from compress/gzip+
+        hash/fnv                                                     from tailscale.com/wgengine/magicsock
+        html                                                         from html/template+
+        html/template                                                from net/http/pprof
+        io                                                           from bufio+
+        io/ioutil                                                    from crypto/tls+
+        log                                                          from expvar+
+        math                                                         from compress/flate+
+        math/big                                                     from crypto/dsa+
+        math/bits                                                    from compress/flate+
+        math/rand                                                    from github.com/mdlayher/netlink+
+        mime                                                         from golang.org/x/oauth2/internal+
+        mime/multipart                                               from net/http
+        mime/quotedprintable                                         from mime/multipart
+        net                                                          from crypto/tls+
+        net/http                                                     from expvar+
+        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
+        net/http/internal                                            from net/http
+        net/http/pprof                                               from tailscale.com/cmd/tailscaled
+        net/textproto                                                from golang.org/x/net/http/httpguts+
+        net/url                                                      from crypto/x509+
+        os                                                           from crypto/rand+
+        os/exec                                                      from github.com/coreos/go-iptables/iptables+
+        os/signal                                                    from tailscale.com/cmd/tailscaled+
+        os/user                                                      from github.com/godbus/dbus/v5+
+        path                                                         from debug/dwarf+
+        path/filepath                                                from crypto/x509+
+        reflect                                                      from crypto/x509+
+        regexp                                                       from github.com/coreos/go-iptables/iptables+
+        regexp/syntax                                                from regexp
+        runtime/debug                                                from github.com/klauspost/compress/zstd+
+        runtime/pprof                                                from net/http/pprof+
+        runtime/trace                                                from net/http/pprof
+        sort                                                         from compress/flate+
+        strconv                                                      from compress/flate+
+        strings                                                      from bufio+
+        sync                                                         from compress/flate+
+        sync/atomic                                                  from context+
+        syscall                                                      from crypto/rand+
+        text/tabwriter                                               from runtime/pprof
+        text/template                                                from html/template
+        text/template/parse                                          from html/template+
+        time                                                         from compress/gzip+
+        unicode                                                      from bytes+
+        unicode/utf16                                                from encoding/asn1+
+        unicode/utf8                                                 from bufio+

cmd/tailscaled/tailscaled.go

@@ -11,6 +11,8 @@ package main // import "tailscale.com/cmd/tailscaled"
 
 import (
 	"context"
+	"flag"
+	"fmt"
 	"log"
 	"net/http"
 	"net/http/pprof"
@@ -18,15 +20,17 @@ import (
 	"os/signal"
 	"runtime"
 	"runtime/debug"
+	"strconv"
 	"syscall"
 	"time"
 
 	"github.com/apenwarr/fixconsole"
-	"github.com/pborman/getopt/v2"
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/paths"
+	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
+	"tailscale.com/version"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/magicsock"
 	"tailscale.com/wgengine/router"
@@ -71,28 +75,29 @@ func main() {
 		debug.SetGCPercent(10)
 	}
 
-	// Set default values for getopt.
-	args.tunname = defaultTunName()
-	args.port = magicsock.DefaultPort
-	args.statepath = paths.DefaultTailscaledStateFile()
-	args.socketpath = paths.DefaultTailscaledSocket()
-
-	getopt.FlagLong(&args.cleanup, "cleanup", 0, "clean up system state and exit")
-	getopt.FlagLong(&args.fake, "fake", 0, "fake tunnel+routing instead of tuntap")
-	getopt.FlagLong(&args.debug, "debug", 0, "address of debug server")
-	getopt.FlagLong(&args.tunname, "tun", 0, "tunnel interface name")
-	getopt.FlagLong(&args.port, "port", 'p', "WireGuard port (0=autoselect)")
-	getopt.FlagLong(&args.statepath, "state", 0, "path of state file")
-	getopt.FlagLong(&args.socketpath, "socket", 's', "path of the service unix socket")
+	printVersion := false
+	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
+	flag.BoolVar(&args.fake, "fake", false, "use userspace fake tunnel+routing instead of kernel TUN interface")
+	flag.StringVar(&args.debug, "debug", "", "listen address ([ip]:port) of optional debug server")
+	flag.StringVar(&args.tunname, "tun", defaultTunName(), "tunnel interface name")
+	flag.Var(flagtype.PortValue(&args.port, magicsock.DefaultPort), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file")
+	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
+	flag.BoolVar(&printVersion, "version", false, "print version information and exit")
 
 	err := fixconsole.FixConsoleIfNeeded()
 	if err != nil {
 		log.Fatalf("fixConsoleOutput: %v", err)
 	}
 
-	getopt.Parse()
-	if len(getopt.Args()) > 0 {
-		log.Fatalf("too many non-flag arguments: %#v", getopt.Args()[0])
+	flag.Parse()
+	if flag.NArg() > 0 {
+		log.Fatalf("tailscaled does not take non-flag arguments: %q", flag.Args())
+	}
+
+	if printVersion {
+		fmt.Println(version.String())
+		os.Exit(0)
 	}
 
 	if args.statepath == "" {
@@ -120,7 +125,10 @@ func run() error {
 		pol.Shutdown(ctx)
 	}()
 
-	logf := wgengine.RusagePrefixLog(log.Printf)
+	var logf logger.Logf = log.Printf
+	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_MEMORY")); v {
+		logf = logger.RusagePrefixLog(logf)
+	}
 	logf = logger.RateLimitedFn(logf, 5*time.Second, 5, 100)
 
 	if args.cleanup {
@@ -136,7 +144,7 @@ func run() error {
 
 	var e wgengine.Engine
 	if args.fake {
-		e, err = wgengine.NewFakeUserspaceEngine(logf, 0)
+		e, err = wgengine.NewFakeUserspaceEngine(logf, args.port)
 	} else {
 		e, err = wgengine.NewUserspaceEngine(logf, args.tunname, args.port)
 	}

cmd/tailscaled/tailscaled.service

@@ -6,6 +6,7 @@ After=network-pre.target
 
 [Service]
 EnvironmentFile=/etc/default/tailscaled
+ExecStartPre=/usr/sbin/tailscaled --cleanup
 ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup
 

control/controlclient/auto.go

@@ -288,7 +288,7 @@ func (c *Client) authRoutine() {
 			// don't send status updates for context errors,
 			// since context cancelation is always on purpose.
 			if ctx.Err() == nil {
-				c.sendStatus("authRoutine1", err, "", nil)
+				c.sendStatus("authRoutine-report", err, "", nil)
 			}
 		}
 
@@ -353,7 +353,7 @@ func (c *Client) authRoutine() {
 			c.synced = false
 			c.mu.Unlock()
 
-			c.sendStatus("authRoutine2", nil, "", nil)
+			c.sendStatus("authRoutine-wantout", nil, "", nil)
 			bo.BackOff(ctx, nil)
 		} else { // ie. goal.wantLoggedIn
 			c.mu.Lock()
@@ -394,7 +394,7 @@ func (c *Client) authRoutine() {
 				c.synced = false
 				c.mu.Unlock()
 
-				c.sendStatus("authRoutine3", err, url, nil)
+				c.sendStatus("authRoutine-url", err, url, nil)
 				bo.BackOff(ctx, err)
 				continue
 			}
@@ -406,7 +406,7 @@ func (c *Client) authRoutine() {
 			c.state = StateAuthenticated
 			c.mu.Unlock()
 
-			c.sendStatus("authRoutine4", nil, "", nil)
+			c.sendStatus("authRoutine-success", nil, "", nil)
 			c.cancelMapSafely()
 			bo.BackOff(ctx, nil)
 		}
@@ -528,7 +528,7 @@ func (c *Client) mapRoutine() {
 
 				c.logf("mapRoutine: netmap received: %s", state)
 				if stillAuthed {
-					c.sendStatus("mapRoutine2", nil, "", nm)
+					c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
 				}
 			})
 

control/controlclient/direct.go

@@ -13,6 +13,7 @@ import (
 	"encoding/binary"
 	"encoding/json"
 	"errors"
+	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -20,12 +21,14 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"os/exec"
 	"reflect"
 	"runtime"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/tailscale/wireguard-go/wgcfg"
@@ -35,15 +38,28 @@ import (
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
+	"tailscale.com/types/opt"
 	"tailscale.com/types/structs"
 	"tailscale.com/version"
 )
 
 type Persist struct {
-	_                 structs.Incomparable
-	PrivateMachineKey wgcfg.PrivateKey
+	_ structs.Incomparable
+
+	// LegacyFrontendPrivateMachineKey is here temporarily
+	// (starting 2020-09-28) during migration of Windows users'
+	// machine keys from frontend storage to the backend. On the
+	// first LocalBackend.Start call, the backend will initialize
+	// the real (backend-owned) machine key from the frontend's
+	// provided value (if non-zero), picking a new random one if
+	// needed. This field should be considered read-only from GUI
+	// frontends. The real value should not be written back in
+	// this field, lest the frontend persist it to disk.
+	LegacyFrontendPrivateMachineKey wgcfg.PrivateKey `json:"PrivateMachineKey"`
+
 	PrivateNodeKey    wgcfg.PrivateKey
 	OldPrivateNodeKey wgcfg.PrivateKey // needed to request key rotation
 	Provider          string
@@ -58,7 +74,7 @@ func (p *Persist) Equals(p2 *Persist) bool {
 		return false
 	}
 
-	return p.PrivateMachineKey.Equal(p2.PrivateMachineKey) &&
+	return p.LegacyFrontendPrivateMachineKey.Equal(p2.LegacyFrontendPrivateMachineKey) &&
 		p.PrivateNodeKey.Equal(p2.PrivateNodeKey) &&
 		p.OldPrivateNodeKey.Equal(p2.OldPrivateNodeKey) &&
 		p.Provider == p2.Provider &&
@@ -67,8 +83,8 @@ func (p *Persist) Equals(p2 *Persist) bool {
 
 func (p *Persist) Pretty() string {
 	var mk, ok, nk wgcfg.Key
-	if !p.PrivateMachineKey.IsZero() {
-		mk = p.PrivateMachineKey.Public()
+	if !p.LegacyFrontendPrivateMachineKey.IsZero() {
+		mk = p.LegacyFrontendPrivateMachineKey.Public()
 	}
 	if !p.OldPrivateNodeKey.IsZero() {
 		ok = p.OldPrivateNodeKey.Public()
@@ -76,9 +92,14 @@ func (p *Persist) Pretty() string {
 	if !p.PrivateNodeKey.IsZero() {
 		nk = p.PrivateNodeKey.Public()
 	}
-	return fmt.Sprintf("Persist{m=%v, o=%v, n=%v u=%#v}",
-		mk.ShortString(), ok.ShortString(), nk.ShortString(),
-		p.LoginName)
+	ss := func(k wgcfg.Key) string {
+		if k.IsZero() {
+			return ""
+		}
+		return k.ShortString()
+	}
+	return fmt.Sprintf("Persist{lm=%v, o=%v, n=%v u=%#v}",
+		ss(mk), ss(ok), ss(nk), p.LoginName)
 }
 
 // Direct is the client that connects to a tailcontrol server for a node.
@@ -91,6 +112,8 @@ type Direct struct {
 	keepAlive       bool
 	logf            logger.Logf
 	discoPubKey     tailcfg.DiscoKey
+	machinePrivKey  wgcfg.PrivateKey
+	debugFlags      []string
 
 	mu           sync.Mutex // mutex guards the following fields
 	serverKey    wgcfg.Key
@@ -99,22 +122,25 @@ type Direct struct {
 	tryingNewKey wgcfg.PrivateKey
 	expiry       *time.Time
 	// hostinfo is mutated in-place while mu is held.
-	hostinfo  *tailcfg.Hostinfo // always non-nil
-	endpoints []string
-	localPort uint16 // or zero to mean auto
+	hostinfo      *tailcfg.Hostinfo // always non-nil
+	endpoints     []string
+	everEndpoints bool   // whether we've ever had non-empty endpoints
+	localPort     uint16 // or zero to mean auto
 }
 
 type Options struct {
-	Persist         Persist           // initial persistent data
-	ServerURL       string            // URL of the tailcontrol server
-	AuthKey         string            // optional node auth key for auto registration
-	TimeNow         func() time.Time  // time.Now implementation used by Client
-	Hostinfo        *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
-	DiscoPublicKey  tailcfg.DiscoKey
-	NewDecompressor func() (Decompressor, error)
-	KeepAlive       bool
-	Logf            logger.Logf
-	HTTPTestClient  *http.Client // optional HTTP client to use (for tests only)
+	Persist           Persist           // initial persistent data
+	MachinePrivateKey wgcfg.PrivateKey  // the machine key to use
+	ServerURL         string            // URL of the tailcontrol server
+	AuthKey           string            // optional node auth key for auto registration
+	TimeNow           func() time.Time  // time.Now implementation used by Client
+	Hostinfo          *tailcfg.Hostinfo // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	DiscoPublicKey    tailcfg.DiscoKey
+	NewDecompressor   func() (Decompressor, error)
+	KeepAlive         bool
+	Logf              logger.Logf
+	HTTPTestClient    *http.Client // optional HTTP client to use (for tests only)
+	DebugFlags        []string     // debug settings to send to control
 }
 
 type Decompressor interface {
@@ -127,6 +153,9 @@ func NewDirect(opts Options) (*Direct, error) {
 	if opts.ServerURL == "" {
 		return nil, errors.New("controlclient.New: no server URL specified")
 	}
+	if opts.MachinePrivateKey.IsZero() {
+		return nil, errors.New("controlclient.New: no MachinePrivateKey specified")
+	}
 	opts.ServerURL = strings.TrimRight(opts.ServerURL, "/")
 	serverURL, err := url.Parse(opts.ServerURL)
 	if err != nil {
@@ -145,6 +174,8 @@ func NewDirect(opts Options) (*Direct, error) {
 	if httpc == nil {
 		dialer := netns.NewDialer()
 		tr := http.DefaultTransport.(*http.Transport).Clone()
+		tr.Proxy = tshttpproxy.ProxyFromEnvironment
+		tshttpproxy.SetTransportGetProxyConnectHeader(tr)
 		tr.DialContext = dialer.DialContext
 		tr.ForceAttemptHTTP2 = true
 		tr.TLSClientConfig = tlsdial.Config(serverURL.Host, tr.TLSClientConfig)
@@ -153,6 +184,7 @@ func NewDirect(opts Options) (*Direct, error) {
 
 	c := &Direct{
 		httpc:           httpc,
+		machinePrivKey:  opts.MachinePrivateKey,
 		serverURL:       opts.ServerURL,
 		timeNow:         opts.TimeNow,
 		logf:            opts.Logf,
@@ -161,6 +193,7 @@ func NewDirect(opts Options) (*Direct, error) {
 		persist:         opts.Persist,
 		authKey:         opts.AuthKey,
 		discoPubKey:     opts.DiscoPublicKey,
+		debugFlags:      opts.DebugFlags,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(NewHostinfo())
@@ -179,7 +212,7 @@ func NewHostinfo() *tailcfg.Hostinfo {
 		osv = osVersion()
 	}
 	return &tailcfg.Hostinfo{
-		IPNVersion: version.LONG,
+		IPNVersion: version.Long,
 		Hostname:   hostname,
 		OS:         version.OS(),
 		OSVersion:  osv,
@@ -200,6 +233,8 @@ func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
 		return false
 	}
 	c.hostinfo = hi.Clone()
+	j, _ := json.Marshal(c.hostinfo)
+	c.logf("HostInfo: %s", j)
 	return true
 }
 
@@ -244,16 +279,14 @@ func (c *Direct) TryLogout(ctx context.Context) error {
 
 	// TODO(crawshaw): Tell the server. This node key should be
 	// immediately invalidated.
-	//if c.persist.PrivateNodeKey != (wgcfg.PrivateKey{}) {
+	//if !c.persist.PrivateNodeKey.IsZero() {
 	//}
-	c.persist = Persist{
-		PrivateMachineKey: c.persist.PrivateMachineKey,
-	}
+	c.persist = Persist{}
 	return nil
 }
 
 func (c *Direct) TryLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags) (url string, err error) {
-	c.logf("direct.TryLogin(%v, %v)", t != nil, flags)
+	c.logf("direct.TryLogin(token=%v, flags=%v)", t != nil, flags)
 	return c.doLoginOrRegen(ctx, t, flags, false, "")
 }
 
@@ -284,13 +317,8 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	expired := c.expiry != nil && !c.expiry.IsZero() && c.expiry.Before(c.timeNow())
 	c.mu.Unlock()
 
-	if persist.PrivateMachineKey == (wgcfg.PrivateKey{}) {
-		c.logf("Generating a new machinekey.")
-		mkey, err := wgcfg.NewPrivateKey()
-		if err != nil {
-			log.Fatal(err)
-		}
-		persist.PrivateMachineKey = mkey
+	if c.machinePrivKey.IsZero() {
+		return false, "", errors.New("controlclient.Direct requires a machine private key")
 	}
 
 	if expired {
@@ -317,7 +345,7 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 
 	var oldNodeKey wgcfg.Key
 	if url != "" {
-	} else if regen || persist.PrivateNodeKey == (wgcfg.PrivateKey{}) {
+	} else if regen || persist.PrivateNodeKey.IsZero() {
 		c.logf("Generating a new nodekey.")
 		persist.OldPrivateNodeKey = persist.PrivateNodeKey
 		key, err := wgcfg.NewPrivateKey()
@@ -330,11 +358,11 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 		// Try refreshing the current key first
 		tryingNewKey = persist.PrivateNodeKey
 	}
-	if persist.OldPrivateNodeKey != (wgcfg.PrivateKey{}) {
+	if !persist.OldPrivateNodeKey.IsZero() {
 		oldNodeKey = persist.OldPrivateNodeKey.Public()
 	}
 
-	if tryingNewKey == (wgcfg.PrivateKey{}) {
+	if tryingNewKey.IsZero() {
 		log.Fatalf("tryingNewKey is empty, give up")
 	}
 	if backendLogID == "" {
@@ -355,13 +383,13 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	request.Auth.Provider = persist.Provider
 	request.Auth.LoginName = persist.LoginName
 	request.Auth.AuthKey = authKey
-	bodyData, err := encode(request, &serverKey, &persist.PrivateMachineKey)
+	bodyData, err := encode(request, &serverKey, &c.machinePrivKey)
 	if err != nil {
 		return regen, url, err
 	}
 	body := bytes.NewReader(bodyData)
 
-	u := fmt.Sprintf("%s/machine/%s", c.serverURL, persist.PrivateMachineKey.Public().HexString())
+	u := fmt.Sprintf("%s/machine/%s", c.serverURL, c.machinePrivKey.Public().HexString())
 	req, err := http.NewRequest("POST", u, body)
 	if err != nil {
 		return regen, url, err
@@ -372,11 +400,20 @@ func (c *Direct) doLogin(ctx context.Context, t *oauth2.Token, flags LoginFlags,
 	if err != nil {
 		return regen, url, fmt.Errorf("register request: %v", err)
 	}
-	c.logf("RegisterReq: returned.")
+	if res.StatusCode != 200 {
+		msg, _ := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+		return regen, url, fmt.Errorf("register request: http %d: %.200s",
+			res.StatusCode, strings.TrimSpace(string(msg)))
+	}
 	resp := tailcfg.RegisterResponse{}
-	if err := decode(res, &resp, &serverKey, &persist.PrivateMachineKey); err != nil {
+	if err := decode(res, &resp, &serverKey, &c.machinePrivKey); err != nil {
+		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, c.machinePrivKey.Public(), err)
 		return regen, url, fmt.Errorf("register request: %v", err)
 	}
+	// Log without PII:
+	c.logf("RegisterReq: got response; nodeKeyExpired=%v, machineAuthorized=%v; authURL=%v",
+		resp.NodeKeyExpired, resp.MachineAuthorized, resp.AuthURL != "")
 
 	if resp.NodeKeyExpired {
 		if regen {
@@ -452,6 +489,9 @@ func (c *Direct) newEndpoints(localPort uint16, endpoints []string) (changed boo
 	c.logf("client.newEndpoints(%v, %v)", localPort, endpoints)
 	c.localPort = localPort
 	c.endpoints = append(c.endpoints[:0], endpoints...)
+	if len(endpoints) > 0 {
+		c.everEndpoints = true
+	}
 	return true // changed
 }
 
@@ -464,6 +504,13 @@ func (c *Direct) SetEndpoints(localPort uint16, endpoints []string) (changed boo
 	return c.newEndpoints(localPort, endpoints)
 }
 
+func inTest() bool { return flag.Lookup("test.v") != nil }
+
+// PollNetMap makes a /map request to download the network map, calling cb with
+// each new netmap.
+//
+// maxPolls is how many network maps to download; common values are 1
+// or -1 (to keep a long-poll query open to the server).
 func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkMap)) error {
 	c.mu.Lock()
 	persist := c.persist
@@ -473,6 +520,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	backendLogID := hostinfo.BackendLogID
 	localPort := c.localPort
 	ep := append([]string(nil), c.endpoints...)
+	everEndpoints := c.everEndpoints
 	c.mu.Unlock()
 
 	if backendLogID == "" {
@@ -480,7 +528,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	}
 
 	allowStream := maxPolls != 1
-	c.logf("PollNetMap: stream=%v :%v %v", maxPolls, localPort, ep)
+	c.logf("PollNetMap: stream=%v :%v ep=%v", allowStream, localPort, ep)
 
 	vlogf := logger.Discard
 	if Debug.NetMap {
@@ -488,36 +536,51 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	}
 
 	request := tailcfg.MapRequest{
-		Version:         4,
-		IncludeIPv6:     true,
-		DeltaPeers:      true,
-		KeepAlive:       c.keepAlive,
-		NodeKey:         tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
-		DiscoKey:        c.discoPubKey,
-		Endpoints:       ep,
-		Stream:          allowStream,
-		Hostinfo:        hostinfo,
-		DebugForceDisco: Debug.ForceDisco,
+		Version:    5,
+		KeepAlive:  c.keepAlive,
+		NodeKey:    tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
+		DiscoKey:   c.discoPubKey,
+		Endpoints:  ep,
+		Stream:     allowStream,
+		Hostinfo:   hostinfo,
+		DebugFlags: c.debugFlags,
+	}
+	if hostinfo != nil && ipForwardingBroken(hostinfo.RoutableIPs) {
+		old := request.DebugFlags
+		request.DebugFlags = append(old[:len(old):len(old)], "warn-ip-forwarding-off")
 	}
 	if c.newDecompressor != nil {
 		request.Compress = "zstd"
 	}
+	// On initial startup before we know our endpoints, set the ReadOnly flag
+	// to tell the control server not to distribute out our (empty) endpoints to peers.
+	// Presumably we'll learn our endpoints in a half second and do another post
+	// with useful results. The first POST just gets us the DERP map which we
+	// need to do the STUN queries to discover our endpoints.
+	// TODO(bradfitz): we skip this optimization in tests, though,
+	// because the e2e tests are currently hyperspecific about the
+	// ordering of things. The e2e tests need love.
+	if len(ep) == 0 && !everEndpoints && !inTest() {
+		request.ReadOnly = true
+	}
 
-	bodyData, err := encode(request, &serverKey, &persist.PrivateMachineKey)
+	bodyData, err := encode(request, &serverKey, &c.machinePrivKey)
 	if err != nil {
 		vlogf("netmap: encode: %v", err)
 		return err
 	}
 
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	machinePubKey := tailcfg.MachineKey(c.machinePrivKey.Public())
 	t0 := time.Now()
-	u := fmt.Sprintf("%s/machine/%s/map", serverURL, persist.PrivateMachineKey.Public().HexString())
-	req, err := http.NewRequest("POST", u, bytes.NewReader(bodyData))
+	u := fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.HexString())
+
+	req, err := http.NewRequestWithContext(ctx, "POST", u, bytes.NewReader(bodyData))
 	if err != nil {
 		return err
 	}
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-	req = req.WithContext(ctx)
 
 	res, err := c.httpc.Do(req)
 	if err != nil {
@@ -528,7 +591,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	if res.StatusCode != 200 {
 		msg, _ := ioutil.ReadAll(res.Body)
 		res.Body.Close()
-		return fmt.Errorf("initial fetch failed %d: %s",
+		return fmt.Errorf("initial fetch failed %d: %.200s",
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	defer res.Body.Close()
@@ -567,6 +630,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 	}()
 
 	var lastDERPMap *tailcfg.DERPMap
+	var lastUserProfile = map[tailcfg.UserID]tailcfg.UserProfile{}
 
 	// If allowStream, then the server will use an HTTP long poll to
 	// return incremental results. There is always one response right
@@ -616,13 +680,20 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 
 		undeltaPeers(&resp, previousPeers)
 		previousPeers = cloneNodes(resp.Peers) // defensive/lazy clone, since this escapes to who knows where
+		for _, up := range resp.UserProfiles {
+			lastUserProfile[up.ID] = up
+		}
 
 		if resp.DERPMap != nil {
 			vlogf("netmap: new map contains DERP map")
 			lastDERPMap = resp.DERPMap
 		}
-		if resp.Debug != nil && resp.Debug.LogHeapPprof {
-			go logheap.LogHeap(resp.Debug.LogHeapURL)
+		if resp.Debug != nil {
+			if resp.Debug.LogHeapPprof {
+				go logheap.LogHeap(resp.Debug.LogHeapURL)
+			}
+			setControlAtomic(&controlUseDERPRoute, resp.Debug.DERPRoute)
+			setControlAtomic(&controlTrimWGConfig, resp.Debug.TrimWGConfig)
 		}
 		// Temporarily (2020-06-29) support removing all but
 		// discovery-supporting nodes during development, for
@@ -640,6 +711,7 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 		nm := &NetworkMap{
 			NodeKey:      tailcfg.NodeKey(persist.PrivateNodeKey.Public()),
 			PrivateKey:   persist.PrivateNodeKey,
+			MachineKey:   machinePubKey,
 			Expiry:       resp.Node.KeyExpiry,
 			Name:         resp.Node.Name,
 			Addresses:    resp.Node.Addresses,
@@ -648,15 +720,24 @@ func (c *Direct) PollNetMap(ctx context.Context, maxPolls int, cb func(*NetworkM
 			User:         resp.Node.User,
 			UserProfiles: make(map[tailcfg.UserID]tailcfg.UserProfile),
 			Domain:       resp.Domain,
-			Roles:        resp.Roles,
 			DNS:          resp.DNSConfig,
 			Hostinfo:     resp.Node.Hostinfo,
 			PacketFilter: c.parsePacketFilter(resp.PacketFilter),
 			DERPMap:      lastDERPMap,
 			Debug:        resp.Debug,
 		}
-		for _, profile := range resp.UserProfiles {
-			nm.UserProfiles[profile.ID] = profile
+		addUserProfile := func(userID tailcfg.UserID) {
+			if _, dup := nm.UserProfiles[userID]; dup {
+				// Already populated it from a previous peer.
+				return
+			}
+			if up, ok := lastUserProfile[userID]; ok {
+				nm.UserProfiles[userID] = up
+			}
+		}
+		addUserProfile(nm.User)
+		for _, peer := range resp.Peers {
+			addUserProfile(peer.User)
 		}
 		if resp.Node.MachineAuthorized {
 			nm.MachineStatus = tailcfg.MachineAuthorized
@@ -708,13 +789,16 @@ func decode(res *http.Response, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg
 	return decodeMsg(msg, v, serverKey, mkey)
 }
 
+var debugMap, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_MAP"))
+
+var jsonEscapedZero = []byte(`\u0000`)
+
 func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 	c.mu.Lock()
-	mkey := c.persist.PrivateMachineKey
 	serverKey := c.serverKey
 	c.mu.Unlock()
 
-	decrypted, err := decryptMsg(msg, &serverKey, &mkey)
+	decrypted, err := decryptMsg(msg, &serverKey, &c.machinePrivKey)
 	if err != nil {
 		return err
 	}
@@ -732,6 +816,15 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}) error {
 			return err
 		}
 	}
+	if debugMap {
+		var buf bytes.Buffer
+		json.Indent(&buf, b, "", "    ")
+		log.Printf("MapResponse: %s", buf.Bytes())
+	}
+
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in controlclient.Direct.decodeMsg into %T: %q", v, b)
+	}
 	if err := json.Unmarshal(b, v); err != nil {
 		return fmt.Errorf("response: %v", err)
 	}
@@ -744,6 +837,9 @@ func decodeMsg(msg []byte, v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.Priv
 	if err != nil {
 		return err
 	}
+	if bytes.Contains(decrypted, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in controlclient decodeMsg into %T: %q", v, decrypted)
+	}
 	if err := json.Unmarshal(decrypted, v); err != nil {
 		return fmt.Errorf("response: %v", err)
 	}
@@ -761,7 +857,7 @@ func decryptMsg(msg []byte, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) ([]byt
 	pub, pri := (*[32]byte)(serverKey), (*[32]byte)(mkey)
 	decrypted, ok := box.Open(nil, msg, &nonce, pub, pri)
 	if !ok {
-		return nil, fmt.Errorf("cannot decrypt response")
+		return nil, fmt.Errorf("cannot decrypt response (len %d + nonce %d = %d)", len(msg), len(nonce), len(msg)+len(nonce))
 	}
 	return decrypted, nil
 }
@@ -771,8 +867,7 @@ func encode(v interface{}, serverKey *wgcfg.Key, mkey *wgcfg.PrivateKey) ([]byte
 	if err != nil {
 		return nil, err
 	}
-	const debugMapRequests = false
-	if debugMapRequests {
+	if debugMap {
 		if _, ok := v.(tailcfg.MapRequest); ok {
 			log.Printf("MapRequest: %s", b)
 		}
@@ -827,25 +922,20 @@ func wgIPToNetaddr(ips []wgcfg.IP) (ret []netaddr.IP) {
 var Debug = initDebug()
 
 type debug struct {
-	NetMap     bool
-	ProxyDNS   bool
-	OnlyDisco  bool
-	Disco      bool
-	ForceDisco bool // ask control server to not filter out our disco key
+	NetMap    bool
+	ProxyDNS  bool
+	OnlyDisco bool
+	Disco     bool
 }
 
 func initDebug() debug {
-	d := debug{
-		NetMap:     envBool("TS_DEBUG_NETMAP"),
-		ProxyDNS:   envBool("TS_DEBUG_PROXY_DNS"),
-		OnlyDisco:  os.Getenv("TS_DEBUG_USE_DISCO") == "only",
-		ForceDisco: os.Getenv("TS_DEBUG_USE_DISCO") == "only" || envBool("TS_DEBUG_USE_DISCO"),
+	use := os.Getenv("TS_DEBUG_USE_DISCO")
+	return debug{
+		NetMap:    envBool("TS_DEBUG_NETMAP"),
+		ProxyDNS:  envBool("TS_DEBUG_PROXY_DNS"),
+		OnlyDisco: use == "only",
+		Disco:     use == "only" || use == "" || envBool("TS_DEBUG_USE_DISCO"),
 	}
-	if d.ForceDisco || os.Getenv("TS_DEBUG_USE_DISCO") == "" {
-		// This is now defaults to on.
-		d.Disco = true
-	}
-	return d
 }
 
 func envBool(k string) bool {
@@ -953,3 +1043,61 @@ func cloneNodes(v1 []*tailcfg.Node) []*tailcfg.Node {
 	}
 	return v2
 }
+
+// opt.Bool configs from control.
+var (
+	controlUseDERPRoute atomic.Value
+	controlTrimWGConfig atomic.Value
+)
+
+func setControlAtomic(dst *atomic.Value, v opt.Bool) {
+	old, ok := dst.Load().(opt.Bool)
+	if !ok || old != v {
+		dst.Store(v)
+	}
+}
+
+// DERPRouteFlag reports the last reported value from control for whether
+// DERP route optimization (Issue 150) should be enabled.
+func DERPRouteFlag() opt.Bool {
+	v, _ := controlUseDERPRoute.Load().(opt.Bool)
+	return v
+}
+
+// TrimWGConfig reports the last reported value from control for whether
+// we should do lazy wireguard configuration.
+func TrimWGConfig() opt.Bool {
+	v, _ := controlTrimWGConfig.Load().(opt.Bool)
+	return v
+}
+
+// ipForwardingBroken reports whether the system's IP forwarding is disabled
+// and will definitely not work for the routes provided.
+//
+// It should not return false positives.
+func ipForwardingBroken(routes []wgcfg.CIDR) bool {
+	if len(routes) == 0 {
+		// Nothing to route, so no need to warn.
+		return false
+	}
+	if runtime.GOOS != "linux" {
+		// We only do subnet routing on Linux for now.
+		// It might work on darwin/macOS when building from source, so
+		// don't return true for other OSes. We can OS-based warnings
+		// already in the admin panel.
+		return false
+	}
+	out, err := ioutil.ReadFile("/proc/sys/net/ipv4/ip_forward")
+	if err != nil {
+		// Try another way.
+		out, err = exec.Command("sysctl", "-n", "net.ipv4.ip_forward").Output()
+	}
+	if err != nil {
+		// Oh well, we tried. This is just for debugging.
+		// We don't want false positives.
+		// TODO: maybe we want a different warning for inability to check?
+		return false
+	}
+	return strings.TrimSpace(string(out)) == "0"
+	// TODO: also check IPv6 if 'routes' contains any IPv6 routes
+}

control/controlclient/filter.go

@@ -5,80 +5,16 @@
 package controlclient
 
 import (
-	"fmt"
-	"net"
 	"tailscale.com/tailcfg"
 	"tailscale.com/wgengine/filter"
 )
 
-func parseIP(host string, defaultBits int) (filter.Net, error) {
-	ip := net.ParseIP(host)
-	if ip != nil && ip.IsUnspecified() {
-		// For clarity, reject 0.0.0.0 as an input
-		return filter.NetNone, fmt.Errorf("ports=%#v: to allow all IP addresses, use *:port, not 0.0.0.0:port", host)
-	} else if ip == nil && host == "*" {
-		// User explicitly requested wildcard dst ip
-		return filter.NetAny, nil
-	} else {
-		if ip != nil {
-			ip = ip.To4()
-		}
-		if ip == nil || len(ip) != 4 {
-			return filter.NetNone, fmt.Errorf("ports=%#v: invalid IPv4 address", host)
-		}
-		return filter.Net{
-			IP:   filter.NewIP(ip),
-			Mask: filter.Netmask(defaultBits),
-		}, nil
-	}
-}
-
 // Parse a backward-compatible FilterRule used by control's wire format,
 // producing the most current filter.Matches format.
 func (c *Direct) parsePacketFilter(pf []tailcfg.FilterRule) filter.Matches {
-	mm := make([]filter.Match, 0, len(pf))
-	var erracc error
-
-	for _, r := range pf {
-		m := filter.Match{}
-
-		for i, s := range r.SrcIPs {
-			bits := 32
-			if len(r.SrcBits) > i {
-				bits = r.SrcBits[i]
-			}
-			net, err := parseIP(s, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Srcs = append(m.Srcs, net)
-		}
-
-		for _, d := range r.DstPorts {
-			bits := 32
-			if d.Bits != nil {
-				bits = *d.Bits
-			}
-			net, err := parseIP(d.IP, bits)
-			if err != nil && erracc == nil {
-				erracc = err
-				continue
-			}
-			m.Dsts = append(m.Dsts, filter.NetPortRange{
-				Net: net,
-				Ports: filter.PortRange{
-					First: d.Ports.First,
-					Last:  d.Ports.Last,
-				},
-			})
-		}
-
-		mm = append(mm, m)
-	}
-
-	if erracc != nil {
-		c.logf("parsePacketFilter: %s\n", erracc)
+	mm, err := filter.MatchesFromFilterRules(pf)
+	if err != nil {
+		c.logf("parsePacketFilter: %s\n", err)
 	}
 	return mm
 }

control/controlclient/hostinfo_linux.go

@@ -16,6 +16,7 @@ import (
 
 	"go4.org/mem"
 	"tailscale.com/util/lineread"
+	"tailscale.com/version/distro"
 )
 
 func init() {
@@ -23,13 +24,22 @@ func init() {
 }
 
 func osVersionLinux() string {
+	dist := distro.Get()
+	propFile := "/etc/os-release"
+	switch dist {
+	case distro.Synology:
+		propFile = "/etc.defaults/VERSION"
+	case distro.OpenWrt:
+		propFile = "/etc/openwrt_release"
+	}
+
 	m := map[string]string{}
-	lineread.File("/etc/os-release", func(line []byte) error {
+	lineread.File(propFile, func(line []byte) error {
 		eq := bytes.IndexByte(line, '=')
 		if eq == -1 {
 			return nil
 		}
-		k, v := string(line[:eq]), strings.Trim(string(line[eq+1:]), `"`)
+		k, v := string(line[:eq]), strings.Trim(string(line[eq+1:]), `"'`)
 		m[k] = v
 		return nil
 	})
@@ -71,6 +81,12 @@ func osVersionLinux() string {
 			return fmt.Sprintf("%s%s", v, attr)
 		}
 	}
+	switch dist {
+	case distro.Synology:
+		return fmt.Sprintf("Synology %s%s", m["productversion"], attr)
+	case distro.OpenWrt:
+		return fmt.Sprintf("OpenWrt %s%s", m["DISTRIB_RELEASE"], attr)
+	}
 	return fmt.Sprintf("Other%s", attr)
 }
 

control/controlclient/hostinfo_windows.go

@@ -21,6 +21,10 @@ func osVersionWindows() string {
 	s := strings.TrimSpace(string(out))
 	s = strings.TrimPrefix(s, "Microsoft Windows [")
 	s = strings.TrimSuffix(s, "]")
-	s = strings.TrimPrefix(s, "Version ") // is this localized? do it last in case.
-	return s                              // "10.0.19041.388", ideally
+
+	// "Version 10.x.y.z", with "Version" localized. Keep only stuff after the space.
+	if sp := strings.Index(s, " "); sp != -1 {
+		s = s[sp+1:]
+	}
+	return s // "10.0.19041.388", ideally
 }

control/controlclient/netmap.go

@@ -30,6 +30,7 @@ type NetworkMap struct {
 	Addresses     []wgcfg.CIDR
 	LocalPort     uint16 // used for debugging
 	MachineStatus tailcfg.MachineStatus
+	MachineKey    tailcfg.MachineKey
 	Peers         []*tailcfg.Node // sorted by Node.ID
 	DNS           tailcfg.DNSConfig
 	Hostinfo      tailcfg.Hostinfo
@@ -49,7 +50,6 @@ type NetworkMap struct {
 	// TODO(crawshaw): reduce UserProfiles to []tailcfg.UserProfile?
 	// There are lots of ways to slice this data, leave it up to users.
 	UserProfiles map[tailcfg.UserID]tailcfg.UserProfile
-	Roles        []tailcfg.Role
 	// TODO(crawshaw): Groups       []tailcfg.Group
 	// TODO(crawshaw): Capabilities []tailcfg.Capability
 }
@@ -75,6 +75,15 @@ func (nm *NetworkMap) Concise() string {
 func (nm *NetworkMap) printConciseHeader(buf *strings.Builder) {
 	fmt.Fprintf(buf, "netmap: self: %v auth=%v",
 		nm.NodeKey.ShortString(), nm.MachineStatus)
+	login := nm.UserProfiles[nm.User].LoginName
+	if login == "" {
+		if nm.User.IsZero() {
+			login = "?"
+		} else {
+			login = fmt.Sprint(nm.User)
+		}
+	}
+	fmt.Fprintf(buf, " u=%s", login)
 	if nm.LocalPort != 0 {
 		fmt.Fprintf(buf, " port=%v", nm.LocalPort)
 	}
@@ -92,6 +101,7 @@ func (a *NetworkMap) equalConciseHeader(b *NetworkMap) bool {
 	if a.NodeKey != b.NodeKey ||
 		a.MachineStatus != b.MachineStatus ||
 		a.LocalPort != b.LocalPort ||
+		a.User != b.User ||
 		len(a.Addresses) != len(b.Addresses) {
 		return false
 	}
@@ -219,7 +229,6 @@ const (
 	AllowSingleHosts WGConfigFlags = 1 << iota
 	AllowSubnetRoutes
 	AllowDefaultRoute
-	HackDefaultRoute
 )
 
 // EndpointDiscoSuffix is appended to the hex representation of a peer's discovery key
@@ -274,11 +283,7 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 					logf("wgcfg: %v skipping default route", peer.Key.ShortString())
 					continue
 				}
-				if (flags & HackDefaultRoute) != 0 {
-					allowedIP = wgcfg.CIDR{IP: wgcfg.IPv4(10, 0, 0, 0), Mask: 8}
-					logf("wgcfg: %v converting default route => %v", peer.Key.ShortString(), allowedIP.String())
-				}
-			} else if allowedIP.Mask < 32 {
+			} else if cidrIsSubnet(peer, allowedIP) {
 				if (flags & AllowSubnetRoutes) == 0 {
 					logf("wgcfg: %v skipping subnet route", peer.Key.ShortString())
 					continue
@@ -291,6 +296,29 @@ func (nm *NetworkMap) WGCfg(logf logger.Logf, flags WGConfigFlags) (*wgcfg.Confi
 	return cfg, nil
 }
 
+// cidrIsSubnet reports whether cidr is a non-default-route subnet
+// exported by node that is not one of its own self addresses.
+func cidrIsSubnet(node *tailcfg.Node, cidr wgcfg.CIDR) bool {
+	if cidr.Mask == 0 {
+		return false
+	}
+	if cidr.Mask < 32 {
+		// Fast path for IPv4, to avoid loop below.
+		//
+		// TODO: if cidr.IP is an IPv6 address, we could do "< 128"
+		// to avoid the range over node.Addresses. Or we could
+		// just remove this fast path and unconditionally do the range
+		// loop.
+		return true
+	}
+	for _, selfCIDR := range node.Addresses {
+		if cidr == selfCIDR {
+			return false
+		}
+	}
+	return true
+}
+
 func appendEndpoint(peer *wgcfg.Peer, epStr string) error {
 	if epStr == "" {
 		return nil

control/controlclient/netmap_test.go

@@ -51,7 +51,7 @@ func TestNetworkMapConcise(t *testing.T) {
 					},
 				},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown []\n [AgICA] D2                 :    192.168.0.100:12     192.168.0.100:12354\n [AwMDA] D4                 :       10.2.0.100:12        10.1.0.100:12345\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? []\n [AgICA] D2                 :    192.168.0.100:12     192.168.0.100:12354\n [AwMDA] D4                 :       10.2.0.100:12        10.1.0.100:12345\n",
 		},
 		{
 			name: "debug_non_nil",
@@ -59,7 +59,7 @@ func TestNetworkMapConcise(t *testing.T) {
 				NodeKey: testNodeKey(1),
 				Debug:   &tailcfg.Debug{},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown debug={} []\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? debug={} []\n",
 		},
 		{
 			name: "debug_values",
@@ -67,7 +67,7 @@ func TestNetworkMapConcise(t *testing.T) {
 				NodeKey: testNodeKey(1),
 				Debug:   &tailcfg.Debug{LogHeapPprof: true},
 			},
-			want: "netmap: self: [AQEBA] auth=machine-unknown debug={\"LogHeapPprof\":true} []\n",
+			want: "netmap: self: [AQEBA] auth=machine-unknown u=? debug={\"LogHeapPprof\":true} []\n",
 		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
@@ -135,7 +135,7 @@ func TestConciseDiffFrom(t *testing.T) {
 					},
 				},
 			},
-			want: "-netmap: self: [AQEBA] auth=machine-unknown []\n+netmap: self: [AgICA] auth=machine-unknown []\n",
+			want: "-netmap: self: [AQEBA] auth=machine-unknown u=? []\n+netmap: self: [AgICA] auth=machine-unknown u=? []\n",
 		},
 		{
 			name: "peer_add",

control/controlclient/persist_test.go

@@ -12,7 +12,7 @@ import (
 )
 
 func TestPersistEqual(t *testing.T) {
-	persistHandles := []string{"PrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName"}
+	persistHandles := []string{"LegacyFrontendPrivateMachineKey", "PrivateNodeKey", "OldPrivateNodeKey", "Provider", "LoginName"}
 	if have := fieldsOf(reflect.TypeOf(Persist{})); !reflect.DeepEqual(have, persistHandles) {
 		t.Errorf("Persist.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, persistHandles)
@@ -36,13 +36,13 @@ func TestPersistEqual(t *testing.T) {
 		{&Persist{}, &Persist{}, true},
 
 		{
-			&Persist{PrivateMachineKey: k1},
-			&Persist{PrivateMachineKey: newPrivate()},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: newPrivate()},
 			false,
 		},
 		{
-			&Persist{PrivateMachineKey: k1},
-			&Persist{PrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
+			&Persist{LegacyFrontendPrivateMachineKey: k1},
 			true,
 		},
 

derp/derp.go

@@ -39,14 +39,10 @@ const (
 	keepAlive      = 60 * time.Second
 )
 
-// protocolVersion is bumped whenever there's a wire-incompatible change.
+// ProtocolVersion is bumped whenever there's a wire-incompatible change.
 //   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
 //   * version 2: received packets have src addrs in frameRecvPacket at beginning
-const protocolVersion = 2
-
-const (
-	protocolSrcAddrs = 2 // protocol version at which client expects src addresses
-)
+const ProtocolVersion = 2
 
 // frameType is the one byte frame type at the beginning of the frame
 // header.  The second field is a big-endian uint32 describing the
@@ -108,16 +104,31 @@ var bin = binary.BigEndian
 func writeUint32(bw *bufio.Writer, v uint32) error {
 	var b [4]byte
 	bin.PutUint32(b[:], v)
-	_, err := bw.Write(b[:])
-	return err
+	// Writing a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for _, c := range &b {
+		err := bw.WriteByte(c)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func readUint32(br *bufio.Reader) (uint32, error) {
-	b := make([]byte, 4)
-	if _, err := io.ReadFull(br, b); err != nil {
-		return 0, err
+	var b [4]byte
+	// Reading a byte at a time is a bit silly,
+	// but it causes b not to escape,
+	// which more than pays for the silliness.
+	for i := range &b {
+		c, err := br.ReadByte()
+		if err != nil {
+			return 0, err
+		}
+		b[i] = c
 	}
-	return bin.Uint32(b), nil
+	return bin.Uint32(b[:]), nil
 }
 
 func readFrameTypeHeader(br *bufio.Reader, wantType frameType) (frameLen uint32, err error) {
@@ -194,13 +205,6 @@ func writeFrame(bw *bufio.Writer, t frameType, b []byte) error {
 	return bw.Flush()
 }
 
-func minInt(a, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
-
 func minUint32(a, b uint32) uint32 {
 	if a < b {
 		return a

derp/derp_client.go

@@ -21,14 +21,13 @@ import (
 
 // Client is a DERP client.
 type Client struct {
-	serverKey    key.Public // of the DERP server; not a machine or node key
-	privateKey   key.Private
-	publicKey    key.Public // of privateKey
-	protoVersion int        // min of server+client
-	logf         logger.Logf
-	nc           Conn
-	br           *bufio.Reader
-	meshKey      string
+	serverKey  key.Public // of the DERP server; not a machine or node key
+	privateKey key.Private
+	publicKey  key.Public // of privateKey
+	logf       logger.Logf
+	nc         Conn
+	br         *bufio.Reader
+	meshKey    string
 
 	wmu sync.Mutex // hold while writing to bw
 	bw  *bufio.Writer
@@ -49,7 +48,8 @@ func (f clientOptFunc) update(o *clientOpt) { f(o) }
 
 // clientOpt are the options passed to newClient.
 type clientOpt struct {
-	MeshKey string
+	MeshKey   string
+	ServerPub key.Public
 }
 
 // MeshKey returns a ClientOpt to pass to the DERP server during connect to get
@@ -58,6 +58,12 @@ type clientOpt struct {
 // An empty key means to not use a mesh key.
 func MeshKey(key string) ClientOpt { return clientOptFunc(func(o *clientOpt) { o.MeshKey = key }) }
 
+// ServerPublicKey returns a ClientOpt to declare that the server's DERP public key is known.
+// If key is the zero value, the returned ClientOpt is a no-op.
+func ServerPublicKey(key key.Public) ClientOpt {
+	return clientOptFunc(func(o *clientOpt) { o.ServerPub = key })
+}
+
 func NewClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logger.Logf, opts ...ClientOpt) (*Client, error) {
 	var opt clientOpt
 	for _, o := range opts {
@@ -79,17 +85,16 @@ func newClient(privateKey key.Private, nc Conn, brw *bufio.ReadWriter, logf logg
 		bw:         brw.Writer,
 		meshKey:    opt.MeshKey,
 	}
-	if err := c.recvServerKey(); err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+	if opt.ServerPub.IsZero() {
+		if err := c.recvServerKey(); err != nil {
+			return nil, fmt.Errorf("derp.Client: failed to receive server key: %v", err)
+		}
+	} else {
+		c.serverKey = opt.ServerPub
 	}
 	if err := c.sendClientKey(); err != nil {
 		return nil, fmt.Errorf("derp.Client: failed to send client key: %v", err)
 	}
-	info, err := c.recvServerInfo()
-	if err != nil {
-		return nil, fmt.Errorf("derp.Client: failed to receive server info: %v", err)
-	}
-	c.protoVersion = minInt(protocolVersion, info.Version)
 	return c, nil
 }
 
@@ -110,12 +115,9 @@ func (c *Client) recvServerKey() error {
 	return nil
 }
 
-func (c *Client) recvServerInfo() (*serverInfo, error) {
-	fl, err := readFrameTypeHeader(c.br, frameServerInfo)
-	if err != nil {
-		return nil, err
-	}
+func (c *Client) parseServerInfo(b []byte) (*serverInfo, error) {
 	const maxLength = nonceLen + maxInfoLen
+	fl := len(b)
 	if fl < nonceLen {
 		return nil, fmt.Errorf("short serverInfo frame")
 	}
@@ -124,33 +126,27 @@ func (c *Client) recvServerInfo() (*serverInfo, error) {
 	}
 	// TODO: add a read-nonce-and-box helper
 	var nonce [nonceLen]byte
-	if _, err := io.ReadFull(c.br, nonce[:]); err != nil {
-		return nil, fmt.Errorf("nonce: %v", err)
-	}
-	msgLen := fl - nonceLen
-	msgbox := make([]byte, msgLen)
-	if _, err := io.ReadFull(c.br, msgbox); err != nil {
-		return nil, fmt.Errorf("msgbox: %v", err)
-	}
+	copy(nonce[:], b)
+	msgbox := b[nonceLen:]
 	msg, ok := box.Open(nil, msgbox, &nonce, c.serverKey.B32(), c.privateKey.B32())
 	if !ok {
-		return nil, fmt.Errorf("msgbox: cannot open len=%d with server key %x", msgLen, c.serverKey[:])
+		return nil, fmt.Errorf("failed to open naclbox from server key %x", c.serverKey[:])
 	}
 	info := new(serverInfo)
 	if err := json.Unmarshal(msg, info); err != nil {
-		return nil, fmt.Errorf("msg: %v", err)
+		return nil, fmt.Errorf("invalid JSON: %v", err)
 	}
 	return info, nil
 }
 
 type clientInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`
 
 	// MeshKey optionally specifies a pre-shared key used by
 	// trusted clients.  It's required to subscribe to the
 	// connection list & forward packets. It's empty for regular
 	// users.
-	MeshKey string // `json:"meshKey,omitempty"`
+	MeshKey string `json:"meshKey,omitempty"`
 }
 
 func (c *Client) sendClientKey() error {
@@ -159,7 +155,7 @@ func (c *Client) sendClientKey() error {
 		return err
 	}
 	msg, err := json.Marshal(clientInfo{
-		Version: protocolVersion,
+		Version: ProtocolVersion,
 		MeshKey: c.meshKey,
 	})
 	if err != nil {
@@ -318,6 +314,11 @@ type PeerPresentMessage key.Public
 
 func (PeerPresentMessage) msg() {}
 
+// ServerInfoMessage is sent by the server upon first connect.
+type ServerInfoMessage struct{}
+
+func (ServerInfoMessage) msg() {}
+
 // Recv reads a message from the DERP server.
 //
 // The returned message may alias memory owned by the Client; it
@@ -364,7 +365,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		// If the frame fits in our bufio.Reader buffer, just use it.
 		// In practice it's 4KB (from derphttp.Client's bufio.NewReader(httpConn)) and
 		// in practive, WireGuard packets (and thus DERP frames) are under 1.5KB.
-		// So This is the common path.
+		// So this is the common path.
 		if int(n) <= c.br.Size() {
 			b, err = c.br.Peek(int(n))
 			c.peeked = int(n)
@@ -382,6 +383,19 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 		switch t {
 		default:
 			continue
+		case frameServerInfo:
+			// Server sends this at start-up. Currently unused.
+			// Just has a JSON message saying "version: 2",
+			// but the protocol seems extensible enough as-is without
+			// needing to wait an RTT to discover the version at startup.
+			// We'd prefer to give the connection to the client (magicsock)
+			// to start writing as soon as possible.
+			_, err := c.parseServerInfo(b)
+			if err != nil {
+				return nil, fmt.Errorf("invalid server info frame: %v", err)
+			}
+			// TODO: add the results of parseServerInfo to ServerInfoMessage if we ever need it.
+			return ServerInfoMessage{}, nil
 		case frameKeepAlive:
 			// TODO: eventually we'll have server->client pings that
 			// require ack pongs.
@@ -406,16 +420,12 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 
 		case frameRecvPacket:
 			var rp ReceivedPacket
-			if c.protoVersion < protocolSrcAddrs {
-				rp.Data = b[:n]
-			} else {
-				if n < keyLen {
-					c.logf("[unexpected] dropping short packet from DERP server")
-					continue
-				}
-				copy(rp.Source[:], b[:keyLen])
-				rp.Data = b[keyLen:n]
+			if n < keyLen {
+				c.logf("[unexpected] dropping short packet from DERP server")
+				continue
 			}
+			copy(rp.Source[:], b[:keyLen])
+			rp.Data = b[keyLen:n]
 			return rp, nil
 		}
 	}

derp/derp_server.go

@@ -9,14 +9,19 @@ package derp
 import (
 	"bufio"
 	"context"
+	"crypto/ed25519"
 	crand "crypto/rand"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"math/big"
+	"math/rand"
 	"os"
 	"runtime"
 	"strconv"
@@ -24,8 +29,10 @@ import (
 	"sync"
 	"time"
 
+	"go4.org/mem"
 	"golang.org/x/crypto/nacl/box"
 	"golang.org/x/sync/errgroup"
+	"tailscale.com/disco"
 	"tailscale.com/metrics"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -34,6 +41,29 @@ import (
 
 var debug, _ = strconv.ParseBool(os.Getenv("DERP_DEBUG_LOGS"))
 
+// verboseDropKeys is the set of destination public keys that should
+// verbosely log whenever DERP drops a packet.
+var verboseDropKeys = map[key.Public]bool{}
+
+func init() {
+	keys := os.Getenv("TS_DEBUG_VERBOSE_DROPS")
+	if keys == "" {
+		return
+	}
+	for _, keyStr := range strings.Split(keys, ",") {
+		k, err := key.NewPublicFromHexMem(mem.S(keyStr))
+		if err != nil {
+			log.Printf("ignoring invalid debug key %q: %v", keyStr, err)
+		} else {
+			verboseDropKeys[k] = true
+		}
+	}
+}
+
+func init() {
+	rand.Seed(time.Now().UnixNano())
+}
+
 const (
 	perClientSendQueueDepth = 32 // packets buffered for sending
 	writeTimeout            = 2 * time.Second
@@ -52,16 +82,22 @@ type Server struct {
 	// before failing when writing to a client.
 	WriteTimeout time.Duration
 
-	privateKey key.Private
-	publicKey  key.Public
-	logf       logger.Logf
-	memSys0    uint64 // runtime.MemStats.Sys at start (or early-ish)
-	meshKey    string
+	privateKey  key.Private
+	publicKey   key.Public
+	logf        logger.Logf
+	memSys0     uint64 // runtime.MemStats.Sys at start (or early-ish)
+	meshKey     string
+	limitedLogf logger.Logf
+	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate
 
 	// Counters:
 	_                        [pad32bit]byte
 	packetsSent, bytesSent   expvar.Int
 	packetsRecv, bytesRecv   expvar.Int
+	packetsRecvByKind        metrics.LabelMap
+	packetsRecvDisco         *expvar.Int
+	packetsRecvOther         *expvar.Int
+	_                        [pad32bit]byte
 	packetsDropped           expvar.Int
 	packetsDroppedReason     metrics.LabelMap
 	packetsDroppedUnknown    *expvar.Int // unknown dst pubkey
@@ -136,6 +172,8 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		privateKey:           privateKey,
 		publicKey:            privateKey.Public(),
 		logf:                 logf,
+		limitedLogf:          logger.RateLimitedFn(logf, 30*time.Second, 5, 100),
+		packetsRecvByKind:    metrics.LabelMap{Label: "kind"},
 		packetsDroppedReason: metrics.LabelMap{Label: "reason"},
 		clients:              map[key.Public]*sclient{},
 		clientsEver:          map[key.Public]bool{},
@@ -145,6 +183,9 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		watchers:             map[*sclient]bool{},
 		sentTo:               map[key.Public]map[key.Public]int64{},
 	}
+	s.initMetacert()
+	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
+	s.packetsRecvOther = s.packetsRecvByKind.Get("other")
 	s.packetsDroppedUnknown = s.packetsDroppedReason.Get("unknown_dest")
 	s.packetsDroppedFwdUnknown = s.packetsDroppedReason.Get("unknown_dest_on_fwd")
 	s.packetsDroppedGone = s.packetsDroppedReason.Get("gone")
@@ -236,6 +277,50 @@ func (s *Server) Accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string) {
 	}
 }
 
+// initMetacert initialized s.metaCert with a self-signed x509 cert
+// encoding this server's public key and protocol version. cmd/derper
+// then sends this after the Let's Encrypt leaf + intermediate certs
+// after the ServerHello (encrypted in TLS 1.3, not that it matters
+// much).
+//
+// Then the client can save a round trip getting that and can start
+// speaking DERP right away. (We don't use ALPN because that's sent in
+// the clear and we're being paranoid to not look too weird to any
+// middleboxes, given that DERP is an ultimate fallback path). But
+// since the post-ServerHello certs are encrypted we can have the
+// client also use them as a signal to be able to start speaking DERP
+// right away, starting with its identity proof, encrypted to the
+// server's public key.
+//
+// This RTT optimization fails where there's a corp-mandated
+// TLS proxy with corp-mandated root certs on employee machines and
+// and TLS proxy cleans up unnecessary certs. In that case we just fall
+// back to the extra RTT.
+func (s *Server) initMetacert() {
+	pub, priv, err := ed25519.GenerateKey(crand.Reader)
+	if err != nil {
+		log.Fatal(err)
+	}
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(ProtocolVersion),
+		Subject: pkix.Name{
+			CommonName: fmt.Sprintf("derpkey%x", s.publicKey[:]),
+		},
+		// Windows requires NotAfter and NotBefore set:
+		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
+		NotBefore: time.Now().Add(-30 * 24 * time.Hour),
+	}
+	cert, err := x509.CreateCertificate(crand.Reader, tmpl, tmpl, pub, priv)
+	if err != nil {
+		log.Fatalf("CreateCertificate: %v", err)
+	}
+	s.metaCert = cert
+}
+
+// MetaCert returns the server metadata cert that can be sent by the
+// TLS server to let the client skip a round trip during start-up.
+func (s *Server) MetaCert() []byte { return s.metaCert }
+
 // registerClient notes that client c is now authenticated and ready for packets.
 // If c's public key was already connected with a different connection, the prior one is closed.
 func (s *Server) registerClient(c *sclient) {
@@ -580,10 +665,8 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}
 
 	p := pkt{
-		bs: contents,
-	}
-	if dst.info.Version >= protocolSrcAddrs {
-		p.src = c.key
+		bs:  contents,
+		src: c.key,
 	}
 	return c.sendPkt(dst, p)
 }
@@ -616,6 +699,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		case <-dst.sendQueue:
 			s.packetsDropped.Add(1)
 			s.packetsDroppedQueueHead.Add(1)
+			if verboseDropKeys[dstKey] {
+				// Generate a full string including src and dst, so
+				// the limiter kicks in once per src.
+				msg := fmt.Sprintf("tail drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+				c.s.limitedLogf(msg)
+			}
 			if debug {
 				c.logf("dropping packet from client %x queue head", dstKey)
 			}
@@ -627,6 +716,12 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// this case to keep reader unblocked.
 	s.packetsDropped.Add(1)
 	s.packetsDroppedQueueTail.Add(1)
+	if verboseDropKeys[dstKey] {
+		// Generate a full string including src and dst, so
+		// the limiter kicks in once per src.
+		msg := fmt.Sprintf("head drop %s -> %s", p.src.ShortString(), dstKey.ShortString())
+		c.s.limitedLogf(msg)
+	}
 	if debug {
 		c.logf("dropping packet from client %x queue tail", dstKey)
 	}
@@ -668,7 +763,7 @@ func (s *Server) sendServerKey(bw *bufio.Writer) error {
 }
 
 type serverInfo struct {
-	Version int // `json:"version,omitempty"`
+	Version int `json:"version,omitempty"`
 }
 
 func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
@@ -676,7 +771,7 @@ func (s *Server) sendServerInfo(bw *bufio.Writer, clientKey key.Public) error {
 	if _, err := crand.Read(nonce[:]); err != nil {
 		return err
 	}
-	msg, err := json.Marshal(serverInfo{Version: protocolVersion})
+	msg, err := json.Marshal(serverInfo{Version: ProtocolVersion})
 	if err != nil {
 		return err
 	}
@@ -738,7 +833,7 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	if frameLen < keyLen {
 		return zpub, nil, errors.New("short send packet frame")
 	}
-	if _, err := io.ReadFull(br, dstKey[:]); err != nil {
+	if err := readPublicKey(br, &dstKey); err != nil {
 		return zpub, nil, err
 	}
 	packetLen := frameLen - keyLen
@@ -751,6 +846,11 @@ func (s *Server) recvPacket(br *bufio.Reader, frameLen uint32) (dstKey key.Publi
 	}
 	s.packetsRecv.Add(1)
 	s.bytesRecv.Add(int64(len(contents)))
+	if disco.LooksLikeDiscoWrapper(contents) {
+		s.packetsRecvDisco.Add(1)
+	} else {
+		s.packetsRecvOther.Add(1)
+	}
 	return dstKey, contents, nil
 }
 
@@ -880,11 +980,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		}
 	}()
 
-	jitterMs, err := crand.Int(crand.Reader, big.NewInt(5000))
-	if err != nil {
-		panic(err)
-	}
-	jitter := time.Duration(jitterMs.Int64()) * time.Millisecond
+	jitter := time.Duration(rand.Intn(5000)) * time.Millisecond
 	keepAliveTick := time.NewTicker(keepAlive + jitter)
 	defer keepAliveTick.Stop()
 
@@ -1040,7 +1136,8 @@ func (c *sclient) sendPacket(srcKey key.Public, contents []byte) (err error) {
 		return err
 	}
 	if withKey {
-		if _, err = c.bw.Write(srcKey[:]); err != nil {
+		err := writePublicKey(c.bw, &srcKey)
+		if err != nil {
 			return err
 		}
 	}
@@ -1181,6 +1278,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("bytes_sent", &s.bytesSent)
 	m.Set("packets_dropped", &s.packetsDropped)
 	m.Set("counter_packets_dropped_reason", &s.packetsDroppedReason)
+	m.Set("counter_packets_received_kind", &s.packetsRecvByKind)
 	m.Set("packets_sent", &s.packetsSent)
 	m.Set("packets_received", &s.packetsRecv)
 	m.Set("unknown_frames", &s.unknownFrames)
@@ -1193,7 +1291,7 @@ func (s *Server) ExpVar() expvar.Var {
 	m.Set("multiforwarder_deleted", &s.multiForwarderDeleted)
 	m.Set("packet_forwarder_delete_other_value", &s.removePktForwardOther)
 	var expvarVersion expvar.String
-	expvarVersion.Set(version.LONG)
+	expvarVersion.Set(version.Long)
 	m.Set("version", &expvarVersion)
 	return m
 }
@@ -1236,3 +1334,34 @@ func (s *Server) ConsistencyCheck() error {
 	}
 	return errors.New(strings.Join(errs, ", "))
 }
+
+// readPublicKey reads key from br.
+// It is ~4x slower than io.ReadFull(br, key),
+// but it prevents key from escaping and thus being allocated.
+// If io.ReadFull(br, key) does not cause key to escape, use that instead.
+func readPublicKey(br *bufio.Reader, key *key.Public) error {
+	// Do io.ReadFull(br, key), but one byte at a time, to avoid allocation.
+	for i := range key {
+		b, err := br.ReadByte()
+		if err != nil {
+			return err
+		}
+		key[i] = b
+	}
+	return nil
+}
+
+// writePublicKey writes key to bw.
+// It is ~3x slower than bw.Write(key[:]),
+// but it prevents key from escaping and thus being allocated.
+// If bw.Write(key[:]) does not cause key to escape, use that instead.
+func writePublicKey(bw *bufio.Writer, key *key.Public) error {
+	// Do bw.Write(key[:]), but one byte at a time to avoid allocation.
+	for _, b := range key {
+		err := bw.WriteByte(b)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

derp/derp_test.go

@@ -8,10 +8,14 @@ import (
 	"bufio"
 	"context"
 	crand "crypto/rand"
+	"crypto/x509"
+	"encoding/json"
 	"errors"
 	"expvar"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"log"
 	"net"
 	"reflect"
 	"sync"
@@ -31,6 +35,22 @@ func newPrivateKey(tb testing.TB) (k key.Private) {
 	return
 }
 
+func TestClientInfoUnmarshal(t *testing.T) {
+	for i, in := range []string{
+		`{"Version":5,"MeshKey":"abc"}`,
+		`{"version":5,"meshKey":"abc"}`,
+	} {
+		var got clientInfo
+		if err := json.Unmarshal([]byte(in), &got); err != nil {
+			t.Fatalf("[%d]: %v", i, err)
+		}
+		want := clientInfo{Version: 5, MeshKey: "abc"}
+		if got != want {
+			t.Errorf("[%d]: got %+v; want %+v", i, got, want)
+		}
+	}
+}
+
 func TestSendRecv(t *testing.T) {
 	serverPrivateKey := newPrivateKey(t)
 	s := NewServer(serverPrivateKey, t.Logf)
@@ -79,6 +99,8 @@ func TestSendRecv(t *testing.T) {
 		if err != nil {
 			t.Fatalf("client %d: %v", i, err)
 		}
+		waitConnect(t, c)
+
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
 		t.Logf("Connected client %d.", i)
@@ -118,7 +140,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -224,6 +246,7 @@ func TestSendFreeze(t *testing.T) {
 		if err != nil {
 			t.Fatal(err)
 		}
+		waitConnect(t, c)
 		return c, c2
 	}
 
@@ -502,7 +525,13 @@ func newTestClient(t *testing.T, ts *testServer, name string, newClient func(net
 func newRegularClient(t *testing.T, ts *testServer, name string) *testClient {
 	return newTestClient(t, ts, name, func(nc net.Conn, priv key.Private, logf logger.Logf) (*Client, error) {
 		brw := bufio.NewReadWriter(bufio.NewReader(nc), bufio.NewWriter(nc))
-		return NewClient(priv, nc, brw, logf)
+		c, err := NewClient(priv, nc, brw, logf)
+		if err != nil {
+			return nil, err
+		}
+		waitConnect(t, c)
+		return c, nil
+
 	})
 }
 
@@ -513,6 +542,7 @@ func newTestWatcher(t *testing.T, ts *testServer, name string) *testClient {
 		if err != nil {
 			return nil, err
 		}
+		waitConnect(t, c)
 		if err := c.WatchConnectionChanges(); err != nil {
 			return nil, err
 		}
@@ -743,6 +773,24 @@ func TestForwarderRegistration(t *testing.T) {
 	})
 }
 
+func TestMetaCert(t *testing.T) {
+	priv := newPrivateKey(t)
+	pub := priv.Public()
+	s := NewServer(priv, t.Logf)
+
+	certBytes := s.MetaCert()
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		log.Fatal(err)
+	}
+	if fmt.Sprint(cert.SerialNumber) != fmt.Sprint(ProtocolVersion) {
+		t.Errorf("serial = %v; want %v", cert.SerialNumber, ProtocolVersion)
+	}
+	if g, w := cert.Subject.CommonName, fmt.Sprintf("derpkey%x", pub[:]); g != w {
+		t.Errorf("CommonName = %q; want %q", g, w)
+	}
+}
+
 func BenchmarkSendRecv(b *testing.B) {
 	for _, size := range []int{10, 100, 1000, 10000} {
 		b.Run(fmt.Sprintf("msgsize=%d", size), func(b *testing.B) { benchmarkSendRecvSize(b, size) })
@@ -803,3 +851,42 @@ func benchmarkSendRecvSize(b *testing.B, packetSize int) {
 		}
 	}
 }
+
+func BenchmarkWriteUint32(b *testing.B) {
+	w := bufio.NewWriter(ioutil.Discard)
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		writeUint32(w, 0x0ba3a)
+	}
+}
+
+type nopRead struct{}
+
+func (r nopRead) Read(p []byte) (int, error) {
+	return len(p), nil
+}
+
+var sinkU32 uint32
+
+func BenchmarkReadUint32(b *testing.B) {
+	r := bufio.NewReader(nopRead{})
+	var err error
+	b.ReportAllocs()
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		sinkU32, err = readUint32(r)
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
+}

derp/derphttp/derphttp_client.go

@@ -14,21 +14,27 @@ import (
 	"bufio"
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
+	"log"
 	"net"
 	"net/http"
 	"net/url"
+	"os"
+	"strings"
 	"sync"
 	"time"
 
+	"go4.org/mem"
 	"inet.af/netaddr"
 	"tailscale.com/derp"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -252,14 +258,41 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 		}
 	}()
 
-	var httpConn net.Conn // a TCP conn or a TLS conn; what we speak HTTP to
+	var httpConn net.Conn    // a TCP conn or a TLS conn; what we speak HTTP to
+	var serverPub key.Public // or zero if unknown (if not using TLS or TLS middlebox eats it)
+	var serverProtoVersion int
 	if c.useHTTPS() {
-		httpConn = c.tlsClient(tcpConn, node)
+		tlsConn := c.tlsClient(tcpConn, node)
+		httpConn = tlsConn
+
+		// Force a handshake now (instead of waiting for it to
+		// be done implicitly on read/write) so we can check
+		// the ConnectionState.
+		if err := tlsConn.Handshake(); err != nil {
+			return nil, 0, err
+		}
+
+		// We expect to be using TLS 1.3 to our own servers, and only
+		// starting at TLS 1.3 are the server's returned certificates
+		// encrypted, so only look for and use our "meta cert" if we're
+		// using TLS 1.3. If we're not using TLS 1.3, it might be a user
+		// running cmd/derper themselves with a different configuration,
+		// in which case we can avoid this fast-start optimization.
+		// (If a corporate proxy is MITM'ing TLS 1.3 connections with
+		// corp-mandated TLS root certs than all bets are off anyway.)
+		// Note that we're not specifically concerned about TLS downgrade
+		// attacks. TLS handles that fine:
+		// https://blog.gypsyengineer.com/en/security/how-does-tls-1-3-protect-against-downgrade-attacks.html
+		connState := tlsConn.ConnectionState()
+		if connState.Version >= tls.VersionTLS13 {
+			serverPub, serverProtoVersion = parseMetaCert(connState.PeerCertificates)
+		}
 	} else {
 		httpConn = tcpConn
 	}
 
 	brw := bufio.NewReadWriter(bufio.NewReader(httpConn), bufio.NewWriter(httpConn))
+	var derpClient *derp.Client
 
 	req, err := http.NewRequest("GET", c.urlString(node), nil)
 	if err != nil {
@@ -268,24 +301,39 @@ func (c *Client) connect(ctx context.Context, caller string) (client *derp.Clien
 	req.Header.Set("Upgrade", "DERP")
 	req.Header.Set("Connection", "Upgrade")
 
-	if err := req.Write(brw); err != nil {
-		return nil, 0, err
-	}
-	if err := brw.Flush(); err != nil {
-		return nil, 0, err
-	}
+	if !serverPub.IsZero() && serverProtoVersion != 0 {
+		// parseMetaCert found the server's public key (no TLS
+		// middlebox was in the way), so skip the HTTP upgrade
+		// exchange.  See https://github.com/tailscale/tailscale/issues/693
+		// for an overview. We still send the HTTP request
+		// just to get routed into the server's HTTP Handler so it
+		// can Hijack the request, but we signal with a special header
+		// that we don't want to deal with its HTTP response.
+		req.Header.Set(fastStartHeader, "1") // suppresses the server's HTTP response
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		// No need to flush the HTTP request. the derp.Client's initial
+		// client auth frame will flush it.
+	} else {
+		if err := req.Write(brw); err != nil {
+			return nil, 0, err
+		}
+		if err := brw.Flush(); err != nil {
+			return nil, 0, err
+		}
 
-	resp, err := http.ReadResponse(brw.Reader, req)
-	if err != nil {
-		return nil, 0, err
+		resp, err := http.ReadResponse(brw.Reader, req)
+		if err != nil {
+			return nil, 0, err
+		}
+		if resp.StatusCode != http.StatusSwitchingProtocols {
+			b, _ := ioutil.ReadAll(resp.Body)
+			resp.Body.Close()
+			return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
+		}
 	}
-	if resp.StatusCode != http.StatusSwitchingProtocols {
-		b, _ := ioutil.ReadAll(resp.Body)
-		resp.Body.Close()
-		return nil, 0, fmt.Errorf("GET failed: %v: %s", err, b)
-	}
-
-	derpClient, err := derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey))
+	derpClient, err = derp.NewClient(c.privateKey, httpConn, brw, c.logf, derp.MeshKey(c.MeshKey), derp.ServerPublicKey(serverPub))
 	if err != nil {
 		return nil, 0, err
 	}
@@ -364,6 +412,14 @@ func (c *Client) tlsClient(nc net.Conn, node *tailcfg.DERPNode) *tls.Conn {
 			tlsdial.SetConfigExpectedCert(tlsConf, node.CertName)
 		}
 	}
+	if n := os.Getenv("SSLKEYLOGFILE"); n != "" {
+		f, err := os.OpenFile(n, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
+		if err != nil {
+			log.Fatal(err)
+		}
+		log.Printf("WARNING: writing to SSLKEYLOGFILE %v", n)
+		tlsConf.KeyLogWriter = f
+	}
 	return tls.Client(nc, tlsConf)
 }
 
@@ -420,6 +476,19 @@ const dialNodeTimeout = 1500 * time.Millisecond
 // TODO(bradfitz): longer if no options remain perhaps? ...  Or longer
 // overall but have dialRegion start overlapping races?
 func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, error) {
+	// First see if we need to use an HTTP proxy.
+	proxyReq := &http.Request{
+		Method: "GET", // doesn't really matter
+		URL: &url.URL{
+			Scheme: "https",
+			Host:   c.tlsServerName(n),
+			Path:   "/", // unused
+		},
+	}
+	if proxyURL, err := tshttpproxy.ProxyFromEnvironment(proxyReq); err == nil && proxyURL != nil {
+		return c.dialNodeUsingProxy(ctx, n, proxyURL)
+	}
+
 	type res struct {
 		c   net.Conn
 		err error
@@ -480,6 +549,77 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 	}
 }
 
+func firstStr(a, b string) string {
+	if a != "" {
+		return a
+	}
+	return b
+}
+
+// dialNodeUsingProxy connects to n using a CONNECT to the HTTP(s) proxy in proxyURL.
+func (c *Client) dialNodeUsingProxy(ctx context.Context, n *tailcfg.DERPNode, proxyURL *url.URL) (proxyConn net.Conn, err error) {
+	pu := proxyURL
+	if pu.Scheme == "https" {
+		var d tls.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "443")))
+	} else {
+		var d net.Dialer
+		proxyConn, err = d.DialContext(ctx, "tcp", net.JoinHostPort(pu.Hostname(), firstStr(pu.Port(), "80")))
+	}
+	defer func() {
+		if err != nil && proxyConn != nil {
+			// In a goroutine in case it's a *tls.Conn (that can block on Close)
+			// TODO(bradfitz): track the underlying tcp.Conn and just close that instead.
+			go proxyConn.Close()
+		}
+	}()
+	if err != nil {
+		return nil, err
+	}
+
+	done := make(chan struct{})
+	defer close(done)
+	go func() {
+		select {
+		case <-done:
+			return
+		case <-ctx.Done():
+			proxyConn.Close()
+		}
+	}()
+
+	target := net.JoinHostPort(n.HostName, "443")
+
+	var authHeader string
+	if v, err := tshttpproxy.GetAuthHeader(pu); err != nil {
+		c.logf("derphttp: error getting proxy auth header for %v: %v", proxyURL, err)
+	} else if v != "" {
+		authHeader = fmt.Sprintf("Proxy-Authorization: %s\r\n", v)
+	}
+
+	if _, err := fmt.Fprintf(proxyConn, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n%s\r\n", target, pu.Hostname(), authHeader); err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		return nil, err
+	}
+
+	br := bufio.NewReader(proxyConn)
+	res, err := http.ReadResponse(br, nil)
+	if err != nil {
+		if ctx.Err() != nil {
+			return nil, ctx.Err()
+		}
+		c.logf("derphttp: CONNECT dial to %s: %v", target, err)
+		return nil, err
+	}
+	c.logf("derphttp: CONNECT dial to %s: %v", target, res.Status)
+	if res.StatusCode != 200 {
+		return nil, fmt.Errorf("invalid response status from HTTP proxy %s on CONNECT to %s: %v", pu, target, res.Status)
+	}
+	return proxyConn, nil
+}
+
 func (c *Client) Send(dstKey key.Public, b []byte) error {
 	client, _, err := c.connect(context.TODO(), "derphttp.Client.Send")
 	if err != nil {
@@ -614,3 +754,16 @@ func (c *Client) closeForReconnect(brokenClient *derp.Client) {
 }
 
 var ErrClientClosed = errors.New("derphttp.Client closed")
+
+func parseMetaCert(certs []*x509.Certificate) (serverPub key.Public, serverProtoVersion int) {
+	for _, cert := range certs {
+		if cn := cert.Subject.CommonName; strings.HasPrefix(cn, "derpkey") {
+			var err error
+			serverPub, err = key.NewPublicFromHexMem(mem.S(strings.TrimPrefix(cn, "derpkey")))
+			if err == nil && cert.SerialNumber.BitLen() <= 8 { // supports up to version 255
+				return serverPub, int(cert.SerialNumber.Int64())
+			}
+		}
+	}
+	return key.Public{}, 0
+}

derp/derphttp/derphttp_server.go

@@ -5,33 +5,51 @@
 package derphttp
 
 import (
+	"fmt"
 	"log"
 	"net/http"
 
 	"tailscale.com/derp"
 )
 
+// fastStartHeader is the header (with value "1") that signals to the HTTP
+// server that the DERP HTTP client does not want the HTTP 101 response
+// headers and it will begin writing & reading the DERP protocol immediately
+// following its HTTP request.
+const fastStartHeader = "Derp-Fast-Start"
+
 func Handler(s *derp.Server) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if p := r.Header.Get("Upgrade"); p != "WebSocket" && p != "DERP" {
 			http.Error(w, "DERP requires connection upgrade", http.StatusUpgradeRequired)
 			return
 		}
-		w.Header().Set("Upgrade", "DERP")
-		w.Header().Set("Connection", "Upgrade")
-		w.WriteHeader(http.StatusSwitchingProtocols)
+		fastStart := r.Header.Get(fastStartHeader) == "1"
 
 		h, ok := w.(http.Hijacker)
 		if !ok {
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
 		netConn, conn, err := h.Hijack()
 		if err != nil {
 			log.Printf("Hijack failed: %v", err)
 			http.Error(w, "HTTP does not support general TCP support", 500)
 			return
 		}
+
+		if !fastStart {
+			pubKey := s.PublicKey()
+			fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
+				"Upgrade: DERP\r\n"+
+				"Connection: Upgrade\r\n"+
+				"Derp-Version: %v\r\n"+
+				"Derp-Public-Key: %x\r\n\r\n",
+				derp.ProtocolVersion,
+				pubKey[:])
+		}
+
 		s.Accept(netConn, conn, netConn.RemoteAddr().String())
 	})
 }

derp/derphttp/derphttp_test.go

@@ -6,7 +6,6 @@ package derphttp
 
 import (
 	"context"
-	crand "crypto/rand"
 	"crypto/tls"
 	"net"
 	"net/http"
@@ -19,22 +18,15 @@ import (
 )
 
 func TestSendRecv(t *testing.T) {
+	serverPrivateKey := key.NewPrivate()
+
 	const numClients = 3
-	var serverPrivateKey key.Private
-	if _, err := crand.Read(serverPrivateKey[:]); err != nil {
-		t.Fatal(err)
-	}
 	var clientPrivateKeys []key.Private
-	for i := 0; i < numClients; i++ {
-		var key key.Private
-		if _, err := crand.Read(key[:]); err != nil {
-			t.Fatal(err)
-		}
-		clientPrivateKeys = append(clientPrivateKeys, key)
-	}
 	var clientKeys []key.Public
-	for _, privKey := range clientPrivateKeys {
-		clientKeys = append(clientKeys, privKey.Public())
+	for i := 0; i < numClients; i++ {
+		priv := key.NewPrivate()
+		clientPrivateKeys = append(clientPrivateKeys, priv)
+		clientKeys = append(clientKeys, priv.Public())
 	}
 
 	s := derp.NewServer(serverPrivateKey, t.Logf)
@@ -81,6 +73,7 @@ func TestSendRecv(t *testing.T) {
 		if err := c.Connect(context.Background()); err != nil {
 			t.Fatalf("client %d Connect: %v", i, err)
 		}
+		waitConnect(t, c)
 		clients = append(clients, c)
 		recvChs = append(recvChs, make(chan []byte))
 
@@ -95,6 +88,11 @@ func TestSendRecv(t *testing.T) {
 				}
 				m, err := c.Recv()
 				if err != nil {
+					select {
+					case <-done:
+						return
+					default:
+					}
 					t.Logf("client%d: %v", i, err)
 					break
 				}
@@ -118,7 +116,7 @@ func TestSendRecv(t *testing.T) {
 			if got := string(b); got != want {
 				t.Errorf("client1.Recv=%q, want %q", got, want)
 			}
-		case <-time.After(1 * time.Second):
+		case <-time.After(5 * time.Second):
 			t.Errorf("client%d.Recv, got nothing, want %q", i, want)
 		}
 	}
@@ -146,5 +144,13 @@ func TestSendRecv(t *testing.T) {
 	recv(2, string(msg2))
 	recvNothing(0)
 	recvNothing(1)
-
+}
+
+func waitConnect(t testing.TB, c *Client) {
+	t.Helper()
+	if m, err := c.Recv(); err != nil {
+		t.Fatalf("client first Recv: %v", err)
+	} else if v, ok := m.(derp.ServerInfoMessage); !ok {
+		t.Fatalf("client first Recv was unexpected type %T", v)
+	}
 }

derp/derpmap/derpmap.go

@@ -3,6 +3,13 @@
 // license that can be found in the LICENSE file.
 
 // Package derpmap contains information about Tailscale.com's production DERP nodes.
+//
+// This package is only used by the "tailscale netcheck" command for debugging.
+// In normal operation the Tailscale nodes get this sent to them from the control
+// server.
+//
+// TODO: remove this package and make "tailscale netcheck" get the
+// list from the control server too.
 package derpmap
 
 import (
@@ -21,9 +28,10 @@ func derpNode(suffix, v4, v6 string) *tailcfg.DERPNode {
 	}
 }
 
-func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
+func derpRegion(id int, code, name string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRegion {
 	region := &tailcfg.DERPRegion{
 		RegionID:   id,
+		RegionName: name,
 		RegionCode: code,
 		Nodes:      nodes,
 	}
@@ -45,21 +53,36 @@ func derpRegion(id int, code string, nodes ...*tailcfg.DERPNode) *tailcfg.DERPRe
 func Prod() *tailcfg.DERPMap {
 	return &tailcfg.DERPMap{
 		Regions: map[int]*tailcfg.DERPRegion{
-			1: derpRegion(1, "nyc",
+			1: derpRegion(1, "nyc", "New York City",
 				derpNode("a", "159.89.225.99", "2604:a880:400:d1::828:b001"),
 			),
-			2: derpRegion(2, "sfo",
+			2: derpRegion(2, "sfo", "San Francisco",
 				derpNode("a", "167.172.206.31", "2604:a880:2:d1::c5:7001"),
 			),
-			3: derpRegion(3, "sin",
+			3: derpRegion(3, "sin", "Singapore",
 				derpNode("a", "68.183.179.66", "2400:6180:0:d1::67d:8001"),
 			),
-			4: derpRegion(4, "fra",
+			4: derpRegion(4, "fra", "Frankfurt",
 				derpNode("a", "167.172.182.26", "2a03:b0c0:3:e0::36e:9001"),
 			),
-			5: derpRegion(5, "syd",
+			5: derpRegion(5, "syd", "Sydney",
 				derpNode("a", "103.43.75.49", "2001:19f0:5801:10b7:5400:2ff:feaa:284c"),
 			),
+			6: derpRegion(6, "blr", "Bangalore",
+				derpNode("a", "68.183.90.120", "2400:6180:100:d0::982:d001"),
+			),
+			7: derpRegion(7, "tok", "Tokyo",
+				derpNode("a", "167.179.89.145", "2401:c080:1000:467f:5400:2ff:feee:22aa"),
+			),
+			8: derpRegion(8, "lhr", "London",
+				derpNode("a", "167.71.139.179", "2a03:b0c0:1:e0::3cc:e001"),
+			),
+			9: derpRegion(9, "dfw", "Dallas",
+				derpNode("a", "207.148.3.137", "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"),
+			),
+			10: derpRegion(10, "sea", "Seattle",
+				derpNode("a", "137.220.36.168", "2001:19f0:8001:2d9:5400:2ff:feef:bbb1"),
+			),
 		},
 	}
 }

go.mod

@@ -3,11 +3,13 @@ module tailscale.com
 go 1.14
 
 require (
+	github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5
 	github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 // indirect
 	github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29
 	github.com/coreos/go-iptables v0.4.5
 	github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 // indirect
 	github.com/gliderlabs/ssh v0.2.2
+	github.com/go-multierror/multierror v1.0.2
 	github.com/go-ole/go-ole v1.2.4
 	github.com/godbus/dbus/v5 v5.0.3
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
@@ -20,18 +22,19 @@ require (
 	github.com/miekg/dns v1.1.30
 	github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3
 	github.com/peterbourgon/ff/v2 v2.0.0
-	github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f
-	github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a
+	github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be
+	github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	go4.org/mem v0.0.0-20200706164138-185c595c3ecc
-	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
-	golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5
+	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
+	golang.org/x/net v0.0.0-20200822124328-c89045814202
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e
-	golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3
+	golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
+	golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0
-	golang.org/x/tools v0.0.0-20191216052735-49a3e744a425
+	golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d
+	golang.zx2c4.com/wireguard/windows v0.1.2-0.20201004085714-dd60d0447f81
 	honnef.co/go/tools v0.0.1-2020.1.4
 	inet.af/netaddr v0.0.0-20200810144936-56928fe48a98
 	rsc.io/goversion v1.2.0

go.sum

@@ -3,12 +3,11 @@ github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Masterminds/semver/v3 v3.0.3 h1:znjIyLfpXEDQjOIEWh+ehwpTU14UzUPub3c3sm36u14=
 github.com/Masterminds/semver/v3 v3.0.3/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
-github.com/alecthomas/kingpin v2.2.6+incompatible h1:5svnBTFgJjZvGKyYBtMB0+m5wvrbUHiqye8wRJMlnYI=
 github.com/alecthomas/kingpin v2.2.6+incompatible/go.mod h1:59OFYbFVLKQKq+mqrL6Rw5bR0c3ACQaawgXx0QYndlE=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
-github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d h1:UQZhZ2O0vMHr2cI+DC1Mbh0TJxzA3RcLoMsFw+aXw7E=
 github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5 h1:P5U+E4x5OkVEKQDklVPmzs71WM56RTTRqV4OrDC//Y4=
+github.com/alexbrainman/sspi v0.0.0-20180613141037-e580b900e9f5/go.mod h1:976q2ETgjT2snVCf2ZaBnyBbVoPERGjUz+0sofzEfro=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/apenwarr/fixconsole v0.0.0-20191012055117-5a9f6489cc29 h1:muXWUcay7DDy1/hEQWrYlBy+g0EuwT70sBHg65SeUc4=
@@ -28,6 +27,8 @@ github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568 h1:BHsljHzVlRcyQhjr
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/gliderlabs/ssh v0.2.2 h1:6zsha5zo/TWhRhwqCD3+EarCAgZ2yN28ipRnGPnwkI0=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
+github.com/go-multierror/multierror v1.0.2 h1:AwsKbEXkmf49ajdFJgcFXqSG0aLo0HEyAE9zk9JguJo=
+github.com/go-multierror/multierror v1.0.2/go.mod h1:U7SZR/D9jHgt2nkSj8XcbCWdmVM2igraCHQ3HC1HiKY=
 github.com/go-ole/go-ole v1.2.4 h1:nNBDSCOigTSiarFpYE9J/KtEA1IOW4CNeqT9TQDqCxI=
 github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
 github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME=
@@ -59,6 +60,8 @@ github.com/kr/pty v1.1.1 h1:VkoXIwSboBpnk99O/KFauAEILuNHv5DVFKZMBN/gUgw=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lxn/walk v0.0.0-20191128110447-55ccb3a9f5c1/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
+github.com/lxn/win v0.0.0-20191128105842-2da648fda5b4/go.mod h1:ouWl4wViUNh8tPSIwxTVMuS014WakR1hqvBc2I0bMoA=
 github.com/mattn/go-zglob v0.0.1 h1:xsEx/XUoVlI6yXjqBK062zYhRTZltCNmYPx6v+8DNaY=
 github.com/mattn/go-zglob v0.0.1/go.mod h1:9fxibJccNxU2cnpIKLRRFA7zX7qhkJIQWBb449FYHOo=
 github.com/mdlayher/netlink v0.0.0-20190409211403-11939a169225/go.mod h1:eQB3mZE4aiYnlUsyGGCOpPETfdQq4Jhsgf1fk3cwQaA=
@@ -74,6 +77,8 @@ github.com/pborman/getopt v0.0.0-20190409184431-ee0cd42419d3/go.mod h1:85jBQOZwp
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
 github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
+github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
+github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7/go.mod h1:zO8QMzTeZd5cpnIkz/Gn6iK0jDfGicM1nynOkkPIl28=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -81,13 +86,19 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
+github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
+github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f h1:uFj5bslHsMzxIM8UTjAhq4VXeo6GfNW91rpoh/WMJaY=
-github.com/tailscale/winipcfg-go v0.0.0-20200413171540-609dcf2df55f/go.mod h1:x880GWw5fvrl2DVTQ04ttXQD4DuppTt1Yz6wLibbjNE=
-github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a h1:dQEgNpoOJf+8MswlvXJicb8ZDQqZAGe8f/WfzbDMvtE=
-github.com/tailscale/wireguard-go v0.0.0-20200806235025-91988cfbaa3a/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be h1:ZKe3kVGbu/goUVxXcaCPbQ4b0STQ5NsCpG90CG6mw/c=
+github.com/tailscale/depaware v0.0.0-20201003033024-5d95aab075be/go.mod h1:jissDaJNHiyV2tFdr3QyNEfsZrax/i2yQiSO+CljThI=
+github.com/tailscale/wireguard-go v0.0.0-20200921221757-11a958a67bdd h1:yEWpro9EdxGgkt24NInVnONIJxRLURH5c37Ki5+06EE=
+github.com/tailscale/wireguard-go v0.0.0-20200921221757-11a958a67bdd/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/wireguard-go v0.0.0-20201008164108-2c83f43a9859 h1:Z7bXXCYRg/8sjSyKTk0V8Yso/gQjNvPb10DBemKuz+A=
+github.com/tailscale/wireguard-go v0.0.0-20201008164108-2c83f43a9859/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
+github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f h1:KMx58dbn2YCutzOvjNHgmvbwQH7nGE8H+J42Nenjl/M=
+github.com/tailscale/wireguard-go v0.0.0-20201021041318-a6168fd06b3f/go.mod h1:WXq+IkSOJGIgfF1XW+4z4oW+LX/TXzU9DcKlT5EZLi4=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
 github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
@@ -96,16 +107,22 @@ github.com/ulikunitz/xz v0.5.6 h1:jGHAfXawEGZQ3blwU5wnWKQJvAraT7Ftq9EXjnXYgt8=
 github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 h1:nIPpBwaJSVYIxUFsDv3M8ofmx9yWTog9BfvIu0q41lo=
 github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8/go.mod h1:HUYIGzjTL3rfEspMxjDjgmT5uz5wzYJKVo23qUhYTos=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go4.org/mem v0.0.0-20200706164138-185c595c3ecc h1:paujszgN6SpsO/UsXC7xax3gQAKz/XQKCYZLQdU34Tw=
 go4.org/mem v0.0.0-20200706164138-185c595c3ecc/go.mod h1:NEYvpHWemiG/E5UWfaN5QAIGZeT1sa0Z2UNk6oeMb/k=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191002192127-34f69633bfdc/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79 h1:IaQbIIB2X/Mp/DKctl6ROxz1KyMlKp4uyvL6+kQ7C88=
 golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899 h1:DZhuSZLsGlFL4CmhA8BcRA0mnthyA/nZ00AqCUo7vHg=
+golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -113,46 +130,57 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191003171128-d98b1b443823/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191007182048-72f939374954/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI=
 golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5 h1:WQ8q63x+f/zpC8Ac1s9wLElVoHhm32p6tudrU72n1QA=
 golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d h1:TzXSXBo42m9gQenoE3b9BGiEpg5IG2JkU5FkPIawgtw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4 h1:YUO/7uOKsKeq9UokNS62b8FYywz3ker1l1vDZRCRefw=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e h1:vcxGaoTs7kV8m5Np9uUNQin4BrLOthgV7252N8V+FwY=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190310054646-10058d7d4faa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190405154228-4b34438f7a67/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191003212358-c178f38b412c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5 h1:LfCXLvNmTYH9kEmVgqbnsWfruoXZIrh4YBgqVHtDvw0=
 golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3 h1:5B6i6EAiSYyejWfvc5Rc9BbI3rzIsrrXfAQBWnYfn+w=
 golang.org/x/sys v0.0.0-20200501145240-bc7a7d42d5c3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d h1:QQrM/CCYEzTs91GZylDCQjGHudbPTxF/1fvXdVh5lMo=
+golang.org/x/sys v0.0.0-20200812155832-6a926be9bd1d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d h1:/iIZNFGxc/a7C3yWjGcnboV+Tkc7mxr+p6fDztwoxuM=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA=
 golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20201001230009-b5b87423c93b/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
+golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d h1:vWQvJ/Z0Lu+9/8oQ/pAYXNzbc7CMnBl+tULGVHOy3oE=
+golang.org/x/tools v0.0.0-20201002184944-ecd9fd270d5d/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20200715051853-507f148e1c42 h1:SrR1hmxGKKarHEEDvaHxatwnqE3uT+7jvMcin6SHOkw=
+golang.zx2c4.com/wireguard v0.0.20200321-0.20200715051853-507f148e1c42/go.mod h1:GJvYs5O24/ASlwPiRklVnjMx2xQzrOic0DuU6GvYJL4=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201004085714-dd60d0447f81 h1:cT2oWlz8v9g7bjFZclT362akxJJfGv9d7ccKu6GQUbA=
+golang.zx2c4.com/wireguard/windows v0.1.2-0.20201004085714-dd60d0447f81/go.mod h1:GaK5zcgr5XE98WaRzIDilumDBp5/yP8j2kG/LCDnvAM=
 google.golang.org/appengine v1.4.0 h1:/wp5JvzpHIxhs/dumFmF7BXTf3Z+dd4uXta4kVyO508=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -166,8 +194,6 @@ gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.1-2020.1.4 h1:UoveltGrhghAA7ePc+e+QYDHXrBps2PqFZiHkGR/xK8=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c h1:si3Owrfem175Ry6gKqnh59eOXxDojyBTIHxUKuvK/Eo=
-inet.af/netaddr v0.0.0-20200718043157-99321d6ad24c/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98 h1:bWyWDZP0l6VnQ1TDKf6yNwuiEDV6Q3q1Mv34m+lzT1I=
 inet.af/netaddr v0.0.0-20200810144936-56928fe48a98/go.mod h1:qqYzz/2whtrbWJvt+DNWQyvekNN4ePQZcg2xc2/Yjww=
 rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=

internal/tooldeps/tooldeps.go

@@ -0,0 +1,9 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tooldeps
+
+import (
+	_ "github.com/tailscale/depaware/depaware"
+)

ipn/backend.go

@@ -21,6 +21,7 @@ type State int
 
 const (
 	NoState = State(iota)
+	InUseOtherUser
 	NeedsLogin
 	NeedsMachineAuth
 	Stopped
@@ -33,8 +34,14 @@ const (
 const GoogleIDTokenType = "ts_android_google_login"
 
 func (s State) String() string {
-	return [...]string{"NoState", "NeedsLogin", "NeedsMachineAuth",
-		"Stopped", "Starting", "Running"}[s]
+	return [...]string{
+		"NoState",
+		"InUseOtherUser",
+		"NeedsLogin",
+		"NeedsMachineAuth",
+		"Stopped",
+		"Starting",
+		"Running"}[s]
 }
 
 // EngineStatus contains WireGuard engine stats.
@@ -53,7 +60,7 @@ type EngineStatus struct {
 type Notify struct {
 	_             structs.Incomparable
 	Version       string                    // version number of IPN backend
-	ErrMessage    *string                   // critical error message, if any
+	ErrMessage    *string                   // critical error message, if any; for InUseOtherUser, the details
 	LoginFinished *empty.Message            // event: non-nil when login process succeeded
 	State         *State                    // current IPN state has changed
 	Prefs         *Prefs                    // preferences were changed
@@ -62,6 +69,7 @@ type Notify struct {
 	Status        *ipnstate.Status          // full status
 	BrowseToURL   *string                   // UI should open a browser right now
 	BackendLogID  *string                   // public logtail id used by backend
+	PingResult    *ipnstate.PingResult
 
 	// LocalTCPPort, if non-nil, informs the UI frontend which
 	// (non-zero) localhost TCP port it's listening on.
@@ -80,14 +88,14 @@ type Notify struct {
 // shared by several consecutive users. Ideally we would just use the
 // username of the connected frontend as the StateKey.
 //
-// However, on Windows, there seems to be no safe way to figure out
-// the owning user of a process connected over IPC mechanisms
-// (sockets, named pipes). So instead, on Windows, we use a
-// capability-oriented system where the frontend generates a random
-// identifier for itself, and uses that as the StateKey when talking
-// to the backend. That way, while we can't identify an OS user by
-// name, we can tell two different users apart, because they'll have
-// different opaque state keys (and no access to each others's keys).
+// Various platforms currently set StateKey in different ways:
+//
+// * the macOS/iOS GUI apps set it to "ipn-go-bridge"
+// * the Android app sets it to "ipn-android"
+// * on Windows, it's the empty string (in client mode) or, via
+//   LocalBackend.userID, a string like "user-$USER_ID" (used in
+//   server mode).
+// * on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
 type StateKey string
 
 type Options struct {
@@ -96,7 +104,8 @@ type Options struct {
 	// StateKey and Prefs together define the state the backend should
 	// use:
 	//  - StateKey=="" && Prefs!=nil: use Prefs for internal state,
-	//    don't persist changes in the backend.
+	//    don't persist changes in the backend, except for the machine key
+	//    for migration purposes.
 	//  - StateKey!="" && Prefs==nil: load the given backend-side
 	//    state and use/update that.
 	//  - StateKey!="" && Prefs!=nil: like the previous case, but do
@@ -143,6 +152,9 @@ type Backend interface {
 	// WantRunning. This may cause the wireguard engine to
 	// reconfigure or stop.
 	SetPrefs(*Prefs)
+	// SetWantRunning is like SetPrefs but sets only the
+	// WantRunning field.
+	SetWantRunning(wantRunning bool)
 	// RequestEngineStatus polls for an update from the wireguard
 	// engine. Only needed if you want to display byte
 	// counts. Connection events are emitted automatically without
@@ -156,4 +168,8 @@ type Backend interface {
 	// make sure they react properly with keys that are going to
 	// expire.
 	FakeExpireAfter(x time.Duration)
+	// Ping attempts to start connecting to the given IP and sends a Notify
+	// with its PingResult. If the host is down, there might never
+	// be a PingResult sent. The cmd/tailscale CLI client adds a timeout.
+	Ping(ip string)
 }

ipn/fake_test.go

@@ -79,6 +79,10 @@ func (b *FakeBackend) SetPrefs(new *Prefs) {
 	}
 }
 
+func (b *FakeBackend) SetWantRunning(v bool) {
+	b.SetPrefs(&Prefs{WantRunning: v})
+}
+
 func (b *FakeBackend) RequestEngineStatus() {
 	b.notify(Notify{Engine: &EngineStatus{}})
 }
@@ -90,3 +94,7 @@ func (b *FakeBackend) RequestStatus() {
 func (b *FakeBackend) FakeExpireAfter(x time.Duration) {
 	b.notify(Notify{NetMap: &controlclient.NetworkMap{}})
 }
+
+func (b *FakeBackend) Ping(ip string) {
+	b.notify(Notify{PingResult: &ipnstate.PingResult{}})
+}

ipn/ipnserver/server.go

@@ -7,23 +7,33 @@ package ipnserver
 import (
 	"bufio"
 	"context"
+	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"os"
 	"os/exec"
 	"os/signal"
+	"os/user"
+	"runtime"
+	"strings"
 	"sync"
 	"syscall"
 	"time"
 
+	"inet.af/netaddr"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/ipn"
+	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
+	"tailscale.com/net/netstat"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/pidowner"
 	"tailscale.com/version"
 	"tailscale.com/wgengine"
 )
@@ -61,6 +71,12 @@ type Options struct {
 	// its existing state, and accepts new frontend connections. If
 	// false, the server dumps its state and becomes idle.
 	//
+	// This is effectively whether the platform is in "server
+	// mode" by default. On Linux, it's true; on Windows, it's
+	// false. But on some platforms (currently only Windows), the
+	// "server mode" can be overridden at runtime with a change in
+	// Prefs.ForceDaemon/WantRunning.
+	//
 	// To support CLI connections (notably, "tailscale status"),
 	// the actual definition of "disconnect" is when the
 	// connection count transitions from 1 to 0.
@@ -74,21 +90,185 @@ type Options struct {
 // server is an IPN backend and its set of 0 or more active connections
 // talking to an IPN backend.
 type server struct {
-	resetOnZero bool // call bs.Reset on transition from 1->0 connections
+	b    *ipn.LocalBackend
+	logf logger.Logf
+	// resetOnZero is whether to call bs.Reset on transition from
+	// 1->0 connections.  That is, this is whether the backend is
+	// being run in "client mode" that requires an active GUI
+	// connection (such as on Windows by default).  Even if this
+	// is true, the ForceDaemon pref can override this.
+	resetOnZero bool
 
 	bsMu sync.Mutex // lock order: bsMu, then mu
 	bs   *ipn.BackendServer
 
-	mu      sync.Mutex
-	clients map[net.Conn]bool
+	mu             sync.Mutex
+	serverModeUser *user.User                   // or nil if not in server mode
+	lastUserID     string                       // tracks last userid; on change, Reset state for paranoia
+	allClients     map[net.Conn]connIdentity    // HTTP or IPN
+	clients        map[net.Conn]bool            // subset of allClients; only IPN protocol
+	disconnectSub  map[chan<- struct{}]struct{} // keys are subscribers of disconnects
+}
+
+// connIdentity represents the owner of a localhost TCP connection.
+type connIdentity struct {
+	Unknown bool
+	Pid     int
+	UserID  string
+	User    *user.User
+}
+
+// getConnIdentity returns the localhost TCP connection's identity information
+// (pid, userid, user). If it's not Windows (for now), it returns a nil error
+// and a ConnIdentity with Unknown set true. It's only an error if we expected
+// to be able to map it and couldn't.
+func (s *server) getConnIdentity(c net.Conn) (ci connIdentity, err error) {
+	if runtime.GOOS != "windows" { // for now; TODO: expand to other OSes
+		return connIdentity{Unknown: true}, nil
+	}
+	la, err := netaddr.ParseIPPort(c.LocalAddr().String())
+	if err != nil {
+		return ci, fmt.Errorf("parsing local address: %w", err)
+	}
+	ra, err := netaddr.ParseIPPort(c.RemoteAddr().String())
+	if err != nil {
+		return ci, fmt.Errorf("parsing local remote: %w", err)
+	}
+	if !la.IP.IsLoopback() || !ra.IP.IsLoopback() {
+		return ci, errors.New("non-loopback connection")
+	}
+	tab, err := netstat.Get()
+	if err != nil {
+		return ci, fmt.Errorf("failed to get local connection table: %w", err)
+	}
+	pid := peerPid(tab.Entries, la, ra)
+	if pid == 0 {
+		return ci, errors.New("no local process found matching localhost connection")
+	}
+	ci.Pid = pid
+	uid, err := pidowner.OwnerOfPID(pid)
+	if err != nil {
+		var hint string
+		if runtime.GOOS == "windows" {
+			hint = " (WSL?)"
+		}
+		return ci, fmt.Errorf("failed to map connection's pid to a user%s: %w", hint, err)
+	}
+	ci.UserID = uid
+	u, err := s.lookupUserFromID(uid)
+	if err != nil {
+		return ci, fmt.Errorf("failed to look up user from userid: %w", err)
+	}
+	ci.User = u
+	return ci, nil
+}
+
+func (s *server) lookupUserFromID(uid string) (*user.User, error) {
+	u, err := user.LookupId(uid)
+	if err != nil && runtime.GOOS == "windows" && errors.Is(err, syscall.Errno(0x534)) {
+		s.logf("[warning] issue 869: os/user.LookupId failed; ignoring")
+		// Work around https://github.com/tailscale/tailscale/issues/869 for
+		// now. We don't strictly need the username. It's just a nice-to-have.
+		// So make up a *user.User if their machine is broken in this way.
+		return &user.User{
+			Uid:      uid,
+			Username: "unknown-user-" + uid,
+			Name:     "unknown user " + uid,
+		}, nil
+	}
+	return u, err
+}
+
+// blockWhileInUse blocks while until either a Read from conn fails
+// (i.e. it's closed) or until the server is able to accept ci as a
+// user.
+func (s *server) blockWhileInUse(conn io.Reader, ci connIdentity) {
+	s.logf("blocking client while server in use; connIdentity=%v", ci)
+	connDone := make(chan struct{})
+	go func() {
+		io.Copy(ioutil.Discard, conn)
+		close(connDone)
+	}()
+	ch := make(chan struct{}, 1)
+	s.registerDisconnectSub(ch, true)
+	defer s.registerDisconnectSub(ch, false)
+	for {
+		select {
+		case <-connDone:
+			s.logf("blocked client Read completed; connIdentity=%v", ci)
+			return
+		case <-ch:
+			s.mu.Lock()
+			err := s.checkConnIdentityLocked(ci)
+			s.mu.Unlock()
+			if err == nil {
+				s.logf("unblocking client, server is free; connIdentity=%v", ci)
+				// Server is now available again for a new user.
+				// TODO(bradfitz): keep this connection alive. But for
+				// now just return and have our caller close the connection
+				// (which unblocks the io.Copy goroutine we started above)
+				// and then the client (e.g. Windows) will reconnect and
+				// discover that it works.
+				return
+			}
+		}
+	}
 }
 
 func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
-	s.addConn(c)
-	logf("incoming control connection")
+	// First see if it's an HTTP request.
+	br := bufio.NewReader(c)
+	c.SetReadDeadline(time.Now().Add(time.Second))
+	peek, _ := br.Peek(4)
+	c.SetReadDeadline(time.Time{})
+	isHTTPReq := string(peek) == "GET "
+
+	ci, err := s.addConn(c, isHTTPReq)
+	if err != nil {
+		if isHTTPReq {
+			fmt.Fprintf(c, "HTTP/1.0 500 Nope\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n\r\n%s\n", err.Error())
+			c.Close()
+			return
+		}
+		defer c.Close()
+		serverToClient := func(b []byte) { ipn.WriteMsg(c, b) }
+		bs := ipn.NewBackendServer(logf, nil, serverToClient)
+		_, occupied := err.(inUseOtherUserError)
+		if occupied {
+			bs.SendInUseOtherUserErrorMessage(err.Error())
+			s.blockWhileInUse(c, ci)
+		} else {
+			bs.SendErrorMessage(err.Error())
+			time.Sleep(time.Second)
+		}
+		return
+	}
+
+	// Tell the LocalBackend about the identity we're now running as.
+	s.b.SetCurrentUserID(ci.UserID)
+
+	if isHTTPReq {
+		httpServer := http.Server{
+			// Localhost connections are cheap; so only do
+			// keep-alives for a short period of time, as these
+			// active connections lock the server into only serving
+			// that user. If the user has this page open, we don't
+			// want another switching user to be locked out for
+			// minutes. 5 seconds is enough to let browser hit
+			// favicon.ico and such.
+			IdleTimeout: 5 * time.Second,
+			ErrorLog:    logger.StdLogger(logf),
+			Handler:     s.localhostHandler(ci),
+		}
+		httpServer.Serve(&oneConnListener{&protoSwitchConn{s: s, br: br, Conn: c}})
+		return
+	}
+
 	defer s.removeAndCloseConn(c)
+	logf("incoming control connection")
+
 	for ctx.Err() == nil {
-		msg, err := ipn.ReadMsg(c)
+		msg, err := ipn.ReadMsg(br)
 		if err != nil {
 			if ctx.Err() == nil {
 				logf("ReadMsg: %v", err)
@@ -107,25 +287,126 @@ func (s *server) serveConn(ctx context.Context, c net.Conn, logf logger.Logf) {
 	}
 }
 
-func (s *server) addConn(c net.Conn) {
+// inUseOtherUserError is the error type for when the server is in use
+// by a different local user.
+type inUseOtherUserError struct{ error }
+
+func (e inUseOtherUserError) Unwrap() error { return e.error }
+
+// checkConnIdentityLocked checks whether the provided identity is
+// allowed to connect to the server.
+//
+// The returned error, when non-nil, will be of type inUseOtherUserError.
+//
+// s.mu must be held.
+func (s *server) checkConnIdentityLocked(ci connIdentity) error {
+	// If clients are already connected, verify they're the same user.
+	// This mostly matters on Windows at the moment.
+	if len(s.allClients) > 0 {
+		var active connIdentity
+		for _, active = range s.allClients {
+			break
+		}
+		if ci.UserID != active.UserID {
+			//lint:ignore ST1005 we want to capitalize Tailscale here
+			return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s, pid %d", active.User.Username, active.Pid)}
+		}
+	}
+	if su := s.serverModeUser; su != nil && ci.UserID != su.Uid {
+		//lint:ignore ST1005 we want to capitalize Tailscale here
+		return inUseOtherUserError{fmt.Errorf("Tailscale already in use by %s", su.Username)}
+	}
+	return nil
+}
+
+// registerDisconnectSub adds ch as a subscribe to connection disconnect
+// events. If add is false, the subscriber is removed.
+func (s *server) registerDisconnectSub(ch chan<- struct{}, add bool) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	if add {
+		if s.disconnectSub == nil {
+			s.disconnectSub = make(map[chan<- struct{}]struct{})
+		}
+		s.disconnectSub[ch] = struct{}{}
+	} else {
+		delete(s.disconnectSub, ch)
+	}
+
+}
+
+// addConn adds c to the server's list of clients.
+//
+// If the returned error is of type inUseOtherUserError then the
+// returned connIdentity is also valid.
+func (s *server) addConn(c net.Conn, isHTTP bool) (ci connIdentity, err error) {
+	ci, err = s.getConnIdentity(c)
+	if err != nil {
+		return
+	}
+
+	// If the connected user changes, reset the backend server state to make
+	// sure node keys don't leak between users.
+	var doReset bool
+	defer func() {
+		if doReset {
+			s.logf("identity changed; resetting server")
+			s.bsMu.Lock()
+			s.bs.Reset()
+			s.bsMu.Unlock()
+		}
+	}()
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	if s.clients == nil {
 		s.clients = map[net.Conn]bool{}
 	}
-	s.clients[c] = true
+	if s.allClients == nil {
+		s.allClients = map[net.Conn]connIdentity{}
+	}
+
+	if err := s.checkConnIdentityLocked(ci); err != nil {
+		return ci, err
+	}
+
+	if !isHTTP {
+		s.clients[c] = true
+	}
+	s.allClients[c] = ci
+
+	if s.lastUserID != ci.UserID {
+		if s.lastUserID != "" {
+			doReset = true
+		}
+		s.lastUserID = ci.UserID
+	}
+	return ci, nil
 }
 
 func (s *server) removeAndCloseConn(c net.Conn) {
 	s.mu.Lock()
 	delete(s.clients, c)
-	remain := len(s.clients)
+	delete(s.allClients, c)
+	remain := len(s.allClients)
+	for sub := range s.disconnectSub {
+		select {
+		case sub <- struct{}{}:
+		default:
+		}
+	}
 	s.mu.Unlock()
 
 	if remain == 0 && s.resetOnZero {
-		s.bsMu.Lock()
-		s.bs.Reset()
-		s.bsMu.Unlock()
+		if s.b.InServerMode() {
+			s.logf("client disconnected; staying alive in server mode")
+		} else {
+			s.logf("client disconnected; stopping server")
+			s.bsMu.Lock()
+			s.bs.Reset()
+			s.bsMu.Unlock()
+		}
 	}
 	c.Close()
 }
@@ -140,9 +421,48 @@ func (s *server) stopAll() {
 	s.clients = nil
 }
 
+// setServerModeUserLocked is called when we're in server mode but our s.serverModeUser is nil.
+//
+// s.mu must be held
+func (s *server) setServerModeUserLocked() {
+	var ci connIdentity
+	var ok bool
+	for _, ci = range s.allClients {
+		ok = true
+		break
+	}
+	if !ok {
+		s.logf("ipnserver: [unexpected] now in server mode, but no connected client")
+		return
+	}
+	if ci.Unknown {
+		return
+	}
+	if ci.User != nil {
+		s.logf("ipnserver: now in server mode; user=%v", ci.User.Username)
+		s.serverModeUser = ci.User
+	} else {
+		s.logf("ipnserver: [unexpected] now in server mode, but nil User")
+	}
+}
+
 func (s *server) writeToClients(b []byte) {
+	inServerMode := s.b.InServerMode()
+
 	s.mu.Lock()
 	defer s.mu.Unlock()
+
+	if inServerMode {
+		if s.serverModeUser == nil {
+			s.setServerModeUserLocked()
+		}
+	} else {
+		if s.serverModeUser != nil {
+			s.logf("ipnserver: no longer in server mode")
+			s.serverModeUser = nil
+		}
+	}
+
 	for c := range s.clients {
 		ipn.WriteMsg(c, b)
 	}
@@ -160,6 +480,7 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	}
 
 	server := &server{
+		logf:        logf,
 		resetOnZero: !opts.SurviveDisconnects,
 	}
 
@@ -176,12 +497,11 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	logf("Listening on %v", listen.Addr())
 
 	bo := backoff.NewBackoff("ipnserver", logf, 30*time.Second)
-
 	var unservedConn net.Conn // if non-nil, accepted, but hasn't served yet
 
 	eng, err := getEngine()
 	if err != nil {
-		logf("Initial getEngine call: %v", err)
+		logf("ipnserver: initial getEngine call: %v", err)
 		for i := 1; ctx.Err() == nil; i++ {
 			c, err := listen.Accept()
 			if err != nil {
@@ -189,14 +509,14 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 				bo.BackOff(ctx, err)
 				continue
 			}
-			logf("%d: trying getEngine again...", i)
+			logf("ipnserver: try%d: trying getEngine again...", i)
 			eng, err = getEngine()
 			if err == nil {
 				logf("%d: GetEngine worked; exiting failure loop", i)
 				unservedConn = c
 				break
 			}
-			logf("%d: getEngine failed again: %v", i, err)
+			logf("ipnserver%d: getEngine failed again: %v", i, err)
 			errMsg := err.Error()
 			go func() {
 				defer c.Close()
@@ -217,6 +537,24 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 		if err != nil {
 			return fmt.Errorf("ipn.NewFileStore(%q): %v", opts.StatePath, err)
 		}
+		if opts.AutostartStateKey == "" {
+			autoStartKey, err := store.ReadState(ipn.ServerModeStartKey)
+			if err != nil && err != ipn.ErrStateNotExist {
+				return fmt.Errorf("calling ReadState on %s: %w", opts.StatePath, err)
+			}
+			key := string(autoStartKey)
+			if strings.HasPrefix(key, "user-") {
+				uid := strings.TrimPrefix(key, "user-")
+				u, err := server.lookupUserFromID(uid)
+				if err != nil {
+					logf("ipnserver: found server mode auto-start key %q; failed to load user: %v", key, err)
+				} else {
+					logf("ipnserver: found server mode auto-start key %q (user %s)", key, u.Username)
+					server.serverModeUser = u
+				}
+				opts.AutostartStateKey = ipn.StateKey(key)
+			}
+		}
 	} else {
 		store = &ipn.MemoryStore{}
 	}
@@ -232,18 +570,16 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 
 	if opts.DebugMux != nil {
 		opts.DebugMux.HandleFunc("/debug/ipn", func(w http.ResponseWriter, r *http.Request) {
-			w.Header().Set("Content-Type", "text/html; charset=utf-8")
-			st := b.Status()
-			// TODO(bradfitz): add LogID and opts to st?
-			st.WriteHTML(w)
+			serveHTMLStatus(w, b)
 		})
 	}
 
+	server.b = b
 	server.bs = ipn.NewBackendServer(logf, b, server.writeToClients)
 
 	if opts.AutostartStateKey != "" {
 		server.bs.GotCommand(&ipn.Command{
-			Version: version.LONG,
+			Version: version.Long,
 			Start: &ipn.StartArgs{
 				Opts: ipn.Options{
 					StateKey:         opts.AutostartStateKey,
@@ -274,6 +610,11 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (
 	return ctx.Err()
 }
 
+// BabysitProc runs the current executable as a child process with the
+// provided args, capturing its output, writing it to files, and
+// restarting the process on any crashes.
+//
+// It's only currently (2020-10-29) used on Windows.
 func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 
 	executable, err := os.Executable()
@@ -281,6 +622,14 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 		panic("cannot determine executable: " + err.Error())
 	}
 
+	if runtime.GOOS == "windows" {
+		if len(args) != 2 && args[0] != "/subproc" {
+			panic(fmt.Sprintf("unexpected arguments %q", args))
+		}
+		logID := args[1]
+		logf = filelogger.New("tailscale-service", logID, logf)
+	}
+
 	var proc struct {
 		mu sync.Mutex
 		p  *os.Process
@@ -394,3 +743,69 @@ func BabysitProc(ctx context.Context, args []string, logf logger.Logf) {
 func FixedEngine(eng wgengine.Engine) func() (wgengine.Engine, error) {
 	return func() (wgengine.Engine, error) { return eng, nil }
 }
+
+type dummyAddr string
+type oneConnListener struct {
+	conn net.Conn
+}
+
+func (l *oneConnListener) Accept() (c net.Conn, err error) {
+	c = l.conn
+	if c == nil {
+		err = io.EOF
+		return
+	}
+	err = nil
+	l.conn = nil
+	return
+}
+
+func (l *oneConnListener) Close() error { return nil }
+
+func (l *oneConnListener) Addr() net.Addr { return dummyAddr("unused-address") }
+
+func (a dummyAddr) Network() string { return string(a) }
+func (a dummyAddr) String() string  { return string(a) }
+
+// protoSwitchConn is a net.Conn that's we want to speak HTTP to but
+// it's already had a few bytes read from it to determine that it's
+// HTTP. So we Read from its bufio.Reader. On Close, we we tell the
+// server it's closed, so the server can account the who's connected.
+type protoSwitchConn struct {
+	s *server
+	net.Conn
+	br        *bufio.Reader
+	closeOnce sync.Once
+}
+
+func (psc *protoSwitchConn) Read(p []byte) (int, error) { return psc.br.Read(p) }
+func (psc *protoSwitchConn) Close() error {
+	psc.closeOnce.Do(func() { psc.s.removeAndCloseConn(psc.Conn) })
+	return nil
+}
+
+func (s *server) localhostHandler(ci connIdentity) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if ci.Unknown {
+			io.WriteString(w, "<html><title>Tailscale</title><body><h1>Tailscale</h1>This is the local Tailscale daemon.")
+			return
+		}
+		serveHTMLStatus(w, s.b)
+	})
+}
+
+func serveHTMLStatus(w http.ResponseWriter, b *ipn.LocalBackend) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	st := b.Status()
+	// TODO(bradfitz): add LogID and opts to st?
+	st.WriteHTML(w)
+}
+
+func peerPid(entries []netstat.Entry, la, ra netaddr.IPPort) int {
+	for _, e := range entries {
+		if e.Local == ra && e.Remote == la {
+			return e.Pid
+		}
+	}
+	return 0
+}

ipn/ipnserver/server_test.go

@@ -7,8 +7,6 @@ package ipnserver_test
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -25,11 +23,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	td, err := ioutil.TempDir("", "TestRunMultipleAccepts")
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer os.RemoveAll(td)
+	td := t.TempDir()
 	socketPath := filepath.Join(td, "tailscale.sock")
 
 	logf := func(format string, args ...interface{}) {

ipn/ipnstate/ipnstate.go

@@ -27,8 +27,10 @@ import (
 type Status struct {
 	BackendState string
 	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
-	Peer         map[key.Public]*PeerStatus
-	User         map[tailcfg.UserID]tailcfg.UserProfile
+	Self         *PeerStatus
+
+	Peer map[key.Public]*PeerStatus
+	User map[tailcfg.UserID]tailcfg.UserProfile
 }
 
 func (s *Status) Peers() []key.Public {
@@ -43,6 +45,7 @@ func (s *Status) Peers() []key.Public {
 type PeerStatus struct {
 	PublicKey key.Public
 	HostName  string // HostInfo's Hostname (not a DNS name or necessarily unique)
+	DNSName   string
 	OS        string // HostInfo.OS
 	UserID    tailcfg.UserID
 
@@ -88,6 +91,12 @@ type StatusBuilder struct {
 	st     Status
 }
 
+func (sb *StatusBuilder) SetBackendState(v string) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.BackendState = v
+}
+
 func (sb *StatusBuilder) Status() *Status {
 	sb.mu.Lock()
 	defer sb.mu.Unlock()
@@ -95,6 +104,13 @@ func (sb *StatusBuilder) Status() *Status {
 	return &sb.st
 }
 
+// SetSelfStatus sets the status of the local machine.
+func (sb *StatusBuilder) SetSelfStatus(ss *PeerStatus) {
+	sb.mu.Lock()
+	defer sb.mu.Unlock()
+	sb.st.Self = ss
+}
+
 // AddUser adds a user profile to the status.
 func (sb *StatusBuilder) AddUser(id tailcfg.UserID, up tailcfg.UserProfile) {
 	sb.mu.Lock()
@@ -151,6 +167,9 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if v := st.HostName; v != "" {
 		e.HostName = v
 	}
+	if v := st.DNSName; v != "" {
+		e.DNSName = v
+	}
 	if v := st.Relay; v != "" {
 		e.Relay = v
 	}
@@ -322,3 +341,21 @@ func osEmoji(os string) string {
 	}
 	return "👽"
 }
+
+// PingResult contains response information for the "tailscale ping" subcommand,
+// saying how Tailscale can reach a Tailscale IP or subnet-routed IP.
+type PingResult struct {
+	IP       string // ping destination
+	NodeIP   string // Tailscale IP of node handling IP (different for subnet routers)
+	NodeName string // DNS name base or (possibly not unique) hostname
+
+	Err            string
+	LatencySeconds float64
+
+	Endpoint string // ip:port if direct UDP was used
+
+	DERPRegionID   int    // non-zero if DERP was used
+	DERPRegionCode string // three-letter airport/region code if DERP was used
+
+	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
+}

ipn/local.go

@@ -5,9 +5,12 @@
 package ipn
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
+	"os"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -19,6 +22,7 @@ import (
 	"tailscale.com/internal/deepprint"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
+	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
@@ -33,6 +37,15 @@ import (
 	"tailscale.com/wgengine/tsdns"
 )
 
+var controlDebugFlags = getControlDebugFlags()
+
+func getControlDebugFlags() []string {
+	if e := os.Getenv("TS_DEBUG_CONTROL_FLAGS"); e != "" {
+		return strings.Split(e, ",")
+	}
+	return nil
+}
+
 // LocalBackend is the glue between the major pieces of the Tailscale
 // network software: the cloud control plane (via controlclient), the
 // network data plane (via wgengine), and the user-facing UIs and CLIs
@@ -49,32 +62,39 @@ type LocalBackend struct {
 	ctxCancel       context.CancelFunc // cancels ctx
 	logf            logger.Logf        // general logging
 	keyLogf         logger.Logf        // for printing list of peers on change
+	statsLogf       logger.Logf        // for printing peers stats on change
 	e               wgengine.Engine
 	store           StateStore
 	backendLogID    string
 	portpoll        *portlist.Poller // may be nil
-	portpollOnce    sync.Once
-	serverURL       string // tailcontrol URL
+	portpollOnce    sync.Once        // guards starting readPoller
+	gotPortPollRes  chan struct{}    // closed upon first readPoller result
+	serverURL       string           // tailcontrol URL
 	newDecompressor func() (controlclient.Decompressor, error)
 
 	filterHash string
 
 	// The mutex protects the following elements.
-	mu       sync.Mutex
-	notify   func(Notify)
-	c        *controlclient.Client
-	stateKey StateKey
-	prefs    *Prefs
-	state    State
+	mu             sync.Mutex
+	notify         func(Notify)
+	c              *controlclient.Client
+	stateKey       StateKey // computed in part from user-provided value
+	userID         string   // current controlling user ID (for Windows, primarily)
+	prefs          *Prefs
+	inServerMode   bool
+	machinePrivKey wgcfg.PrivateKey
+	state          State
 	// hostinfo is mutated in-place while mu is held.
 	hostinfo *tailcfg.Hostinfo
 	// netMap is not mutated in-place once set.
 	netMap       *controlclient.NetworkMap
+	activeLogin  string // last logged LoginName from netMap
 	engineStatus EngineStatus
 	endpoints    []string
 	blocked      bool
 	authURL      string
-	interact     int
+	interact     bool
+	prevIfState  *interfaces.State
 
 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
@@ -99,21 +119,51 @@ func NewLocalBackend(logf logger.Logf, logid string, store StateStore, e wgengin
 	}
 
 	b := &LocalBackend{
-		ctx:          ctx,
-		ctxCancel:    cancel,
-		logf:         logf,
-		keyLogf:      logger.LogOnChange(logf, 5*time.Minute, time.Now),
-		e:            e,
-		store:        store,
-		backendLogID: logid,
-		state:        NoState,
-		portpoll:     portpoll,
+		ctx:            ctx,
+		ctxCancel:      cancel,
+		logf:           logf,
+		keyLogf:        logger.LogOnChange(logf, 5*time.Minute, time.Now),
+		statsLogf:      logger.LogOnChange(logf, 5*time.Minute, time.Now),
+		e:              e,
+		store:          store,
+		backendLogID:   logid,
+		state:          NoState,
+		portpoll:       portpoll,
+		gotPortPollRes: make(chan struct{}),
 	}
+	e.SetLinkChangeCallback(b.linkChange)
 	b.statusChanged = sync.NewCond(&b.statusLock)
 
 	return b, nil
 }
 
+// linkChange is called (in a new goroutine) by wgengine when its link monitor
+// detects a network change.
+func (b *LocalBackend) linkChange(major bool, ifst *interfaces.State) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	hadPAC := b.prevIfState.HasPAC()
+	b.prevIfState = ifst
+
+	networkUp := ifst.AnyInterfaceUp()
+	if b.c != nil {
+		go b.c.SetPaused(b.state == Stopped || !networkUp)
+	}
+
+	// If the PAC-ness of the network changed, reconfig wireguard+route to
+	// add/remove subnets.
+	if hadPAC != ifst.HasPAC() {
+		b.logf("linkChange: in state %v; PAC changed from %v->%v", b.state, hadPAC, ifst.HasPAC())
+		switch b.state {
+		case NoState, Stopped:
+			// Do nothing.
+		default:
+			go b.authReconfig()
+		}
+	}
+}
+
 // Shutdown halts the backend and all its sub-components. The backend
 // can no longer be used after Shutdown returns.
 func (b *LocalBackend) Shutdown() {
@@ -144,6 +194,8 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 
+	sb.SetBackendState(b.state.String())
+
 	// TODO: hostinfo, and its networkinfo
 	// TODO: EngineStatus copy (and deprecate it?)
 	if b.netMap != nil {
@@ -164,6 +216,7 @@ func (b *LocalBackend) UpdateStatus(sb *ipnstate.StatusBuilder) {
 				UserID:       p.User,
 				TailAddr:     tailAddr,
 				HostName:     p.Hostinfo.Hostname,
+				DNSName:      p.Name,
 				OS:           p.Hostinfo.OS,
 				KeepAlive:    p.KeepAlive,
 				Created:      p.Created,
@@ -216,8 +269,14 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 			b.prefs.Persist = st.Persist.Clone()
 		}
 	}
+	if temporarilySetMachineKeyInPersist() && b.prefs.Persist != nil &&
+		b.prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() {
+		b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
+		prefsChanged = true
+	}
 	if st.NetMap != nil {
-		b.netMap = st.NetMap
+		b.setNetMapLocked(st.NetMap)
+
 	}
 	if st.URL != "" {
 		b.authURL = st.URL
@@ -256,23 +315,16 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 
 		b.updateFilter(st.NetMap, prefs)
 		b.e.SetNetworkMap(st.NetMap)
-
 		if !dnsMapsEqual(st.NetMap, netMap) {
 			b.updateDNSMap(st.NetMap)
 		}
-
-		disableDERP := prefs != nil && prefs.DisableDERP
-		if disableDERP {
-			b.e.SetDERPMap(nil)
-		} else {
-			b.e.SetDERPMap(st.NetMap.DERPMap)
-		}
+		b.e.SetDERPMap(st.NetMap.DERPMap)
 
 		b.send(Notify{NetMap: st.NetMap})
 	}
 	if st.URL != "" {
 		b.logf("Received auth URL: %.20v...", st.URL)
-		if interact > 0 {
+		if interact {
 			b.popBrowserAuthNow()
 		}
 	}
@@ -294,9 +346,8 @@ func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 		return
 	}
 
-	es := b.parseWgStatus(s)
-
 	b.mu.Lock()
+	es := b.parseWgStatusLocked(s)
 	c := b.c
 	b.engineStatus = es
 	b.endpoints = append([]string{}, s.LocalAddrs...)
@@ -364,18 +415,44 @@ func (b *LocalBackend) Start(opts Options) error {
 		return fmt.Errorf("loading requested state: %v", err)
 	}
 
+	b.inServerMode = b.prefs.ForceDaemon
 	b.serverURL = b.prefs.ControlURL
 	hostinfo.RoutableIPs = append(hostinfo.RoutableIPs, b.prefs.AdvertiseRoutes...)
 	hostinfo.RequestTags = append(hostinfo.RequestTags, b.prefs.AdvertiseTags...)
+	if b.inServerMode || runtime.GOOS == "windows" {
+		b.logf("Start: serverMode=%v", b.inServerMode)
+	}
 	applyPrefsToHostinfo(hostinfo, b.prefs)
 
 	b.notify = opts.Notify
-	b.netMap = nil
+	b.setNetMapLocked(nil)
 	persist := b.prefs.Persist
+	machinePrivKey := b.machinePrivKey
 	b.mu.Unlock()
 
 	b.updateFilter(nil, nil)
 
+	if b.portpoll != nil {
+		b.portpollOnce.Do(func() {
+			go b.portpoll.Run(b.ctx)
+			go b.readPoller()
+
+			// Give the poller a second to get results to
+			// prevent it from restarting our map poll
+			// HTTP request (via doSetHostinfoFilterServices >
+			// cli.SetHostinfo). In practice this is very quick.
+			t0 := time.Now()
+			timer := time.NewTimer(time.Second)
+			select {
+			case <-b.gotPortPollRes:
+				b.logf("got initial portlist info in %v", time.Since(t0).Round(time.Millisecond))
+				timer.Stop()
+			case <-timer.C:
+				b.logf("timeout waiting for initial portlist")
+			}
+		})
+	}
+
 	var discoPublic tailcfg.DiscoKey
 	if controlclient.Debug.Disco {
 		discoPublic = b.e.DiscoPublicKey()
@@ -387,29 +464,22 @@ func (b *LocalBackend) Start(opts Options) error {
 		persist = &controlclient.Persist{}
 	}
 	cli, err := controlclient.New(controlclient.Options{
-		Logf:            logger.WithPrefix(b.logf, "control: "),
-		Persist:         *persist,
-		ServerURL:       b.serverURL,
-		AuthKey:         opts.AuthKey,
-		Hostinfo:        hostinfo,
-		KeepAlive:       true,
-		NewDecompressor: b.newDecompressor,
-		HTTPTestClient:  opts.HTTPTestClient,
-		DiscoPublicKey:  discoPublic,
+		MachinePrivateKey: machinePrivKey,
+		Logf:              logger.WithPrefix(b.logf, "control: "),
+		Persist:           *persist,
+		ServerURL:         b.serverURL,
+		AuthKey:           opts.AuthKey,
+		Hostinfo:          hostinfo,
+		KeepAlive:         true,
+		NewDecompressor:   b.newDecompressor,
+		HTTPTestClient:    opts.HTTPTestClient,
+		DiscoPublicKey:    discoPublic,
+		DebugFlags:        controlDebugFlags,
 	})
 	if err != nil {
 		return err
 	}
 
-	// At this point, we have finished using hostinfo without synchronization,
-	// so it is safe to start readPoller which concurrently writes to it.
-	if b.portpoll != nil {
-		b.portpollOnce.Do(func() {
-			go b.portpoll.Run(b.ctx)
-			go b.readPoller()
-		})
-	}
-
 	b.mu.Lock()
 	b.c = cli
 	endpoints := b.endpoints
@@ -425,6 +495,12 @@ func (b *LocalBackend) Start(opts Options) error {
 
 	b.mu.Lock()
 	prefs := b.prefs.Clone()
+
+	if temporarilySetMachineKeyInPersist() && prefs.Persist != nil &&
+		prefs.Persist.LegacyFrontendPrivateMachineKey.IsZero() {
+		prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
+	}
+
 	b.mu.Unlock()
 
 	blid := b.backendLogID
@@ -539,7 +615,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 
 	nameToIP := make(map[string]netaddr.IP)
 	set := func(name string, addrs []wgcfg.CIDR) {
-		if len(addrs) == 0 {
+		if len(addrs) == 0 || name == "" {
 			return
 		}
 		nameToIP[name] = netaddr.IPFrom16(addrs[0].IP.Addr)
@@ -550,7 +626,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 	}
 	set(netMap.Name, netMap.Addresses)
 
-	dnsMap := tsdns.NewMap(nameToIP)
+	dnsMap := tsdns.NewMap(nameToIP, domainsForProxying(netMap))
 	// map diff will be logged in tsdns.Resolver.SetMap.
 	b.e.SetDNSMap(dnsMap)
 }
@@ -558,6 +634,7 @@ func (b *LocalBackend) updateDNSMap(netMap *controlclient.NetworkMap) {
 // readPoller is a goroutine that receives service lists from
 // b.portpoll and propagates them into the controlclient's HostInfo.
 func (b *LocalBackend) readPoller() {
+	n := 0
 	for {
 		ports, ok := <-b.portpoll.C
 		if !ok {
@@ -584,6 +661,11 @@ func (b *LocalBackend) readPoller() {
 		b.mu.Unlock()
 
 		b.doSetHostinfoFilterServices(hi)
+
+		n++
+		if n == 1 {
+			close(b.gotPortPollRes)
+		}
 	}
 }
 
@@ -595,7 +677,7 @@ func (b *LocalBackend) send(n Notify) {
 	b.mu.Unlock()
 
 	if notify != nil {
-		n.Version = version.LONG
+		n.Version = version.Long
 		notify(n)
 	} else {
 		b.logf("nil notify callback; dropping %+v", n)
@@ -607,7 +689,7 @@ func (b *LocalBackend) send(n Notify) {
 func (b *LocalBackend) popBrowserAuthNow() {
 	b.mu.Lock()
 	url := b.authURL
-	b.interact = 0
+	b.interact = false
 	b.authURL = ""
 	b.mu.Unlock()
 
@@ -621,48 +703,171 @@ func (b *LocalBackend) popBrowserAuthNow() {
 	}
 }
 
+// initMachineKeyLocked is called to initialize b.machinePrivKey.
+//
+// b.prefs must already be initialized.
+// b.stateKey should be set too, but just for nicer log messages.
+// b.mu must be held.
+func (b *LocalBackend) initMachineKeyLocked() (err error) {
+	if temporarilySetMachineKeyInPersist() {
+		defer func() {
+			if err != nil {
+				return
+			}
+			if b.prefs != nil && b.prefs.Persist != nil {
+				b.prefs.Persist.LegacyFrontendPrivateMachineKey = b.machinePrivKey
+			}
+		}()
+	}
+
+	if !b.machinePrivKey.IsZero() {
+		// Already set.
+		return nil
+	}
+
+	var legacyMachineKey wgcfg.PrivateKey
+	if b.prefs.Persist != nil {
+		legacyMachineKey = b.prefs.Persist.LegacyFrontendPrivateMachineKey
+	}
+
+	keyText, err := b.store.ReadState(MachineKeyStateKey)
+	if err == nil {
+		if err := b.machinePrivKey.UnmarshalText(keyText); err != nil {
+			return fmt.Errorf("invalid key in %s key of %v: %w", MachineKeyStateKey, b.store, err)
+		}
+		if b.machinePrivKey.IsZero() {
+			return fmt.Errorf("invalid zero key stored in %v key of %v", MachineKeyStateKey, b.store)
+		}
+		if !legacyMachineKey.IsZero() && !bytes.Equal(legacyMachineKey[:], b.machinePrivKey[:]) {
+			b.logf("frontend-provided legacy machine key ignored; used value from server state")
+		}
+		return nil
+	}
+	if err != ErrStateNotExist {
+		return fmt.Errorf("error reading %v key of %v: %w", MachineKeyStateKey, b.store, err)
+	}
+
+	// If we didn't find one already on disk and the prefs already
+	// have a legacy machine key, use that. Otherwise generate a
+	// new one.
+	if !legacyMachineKey.IsZero() {
+		if b.stateKey == "" {
+			b.logf("using frontend-provided legacy machine key")
+		} else {
+			b.logf("using legacy machine key from state key %q", b.stateKey)
+		}
+		b.machinePrivKey = legacyMachineKey
+	} else {
+		b.logf("generating new machine key")
+		var err error
+		b.machinePrivKey, err = wgcfg.NewPrivateKey()
+		if err != nil {
+			return fmt.Errorf("initializing new machine key: %w", err)
+		}
+	}
+
+	keyText, _ = b.machinePrivKey.MarshalText()
+	if err := b.store.WriteState(MachineKeyStateKey, keyText); err != nil {
+		b.logf("error writing machine key to store: %v", err)
+		return err
+	}
+
+	b.logf("machine key written to store")
+	return nil
+}
+
+// writeServerModeStartState stores the ServerModeStartKey value based on the current
+// user and prefs. If userID is blank or prefs is blank, no work is done.
+//
+// b.mu may either be held or not.
+func (b *LocalBackend) writeServerModeStartState(userID string, prefs *Prefs) {
+	if userID == "" || prefs == nil {
+		return
+	}
+
+	if prefs.ForceDaemon {
+		stateKey := StateKey("user-" + userID)
+		if err := b.store.WriteState(ServerModeStartKey, []byte(stateKey)); err != nil {
+			b.logf("WriteState error: %v", err)
+		}
+		// It's important we do this here too, even if it looks
+		// redundant with the one in the 'if stateKey != ""'
+		// check block above. That one won't fire in the case
+		// where the Windows client started up in client mode.
+		// This happens when we transition into server mode:
+		if err := b.store.WriteState(stateKey, prefs.ToBytes()); err != nil {
+			b.logf("WriteState error: %v", err)
+		}
+	} else {
+		if err := b.store.WriteState(ServerModeStartKey, nil); err != nil {
+			b.logf("WriteState error: %v", err)
+		}
+	}
+}
+
 // loadStateLocked sets b.prefs and b.stateKey based on a complex
 // combination of key, prefs, and legacyPath. b.mu must be held when
 // calling.
-func (b *LocalBackend) loadStateLocked(key StateKey, prefs *Prefs, legacyPath string) error {
+func (b *LocalBackend) loadStateLocked(key StateKey, prefs *Prefs, legacyPath string) (err error) {
 	if prefs == nil && key == "" {
 		panic("state key and prefs are both unset")
 	}
 
+	// Optimistically set stateKey (for initMachineKeyLocked's
+	// logging), but revert it if we return an error so a later SetPrefs
+	// call can't pick it up if it's bogus.
+	b.stateKey = key
+	defer func() {
+		if err != nil {
+			b.stateKey = ""
+		}
+	}()
+
 	if key == "" {
-		// Frontend fully owns the state, we just need to obey it.
-		b.logf("Using frontend prefs")
+		// Frontend owns the state, we just need to obey it.
+		//
+		// If the frontend (e.g. on Windows) supplied the
+		// optional/legacy machine key then it's used as the
+		// value instead of making up a new one.
+		b.logf("using frontend prefs: %s", prefs.Pretty())
 		b.prefs = prefs.Clone()
-		b.stateKey = ""
+		if err := b.initMachineKeyLocked(); err != nil {
+			return fmt.Errorf("initMachineKeyLocked: %w", err)
+		}
+		b.writeServerModeStartState(b.userID, b.prefs)
 		return nil
 	}
 
 	if prefs != nil {
 		// Backend owns the state, but frontend is trying to migrate
 		// state into the backend.
-		b.logf("Importing frontend prefs into backend store")
+		b.logf("importing frontend prefs into backend store; frontend prefs: %s", prefs.Pretty())
 		if err := b.store.WriteState(key, prefs.ToBytes()); err != nil {
 			return fmt.Errorf("store.WriteState: %v", err)
 		}
 	}
 
-	b.logf("Using backend prefs")
+	b.logf("using backend prefs")
 	bs, err := b.store.ReadState(key)
 	if err != nil {
 		if errors.Is(err, ErrStateNotExist) {
 			if legacyPath != "" {
 				b.prefs, err = LoadPrefs(legacyPath)
 				if err != nil {
-					b.logf("Failed to load legacy prefs: %v", err)
+					if !errors.Is(err, os.ErrNotExist) {
+						b.logf("failed to load legacy prefs: %v", err)
+					}
 					b.prefs = NewPrefs()
 				} else {
-					b.logf("Imported state from relaynode for %q", key)
+					b.logf("imported prefs from relaynode for %q: %v", key, b.prefs.Pretty())
 				}
 			} else {
 				b.prefs = NewPrefs()
-				b.logf("Created empty state for %q", key)
+				b.logf("created empty state for %q: %s", key, b.prefs.Pretty())
+			}
+			if err := b.initMachineKeyLocked(); err != nil {
+				return fmt.Errorf("initMachineKeyLocked: %w", err)
 			}
-			b.stateKey = key
 			return nil
 		}
 		return fmt.Errorf("store.ReadState(%q): %v", key, err)
@@ -671,7 +876,10 @@ func (b *LocalBackend) loadStateLocked(key StateKey, prefs *Prefs, legacyPath st
 	if err != nil {
 		return fmt.Errorf("PrefsFromBytes: %v", err)
 	}
-	b.stateKey = key
+	b.logf("backend prefs for %q: %s", key, b.prefs.Pretty())
+	if err := b.initMachineKeyLocked(); err != nil {
+		return fmt.Errorf("initMachineKeyLocked: %w", err)
+	}
 	return nil
 }
 
@@ -683,6 +891,12 @@ func (b *LocalBackend) State() State {
 	return b.state
 }
 
+func (b *LocalBackend) InServerMode() bool {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return b.inServerMode
+}
+
 // getEngineStatus returns a copy of b.engineStatus.
 //
 // TODO(bradfitz): remove this and use Status() throughout.
@@ -710,7 +924,7 @@ func (b *LocalBackend) Login(token *oauth2.Token) {
 func (b *LocalBackend) StartLoginInteractive() {
 	b.mu.Lock()
 	b.assertClientLocked()
-	b.interact++
+	b.interact = true
 	url := b.authURL
 	c := b.c
 	b.mu.Unlock()
@@ -741,32 +955,48 @@ func (b *LocalBackend) FakeExpireAfter(x time.Duration) {
 	if e.IsZero() || time.Until(e) > x {
 		mapCopy.Expiry = time.Now().Add(x)
 	}
-	b.netMap = &mapCopy
+	b.setNetMapLocked(&mapCopy)
 	b.send(Notify{NetMap: b.netMap})
 }
 
-func (b *LocalBackend) parseWgStatus(s *wgengine.Status) (ret EngineStatus) {
-	var (
-		peerStats []string
-		peerKeys  []string
-	)
+func (b *LocalBackend) Ping(ipStr string) {
+	ip, err := netaddr.ParseIP(ipStr)
+	if err != nil {
+		b.logf("ignoring Ping request to invalid IP %q", ipStr)
+		return
+	}
+	b.e.Ping(ip, func(pr *ipnstate.PingResult) {
+		b.send(Notify{PingResult: pr})
+	})
+}
+
+// parseWgStatusLocked returns an EngineStatus based on s.
+//
+// b.mu must be held; mostly because the caller is about to anyway, and doing so
+// gives us slightly better guarantees about the two peers stats lines not
+// being intermixed if there are concurrent calls to our caller.
+func (b *LocalBackend) parseWgStatusLocked(s *wgengine.Status) (ret EngineStatus) {
+	var peerStats, peerKeys strings.Builder
 
 	ret.LiveDERPs = s.DERPs
 	ret.LivePeers = map[tailcfg.NodeKey]wgengine.PeerStatus{}
 	for _, p := range s.Peers {
 		if !p.LastHandshake.IsZero() {
-			peerStats = append(peerStats, fmt.Sprintf("%d/%d", p.RxBytes, p.TxBytes))
+			fmt.Fprintf(&peerStats, "%d/%d ", p.RxBytes, p.TxBytes)
+			fmt.Fprintf(&peerKeys, "%s ", p.NodeKey.ShortString())
+
 			ret.NumLive++
 			ret.LivePeers[p.NodeKey] = p
 
-			peerKeys = append(peerKeys, p.NodeKey.ShortString())
 		}
 		ret.RBytes += p.RxBytes
 		ret.WBytes += p.TxBytes
 	}
-	if len(peerStats) > 0 {
-		b.keyLogf("peer keys: %s", strings.Join(peerKeys, " "))
-		b.logf("v%v peers: %v", version.LONG, strings.Join(peerStats, " "))
+
+	// [GRINDER STATS LINES] - please don't remove (used for log parsing)
+	if peerStats.Len() > 0 {
+		b.keyLogf("peer keys: %s", strings.TrimSpace(peerKeys.String()))
+		b.statsLogf("v%v peers: %v", version.Long, strings.TrimSpace(peerStats.String()))
 	}
 	return ret
 }
@@ -783,10 +1013,28 @@ func (b *LocalBackend) shieldsAreUp() bool {
 	return b.prefs.ShieldsUp
 }
 
+func (b *LocalBackend) SetCurrentUserID(uid string) {
+	b.mu.Lock()
+	b.userID = uid
+	b.mu.Unlock()
+}
+
+func (b *LocalBackend) SetWantRunning(wantRunning bool) {
+	b.mu.Lock()
+	new := b.prefs.Clone()
+	b.mu.Unlock()
+	if new.WantRunning == wantRunning {
+		return
+	}
+	new.WantRunning = wantRunning
+	b.logf("SetWantRunning: %v", wantRunning)
+	b.SetPrefs(new)
+}
+
 // SetPrefs saves new user preferences and propagates them throughout
 // the system. Implements Backend.
-func (b *LocalBackend) SetPrefs(new *Prefs) {
-	if new == nil {
+func (b *LocalBackend) SetPrefs(newp *Prefs) {
+	if newp == nil {
 		panic("SetPrefs got nil prefs")
 	}
 
@@ -795,50 +1043,64 @@ func (b *LocalBackend) SetPrefs(new *Prefs) {
 	netMap := b.netMap
 	stateKey := b.stateKey
 
-	old := b.prefs
-	new.Persist = old.Persist // caller isn't allowed to override this
-	b.prefs = new
+	oldp := b.prefs
+	newp.Persist = oldp.Persist // caller isn't allowed to override this
+	b.prefs = newp
+	b.inServerMode = newp.ForceDaemon
 	// We do this to avoid holding the lock while doing everything else.
-	new = b.prefs.Clone()
+	newp = b.prefs.Clone()
 
 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
 	newHi.RoutableIPs = append([]wgcfg.CIDR(nil), b.prefs.AdvertiseRoutes...)
-	applyPrefsToHostinfo(newHi, new)
+	applyPrefsToHostinfo(newHi, newp)
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
+	userID := b.userID
 
 	b.mu.Unlock()
 
 	if stateKey != "" {
-		if err := b.store.WriteState(stateKey, new.ToBytes()); err != nil {
+		if err := b.store.WriteState(stateKey, newp.ToBytes()); err != nil {
 			b.logf("Failed to save new controlclient state: %v", err)
 		}
 	}
+	b.writeServerModeStartState(userID, newp)
 
-	b.logf("SetPrefs: %v", new.Pretty())
+	// [GRINDER STATS LINE] - please don't remove (used for log parsing)
+	b.logf("SetPrefs: %v", newp.Pretty())
+	if netMap != nil {
+		if login := netMap.UserProfiles[netMap.User].LoginName; login != "" {
+			if newp.Persist == nil {
+				b.logf("active login: %s", login)
+			} else if newp.Persist.LoginName != login {
+				// Corp issue 461: sometimes the wrong prefs are
+				// logged; the frontend isn't always getting
+				// notified (to update its prefs/persist) on
+				// account switch.  Log this while we figure it
+				// out.
+				b.logf("active login: %s ([unexpected] corp#461, not %s)", newp.Persist.LoginName)
+			}
+		}
+	}
 
-	if old.ShieldsUp != new.ShieldsUp || hostInfoChanged {
+	if oldp.ShieldsUp != newp.ShieldsUp || hostInfoChanged {
 		b.doSetHostinfoFilterServices(newHi)
 	}
 
-	b.updateFilter(netMap, new)
+	b.updateFilter(netMap, newp)
 
-	turnDERPOff := new.DisableDERP && !old.DisableDERP
-	turnDERPOn := !new.DisableDERP && old.DisableDERP
-	if turnDERPOff {
-		b.e.SetDERPMap(nil)
-	} else if turnDERPOn && netMap != nil {
+	if netMap != nil {
 		b.e.SetDERPMap(netMap.DERPMap)
 	}
 
-	if old.WantRunning != new.WantRunning {
+	if oldp.WantRunning != newp.WantRunning {
 		b.stateMachine()
 	} else {
 		b.authReconfig()
 	}
 
-	b.send(Notify{Prefs: new})
+	b.send(Notify{Prefs: newp})
 }
 
 // doSetHostinfoFilterServices calls SetHostinfo on the controlclient,
@@ -891,6 +1153,8 @@ func (b *LocalBackend) authReconfig() {
 	blocked := b.blocked
 	uc := b.prefs
 	nm := b.netMap
+	hasPAC := b.prevIfState.HasPAC()
+	disableSubnetsIfPAC := nm != nil && nm.Debug != nil && nm.Debug.DisableSubnetsIfPAC.EqualBool(true)
 	b.mu.Unlock()
 
 	if blocked {
@@ -911,16 +1175,16 @@ func (b *LocalBackend) authReconfig() {
 		flags |= controlclient.AllowDefaultRoute
 		// TODO(apenwarr): Make subnet routes a different pref?
 		flags |= controlclient.AllowSubnetRoutes
-		// TODO(apenwarr): Remove this once we sort out subnet routes.
-		//  Right now default routes are broken in Windows, but
-		//  controlclient doesn't properly send subnet routes. So
-		//  let's convert a default route into a subnet route in order
-		//  to allow experimentation.
-		flags |= controlclient.HackDefaultRoute
 	}
 	if uc.AllowSingleHosts {
 		flags |= controlclient.AllowSingleHosts
 	}
+	if hasPAC && disableSubnetsIfPAC {
+		if flags&controlclient.AllowSubnetRoutes != 0 {
+			b.logf("authReconfig: have PAC; disabling subnet routes")
+			flags &^= controlclient.AllowSubnetRoutes
+		}
+	}
 
 	cfg, err := nm.WGCfg(b.logf, flags)
 	if err != nil {
@@ -1070,6 +1334,7 @@ func (b *LocalBackend) enterState(newState State) {
 	prefs := b.prefs
 	notify := b.notify
 	bc := b.c
+	networkUp := b.prevIfState.AnyInterfaceUp()
 	b.mu.Unlock()
 
 	if state == newState {
@@ -1082,7 +1347,7 @@ func (b *LocalBackend) enterState(newState State) {
 	}
 
 	if bc != nil {
-		bc.SetPaused(newState == Stopped)
+		bc.SetPaused(newState == Stopped || !networkUp)
 	}
 
 	switch newState {
@@ -1209,15 +1474,25 @@ func (b *LocalBackend) requestEngineStatusAndWait() {
 //  rebooting will fix it.
 func (b *LocalBackend) Logout() {
 	b.mu.Lock()
-	b.assertClientLocked()
 	c := b.c
-	b.netMap = nil
+	b.setNetMapLocked(nil)
 	b.mu.Unlock()
 
+	if c == nil {
+		// Double Logout can happen via repeated IPN
+		// connections to ipnserver making it repeatedly
+		// transition from 1->0 total connections, which on
+		// Windows by default ("client mode") causes a Logout
+		// on the transition to zero.
+		// Previously this crashed when we asserted that c was non-nil
+		// here.
+		return
+	}
+
 	c.Logout()
 
 	b.mu.Lock()
-	b.netMap = nil
+	b.setNetMapLocked(nil)
 	b.mu.Unlock()
 
 	b.stateMachine()
@@ -1246,19 +1521,52 @@ func (b *LocalBackend) setNetInfo(ni *tailcfg.NetInfo) {
 	c.SetNetInfo(ni)
 }
 
+func (b *LocalBackend) setNetMapLocked(nm *controlclient.NetworkMap) {
+	var login string
+	if nm != nil {
+		login = nm.UserProfiles[nm.User].LoginName
+		if login == "" {
+			login = "<missing-profile>"
+		}
+	}
+	b.netMap = nm
+	if login != b.activeLogin {
+		b.logf("active login: %v", login)
+		b.activeLogin = login
+	}
+}
+
 // TestOnlyPublicKeys returns the current machine and node public
 // keys. Used in tests only to facilitate automated node authorization
 // in the test harness.
 func (b *LocalBackend) TestOnlyPublicKeys() (machineKey tailcfg.MachineKey, nodeKey tailcfg.NodeKey) {
 	b.mu.Lock()
 	prefs := b.prefs
+	machinePrivKey := b.machinePrivKey
 	b.mu.Unlock()
 
-	if prefs == nil {
+	if prefs == nil || machinePrivKey.IsZero() {
 		return
 	}
 
-	mk := prefs.Persist.PrivateMachineKey.Public()
+	mk := machinePrivKey.Public()
 	nk := prefs.Persist.PrivateNodeKey.Public()
 	return tailcfg.MachineKey(mk), tailcfg.NodeKey(nk)
 }
+
+// temporarilySetMachineKeyInPersist reports whether we should set
+// the machine key in Prefs.Persist.LegacyFrontendPrivateMachineKey
+// for the frontend to write out to its preferences for use later.
+//
+// TODO: remove this in Tailscale 1.3.x (so it effectively always
+// returns false). It just exists so users can downgrade from 1.2.x to
+// 1.0.x.  But eventually we want to stop sending the machine key to
+// clients. We can't do that until 1.0.x is no longer supported.
+func temporarilySetMachineKeyInPersist() bool {
+	//lint:ignore S1008 for comments
+	if runtime.GOOS == "darwin" || runtime.GOOS == "android" {
+		// iOS, macOS, Android users can't downgrade anyway.
+		return false
+	}
+	return true
+}

ipn/loglines_test.go

@@ -0,0 +1,91 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ipn
+
+import (
+	"reflect"
+	"testing"
+	"time"
+
+	"tailscale.com/control/controlclient"
+	"tailscale.com/logtail"
+	"tailscale.com/tailcfg"
+	"tailscale.com/tstest"
+	"tailscale.com/types/key"
+	"tailscale.com/wgengine"
+)
+
+// TestLocalLogLines tests to make sure that the log lines required for log parsing are
+// being logged by the expected functions. Update these tests if moving log lines between
+// functions.
+func TestLocalLogLines(t *testing.T) {
+	logListen := tstest.NewLogLineTracker(t.Logf, []string{
+		"SetPrefs: %v",
+		"peer keys: %s",
+		"v%v peers: %v",
+	})
+
+	logid := func(hex byte) logtail.PublicID {
+		var ret logtail.PublicID
+		for i := 0; i < len(ret); i++ {
+			ret[i] = hex
+		}
+		return ret
+	}
+	idA := logid(0xaa)
+
+	// set up a LocalBackend, super bare bones. No functional data.
+	store := &MemoryStore{
+		cache: make(map[StateKey][]byte),
+	}
+	e, err := wgengine.NewFakeUserspaceEngine(logListen.Logf, 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	lb, err := NewLocalBackend(logListen.Logf, idA.String(), store, e)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer lb.Shutdown()
+
+	// custom adjustments for required non-nil fields
+	lb.prefs = NewPrefs()
+	lb.hostinfo = &tailcfg.Hostinfo{}
+	// hacky manual override of the usual log-on-change behaviour of keylogf
+	lb.keyLogf = logListen.Logf
+
+	testWantRemain := func(wantRemain ...string) func(t *testing.T) {
+		return func(t *testing.T) {
+			if remain := logListen.Check(); !reflect.DeepEqual(remain, wantRemain) {
+				t.Errorf("remain %q, want %q", remain, wantRemain)
+			}
+		}
+	}
+
+	// log prefs line
+	persist := &controlclient.Persist{}
+	prefs := NewPrefs()
+	prefs.Persist = persist
+	lb.SetPrefs(prefs)
+
+	t.Run("after_prefs", testWantRemain("peer keys: %s", "v%v peers: %v"))
+
+	// log peers, peer keys
+	status := &wgengine.Status{
+		Peers: []wgengine.PeerStatus{wgengine.PeerStatus{
+			TxBytes:       10,
+			RxBytes:       10,
+			LastHandshake: time.Now(),
+			NodeKey:       tailcfg.NodeKey(key.NewPrivate()),
+		}},
+		LocalAddrs: []string{"idk an address"},
+	}
+	lb.mu.Lock()
+	lb.parseWgStatusLocked(status)
+	lb.mu.Unlock()
+
+	t.Run("after_peers", testWantRemain())
+}

ipn/message.go

@@ -5,6 +5,7 @@
 package ipn
 
 import (
+	"bytes"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -19,6 +20,8 @@ import (
 	"tailscale.com/version"
 )
 
+var jsonEscapedZero = []byte(`\u0000`)
+
 type NoArgs struct{}
 
 type StartArgs struct {
@@ -33,6 +36,10 @@ type FakeExpireAfterArgs struct {
 	Duration time.Duration
 }
 
+type PingArgs struct {
+	IP string
+}
+
 // Command is a command message that is JSON encoded and sent by a
 // frontend to a backend.
 type Command struct {
@@ -53,9 +60,11 @@ type Command struct {
 	Login                 *oauth2.Token
 	Logout                *NoArgs
 	SetPrefs              *SetPrefsArgs
+	SetWantRunning        *bool
 	RequestEngineStatus   *NoArgs
 	RequestStatus         *NoArgs
 	FakeExpireAfter       *FakeExpireAfterArgs
+	Ping                  *PingArgs
 }
 
 type BackendServer struct {
@@ -74,11 +83,14 @@ func NewBackendServer(logf logger.Logf, b Backend, sendNotifyMsg func(b []byte))
 }
 
 func (bs *BackendServer) send(n Notify) {
-	n.Version = version.LONG
+	n.Version = version.Long
 	b, err := json.Marshal(n)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(notify): %v\n%#v", err, n)
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendServer.send notify message: %q", b)
+	}
 	bs.sendNotifyMsg(b)
 }
 
@@ -86,6 +98,17 @@ func (bs *BackendServer) SendErrorMessage(msg string) {
 	bs.send(Notify{ErrMessage: &msg})
 }
 
+// SendInUseOtherUserErrorMessage sends a Notify message to the client that
+// both sets the state to 'InUseOtherUser' and sets the associated reason
+// to msg.
+func (bs *BackendServer) SendInUseOtherUserErrorMessage(msg string) {
+	inUse := InUseOtherUser
+	bs.send(Notify{
+		State:      &inUse,
+		ErrMessage: &msg,
+	})
+}
+
 // GotCommandMsg parses the incoming message b as a JSON Command and
 // calls GotCommand with it.
 func (bs *BackendServer) GotCommandMsg(b []byte) error {
@@ -100,14 +123,14 @@ func (bs *BackendServer) GotCommandMsg(b []byte) error {
 }
 
 func (bs *BackendServer) GotFakeCommand(cmd *Command) error {
-	cmd.Version = version.LONG
+	cmd.Version = version.Long
 	return bs.GotCommand(cmd)
 }
 
 func (bs *BackendServer) GotCommand(cmd *Command) error {
-	if cmd.Version != version.LONG && !cmd.AllowVersionSkew {
+	if cmd.Version != version.Long && !cmd.AllowVersionSkew {
 		vs := fmt.Sprintf("GotCommand: Version mismatch! frontend=%#v backend=%#v",
-			cmd.Version, version.LONG)
+			cmd.Version, version.Long)
 		bs.logf("%s", vs)
 		// ignore the command, but send a message back to the
 		// caller so it can realize the version mismatch too.
@@ -139,6 +162,9 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 	} else if c := cmd.SetPrefs; c != nil {
 		bs.b.SetPrefs(c.New)
 		return nil
+	} else if c := cmd.SetWantRunning; c != nil {
+		bs.b.SetWantRunning(*c)
+		return nil
 	} else if c := cmd.RequestEngineStatus; c != nil {
 		bs.b.RequestEngineStatus()
 		return nil
@@ -148,6 +174,9 @@ func (bs *BackendServer) GotCommand(cmd *Command) error {
 	} else if c := cmd.FakeExpireAfter; c != nil {
 		bs.b.FakeExpireAfter(c.Duration)
 		return nil
+	} else if c := cmd.Ping; c != nil {
+		bs.b.Ping(c.IP)
+		return nil
 	} else {
 		return fmt.Errorf("BackendServer.Do: no command specified")
 	}
@@ -181,13 +210,16 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 		// not interesting
 		return
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendClient.GotNotifyMsg message: %q", b)
+	}
 	n := Notify{}
 	if err := json.Unmarshal(b, &n); err != nil {
 		log.Fatalf("BackendClient.Notify: cannot decode message (length=%d)\n%#v", len(b), string(b))
 	}
-	if n.Version != version.LONG && !bc.AllowVersionSkew {
+	if n.Version != version.Long && !bc.AllowVersionSkew {
 		vs := fmt.Sprintf("GotNotify: Version mismatch! frontend=%#v backend=%#v",
-			version.LONG, n.Version)
+			version.Long, n.Version)
 		bc.logf("%s", vs)
 		// delete anything in the notification except the version,
 		// to prevent incorrect operation.
@@ -202,11 +234,14 @@ func (bc *BackendClient) GotNotifyMsg(b []byte) {
 }
 
 func (bc *BackendClient) send(cmd Command) {
-	cmd.Version = version.LONG
+	cmd.Version = version.Long
 	b, err := json.Marshal(cmd)
 	if err != nil {
 		log.Fatalf("Failed json.Marshal(cmd): %v\n%#v\n", err, cmd)
 	}
+	if bytes.Contains(b, jsonEscapedZero) {
+		log.Printf("[unexpected] zero byte in BackendClient.send command: %q", b)
+	}
 	bc.sendCommandMsg(b)
 }
 
@@ -254,6 +289,14 @@ func (bc *BackendClient) FakeExpireAfter(x time.Duration) {
 	bc.send(Command{FakeExpireAfter: &FakeExpireAfterArgs{Duration: x}})
 }
 
+func (bc *BackendClient) Ping(ip string) {
+	bc.send(Command{Ping: &PingArgs{IP: ip}})
+}
+
+func (bc *BackendClient) SetWantRunning(v bool) {
+	bc.send(Command{SetWantRunning: &v})
+}
+
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20
 

ipn/prefs.go

@@ -11,6 +11,8 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strings"
 
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/atomicfile"
@@ -18,44 +20,57 @@ import (
 	"tailscale.com/wgengine/router"
 )
 
+//go:generate go run tailscale.com/cmd/cloner -type=Prefs -output=prefs_clone.go
+
 // Prefs are the user modifiable settings of the Tailscale node agent.
 type Prefs struct {
 	// ControlURL is the URL of the control server to use.
 	ControlURL string
+
 	// RouteAll specifies whether to accept subnet and default routes
 	// advertised by other nodes on the Tailscale network.
 	RouteAll bool
+
 	// AllowSingleHosts specifies whether to install routes for each
 	// node IP on the tailscale network, in addition to a route for
 	// the whole network.
+	// This corresponds to the "tailscale up --host-routes" value,
+	// which defaults to true.
 	//
 	// TODO(danderson): why do we have this? It dumps a lot of stuff
 	// into the routing table, and a single network route _should_ be
 	// all that we need. But when I turn this off in my tailscaled,
 	// packets stop flowing. What's up with that?
 	AllowSingleHosts bool
+
 	// CorpDNS specifies whether to install the Tailscale network's
 	// DNS configuration, if it exists.
 	CorpDNS bool
+
 	// WantRunning indicates whether networking should be active on
 	// this node.
 	WantRunning bool
+
 	// ShieldsUp indicates whether to block all incoming connections,
 	// regardless of the control-provided packet filter. If false, we
 	// use the packet filter as provided. If true, we block incoming
 	// connections.
 	ShieldsUp bool
+
 	// AdvertiseTags specifies groups that this node wants to join, for
 	// purposes of ACL enforcement. These can be referenced from the ACL
 	// security policy. Note that advertising a tag doesn't guarantee that
 	// the control server will allow you to take on the rights for that
 	// tag.
 	AdvertiseTags []string
+
 	// Hostname is the hostname to use for identifying the node. If
 	// not set, os.Hostname is used.
 	Hostname string
+
 	// OSVersion overrides tailcfg.Hostinfo's OSVersion.
 	OSVersion string
+
 	// DeviceModel overrides tailcfg.Hostinfo's DeviceModel.
 	DeviceModel string
 
@@ -67,8 +82,17 @@ type Prefs struct {
 	// users narrow it down a bit.
 	NotepadURLs bool
 
-	// DisableDERP prevents DERP from being used.
-	DisableDERP bool
+	// ForceDaemon specifies whether a platform that normally
+	// operates in "client mode" (that is, requires an active user
+	// logged in with the GUI app running) should keep running after the
+	// GUI ends and/or the user logs out.
+	//
+	// The only current applicable platform is Windows. This
+	// forced Windows to go into "server mode" where Tailscale is
+	// running even with no users logged in. This might also be
+	// used for macOS in the future. This setting has no effect
+	// for Linux/etc, which always operate in daemon mode.
+	ForceDaemon bool `json:"ForceDaemon,omitempty"`
 
 	// The following block of options only have an effect on Linux.
 
@@ -76,6 +100,7 @@ type Prefs struct {
 	// Tailscale network as reachable through the current
 	// node.
 	AdvertiseRoutes []wgcfg.CIDR
+
 	// NoSNAT specifies whether to source NAT traffic going to
 	// destinations in AdvertiseRoutes. The default is to apply source
 	// NAT, which makes the traffic appear to come from the router
@@ -87,6 +112,7 @@ type Prefs struct {
 	//
 	// Linux-only.
 	NoSNAT bool
+
 	// NetfilterMode specifies how much to manage netfilter rules for
 	// Tailscale, if at all.
 	NetfilterMode router.NetfilterMode
@@ -102,16 +128,46 @@ type Prefs struct {
 // IsEmpty reports whether p is nil or pointing to a Prefs zero value.
 func (p *Prefs) IsEmpty() bool { return p == nil || p.Equals(&Prefs{}) }
 
-func (p *Prefs) Pretty() string {
-	var pp string
-	if p.Persist != nil {
-		pp = p.Persist.Pretty()
-	} else {
-		pp = "Persist=nil"
+func (p *Prefs) Pretty() string { return p.pretty(runtime.GOOS) }
+func (p *Prefs) pretty(goos string) string {
+	var sb strings.Builder
+	sb.WriteString("Prefs{")
+	fmt.Fprintf(&sb, "ra=%v ", p.RouteAll)
+	if !p.AllowSingleHosts {
+		sb.WriteString("mesh=false ")
 	}
-	return fmt.Sprintf("Prefs{ra=%v mesh=%v dns=%v want=%v notepad=%v derp=%v shields=%v routes=%v snat=%v nf=%v %v}",
-		p.RouteAll, p.AllowSingleHosts, p.CorpDNS, p.WantRunning,
-		p.NotepadURLs, !p.DisableDERP, p.ShieldsUp, p.AdvertiseRoutes, !p.NoSNAT, p.NetfilterMode, pp)
+	fmt.Fprintf(&sb, "dns=%v want=%v ", p.CorpDNS, p.WantRunning)
+	if p.ForceDaemon {
+		sb.WriteString("server=true ")
+	}
+	if p.NotepadURLs {
+		sb.WriteString("notepad=true ")
+	}
+	if p.ShieldsUp {
+		sb.WriteString("shields=true ")
+	}
+	if len(p.AdvertiseRoutes) > 0 || goos == "linux" {
+		fmt.Fprintf(&sb, "routes=%v ", p.AdvertiseRoutes)
+	}
+	if len(p.AdvertiseRoutes) > 0 || p.NoSNAT {
+		fmt.Fprintf(&sb, "snat=%v ", !p.NoSNAT)
+	}
+	if len(p.AdvertiseTags) > 0 {
+		fmt.Fprintf(&sb, "tags=%s ", strings.Join(p.AdvertiseTags, ","))
+	}
+	if goos == "linux" {
+		fmt.Fprintf(&sb, "nf=%v ", p.NetfilterMode)
+	}
+	if p.ControlURL != "" && p.ControlURL != "https://login.tailscale.com" {
+		fmt.Fprintf(&sb, "url=%q ", p.ControlURL)
+	}
+	if p.Persist != nil {
+		sb.WriteString(p.Persist.Pretty())
+	} else {
+		sb.WriteString("Persist=nil")
+	}
+	sb.WriteString("}")
+	return sb.String()
 }
 
 func (p *Prefs) ToBytes() []byte {
@@ -137,13 +193,13 @@ func (p *Prefs) Equals(p2 *Prefs) bool {
 		p.CorpDNS == p2.CorpDNS &&
 		p.WantRunning == p2.WantRunning &&
 		p.NotepadURLs == p2.NotepadURLs &&
-		p.DisableDERP == p2.DisableDERP &&
 		p.ShieldsUp == p2.ShieldsUp &&
 		p.NoSNAT == p2.NoSNAT &&
 		p.NetfilterMode == p2.NetfilterMode &&
 		p.Hostname == p2.Hostname &&
 		p.OSVersion == p2.OSVersion &&
 		p.DeviceModel == p2.DeviceModel &&
+		p.ForceDaemon == p2.ForceDaemon &&
 		compareIPNets(p.AdvertiseRoutes, p2.AdvertiseRoutes) &&
 		compareStrings(p.AdvertiseTags, p2.AdvertiseTags) &&
 		p.Persist.Equals(p2.Persist)
@@ -213,26 +269,16 @@ func PrefsFromBytes(b []byte, enforceDefaults bool) (*Prefs, error) {
 	return p, err
 }
 
-// Clone returns a deep copy of p.
-func (p *Prefs) Clone() *Prefs {
-	// TODO: write a faster/non-Fatal-y Clone implementation?
-	p2, err := PrefsFromBytes(p.ToBytes(), false)
-	if err != nil {
-		log.Fatalf("Prefs was uncopyable: %v\n", err)
-	}
-	return p2
-}
-
 // LoadPrefs loads a legacy relaynode config file into Prefs
 // with sensible migration defaults set.
 func LoadPrefs(filename string) (*Prefs, error) {
 	data, err := ioutil.ReadFile(filename)
 	if err != nil {
-		return nil, fmt.Errorf("loading prefs from %q: %v", filename, err)
+		return nil, fmt.Errorf("LoadPrefs open: %w", err) // err includes path
 	}
 	p, err := PrefsFromBytes(data, false)
 	if err != nil {
-		return nil, fmt.Errorf("decoding prefs in %q: %v", filename, err)
+		return nil, fmt.Errorf("LoadPrefs(%q) decode: %w", filename, err)
 	}
 	return p, nil
 }

ipn/prefs_clone.go

@@ -0,0 +1,51 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type Prefs; DO NOT EDIT.
+
+package ipn
+
+import (
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"tailscale.com/control/controlclient"
+	"tailscale.com/wgengine/router"
+)
+
+// Clone makes a deep copy of Prefs.
+// The result aliases no memory with the original.
+func (src *Prefs) Clone() *Prefs {
+	if src == nil {
+		return nil
+	}
+	dst := new(Prefs)
+	*dst = *src
+	dst.AdvertiseTags = append(src.AdvertiseTags[:0:0], src.AdvertiseTags...)
+	dst.AdvertiseRoutes = append(src.AdvertiseRoutes[:0:0], src.AdvertiseRoutes...)
+	if dst.Persist != nil {
+		dst.Persist = new(controlclient.Persist)
+		*dst.Persist = *src.Persist
+	}
+	return dst
+}
+
+// A compilation failure here means this code must be regenerated, with command:
+//   tailscale.com/cmd/cloner -type Prefs
+var _PrefsNeedsRegeneration = Prefs(struct {
+	ControlURL       string
+	RouteAll         bool
+	AllowSingleHosts bool
+	CorpDNS          bool
+	WantRunning      bool
+	ShieldsUp        bool
+	AdvertiseTags    []string
+	Hostname         string
+	OSVersion        string
+	DeviceModel      string
+	NotepadURLs      bool
+	ForceDaemon      bool
+	AdvertiseRoutes  []wgcfg.CIDR
+	NoSNAT           bool
+	NetfilterMode    router.NetfilterMode
+	Persist          *controlclient.Persist
+}{})

ipn/prefs_test.go

@@ -5,8 +5,12 @@
 package ipn
 
 import (
+	"errors"
+	"fmt"
+	"os"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/tailscale/wireguard-go/wgcfg"
 	"tailscale.com/control/controlclient"
@@ -24,7 +28,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 func TestPrefsEqual(t *testing.T) {
 	tstest.PanicOnLog()
 
-	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "DisableDERP", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
+	prefsHandles := []string{"ControlURL", "RouteAll", "AllowSingleHosts", "CorpDNS", "WantRunning", "ShieldsUp", "AdvertiseTags", "Hostname", "OSVersion", "DeviceModel", "NotepadURLs", "ForceDaemon", "AdvertiseRoutes", "NoSNAT", "NetfilterMode", "Persist"}
 	if have := fieldsOf(reflect.TypeOf(Prefs{})); !reflect.DeepEqual(have, prefsHandles) {
 		t.Errorf("Prefs.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, prefsHandles)
@@ -278,3 +282,92 @@ func TestPrefsPersist(t *testing.T) {
 	}
 	checkPrefs(t, p)
 }
+
+func TestPrefsPretty(t *testing.T) {
+	tests := []struct {
+		p    Prefs
+		os   string
+		want string
+	}{
+		{
+			Prefs{},
+			"linux",
+			"Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist=nil}",
+		},
+		{
+			Prefs{},
+			"windows",
+			"Prefs{ra=false mesh=false dns=false want=false Persist=nil}",
+		},
+		{
+			Prefs{ShieldsUp: true},
+			"windows",
+			"Prefs{ra=false mesh=false dns=false want=false shields=true Persist=nil}",
+		},
+		{
+			Prefs{AllowSingleHosts: true},
+			"windows",
+			"Prefs{ra=false dns=false want=false Persist=nil}",
+		},
+		{
+			Prefs{
+				NotepadURLs:      true,
+				AllowSingleHosts: true,
+			},
+			"windows",
+			"Prefs{ra=false dns=false want=false notepad=true Persist=nil}",
+		},
+		{
+			Prefs{
+				AllowSingleHosts: true,
+				WantRunning:      true,
+				ForceDaemon:      true, // server mode
+			},
+			"windows",
+			"Prefs{ra=false dns=false want=true server=true Persist=nil}",
+		},
+		{
+			Prefs{
+				AllowSingleHosts: true,
+				WantRunning:      true,
+				ControlURL:       "http://localhost:1234",
+				AdvertiseTags:    []string{"tag:foo", "tag:bar"},
+			},
+			"darwin",
+			`Prefs{ra=false dns=false want=true tags=tag:foo,tag:bar url="http://localhost:1234" Persist=nil}`,
+		},
+		{
+			Prefs{
+				Persist: &controlclient.Persist{},
+			},
+			"linux",
+			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist{lm=, o=, n= u=""}}`,
+		},
+		{
+			Prefs{
+				Persist: &controlclient.Persist{
+					PrivateNodeKey: wgcfg.PrivateKey{1: 1},
+				},
+			},
+			"linux",
+			`Prefs{ra=false mesh=false dns=false want=false routes=[] nf=off Persist{lm=, o=, n=[B1VKl] u=""}}`,
+		},
+	}
+	for i, tt := range tests {
+		got := tt.p.pretty(tt.os)
+		if got != tt.want {
+			t.Errorf("%d. wrong String:\n got: %s\nwant: %s\n", i, got, tt.want)
+		}
+	}
+}
+
+func TestLoadPrefsNotExist(t *testing.T) {
+	bogusFile := fmt.Sprintf("/tmp/not-exist-%d", time.Now().UnixNano())
+
+	p, err := LoadPrefs(bogusFile)
+	if errors.Is(err, os.ErrNotExist) {
+		// expected.
+		return
+	}
+	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
+}

ipn/store.go

@@ -5,9 +5,12 @@
 package ipn
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
+	"log"
 	"os"
 	"path/filepath"
 	"sync"
@@ -19,6 +22,30 @@ import (
 // requested state ID doesn't exist.
 var ErrStateNotExist = errors.New("no state with given ID")
 
+const (
+	// MachineKeyStateKey is the key under which we store the machine key,
+	// in its wgcfg.PrivateKey.MarshalText representation.
+	MachineKeyStateKey = StateKey("_machinekey")
+
+	// GlobalDaemonStateKey is the ipn.StateKey that tailscaled
+	// loads on startup.
+	//
+	// We have to support multiple state keys for other OSes (Windows in
+	// particular), but right now Unix daemons run with a single
+	// node-global state. To keep open the option of having per-user state
+	// later, the global state key doesn't look like a username.
+	GlobalDaemonStateKey = StateKey("_daemon")
+
+	// ServerModeStartKey's value, if non-empty, is the value of a
+	// StateKey containing the prefs to start with which to start the
+	// server.
+	//
+	// For example, the value might be "user-1234", meaning the
+	// the server should start with the Prefs JSON loaded from
+	// StateKey "user-1234".
+	ServerModeStartKey = StateKey("server-mode-start-key")
+)
+
 // StateStore persists state, and produces it back on request.
 type StateStore interface {
 	// ReadState returns the bytes associated with ID. Returns (nil,
@@ -34,6 +61,8 @@ type MemoryStore struct {
 	cache map[StateKey][]byte
 }
 
+func (s *MemoryStore) String() string { return "MemoryStore" }
+
 // ReadState implements the StateStore interface.
 func (s *MemoryStore) ReadState(id StateKey) ([]byte, error) {
 	s.mu.Lock()
@@ -67,9 +96,19 @@ type FileStore struct {
 	cache map[StateKey][]byte
 }
 
+func (s *FileStore) String() string { return fmt.Sprintf("FileStore(%q)", s.path) }
+
 // NewFileStore returns a new file store that persists to path.
 func NewFileStore(path string) (*FileStore, error) {
 	bs, err := ioutil.ReadFile(path)
+
+	// Treat an empty file as a missing file.
+	// (https://github.com/tailscale/tailscale/issues/895#issuecomment-723255589)
+	if err == nil && len(bs) == 0 {
+		log.Printf("ipn.NewFileStore(%q): file empty; treating it like a missing file [warning]", path)
+		err = os.ErrNotExist
+	}
+
 	if err != nil {
 		if os.IsNotExist(err) {
 			// Write out an initial file, to verify that we can write
@@ -112,6 +151,9 @@ func (s *FileStore) ReadState(id StateKey) ([]byte, error) {
 func (s *FileStore) WriteState(id StateKey, bs []byte) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
+	if bytes.Equal(s.cache[id], bs) {
+		return nil
+	}
 	s.cache[id] = append([]byte(nil), bs...)
 	bs, err := json.MarshalIndent(s.cache, "", "  ")
 	if err != nil {

log/filelogger/log.go

@@ -0,0 +1,199 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package filelogger provides localdisk log writing & rotation, primarily for Windows
+// clients. (We get this for free on other platforms.)
+package filelogger
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/types/logger"
+)
+
+const (
+	maxSize  = 100 << 20
+	maxFiles = 50
+)
+
+// New returns a logf wrapper that appends to local disk log
+// files on Windows, rotating old log files as needed to stay under
+// file count & byte limits.
+func New(fileBasePrefix, logID string, logf logger.Logf) logger.Logf {
+	if runtime.GOOS != "windows" {
+		panic("not yet supported on any platform except Windows")
+	}
+	if logf == nil {
+		panic("nil logf")
+	}
+	dir := filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "Logs")
+
+	if err := os.MkdirAll(dir, 0700); err != nil {
+		log.Printf("failed to create local log directory; not writing logs to disk: %v", err)
+		return logf
+	}
+	logf("local disk logdir: %v", dir)
+	lfw := &logFileWriter{
+		fileBasePrefix: fileBasePrefix,
+		logID:          logID,
+		dir:            dir,
+		wrappedLogf:    logf,
+	}
+	return lfw.Logf
+}
+
+// logFileWriter is the state for the log writer & rotator.
+type logFileWriter struct {
+	dir            string      // e.g. `C:\Users\FooBarUser\AppData\Local\Tailscale\Logs`
+	logID          string      // hex logID
+	fileBasePrefix string      // e.g. "tailscale-service" or "tailscale-gui"
+	wrappedLogf    logger.Logf // underlying logger to send to
+
+	mu   sync.Mutex   // guards following
+	buf  bytes.Buffer // scratch buffer to avoid allocs
+	fday civilDay     // day that f was opened; zero means no file yet open
+	f    *os.File     // file currently opened for append
+}
+
+// civilDay is a year, month, and day in the local timezone.
+// It's a comparable value type.
+type civilDay struct {
+	year  int
+	month time.Month
+	day   int
+}
+
+func dayOf(t time.Time) civilDay {
+	return civilDay{t.Year(), t.Month(), t.Day()}
+}
+
+func (w *logFileWriter) Logf(format string, a ...interface{}) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	w.buf.Reset()
+	fmt.Fprintf(&w.buf, format, a...)
+	if w.buf.Len() == 0 {
+		return
+	}
+	out := w.buf.Bytes()
+	w.wrappedLogf("%s", out)
+
+	// Make sure there's a final newline before we write to the log file.
+	if out[len(out)-1] != '\n' {
+		w.buf.WriteByte('\n')
+		out = w.buf.Bytes()
+	}
+
+	w.appendToFileLocked(out)
+}
+
+// out should end in a newline.
+// w.mu must be held.
+func (w *logFileWriter) appendToFileLocked(out []byte) {
+	now := time.Now()
+	day := dayOf(now)
+	if w.fday != day {
+		w.startNewFileLocked()
+	}
+	if w.f != nil {
+		// RFC3339Nano but with a fixed number (3) of nanosecond digits:
+		const formatPre = "2006-01-02T15:04:05"
+		const formatPost = "Z07:00"
+		fmt.Fprintf(w.f, "%s.%03d%s: %s",
+			now.Format(formatPre),
+			now.Nanosecond()/int(time.Millisecond/time.Nanosecond),
+			now.Format(formatPost),
+			out)
+	}
+}
+
+// startNewFileLocked opens a new log file for writing
+// and also cleans up any old files.
+//
+// w.mu must be held.
+func (w *logFileWriter) startNewFileLocked() {
+	var oldName string
+	if w.f != nil {
+		oldName = filepath.Base(w.f.Name())
+		w.f.Close()
+		w.f = nil
+		w.fday = civilDay{}
+	}
+	w.cleanLocked()
+
+	now := time.Now()
+	day := dayOf(now)
+	name := filepath.Join(w.dir, fmt.Sprintf("%s-%04d%02d%02dT%02d%02d%02d-%d.txt",
+		w.fileBasePrefix,
+		day.year,
+		day.month,
+		day.day,
+		now.Hour(),
+		now.Minute(),
+		now.Second(),
+		now.Unix()))
+	var err error
+	w.f, err = os.Create(name)
+	if err != nil {
+		w.wrappedLogf("failed to create log file: %v", err)
+		return
+	}
+	if oldName != "" {
+		fmt.Fprintf(w.f, "(logID %q; continued from log file %s)\n", w.logID, oldName)
+	} else {
+		fmt.Fprintf(w.f, "(logID %q)\n", w.logID)
+	}
+	w.fday = day
+}
+
+// cleanLocked cleans up old log files.
+//
+// w.mu must be held.
+func (w *logFileWriter) cleanLocked() {
+	fis, _ := ioutil.ReadDir(w.dir)
+	prefix := w.fileBasePrefix + "-"
+	fileSize := map[string]int64{}
+	var files []string
+	var sumSize int64
+	for _, fi := range fis {
+		baseName := filepath.Base(fi.Name())
+		if !strings.HasPrefix(baseName, prefix) {
+			continue
+		}
+		size := fi.Size()
+		fileSize[baseName] = size
+		sumSize += size
+		files = append(files, baseName)
+	}
+	if sumSize > maxSize {
+		w.wrappedLogf("cleaning log files; sum byte count %d > %d", sumSize, maxSize)
+	}
+	if len(files) > maxFiles {
+		w.wrappedLogf("cleaning log files; number of files %d > %d", len(files), maxFiles)
+	}
+	for (sumSize > maxSize || len(files) > maxFiles) && len(files) > 0 {
+		target := files[0]
+		files = files[1:]
+
+		targetSize := fileSize[target]
+		targetFull := filepath.Join(w.dir, target)
+		err := os.Remove(targetFull)
+		if err != nil {
+			w.wrappedLogf("error cleaning log file: %v", err)
+		} else {
+			sumSize -= targetSize
+			w.wrappedLogf("cleaned log file %s (size %d); new bytes=%v, files=%v", targetFull, targetSize, sumSize, len(files))
+		}
+	}
+}

log/logheap/logheap.go

@@ -15,15 +15,18 @@ import (
 	"time"
 )
 
-// LogHeap writes a JSON logtail record with the base64 heap pprof to
-// os.Stderr.
+// LogHeap uploads a JSON logtail record with the base64 heap pprof by means
+// of an HTTP POST request to the endpoint referred to in postURL.
 func LogHeap(postURL string) {
 	if postURL == "" {
 		return
 	}
 	runtime.GC()
 	buf := new(bytes.Buffer)
-	pprof.WriteHeapProfile(buf)
+	if err := pprof.WriteHeapProfile(buf); err != nil {
+		log.Printf("LogHeap: %v", err)
+		return
+	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()

logpolicy/logpolicy.go

@@ -31,6 +31,8 @@ import (
 	"tailscale.com/logtail/filch"
 	"tailscale.com/net/netns"
 	"tailscale.com/net/tlsdial"
+	"tailscale.com/net/tshttpproxy"
+	"tailscale.com/paths"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
 	"tailscale.com/version"
@@ -103,12 +105,23 @@ func (l logWriter) Write(buf []byte) (int, error) {
 // logsDir returns the directory to use for log configuration and
 // buffer storage.
 func logsDir(logf logger.Logf) string {
+	// STATE_DIRECTORY is set by systemd 240+ but we support older
+	// systems-d. For example, Ubuntu 18.04 (Bionic Beaver) is 237.
 	systemdStateDir := os.Getenv("STATE_DIRECTORY")
 	if systemdStateDir != "" {
 		logf("logpolicy: using $STATE_DIRECTORY, %q", systemdStateDir)
 		return systemdStateDir
 	}
 
+	// Default to e.g. /var/lib/tailscale or /var/db/tailscale on Unix.
+	if d := paths.DefaultTailscaledStateFile(); d != "" {
+		d = filepath.Dir(d) // directory of e.g. "/var/lib/tailscale/tailscaled.state"
+		if err := os.MkdirAll(d, 0700); err == nil {
+			logf("logpolicy: using system state directory %q", d)
+			return d
+		}
+	}
+
 	cacheDir, err := os.UserCacheDir()
 	if err == nil {
 		d := filepath.Join(cacheDir, "Tailscale")
@@ -302,6 +315,9 @@ func New(collection string) *Policy {
 	} else {
 		lflags = log.LstdFlags
 	}
+	if v, _ := strconv.ParseBool(os.Getenv("TS_DEBUG_LOG_TIME")); v {
+		lflags = log.LstdFlags | log.Lmicroseconds
+	}
 	if runningUnderSystemd() {
 		// If journalctl is going to prepend its own timestamp
 		// anyway, no need to add one.
@@ -343,7 +359,7 @@ func New(collection string) *Policy {
 		newc.PrivateID = logtail.PrivateID{}
 		newc.Collection = collection
 	}
-	if newc.PrivateID == (logtail.PrivateID{}) {
+	if newc.PrivateID.IsZero() {
 		newc.PrivateID, err = logtail.NewPrivateID()
 		if err != nil {
 			log.Fatalf("logpolicy: NewPrivateID() should never fail")
@@ -379,7 +395,7 @@ func New(collection string) *Policy {
 	log.SetOutput(lw)
 
 	log.Printf("Program starting: v%v, Go %v: %#v",
-		version.LONG,
+		version.Long,
 		strings.TrimPrefix(runtime.Version(), "go"),
 		os.Args)
 	log.Printf("LogID: %v", newc.PublicID)
@@ -419,6 +435,9 @@ func newLogtailTransport(host string) *http.Transport {
 	// Start with a copy of http.DefaultTransport and tweak it a bit.
 	tr := http.DefaultTransport.(*http.Transport).Clone()
 
+	tr.Proxy = tshttpproxy.ProxyFromEnvironment
+	tshttpproxy.SetTransportGetProxyConnectHeader(tr)
+
 	// We do our own zstd compression on uploads, and responses never contain any payload,
 	// so don't send "Accept-Encoding: gzip" to save a few bytes on the wire, since there
 	// will never be any body to decompress:

logtail/filch/filch_test.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 	"unicode"
@@ -56,19 +56,8 @@ func (f *filchTest) close(t *testing.T) {
 	}
 }
 
-func genFilePrefix(t *testing.T) (dir, prefix string) {
-	t.Helper()
-	dir, err := ioutil.TempDir("", "filch")
-	if err != nil {
-		t.Fatal(err)
-	}
-	return dir, filepath.Join(dir, "ringbuffer-")
-}
-
 func TestQueue(t *testing.T) {
-	td, filePrefix := genFilePrefix(t)
-	defer os.RemoveAll(td)
-
+	filePrefix := t.TempDir()
 	f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 
 	f.readEOF(t)
@@ -90,8 +79,7 @@ func TestQueue(t *testing.T) {
 
 func TestRecover(t *testing.T) {
 	t.Run("empty", func(t *testing.T) {
-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.read(t, "hello")
@@ -104,8 +92,7 @@ func TestRecover(t *testing.T) {
 	})
 
 	t.Run("cur", func(t *testing.T) {
-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.close(t)
@@ -123,8 +110,7 @@ func TestRecover(t *testing.T) {
 		filch_test.go:129: r.ReadLine()="hello", want "world"
 		*/
 
-		td, filePrefix := genFilePrefix(t)
-		defer os.RemoveAll(td)
+		filePrefix := t.TempDir()
 		f := newFilchTest(t, filePrefix, Options{ReplaceStderr: false})
 		f.write(t, "hello")
 		f.read(t, "hello")
@@ -143,6 +129,14 @@ func TestRecover(t *testing.T) {
 }
 
 func TestFilchStderr(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		// TODO(bradfitz): this is broken on Windows but not
+		// fully sure why. Investigate.  But notably, the
+		// stderrFD variable (defined in filch.go) and set
+		// below is only ever read in filch_unix.go. So just
+		// skip this for test for now.
+		t.Skip("test broken on Windows")
+	}
 	pipeR, pipeW, err := os.Pipe()
 	if err != nil {
 		t.Fatal(err)
@@ -155,8 +149,7 @@ func TestFilchStderr(t *testing.T) {
 		stderrFD = 2
 	}()
 
-	td, filePrefix := genFilePrefix(t)
-	defer os.RemoveAll(td)
+	filePrefix := t.TempDir()
 	f := newFilchTest(t, filePrefix, Options{ReplaceStderr: true})
 	f.write(t, "hello")
 	if _, err := fmt.Fprintf(pipeW, "filch\n"); err != nil {

net/interfaces/interfaces.go

@@ -8,13 +8,20 @@ package interfaces
 import (
 	"fmt"
 	"net"
+	"net/http"
 	"reflect"
+	"sort"
 	"strings"
 
 	"inet.af/netaddr"
 	"tailscale.com/net/tsaddr"
+	"tailscale.com/net/tshttpproxy"
 )
 
+// LoginEndpointForProxyDetermination is the URL used for testing
+// which HTTP proxy the system should use.
+var LoginEndpointForProxyDetermination = "https://login.tailscale.com/"
+
 // Tailscale returns the current machine's Tailscale interface, if any.
 // If none is found, all zero values are returned.
 // A non-nil error is only returned on a problem listing the system interfaces.
@@ -43,7 +50,8 @@ func Tailscale() (net.IP, *net.Interface, error) {
 // maybeTailscaleInterfaceName reports whether s is an interface
 // name that might be used by Tailscale.
 func maybeTailscaleInterfaceName(s string) bool {
-	return strings.HasPrefix(s, "wg") ||
+	return s == "Tailscale" ||
+		strings.HasPrefix(s, "wg") ||
 		strings.HasPrefix(s, "ts") ||
 		strings.HasPrefix(s, "tailscale") ||
 		strings.HasPrefix(s, "utun")
@@ -153,35 +161,118 @@ type State struct {
 	InterfaceUp  map[string]bool
 
 	// HaveV6Global is whether this machine has an IPv6 global address
-	// on some interface.
+	// on some non-Tailscale interface that's up.
 	HaveV6Global bool
 
-	// HaveV4 is whether the machine has some non-localhost IPv4 address.
+	// HaveV4 is whether the machine has some non-localhost,
+	// non-link-local IPv4 address on a non-Tailscale interface that's up.
 	HaveV4 bool
 
 	// IsExpensive is whether the current network interface is
 	// considered "expensive", which currently means LTE/etc
 	// instead of Wifi. This field is not populated by GetState.
 	IsExpensive bool
+
+	// DefaultRouteInterface is the interface name for the machine's default route.
+	// It is not yet populated on all OSes.
+	// Its exact value should not be assumed to be a map key for
+	// the Interface maps above; it's only used for debugging.
+	DefaultRouteInterface string
+
+	// HTTPProxy is the HTTP proxy to use.
+	HTTPProxy string
+
+	// PAC is the URL to the Proxy Autoconfig URL, if applicable.
+	PAC string
+}
+
+func (s *State) String() string {
+	var sb strings.Builder
+	fmt.Fprintf(&sb, "interfaces.State{defaultRoute=%v ifs={", s.DefaultRouteInterface)
+	ifs := make([]string, 0, len(s.InterfaceUp))
+	for k := range s.InterfaceUp {
+		if allLoopbackIPs(s.InterfaceIPs[k]) {
+			continue
+		}
+		ifs = append(ifs, k)
+	}
+	sort.Slice(ifs, func(i, j int) bool {
+		upi, upj := s.InterfaceUp[ifs[i]], s.InterfaceUp[ifs[j]]
+		if upi != upj {
+			// Up sorts before down.
+			return upi
+		}
+		return ifs[i] < ifs[j]
+	})
+	for i, ifName := range ifs {
+		if i > 0 {
+			sb.WriteString(" ")
+		}
+		if s.InterfaceUp[ifName] {
+			fmt.Fprintf(&sb, "%s:[", ifName)
+			needSpace := false
+			for _, ip := range s.InterfaceIPs[ifName] {
+				if ip.IsLinkLocalUnicast() {
+					continue
+				}
+				if needSpace {
+					sb.WriteString(" ")
+				}
+				fmt.Fprintf(&sb, "%s", ip)
+				needSpace = true
+			}
+			sb.WriteString("]")
+		} else {
+			fmt.Fprintf(&sb, "%s:down", ifName)
+		}
+	}
+	sb.WriteString("}")
+
+	if s.IsExpensive {
+		sb.WriteString(" expensive")
+	}
+	if s.HTTPProxy != "" {
+		fmt.Fprintf(&sb, " httpproxy=%s", s.HTTPProxy)
+	}
+	if s.PAC != "" {
+		fmt.Fprintf(&sb, " pac=%s", s.PAC)
+	}
+	fmt.Fprintf(&sb, " v4=%v v6global=%v}", s.HaveV4, s.HaveV6Global)
+	return sb.String()
 }
 
 func (s *State) Equal(s2 *State) bool {
 	return reflect.DeepEqual(s, s2)
 }
 
+func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }
+
+// AnyInterfaceUp reports whether any interface seems like it has Internet access.
+func (s *State) AnyInterfaceUp() bool {
+	return s != nil && (s.HaveV4 || s.HaveV6Global)
+}
+
 // RemoveTailscaleInterfaces modifes s to remove any interfaces that
 // are owned by this process. (TODO: make this true; currently it
 // makes the Linux-only assumption that the interface is named
 // /^tailscale/)
 func (s *State) RemoveTailscaleInterfaces() {
 	for name := range s.InterfaceIPs {
-		if strings.HasPrefix(name, "tailscale") { // TODO: use --tun flag value, etc; see TODO in method doc
+		if isTailscaleInterfaceName(name) {
 			delete(s.InterfaceIPs, name)
 			delete(s.InterfaceUp, name)
 		}
 	}
 }
 
+func isTailscaleInterfaceName(name string) bool {
+	return name == "Tailscale" || // as it is on Windows
+		strings.HasPrefix(name, "tailscale") // TODO: use --tun flag value, etc; see TODO in method doc
+}
+
+// getPAC, if non-nil, returns the current PAC file URL.
+var getPAC func() string
+
 // GetState returns the state of all the current machine's network interfaces.
 //
 // It does not set the returned State.IsExpensive. The caller can populate that.
@@ -191,13 +282,31 @@ func GetState() (*State, error) {
 		InterfaceUp:  make(map[string]bool),
 	}
 	if err := ForeachInterfaceAddress(func(ni Interface, ip netaddr.IP) {
+		ifUp := ni.IsUp()
 		s.InterfaceIPs[ni.Name] = append(s.InterfaceIPs[ni.Name], ip)
-		s.InterfaceUp[ni.Name] = ni.IsUp()
-		s.HaveV6Global = s.HaveV6Global || isGlobalV6(ip)
-		s.HaveV4 = s.HaveV4 || (ip.Is4() && !ip.IsLoopback())
+		s.InterfaceUp[ni.Name] = ifUp
+		if ifUp && !ip.IsLoopback() && !ip.IsLinkLocalUnicast() && !isTailscaleInterfaceName(ni.Name) {
+			s.HaveV6Global = s.HaveV6Global || isGlobalV6(ip)
+			s.HaveV4 = s.HaveV4 || ip.Is4()
+		}
 	}); err != nil {
 		return nil, err
 	}
+	s.DefaultRouteInterface, _ = DefaultRouteInterface()
+
+	if s.AnyInterfaceUp() {
+		req, err := http.NewRequest("GET", LoginEndpointForProxyDetermination, nil)
+		if err != nil {
+			return nil, err
+		}
+		if u, err := tshttpproxy.ProxyFromEnvironment(req); err == nil && u != nil {
+			s.HTTPProxy = u.String()
+		}
+		if getPAC != nil {
+			s.PAC = getPAC()
+		}
+	}
+
 	return s, nil
 }
 
@@ -287,3 +396,15 @@ var (
 	linkLocalIPv4 = mustCIDR("169.254.0.0/16")
 	v6Global1     = mustCIDR("2000::/3")
 )
+
+func allLoopbackIPs(ips []netaddr.IP) bool {
+	if len(ips) == 0 {
+		return false
+	}
+	for _, ip := range ips {
+		if !ip.IsLoopback() {
+			return false
+		}
+	}
+	return true
+}

net/interfaces/interfaces_darwin_cgo.go

@@ -105,8 +105,6 @@ import "C"
 
 import (
 	"encoding/binary"
-	"fmt"
-	"os"
 
 	"inet.af/netaddr"
 )
@@ -117,7 +115,6 @@ func init() {
 
 func likelyHomeRouterIPDarwinSyscall() (ret netaddr.IP, ok bool) {
 	ip := C.privateGatewayIP()
-	fmt.Fprintln(os.Stderr, "likelyHomeRouterIPDarwinSyscall", ip)
 	if ip < 255 {
 		return netaddr.IP{}, false
 	}

net/interfaces/interfaces_defaultrouteif_todo.go

@@ -0,0 +1,15 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !linux,!windows
+
+package interfaces
+
+import "errors"
+
+var errTODO = errors.New("TODO")
+
+func DefaultRouteInterface() (string, error) {
+	return "TODO", errTODO
+}

net/interfaces/interfaces_linux.go

@@ -5,10 +5,15 @@
 package interfaces
 
 import (
+	"bufio"
 	"bytes"
+	"errors"
+	"io"
 	"log"
+	"os"
 	"os/exec"
 	"runtime"
+	"strings"
 
 	"go4.org/mem"
 	"inet.af/netaddr"
@@ -115,3 +120,91 @@ func likelyHomeRouterIPAndroid() (ret netaddr.IP, ok bool) {
 	cmd.Wait()
 	return ret, !ret.IsZero()
 }
+
+// DefaultRouteInterface returns the name of the network interface that owns
+// the default route, not including any tailscale interfaces.
+func DefaultRouteInterface() (string, error) {
+	v, err := defaultRouteInterfaceProcNet()
+	if err == nil {
+		return v, nil
+	}
+	if runtime.GOOS == "android" {
+		return defaultRouteInterfaceAndroidIPRoute()
+	}
+	return v, err
+}
+
+var zeroRouteBytes = []byte("00000000")
+
+func defaultRouteInterfaceProcNet() (string, error) {
+	f, err := os.Open("/proc/net/route")
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+	br := bufio.NewReaderSize(f, 128)
+	for {
+		line, err := br.ReadSlice('\n')
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return "", err
+		}
+		if !bytes.Contains(line, zeroRouteBytes) {
+			continue
+		}
+		fields := strings.Fields(string(line))
+		ifc := fields[0]
+		ip := fields[1]
+		netmask := fields[7]
+
+		if strings.HasPrefix(ifc, "tailscale") ||
+			strings.HasPrefix(ifc, "wg") {
+			continue
+		}
+		if ip == "00000000" && netmask == "00000000" {
+			// default route
+			return ifc, nil // interface name
+		}
+	}
+
+	return "", errors.New("no default routes found")
+
+}
+
+// defaultRouteInterfaceAndroidIPRoute tries to find the machine's default route interface name
+// by parsing the "ip route" command output. We use this on Android where /proc/net/route
+// can be missing entries or have locked-down permissions.
+// See also comments in https://github.com/tailscale/tailscale/pull/666.
+func defaultRouteInterfaceAndroidIPRoute() (ifname string, err error) {
+	cmd := exec.Command("/system/bin/ip", "route", "show", "table", "0")
+	out, err := cmd.StdoutPipe()
+	if err != nil {
+		return "", err
+	}
+	if err := cmd.Start(); err != nil {
+		log.Printf("interfaces: running /system/bin/ip: %v", err)
+		return "", err
+	}
+	// Search for line like "default via 10.0.2.2 dev radio0 table 1016 proto static mtu 1500 "
+	lineread.Reader(out, func(line []byte) error {
+		const pfx = "default via "
+		if !mem.HasPrefix(mem.B(line), mem.S(pfx)) {
+			return nil
+		}
+		ff := strings.Fields(string(line))
+		for i, v := range ff {
+			if i > 0 && ff[i-1] == "dev" && ifname == "" {
+				ifname = v
+			}
+		}
+		return nil
+	})
+	cmd.Process.Kill()
+	cmd.Wait()
+	if ifname == "" {
+		return "", errors.New("no default routes found")
+	}
+	return ifname, nil
+}

net/interfaces/interfaces_linux_test.go

@@ -0,0 +1,16 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package interfaces
+
+import "testing"
+
+func BenchmarkDefaultRouteInterface(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		if _, err := DefaultRouteInterface(); err != nil {
+			b.Fatal(err)
+		}
+	}
+}

net/interfaces/interfaces_test.go

@@ -35,6 +35,7 @@ func TestGetState(t *testing.T) {
 		t.Fatal(err)
 	}
 	t.Logf("Got: %#v", st)
+	t.Logf("As string: %s", st)
 
 	st2, err := GetState()
 	if err != nil {
@@ -46,6 +47,9 @@ func TestGetState(t *testing.T) {
 		// the two GetState calls.
 		t.Fatal("two States back-to-back were not equal")
 	}
+
+	st.RemoveTailscaleInterfaces()
+	t.Logf("As string without Tailscale:\n\t%s", st)
 }
 
 func TestLikelyHomeRouterIP(t *testing.T) {

net/interfaces/interfaces_windows.go

@@ -5,16 +5,24 @@
 package interfaces
 
 import (
+	"fmt"
+	"log"
+	"net/url"
 	"os/exec"
 	"syscall"
+	"unsafe"
 
 	"go4.org/mem"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"inet.af/netaddr"
+	"tailscale.com/tsconst"
 	"tailscale.com/util/lineread"
 )
 
 func init() {
 	likelyHomeRouterIP = likelyHomeRouterIPWindows
+	getPAC = getPACWindows
 }
 
 /*
@@ -71,3 +79,118 @@ func likelyHomeRouterIPWindows() (ret netaddr.IP, ok bool) {
 	})
 	return ret, !ret.IsZero()
 }
+
+// NonTailscaleMTUs returns a map of interface LUID to interface MTU,
+// for all interfaces except Tailscale tunnels.
+func NonTailscaleMTUs() (map[winipcfg.LUID]uint32, error) {
+	mtus := map[winipcfg.LUID]uint32{}
+	ifs, err := NonTailscaleInterfaces()
+	for luid, iface := range ifs {
+		mtus[luid] = iface.MTU
+	}
+	return mtus, err
+}
+
+// NonTailscaleInterfaces returns a map of interface LUID to interface
+// for all interfaces except Tailscale tunnels.
+func NonTailscaleInterfaces() (map[winipcfg.LUID]*winipcfg.IPAdapterAddresses, error) {
+	ifs, err := winipcfg.GetAdaptersAddresses(windows.AF_UNSPEC, winipcfg.GAAFlagIncludeAllInterfaces)
+	if err != nil {
+		return nil, err
+	}
+
+	ret := map[winipcfg.LUID]*winipcfg.IPAdapterAddresses{}
+	for _, iface := range ifs {
+		if iface.Description() == tsconst.WintunInterfaceDesc {
+			continue
+		}
+		ret[iface.LUID] = iface
+	}
+
+	return ret, nil
+}
+
+// GetWindowsDefault returns the interface that has the non-Tailscale
+// default route for the given address family.
+//
+// It returns (nil, nil) if no interface is found.
+func GetWindowsDefault(family winipcfg.AddressFamily) (*winipcfg.IPAdapterAddresses, error) {
+	ifs, err := NonTailscaleInterfaces()
+	if err != nil {
+		return nil, err
+	}
+
+	routes, err := winipcfg.GetIPForwardTable2(family)
+	if err != nil {
+		return nil, err
+	}
+
+	bestMetric := ^uint32(0)
+	var bestIface *winipcfg.IPAdapterAddresses
+	for _, route := range routes {
+		iface := ifs[route.InterfaceLUID]
+		if route.DestinationPrefix.PrefixLength != 0 || iface == nil {
+			continue
+		}
+		if iface.OperStatus == winipcfg.IfOperStatusUp && route.Metric < bestMetric {
+			bestMetric = route.Metric
+			bestIface = iface
+		}
+	}
+
+	return bestIface, nil
+}
+
+func DefaultRouteInterface() (string, error) {
+	iface, err := GetWindowsDefault(windows.AF_INET)
+	if err != nil {
+		return "", err
+	}
+	if iface == nil {
+		return "(none)", nil
+	}
+	return fmt.Sprintf("%s (%s)", iface.FriendlyName(), iface.Description()), nil
+}
+
+var (
+	winHTTP                  = windows.NewLazySystemDLL("winhttp.dll")
+	detectAutoProxyConfigURL = winHTTP.NewProc("WinHttpDetectAutoProxyConfigUrl")
+
+	kernel32   = windows.NewLazySystemDLL("kernel32.dll")
+	globalFree = kernel32.NewProc("GlobalFree")
+)
+
+const (
+	winHTTP_AUTO_DETECT_TYPE_DHCP  = 0x00000001
+	winHTTP_AUTO_DETECT_TYPE_DNS_A = 0x00000002
+)
+
+func getPACWindows() string {
+	var res *uint16
+	r, _, e := detectAutoProxyConfigURL.Call(
+		winHTTP_AUTO_DETECT_TYPE_DHCP|winHTTP_AUTO_DETECT_TYPE_DNS_A,
+		uintptr(unsafe.Pointer(&res)),
+	)
+	if r == 1 {
+		if res == nil {
+			log.Printf("getPACWindows: unexpected success with nil result")
+			return ""
+		}
+		defer globalFree.Call(uintptr(unsafe.Pointer(res)))
+		s := windows.UTF16PtrToString(res)
+		if _, err := url.Parse(s); err != nil {
+			log.Printf("getPACWindows: invalid URL %q from winhttp; ignoring", s)
+			return ""
+		}
+		return s
+	}
+	const (
+		ERROR_WINHTTP_AUTODETECTION_FAILED = 12180
+	)
+	if e == syscall.Errno(ERROR_WINHTTP_AUTODETECTION_FAILED) {
+		// Common case on networks without advertised PAC.
+		return ""
+	}
+	log.Printf("getPACWindows: %T=%v", e, e) // syscall.Errno=0x....
+	return ""
+}

net/interfaces/interfaces_windows_test.go

@@ -0,0 +1,17 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package interfaces
+
+import "testing"
+
+func BenchmarkGetPACWindows(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		v := getPACWindows()
+		if i == 0 {
+			b.Logf("Got: %q", v)
+		}
+	}
+}

net/netcheck/netcheck.go

@@ -156,6 +156,15 @@ type Client struct {
 	// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
 	GetSTUNConn6 func() STUNConn
 
+	// SkipExternalNetwork controls whether the client should not try
+	// to reach things other than localhost. This is set to true
+	// in tests to avoid probing the local LAN's router, etc.
+	SkipExternalNetwork bool
+
+	// UDPBindAddr, if non-empty, is the address to listen on for UDP.
+	// It defaults to ":0".
+	UDPBindAddr string
+
 	mu       sync.Mutex            // guards following
 	nextFull bool                  // do a full region scan, even if last != nil
 	prev     map[time.Time]*Report // some previous reports
@@ -171,6 +180,15 @@ type STUNConn interface {
 	ReadFrom([]byte) (int, net.Addr, error)
 }
 
+func (c *Client) enoughRegions() int {
+	if c.Verbose {
+		// Abuse verbose a bit here so netcheck can show all region latencies
+		// in verbose mode.
+		return 100
+	}
+	return 3
+}
+
 func (c *Client) logf(format string, a ...interface{}) {
 	if c.Logf != nil {
 		c.Logf(format, a...)
@@ -227,7 +245,6 @@ func (c *Client) ReceiveSTUNPacket(pkt []byte, src netaddr.IPPort) {
 
 	tx, addr, port, err := stun.ParseResponse(pkt)
 	if err != nil {
-		c.mu.Unlock()
 		if _, err := stun.ParseBindingRequest(pkt); err == nil {
 			// This was probably our own netcheck hairpin
 			// check probe coming in late. Ignore.
@@ -615,12 +632,13 @@ func (rs *reportState) addNodeLatency(node *tailcfg.DERPNode, ipp netaddr.IPPort
 	ret.UDP = true
 	updateLatency(ret.RegionLatency, node.RegionID, d)
 
-	// Once we've heard from 3 regions, start a timer to give up
-	// on the other ones.  The timer's duration is a function of
-	// whether this is our initial full probe or an incremental
-	// one. For incremental ones, wait for the duration of the
-	// slowest region. For initial ones, double that.
-	if len(ret.RegionLatency) == 3 {
+	// Once we've heard from enough regions (3), start a timer to
+	// give up on the other ones. The timer's duration is a
+	// function of whether this is our initial full probe or an
+	// incremental one. For incremental ones, wait for the
+	// duration of the slowest region. For initial ones, double
+	// that.
+	if len(ret.RegionLatency) == rs.c.enoughRegions() {
 		timeout := maxDurationValue(ret.RegionLatency)
 		if !rs.incremental {
 			timeout *= 2
@@ -763,6 +781,13 @@ func newReport() *Report {
 	}
 }
 
+func (c *Client) udpBindAddr() string {
+	if v := c.UDPBindAddr; v != "" {
+		return v
+	}
+	return ":0"
+}
+
 // GetReport gets a report.
 //
 // It may not be called concurrently with itself.
@@ -822,8 +847,10 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 	}
 	defer rs.pc4Hair.Close()
 
-	rs.waitPortMap.Add(1)
-	go rs.probePortMapServices()
+	if !c.SkipExternalNetwork {
+		rs.waitPortMap.Add(1)
+		go rs.probePortMapServices()
+	}
 
 	// At least the Apple Airport Extreme doesn't allow hairpin
 	// sends from a private socket until it's seen traffic from
@@ -841,7 +868,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 	if f := c.GetSTUNConn4; f != nil {
 		rs.pc4 = f()
 	} else {
-		u4, err := netns.Listener().ListenPacket(ctx, "udp4", ":0")
+		u4, err := netns.Listener().ListenPacket(ctx, "udp4", c.udpBindAddr())
 		if err != nil {
 			c.logf("udp4: %v", err)
 			return nil, err
@@ -854,7 +881,7 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 		if f := c.GetSTUNConn6; f != nil {
 			rs.pc6 = f()
 		} else {
-			u6, err := netns.Listener().ListenPacket(ctx, "udp6", ":0")
+			u6, err := netns.Listener().ListenPacket(ctx, "udp6", c.udpBindAddr())
 			if err != nil {
 				c.logf("udp6: %v", err)
 			} else {
@@ -893,8 +920,10 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (*Report, e
 
 	rs.waitHairCheck(ctx)
 	c.vlogf("hairCheck done")
-	rs.waitPortMap.Wait()
-	c.vlogf("portMap done")
+	if !c.SkipExternalNetwork {
+		rs.waitPortMap.Wait()
+		c.vlogf("portMap done")
+	}
 	rs.stopTimers()
 
 	// Try HTTPS latency check if all STUN probes failed due to UDP presumably being blocked.

net/netcheck/netcheck_test.go

@@ -50,7 +50,8 @@ func TestBasic(t *testing.T) {
 	defer cleanup()
 
 	c := &Client{
-		Logf: t.Logf,
+		Logf:        t.Logf,
+		UDPBindAddr: "127.0.0.1:0",
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)

net/netns/netns_default.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// +build !linux
+// +build !linux,!windows
 
 package netns
 

net/netns/netns_linux.go

@@ -5,19 +5,15 @@
 package netns
 
 import (
-	"bufio"
-	"bytes"
-	"errors"
 	"flag"
 	"fmt"
-	"io"
 	"os"
 	"os/exec"
-	"strings"
 	"sync"
 	"syscall"
 
 	"golang.org/x/sys/unix"
+	"tailscale.com/net/interfaces"
 )
 
 // tailscaleBypassMark is the mark indicating that packets originating
@@ -43,47 +39,6 @@ func ipRuleAvailable() bool {
 	return ipRuleOnce.v
 }
 
-var zeroRouteBytes = []byte("00000000")
-
-// defaultRouteInterface returns the name of the network interface that owns
-// the default route, not including any tailscale interfaces. We only use
-// this in SO_BINDTODEVICE mode.
-func defaultRouteInterface() (string, error) {
-	f, err := os.Open("/proc/net/route")
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	br := bufio.NewReaderSize(f, 128)
-	for {
-		line, err := br.ReadSlice('\n')
-		if err == io.EOF {
-			break
-		}
-		if err != nil {
-			return "", err
-		}
-		if !bytes.Contains(line, zeroRouteBytes) {
-			continue
-		}
-		fields := strings.Fields(string(line))
-		ifc := fields[0]
-		ip := fields[1]
-		netmask := fields[7]
-
-		if strings.HasPrefix(ifc, "tailscale") ||
-			strings.HasPrefix(ifc, "wg") {
-			continue
-		}
-		if ip == "00000000" && netmask == "00000000" {
-			// default route
-			return ifc, nil // interface name
-		}
-	}
-
-	return "", errors.New("no default routes found")
-}
-
 // ignoreErrors returns true if we should ignore setsocketopt errors in
 // this instance.
 func ignoreErrors() bool {
@@ -133,7 +88,7 @@ func setBypassMark(fd uintptr) error {
 }
 
 func bindToDevice(fd uintptr) error {
-	ifc, err := defaultRouteInterface()
+	ifc, err := interfaces.DefaultRouteInterface()
 	if err != nil {
 		// Make sure we bind to *some* interface,
 		// or we could get a routing loop.

net/netns/netns_linux_test.go

@@ -49,12 +49,3 @@ func TestBypassMarkInSync(t *testing.T) {
 	}
 	t.Errorf("tailscaleBypassMark not found in router_linux.go")
 }
-
-func BenchmarkDefaultRouteInterface(b *testing.B) {
-	b.ReportAllocs()
-	for i := 0; i < b.N; i++ {
-		if _, err := defaultRouteInterface(); err != nil {
-			b.Fatal(err)
-		}
-	}
-}

net/netns/netns_windows.go

@@ -0,0 +1,121 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package netns
+
+import (
+	"math/bits"
+	"strings"
+	"syscall"
+
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"tailscale.com/net/interfaces"
+	"tailscale.com/util/endian"
+)
+
+func interfaceIndex(iface *winipcfg.IPAdapterAddresses) uint32 {
+	if iface == nil {
+		// The zero ifidx means "unspecified". If we end up passing zero
+		// to bindSocket*(), it unsets the binding and lets the socket
+		// behave as normal again, which is what we want if there's no
+		// default route we can use.
+		return 0
+	}
+	return iface.IfIndex
+}
+
+// control binds c to the Windows interface that holds a default
+// route, and is not the Tailscale WinTun interface.
+func control(network, address string, c syscall.RawConn) error {
+	if strings.HasPrefix(address, "127.") {
+		// Don't bind to an interface for localhost connections,
+		// otherwise we get:
+		//   connectex: The requested address is not valid in its context
+		// (The derphttp tests were failing)
+		return nil
+	}
+	canV4, canV6 := false, false
+	switch network {
+	case "tcp", "udp":
+		canV4, canV6 = true, true
+	case "tcp4", "udp4":
+		canV4 = true
+	case "tcp6", "udp6":
+		canV6 = true
+	}
+
+	if canV4 {
+		iface, err := interfaces.GetWindowsDefault(windows.AF_INET)
+		if err != nil {
+			return err
+		}
+		if err := bindSocket4(c, interfaceIndex(iface)); err != nil {
+			return err
+		}
+	}
+
+	if canV6 {
+		iface, err := interfaces.GetWindowsDefault(windows.AF_INET6)
+		if err != nil {
+			return err
+		}
+		if err := bindSocket6(c, interfaceIndex(iface)); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// sockoptBoundInterface is the value of IP_UNICAST_IF and IPV6_UNICAST_IF.
+//
+// See https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ip-socket-options
+// and https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ipv6-socket-options
+const sockoptBoundInterface = 31
+
+// bindSocket4 binds the given RawConn to the network interface with
+// index ifidx, for IPv4 traffic only.
+func bindSocket4(c syscall.RawConn, ifidx uint32) error {
+	// For IPv4 (but NOT IPv6) the interface index must be passed
+	// as a big-endian integer (regardless of platform endianness)
+	// because the underlying sockopt takes either an IPv4 address
+	// or an index shoved into IPv4 address representation (an IP
+	// in 0.0.0.0/8 means it's actually an index).
+	//
+	// See https://docs.microsoft.com/en-us/windows/win32/winsock/ipproto-ip-socket-options
+	// and IP_UNICAST_IF.
+	indexAsAddr := nativeToBigEndian(ifidx)
+	var controlErr error
+	err := c.Control(func(fd uintptr) {
+		controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IP, sockoptBoundInterface, int(indexAsAddr))
+	})
+	if err != nil {
+		return err
+	}
+	return controlErr
+}
+
+// bindSocket6 binds the given RawConn to the network interface with
+// index ifidx, for IPv6 traffic only.
+func bindSocket6(c syscall.RawConn, ifidx uint32) error {
+	var controlErr error
+	err := c.Control(func(fd uintptr) {
+		controlErr = windows.SetsockoptInt(windows.Handle(fd), windows.IPPROTO_IPV6, sockoptBoundInterface, int(ifidx))
+	})
+	if err != nil {
+		return err
+	}
+	return controlErr
+}
+
+// nativeToBigEndian returns i converted into big-endian
+// representation, suitable for passing to Windows APIs that require a
+// mangled uint32.
+func nativeToBigEndian(i uint32) uint32 {
+	if endian.Big {
+		return i
+	}
+	return bits.ReverseBytes32(i)
+}

net/netstat/netstat.go

@@ -0,0 +1,36 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package netstat returns the local machine's network connection table.
+package netstat
+
+import (
+	"errors"
+	"runtime"
+
+	"inet.af/netaddr"
+)
+
+var ErrNotImplemented = errors.New("not implemented for GOOS=" + runtime.GOOS)
+
+type Entry struct {
+	Local, Remote netaddr.IPPort
+	Pid           int
+	State         string // TODO: type?
+}
+
+// Table contains local machine's TCP connection entries.
+//
+// Currently only TCP (IPv4 and IPv6) are included.
+type Table struct {
+	Entries []Entry
+}
+
+// Get returns the connection table.
+//
+// It returns ErrNotImplemented if the table is not available for the
+// current operating system.
+func Get() (*Table, error) {
+	return get()
+}

net/netstat/netstat_noimpl.go

@@ -0,0 +1,11 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !windows
+
+package netstat
+
+func get() (*Table, error) {
+	return nil, ErrNotImplemented
+}

net/netstat/netstat_test.go

@@ -0,0 +1,22 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package netstat
+
+import (
+	"testing"
+)
+
+func TestGet(t *testing.T) {
+	nt, err := Get()
+	if err == ErrNotImplemented {
+		t.Skip("TODO: not implemented")
+	}
+	if err != nil {
+		t.Fatal(err)
+	}
+	for _, e := range nt.Entries {
+		t.Logf("Entry: %+v", e)
+	}
+}

net/netstat/netstat_windows.go

@@ -0,0 +1,183 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package netstat returns the local machine's network connection table.
+package netstat
+
+import (
+	"errors"
+	"fmt"
+	"math/bits"
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows"
+	"inet.af/netaddr"
+	"tailscale.com/util/endian"
+)
+
+// See https://docs.microsoft.com/en-us/windows/win32/api/iphlpapi/nf-iphlpapi-getextendedtcptable
+
+// TCP_TABLE_OWNER_PID_ALL means to include the PID info. The table type
+// we get back from Windows depends on AF_INET vs AF_INET6:
+// MIB_TCPTABLE_OWNER_PID for v4 or MIB_TCP6TABLE_OWNER_PID for v6.
+const tcpTableOwnerPidAll = 5
+
+var (
+	iphlpapi    = syscall.NewLazyDLL("iphlpapi.dll")
+	getTCPTable = iphlpapi.NewProc("GetExtendedTcpTable")
+	// TODO: GetExtendedUdpTable also? if/when needed.
+)
+
+type _MIB_TCPROW_OWNER_PID struct {
+	state      uint32
+	localAddr  uint32
+	localPort  uint32
+	remoteAddr uint32
+	remotePort uint32
+	pid        uint32
+}
+
+type _MIB_TCP6ROW_OWNER_PID struct {
+	localAddr   [16]byte
+	localScope  uint32
+	localPort   uint32
+	remoteAddr  [16]byte
+	remoteScope uint32
+	remotePort  uint32
+	state       uint32
+	pid         uint32
+}
+
+func get() (*Table, error) {
+	t := new(Table)
+	if err := t.addEntries(windows.AF_INET); err != nil {
+		return nil, fmt.Errorf("failed to get IPv4 entries: %w", err)
+	}
+	if err := t.addEntries(windows.AF_INET6); err != nil {
+		return nil, fmt.Errorf("failed to get IPv6 entries: %w", err)
+	}
+	return t, nil
+}
+
+func (t *Table) addEntries(fam int) error {
+	var size uint32
+	var addr unsafe.Pointer
+	var buf []byte
+	for {
+		err, _, _ := getTCPTable.Call(
+			uintptr(addr),
+			uintptr(unsafe.Pointer(&size)),
+			1, // sorted
+			uintptr(fam),
+			tcpTableOwnerPidAll,
+			0, // reserved; "must be zero"
+		)
+		if err == 0 {
+			break
+		}
+		if err == uintptr(syscall.ERROR_INSUFFICIENT_BUFFER) {
+			const maxSize = 10 << 20
+			if size > maxSize || size < 4 {
+				return fmt.Errorf("unreasonable kernel-reported size %d", size)
+			}
+			buf = make([]byte, size)
+			addr = unsafe.Pointer(&buf[0])
+			continue
+		}
+		return syscall.Errno(err)
+	}
+	if len(buf) < int(size) {
+		return errors.New("unexpected size growth from system call")
+	}
+	buf = buf[:size]
+
+	numEntries := *(*uint32)(unsafe.Pointer(&buf[0]))
+	buf = buf[4:]
+
+	var recSize int
+	switch fam {
+	case windows.AF_INET:
+		recSize = 6 * 4
+	case windows.AF_INET6:
+		recSize = 6*4 + 16*2
+	}
+	dataLen := numEntries * uint32(recSize)
+	if uint32(len(buf)) > dataLen {
+		buf = buf[:dataLen]
+	}
+	for len(buf) >= recSize {
+		switch fam {
+		case windows.AF_INET:
+			row := (*_MIB_TCPROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
+			t.Entries = append(t.Entries, Entry{
+				Local:  ipport4(row.localAddr, port(&row.localPort)),
+				Remote: ipport4(row.remoteAddr, port(&row.remotePort)),
+				Pid:    int(row.pid),
+				State:  state(row.state),
+			})
+		case windows.AF_INET6:
+			row := (*_MIB_TCP6ROW_OWNER_PID)(unsafe.Pointer(&buf[0]))
+			t.Entries = append(t.Entries, Entry{
+				Local:  ipport6(row.localAddr, row.localScope, port(&row.localPort)),
+				Remote: ipport6(row.remoteAddr, row.remoteScope, port(&row.remotePort)),
+				Pid:    int(row.pid),
+				State:  state(row.state),
+			})
+		}
+		buf = buf[recSize:]
+	}
+	return nil
+}
+
+var states = []string{
+	"",
+	"CLOSED",
+	"LISTEN",
+	"SYN-SENT",
+	"SYN-RECEIVED",
+	"ESTABLISHED",
+	"FIN-WAIT-1",
+	"FIN-WAIT-2",
+	"CLOSE-WAIT",
+	"CLOSING",
+	"LAST-ACK",
+	"DELETE-TCB",
+}
+
+func state(v uint32) string {
+	if v < uint32(len(states)) {
+		return states[v]
+	}
+	return fmt.Sprintf("unknown-state-%d", v)
+}
+
+func ipport4(addr uint32, port uint16) netaddr.IPPort {
+	if !endian.Big {
+		addr = bits.ReverseBytes32(addr)
+	}
+	return netaddr.IPPort{
+		IP:   netaddr.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)),
+		Port: port,
+	}
+}
+
+func ipport6(addr [16]byte, scope uint32, port uint16) netaddr.IPPort {
+	ip := netaddr.IPFrom16(addr)
+	if scope != 0 {
+		// TODO: something better here?
+		ip = ip.WithZone(fmt.Sprint(scope))
+	}
+	return netaddr.IPPort{
+		IP:   ip,
+		Port: port,
+	}
+}
+
+func port(v *uint32) uint16 {
+	if !endian.Big {
+		return uint16(bits.ReverseBytes32(*v) >> 16)
+	}
+	return uint16(*v >> 16)
+}

net/stun/stun.go

@@ -137,15 +137,15 @@ func foreachAttr(b []byte, fn func(attrType uint16, a []byte) error) error {
 		}
 		attrType := binary.BigEndian.Uint16(b[:2])
 		attrLen := int(binary.BigEndian.Uint16(b[2:4]))
-		attrLenPad := attrLen % 4
+		attrLenWithPad := (attrLen + 3) &^ 3
 		b = b[4:]
-		if attrLen+attrLenPad > len(b) {
+		if attrLenWithPad > len(b) {
 			return ErrMalformedAttrs
 		}
 		if err := fn(attrType, b[:attrLen]); err != nil {
 			return err
 		}
-		b = b[attrLen+attrLenPad:]
+		b = b[attrLenWithPad:]
 	}
 	return nil
 }

net/stun/stun_test.go

@@ -140,6 +140,41 @@ var responseTests = []struct {
 		wantAddr: net.ParseIP("2602:d1:b4cf:c100:38b2:31ff:feef:96f6"),
 		wantPort: 37070,
 	},
+
+	// Testing STUN attribute padding rules using STUN software attribute
+	// with values of 1 & 3 length respectively before the XorMappedAddress attribute
+	{
+		name: "software-a",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x14, 0x21, 0x12, 0xa4, 0x42,
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e, 0x80, 0x22, 0x00, 0x01,
+			0x61, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xce, 0x66, 0x5e, 0x12, 0xa4, 0x43,
+		},
+		wantTID: []byte{
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e,
+		},
+		wantAddr: []byte{127, 0, 0, 1},
+		wantPort: 61300,
+	},
+	{
+		name: "software-abc",
+		data: []byte{
+			0x01, 0x01, 0x00, 0x14, 0x21, 0x12, 0xa4, 0x42,
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e, 0x80, 0x22, 0x00, 0x03,
+			0x61, 0x62, 0x63, 0x00, 0x00, 0x20, 0x00, 0x08,
+			0x00, 0x01, 0xce, 0x66, 0x5e, 0x12, 0xa4, 0x43,
+		},
+		wantTID: []byte{
+			0xeb, 0xc2, 0xd3, 0x6e, 0xf4, 0x71, 0x21, 0x7c,
+			0x4f, 0x3e, 0x30, 0x8e,
+		},
+		wantAddr: []byte{127, 0, 0, 1},
+		wantPort: 61300,
+	},
 }
 
 func TestParseResponse(t *testing.T) {

net/tsaddr/tsaddr.go

@@ -30,7 +30,11 @@ func CGNATRange() netaddr.IPPrefix {
 	return cgnatRange.v
 }
 
-var cgnatRange oncePrefix
+var (
+	cgnatRange   oncePrefix
+	ulaRange     oncePrefix
+	ula4To6Range oncePrefix
+)
 
 // TailscaleServiceIP returns the listen address of services
 // provided by Tailscale itself such as the Magic DNS proxy.
@@ -44,7 +48,40 @@ var serviceIP onceIP
 // IsTailscaleIP reports whether ip is an IP address in a range that
 // Tailscale assigns from.
 func IsTailscaleIP(ip netaddr.IP) bool {
-	return CGNATRange().Contains(ip) && !ChromeOSVMRange().Contains(ip)
+	if ip.Is4() {
+		return CGNATRange().Contains(ip) && !ChromeOSVMRange().Contains(ip)
+	}
+	return TailscaleULARange().Contains(ip)
+}
+
+// TailscaleULARange returns the IPv6 Unique Local Address range that
+// is the superset range that Tailscale assigns out of.
+func TailscaleULARange() netaddr.IPPrefix {
+	ulaRange.Do(func() { mustPrefix(&ulaRange.v, "fd7a:115c:a1e0::/48") })
+	return ulaRange.v
+}
+
+// Tailscale4To6Range returns the subset of TailscaleULARange used for
+// auto-translated Tailscale ipv4 addresses.
+func Tailscale4To6Range() netaddr.IPPrefix {
+	// This IP range has no significance, beyond being a subset of
+	// TailscaleULARange. The bits from /48 to /104 were picked at
+	// random.
+	ula4To6Range.Do(func() { mustPrefix(&ula4To6Range.v, "fd7a:115c:a1e0:ab12:4843:cd96:6200::/104") })
+	return ula4To6Range.v
+}
+
+// Tailscale4To6 returns a Tailscale IPv6 address that maps 1:1 to the
+// given Tailscale IPv4 address. Returns a zero IP if ipv4 isn't a
+// Tailscale IPv4 address.
+func Tailscale4To6(ipv4 netaddr.IP) netaddr.IP {
+	if !ipv4.Is4() || !IsTailscaleIP(ipv4) {
+		return netaddr.IP{}
+	}
+	ret := Tailscale4To6Range().IP.As16()
+	v4 := ipv4.As4()
+	copy(ret[13:], v4[1:])
+	return netaddr.IPFrom16(ret)
 }
 
 func mustPrefix(v *netaddr.IPPrefix, prefix string) {

net/tshttpproxy/tshttpproxy.go

@@ -0,0 +1,91 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package tshttpproxy contains Tailscale additions to httpproxy not available
+// in golang.org/x/net/http/httpproxy. Notably, it aims to support Windows better.
+package tshttpproxy
+
+import (
+	"net/http"
+	"net/url"
+	"os"
+	"sync"
+	"time"
+)
+
+// InvalidateCache invalidates the package-level cache for ProxyFromEnvironment.
+//
+// It's intended to be called on network link/routing table changes.
+func InvalidateCache() {
+	mu.Lock()
+	defer mu.Unlock()
+	noProxyUntil = time.Time{}
+}
+
+var (
+	mu           sync.Mutex
+	noProxyUntil time.Time // if non-zero, time at which ProxyFromEnvironment should check again
+)
+
+func setNoProxyUntil(d time.Duration) {
+	mu.Lock()
+	defer mu.Unlock()
+	noProxyUntil = time.Now().Add(d)
+}
+
+var _ = setNoProxyUntil // quiet staticcheck; Windows uses the above, more might later
+
+// sysProxyFromEnv, if non-nil, specifies a platform-specific ProxyFromEnvironment
+// func to use if http.ProxyFromEnvironment doesn't return a proxy.
+// For example, WPAD PAC files on Windows.
+var sysProxyFromEnv func(*http.Request) (*url.URL, error)
+
+func ProxyFromEnvironment(req *http.Request) (*url.URL, error) {
+	mu.Lock()
+	noProxyTime := noProxyUntil
+	mu.Unlock()
+	if time.Now().Before(noProxyTime) {
+		return nil, nil
+	}
+
+	u, err := http.ProxyFromEnvironment(req)
+	if u != nil && err == nil {
+		return u, nil
+	}
+
+	if sysProxyFromEnv != nil {
+		u, err := sysProxyFromEnv(req)
+		if u != nil && err == nil {
+			return u, nil
+		}
+	}
+
+	return nil, err
+}
+
+var sysAuthHeader func(*url.URL) (string, error)
+
+// GetAuthHeader returns the Authorization header value to send to proxy u.
+func GetAuthHeader(u *url.URL) (string, error) {
+	if fake := os.Getenv("TS_DEBUG_FAKE_PROXY_AUTH"); fake != "" {
+		return fake, nil
+	}
+	if sysAuthHeader != nil {
+		return sysAuthHeader(u)
+	}
+	return "", nil
+}
+
+var condSetTransportGetProxyConnectHeader func(*http.Transport)
+
+// SetTarnsportGetProxyConnectHeader sets the provided Transport's
+// GetProxyConnectHeader field, if the current build of Go supports
+// it.
+//
+// See https://github.com/golang/go/issues/41048.
+func SetTransportGetProxyConnectHeader(tr *http.Transport) {
+	if f := condSetTransportGetProxyConnectHeader; f != nil {
+		f(tr)
+	}
+}

net/tshttpproxy/tshttpproxy_future.go

@@ -0,0 +1,45 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build tailscale_go
+
+// We want to use https://github.com/golang/go/issues/41048 but it's only in the
+// Tailscale Go tree for now. Hence the build tag above.
+
+package tshttpproxy
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+)
+
+const proxyAuthHeader = "Proxy-Authorization"
+
+func init() {
+	condSetTransportGetProxyConnectHeader = func(tr *http.Transport) {
+		tr.GetProxyConnectHeader = func(ctx context.Context, proxyURL *url.URL, target string) (http.Header, error) {
+			v, err := GetAuthHeader(proxyURL)
+			if err != nil {
+				log.Printf("failed to get proxy Auth header for %v; ignoring: %v", proxyURL, err)
+				return nil, nil
+			}
+			if v == "" {
+				return nil, nil
+			}
+			return http.Header{proxyAuthHeader: []string{v}}, nil
+		}
+		tr.OnProxyConnectResponse = func(ctx context.Context, proxyURL *url.URL, connectReq *http.Request, res *http.Response) error {
+			auth := connectReq.Header.Get(proxyAuthHeader)
+			const truncLen = 20
+			if len(auth) > truncLen {
+				auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
+			}
+			log.Printf("tshttpproxy: CONNECT response from %v for target %q (auth %q): %v", proxyURL, connectReq.Host, auth, res.Status)
+			return nil
+		}
+	}
+}

net/tshttpproxy/tshttpproxy_windows.go

@@ -0,0 +1,236 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tshttpproxy
+
+import (
+	"context"
+	"encoding/base64"
+	"fmt"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+	"unsafe"
+
+	"github.com/alexbrainman/sspi/negotiate"
+	"golang.org/x/sys/windows"
+	"tailscale.com/types/logger"
+)
+
+var (
+	winHTTP            = windows.NewLazySystemDLL("winhttp.dll")
+	httpOpenProc       = winHTTP.NewProc("WinHttpOpen")
+	closeHandleProc    = winHTTP.NewProc("WinHttpCloseHandle")
+	getProxyForUrlProc = winHTTP.NewProc("WinHttpGetProxyForUrl")
+)
+
+func init() {
+	sysProxyFromEnv = proxyFromWinHTTPOrCache
+	sysAuthHeader = sysAuthHeaderWindows
+}
+
+var cachedProxy struct {
+	sync.Mutex
+	val *url.URL
+}
+
+// proxyErrorf is a rate-limited logger specifically for errors asking
+// WinHTTP for the proxy information. We don't want to log about
+// errors often, otherwise the log message itself will generate a new
+// HTTP request which ultimately will call back into us to log again,
+// forever. So for errors, we only log a bit.
+var proxyErrorf = logger.RateLimitedFn(log.Printf, 10*time.Minute, 2 /* burst*/, 10 /* maxCache */)
+
+func proxyFromWinHTTPOrCache(req *http.Request) (*url.URL, error) {
+	if req.URL == nil {
+		return nil, nil
+	}
+	urlStr := req.URL.String()
+
+	ctx, cancel := context.WithTimeout(req.Context(), 5*time.Second)
+	defer cancel()
+
+	type result struct {
+		proxy *url.URL
+		err   error
+	}
+	resc := make(chan result, 1)
+	go func() {
+		proxy, err := proxyFromWinHTTP(ctx, urlStr)
+		resc <- result{proxy, err}
+	}()
+
+	select {
+	case res := <-resc:
+		err := res.err
+		if err == nil {
+			cachedProxy.Lock()
+			defer cachedProxy.Unlock()
+			if was, now := fmt.Sprint(cachedProxy.val), fmt.Sprint(res.proxy); was != now {
+				log.Printf("tshttpproxy: winhttp: updating cached proxy setting from %v to %v", was, now)
+			}
+			cachedProxy.val = res.proxy
+			return res.proxy, nil
+		}
+
+		// See https://docs.microsoft.com/en-us/windows/win32/winhttp/error-messages
+		const (
+			ERROR_WINHTTP_AUTODETECTION_FAILED      = 12180
+			ERROR_WINHTTP_UNABLE_TO_DOWNLOAD_SCRIPT = 12167
+		)
+		if err == syscall.Errno(ERROR_WINHTTP_AUTODETECTION_FAILED) {
+			setNoProxyUntil(10 * time.Second)
+			return nil, nil
+		}
+		if err == windows.ERROR_INVALID_PARAMETER {
+			// Seen on Windows 8.1. (https://github.com/tailscale/tailscale/issues/879)
+			// TODO(bradfitz): figure this out.
+			setNoProxyUntil(time.Hour)
+			proxyErrorf("tshttpproxy: winhttp: GetProxyForURL(%q): ERROR_INVALID_PARAMETER [unexpected]", urlStr)
+			return nil, nil
+		}
+		proxyErrorf("tshttpproxy: winhttp: GetProxyForURL(%q): %v/%#v", urlStr, err, err)
+		if err == syscall.Errno(ERROR_WINHTTP_UNABLE_TO_DOWNLOAD_SCRIPT) {
+			setNoProxyUntil(10 * time.Second)
+			return nil, nil
+		}
+		return nil, err
+	case <-ctx.Done():
+		cachedProxy.Lock()
+		defer cachedProxy.Unlock()
+		proxyErrorf("tshttpproxy: winhttp: GetProxyForURL(%q): timeout; using cached proxy %v", urlStr, cachedProxy.val)
+		return cachedProxy.val, nil
+	}
+}
+
+func proxyFromWinHTTP(ctx context.Context, urlStr string) (proxy *url.URL, err error) {
+	whi, err := winHTTPOpen()
+	if err != nil {
+		proxyErrorf("winhttp: Open: %v", err)
+		return nil, err
+	}
+	defer whi.Close()
+
+	t0 := time.Now()
+	v, err := whi.GetProxyForURL(urlStr)
+	td := time.Since(t0).Round(time.Millisecond)
+	if err := ctx.Err(); err != nil {
+		log.Printf("tshttpproxy: winhttp: context canceled, ignoring GetProxyForURL(%q) after %v", urlStr, td)
+		return nil, err
+	}
+	if err != nil {
+		return nil, err
+	}
+	if v == "" {
+		return nil, nil
+	}
+	// Discard all but first proxy value for now.
+	if i := strings.Index(v, ";"); i != -1 {
+		v = v[:i]
+	}
+	if !strings.HasPrefix(v, "https://") {
+		v = "http://" + v
+	}
+	return url.Parse(v)
+}
+
+var userAgent = windows.StringToUTF16Ptr("Tailscale")
+
+const (
+	winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY = 4
+	winHTTP_AUTOPROXY_ALLOW_AUTOCONFIG  = 0x00000100
+	winHTTP_AUTOPROXY_AUTO_DETECT       = 1
+	winHTTP_AUTO_DETECT_TYPE_DHCP       = 0x00000001
+	winHTTP_AUTO_DETECT_TYPE_DNS_A      = 0x00000002
+)
+
+func winHTTPOpen() (winHTTPInternet, error) {
+	if err := httpOpenProc.Find(); err != nil {
+		return 0, err
+	}
+	r, _, err := httpOpenProc.Call(
+		uintptr(unsafe.Pointer(userAgent)),
+		winHTTP_ACCESS_TYPE_AUTOMATIC_PROXY,
+		0, /* WINHTTP_NO_PROXY_NAME */
+		0, /* WINHTTP_NO_PROXY_BYPASS */
+		0)
+	if r == 0 {
+		return 0, err
+	}
+	return winHTTPInternet(r), nil
+}
+
+type winHTTPInternet windows.Handle
+
+func (hi winHTTPInternet) Close() error {
+	if err := closeHandleProc.Find(); err != nil {
+		return err
+	}
+	r, _, err := closeHandleProc.Call(uintptr(hi))
+	if r == 1 {
+		return nil
+	}
+	return err
+}
+
+// WINHTTP_AUTOPROXY_OPTIONS
+// https://docs.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_autoproxy_options
+type autoProxyOptions struct {
+	DwFlags                uint32
+	DwAutoDetectFlags      uint32
+	AutoConfigUrl          *uint16
+	_                      uintptr
+	_                      uint32
+	FAutoLogonIfChallenged bool
+}
+
+// WINHTTP_PROXY_INFO
+// https://docs.microsoft.com/en-us/windows/win32/api/winhttp/ns-winhttp-winhttp_proxy_info
+type winHTTPProxyInfo struct {
+	AccessType  uint16
+	Proxy       *uint16
+	ProxyBypass *uint16
+}
+
+var proxyForURLOpts = &autoProxyOptions{
+	DwFlags:           winHTTP_AUTOPROXY_ALLOW_AUTOCONFIG | winHTTP_AUTOPROXY_AUTO_DETECT,
+	DwAutoDetectFlags: winHTTP_AUTO_DETECT_TYPE_DHCP, // | winHTTP_AUTO_DETECT_TYPE_DNS_A,
+}
+
+func (hi winHTTPInternet) GetProxyForURL(urlStr string) (string, error) {
+	if err := getProxyForUrlProc.Find(); err != nil {
+		return "", err
+	}
+	var out winHTTPProxyInfo
+	r, _, err := getProxyForUrlProc.Call(
+		uintptr(hi),
+		uintptr(unsafe.Pointer(windows.StringToUTF16Ptr(urlStr))),
+		uintptr(unsafe.Pointer(proxyForURLOpts)),
+		uintptr(unsafe.Pointer(&out)))
+	if r == 1 {
+		return windows.UTF16PtrToString(out.Proxy), nil
+	}
+	return "", err
+}
+
+func sysAuthHeaderWindows(u *url.URL) (string, error) {
+	spn := "HTTP/" + u.Hostname()
+	creds, err := negotiate.AcquireCurrentUserCredentials()
+	if err != nil {
+		return "", fmt.Errorf("negotiate.AcquireCurrentUserCredentials: %w", err)
+	}
+	defer creds.Release()
+
+	secCtx, token, err := negotiate.NewClientContext(creds, spn)
+	if err != nil {
+		return "", fmt.Errorf("negotiate.NewClientContext: %w", err)
+	}
+	defer secCtx.Release()
+
+	return "Negotiate " + base64.StdEncoding.EncodeToString(token), nil
+}

portlist/netstat.go

@@ -41,6 +41,10 @@ func parsePort(s string) int {
 	return int(port)
 }
 
+func isLoopbackAddr(s string) bool {
+	return strings.HasPrefix(s, "127.0.0.1:") || strings.HasPrefix(s, "127.0.0.1.")
+}
+
 type nothing struct{}
 
 // Lowest common denominator parser for "netstat -na" format.
@@ -74,7 +78,7 @@ func parsePortsNetstat(output string) List {
 				// not interested in non-listener sockets
 				continue
 			}
-			if strings.HasPrefix(laddr, "127.0.0.1:") || strings.HasPrefix(laddr, "127.0.0.1.") {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}
@@ -85,7 +89,7 @@ func parsePortsNetstat(output string) List {
 			proto = "udp"
 			laddr = cols[len(cols)-2]
 			raddr = cols[len(cols)-1]
-			if strings.HasPrefix(laddr, "127.0.0.1:") || strings.HasPrefix(laddr, "127.0.0.1.") {
+			if isLoopbackAddr(laddr) {
 				// not interested in loopback-bound listeners
 				continue
 			}

portlist/portlist_macos.go

@@ -95,9 +95,12 @@ func addProcesses(pl []Port) ([]Port, error) {
 			if port > 0 {
 				pp := ProtoPort{proto, uint16(port)}
 				p := m[pp]
-				if p != nil {
+				switch {
+				case p != nil:
 					p.Process = cmd
-				} else {
+				case isLoopbackAddr(val):
+					// ignore
+				default:
 					fmt.Fprintf(os.Stderr, "weird: missing %v\n", pp)
 				}
 			}

portlist/portlist_windows.go

@@ -8,6 +8,7 @@ import (
 	"syscall"
 	"time"
 
+	"golang.org/x/sys/windows"
 	exec "tailscale.com/tempfork/osexec"
 )
 
@@ -19,6 +20,9 @@ func listPorts() (List, error) {
 }
 
 func addProcesses(pl []Port) ([]Port, error) {
+	if t := windows.GetCurrentProcessToken(); !t.IsElevated() {
+		return listPortsNetstat("-na")
+	}
 	return listPortsNetstat("-nab")
 }
 

scripts/check_license_headers.sh

@@ -30,7 +30,7 @@ if [ $# != 1 ]; then
 fi
 
 fail=0
-for file in $(find $1 -name '*.go'); do
+for file in $(find $1 -name '*.go' -not -path '*/.git/*'); do
     case $file in
         $1/tempfork/*)
             # Skip, tempfork of third-party code

syncs/locked.go

@@ -0,0 +1,58 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.13,!go1.16
+
+// This file makes assumptions about the inner workings of sync.Mutex and sync.RWMutex.
+// This includes not just their memory layout but their invariants and functionality.
+// To prevent accidents, it is limited to a known good subset of Go versions.
+
+package syncs
+
+import (
+	"sync"
+	"sync/atomic"
+	"unsafe"
+)
+
+const (
+	mutexLocked = 1
+
+	// sync.Mutex field offsets
+	stateOffset = 0
+
+	// sync.RWMutext field offsets
+	mutexOffset       = 0
+	readerCountOffset = 16
+)
+
+// add returns a pointer with value p + off.
+func add(p unsafe.Pointer, off uintptr) unsafe.Pointer {
+	return unsafe.Pointer(uintptr(p) + off)
+}
+
+// AssertLocked panics if m is not locked.
+func AssertLocked(m *sync.Mutex) {
+	p := add(unsafe.Pointer(m), stateOffset)
+	if atomic.LoadInt32((*int32)(p))&mutexLocked == 0 {
+		panic("mutex is not locked")
+	}
+}
+
+// AssertRLocked panics if rw is not locked for reading or writing.
+func AssertRLocked(rw *sync.RWMutex) {
+	p := add(unsafe.Pointer(rw), readerCountOffset)
+	if atomic.LoadInt32((*int32)(p)) != 0 {
+		// There are readers present or writers pending, so someone has a read lock.
+		return
+	}
+	// No readers.
+	AssertWLocked(rw)
+}
+
+// AssertWLocked panics if rw is not locked for writing.
+func AssertWLocked(rw *sync.RWMutex) {
+	m := (*sync.Mutex)(add(unsafe.Pointer(rw), mutexOffset))
+	AssertLocked(m)
+}

syncs/locked_test.go

@@ -0,0 +1,123 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build go1.13,!go1.16
+
+//lint:file-ignore SA2001 the empty critical sections are part of triggering different internal mutex states
+
+package syncs
+
+import (
+	"sync"
+	"testing"
+	"time"
+)
+
+func wantPanic(t *testing.T, fn func()) {
+	t.Helper()
+	defer func() {
+		recover()
+	}()
+	fn()
+	t.Fatal("failed to panic")
+}
+
+func TestAssertLocked(t *testing.T) {
+	m := new(sync.Mutex)
+	wantPanic(t, func() { AssertLocked(m) })
+	m.Lock()
+	AssertLocked(m)
+	m.Unlock()
+	wantPanic(t, func() { AssertLocked(m) })
+	// Test correct handling of mutex with waiter.
+	m.Lock()
+	AssertLocked(m)
+	go func() {
+		m.Lock()
+		m.Unlock()
+	}()
+	// Give the goroutine above a few moments to get started.
+	// The test will pass whether or not we win the race,
+	// but we want to run sometimes, to get the test coverage.
+	time.Sleep(10 * time.Millisecond)
+	AssertLocked(m)
+}
+
+func TestAssertWLocked(t *testing.T) {
+	m := new(sync.RWMutex)
+	wantPanic(t, func() { AssertWLocked(m) })
+	m.Lock()
+	AssertWLocked(m)
+	m.Unlock()
+	wantPanic(t, func() { AssertWLocked(m) })
+	// Test correct handling of mutex with waiter.
+	m.Lock()
+	AssertWLocked(m)
+	go func() {
+		m.Lock()
+		m.Unlock()
+	}()
+	// Give the goroutine above a few moments to get started.
+	// The test will pass whether or not we win the race,
+	// but we want to run sometimes, to get the test coverage.
+	time.Sleep(10 * time.Millisecond)
+	AssertWLocked(m)
+}
+
+func TestAssertRLocked(t *testing.T) {
+	m := new(sync.RWMutex)
+	wantPanic(t, func() { AssertRLocked(m) })
+
+	m.Lock()
+	AssertRLocked(m)
+	m.Unlock()
+
+	m.RLock()
+	AssertRLocked(m)
+	m.RUnlock()
+
+	wantPanic(t, func() { AssertRLocked(m) })
+
+	// Test correct handling of mutex with waiter.
+	m.RLock()
+	AssertRLocked(m)
+	go func() {
+		m.RLock()
+		m.RUnlock()
+	}()
+	// Give the goroutine above a few moments to get started.
+	// The test will pass whether or not we win the race,
+	// but we want to run sometimes, to get the test coverage.
+	time.Sleep(10 * time.Millisecond)
+	AssertRLocked(m)
+	m.RUnlock()
+
+	// Test correct handling of rlock with write waiter.
+	m.RLock()
+	AssertRLocked(m)
+	go func() {
+		m.Lock()
+		m.Unlock()
+	}()
+	// Give the goroutine above a few moments to get started.
+	// The test will pass whether or not we win the race,
+	// but we want to run sometimes, to get the test coverage.
+	time.Sleep(10 * time.Millisecond)
+	AssertRLocked(m)
+	m.RUnlock()
+
+	// Test correct handling of rlock with other rlocks.
+	// This is a bit racy, but losing the race hurts nothing,
+	// and winning the race means correct test coverage.
+	m.RLock()
+	AssertRLocked(m)
+	go func() {
+		m.RLock()
+		time.Sleep(10 * time.Millisecond)
+		m.RUnlock()
+	}()
+	time.Sleep(5 * time.Millisecond)
+	AssertRLocked(m)
+	m.RUnlock()
+}

syncs/syncs.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package syncs contains addition sync types.
+// Package syncs contains additional sync types and functionality.
 package syncs
 
 import "sync/atomic"

syncs/watchdog.go

@@ -0,0 +1,95 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package syncs
+
+import (
+	"context"
+	"sync"
+	"time"
+)
+
+// Watch monitors mu for contention.
+// On first call, and at every tick, Watch locks and unlocks mu.
+// (Tick should be large to avoid adding contention to mu.)
+// Max is the maximum length of time Watch will wait to acquire the lock.
+// The time required to lock mu is sent on the returned channel.
+// Watch exits when ctx is done, and closes the returned channel.
+func Watch(ctx context.Context, mu sync.Locker, tick, max time.Duration) chan time.Duration {
+	// Set up the return channel.
+	c := make(chan time.Duration)
+	var (
+		closemu sync.Mutex
+		closed  bool
+	)
+	sendc := func(d time.Duration) {
+		closemu.Lock()
+		defer closemu.Unlock()
+		if closed {
+			// Drop values written after c is closed.
+			return
+		}
+		c <- d
+	}
+	closec := func() {
+		closemu.Lock()
+		defer closemu.Unlock()
+		close(c)
+		closed = true
+	}
+
+	// check locks the mutex and writes how long it took to c.
+	// check returns ~immediately.
+	check := func() {
+		// Start a race between two goroutines.
+		// One locks the mutex; the other times out.
+		// Ensure that only one of the two gets to write its result.
+		// Since the common case is that locking the mutex is fast,
+		// let the timeout goroutine exit early when that happens.
+		var sendonce sync.Once
+		done := make(chan bool)
+		go func() {
+			start := time.Now()
+			mu.Lock()
+			mu.Unlock() //lint:ignore SA2001 ignore the empty critical section
+			elapsed := time.Since(start)
+			if elapsed > max {
+				elapsed = max
+			}
+			close(done)
+			sendonce.Do(func() { sendc(elapsed) })
+		}()
+		go func() {
+			select {
+			case <-time.After(max):
+				// the other goroutine may not have sent a value
+				sendonce.Do(func() { sendc(max) })
+			case <-done:
+				// the other goroutine sent a value
+			}
+		}()
+	}
+
+	// Check once at startup.
+	// This is mainly to make testing easier.
+	check()
+
+	// Start the watchdog goroutine.
+	// It checks the mutex every tick, until ctx is done.
+	go func() {
+		ticker := time.NewTicker(tick)
+		for {
+			select {
+			case <-ctx.Done():
+				closec()
+				ticker.Stop()
+				return
+			case <-ticker.C:
+				check()
+			}
+		}
+	}()
+
+	return c
+}

syncs/watchdog_test.go

@@ -0,0 +1,71 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package syncs
+
+import (
+	"context"
+	"sync"
+	"testing"
+	"time"
+)
+
+// Time-based tests are fundamentally flaky.
+// We use exaggerated durations in the hopes of minimizing such issues.
+
+func TestWatchUncontended(t *testing.T) {
+	mu := new(sync.Mutex)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	// Once an hour, and now, check whether we can lock mu in under an hour.
+	tick := time.Hour
+	max := time.Hour
+	c := Watch(ctx, mu, tick, max)
+	d := <-c
+	if d == max {
+		t.Errorf("uncontended mutex did not lock in under %v", max)
+	}
+}
+
+func TestWatchContended(t *testing.T) {
+	mu := new(sync.Mutex)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	// Every hour, and now, check whether we can lock mu in under a millisecond,
+	// which is enough time for an uncontended mutex by several orders of magnitude.
+	tick := time.Hour
+	max := time.Millisecond
+	mu.Lock()
+	defer mu.Unlock()
+	c := Watch(ctx, mu, tick, max)
+	d := <-c
+	if d != max {
+		t.Errorf("contended mutex locked in under %v", max)
+	}
+}
+
+func TestWatchMultipleValues(t *testing.T) {
+	mu := new(sync.Mutex)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel() // not necessary, but keep vet happy
+	// Check the mutex every millisecond.
+	// The goal is to see that we get a sufficient number of values out of the channel.
+	tick := time.Millisecond
+	max := time.Millisecond
+	c := Watch(ctx, mu, tick, max)
+	start := time.Now()
+	n := 0
+	for d := range c {
+		n++
+		if d == max {
+			t.Errorf("uncontended mutex did not lock in under %v", max)
+		}
+		if n == 10 {
+			cancel()
+		}
+	}
+	if elapsed := time.Since(start); elapsed > 100*time.Millisecond {
+		t.Errorf("expected 1 event per millisecond, got only %v events in %v", n, elapsed)
+	}
+}

tailcfg/derpmap.go

@@ -51,6 +51,10 @@ type DERPRegion struct {
 	// "fra", etc.
 	RegionCode string
 
+	// RegionName is a long English name for the region: "New York City",
+	// "San Francisco", "Singapore", "Frankfurt", etc.
+	RegionName string
+
 	// Nodes are the DERP nodes running in this region, in
 	// priority order for the current client. Client TLS
 	// connections should ideally only go to the first entry

tailcfg/tailcfg.go

@@ -4,7 +4,7 @@
 
 package tailcfg
 
-//go:generate go run tailscale.com/cmd/cloner -type=User,Node,Hostinfo,NetInfo -output=tailcfg_clone.go
+//go:generate go run tailscale.com/cmd/cloner --type=User,Node,Hostinfo,NetInfo,Group,Role,Capability,Login,DNSConfig,RegisterResponse --clonefunc=true --output=tailcfg_clone.go
 
 import (
 	"bytes"
@@ -27,14 +27,34 @@ type ID int64
 
 type UserID ID
 
+func (u UserID) IsZero() bool {
+	return u == 0
+}
+
 type LoginID ID
 
+func (u LoginID) IsZero() bool {
+	return u == 0
+}
+
 type NodeID ID
 
+func (u NodeID) IsZero() bool {
+	return u == 0
+}
+
 type GroupID ID
 
+func (u GroupID) IsZero() bool {
+	return u == 0
+}
+
 type RoleID ID
 
+func (u RoleID) IsZero() bool {
+	return u == 0
+}
+
 type CapabilityID ID
 
 // MachineKey is the curve25519 public key for a machine.
@@ -114,7 +134,7 @@ type UserProfile struct {
 	LoginName     string // "alice@smith.com"; for display purposes only (provider is not listed)
 	DisplayName   string // "Alice Smith"
 	ProfilePicURL string
-	Roles         []RoleID
+	Roles         []RoleID // deprecated; clients should not rely on Roles
 }
 
 type Node struct {
@@ -239,7 +259,7 @@ type Service struct {
 	_           structs.Incomparable
 	Proto       ServiceProto // TCP or UDP
 	Port        uint16       // port number service is listening on
-	Description string       // text description of service
+	Description string       `json:",omitempty"` // text description of service
 	// TODO(apenwarr): allow advertising services on subnet IPs?
 	// TODO(apenwarr): add "tags" here for each service?
 
@@ -255,13 +275,13 @@ type Hostinfo struct {
 	// TODO(crawshaw): mark all these fields ",omitempty" when all the
 	// iOS apps are updated with the latest swift version of this struct.
 	IPNVersion    string       // version of this code
-	FrontendLogID string       // logtail ID of frontend instance
-	BackendLogID  string       // logtail ID of backend instance
+	FrontendLogID string       `json:",omitempty"` // logtail ID of frontend instance
+	BackendLogID  string       `json:",omitempty"` // logtail ID of backend instance
 	OS            string       // operating system the client runs on (a version.OS value)
-	OSVersion     string       // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
-	DeviceModel   string       // mobile phone model ("Pixel 3a", "iPhone 11 Pro")
+	OSVersion     string       `json:",omitempty"` // operating system version, with optional distro prefix ("Debian 10.4", "Windows 10 Pro 10.0.19041")
+	DeviceModel   string       `json:",omitempty"` // mobile phone model ("Pixel 3a", "iPhone 11 Pro")
 	Hostname      string       // name of the host the client runs on
-	GoArch        string       // the host's GOARCH value (of the running binary)
+	GoArch        string       `json:",omitempty"` // the host's GOARCH value (of the running binary)
 	RoutableIPs   []wgcfg.CIDR `json:",omitempty"` // set of IP ranges this client can route
 	RequestTags   []string     `json:",omitempty"` // set of ACL tags this node wants to claim
 	Services      []Service    `json:",omitempty"` // services advertised by this machine
@@ -308,7 +328,7 @@ type NetInfo struct {
 	PreferredDERP int
 
 	// LinkType is the current link type, if known.
-	LinkType string // "wired", "wifi", "mobile" (LTE, 4G, 3G, etc)
+	LinkType string `json:",omitempty"` // "wired", "wifi", "mobile" (LTE, 4G, 3G, etc)
 
 	// DERPLatency is the fastest recent time to reach various
 	// DERP STUN servers, in seconds. The map key is the
@@ -441,22 +461,51 @@ type RegisterResponse struct {
 // using the local machine key, and sent to:
 //	https://login.tailscale.com/machine/<mkey hex>/map
 type MapRequest struct {
-	Version     int    // current version is 4
+	// Version is incremented whenever the client code changes enough that
+	// we want to signal to the control server that we're capable of something
+	// different.
+	//
+	// History of versions:
+	//     3: implicit compression, keep-alives
+	//     4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
+	//     5: 2020-10-19, implies IncludeIPv6, DeltaPeers/DeltaUserProfiles, supports MagicDNS
+	Version     int
 	Compress    string // "zstd" or "" (no compression)
 	KeepAlive   bool   // whether server should send keep-alives back to us
 	NodeKey     NodeKey
 	DiscoKey    DiscoKey
 	Endpoints   []string // caller's endpoints (IPv4 or IPv6)
-	IncludeIPv6 bool     // include IPv6 endpoints in returned Node Endpoints
-	DeltaPeers  bool     // whether the 2nd+ network map in response should be deltas, using PeersChanged, PeersRemoved
+	IncludeIPv6 bool     `json:",omitempty"` // include IPv6 endpoints in returned Node Endpoints (for Version 4 clients)
 	Stream      bool     // if true, multiple MapResponse objects are returned
 	Hostinfo    *Hostinfo
 
-	// DebugForceDisco is a temporary flag during the deployment
-	// of magicsock active discovery. It says that that the client
-	// has environment variables explicitly turning discovery on,
-	// so control should not disable it.
-	DebugForceDisco bool `json:"debugForceDisco,omitempty"`
+	// ReadOnly is whether the client just wants to fetch the
+	// MapResponse, without updating their Endpoints. The
+	// Endpoints field will be ignored and LastSeen will not be
+	// updated and peers will not be notified of changes.
+	//
+	// The intended use is for clients to discover the DERP map at
+	// start-up before their first real endpoint update.
+	ReadOnly bool `json:",omitempty"`
+
+	// OmitPeers is whether the client is okay with the Peers list
+	// being omitted in the response. (For example, a client on
+	// start up using ReadOnly to get the DERP map.)
+	OmitPeers bool `json:",omitempty"`
+
+	// DebugFlags is a list of strings specifying debugging and
+	// development features to enable in handling this map
+	// request. The values are deliberately unspecified, as they get
+	// added and removed all the time during development, and offer no
+	// compatibility promise. To roll out semantic changes, bump
+	// Version instead.
+	//
+	// Current DebugFlags values are:
+	//     * "warn-ip-forwarding-off": client is trying to be a subnet
+	//       router but their IP forwarding is broken.
+	//     * "v6-overlay": IPv6 development flag to have control send
+	//       v6 node addrs
+	DebugFlags []string `json:",omitempty"`
 }
 
 // PortRange represents a range of UDP or TCP port numbers.
@@ -470,23 +519,42 @@ var PortRangeAny = PortRange{0, 65535}
 // NetPortRange represents a single subnet:portrange.
 type NetPortRange struct {
 	_     structs.Incomparable
-	IP    string
-	Bits  *int // backward compatibility: if missing, means "all" bits
+	IP    string // "*" means all
+	Bits  *int   // backward compatibility: if missing, means "all" bits
 	Ports PortRange
 }
 
 // FilterRule represents one rule in a packet filter.
+//
+// A rule is logically a set of source CIDRs to match (described by
+// SrcIPs and SrcBits), and a set of destination targets that are then
+// allowed if a source IP is mathces of those CIDRs.
 type FilterRule struct {
-	SrcIPs   []string
-	SrcBits  []int
+	// SrcIPs are the source IPs/networks to match.
+	// The special value "*" means to match all.
+	SrcIPs []string
+
+	// SrcBits values correspond to the SrcIPs above.
+	//
+	// If present at the same index, it changes the SrcIP above to
+	// be a network with /n CIDR bits. If the slice is nil or
+	// insufficiently long, the default value (for an IPv4
+	// address) for a position is 32, as if the SrcIPs above were
+	// a /32 mask. For a "*" SrcIPs value, the corresponding
+	// SrcBits value is ignored.
+	// TODO: for IPv6, clarify default bits length.
+	SrcBits []int
+
+	// DstPorts are the port ranges to allow once a source IP
+	// matches (is in the CIDR described by SrcIPs & SrcBits).
 	DstPorts []NetPortRange
 }
 
 var FilterAllowAll = []FilterRule{
-	FilterRule{
+	{
 		SrcIPs:  []string{"*"},
 		SrcBits: nil,
-		DstPorts: []NetPortRange{NetPortRange{
+		DstPorts: []NetPortRange{{
 			IP:    "*",
 			Bits:  nil,
 			Ports: PortRange{0, 65535},
@@ -496,10 +564,18 @@ var FilterAllowAll = []FilterRule{
 
 // DNSConfig is the DNS configuration.
 type DNSConfig struct {
+	// Nameservers are the IP addresses of the nameservers to use.
 	Nameservers []netaddr.IP `json:",omitempty"`
-	Domains     []string     `json:",omitempty"`
-	PerDomain   bool
-	Proxied     bool
+	// Domains are the search domains to use.
+	Domains []string `json:",omitempty"`
+	// PerDomain indicates whether it is preferred to use Nameservers
+	// only for DNS queries for subdomains of Domains.
+	// Some OSes and OS configurations don't support per-domain DNS configuration,
+	// in which case Nameservers applies to all DNS requests regardless of PerDomain's value.
+	PerDomain bool
+	// Proxied indicates whether DNS requests are proxied through a tsdns.Resolver.
+	// This enables Magic DNS. It is togglable independently of PerDomain.
+	Proxied bool
 }
 
 type MapResponse struct {
@@ -537,8 +613,8 @@ type MapResponse struct {
 	// ACLs
 	Domain       string
 	PacketFilter []FilterRule
-	UserProfiles []UserProfile
-	Roles        []Role
+	UserProfiles []UserProfile // as of 1.1.541: may be new or updated user profiles only
+	Roles        []Role        // deprecated; clients should not rely on Roles
 	// TODO: Groups       []Group
 	// TODO: Capabilities []Capability
 
@@ -563,10 +639,26 @@ type Debug struct {
 	// always do its background STUN queries (see magicsock's
 	// periodicReSTUN), regardless of inactivity.
 	ForceBackgroundSTUN bool `json:",omitempty"`
+
+	// DERPRoute controls whether the DERP reverse path
+	// optimization (see Issue 150) should be enabled or
+	// disabled. The environment variable in magicsock is the
+	// highest priority (if set), then this (if set), then the
+	// binary default value.
+	DERPRoute opt.Bool `json:",omitempty"`
+
+	// TrimWGConfig controls whether Tailscale does lazy, on-demand
+	// wireguard configuration of peers.
+	TrimWGConfig opt.Bool `json:",omitempty"`
+
+	// DisableSubnetsIfPAC controls whether subnet routers should be
+	// disabled if WPAD is present on the network.
+	DisableSubnetsIfPAC opt.Bool `json:",omitempty"`
 }
 
 func (k MachineKey) String() string                   { return fmt.Sprintf("mkey:%x", k[:]) }
 func (k MachineKey) MarshalText() ([]byte, error)     { return keyMarshalText("mkey:", k), nil }
+func (k MachineKey) HexString() string                { return fmt.Sprintf("%x", k[:]) }
 func (k *MachineKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "mkey:", text) }
 
 func keyMarshalText(prefix string, k [32]byte) []byte {
@@ -596,6 +688,9 @@ func (k *NodeKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:
 // IsZero reports whether k is the zero value.
 func (k NodeKey) IsZero() bool { return k == NodeKey{} }
 
+// IsZero reports whether k is the zero value.
+func (k MachineKey) IsZero() bool { return k == MachineKey{} }
+
 func (k DiscoKey) String() string                   { return fmt.Sprintf("discokey:%x", k[:]) }
 func (k DiscoKey) MarshalText() ([]byte, error)     { return keyMarshalText("discokey:", k), nil }
 func (k *DiscoKey) UnmarshalText(text []byte) error { return keyUnmarshalText(k[:], "discokey:", text) }
@@ -628,6 +723,7 @@ func (n *Node) Equal(n2 *Node) bool {
 		eqCIDRs(n.Addresses, n2.Addresses) &&
 		eqCIDRs(n.AllowedIPs, n2.AllowedIPs) &&
 		eqStrings(n.Endpoints, n2.Endpoints) &&
+		n.DERP == n2.DERP &&
 		n.Hostinfo.Equal(&n2.Hostinfo) &&
 		n.Created.Equal(n2.Created) &&
 		eqTimePtr(n.LastSeen, n2.LastSeen) &&