README.md: update how to find tailnet

Signed-off-by: Walter Poupore <walterp@tailscale.com>
2022-09-19 17:10:39 -07:00
195 changed files with 1246 additions and 7697 deletions
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -2,7 +2,7 @@ name: CIFuzz
 on: [pull_request]

 concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

 jobs:
--- a/api.md
+++ b/api.md
@@ -3,11 +3,12 @@
 The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.

 # Authentication
+
 Currently based on {some authentication method}. Visit the [admin panel](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).

 # APIs

-* **[Devices](#device)**
+- **[Devices](#device)**
  - [GET device](#device-get)
  - [DELETE device](#device-delete)
  - Routes
@@ -19,12 +20,12 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST device tags](#device-tags-post)
  - Key
    - [POST device key](#device-key-post)
-* **[Tailnets](#tailnet)**
+- **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
    - [POST tailnet ACL](#tailnet-acl-post)
    - [POST tailnet ACL preview](#tailnet-acl-preview-post)
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post)
+    - [POST tailnet ACL validate](#tailnet-acl-validate-post)
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [Keys](#tailnet-keys)
@@ -41,7 +42,9 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
    - [POST tailnet DNS searchpaths](#tailnet-dns-searchpaths-post)

 ## Device
+
 <!-- TODO: description about what devices are -->
+
 Each Tailscale-connected device has a globally-unique identifier number which we refer as the "deviceID" or sometimes, just "id".
 You can use the deviceID to specify operations on a specific device, like retrieving its subnet routes.

@@ -52,20 +55,23 @@ This is your deviceID.
 <a name=device-get></a>

 #### `GET /api/v2/device/:deviceid` - lists the details for a device
+
 Returns the details for the specified device.
 Supply the device of interest in the path using its ID.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

-
 ##### Parameters
+
 ##### Query Parameters
+
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-* `all`: returns all fields in the response.
-* `default`: return all fields except:
-  * `enabledRoutes`
-  * `advertisedRoutes`
-  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+
+- `all`: returns all fields in the response.
+- `default`: return all fields except:
+  - `enabledRoutes`
+  - `advertisedRoutes`
+  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -73,6 +79,7 @@ For example, for `fields=default,all`, all fields are returned.
 If the `fields` parameter is not provided, then the default option is used.

 ##### Example
+
 ```
 GET /api/v2/device/12345
 curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
@@ -80,6 +87,7 @@ curl 'https://api.tailscale.com/api/v2/device/12345?fields=all' \
 ```

 Response
+
 ```
 {
  "addresses":[
@@ -141,16 +149,18 @@ Response
 <a name=device-delete></a>

 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
+
 Deletes the provided device from its tailnet.
 The device must belong to the user's tailnet.
 Deleting shared/external devices is not supported.
 Supply the device of interest in the path using its ID.

-
 ##### Parameters
+
 No parameters.

 ##### Example
+
 ```
 DELETE /api/v2/device/12345
 curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
@@ -160,6 +170,7 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/device/12345' \
 Response

 If successful, the response should be empty:
+
 ```
 < HTTP/1.1 200 OK
 ...
@@ -168,13 +179,13 @@ If successful, the response should be empty:
 ```

 If the device is not owned by your tailnet:
+
 ```
 < HTTP/1.1 501 Not Implemented
 ...
 {"message":"cannot delete devices outside of your tailnet"}
 ```

-
 <a name=device-routes-get></a>

 #### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device
@@ -193,6 +204,7 @@ curl 'https://api.tailscale.com/api/v2/device/11055/routes' \
 ```

 Response
+
 ```
 {
   "advertisedRoutes" : [
@@ -213,7 +225,9 @@ Sets which subnet routes are enabled to be routed by a device by replacing the e
 ##### Parameters

 ###### POST Body
+
 `routes` - The new list of enabled subnet routes in JSON.
+
 ```
 {
  "routes": ["10.0.1.0/24", "1.2.0.0/16", "2.0.0.0/24"]
@@ -254,7 +268,9 @@ Marks a device as authorized, for Tailnets where device authorization is require
 ##### Parameters

 ###### POST Body
+
 `authorized` - whether the device is authorized; only `true` is currently supported.
+
 ```
 {
  "authorized": true
@@ -335,9 +351,9 @@ The response is 2xx on success. The response body is currently an empty JSON
 object.

 ## Tailnet
-A tailnet is the name of your Tailscale network.
-You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.

+A tailnet is the name of your Tailscale network.
+You can find it in the [Settings](https://login.tailscale.com/admin/settings/) page of the admin console.

 `alice@example.com` belongs to the `example.com` tailnet and would use the following format for API calls:

@@ -346,10 +362,10 @@ GET /api/v2/tailnet/example.com/...
 curl https://api.tailscale.com/api/v2/tailnet/example.com/...
 ```

-
 For solo plans, the tailnet is the email you signed up with.
 So `alice@gmail.com` has the tailnet `alice@gmail.com` since `@gmail.com` is a shared email host.
 Her API calls would have the following format:
+
 ```
 GET /api/v2/tailnet/alice@gmail.com/...
 curl https://api.tailscale.com/api/v2/tailnet/alice@gmail.com/...
@@ -370,15 +386,19 @@ Retrieves the ACL that is currently set for the given tailnet. Supply the tailne
 ##### Parameters

 ###### Headers
+
 `Accept` - Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.

 ##### Returns
+
 Returns the ACL HuJSON by default. Returns a parsed JSON of the ACL (sans comments) if the `Accept` type is explicitly set to `application/json`. An `ETag` header is also sent in the response, which can be optionally used in POST requests to avoid missed updates.
+
 <!-- TODO (chungdaniel): define error types and a set of docs for them -->

 ##### Example

 ###### Requesting a HuJSON response:
+
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -388,6 +408,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
+
 ```
 ...
 Content-Type: application/hujson
@@ -426,6 +447,7 @@ Etag: "e0b2816b418b3f266309d94426ac7668ab3c1fa87798785bf82f1085cc2f6d9c"
 ```

 ###### Requesting a JSON response:
+
 ```
 GET /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -435,6 +457,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response
+
 ```
 ...
 Content-Type: application/json
@@ -477,6 +500,7 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 ##### Parameters

 ###### Headers
+
 `If-Match` - A request header. Set this value to the ETag header provided in an `ACL GET` request to avoid missed updates.

 `Accept` - Sets the return type of the updated ACL. Response is parsed `JSON` if `application/json` is explicitly named, otherwise HuJSON will be returned.
@@ -486,15 +510,16 @@ Returns the updated ACL in JSON or HuJSON according to the `Accept` header on su
 The POST body should be a JSON or [HuJSON](https://github.com/tailscale/hujson#hujson---human-json) formatted JSON object.
 An ACL policy may contain the following top-level properties:

-* `Groups` - Static groups of users which can be used for ACL rules.
-* `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
-* `ACLs` - Access control lists.
-* `TagOwners` - Defines who is allowed to use which tags.
-* `Tests` - Run on ACL updates to check correct functionality of defined ACLs.
+- `Groups` - Static groups of users which can be used for ACL rules.
+- `Hosts` - Hostname aliases to use in place of IP addresses or subnets.
+- `ACLs` - Access control lists.
+- `TagOwners` - Defines who is allowed to use which tags.
+- `Tests` - Run on ACL updates to check correct functionality of defined ACLs.

 See https://tailscale.com/kb/1018/acls for more information on those properties.

 ##### Example
+
 ```
 POST /api/v2/tailnet/example.com/acl
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
@@ -524,6 +549,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl' \
 ```

 Response:
+
 ```
 // Example/default ACLs for unrestricted connections.
 {
@@ -549,6 +575,7 @@ Response:
 ```

 Failed test error response:
+
 ```
 {
    "message": "test(s) failed",
@@ -572,14 +599,17 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ##### Parameters

 ###### Query Parameters
+
 `type` - can be 'user' or 'ipport'
 `previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
 The provided ACL is queried with this parameter to determine which rules match.

 ###### POST Body
+
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)

 ##### Example
+
 ```
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFor=user1@example.com&type=user' \
  -u "tskey-yourapikey123:" \
@@ -607,6 +637,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/preview?previewFo
 ```

 Response:
+
 ```
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```
@@ -631,6 +662,7 @@ The POST body should be a JSON formatted array of ACL Tests.
 See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.

 ##### Example with tests
+
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -642,6 +674,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
 ```

 ##### Example with an ACL body
+
 ```
 POST /api/v2/tailnet/example.com/acl/validate
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
@@ -684,21 +717,23 @@ An empty body or a JSON object with no `message` is returned on success.
 <a name=tailnet-devices-get></a>

 #### <a name="getdevices"></a> `GET /api/v2/tailnet/:tailnet/devices` - list the devices for a tailnet
+
 Lists the devices in a tailnet.
 Supply the tailnet of interest in the path.
 Use the `fields` query parameter to explicitly indicate which fields are returned.

-
 ##### Parameters

 ###### Query Parameters
+
 `fields` - Controls which fields will be included in the returned response.
 Currently, supported options are:
-* `all`: Returns all fields in the response.
-* `default`: return all fields except:
-  * `enabledRoutes`
-  * `advertisedRoutes`
-  * `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)
+
+- `all`: Returns all fields in the response.
+- `default`: return all fields except:
+  - `enabledRoutes`
+  - `advertisedRoutes`
+  - `clientConnectivity` (which contains the following fields: `mappingVariesByDestIP`, `derp`, `endpoints`, `latency`, and `clientSupports`)

 Use commas to separate multiple options.
 If more than one option is indicated, then the union is used.
@@ -714,6 +749,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/devices' \
 ```

 Response
+
 ```
 {
  "devices":[
@@ -776,6 +812,7 @@ for the user who owns the API key used to perform this query.
 Supply the tailnet of interest in the path.

 ##### Parameters
+
 No parameters.

 ##### Returns
@@ -792,6 +829,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys' \
 ```

 Response:
+
 ```
 {"keys": [
 	{"id": "kYKVU14CNTRL"},
@@ -812,7 +850,9 @@ Supply the tailnet in the path.
 ##### Parameters

 ###### POST Body
+
 `capabilities` - A mapping of resources to permissible actions.
+
 ```
 {
  "capabilities": {
@@ -859,6 +899,7 @@ echo '{
 ```

 Response:
+
 ```
 {
 	"id":           "k123456CNTRL",
@@ -877,6 +918,7 @@ Returns a JSON object with information about specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
+
 No parameters.

 ##### Returns
@@ -893,6 +935,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k123456CNTRL' \
 ```

 Response:
+
 ```
 {
  "id": "k123456CNTRL",
@@ -922,9 +965,11 @@ Deletes a specific key.
 Supply the tailnet and key ID of interest in the path.

 ##### Parameters
+
 No parameters.

 ##### Returns
+
 This reports status 200 upon success.

 ##### Example
@@ -941,10 +986,12 @@ curl -X DELETE 'https://api.tailscale.com/api/v2/tailnet/example.com/keys/k12345
 <a name=tailnet-dns-nameservers-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/nameservers` - list the DNS nameservers for a tailnet
+
 Lists the DNS nameservers for a tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
+
 No parameters.

 ##### Example
@@ -956,6 +1003,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
 ```

 Response
+
 ```
 {
  "dns": ["8.8.8.8"],
@@ -965,13 +1013,17 @@ Response
 <a name=tailnet-dns-nameservers-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/nameservers` - replaces the list of DNS nameservers for a tailnet
+
 Replaces the list of DNS nameservers for the given tailnet with the list supplied by the user.
 Supply the tailnet of interest in the path.
 Note that changing the list of DNS nameservers may also affect the status of MagicDNS (if MagicDNS is on).

 ##### Parameters
+
 ###### POST Body
+
 `dns` - The new list of DNS nameservers in JSON.
+
 ```
 {
  "dns":["8.8.8.8"]
@@ -979,12 +1031,15 @@ Note that changing the list of DNS nameservers may also affect the status of Mag
 ```

 ##### Returns
+
 Returns the new list of nameservers and the status of MagicDNS.

 If all nameservers have been removed, MagicDNS will be automatically disabled (until explicitly turned back on by the user).

 ##### Example
+
 ###### Adding DNS nameservers with the MagicDNS on:
+
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -993,6 +1048,7 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
+
 ```
 {
  "dns":["8.8.8.8"],
@@ -1001,6 +1057,7 @@ Response:
 ```

 ###### Removing all DNS nameservers with the MagicDNS on:
+
 ```
 POST /api/v2/tailnet/example.com/dns/nameservers
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameservers' \
@@ -1009,6 +1066,7 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/nameserve
 ```

 Response:
+
 ```
 {
  "dns":[],
@@ -1019,13 +1077,16 @@ Response:
 <a name=tailnet-dns-preferences-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/preferences` - retrieves the DNS preferences for a tailnet
+
 Retrieves the DNS preferences that are currently set for the given tailnet.
 Supply the tailnet of interest in the path.

 ##### Parameters
+
 No parameters.

 ##### Example
+
 ```
 GET /api/v2/tailnet/example.com/dns/preferences
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1033,6 +1094,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
 ```

 Response:
+
 ```
 {
  "magicDNS":false,
@@ -1042,6 +1104,7 @@ Response:
 <a name=tailnet-dns-preferences-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/preferences` - replaces the DNS preferences for a tailnet
+
 Replaces the DNS preferences for a tailnet, specifically, the MagicDNS setting.
 Note that MagicDNS is dependent on DNS servers.

@@ -1051,9 +1114,12 @@ Note that removing all nameservers will turn off MagicDNS.
 To reenable it, nameservers must be added back, and MagicDNS must be explicitly turned on.

 ##### Parameters
+
 ###### POST Body
+
 The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
-`magicDNS` -  Automatically registers DNS names for devices in your tailnet.
+`magicDNS` - Automatically registers DNS names for devices in your tailnet.
+
 ```
 {
  "magicDNS": true
@@ -1061,6 +1127,7 @@ The DNS preferences in JSON. Currently, MagicDNS is the only setting available.
 ```

 ##### Example
+
 ```
 POST /api/v2/tailnet/example.com/dns/preferences
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferences' \
@@ -1068,10 +1135,10 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/preferenc
  --data-binary '{"magicDNS": true}'
 ```

-
 Response:

 If there are no DNS servers, it returns an error message:
+
 ```
 {
  "message":"need at least one nameserver to enable MagicDNS"
@@ -1079,6 +1146,7 @@ If there are no DNS servers, it returns an error message:
 ```

 If there are DNS servers:
+
 ```
 {
  "magicDNS":true,
@@ -1088,14 +1156,16 @@ If there are DNS servers:
 <a name=tailnet-dns-searchpaths-get></a>

 #### `GET /api/v2/tailnet/:tailnet/dns/searchpaths` - retrieves the search paths for a tailnet
+
 Retrieves the list of search paths that is currently set for the given tailnet.
 Supply the tailnet of interest in the path.

-
 ##### Parameters
+
 No parameters.

 ##### Example
+
 ```
 GET /api/v2/tailnet/example.com/dns/searchpaths
 curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1103,6 +1173,7 @@ curl 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
 ```

 Response:
+
 ```
 {
  "searchPaths": ["user1.example.com"],
@@ -1112,12 +1183,15 @@ Response:
 <a name=tailnet-dns-searchpaths-post></a>

 #### `POST /api/v2/tailnet/:tailnet/dns/searchpaths` - replaces the search paths for a tailnet
+
 Replaces the list of searchpaths with the list supplied by the user and returns an error otherwise.

 ##### Parameters

 ###### POST Body
+
 `searchPaths` - A list of searchpaths in JSON.
+
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"]
@@ -1125,6 +1199,7 @@ Replaces the list of searchpaths with the list supplied by the user and returns
 ```

 ##### Example
+
 ```
 POST /api/v2/tailnet/example.com/dns/searchpaths
 curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpaths' \
@@ -1133,6 +1208,7 @@ curl -X POST 'https://api.tailscale.com/api/v2/tailnet/example.com/dns/searchpat
 ```

 Response:
+
 ```
 {
  "searchPaths": ["user1.example.com", "user2.example.com"],
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -24,17 +24,11 @@ func New(socket string) (*BIRDClient, error) {
 	return newWithTimeout(socket, responseTimeout)
 }

-func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
+func newWithTimeout(socket string, timeout time.Duration) (*BIRDClient, error) {
 	conn, err := net.Dial("unix", socket)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
 	}
-	defer func() {
-		if err != nil {
-			conn.Close()
-		}
-	}()
-
 	b := &BIRDClient{
 		socket:  socket,
 		conn:    conn,
--- a/chirp/chirp_test.go
+++ b/chirp/chirp_test.go
@@ -106,10 +106,10 @@ func TestChirp(t *testing.T) {
 		t.Fatal(err)
 	}
 	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeeded", "rando")
+		t.Fatalf("enabling %q succeded", "rando")
 	}
 	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeeded", "rando")
+		t.Fatalf("disabling %q succeded", "rando")
 	}
 }

--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -459,7 +459,7 @@ func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (test
 	}

 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
+		return nil, fmt.Errorf("control api responsed with %d status code", resp.StatusCode)
 	}

 	// The test ran without fail
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -19,7 +19,6 @@ import (
 	"net/http"
 	"net/http/httptrace"
 	"net/netip"
-	"net/textproto"
 	"net/url"
 	"os/exec"
 	"runtime"
@@ -268,47 +267,15 @@ func (lc *LocalClient) Profile(ctx context.Context, pprofType string, sec int) (
 	return lc.get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
 }

-// BugReportOpts contains options to pass to the Tailscale daemon when
-// generating a bug report.
-type BugReportOpts struct {
-	// Note contains an optional user-provided note to add to the logs.
-	Note string
-
-	// Diagnose specifies whether to print additional diagnostic information to
-	// the logs when generating this bugreport.
-	Diagnose bool
-}
-
-// BugReportWithOpts logs and returns a log marker that can be shared by the
-// user with support.
-//
-// The opts type specifies options to pass to the Tailscale daemon when
-// generating this bug report.
-func (lc *LocalClient) BugReportWithOpts(ctx context.Context, opts BugReportOpts) (string, error) {
-	var qparams url.Values
-	if opts.Note != "" {
-		qparams.Set("note", opts.Note)
-	}
-	if opts.Diagnose {
-		qparams.Set("diagnose", "true")
-	}
-
-	uri := fmt.Sprintf("/localapi/v0/bugreport?%s", qparams.Encode())
-	body, err := lc.send(ctx, "POST", uri, 200, nil)
+// BugReport logs and returns a log marker that can be shared by the user with support.
+func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
+	body, err := lc.send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
 	if err != nil {
 		return "", err
 	}
 	return strings.TrimSpace(string(body)), nil
 }

-// BugReport logs and returns a log marker that can be shared by the user with support.
-//
-// This is the same as calling BugReportWithOpts and only specifying the Note
-// field.
-func (lc *LocalClient) BugReport(ctx context.Context, note string) (string, error) {
-	return lc.BugReportWithOpts(ctx, BugReportOpts{Note: note})
-}
-
 // DebugAction invokes a debug action, such as "rebind" or "restun".
 // These are development tools and subject to change or removal over time.
 func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
@@ -319,28 +286,6 @@ func (lc *LocalClient) DebugAction(ctx context.Context, action string) error {
 	return nil
 }

-// SetComponentDebugLogging sets component's debug logging enabled for
-// the provided duration. If the duration is in the past, the debug logging
-// is disabled.
-func (lc *LocalClient) SetComponentDebugLogging(ctx context.Context, component string, d time.Duration) error {
-	body, err := lc.send(ctx, "POST",
-		fmt.Sprintf("/localapi/v0/component-debug-logging?component=%s&secs=%d",
-			url.QueryEscape(component), int64(d.Seconds())), 200, nil)
-	if err != nil {
-		return fmt.Errorf("error %w: %s", err, body)
-	}
-	var res struct {
-		Error string
-	}
-	if err := json.Unmarshal(body, &res); err != nil {
-		return err
-	}
-	if res.Error != "" {
-		return errors.New(res.Error)
-	}
-	return nil
-}
-
 // Status returns the Tailscale daemon's status.
 func Status(ctx context.Context) (*ipnstate.Status, error) {
 	return defaultLocalClient.Status(ctx)
@@ -559,15 +504,6 @@ func (lc *LocalClient) SetDNS(ctx context.Context, name, value string) error {
 //
 // The ctx is only used for the duration of the call, not the lifetime of the net.Conn.
 func (lc *LocalClient) DialTCP(ctx context.Context, host string, port uint16) (net.Conn, error) {
-	return lc.dialViaLocalAPI(ctx, host, fmt.Sprint(port))
-}
-
-// DialTCPNamedPort is like DialTCP but takes a named port rather than an integer.
-func (lc *LocalClient) DialTCPNamedPort(ctx context.Context, host, portName string) (net.Conn, error) {
-	return lc.dialViaLocalAPI(ctx, host, portName)
-}
-
-func (lc *LocalClient) dialViaLocalAPI(ctx context.Context, host, port string) (net.Conn, error) {
 	connCh := make(chan net.Conn, 1)
 	trace := httptrace.ClientTrace{
 		GotConn: func(info httptrace.GotConnInfo) {
@@ -583,7 +519,7 @@ func (lc *LocalClient) dialViaLocalAPI(ctx context.Context, host, port string) (
 		"Upgrade":    []string{"ts-dial"},
 		"Connection": []string{"upgrade"},
 		"Dial-Host":  []string{host},
-		"Dial-Port":  []string{port},
+		"Dial-Port":  []string{fmt.Sprint(port)},
 	}
 	res, err := lc.DoLocalRequest(req)
 	if err != nil {
@@ -615,59 +551,6 @@ func (lc *LocalClient) dialViaLocalAPI(ctx context.Context, host, port string) (
 	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
 }

-// ListenNewRandomPortName...
-func (lc *LocalClient) ListenNewRandomPortName(ctx context.Context) (portName string, accept func(context.Context) (net.Conn, error), err error) {
-	connCh := make(chan net.Conn, 1)
-	portNameCh := make(chan string, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-		Got1xxResponse: func(code int, header textproto.MIMEHeader) error {
-			portNameCh <- fmt.Sprintf("Got %v, %v", code, header)
-			return nil
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/open-bidi-pipe", nil)
-	if err != nil {
-		return "", nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"ts-open-bidi-pipe"},
-		"Connection": []string{"upgrade"},
-	}
-
-	doErrc := make(chan error, 1)
-
-	go func() {
-		res, err := lc.DoLocalRequest(req)
-		if err != nil {
-			doErrc <- err
-			return
-		}
-		_ = res
-	}()
-
-	accept = func(ctx context.Context) (net.Conn, error) {
-		panic("TODO")
-	}
-
-	select {
-	case name := <-portNameCh:
-		return name, accept, nil
-	case err := <-doErrc:
-		return "", nil, err
-	}
-
-	// if res.StatusCode != http.StatusSwitchingProtocols {
-	// 	body, _ := io.ReadAll(res.Body)
-	// 	res.Body.Close()
-	// 	return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	// }
-	panic("TODO")
-}
-
 // CurrentDERPMap returns the current DERPMap that is being used by the local tailscaled.
 // It is intended to be used with netcheck to see availability of DERPs.
 func (lc *LocalClient) CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
@@ -759,14 +642,14 @@ func (lc *LocalClient) GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate
 	return &cert, nil
 }

-// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
 //
 // Deprecated: use LocalClient.ExpandSNIName.
 func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	return defaultLocalClient.ExpandSNIName(ctx, name)
 }

-// ExpandSNIName expands bare label name into the most likely actual TLS cert name.
+// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
 func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
 	st, err := lc.StatusWithoutPeers(ctx)
 	if err != nil {
@@ -833,30 +716,6 @@ func (lc *LocalClient) NetworkLockInit(ctx context.Context, keys []tka.Key) (*ip
 	return pr, nil
 }

-// NetworkLockModify adds and/or removes key(s) to the tailnet key authority.
-func (lc *LocalClient) NetworkLockModify(ctx context.Context, addKeys, removeKeys []tka.Key) (*ipnstate.NetworkLockStatus, error) {
-	var b bytes.Buffer
-	type modifyRequest struct {
-		AddKeys    []tka.Key
-		RemoveKeys []tka.Key
-	}
-
-	if err := json.NewEncoder(&b).Encode(modifyRequest{AddKeys: addKeys, RemoveKeys: removeKeys}); err != nil {
-		return nil, err
-	}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/modify", 200, &b)
-	if err != nil {
-		return nil, fmt.Errorf("error: %w", err)
-	}
-
-	pr := new(ipnstate.NetworkLockStatus)
-	if err := json.Unmarshal(body, pr); err != nil {
-		return nil, err
-	}
-	return pr, nil
-}
-
 // tailscaledConnectHint gives a little thing about why tailscaled (or
 // platform equivalent) is not answering localapi connections.
 //
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -115,7 +115,7 @@ func (c *Client) Do(req *http.Request) (*http.Response, error) {
 	return c.httpClient().Do(req)
 }

-// sendRequest add the authentication key to the request and sends it. It
+// sendRequest add the authenication key to the request and sends it. It
 // receives the response and reads up to 10MB of it.
 func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
 	if !I_Acknowledge_This_API_Is_Unstable {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -51,7 +51,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
+        tailscale.com/tka                                            from tailscale.com/client/tailscale
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
@@ -107,8 +107,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
--- a/cmd/derper/websocket.go
+++ b/cmd/derper/websocket.go
@@ -23,7 +23,7 @@ func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
 		up := strings.ToLower(r.Header.Get("Upgrade"))

 		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
+		// speak WebSockets (they still assumed DERP's binary framining). So to distinguish
 		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
 		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
 			base.ServeHTTP(w, r)
--- a/cmd/pgproxy/README.md
+++ b/cmd/pgproxy/README.md
@@ -1,42 +0,0 @@
-# pgproxy
-
-The pgproxy server is a proxy for the Postgres wire protocol. [Read
-more in our blog
-post](https://tailscale.com/blog/introducing-pgproxy/) about it!
-
-The proxy runs an in-process Tailscale instance, accepts postgres
-client connections over Tailscale only, and proxies them to the
-configured upstream postgres server.
-
-This proxy exists because postgres clients default to very insecure
-connection settings: either they "prefer" but do not require TLS; or
-they set sslmode=require, which merely requires that a TLS handshake
-took place, but don't verify the server's TLS certificate or the
-presented TLS hostname.  In other words, sslmode=require enforces that
-a TLS session is created, but that session can trivially be
-machine-in-the-middled to steal credentials, data, inject malicious
-queries, and so forth.
-
-Because this flaw is in the client's validation of the TLS session,
-you have no way of reliably detecting the misconfiguration
-server-side. You could fix the configuration of all the clients you
-know of, but the default makes it very easy to accidentally regress.
-
-Instead of trying to verify client configuration over time, this proxy
-removes the need for postgres clients to be configured correctly: the
-upstream database is configured to only accept connections from the
-proxy, and the proxy is only available to clients over Tailscale.
-
-Therefore, clients must use the proxy to connect to the database. The
-client<>proxy connection is secured end-to-end by Tailscale, which the
-proxy enforces by verifying that the connecting client is a known
-current Tailscale peer. The proxy<>server connection is established by
-the proxy itself, using strict TLS verification settings, and the
-client is only allowed to communicate with the server once we've
-established that the upstream connection is safe to use.
-
-A couple side benefits: because clients can only connect via
-Tailscale, you can use Tailscale ACLs as an extra layer of defense on
-top of the postgres user/password authentication. And, the proxy can
-maintain an audit log of who connected to the database, complete with
-the strongly authenticated Tailscale identity of the client.
--- a/cmd/pgproxy/pgproxy.go
+++ b/cmd/pgproxy/pgproxy.go
@@ -1,366 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The pgproxy server is a proxy for the Postgres wire protocol.
-package main
-
-import (
-	"context"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	crand "crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"expvar"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"math/big"
-	"net"
-	"net/http"
-	"os"
-	"strings"
-	"time"
-
-	"tailscale.com/client/tailscale"
-	"tailscale.com/metrics"
-	"tailscale.com/tsnet"
-	"tailscale.com/tsweb"
-	"tailscale.com/types/logger"
-)
-
-var (
-	hostname     = flag.String("hostname", "", "Tailscale hostname to serve on")
-	port         = flag.Int("port", 5432, "Listening port for client connections")
-	debugPort    = flag.Int("debug-port", 80, "Listening port for debug/metrics endpoint")
-	upstreamAddr = flag.String("upstream-addr", "", "Address of the upstream Postgres server, in host:port format")
-	upstreamCA   = flag.String("upstream-ca-file", "", "File containing the PEM-encoded CA certificate for the upstream server")
-	tailscaleDir = flag.String("state-dir", "", "Directory in which to store the Tailscale auth state")
-)
-
-func main() {
-	flag.Parse()
-	if *hostname == "" {
-		log.Fatal("missing --hostname")
-	}
-	if *upstreamAddr == "" {
-		log.Fatal("missing --upstream-addr")
-	}
-	if *upstreamCA == "" {
-		log.Fatal("missing --upstream-ca-file")
-	}
-	if *tailscaleDir == "" {
-		log.Fatal("missing --state-dir")
-	}
-
-	ts := &tsnet.Server{
-		Dir:      *tailscaleDir,
-		Hostname: *hostname,
-		// Make the stdout logs a clean audit log of connections.
-		Logf: logger.Discard,
-	}
-
-	if os.Getenv("TS_AUTHKEY") == "" {
-		log.Print("Note: you need to run this with TS_AUTHKEY=... the first time, to join your tailnet of choice.")
-	}
-
-	tsclient, err := ts.LocalClient()
-	if err != nil {
-		log.Fatalf("getting tsnet API client: %v", err)
-	}
-
-	p, err := newProxy(*upstreamAddr, *upstreamCA, tsclient)
-	if err != nil {
-		log.Fatal(err)
-	}
-	expvar.Publish("pgproxy", p.Expvar())
-
-	if *debugPort != 0 {
-		mux := http.NewServeMux()
-		tsweb.Debugger(mux)
-		srv := &http.Server{
-			Handler: mux,
-		}
-		dln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *debugPort))
-		if err != nil {
-			log.Fatal(err)
-		}
-		go func() {
-			log.Fatal(srv.Serve(dln))
-		}()
-	}
-
-	ln, err := ts.Listen("tcp", fmt.Sprintf(":%d", *port))
-	if err != nil {
-		log.Fatal(err)
-	}
-	log.Printf("serving access to %s on port %d", *upstreamAddr, *port)
-	log.Fatal(p.Serve(ln))
-}
-
-// proxy is a postgres wire protocol proxy, which strictly enforces
-// the security of the TLS connection to its upstream regardless of
-// what the client's TLS configuration is.
-type proxy struct {
-	upstreamAddr     string // "my.database.com:5432"
-	upstreamHost     string // "my.database.com"
-	upstreamCertPool *x509.CertPool
-	downstreamCert   []tls.Certificate
-	client           *tailscale.LocalClient
-
-	activeSessions  expvar.Int
-	startedSessions expvar.Int
-	errors          metrics.LabelMap
-}
-
-// newProxy returns a proxy that forwards connections to
-// upstreamAddr. The upstream's TLS session is verified using the CA
-// cert(s) in upstreamCAPath.
-func newProxy(upstreamAddr, upstreamCAPath string, client *tailscale.LocalClient) (*proxy, error) {
-	bs, err := os.ReadFile(upstreamCAPath)
-	if err != nil {
-		return nil, err
-	}
-	upstreamCertPool := x509.NewCertPool()
-	if !upstreamCertPool.AppendCertsFromPEM(bs) {
-		return nil, fmt.Errorf("invalid CA cert in %q", upstreamCAPath)
-	}
-
-	h, _, err := net.SplitHostPort(upstreamAddr)
-	if err != nil {
-		return nil, err
-	}
-	downstreamCert, err := mkSelfSigned(h)
-	if err != nil {
-		return nil, err
-	}
-
-	return &proxy{
-		upstreamAddr:     upstreamAddr,
-		upstreamHost:     h,
-		upstreamCertPool: upstreamCertPool,
-		downstreamCert:   []tls.Certificate{downstreamCert},
-		client:           client,
-		errors:           metrics.LabelMap{Label: "kind"},
-	}, nil
-}
-
-// Expvar returns p's monitoring metrics.
-func (p *proxy) Expvar() expvar.Var {
-	ret := &metrics.Set{}
-	ret.Set("sessions_active", &p.activeSessions)
-	ret.Set("sessions_started", &p.startedSessions)
-	ret.Set("session_errors", &p.errors)
-	return ret
-}
-
-// Serve accepts postgres client connections on ln and proxies them to
-// the configured upstream. ln can be any net.Listener, but all client
-// connections must originate from tailscale IPs that can be verified
-// with WhoIs.
-func (p *proxy) Serve(ln net.Listener) error {
-	var lastSessionID int64
-	for {
-		c, err := ln.Accept()
-		if err != nil {
-			return err
-		}
-		id := time.Now().UnixNano()
-		if id == lastSessionID {
-			// Bluntly enforce SID uniqueness, even if collisions are
-			// fantastically unlikely (but OSes vary in how much timer
-			// precision they expose to the OS, so id might be rounded
-			// e.g. to the same millisecond)
-			id++
-		}
-		lastSessionID = id
-		go func(sessionID int64) {
-			if err := p.serve(sessionID, c); err != nil {
-				log.Printf("%d: session ended with error: %v", sessionID, err)
-			}
-		}(id)
-	}
-}
-
-var (
-	// sslStart is the magic bytes that postgres clients use to indicate
-	// that they want to do a TLS handshake. Servers should respond with
-	// the single byte "S" before starting a normal TLS handshake.
-	sslStart = [8]byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
-	// plaintextStart is the magic bytes that postgres clients use to
-	// indicate that they're starting a plaintext authentication
-	// handshake.
-	plaintextStart = [8]byte{0, 0, 0, 86, 0, 3, 0, 0}
-)
-
-// serve proxies the postgres client on c to the proxy's upstream,
-// enforcing strict TLS to the upstream.
-func (p *proxy) serve(sessionID int64, c net.Conn) error {
-	defer c.Close()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	whois, err := p.client.WhoIs(ctx, c.RemoteAddr().String())
-	if err != nil {
-		p.errors.Add("whois-failed", 1)
-		return fmt.Errorf("getting client identity: %v", err)
-	}
-
-	// Before anything else, log the connection attempt.
-	user, machine := "", ""
-	if whois.Node != nil {
-		if whois.Node.Hostinfo.ShareeNode() {
-			machine = "external-device"
-		} else {
-			machine = strings.TrimSuffix(whois.Node.Name, ".")
-		}
-	}
-	if whois.UserProfile != nil {
-		user = whois.UserProfile.LoginName
-		if user == "tagged-devices" && whois.Node != nil {
-			user = strings.Join(whois.Node.Tags, ",")
-		}
-	}
-	if user == "" || machine == "" {
-		p.errors.Add("no-ts-identity", 1)
-		return fmt.Errorf("couldn't identify source user and machine (user %q, machine %q)", user, machine)
-	}
-	log.Printf("%d: session start, from %s (machine %s, user %s)", sessionID, c.RemoteAddr(), machine, user)
-	start := time.Now()
-	defer func() {
-		elapsed := time.Since(start)
-		log.Printf("%d: session end, from %s (machine %s, user %s), lasted %s", sessionID, c.RemoteAddr(), machine, user, elapsed.Round(time.Millisecond))
-	}()
-
-	// Read the client's opening message, to figure out if it's trying
-	// to TLS or not.
-	var buf [8]byte
-	if _, err := io.ReadFull(c, buf[:len(sslStart)]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("initial magic read: %v", err)
-	}
-	var clientIsTLS bool
-	switch {
-	case buf == sslStart:
-		clientIsTLS = true
-	case buf == plaintextStart:
-		clientIsTLS = false
-	default:
-		p.errors.Add("client-bad-protocol", 1)
-		return fmt.Errorf("unrecognized initial packet = % 02x", buf)
-	}
-
-	// Dial & verify upstream connection.
-	var d net.Dialer
-	d.Timeout = 10 * time.Second
-	upc, err := d.Dial("tcp", p.upstreamAddr)
-	if err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("upstream dial: %v", err)
-	}
-	defer upc.Close()
-	if _, err := upc.Write(sslStart[:]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("upstream write of start-ssl magic: %v", err)
-	}
-	if _, err := io.ReadFull(upc, buf[:1]); err != nil {
-		p.errors.Add("network-error", 1)
-		return fmt.Errorf("reading upstream start-ssl response: %v", err)
-	}
-	if buf[0] != 'S' {
-		p.errors.Add("upstream-bad-protocol", 1)
-		return fmt.Errorf("upstream didn't acknowldge start-ssl, said %q", buf[0])
-	}
-	tlsConf := &tls.Config{
-		ServerName: p.upstreamHost,
-		RootCAs:    p.upstreamCertPool,
-		MinVersion: tls.VersionTLS12,
-	}
-	uptc := tls.Client(upc, tlsConf)
-	if err = uptc.HandshakeContext(ctx); err != nil {
-		p.errors.Add("upstream-tls", 1)
-		return fmt.Errorf("upstream TLS handshake: %v", err)
-	}
-
-	// Accept the client conn and set it up the way the client wants.
-	var clientConn net.Conn
-	if clientIsTLS {
-		io.WriteString(c, "S") // yeah, we're good to speak TLS
-		s := tls.Server(c, &tls.Config{
-			ServerName:   p.upstreamHost,
-			Certificates: p.downstreamCert,
-			MinVersion:   tls.VersionTLS12,
-		})
-		if err = uptc.HandshakeContext(ctx); err != nil {
-			p.errors.Add("client-tls", 1)
-			return fmt.Errorf("client TLS handshake: %v", err)
-		}
-		clientConn = s
-	} else {
-		// Repeat the header we read earlier up to the server.
-		if _, err := uptc.Write(plaintextStart[:]); err != nil {
-			p.errors.Add("network-error", 1)
-			return fmt.Errorf("sending initial client bytes to upstream: %v", err)
-		}
-		clientConn = c
-	}
-
-	// Finally, proxy the client to the upstream.
-	errc := make(chan error, 1)
-	go func() {
-		_, err := io.Copy(uptc, clientConn)
-		errc <- err
-	}()
-	go func() {
-		_, err := io.Copy(clientConn, uptc)
-		errc <- err
-	}()
-	if err := <-errc; err != nil {
-		// Don't increment error counts here, because the most common
-		// cause of termination is client or server closing the
-		// connection normally, and it'll obscure "interesting"
-		// handshake errors.
-		return fmt.Errorf("session terminated with error: %v", err)
-	}
-	return nil
-}
-
-// mkSelfSigned creates and returns a self-signed TLS certificate for
-// hostname.
-func mkSelfSigned(hostname string) (tls.Certificate, error) {
-	priv, err := ecdsa.GenerateKey(elliptic.P256(), crand.Reader)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	pub := priv.Public()
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{"pgproxy"},
-		},
-		DNSNames:              []string{hostname},
-		NotBefore:             time.Now(),
-		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
-		KeyUsage:              x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-	derBytes, err := x509.CreateCertificate(crand.Reader, &template, &template, pub, priv)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	cert, err := x509.ParseCertificate(derBytes)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
-	return tls.Certificate{
-		Certificate: [][]byte{derBytes},
-		PrivateKey:  priv,
-		Leaf:        cert,
-	}, nil
-}
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -110,12 +110,11 @@ func runSpeedtest(ctx context.Context, args []string) error {
 	w := tabwriter.NewWriter(os.Stdout, 12, 0, 0, ' ', tabwriter.TabIndent)
 	fmt.Println("Results:")
 	fmt.Fprintln(w, "Interval\t\tTransfer\t\tBandwidth\t\t")
-	startTime := results[0].IntervalStart
 	for _, r := range results {
 		if r.Total {
 			fmt.Fprintln(w, "-------------------------------------------------------------------------")
 		}
-		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Sub(startTime).Seconds(), r.IntervalEnd.Sub(startTime).Seconds(), r.MegaBits(), r.MBitsPerSecond())
+		fmt.Fprintf(w, "%.2f-%.2f\tsec\t%.4f\tMBits\t%.4f\tMbits/sec\t\n", r.IntervalStart.Seconds(), r.IntervalEnd.Seconds(), r.MegaBits(), r.MBitsPerSecond())
 	}
 	w.Flush()
 	return nil
--- a/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
+++ b/cmd/ssh-auth-none-demo/ssh-auth-none-demo.go
@@ -1,187 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// ssh-auth-none-demo is a demo SSH server that's meant to run on the
-// public internet (at 188.166.70.128 port 2222) and
-// highlight the unique parts of the Tailscale SSH server so SSH
-// client authors can hit it easily and fix their SSH clients without
-// needing to set up Tailscale and Tailscale SSH.
-package main
-
-import (
-	"crypto/ecdsa"
-	"crypto/ed25519"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"encoding/pem"
-	"flag"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"path/filepath"
-	"time"
-
-	gossh "github.com/tailscale/golang-x-crypto/ssh"
-	"tailscale.com/tempfork/gliderlabs/ssh"
-)
-
-// keyTypes are the SSH key types that we either try to read from the
-// system's OpenSSH keys.
-var keyTypes = []string{"rsa", "ecdsa", "ed25519"}
-
-var (
-	addr = flag.String("addr", ":2222", "address to listen on")
-)
-
-func main() {
-	flag.Parse()
-
-	cacheDir, err := os.UserCacheDir()
-	if err != nil {
-		log.Fatal(err)
-	}
-	dir := filepath.Join(cacheDir, "ssh-auth-none-demo")
-	if err := os.MkdirAll(dir, 0700); err != nil {
-		log.Fatal(err)
-	}
-
-	keys, err := getHostKeys(dir)
-	if err != nil {
-		log.Fatal(err)
-	}
-	if len(keys) == 0 {
-		log.Fatal("no host keys")
-	}
-
-	srv := &ssh.Server{
-		Addr:    *addr,
-		Version: "Tailscale",
-		Handler: handleSessionPostSSHAuth,
-		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
-			start := time.Now()
-			return &gossh.ServerConfig{
-				ImplicitAuthMethod: "tailscale",
-				NoClientAuth:       true, // required for the NoClientAuthCallback to run
-				NoClientAuthCallback: func(cm gossh.ConnMetadata) (*gossh.Permissions, error) {
-					cm.SendAuthBanner(fmt.Sprintf("# Banner: doing none auth at %v\r\n", time.Since(start)))
-
-					totalBanners := 2
-					if cm.User() == "banners" {
-						totalBanners = 5
-					}
-					for banner := 2; banner <= totalBanners; banner++ {
-						time.Sleep(time.Second)
-						if banner == totalBanners {
-							cm.SendAuthBanner(fmt.Sprintf("# Banner%d: access granted at %v\r\n", banner, time.Since(start)))
-						} else {
-							cm.SendAuthBanner(fmt.Sprintf("# Banner%d at %v\r\n", banner, time.Since(start)))
-						}
-					}
-					return nil, nil
-				},
-				BannerCallback: func(cm gossh.ConnMetadata) string {
-					log.Printf("Got connection from user %q, %q from %v", cm.User(), cm.ClientVersion(), cm.RemoteAddr())
-					return fmt.Sprintf("# Banner for user %q, %q\n", cm.User(), cm.ClientVersion())
-				},
-			}
-		},
-	}
-
-	for _, signer := range keys {
-		srv.AddHostKey(signer)
-	}
-
-	log.Printf("Running on %s ...", srv.Addr)
-	if err := srv.ListenAndServe(); err != nil {
-		log.Fatal(err)
-	}
-	log.Printf("done")
-}
-
-func handleSessionPostSSHAuth(s ssh.Session) {
-	log.Printf("Started session from user %q", s.User())
-	fmt.Fprintf(s, "Hello user %q, it worked.\n", s.User())
-
-	// Abort the session on Control-C or Control-D.
-	go func() {
-		buf := make([]byte, 1024)
-		for {
-			n, err := s.Read(buf)
-			for _, b := range buf[:n] {
-				if b <= 4 { // abort on Control-C (3) or Control-D (4)
-					io.WriteString(s, "bye\n")
-					s.Exit(1)
-				}
-			}
-			if err != nil {
-				return
-			}
-		}
-	}()
-
-	for i := 10; i > 0; i-- {
-		fmt.Fprintf(s, "%v ...\n", i)
-		time.Sleep(time.Second)
-	}
-	s.Exit(0)
-}
-
-func getHostKeys(dir string) (ret []ssh.Signer, err error) {
-	for _, typ := range keyTypes {
-		hostKey, err := hostKeyFileOrCreate(dir, typ)
-		if err != nil {
-			return nil, err
-		}
-		signer, err := gossh.ParsePrivateKey(hostKey)
-		if err != nil {
-			return nil, err
-		}
-		ret = append(ret, signer)
-	}
-	return ret, nil
-}
-
-func hostKeyFileOrCreate(keyDir, typ string) ([]byte, error) {
-	path := filepath.Join(keyDir, "ssh_host_"+typ+"_key")
-	v, err := ioutil.ReadFile(path)
-	if err == nil {
-		return v, nil
-	}
-	if !os.IsNotExist(err) {
-		return nil, err
-	}
-	var priv any
-	switch typ {
-	default:
-		return nil, fmt.Errorf("unsupported key type %q", typ)
-	case "ed25519":
-		_, priv, err = ed25519.GenerateKey(rand.Reader)
-	case "ecdsa":
-		// curve is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		curve := elliptic.P256()
-		priv, err = ecdsa.GenerateKey(curve, rand.Reader)
-	case "rsa":
-		// keySize is arbitrary. We pick whatever will at
-		// least pacify clients as the actual encryption
-		// doesn't matter: it's all over WireGuard anyway.
-		const keySize = 2048
-		priv, err = rsa.GenerateKey(rand.Reader, keySize)
-	}
-	if err != nil {
-		return nil, err
-	}
-	mk, err := x509.MarshalPKCS8PrivateKey(priv)
-	if err != nil {
-		return nil, err
-	}
-	pemGen := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: mk})
-	err = os.WriteFile(path, pemGen, 0700)
-	return pemGen, err
-}
--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -7,11 +7,8 @@ package cli
 import (
 	"context"
 	"errors"
-	"flag"
-	"fmt"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/tailscale"
 )

 var bugReportCmd = &ffcli.Command{
@@ -19,17 +16,6 @@ var bugReportCmd = &ffcli.Command{
 	Exec:       runBugReport,
 	ShortHelp:  "Print a shareable identifier to help diagnose issues",
 	ShortUsage: "bugreport [note]",
-	FlagSet: (func() *flag.FlagSet {
-		fs := newFlagSet("bugreport")
-		fs.BoolVar(&bugReportArgs.diagnose, "diagnose", false, "run additional in-depth checks")
-		fs.BoolVar(&bugReportArgs.record, "record", false, "if true, pause and then write another bugreport")
-		return fs
-	})(),
-}
-
-var bugReportArgs struct {
-	diagnose bool
-	record   bool
 }

 func runBugReport(ctx context.Context, args []string) error {
@@ -39,31 +25,12 @@ func runBugReport(ctx context.Context, args []string) error {
 	case 1:
 		note = args[0]
 	default:
-		return errors.New("unknown arguments")
+		return errors.New("unknown argumets")
 	}
-	logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{
-		Note:     note,
-		Diagnose: bugReportArgs.diagnose,
-	})
+	logMarker, err := localClient.BugReport(ctx, note)
 	if err != nil {
 		return err
 	}
-
-	if bugReportArgs.record {
-		outln("The initial bugreport is below; please reproduce your issue and then press Enter...")
-	}
-
 	outln(logMarker)
-
-	if bugReportArgs.record {
-		fmt.Scanln()
-
-		logMarker, err := localClient.BugReportWithOpts(ctx, tailscale.BugReportOpts{})
-		if err != nil {
-			return err
-		}
-		outln(logMarker)
-		outln("Please provide both bugreport markers above to the support team or GitHub issue.")
-	}
 	return nil
 }
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -34,7 +34,6 @@ import (

 var Stderr io.Writer = os.Stderr
 var Stdout io.Writer = os.Stdout
-var Stdin io.Reader = os.Stdin

 func printf(format string, a ...any) {
 	fmt.Fprintf(Stdout, format, a...)
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -410,7 +410,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 			want: accidentalUpPrefix + " --hostname=foo --exit-node=100.64.5.7",
 		},
 		{
-			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Issue 3480
+			name:          "error_exit_node_and_allow_lan_omit_with_id_pref", // Isue 3480
 			flags:         []string{"--hostname=foo"},
 			curExitNodeIP: netip.MustParseAddr("100.2.3.4"),
 			curPrefs: &ipn.Prefs{
@@ -448,7 +448,7 @@ func TestCheckForAccidentalSettingReverts(t *testing.T) {
 		},
 		{
 			// Issue 3176: on Synology, don't require --accept-routes=false because user
-			// might've had an old install, and we don't support --accept-routes anyway.
+			// migth've had old an install, and we don't support --accept-routes anyway.
 			name:  "synology_permit_omit_accept_routes",
 			flags: []string{"--hostname=foo"},
 			curPrefs: &ipn.Prefs{
--- a/cmd/tailscale/cli/configure-host.go
+++ b/cmd/tailscale/cli/configure-host.go
@@ -48,11 +48,11 @@ func runConfigureHost(ctx context.Context, args []string) error {
 	if uid := os.Getuid(); uid != 0 {
 		return fmt.Errorf("must be run as root, not %q (%v)", os.Getenv("USER"), uid)
 	}
-	hi := hostinfo.New()
-	isDSM6 := strings.HasPrefix(hi.DistroVersion, "6.")
-	isDSM7 := strings.HasPrefix(hi.DistroVersion, "7.")
+	osVer := hostinfo.GetOSVersion()
+	isDSM6 := strings.HasPrefix(osVer, "Synology 6")
+	isDSM7 := strings.HasPrefix(osVer, "Synology 7")
 	if !isDSM6 && !isDSM7 {
-		return fmt.Errorf("unsupported DSM version %q", hi.DistroVersion)
+		return fmt.Errorf("unsupported DSM version %q", osVer)
 	}
 	if _, err := os.Stat("/dev/net/tun"); os.IsNotExist(err) {
 		if err := os.MkdirAll("/dev/net", 0755); err != nil {
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -53,16 +53,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runDERPMap,
 			ShortHelp: "print DERP map",
 		},
-		{
-			Name:      "component-logs",
-			Exec:      runDebugComponentLogs,
-			ShortHelp: "enable/disable debug logs for a component",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("component-logs")
-				fs.DurationVar(&debugComponentLogsArgs.forDur, "for", time.Hour, "how long to enable debug logs for; zero or negative means to disable")
-				return fs
-			})(),
-		},
 		{
 			Name:      "daemon-goroutines",
 			Exec:      runDaemonGoroutines,
@@ -523,26 +513,3 @@ func runTS2021(ctx context.Context, args []string) error {
 	log.Printf("final underlying conn: %v / %v", conn.LocalAddr(), conn.RemoteAddr())
 	return nil
 }
-
-var debugComponentLogsArgs struct {
-	forDur time.Duration
-}
-
-func runDebugComponentLogs(ctx context.Context, args []string) error {
-	if len(args) != 1 {
-		return errors.New("usage: debug component-logs <component>")
-	}
-	component := args[0]
-	dur := debugComponentLogsArgs.forDur
-
-	err := localClient.SetComponentDebugLogging(ctx, component, dur)
-	if err != nil {
-		return err
-	}
-	if debugComponentLogsArgs.forDur <= 0 {
-		fmt.Printf("Disabled debug logs for component %q\n", component)
-	} else {
-		fmt.Printf("Enabled debug logs for component %q for %v\n", component, dur)
-	}
-	return nil
-}
--- a/cmd/tailscale/cli/nc.go
+++ b/cmd/tailscale/cli/nc.go
@@ -7,65 +7,46 @@ package cli
 import (
 	"context"
 	"errors"
-	"flag"
 	"fmt"
 	"io"
-	"net"
 	"os"
 	"strconv"
-	"strings"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/ipn/ipnstate"
 )

 var ncCmd = &ffcli.Command{
 	Name:       "nc",
-	ShortUsage: "nc <hostname-or-IP> <port>\n  nc -l",
+	ShortUsage: "nc <hostname-or-IP> <port>",
 	ShortHelp:  "Connect to a port on a host, connected to stdin/stdout",
 	Exec:       runNC,
-	FlagSet: func() *flag.FlagSet {
-		fs := flag.NewFlagSet("nc", flag.ExitOnError)
-		fs.BoolVar(&ncArgs.listen, "l", false, "whether to listen for incoming connections (\"Tailpipe\")")
-		return fs
-	}(),
-}
-
-var ncArgs struct {
-	listen bool
 }

 func runNC(ctx context.Context, args []string) error {
-	if ncArgs.listen {
-		if len(args) != 0 {
-			return errors.New("no arguments supported with -l")
-		}
-		return runNCListen(ctx)
+	st, err := localClient.Status(ctx)
+	if err != nil {
+		return fixTailscaledConnectError(err)
+	}
+	description, ok := isRunningOrStarting(st)
+	if !ok {
+		printf("%s\n", description)
+		os.Exit(1)
 	}

 	if len(args) != 2 {
 		return errors.New("usage: nc <hostname-or-IP> <port>")
 	}

-	if _, err := checkRunning(ctx); err != nil {
-		return err
-	}
 	hostOrIP, portStr := args[0], args[1]
-
-	var c net.Conn
-	var err error
-	if strings.HasPrefix(portStr, "tailpipe-") {
-		c, err = localClient.DialTCPNamedPort(ctx, hostOrIP, portStr)
-	} else {
-		port, err := strconv.ParseUint(portStr, 10, 16)
-		if err != nil {
-			return fmt.Errorf("invalid port number %q", portStr)
-		}
-		// TODO(bradfitz): also add UDP too, via flag?
-		c, err = localClient.DialTCP(ctx, hostOrIP, uint16(port))
-	}
+	port, err := strconv.ParseUint(portStr, 10, 16)
 	if err != nil {
-		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, portStr, err)
+		return fmt.Errorf("invalid port number %q", portStr)
+	}
+
+	// TODO(bradfitz): also add UDP too, via flag?
+	c, err := localClient.DialTCP(ctx, hostOrIP, uint16(port))
+	if err != nil {
+		return fmt.Errorf("Dial(%q, %v): %w", hostOrIP, port, err)
 	}
 	defer c.Close()
 	errc := make(chan error, 1)
@@ -79,43 +60,3 @@ func runNC(ctx context.Context, args []string) error {
 	}()
 	return <-errc
 }
-
-func checkRunning(ctx context.Context) (*ipnstate.Status, error) {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return nil, fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-	return st, err
-}
-
-// runNCLIsten opens a tailpipe.
-func runNCListen(ctx context.Context) error {
-	st, err := checkRunning(ctx)
-	if err != nil {
-		return err
-	}
-	portName, accept, err := localClient.ListenNewRandomPortName(ctx)
-	if err != nil {
-		return err
-	}
-	fmt.Fprintf(Stderr, "Port opened. Connect with: nc %v %v\n", st.Self.Addrs[0], portName)
-	c, err := accept(ctx)
-	if err != nil {
-		return err
-	}
-	errc := make(chan error, 1)
-	go func() {
-		_, err := io.Copy(Stdout, c)
-		errc <- err
-	}()
-	go func() {
-		_, err := io.Copy(c, Stdin)
-		errc <- err
-	}()
-	return <-errc
-}
--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -133,9 +133,6 @@ func printReport(dm *tailcfg.DERPMap, report *netcheck.Report) error {
 	printf("\t* MappingVariesByDestIP: %v\n", report.MappingVariesByDestIP)
 	printf("\t* HairPinning: %v\n", report.HairPinning)
 	printf("\t* PortMapping: %v\n", portMapping(report))
-	if report.CaptivePortal != "" {
-		printf("\t* CaptivePortal: %v\n", report.CaptivePortal)
-	}

 	// When DERP latency checking failed,
 	// magicsock will try to pick the DERP server that
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -17,16 +17,11 @@ import (
 )

 var netlockCmd = &ffcli.Command{
-	Name:       "lock",
-	ShortUsage: "lock <sub-command> <arguments>",
-	ShortHelp:  "Manipulate the tailnet key authority",
-	Subcommands: []*ffcli.Command{
-		nlInitCmd,
-		nlStatusCmd,
-		nlAddCmd,
-		nlRemoveCmd,
-	},
-	Exec: runNetworkLockStatus,
+	Name:        "lock",
+	ShortUsage:  "lock <sub-command> <arguments>",
+	ShortHelp:   "Manipulate the tailnet key authority",
+	Subcommands: []*ffcli.Command{nlInitCmd, nlStatusCmd},
+	Exec:        runNetworkLockStatus,
 }

 var nlInitCmd = &ffcli.Command{
@@ -46,9 +41,29 @@ func runNetworkLockInit(ctx context.Context, args []string) error {
 	}

 	// Parse the set of initially-trusted keys.
-	keys, err := parseNLKeyArgs(args)
-	if err != nil {
-		return err
+	// Keys are specified using their key.NLPublic.MarshalText representation,
+	// with an optional '?<votes>' suffix.
+	var keys []tka.Key
+	for i, a := range args {
+		var key key.NLPublic
+		spl := strings.SplitN(a, "?", 2)
+		if err := key.UnmarshalText([]byte(spl[0])); err != nil {
+			return fmt.Errorf("parsing key %d: %v", i+1, err)
+		}
+
+		k := tka.Key{
+			Kind:   tka.Key25519,
+			Public: key.Verifier(),
+			Votes:  1,
+		}
+		if len(spl) > 1 {
+			votes, err := strconv.Atoi(spl[1])
+			if err != nil {
+				return fmt.Errorf("parsing key %d votes: %v", i+1, err)
+			}
+			k.Votes = uint(votes)
+		}
+		keys = append(keys, k)
 	}

 	status, err := localClient.NetworkLockInit(ctx, keys)
@@ -84,78 +99,3 @@ func runNetworkLockStatus(ctx context.Context, args []string) error {
 	fmt.Printf("our public-key: %s\n", p)
 	return nil
 }
-
-var nlAddCmd = &ffcli.Command{
-	Name:       "add",
-	ShortUsage: "add <public-key>...",
-	ShortHelp:  "Adds one or more signing keys to the tailnet key authority",
-	Exec: func(ctx context.Context, args []string) error {
-		return runNetworkLockModify(ctx, args, nil)
-	},
-}
-
-var nlRemoveCmd = &ffcli.Command{
-	Name:       "remove",
-	ShortUsage: "remove <public-key>...",
-	ShortHelp:  "Removes one or more signing keys to the tailnet key authority",
-	Exec: func(ctx context.Context, args []string) error {
-		return runNetworkLockModify(ctx, nil, args)
-	},
-}
-
-// parseNLKeyArgs converts a slice of strings into a slice of tka.Key. The keys
-// should be specified using their key.NLPublic.MarshalText representation with
-// an optional '?<votes>' suffix. If any of the keys encounters an error, a nil
-// slice is returned along with an appropriate error.
-func parseNLKeyArgs(args []string) ([]tka.Key, error) {
-	var keys []tka.Key
-	for i, a := range args {
-		var nlpk key.NLPublic
-		spl := strings.SplitN(a, "?", 2)
-		if err := nlpk.UnmarshalText([]byte(spl[0])); err != nil {
-			return nil, fmt.Errorf("parsing key %d: %v", i+1, err)
-		}
-
-		k := tka.Key{
-			Kind:   tka.Key25519,
-			Public: nlpk.Verifier(),
-			Votes:  1,
-		}
-		if len(spl) > 1 {
-			votes, err := strconv.Atoi(spl[1])
-			if err != nil {
-				return nil, fmt.Errorf("parsing key %d votes: %v", i+1, err)
-			}
-			k.Votes = uint(votes)
-		}
-		keys = append(keys, k)
-	}
-	return keys, nil
-}
-
-func runNetworkLockModify(ctx context.Context, addArgs, removeArgs []string) error {
-	st, err := localClient.NetworkLockStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	if st.Enabled {
-		return errors.New("network-lock is already enabled")
-	}
-
-	addKeys, err := parseNLKeyArgs(addArgs)
-	if err != nil {
-		return err
-	}
-	removeKeys, err := parseNLKeyArgs(removeArgs)
-	if err != nil {
-		return err
-	}
-
-	status, err := localClient.NetworkLockModify(ctx, addKeys, removeKeys)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("Status: %+v\n\n", status)
-	return nil
-}
--- a/cmd/tailscale/cli/ssh_exec_windows.go
+++ b/cmd/tailscale/cli/ssh_exec_windows.go
@@ -13,7 +13,7 @@ import (

 func findSSH() (string, error) {
 	// use C:\Windows\System32\OpenSSH\ssh.exe since unexpected behavior
-	// occurred with ssh.exe provided by msys2/cygwin and other environments.
+	// occured with ssh.exe provided by msys2/cygwin and other environments.
 	if systemRoot := os.Getenv("SystemRoot"); systemRoot != "" {
 		exe := filepath.Join(systemRoot, "System32", "OpenSSH", "ssh.exe")
 		if st, err := os.Stat(exe); err == nil && !st.IsDir() {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -380,6 +380,7 @@ func updatePrefs(prefs, curPrefs *ipn.Prefs, env upCheckEnv) (simpleUp bool, jus
 	// Do this after validations to avoid the 5s delay if we're going to error
 	// out anyway.
 	wantSSH, haveSSH := env.upArgs.runSSH, curPrefs.RunSSH
+	fmt.Println("wantSSH", wantSSH, "haveSSH", haveSSH)
 	if wantSSH != haveSSH && isSSHOverTailscale() {
 		if wantSSH {
 			err = presentRiskToUser(riskLoseSSH, `You are connected over Tailscale; this action will reroute SSH traffic to Tailscale SSH and will result in your session disconnecting.`, env.upArgs.acceptedRisks)
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -100,7 +100,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
        tailscale.com/util/mak                                       from tailscale.com/net/netcheck
-        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
   L    tailscale.com/util/strs                                      from tailscale.com/hostinfo
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
@@ -135,8 +134,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
  LD    golang.org/x/sys/unix                                        from tailscale.com/net/netns+
   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -109,7 +109,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router+
+   L 💣 github.com/tailscale/netlink                                 from tailscale.com/wgengine/router
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
  LD    github.com/u-root/u-root/pkg/termios                         from tailscale.com/ssh/tailssh
   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
@@ -190,8 +190,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/derp                                           from tailscale.com/derp/derphttp+
        tailscale.com/derp/derphttp                                  from tailscale.com/net/netcheck+
        tailscale.com/disco                                          from tailscale.com/derp+
-        tailscale.com/doctor                                         from tailscale.com/ipn/ipnlocal
-        tailscale.com/doctor/routetable                              from tailscale.com/ipn/ipnlocal
        tailscale.com/envknob                                        from tailscale.com/control/controlclient+
        tailscale.com/health                                         from tailscale.com/control/controlclient+
        tailscale.com/hostinfo                                       from tailscale.com/control/controlclient+
@@ -232,7 +230,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/ping                                       from tailscale.com/net/netcheck
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/proxymux                                   from tailscale.com/cmd/tailscaled
-        tailscale.com/net/routetable                                 from tailscale.com/doctor/routetable
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
@@ -240,7 +237,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
        tailscale.com/net/tstun                                      from tailscale.com/net/dns+
-        tailscale.com/net/tunstats                                   from tailscale.com/net/tstun
        tailscale.com/paths                                          from tailscale.com/ipn/ipnlocal+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/client/tailscale+
@@ -276,7 +272,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/dns+
-        tailscale.com/util/goroutines                                from tailscale.com/control/controlclient+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
@@ -322,7 +317,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine
        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -344,7 +338,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W    golang.org/x/sys/windows/registry                            from golang.org/x/sys/windows/svc/eventlog+
   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
   W    golang.org/x/sys/windows/svc/eventlog                        from tailscale.com/cmd/tailscaled
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled+
+   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/cmd/tailscaled
        golang.org/x/term                                            from tailscale.com/logpolicy
        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -88,7 +88,7 @@ func defaultTunName() string {
 			// see https://github.com/tailscale/tailscale/issues/391
 			//
 			// But Gokrazy does have the tun module built-in, so users
-			// can still run --tun=tailscale0 if they wish, if they
+			// can stil run --tun=tailscale0 if they wish, if they
 			// arrange for iptables to be present or run in "tailscale
 			// up --netfilter-mode=off" mode, perhaps. Untested.
 			return "userspace-networking"
@@ -158,7 +158,7 @@ func main() {
 	flag.StringVar(&args.httpProxyAddr, "outbound-http-proxy-listen", "", `optional [ip]:port to run an outbound HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, defaultPort()), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an ephemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
+	flag.StringVar(&args.statepath, "state", "", "absolute path of state file; use 'kube:<secret-name>' to use Kubernetes secrets or 'arn:aws:ssm:...' to store in AWS SSM; use 'mem:' to not store state and register as an emphemeral node. If empty and --statedir is provided, the default is <statedir>/tailscaled.state. Default: "+paths.DefaultTailscaledStateFile())
 	flag.StringVar(&args.statedir, "statedir", "", "path to directory for storage of config state, TLS certs, temporary incoming Taildrop files, etc. If empty, it's derived from --state when possible.")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
 	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
@@ -375,7 +375,8 @@ func run() error {

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

-	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
+	dialer := new(tsdial.Dialer) // mutated below (before used)
+	dialer.Logf = logf
 	e, useNetstack, err := createEngine(logf, linkMon, dialer)
 	if err != nil {
 		return fmt.Errorf("createEngine: %w", err)
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -7,7 +7,7 @@ After=network-pre.target NetworkManager.service systemd-resolved.service
 [Service]
 EnvironmentFile=/etc/default/tailscaled
 ExecStartPre=/usr/sbin/tailscaled --cleanup
-ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port=${PORT} $FLAGS
+ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
 ExecStopPost=/usr/sbin/tailscaled --cleanup

 Restart=on-failure
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -23,7 +23,6 @@ package main // import "tailscale.com/cmd/tailscaled"
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"log"
 	"net/netip"
@@ -193,7 +192,7 @@ func beWindowsSubprocess() bool {
 	}
 	logid := os.Args[2]

-	// Remove the date/time prefix; the logtail + file loggers add it.
+	// Remove the date/time prefix; the logtail + file logggers add it.
 	log.SetFlags(0)

 	log.Printf("Program starting: v%v: %#v", version.Long, os.Args)
@@ -266,17 +265,11 @@ func startIPNServer(ctx context.Context, logid string) error {
 	if err != nil {
 		return fmt.Errorf("monitor: %w", err)
 	}
-	dialer := &tsdial.Dialer{Logf: logf}
+	dialer := new(tsdial.Dialer)

 	getEngineRaw := func() (wgengine.Engine, *netstack.Impl, error) {
 		dev, devName, err := tstun.New(logf, "Tailscale")
 		if err != nil {
-			if errors.Is(err, windows.ERROR_DEVICE_NOT_AVAILABLE) {
-				// Wintun is not installing correctly. Dump the state of NetSetupSvc
-				// (which is a user-mode service that must be active for network devices
-				// to install) and its dependencies to the log.
-				winutil.LogSvcState(logf, "NetSetupSvc")
-			}
 			return nil, nil, fmt.Errorf("TUN: %w", err)
 		}
 		r, err := router.New(logf, dev, nil)
--- a/cmd/tsconnect/build.go
+++ b/cmd/tsconnect/build.go
@@ -57,7 +57,7 @@ func runBuild() {

 // fixEsbuildMetadataPaths re-keys the esbuild metadata file to use paths
 // relative to the dist directory (it normally uses paths relative to the cwd,
-// which are awkward if we're running with a different cwd at serving time).
+// which are akward if we're running with a different cwd at serving time).
 func fixEsbuildMetadataPaths(metadataStr string) ([]byte, error) {
 	var metadata EsbuildMetadata
 	if err := json.Unmarshal([]byte(metadataStr), &metadata); err != nil {
--- a/cmd/tsconnect/package.json
+++ b/cmd/tsconnect/package.json
@@ -10,9 +10,9 @@
    "qrcode": "^1.5.0",
    "tailwindcss": "^3.1.6",
    "typescript": "^4.7.4",
-    "xterm": "^5.0.0",
-    "xterm-addon-fit": "^0.6.0",
-    "xterm-addon-web-links": "^0.7.0"
+    "xterm": "5.0.0-beta.58",
+    "xterm-addon-fit": "^0.5.0",
+    "xterm-addon-web-links": "0.7.0-beta.6"
  },
  "scripts": {
    "lint": "tsc --noEmit",
--- a/cmd/tsconnect/src/app/ssh.tsx
+++ b/cmd/tsconnect/src/app/ssh.tsx
@@ -46,7 +46,7 @@ function SSHSession({
  const ref = useRef<HTMLDivElement>(null)
  useEffect(() => {
    if (ref.current) {
-      runSSHSession(ref.current, def, ipn, onDone, (err) => console.error(err))
+      runSSHSession(ref.current, def, ipn, onDone)
    }
  }, [ref])

--- a/cmd/tsconnect/src/lib/ssh.ts
+++ b/cmd/tsconnect/src/lib/ssh.ts
@@ -5,8 +5,6 @@ import { WebLinksAddon } from "xterm-addon-web-links"
 export type SSHSessionDef = {
  username: string
  hostname: string
-  /** Defaults to 5 seconds */
-  timeoutSeconds?: number
 }

 export function runSSHSession(
@@ -14,7 +12,6 @@ export function runSSHSession(
  def: SSHSessionDef,
  ipn: IPN,
  onDone: () => void,
-  onError?: (err: string) => void,
  terminalOptions?: ITerminalOptions
 ) {
  const parentWindow = termContainerNode.ownerDocument.defaultView ?? window
@@ -42,14 +39,14 @@ export function runSSHSession(
  term.focus()

  let resizeObserver: ResizeObserver | undefined
-  let handleUnload: ((e: Event) => void) | undefined
+  let handleBeforeUnload: ((e: BeforeUnloadEvent) => void) | undefined

  const sshSession = ipn.ssh(def.hostname, def.username, {
    writeFn(input) {
      term.write(input)
    },
    writeErrorFn(err) {
-      onError?.(err)
+      console.error(err)
      term.write(err)
    },
    setReadFn(hook) {
@@ -60,12 +57,11 @@ export function runSSHSession(
    onDone() {
      resizeObserver?.disconnect()
      term.dispose()
-      if (handleUnload) {
-        parentWindow.removeEventListener("unload", handleUnload)
+      if (handleBeforeUnload) {
+        parentWindow.removeEventListener("beforeunload", handleBeforeUnload)
      }
      onDone()
    },
-    timeoutSeconds: def.timeoutSeconds,
  })

  // Make terminal and SSH session track the size of the containing DOM node.
@@ -75,6 +71,6 @@ export function runSSHSession(

  // Close the session if the user closes the window without an explicit
  // exit.
-  handleUnload = () => sshSession.close()
-  parentWindow.addEventListener("unload", handleUnload)
+  handleBeforeUnload = () => sshSession.close()
+  parentWindow.addEventListener("beforeunload", handleBeforeUnload)
 }
--- a/cmd/tsconnect/src/pkg/pkg.ts
+++ b/cmd/tsconnect/src/pkg/pkg.ts
@@ -15,12 +15,12 @@ import wasmURL from "./main.wasm"
 * needed for the package to function.
 */
 type IPNPackageConfig = IPNConfig & {
-  // Auth key used to initialize the Tailscale client (required)
+  // Auth key used to intitialize the Tailscale client (required)
  authKey: string
  // URL of the main.wasm file that is included in the page, if it is not
  // accessible via a relative URL.
  wasmURL?: string
-  // Function invoked if the Go process panics or unexpectedly exits.
+  // Funtion invoked if the Go process panics or unexpectedly exits.
  panicHandler: (err: string) => void
 }

--- a/cmd/tsconnect/src/types/wasm_js.d.ts
+++ b/cmd/tsconnect/src/types/wasm_js.d.ts
@@ -23,8 +23,6 @@ declare global {
        setReadFn: (readFn: (data: string) => void) => void
        rows: number
        cols: number
-        /** Defaults to 5 seconds */
-        timeoutSeconds?: number
        onDone: () => void
      }
    ): IPNSSHSession
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -96,7 +96,7 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf

-	dialer := &tsdial.Dialer{Logf: logf}
+	dialer := new(tsdial.Dialer)
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
 		Dialer: dialer,
 	})
@@ -360,10 +360,6 @@ func (s *jsSSHSession) Run() {
 	setReadFn := s.termConfig.Get("setReadFn")
 	rows := s.termConfig.Get("rows").Int()
 	cols := s.termConfig.Get("cols").Int()
-	timeoutSeconds := 5.0
-	if jsTimeoutSeconds := s.termConfig.Get("timeoutSeconds"); jsTimeoutSeconds.Type() == js.TypeNumber {
-		timeoutSeconds = jsTimeoutSeconds.Float()
-	}
 	onDone := s.termConfig.Get("onDone")
 	defer onDone.Invoke()

@@ -371,7 +367,7 @@ func (s *jsSSHSession) Run() {
 		writeErrorFn.Invoke(fmt.Sprintf("%s Error: %v\r\n", label, err))
 	}

-	ctx, cancel := context.WithTimeout(context.Background(), time.Duration(timeoutSeconds*float64(time.Second)))
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	c, err := s.jsIPN.dialer.UserDial(ctx, "tcp", net.JoinHostPort(s.host, "22"))
 	if err != nil {
--- a/cmd/tsconnect/yarn.lock
+++ b/cmd/tsconnect/yarn.lock
@@ -639,20 +639,20 @@ xtend@^4.0.2:
  resolved "https://registry.yarnpkg.com/xtend/-/xtend-4.0.2.tgz#bb72779f5fa465186b1f438f674fa347fdb5db54"
  integrity sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==

-xterm-addon-fit@^0.6.0:
-  version "0.6.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.6.0.tgz#142e1ce181da48763668332593fc440349c88c34"
-  integrity sha512-9/7A+1KEjkFam0yxTaHfuk9LEvvTSBi0PZmEkzJqgafXPEXL9pCMAVV7rB09sX6ATRDXAdBpQhZkhKj7CGvYeg==
+xterm-addon-fit@^0.5.0:
+  version "0.5.0"
+  resolved "https://registry.yarnpkg.com/xterm-addon-fit/-/xterm-addon-fit-0.5.0.tgz#2d51b983b786a97dcd6cde805e700c7f913bc596"
+  integrity sha512-DsS9fqhXHacEmsPxBJZvfj2la30Iz9xk+UKjhQgnYNkrUIN5CYLbw7WEfz117c7+S86S/tpHPfvNxJsF5/G8wQ==

-xterm-addon-web-links@^0.7.0:
-  version "0.7.0"
-  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0.tgz#dceac36170605f9db10a01d716bd83ee38f65c17"
-  integrity sha512-6PqoqzzPwaeSq22skzbvyboDvSnYk5teUYEoKBwMYvhbkwOQkemZccjWHT5FnNA8o1aInTc4PRYAl4jjPucCKA==
+xterm@5.0.0-beta.58:
+  version "5.0.0-beta.58"
+  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0-beta.58.tgz#e3e96ab9fd24d006ec16cc9351a060cc79e67e80"
+  integrity sha512-gjg39oKdgUKful27+7I1hvSK51lu/LRhdimFhfZyMvdk0iATH0FAfzv1eAvBKWY2UBgYUfxhicTkanYioANdMw==

-xterm@^5.0.0:
-  version "5.0.0"
-  resolved "https://registry.yarnpkg.com/xterm/-/xterm-5.0.0.tgz#0af50509b33d0dc62fde7a4ec17750b8e453cc5c"
-  integrity sha512-tmVsKzZovAYNDIaUinfz+VDclraQpPUnAME+JawosgWRMphInDded/PuY0xmU5dOhyeYZsI0nz5yd8dPYsdLTA==
+xterm-addon-web-links@0.7.0-beta.6:
+  version "0.7.0-beta.6"
+  resolved "https://registry.yarnpkg.com/xterm-addon-web-links/-/xterm-addon-web-links-0.7.0-beta.6.tgz#ec63b681b4f0f0135fa039f53664f65fe9d9f43a"
+  integrity sha512-nD/r/GchGTN4c9gAIVLWVoxExTzAUV7E9xZnwsvhuwI4CEE6yqO15ns8g2hdcUrsPyCbNEw05mIrkF6W5Yj8qA==

 y18n@^4.0.0:
  version "4.0.3"
--- a/cmd/viewer/viewer.go
+++ b/cmd/viewer/viewer.go
@@ -388,7 +388,7 @@ func main() {
 		log.Fatal(err)
 	}
 	if runCloner {
-		// When a new package is added or when existing generated files have
+		// When a new pacakge is added or when existing generated files have
 		// been deleted, we might run into a case where tailscale.com/cmd/cloner
 		// has not run yet. We detect this by verifying that all the structs we
 		// interacted with have had Clone method already generated. If they
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -114,11 +114,19 @@ func NewNoStart(opts Options) (*Auto, error) {
 	}
 	c.authCtx, c.authCancel = context.WithCancel(context.Background())
 	c.mapCtx, c.mapCancel = context.WithCancel(context.Background())
-	c.unregisterHealthWatch = health.RegisterWatcher(direct.ReportHealthChange)
+	c.unregisterHealthWatch = health.RegisterWatcher(c.onHealthChange)
 	return c, nil

 }

+func (c *Auto) onHealthChange(sys health.Subsystem, err error) {
+	if sys == health.SysOverall {
+		return
+	}
+	c.logf("controlclient: restarting map request for %q health change to new state: %v", sys, err)
+	c.cancelMapSafely()
+}
+
 // SetPaused controls whether HTTP activity should be paused.
 //
 // The client can be paused and unpaused repeatedly, unlike Start and Shutdown, which can only be used once.
--- a/control/controlclient/debug.go
+++ b/control/controlclient/debug.go
@@ -8,11 +8,12 @@ import (
 	"bytes"
 	"compress/gzip"
 	"context"
+	"fmt"
 	"log"
 	"net/http"
+	"runtime"
+	"strconv"
 	"time"
-
-	"tailscale.com/util/goroutines"
 )

 func dumpGoroutinesToURL(c *http.Client, targetURL string) {
@@ -21,7 +22,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {

 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(goroutines.ScrubbedGoroutineDump())
+	zw.Write(scrubbedGoroutineDump())
 	zw.Close()

 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
@@ -39,3 +40,83 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {
 		log.Printf("dumpGoroutinesToURL complete to %v (after %v)", targetURL, d)
 	}
 }
+
+// scrubbedGoroutineDump returns the list of all current goroutines, but with the actual
+// values of arguments scrubbed out, lest it contain some private key material.
+func scrubbedGoroutineDump() []byte {
+	var buf []byte
+	// Grab stacks multiple times into increasingly larger buffer sizes
+	// to minimize the risk that we blow past our iOS memory limit.
+	for size := 1 << 10; size <= 1<<20; size += 1 << 10 {
+		buf = make([]byte, size)
+		buf = buf[:runtime.Stack(buf, true)]
+		if len(buf) < size {
+			// It fit.
+			break
+		}
+	}
+	return scrubHex(buf)
+}
+
+func scrubHex(buf []byte) []byte {
+	saw := map[string][]byte{} // "0x123" => "v1%3" (unique value 1 and its value mod 8)
+
+	foreachHexAddress(buf, func(in []byte) {
+		if string(in) == "0x0" {
+			return
+		}
+		if v, ok := saw[string(in)]; ok {
+			for i := range in {
+				in[i] = '_'
+			}
+			copy(in, v)
+			return
+		}
+		inStr := string(in)
+		u64, err := strconv.ParseUint(string(in[2:]), 16, 64)
+		for i := range in {
+			in[i] = '_'
+		}
+		if err != nil {
+			in[0] = '?'
+			return
+		}
+		v := []byte(fmt.Sprintf("v%d%%%d", len(saw)+1, u64%8))
+		saw[inStr] = v
+		copy(in, v)
+	})
+	return buf
+}
+
+var ohx = []byte("0x")
+
+// foreachHexAddress calls f with each subslice of b that matches
+// regexp `0x[0-9a-f]*`.
+func foreachHexAddress(b []byte, f func([]byte)) {
+	for len(b) > 0 {
+		i := bytes.Index(b, ohx)
+		if i == -1 {
+			return
+		}
+		b = b[i:]
+		hx := hexPrefix(b)
+		f(hx)
+		b = b[len(hx):]
+	}
+}
+
+func hexPrefix(b []byte) []byte {
+	for i, c := range b {
+		if i < 2 {
+			continue
+		}
+		if !isHexByte(c) {
+			return b[:i]
+		}
+	}
+	return b
+}
+
+func isHexByte(b byte) bool {
+	return '0' <= b && b <= '9' || 'a' <= b && b <= 'f' || 'A' <= b && b <= 'F'
+}
--- a/control/controlclient/debug_test.go
+++ b/control/controlclient/debug_test.go
@@ -2,12 +2,12 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package goroutines
+package controlclient

 import "testing"

 func TestScrubbedGoroutineDump(t *testing.T) {
-	t.Logf("Got:\n%s\n", ScrubbedGoroutineDump())
+	t.Logf("Got:\n%s\n", scrubbedGoroutineDump())
 }

 func TestScrubHex(t *testing.T) {
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -76,8 +76,6 @@ type Direct struct {
 	popBrowser             func(url string) // or nil
 	c2nHandler             http.Handler     // or nil

-	dialPlan ControlDialPlanner // can be nil
-
 	mu             sync.Mutex        // mutex guards the following fields
 	serverKey      key.MachinePublic // original ("legacy") nacl crypto_box-based public key
 	serverNoiseKey key.MachinePublic
@@ -108,7 +106,6 @@ type Options struct {
 	KeepAlive            bool
 	Logf                 logger.Logf
 	HTTPTestClient       *http.Client     // optional HTTP client to use (for tests only)
-	NoiseTestClient      *http.Client     // optional HTTP client to use for noise RPCs (tests only)
 	DebugFlags           []string         // debug settings to send to control
 	LinkMonitor          *monitor.Mon     // optional link monitor
 	PopBrowserURL        func(url string) // optional func to open browser
@@ -135,34 +132,6 @@ type Options struct {
 	// MapResponse.PingRequest queries from the control plane.
 	// If nil, PingRequest queries are not answered.
 	Pinger Pinger
-
-	// DialPlan contains and stores a previous dial plan that we received
-	// from the control server; if nil, we fall back to using DNS.
-	//
-	// If we receive a new DialPlan from the server, this value will be
-	// updated.
-	DialPlan ControlDialPlanner
-}
-
-// ControlDialPlanner is the interface optionally supplied when creating a
-// control client to control exactly how TCP connections to the control plane
-// are dialed.
-//
-// It is usually implemented by an atomic.Pointer.
-type ControlDialPlanner interface {
-	// Load returns the current plan for how to connect to control.
-	//
-	// The returned plan can be nil. If so, connections should be made by
-	// resolving the control URL using DNS.
-	Load() *tailcfg.ControlDialPlan
-
-	// Store updates the dial plan with new directions from the control
-	// server.
-	//
-	// The dial plan can span multiple connections to the control server.
-	// That is, a dial plan received when connected over Wi-Fi is still
-	// valid for a subsequent connection over LTE after a network switch.
-	Store(*tailcfg.ControlDialPlan)
 }

 // Pinger is the LocalBackend.Ping method.
@@ -246,7 +215,6 @@ func NewDirect(opts Options) (*Direct, error) {
 		popBrowser:             opts.PopBrowserURL,
 		c2nHandler:             opts.C2NHandler,
 		dialer:                 opts.Dialer,
-		dialPlan:               opts.DialPlan,
 	}
 	if opts.Hostinfo == nil {
 		c.SetHostinfo(hostinfo.New())
@@ -258,12 +226,6 @@ func NewDirect(opts Options) (*Direct, error) {
 			c.SetNetInfo(ni)
 		}
 	}
-	if opts.NoiseTestClient != nil {
-		c.noiseClient = &noiseClient{
-			Client: opts.NoiseTestClient,
-		}
-		c.serverNoiseKey = key.NewMachine().Public() // prevent early error before hitting test client
-	}
 	return c, nil
 }

@@ -776,7 +738,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		// with useful results. The first POST just gets us the DERP map which we
 		// need to do the STUN queries to discover our endpoints.
 		// TODO(bradfitz): we skip this optimization in tests, though,
-		// because the e2e tests are currently hyper-specific about the
+		// because the e2e tests are currently hyperspecific about the
 		// ordering of things. The e2e tests need love.
 		ReadOnly: readOnly || (len(epStrs) == 0 && !everEndpoints && !inTest()),
 	}
@@ -946,14 +908,6 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool
 		} else {
 			vlogf("netmap: got new map")
 		}
-		if resp.ControlDialPlan != nil {
-			if c.dialPlan != nil {
-				c.logf("netmap: got new dial plan from control")
-				c.dialPlan.Store(resp.ControlDialPlan)
-			} else {
-				c.logf("netmap: [unexpected] new dial plan; nowhere to store it")
-			}
-		}

 		select {
 		case timeoutReset <- struct{}{}:
@@ -1404,17 +1358,12 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 	if nc != nil {
 		return nc, nil
 	}
-	var dp func() *tailcfg.ControlDialPlan
-	if c.dialPlan != nil {
-		dp = c.dialPlan.Load
-	}
 	nc, err, _ := c.sfGroup.Do(struct{}{}, func() (*noiseClient, error) {
 		k, err := c.getMachinePrivKey()
 		if err != nil {
 			return nil, err
 		}
-		c.logf("creating new noise client")
-		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer, dp)
+		nc, err := newNoiseClient(k, serverNoiseKey, c.serverURL, c.dialer)
 		if err != nil {
 			return nil, err
 		}
@@ -1434,11 +1383,15 @@ func (c *Direct) getNoiseClient() (*noiseClient, error) {
 func (c *Direct) setDNSNoise(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 	newReq := *req
 	newReq.Version = tailcfg.CurrentCapabilityVersion
-	nc, err := c.getNoiseClient()
+	np, err := c.getNoiseClient()
 	if err != nil {
 		return err
 	}
-	res, err := nc.post(ctx, "/machine/set-dns", &newReq)
+	bodyData, err := json.Marshal(newReq)
+	if err != nil {
+		return err
+	}
+	res, err := np.Post(fmt.Sprintf("https://%v/%v", np.host, "machine/set-dns"), "application/json", bytes.NewReader(bodyData))
 	if err != nil {
 		return err
 	}
@@ -1586,38 +1539,6 @@ func postPingResult(start time.Time, logf logger.Logf, c *http.Client, pr *tailc
 	return nil
 }

-// ReportHealthChange reports to the control plane a change to this node's
-// health.
-func (c *Direct) ReportHealthChange(sys health.Subsystem, sysErr error) {
-	if sys == health.SysOverall {
-		// We don't report these. These include things like the network is down
-		// (in which case we can't report anyway) or the user wanted things
-		// stopped, as opposed to the more unexpected failure types in the other
-		// subsystems.
-		return
-	}
-	np, err := c.getNoiseClient()
-	if err != nil {
-		// Don't report errors to control if the server doesn't support noise.
-		return
-	}
-	req := &tailcfg.HealthChangeRequest{
-		Subsys: string(sys),
-	}
-	if sysErr != nil {
-		req.Error = sysErr.Error()
-	}
-
-	// Best effort, no logging:
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	res, err := np.post(ctx, "/machine/update-health", req)
-	if err != nil {
-		return
-	}
-	res.Body.Close()
-}
-
 var (
 	metricMapRequestsActive = clientmetric.NewGauge("controlclient_map_requests_active")

--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -35,7 +35,7 @@ type mapSession struct {
 	machinePubKey          key.MachinePublic
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit

-	// Fields storing state over the course of multiple MapResponses.
+	// Fields storing state over the the coards of multiple MapResponses.
 	lastNode               *tailcfg.Node
 	lastDNSConfig          *tailcfg.DNSConfig
 	lastDERPMap            *tailcfg.DERPMap
@@ -45,11 +45,9 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
-	lastDomainAuditLogID   string
 	lastHealth             []string
 	lastPopBrowserURL      string
 	stickyDebug            tailcfg.Debug // accumulated opt.Bool values
-	lastTKAInfo            *tailcfg.TKAInfo

 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -114,15 +112,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
-	if resp.DomainDataPlaneAuditLogID != "" {
-		ms.lastDomainAuditLogID = resp.DomainDataPlaneAuditLogID
-	}
 	if resp.Health != nil {
 		ms.lastHealth = resp.Health
 	}
-	if resp.TKAInfo != nil {
-		ms.lastTKAInfo = resp.TKAInfo
-	}

 	debug := resp.Debug
 	if debug != nil {
@@ -147,31 +139,22 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	}

 	nm := &netmap.NetworkMap{
-		NodeKey:          ms.privateNodeKey.Public(),
-		PrivateKey:       ms.privateNodeKey,
-		MachineKey:       ms.machinePubKey,
-		Peers:            resp.Peers,
-		UserProfiles:     make(map[tailcfg.UserID]tailcfg.UserProfile),
-		Domain:           ms.lastDomain,
-		DomainAuditLogID: ms.lastDomainAuditLogID,
-		DNS:              *ms.lastDNSConfig,
-		PacketFilter:     ms.lastParsedPacketFilter,
-		SSHPolicy:        ms.lastSSHPolicy,
-		CollectServices:  ms.collectServices,
-		DERPMap:          ms.lastDERPMap,
-		Debug:            debug,
-		ControlHealth:    ms.lastHealth,
-		TKAEnabled:       ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
+		NodeKey:         ms.privateNodeKey.Public(),
+		PrivateKey:      ms.privateNodeKey,
+		MachineKey:      ms.machinePubKey,
+		Peers:           resp.Peers,
+		UserProfiles:    make(map[tailcfg.UserID]tailcfg.UserProfile),
+		Domain:          ms.lastDomain,
+		DNS:             *ms.lastDNSConfig,
+		PacketFilter:    ms.lastParsedPacketFilter,
+		SSHPolicy:       ms.lastSSHPolicy,
+		CollectServices: ms.collectServices,
+		DERPMap:         ms.lastDERPMap,
+		Debug:           debug,
+		ControlHealth:   ms.lastHealth,
 	}
 	ms.netMapBuilding = nm

-	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
-		if err := nm.TKAHead.UnmarshalText([]byte(ms.lastTKAInfo.Head)); err != nil {
-			ms.logf("error unmarshalling TKAHead: %v", err)
-			nm.TKAEnabled = false
-		}
-	}
-
 	if resp.Node != nil {
 		ms.lastNode = resp.Node
 	}
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -466,7 +466,7 @@ func TestNetmapForResponse(t *testing.T) {
 	})
 }

-// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResponses
+// TestDeltaDebug tests that tailcfg.Debug values can be omitted in MapResposnes
 // entirely or have their opt.Bool values unspecified between MapResponses in a
 // session and that should mean no change. (as of capver 37). But two Debug
 // fields existed prior to capver 37 that weren't opt.Bool; we test that we both
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -5,10 +5,8 @@
 package controlclient

 import (
-	"bytes"
 	"context"
 	"crypto/tls"
-	"encoding/json"
 	"math"
 	"net"
 	"net/http"
@@ -55,11 +53,6 @@ type noiseClient struct {
 	httpPort     string // the default port to call
 	httpsPort    string // the fallback Noise-over-https port

-	// dialPlan optionally returns a ControlDialPlan previously received
-	// from the control server; either the function or the return value can
-	// be nil.
-	dialPlan func() *tailcfg.ControlDialPlan
-
 	// mu only protects the following variables.
 	mu       sync.Mutex
 	nextID   int
@@ -68,9 +61,7 @@ type noiseClient struct {

 // newNoiseClient returns a new noiseClient for the provided server and machine key.
 // serverURL is of the form https://<host>:<port> (no trailing slash).
-//
-// dialPlan may be nil
-func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer, dialPlan func() *tailcfg.ControlDialPlan) (*noiseClient, error) {
+func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, serverURL string, dialer *tsdial.Dialer) (*noiseClient, error) {
 	u, err := url.Parse(serverURL)
 	if err != nil {
 		return nil, err
@@ -98,7 +89,6 @@ func newNoiseClient(priKey key.MachinePrivate, serverPubKey key.MachinePublic, s
 		httpPort:     httpPort,
 		httpsPort:    httpsPort,
 		dialer:       dialer,
-		dialPlan:     dialPlan,
 	}

 	// Create the HTTP/2 Transport using a net/http.Transport
@@ -165,51 +155,16 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	nc.nextID++
 	nc.mu.Unlock()

+	// Timeout is a little arbitrary, but plenty long enough for even the
+	// highest latency links.
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
 	if tailcfg.CurrentCapabilityVersion > math.MaxUint16 {
 		// Panic, because a test should have started failing several
 		// thousand version numbers before getting to this point.
 		panic("capability version is too high to fit in the wire protocol")
 	}
-
-	var dialPlan *tailcfg.ControlDialPlan
-	if nc.dialPlan != nil {
-		dialPlan = nc.dialPlan()
-	}
-
-	// If we have a dial plan, then set our timeout as slightly longer than
-	// the maximum amount of time contained therein; we assume that
-	// explicit instructions on timeouts are more useful than a single
-	// hard-coded timeout.
-	//
-	// The default value of 5 is chosen so that, when there's no dial plan,
-	// we retain the previous behaviour of 10 seconds end-to-end timeout.
-	timeoutSec := 5.0
-	if dialPlan != nil {
-		for _, c := range dialPlan.Candidates {
-			if v := c.DialStartDelaySec + c.DialTimeoutSec; v > timeoutSec {
-				timeoutSec = v
-			}
-		}
-	}
-
-	// After we establish a connection, we need some time to actually
-	// upgrade it into a Noise connection. With a ballpark worst-case RTT
-	// of 1000ms, give ourselves an extra 5 seconds to complete the
-	// handshake.
-	timeoutSec += 5
-
-	// Be extremely defensive and ensure that the timeout is in the range
-	// [5, 60] seconds (e.g. if we accidentally get a negative number).
-	if timeoutSec > 60 {
-		timeoutSec = 60
-	} else if timeoutSec < 5 {
-		timeoutSec = 5
-	}
-
-	timeout := time.Duration(timeoutSec * float64(time.Second))
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
 	conn, err := (&controlhttp.Dialer{
 		Hostname:        nc.host,
 		HTTPPort:        nc.httpPort,
@@ -218,7 +173,6 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 		ControlKey:      nc.serverPubKey,
 		ProtocolVersion: uint16(tailcfg.CurrentCapabilityVersion),
 		Dialer:          nc.dialer.SystemDial,
-		DialPlan:        dialPlan,
 	}).Dial(ctx)
 	if err != nil {
 		return nil, err
@@ -230,16 +184,3 @@ func (nc *noiseClient) dial(_, _ string, _ *tls.Config) (net.Conn, error) {
 	mak.Set(&nc.connPool, ncc.id, ncc)
 	return ncc, nil
 }
-
-func (nc *noiseClient) post(ctx context.Context, path string, body any) (*http.Response, error) {
-	jbody, err := json.Marshal(body)
-	if err != nil {
-		return nil, err
-	}
-	req, err := http.NewRequestWithContext(ctx, "POST", "https://"+nc.host+path, bytes.NewReader(jbody))
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Content-Type", "application/json")
-	return nc.Do(req)
-}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -28,25 +28,18 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math"
 	"net"
 	"net/http"
 	"net/http/httptrace"
-	"net/netip"
 	"net/url"
-	"sort"
-	"sync/atomic"
 	"time"

 	"tailscale.com/control/controlbase"
-	"tailscale.com/envknob"
 	"tailscale.com/net/dnscache"
 	"tailscale.com/net/dnsfallback"
 	"tailscale.com/net/netutil"
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/multierr"
 )

 var stdDialer net.Dialer
@@ -89,170 +82,7 @@ func (a *Dialer) httpsFallbackDelay() time.Duration {
 	return 500 * time.Millisecond
 }

-var _ = envknob.RegisterBool("TS_USE_CONTROL_DIAL_PLAN") // to record at init time whether it's in use
-
 func (a *Dialer) dial(ctx context.Context) (*controlbase.Conn, error) {
-	// If we don't have a dial plan, just fall back to dialing the single
-	// host we know about.
-	useDialPlan := envknob.BoolDefaultTrue("TS_USE_CONTROL_DIAL_PLAN")
-	if !useDialPlan || a.DialPlan == nil || len(a.DialPlan.Candidates) == 0 {
-		return a.dialHost(ctx, netip.Addr{})
-	}
-	candidates := a.DialPlan.Candidates
-
-	// Otherwise, we try dialing per the plan. Store the highest priority
-	// in the list, so that if we get a connection to one of those
-	// candidates we can return quickly.
-	var highestPriority int = math.MinInt
-	for _, c := range candidates {
-		if c.Priority > highestPriority {
-			highestPriority = c.Priority
-		}
-	}
-
-	// This context allows us to cancel in-flight connections if we get a
-	// highest-priority connection before we're all done.
-	ctx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	// Now, for each candidate, kick off a dial in parallel.
-	type dialResult struct {
-		conn     *controlbase.Conn
-		err      error
-		addr     netip.Addr
-		priority int
-	}
-	resultsCh := make(chan dialResult, len(candidates))
-
-	var pending atomic.Int32
-	pending.Store(int32(len(candidates)))
-	for _, c := range candidates {
-		go func(ctx context.Context, c tailcfg.ControlIPCandidate) {
-			var (
-				conn *controlbase.Conn
-				err  error
-			)
-
-			// Always send results back to our channel.
-			defer func() {
-				resultsCh <- dialResult{conn, err, c.IP, c.Priority}
-				if pending.Add(-1) == 0 {
-					close(resultsCh)
-				}
-			}()
-
-			// If non-zero, wait the configured start timeout
-			// before we do anything.
-			if c.DialStartDelaySec > 0 {
-				a.logf("[v2] controlhttp: waiting %.2f seconds before dialing %q @ %v", c.DialStartDelaySec, a.Hostname, c.IP)
-				tmr := time.NewTimer(time.Duration(c.DialStartDelaySec * float64(time.Second)))
-				defer tmr.Stop()
-				select {
-				case <-ctx.Done():
-					err = ctx.Err()
-					return
-				case <-tmr.C:
-				}
-			}
-
-			// Now, create a sub-context with the given timeout and
-			// try dialing the provided host.
-			ctx, cancel := context.WithTimeout(ctx, time.Duration(c.DialTimeoutSec*float64(time.Second)))
-			defer cancel()
-
-			// This will dial, and the defer above sends it back to our parent.
-			a.logf("[v2] controlhttp: trying to dial %q @ %v", a.Hostname, c.IP)
-			conn, err = a.dialHost(ctx, c.IP)
-		}(ctx, c)
-	}
-
-	var results []dialResult
-	for res := range resultsCh {
-		// If we get a response that has the highest priority, we don't
-		// need to wait for any of the other connections to finish; we
-		// can just return this connection.
-		//
-		// TODO(andrew): we could make this better by keeping track of
-		// the highest remaining priority dynamically, instead of just
-		// checking for the highest total
-		if res.priority == highestPriority && res.conn != nil {
-			a.logf("[v1] controlhttp: high-priority success dialing %q @ %v from dial plan", a.Hostname, res.addr)
-
-			// Drain the channel and any existing connections in
-			// the background.
-			go func() {
-				for _, res := range results {
-					if res.conn != nil {
-						res.conn.Close()
-					}
-				}
-				for res := range resultsCh {
-					if res.conn != nil {
-						res.conn.Close()
-					}
-				}
-				if a.drainFinished != nil {
-					close(a.drainFinished)
-				}
-			}()
-			return res.conn, nil
-		}
-
-		// This isn't a highest-priority result, so just store it until
-		// we're done.
-		results = append(results, res)
-	}
-
-	// After we finish this function, close any remaining open connections.
-	defer func() {
-		for _, result := range results {
-			// Note: below, we nil out the returned connection (if
-			// any) in the slice so we don't close it.
-			if result.conn != nil {
-				result.conn.Close()
-			}
-		}
-
-		// We don't drain asynchronously after this point, so notify our
-		// channel when we return.
-		if a.drainFinished != nil {
-			close(a.drainFinished)
-		}
-	}()
-
-	// Sort by priority, then take the first non-error response.
-	sort.Slice(results, func(i, j int) bool {
-		// NOTE: intentionally inverted so that the highest priority
-		// item comes first
-		return results[i].priority > results[j].priority
-	})
-
-	var (
-		conn *controlbase.Conn
-		errs []error
-	)
-	for i, result := range results {
-		if result.err != nil {
-			errs = append(errs, result.err)
-			continue
-		}
-
-		a.logf("[v1] controlhttp: succeeded dialing %q @ %v from dial plan", a.Hostname, result.addr)
-		conn = result.conn
-		results[i].conn = nil // so we don't close it in the defer
-		return conn, nil
-	}
-	merr := multierr.New(errs...)
-
-	// If we get here, then we didn't get anywhere with our dial plan; fall back to just using DNS.
-	a.logf("controlhttp: failed dialing using DialPlan, falling back to DNS; errs=%s", merr.Error())
-	return a.dialHost(ctx, netip.Addr{})
-}
-
-// dialHost connects to the configured Dialer.Hostname and upgrades the
-// connection into a controlbase.Conn. If addr is valid, then no DNS is used
-// and the connection will be made to the provided address.
-func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Conn, error) {
 	// Create one shared context used by both port 80 and port 443 dials.
 	// If port 80 is still in flight when 443 returns, this deferred cancel
 	// will stop the port 80 dial.
@@ -280,7 +110,7 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 	}
 	ch := make(chan tryURLRes) // must be unbuffered
 	try := func(u *url.URL) {
-		cbConn, err := a.dialURL(ctx, u, addr)
+		cbConn, err := a.dialURL(ctx, u)
 		select {
 		case ch <- tryURLRes{u, cbConn, err}:
 		case <-ctx.Done():
@@ -331,12 +161,12 @@ func (a *Dialer) dialHost(ctx context.Context, addr netip.Addr) (*controlbase.Co
 }

 // dialURL attempts to connect to the given URL.
-func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*controlbase.Conn, error) {
+func (a *Dialer) dialURL(ctx context.Context, u *url.URL) (*controlbase.Conn, error) {
 	init, cont, err := controlbase.ClientDeferred(a.MachineKey, a.ControlKey, a.ProtocolVersion)
 	if err != nil {
 		return nil, err
 	}
-	netConn, err := a.tryURLUpgrade(ctx, u, addr, init)
+	netConn, err := a.tryURLUpgrade(ctx, u, init)
 	if err != nil {
 		return nil, err
 	}
@@ -348,27 +178,14 @@ func (a *Dialer) dialURL(ctx context.Context, u *url.URL, addr netip.Addr) (*con
 	return cbConn, nil
 }

-// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn. If addr
-// is valid, then no DNS is used and the connection will be made to the
-// provided address.
+// tryURLUpgrade connects to u, and tries to upgrade it to a net.Conn.
 //
 // Only the provided ctx is used, not a.ctx.
-func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, addr netip.Addr, init []byte) (net.Conn, error) {
-	var dns *dnscache.Resolver
-
-	// If we were provided an address to dial, then create a resolver that just
-	// returns that value; otherwise, fall back to DNS.
-	if addr.IsValid() {
-		dns = &dnscache.Resolver{
-			SingleHostStaticResult: []netip.Addr{addr},
-			SingleHost:             u.Hostname(),
-		}
-	} else {
-		dns = &dnscache.Resolver{
-			Forward:          dnscache.Get().Forward,
-			LookupIPFallback: dnsfallback.Lookup,
-			UseLastGood:      true,
-		}
+func (a *Dialer) tryURLUpgrade(ctx context.Context, u *url.URL, init []byte) (net.Conn, error) {
+	dns := &dnscache.Resolver{
+		Forward:          dnscache.Get().Forward,
+		LookupIPFallback: dnsfallback.Lookup,
+		UseLastGood:      true,
 	}

 	var dialer dnscache.DialContextFunc
--- a/control/controlhttp/client_js.go
+++ b/control/controlhttp/client_js.go
@@ -29,11 +29,9 @@ func (d *Dialer) Dial(ctx context.Context) (*controlbase.Conn, error) {

 	wsScheme := "wss"
 	host := d.Hostname
-	// If using a custom control server (on a non-standard port), prefer that.
-	// This mirrors the port selection in newNoiseClient from noise.go.
-	if d.HTTPPort != "" && d.HTTPPort != "80" && d.HTTPSPort == "443" {
+	if host == "localhost" {
 		wsScheme = "ws"
-		host = net.JoinHostPort(host, d.HTTPPort)
+		host = net.JoinHostPort(host, strDef(d.HTTPPort, "80"))
 	}
 	wsURL := &url.URL{
 		Scheme: wsScheme,
--- a/control/controlhttp/constants.go
+++ b/control/controlhttp/constants.go
@@ -10,7 +10,6 @@ import (
 	"time"

 	"tailscale.com/net/dnscache"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -71,15 +70,9 @@ type Dialer struct {
 	// dropped.
 	Logf logger.Logf

-	// DialPlan, if set, contains instructions from the control server on
-	// how to connect to it. If present, we will try the methods in this
-	// plan before falling back to DNS.
-	DialPlan *tailcfg.ControlDialPlan
-
 	proxyFunc func(*http.Request) (*url.URL, error) // or nil

 	// For tests only
-	drainFinished     chan struct{}
 	insecureTLS       bool
 	testFallbackDelay time.Duration
 }
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -13,21 +13,16 @@ import (
 	"net"
 	"net/http"
 	"net/http/httputil"
-	"net/netip"
 	"net/url"
-	"runtime"
 	"strconv"
 	"sync"
 	"testing"
 	"time"

 	"tailscale.com/control/controlbase"
-	"tailscale.com/net/dnscache"
 	"tailscale.com/net/socks5"
 	"tailscale.com/net/tsdial"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
-	"tailscale.com/types/logger"
 )

 type httpTestParam struct {
@@ -449,263 +444,3 @@ func brokenMITMHandler(w http.ResponseWriter, r *http.Request) {
 	w.(http.Flusher).Flush()
 	<-r.Context().Done()
 }
-
-func TestDialPlan(t *testing.T) {
-	if runtime.GOOS != "linux" {
-		t.Skip("only works on Linux due to multiple localhost addresses")
-	}
-
-	client, server := key.NewMachine(), key.NewMachine()
-
-	const (
-		testProtocolVersion = 1
-
-		// We need consistent ports for each address; these are chosen
-		// randomly and we hope that they won't conflict during this test.
-		httpPort  = "40080"
-		httpsPort = "40443"
-	)
-
-	makeHandler := func(t *testing.T, name string, host netip.Addr, wrap func(http.Handler) http.Handler) {
-		done := make(chan struct{})
-		t.Cleanup(func() {
-			close(done)
-		})
-		var handler http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			conn, err := AcceptHTTP(context.Background(), w, r, server)
-			if err != nil {
-				log.Print(err)
-			} else {
-				defer conn.Close()
-			}
-			w.Header().Set("X-Handler-Name", name)
-			<-done
-		})
-		if wrap != nil {
-			handler = wrap(handler)
-		}
-
-		httpLn, err := net.Listen("tcp", host.String()+":"+httpPort)
-		if err != nil {
-			t.Fatalf("HTTP listen: %v", err)
-		}
-		httpsLn, err := net.Listen("tcp", host.String()+":"+httpsPort)
-		if err != nil {
-			t.Fatalf("HTTPS listen: %v", err)
-		}
-
-		httpServer := &http.Server{Handler: handler}
-		go httpServer.Serve(httpLn)
-		t.Cleanup(func() {
-			httpServer.Close()
-		})
-
-		httpsServer := &http.Server{
-			Handler:   handler,
-			TLSConfig: tlsConfig(t),
-			ErrorLog:  logger.StdLogger(logger.WithPrefix(t.Logf, "http.Server.ErrorLog: ")),
-		}
-		go httpsServer.ServeTLS(httpsLn, "", "")
-		t.Cleanup(func() {
-			httpsServer.Close()
-		})
-		return
-	}
-
-	fallbackAddr := netip.MustParseAddr("127.0.0.1")
-	goodAddr := netip.MustParseAddr("127.0.0.2")
-	otherAddr := netip.MustParseAddr("127.0.0.3")
-	other2Addr := netip.MustParseAddr("127.0.0.4")
-	brokenAddr := netip.MustParseAddr("127.0.0.10")
-
-	testCases := []struct {
-		name string
-		plan *tailcfg.ControlDialPlan
-		wrap func(http.Handler) http.Handler
-		want netip.Addr
-
-		allowFallback bool
-	}{
-		{
-			name: "single",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-			}},
-			want: goodAddr,
-		},
-		{
-			name: "broken-then-good",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Dials the broken one, which fails, and then
-				// eventually dials the good one and succeeds
-				{IP: brokenAddr, Priority: 2, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10, DialStartDelaySec: 1},
-			}},
-			want: goodAddr,
-		},
-		{
-			name: "multiple-priority-fast-path",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Dials some good IPs and our bad one (which
-				// hangs forever), which then hits the fast
-				// path where we bail without waiting.
-				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-				{IP: other2Addr, Priority: 1, DialTimeoutSec: 10},
-				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
-			}},
-			want: otherAddr,
-		},
-		{
-			name: "multiple-priority-slow-path",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				// Our broken address is the highest priority,
-				// so we don't hit our fast path.
-				{IP: brokenAddr, Priority: 10, DialTimeoutSec: 10},
-				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
-				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-			}},
-			want: otherAddr,
-		},
-		{
-			name: "fallback",
-			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 1},
-			}},
-			want:          fallbackAddr,
-			allowFallback: true,
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			makeHandler(t, "fallback", fallbackAddr, nil)
-			makeHandler(t, "good", goodAddr, nil)
-			makeHandler(t, "other", otherAddr, nil)
-			makeHandler(t, "other2", other2Addr, nil)
-			makeHandler(t, "broken", brokenAddr, func(h http.Handler) http.Handler {
-				return http.HandlerFunc(brokenMITMHandler)
-			})
-
-			dialer := closeTrackDialer{
-				t:     t,
-				inner: new(tsdial.Dialer).SystemDial,
-				conns: make(map[*closeTrackConn]bool),
-			}
-			defer dialer.Done()
-
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-
-			// By default, we intentionally point to something that
-			// we know won't connect, since we want a fallback to
-			// DNS to be an error.
-			host := "example.com"
-			if tt.allowFallback {
-				host = "localhost"
-			}
-
-			drained := make(chan struct{})
-			a := &Dialer{
-				Hostname:          host,
-				HTTPPort:          httpPort,
-				HTTPSPort:         httpsPort,
-				MachineKey:        client,
-				ControlKey:        server.Public(),
-				ProtocolVersion:   testProtocolVersion,
-				Dialer:            dialer.Dial,
-				Logf:              t.Logf,
-				DialPlan:          tt.plan,
-				proxyFunc:         func(*http.Request) (*url.URL, error) { return nil, nil },
-				drainFinished:     drained,
-				insecureTLS:       true,
-				testFallbackDelay: 50 * time.Millisecond,
-			}
-
-			conn, err := a.dial(ctx)
-			if err != nil {
-				t.Fatalf("dialing controlhttp: %v", err)
-			}
-			defer conn.Close()
-
-			raddr := conn.RemoteAddr().(*net.TCPAddr)
-
-			got, ok := netip.AddrFromSlice(raddr.IP)
-			if !ok {
-				t.Errorf("invalid remote IP: %v", raddr.IP)
-			} else if got != tt.want {
-				t.Errorf("got connection from %q; want %q", got, tt.want)
-			} else {
-				t.Logf("successfully connected to %q", raddr.String())
-			}
-
-			// Wait until our dialer drains so we can verify that
-			// all connections are closed.
-			<-drained
-		})
-	}
-}
-
-type closeTrackDialer struct {
-	t     testing.TB
-	inner dnscache.DialContextFunc
-	mu    sync.Mutex
-	conns map[*closeTrackConn]bool
-}
-
-func (d *closeTrackDialer) Dial(ctx context.Context, network, addr string) (net.Conn, error) {
-	c, err := d.inner(ctx, network, addr)
-	if err != nil {
-		return nil, err
-	}
-	ct := &closeTrackConn{Conn: c, d: d}
-
-	d.mu.Lock()
-	d.conns[ct] = true
-	d.mu.Unlock()
-	return ct, nil
-}
-
-func (d *closeTrackDialer) Done() {
-	// Unfortunately, tsdial.Dialer.SystemDial closes connections
-	// asynchronously in a goroutine, so we can't assume that everything is
-	// closed by the time we get here.
-	//
-	// Sleep/wait a few times on the assumption that things will close
-	// "eventually".
-	const iters = 100
-	for i := 0; i < iters; i++ {
-		d.mu.Lock()
-		if len(d.conns) == 0 {
-			d.mu.Unlock()
-			return
-		}
-
-		// Only error on last iteration
-		if i != iters-1 {
-			d.mu.Unlock()
-			time.Sleep(100 * time.Millisecond)
-			continue
-		}
-
-		for conn := range d.conns {
-			d.t.Errorf("expected close of conn %p; RemoteAddr=%q", conn, conn.RemoteAddr().String())
-		}
-		d.mu.Unlock()
-	}
-}
-
-func (d *closeTrackDialer) noteClose(c *closeTrackConn) {
-	d.mu.Lock()
-	delete(d.conns, c) // safe if already deleted
-	d.mu.Unlock()
-}
-
-type closeTrackConn struct {
-	net.Conn
-	d *closeTrackDialer
-}
-
-func (c *closeTrackConn) Close() error {
-	c.d.noteClose(c)
-	return c.Conn.Close()
-}
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -232,7 +232,7 @@ func TestSendFreeze(t *testing.T) {
 	//	alice --> bob
 	//	alice --> cathy
 	//
-	// Then cathy stops processing messages.
+	// Then cathy stops processing messsages.
 	// That should not interfere with alice talking to bob.

 	newClient := func(ctx context.Context, name string, k key.NodePrivate) (c *Client, clientConn nettest.Conn) {
@@ -772,7 +772,7 @@ func TestForwarderRegistration(t *testing.T) {
 	})

 	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
-	// that they're also connected to a peer of ours. That shouldn't transition the forwarder
+	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
 	// from nil to the new one, not a multiForwarder.
 	s.clients[u1] = singleClient{u1c}
 	s.clientsMesh[u1] = nil
--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -199,7 +199,7 @@ func (c *Client) urlString(node *tailcfg.DERPNode) string {
 	return fmt.Sprintf("https://%s/derp", node.HostName)
 }

-// AddressFamilySelector decides whether IPv6 is preferred for
+// AddressFamilySelector decides whethers IPv6 is preferred for
 // outbound dials.
 type AddressFamilySelector interface {
 	// PreferIPv6 reports whether IPv4 dials should be slightly
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -15,9 +15,9 @@
 // The recipient then decrypts the bytes following (the nacl secretbox)
 // and then the inner payload structure is:
 //
-//	messageType     byte  (the MessageType constants below)
-//	messageVersion  byte  (0 for now; but always ignore bytes at the end)
-//	message-payload [...]byte
+//	messageType    byte  (the MessageType constants below)
+//	messageVersion byte  (0 for now; but always ignore bytes at the end)
+//	message-paylod [...]byte
 package disco

 import (
--- a/docs/k8s/proxy.yaml
+++ b/docs/k8s/proxy.yaml
@@ -9,7 +9,7 @@ spec:
  serviceAccountName: "{{SA_NAME}}"
  initContainers:
    # In order to run as a proxy we need to enable IP Forwarding inside
-    # the container. The `net.ipv4.ip_forward` sysctl is not allowlisted
+    # the container. The `net.ipv4.ip_forward` sysctl is not whitelisted
    # in Kubelet by default.
  - name: sysctler
    image: busybox
@@ -18,7 +18,7 @@ spec:
    command: ["/bin/sh"]
    args:
      - -c
-      - sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1
+      - sysctl -w net.ipv4.ip_forward=1 -w net.ipv6.conf.all.forwarding=1
    resources:
      requests:
        cpu: 1m
@@ -37,7 +37,7 @@ spec:
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
          optional: true
    - name: TS_DEST_IP
      value: "{{TS_DEST_IP}}"
--- a/docs/k8s/run.sh
+++ b/docs/k8s/run.sh
@@ -17,11 +17,10 @@ TS_KUBE_SECRET="${TS_KUBE_SECRET:-tailscale}"
 TS_SOCKS5_SERVER="${TS_SOCKS5_SERVER:-}"
 TS_OUTBOUND_HTTP_PROXY_LISTEN="${TS_OUTBOUND_HTTP_PROXY_LISTEN:-}"
 TS_TAILSCALED_EXTRA_ARGS="${TS_TAILSCALED_EXTRA_ARGS:-}"
-TS_SOCKET="${TS_SOCKET:-/tmp/tailscaled.sock}"

 set -e

-TAILSCALED_ARGS="--socket=${TS_SOCKET}"
+TAILSCALED_ARGS="--socket=/tmp/tailscaled.sock"

 if [[ ! -z "${KUBERNETES_SERVICE_HOST}" ]]; then
  TAILSCALED_ARGS="${TAILSCALED_ARGS} --state=kube:${TS_KUBE_SECRET} --statedir=${TS_STATE_DIR:-/tmp}"
@@ -82,11 +81,11 @@ if [[ ! -z "${TS_EXTRA_ARGS}" ]]; then
 fi

 echo "Running tailscale up"
-tailscale --socket="${TS_SOCKET}" up ${UP_ARGS}
+tailscale --socket=/tmp/tailscaled.sock up ${UP_ARGS}

 if [[ ! -z "${TS_DEST_IP}" ]]; then
  echo "Adding iptables rule for DNAT"
-  iptables -t nat -I PREROUTING -d "$(tailscale --socket=${TS_SOCKET} ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
+  iptables -t nat -I PREROUTING -d "$(tailscale --socket=/tmp/tailscaled.sock ip -4)" -j DNAT --to-destination "${TS_DEST_IP}"
 fi

 echo "Waiting for tailscaled to exit"
--- a/docs/k8s/subnet.yaml
+++ b/docs/k8s/subnet.yaml
@@ -23,7 +23,7 @@ spec:
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
          optional: true
    - name: TS_ROUTES
      value: "{{TS_ROUTES}}"
--- a/docs/k8s/userspace-sidecar.yaml
+++ b/docs/k8s/userspace-sidecar.yaml
@@ -26,5 +26,5 @@ spec:
      valueFrom:
        secretKeyRef:
          name: tailscale-auth
-          key: TS_AUTH_KEY
+          key: AUTH_KEY
          optional: true
--- a/doctor/doctor.go
+++ b/doctor/doctor.go
@@ -1,80 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package doctor contains more in-depth healthchecks that can be run to aid in
-// diagnosing Tailscale issues.
-package doctor
-
-import (
-	"context"
-	"sync"
-
-	"tailscale.com/types/logger"
-)
-
-// Check is the interface defining a singular check.
-//
-// A check should log information that it gathers using the provided log
-// function, and should attempt to make as much progress as possible in error
-// conditions.
-type Check interface {
-	// Name should return a name describing this check, in lower-kebab-case
-	// (i.e. "my-check", not "MyCheck" or "my_check").
-	Name() string
-	// Run executes the check, logging diagnostic information to the
-	// provided logger function.
-	Run(context.Context, logger.Logf) error
-}
-
-// RunChecks runs a list of checks in parallel, and logs any returned errors
-// after all checks have returned.
-func RunChecks(ctx context.Context, log logger.Logf, checks ...Check) {
-	if len(checks) == 0 {
-		return
-	}
-
-	type namedErr struct {
-		name string
-		err  error
-	}
-	errs := make(chan namedErr, len(checks))
-
-	var wg sync.WaitGroup
-	wg.Add(len(checks))
-	for _, check := range checks {
-		go func(c Check) {
-			defer wg.Done()
-
-			plog := logger.WithPrefix(log, c.Name()+": ")
-			errs <- namedErr{
-				name: c.Name(),
-				err:  c.Run(ctx, plog),
-			}
-		}(check)
-	}
-
-	wg.Wait()
-	close(errs)
-
-	for n := range errs {
-		if n.err == nil {
-			continue
-		}
-
-		log("check %s: %v", n.name, n.err)
-	}
-}
-
-// CheckFunc creates a Check from a name and a function.
-func CheckFunc(name string, run func(context.Context, logger.Logf) error) Check {
-	return checkFunc{name, run}
-}
-
-type checkFunc struct {
-	name string
-	run  func(context.Context, logger.Logf) error
-}
-
-func (c checkFunc) Name() string                                   { return c.name }
-func (c checkFunc) Run(ctx context.Context, log logger.Logf) error { return c.run(ctx, log) }
--- a/doctor/doctor_test.go
+++ b/doctor/doctor_test.go
@@ -1,50 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package doctor
-
-import (
-	"context"
-	"fmt"
-	"sync"
-	"testing"
-
-	qt "github.com/frankban/quicktest"
-	"tailscale.com/types/logger"
-)
-
-func TestRunChecks(t *testing.T) {
-	c := qt.New(t)
-	var (
-		mu    sync.Mutex
-		lines []string
-	)
-	logf := func(format string, args ...any) {
-		mu.Lock()
-		defer mu.Unlock()
-		lines = append(lines, fmt.Sprintf(format, args...))
-	}
-
-	ctx := context.Background()
-	RunChecks(ctx, logf,
-		testCheck1{},
-		CheckFunc("testcheck2", func(_ context.Context, log logger.Logf) error {
-			log("check 2")
-			return nil
-		}),
-	)
-
-	mu.Lock()
-	defer mu.Unlock()
-	c.Assert(lines, qt.Contains, "testcheck1: check 1")
-	c.Assert(lines, qt.Contains, "testcheck2: check 2")
-}
-
-type testCheck1 struct{}
-
-func (t testCheck1) Name() string { return "testcheck1" }
-func (t testCheck1) Run(_ context.Context, log logger.Logf) error {
-	log("check 1")
-	return nil
-}
--- a/doctor/routetable/routetable.go
+++ b/doctor/routetable/routetable.go
@@ -1,35 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package routetable provides a doctor.Check that dumps the current system's
-// route table to the log.
-package routetable
-
-import (
-	"context"
-
-	"tailscale.com/net/routetable"
-	"tailscale.com/types/logger"
-)
-
-// MaxRoutes is the maximum number of routes that will be displayed.
-const MaxRoutes = 1000
-
-// Check implements the doctor.Check interface.
-type Check struct{}
-
-func (Check) Name() string {
-	return "routetable"
-}
-
-func (Check) Run(_ context.Context, logf logger.Logf) error {
-	rs, err := routetable.Get(MaxRoutes)
-	if err != nil {
-		return err
-	}
-	for _, r := range rs {
-		logf("%s", r)
-	}
-	return nil
-}
--- a/envknob/envknob.go
+++ b/envknob/envknob.go
@@ -277,11 +277,6 @@ func SSHPolicyFile() string { return String("TS_DEBUG_SSH_POLICY_FILE") }
 // SSHIgnoreTailnetPolicy is whether to ignore the Tailnet SSH policy for development.
 func SSHIgnoreTailnetPolicy() bool { return Bool("TS_DEBUG_SSH_IGNORE_TAILNET_POLICY") }

-
-// TKASkipSignatureCheck is whether to skip node-key signature checking for development.
-func TKASkipSignatureCheck() bool { return Bool("TS_UNSAFE_SKIP_NKS_VERIFICATION") }
-
-
 // NoLogsNoSupport reports whether the client's opted out of log uploads and
 // technical support.
 func NoLogsNoSupport() bool {
--- a/go.mod
+++ b/go.mod
@@ -44,7 +44,7 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986
+	github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
@@ -57,9 +57,9 @@ require (
 	go4.org/netipx v0.0.0-20220725152314-7e7bdc8411bf
 	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
 	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e
-	golang.org/x/net v0.0.0-20221002022538-bcab6841153b
+	golang.org/x/net v0.0.0-20220607020251-c690dde0001d
 	golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f
-	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10
+	golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11
 	golang.org/x/tools v0.1.11
@@ -210,6 +210,7 @@ require (
 	github.com/nishanths/exhaustive v0.7.11 // indirect
 	github.com/nishanths/predeclared v0.2.1 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
+	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
@@ -229,7 +230,7 @@ require (
 	github.com/ryancurrah/gomodguard v1.2.3 // indirect
 	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
 	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
-	github.com/sassoftware/go-rpmutils v0.1.0 // indirect
+	github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b // indirect
 	github.com/securego/gosec/v2 v2.9.3 // indirect
 	github.com/sergi/go-diff v1.2.0 // indirect
 	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
--- a/go.sum
+++ b/go.sum
@@ -876,6 +876,7 @@ github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
 github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 h1:lDH9UUVJtmYCjyT0CI4q8xvlXPxeZ0gYCVvWbmPlp88=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -989,9 +990,8 @@ github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYI
 github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/sanposhiho/wastedassign/v2 v2.0.7 h1:J+6nrY4VW+gC9xFzUc+XjPD3g3wF3je/NsJFwFK7Uxc=
 github.com/sanposhiho/wastedassign/v2 v2.0.7/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
+github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b h1:+gCnWOZV8Z/8jehJ2CdqB47Z3S+SREmQcuXkRFLNsiI=
 github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b/go.mod h1:am+Fp8Bt506lA3Rk3QCmSqmYmLMnPDhdDUcosQCAx+I=
-github.com/sassoftware/go-rpmutils v0.1.0 h1:VLrna+tV+77Tclr956QkY/pTyyKomQlq2Xw6PuE8tsc=
-github.com/sassoftware/go-rpmutils v0.1.0/go.mod h1:euhXULoBpvAxqrBHEyJS4Tsu3hHxUmQWNymxoJbzgUY=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
 github.com/securego/gosec/v2 v2.5.0/go.mod h1:L/CDXVntIff5ypVHIkqPXbtRpJiNCh6c6Amn68jXDjo=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
@@ -1082,8 +1082,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986 h1:jWSwTR9CY13oa2oxhR3FInk1ybqC1NbF9cFeoWrrx+E=
-github.com/tailscale/golang-x-crypto v0.0.0-20221009170451-62f465106986/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
+github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1 h1:vsFV6BKSIgjRd8m8UfrGW4r+cc28fRF71K6IRo46rKs=
+github.com/tailscale/golang-x-crypto v0.0.0-20220428210705-0b941c09a5e1/go.mod h1:95n9fbUCixVSI4QXLEvdKJjnYK2eUlkTx9+QwLPXFKU=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f h1:n4r/sJ92cBSBHK8n9lR1XLFr0OiTVeGfN5TR+9LaN7E=
@@ -1235,7 +1235,6 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
@@ -1355,8 +1354,8 @@ golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20221002022538-bcab6841153b h1:6e93nYa3hNqAvLr0pD4PN1fFS+gKzp2zAXqrnTCstqU=
-golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d h1:4SFsTMi4UahlKoloni7L4eYzhFRifURQLw+yv0QDCx8=
+golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1491,9 +1490,8 @@ golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211105183446-c75c47738b0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 h1:WIoqL4EROvwiPdUtaip4VcDdpZ4kha7wBWZrbVKCIZg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-3fd24dee31726924c1b61c8037a889b30b8aa0f6
+b13188dd36c1ad2509796ce10b6a1231b200c36a
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -69,7 +69,7 @@ type Notify struct {
 	State         *State             // if non-nil, the new or current IPN state
 	Prefs         *Prefs             // if non-nil, the new or current preferences
 	NetMap        *netmap.NetworkMap // if non-nil, the new or current netmap
-	Engine        *EngineStatus      // if non-nil, the new or current wireguard stats
+	Engine        *EngineStatus      // if non-nil, the new or urrent wireguard stats
 	BrowseToURL   *string            // if non-nil, UI should open a browser right now
 	BackendLogID  *string            // if non-nil, the public logtail ID used by backend

@@ -168,11 +168,6 @@ type PartialFile struct {
 //     LocalBackend.userID, a string like "user-$USER_ID" (used in
 //     server mode).
 //   - on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
-//
-// Additionally, the StateKey can be debug setting name:
-//
-//   - "_debug_magicsock_until" with value being a unix timestamp stringified
-//   - "_debug_<component>_until" with value being a unix timestamp stringified
 type StateKey string

 type Options struct {
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -8,47 +8,16 @@ import (
 	"encoding/json"
 	"io"
 	"net/http"
-	"strconv"
-	"time"

 	"tailscale.com/tailcfg"
-	"tailscale.com/util/clientmetric"
-	"tailscale.com/util/goroutines"
 )

 func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
-	writeJSON := func(v any) {
-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(v)
-	}
 	switch r.URL.Path {
 	case "/echo":
 		// Test handler.
 		body, _ := io.ReadAll(r.Body)
 		w.Write(body)
-	case "/debug/goroutines":
-		w.Header().Set("Content-Type", "text/plain")
-		w.Write(goroutines.ScrubbedGoroutineDump())
-	case "/debug/prefs":
-		writeJSON(b.Prefs())
-	case "/debug/metrics":
-		w.Header().Set("Content-Type", "text/plain")
-		clientmetric.WritePrometheusExpositionFormat(w)
-	case "/debug/component-logging":
-		component := r.FormValue("component")
-		secs, _ := strconv.Atoi(r.FormValue("secs"))
-		if secs == 0 {
-			secs -= 1
-		}
-		until := time.Now().Add(time.Duration(secs) * time.Second)
-		err := b.SetComponentDebugLogging(component, until)
-		var res struct {
-			Error string `json:",omitempty"`
-		}
-		if err != nil {
-			res.Error = err.Error()
-		}
-		writeJSON(res)
 	case "/ssh/usernames":
 		var req tailcfg.C2NSSHUsernamesRequest
 		if r.Method == "POST" {
@@ -62,7 +31,8 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, err.Error(), 500)
 			return
 		}
-		writeJSON(res)
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(res)
 	default:
 		http.Error(w, "unknown c2n path", http.StatusBadRequest)
 	}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -24,11 +24,8 @@ import (
 	"time"

 	"go4.org/netipx"
-	"golang.org/x/exp/slices"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
-	"tailscale.com/doctor"
-	"tailscale.com/doctor/routetable"
 	"tailscale.com/envknob"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
@@ -56,7 +53,6 @@ import (
 	"tailscale.com/types/views"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/util/mak"
 	"tailscale.com/util/multierr"
 	"tailscale.com/util/osshare"
 	"tailscale.com/util/systemd"
@@ -188,16 +184,11 @@ type LocalBackend struct {
 	// *.partial file to its final name on completion.
 	directFileRoot          string
 	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
-	componentLogUntil       map[string]componentLogState

 	// statusLock must be held before calling statusChanged.Wait() or
 	// statusChanged.Broadcast().
 	statusLock    sync.Mutex
 	statusChanged *sync.Cond
-
-	// dialPlan is any dial plan that we've received from the control
-	// server during a previous connection; it is cleared on logout.
-	dialPlan atomic.Pointer[tailcfg.ControlDialPlan]
 }

 // clientGen is a func that creates a control plane client.
@@ -217,7 +208,7 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 	logf.JSON(1, "Hostinfo", hi)
 	envknob.LogCurrent(logf)
 	if dialer == nil {
-		dialer = &tsdial.Dialer{Logf: logf}
+		dialer = new(tsdial.Dialer)
 	}

 	osshare.SetFileSharingEnabled(false, logf)
@@ -270,91 +261,9 @@ func NewLocalBackend(logf logger.Logf, logid string, store ipn.StateStore, diale
 		b.logf("[unexpected] failed to wire up peer API port for engine %T", e)
 	}

-	for _, component := range debuggableComponents {
-		key := componentStateKey(component)
-		if ut, err := ipn.ReadStoreInt(store, key); err == nil {
-			if until := time.Unix(ut, 0); until.After(time.Now()) {
-				// conditional to avoid log spam at start when off
-				b.SetComponentDebugLogging(component, until)
-			}
-		}
-	}
-
 	return b, nil
 }

-type componentLogState struct {
-	until time.Time
-	timer *time.Timer // if non-nil, the AfterFunc to disable it
-}
-
-var debuggableComponents = []string{
-	"magicsock",
-}
-
-func componentStateKey(component string) ipn.StateKey {
-	return ipn.StateKey("_debug_" + component + "_until")
-}
-
-// SetComponentDebugLogging sets component's debug logging enabled until the until time.
-// If until is in the past, the component's debug logging is disabled.
-//
-// The following components are recognized:
-//
-//   - magicsock
-func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Time) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	var setEnabled func(bool)
-	switch component {
-	case "magicsock":
-		mc, err := b.magicConn()
-		if err != nil {
-			return err
-		}
-		setEnabled = mc.SetDebugLoggingEnabled
-	}
-	if setEnabled == nil || !slices.Contains(debuggableComponents, component) {
-		return fmt.Errorf("unknown component %q", component)
-	}
-	timeUnixOrZero := func(t time.Time) int64 {
-		if t.IsZero() {
-			return 0
-		}
-		return t.Unix()
-	}
-	ipn.PutStoreInt(b.store, componentStateKey(component), timeUnixOrZero(until))
-	now := time.Now()
-	on := now.Before(until)
-	setEnabled(on)
-	var onFor time.Duration
-	if on {
-		onFor = until.Sub(now)
-		b.logf("debugging logging for component %q enabled for %v (until %v)", component, onFor.Round(time.Second), until.UTC().Format(time.RFC3339))
-	} else {
-		b.logf("debugging logging for component %q disabled", component)
-	}
-	if oldSt, ok := b.componentLogUntil[component]; ok && oldSt.timer != nil {
-		oldSt.timer.Stop()
-	}
-	newSt := componentLogState{until: until}
-	if on {
-		newSt.timer = time.AfterFunc(onFor, func() {
-			// Turn off logging after the timer fires, as long as the state is
-			// unchanged when the timer actually fires.
-			b.mu.Lock()
-			defer b.mu.Unlock()
-			if ls := b.componentLogUntil[component]; ls.until == until {
-				setEnabled(false)
-				b.logf("debugging logging for component %q disabled (by timer)", component)
-			}
-		})
-	}
-	mak.Set(&b.componentLogUntil, component, newSt)
-	return nil
-}
-
 // Dialer returns the backend's dialer.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
@@ -775,12 +684,6 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		}
 	}
 	if st.NetMap != nil {
-		if err := b.tkaSyncIfNeededLocked(st.NetMap); err != nil {
-			b.logf("[v1] TKA sync error: %v", err)
-		}
-		if !envknob.TKASkipSignatureCheck() {
-			b.tkaFilterNetmapLocked(st.NetMap)
-		}
 		if b.findExitNodeIDLocked(st.NetMap) {
 			prefsChanged = true
 		}
@@ -1181,7 +1084,6 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		Dialer:               b.Dialer(),
 		Status:               b.setClientStatus,
 		C2NHandler:           http.HandlerFunc(b.handleC2N),
-		DialPlan:             &b.dialPlan, // pointer because it can't be copied

 		// Don't warn about broken Linux IP forwarding when
 		// netstack is being used.
@@ -2261,7 +2163,7 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 // ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
-// The local parameter is the local address (either a Tailscale IPv4
+// The local paramater is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
 // The connection will be closed by ServePeerAPIConnection.
@@ -3115,7 +3017,7 @@ func (b *LocalBackend) RequestEngineStatus() {
 // that have happened. It is invoked from the various callbacks that
 // feed events into LocalBackend.
 //
-// TODO(apenwarr): use a channel or something to prevent reentrancy?
+// TODO(apenwarr): use a channel or something to prevent re-entrancy?
 // Or maybe just call the state machine from fewer places.
 func (b *LocalBackend) stateMachine() {
 	b.enterState(b.nextState())
@@ -3175,7 +3077,7 @@ func (b *LocalBackend) ResetForClientDisconnect() {

 func (b *LocalBackend) ShouldRunSSH() bool { return b.sshAtomicBool.Load() && envknob.CanSSHD() }

-// ShouldHandleViaIP reports whether ip is an IPv6 address in the
+// ShouldHandleViaIP reports whether whether ip is an IPv6 address in the
 // Tailscale ULA's v6 "via" range embedding an IPv4 address to be forwarded to
 // by Tailscale.
 func (b *LocalBackend) ShouldHandleViaIP(ip netip.Addr) bool {
@@ -3207,9 +3109,6 @@ func (b *LocalBackend) logout(ctx context.Context, sync bool) error {
 		Prefs:          ipn.Prefs{WantRunning: false, LoggedOut: true},
 	})

-	// Clear any previous dial plan(s), if set.
-	b.dialPlan.Store(nil)
-
 	if cc == nil {
 		// Double Logout can happen via repeated IPN
 		// connections to ipnserver making it repeatedly
@@ -3326,17 +3225,6 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 }

-// operatorUserName returns the current pref's OperatorUser's name, or the
-// empty string if none.
-func (b *LocalBackend) operatorUserName() string {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.prefs == nil {
-		return ""
-	}
-	return b.prefs.OperatorUser
-}
-
 // OperatorUserID returns the current pref's OperatorUser's ID (in
 // os/user.User.Uid string form), or the empty string if none.
 func (b *LocalBackend) OperatorUserID() string {
@@ -3419,7 +3307,10 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 		return nil, errors.New("file sharing not enabled by Tailscale admin")
 	}
 	for _, p := range nm.Peers {
-		if !b.peerIsTaildropTargetLocked(p) {
+		if len(p.Addresses) == 0 {
+			continue
+		}
+		if p.User != nm.User && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharing) {
 			continue
 		}
 		peerAPI := peerAPIBase(b.netMap, p)
@@ -3435,26 +3326,6 @@ func (b *LocalBackend) FileTargets() ([]*apitype.FileTarget, error) {
 	return ret, nil
 }

-// peerIsTaildropTargetLocked reports whether p is a valid Taildrop file
-// recipient from this node according to its ownership and the capabilities in
-// the netmap.
-//
-// b.mu must be locked.
-func (b *LocalBackend) peerIsTaildropTargetLocked(p *tailcfg.Node) bool {
-	if b.netMap == nil || p == nil {
-		return false
-	}
-	if b.netMap.User == p.User {
-		return true
-	}
-	if len(p.Addresses) > 0 &&
-		b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharingTarget) {
-		// Explicitly noted in the netmap ACL caps as a target.
-		return true
-	}
-	return false
-}
-
 func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
 	for _, hasCap := range b.peerCapsLocked(addr) {
 		if hasCap == wantCap {
@@ -3710,7 +3581,7 @@ func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
 	return mc, nil
 }

-// DoNoiseRequest sends a request to URL over the control plane
+// DoNoiseRequest sends a request to URL over the the control plane
 // Noise connection.
 func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error) {
 	b.mu.Lock()
@@ -3722,17 +3593,6 @@ func (b *LocalBackend) DoNoiseRequest(req *http.Request) (*http.Response, error)
 	return cc.DoNoiseRequest(req)
 }

-// tailscaleSSHEnabled reports whether Tailscale SSH is currently enabled based
-// on prefs. It returns false if there are no prefs set.
-func (b *LocalBackend) tailscaleSSHEnabled() bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.prefs == nil {
-		return false
-	}
-	return b.prefs.RunSSH
-}
-
 func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -3791,19 +3651,3 @@ func (b *LocalBackend) handleQuad100Port80Conn(w http.ResponseWriter, r *http.Re
 	}
 	io.WriteString(w, "</ul>\n")
 }
-
-func (b *LocalBackend) Doctor(ctx context.Context, logf logger.Logf) {
-	var checks []doctor.Check
-
-	checks = append(checks, routetable.Check{})
-
-	// TODO(andrew): more
-
-	numChecks := len(checks)
-	checks = append(checks, doctor.CheckFunc("numchecks", func(_ context.Context, log logger.Logf) error {
-		log("%d checks", numChecks)
-		return nil
-	}))
-
-	doctor.RunChecks(ctx, logf, checks...)
-}
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
+// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

@@ -12,12 +12,11 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"os"
-	"path/filepath"
 	"time"

 	"tailscale.com/envknob"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/logtail/backoff"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
 	"tailscale.com/types/key"
@@ -25,278 +24,33 @@ import (
 	"tailscale.com/types/tkatype"
 )

-// TODO(tom): RPC retry/backoff was broken and has been removed. Fix?
-
-var (
-	errMissingNetmap        = errors.New("missing netmap: verify that you are logged in")
-	errNetworkLockNotActive = errors.New("network-lock is not active")
-)
+var networkLockAvailable = envknob.RegisterBool("TS_EXPERIMENTAL_NETWORK_LOCK")

 type tkaState struct {
 	authority *tka.Authority
 	storage   *tka.FS
 }

-// tkaFilterNetmapLocked checks the signatures on each node key, dropping
-// nodes from the netmap who's signature does not verify.
-func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
-	if !envknob.UseWIPCode() {
-		return // Feature-flag till network-lock is in Alpha.
-	}
-	if b.tka == nil {
-		return // TKA not enabled.
-	}
-
-	toDelete := make(map[int]struct{}, len(nm.Peers))
-	for i, p := range nm.Peers {
-		if len(p.KeySignature) == 0 {
-			b.logf("Network lock is dropping peer %v(%v) due to missing signature", p.ID, p.StableID)
-			toDelete[i] = struct{}{}
-		} else {
-			if err := b.tka.authority.NodeKeyAuthorized(p.Key, p.KeySignature); err != nil {
-				b.logf("Network lock is dropping peer %v(%v) due to failed signature check: %v", p.ID, p.StableID, err)
-				toDelete[i] = struct{}{}
-			}
-		}
-	}
-
-	// nm.Peers is ordered, so deletion must be order-preserving.
-	peers := make([]*tailcfg.Node, 0, len(nm.Peers))
-	for i, p := range nm.Peers {
-		if _, delete := toDelete[i]; !delete {
-			peers = append(peers, p)
-		}
-	}
-	nm.Peers = peers
-}
-
-// tkaSyncIfNeededLocked examines TKA info reported from the control plane,
-// performing the steps necessary to synchronize local tka state.
-//
-// There are 4 scenarios handled here:
-//   - Enablement: nm.TKAEnabled but b.tka == nil
-//     ∴ reach out to /machine/tka/bootstrap to get the genesis AUM, then
-//     initialize TKA.
-//   - Disablement: !nm.TKAEnabled but b.tka != nil
-//     ∴ reach out to /machine/tka/bootstrap to read the disablement secret,
-//     then verify and clear tka local state.
-//   - Sync needed: b.tka.Head != nm.TKAHead
-//     ∴ complete multi-step synchronization flow.
-//   - Everything up to date: All other cases.
-//     ∴ no action necessary.
-//
-// b.mu must be held. b.mu will be stepped out of (and back in) during network
-// RPCs.
-func (b *LocalBackend) tkaSyncIfNeededLocked(nm *netmap.NetworkMap) error {
-	if !envknob.UseWIPCode() {
-		// If the feature flag is not enabled, pretend we don't exist.
-		return nil
-	}
-	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
-
-	isEnabled := b.tka != nil
-	wantEnabled := nm.TKAEnabled
-	if isEnabled != wantEnabled {
-		var ourHead tka.AUMHash
-		if b.tka != nil {
-			ourHead = b.tka.authority.Head()
-		}
-
-		// Regardless of whether we are moving to disabled or enabled, we
-		// need information from the tka bootstrap endpoint.
-		b.mu.Unlock()
-		bs, err := b.tkaFetchBootstrap(ourNodeKey, ourHead)
-		b.mu.Lock()
-		if err != nil {
-			return fmt.Errorf("fetching bootstrap: %w", err)
-		}
-
-		if wantEnabled && !isEnabled {
-			if err := b.tkaBootstrapFromGenesisLocked(bs.GenesisAUM); err != nil {
-				return fmt.Errorf("bootstrap: %w", err)
-			}
-			isEnabled = true
-		} else if !wantEnabled && isEnabled {
-			if b.tka.authority.ValidDisablement(bs.DisablementSecret) {
-				b.tka = nil
-				isEnabled = false
-
-				if err := os.RemoveAll(b.chonkPath()); err != nil {
-					return fmt.Errorf("os.RemoveAll: %v", err)
-				}
-			} else {
-				b.logf("Disablement secret did not verify, leaving TKA enabled.")
-			}
-		} else {
-			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
-		}
-	}
-
-	if isEnabled && b.tka.authority.Head() != nm.TKAHead {
-		if err := b.tkaSyncLocked(ourNodeKey); err != nil {
-			return fmt.Errorf("tka sync: %w", err)
-		}
-	}
-
-	return nil
-}
-
-func toSyncOffer(head string, ancestors []string) (tka.SyncOffer, error) {
-	var out tka.SyncOffer
-	if err := out.Head.UnmarshalText([]byte(head)); err != nil {
-		return tka.SyncOffer{}, fmt.Errorf("head.UnmarshalText: %v", err)
-	}
-	out.Ancestors = make([]tka.AUMHash, len(ancestors))
-	for i, a := range ancestors {
-		if err := out.Ancestors[i].UnmarshalText([]byte(a)); err != nil {
-			return tka.SyncOffer{}, fmt.Errorf("ancestor[%d].UnmarshalText: %v", i, err)
-		}
-	}
-	return out, nil
-}
-
-// tkaSyncLocked synchronizes TKA state with control. b.mu must be held
-// and tka must be initialized. b.mu will be stepped out of (and back into)
-// during network RPCs.
-func (b *LocalBackend) tkaSyncLocked(ourNodeKey key.NodePublic) error {
-	offer, err := b.tka.authority.SyncOffer(b.tka.storage)
-	if err != nil {
-		return fmt.Errorf("offer: %w", err)
-	}
-
-	b.mu.Unlock()
-	offerResp, err := b.tkaDoSyncOffer(ourNodeKey, offer)
-	b.mu.Lock()
-	if err != nil {
-		return fmt.Errorf("offer RPC: %w", err)
-	}
-	controlOffer, err := toSyncOffer(offerResp.Head, offerResp.Ancestors)
-	if err != nil {
-		return fmt.Errorf("control offer: %v", err)
-	}
-
-	if controlOffer.Head == offer.Head {
-		// We are up to date.
-		return nil
-	}
-
-	// Compute missing AUMs before we apply any AUMs from the control-plane,
-	// so we still submit AUMs to control even if they are not part of the
-	// active chain.
-	toSendAUMs, err := b.tka.authority.MissingAUMs(b.tka.storage, controlOffer)
-	if err != nil {
-		return fmt.Errorf("computing missing AUMs: %w", err)
-	}
-
-	// If we got this far, then we are not up to date. Either the control-plane
-	// has updates for us, or we have updates for the control plane.
-	//
-	// TODO(tom): Do we want to keep processing even if the Inform fails? Need
-	// to think through if theres holdback concerns here or not.
-	if len(offerResp.MissingAUMs) > 0 {
-		aums := make([]tka.AUM, len(offerResp.MissingAUMs))
-		for i, a := range offerResp.MissingAUMs {
-			if err := aums[i].Unserialize(a); err != nil {
-				return fmt.Errorf("MissingAUMs[%d]: %v", i, err)
-			}
-		}
-
-		if err := b.tka.authority.Inform(b.tka.storage, aums); err != nil {
-			return fmt.Errorf("inform failed: %v", err)
-		}
-	}
-
-	// NOTE(tom): We could short-circuit here if our HEAD equals the
-	// control-plane's head, but we don't just so control always has a
-	// copy of all forks that clients had.
-
-	b.mu.Unlock()
-	sendResp, err := b.tkaDoSyncSend(ourNodeKey, toSendAUMs, false)
-	b.mu.Lock()
-	if err != nil {
-		return fmt.Errorf("send RPC: %v", err)
-	}
-
-	var remoteHead tka.AUMHash
-	if err := remoteHead.UnmarshalText([]byte(sendResp.Head)); err != nil {
-		return fmt.Errorf("head unmarshal: %v", err)
-	}
-	if remoteHead != b.tka.authority.Head() {
-		b.logf("TKA desync: expected consensus after sync but our head is %v and the control plane's is %v", b.tka.authority.Head(), remoteHead)
-	}
-
-	return nil
-}
-
-// chonkPath returns the absolute path to the directory in which TKA
-// state (the 'tailchonk') is stored.
-func (b *LocalBackend) chonkPath() string {
-	return filepath.Join(b.TailscaleVarRoot(), "tka")
-}
-
-// tkaBootstrapFromGenesisLocked initializes the local (on-disk) state of the
-// tailnet key authority, based on the given genesis AUM.
-//
-// b.mu must be held.
-func (b *LocalBackend) tkaBootstrapFromGenesisLocked(g tkatype.MarshaledAUM) error {
-	if err := b.CanSupportNetworkLock(); err != nil {
-		return err
-	}
-
-	var genesis tka.AUM
-	if err := genesis.Unserialize(g); err != nil {
-		return fmt.Errorf("reading genesis: %v", err)
-	}
-
-	chonkDir := b.chonkPath()
-	if err := os.Mkdir(chonkDir, 0755); err != nil && !os.IsExist(err) {
-		return fmt.Errorf("mkdir: %v", err)
-	}
-
-	chonk, err := tka.ChonkDir(chonkDir)
-	if err != nil {
-		return fmt.Errorf("chonk: %v", err)
-	}
-	authority, err := tka.Bootstrap(chonk, genesis)
-	if err != nil {
-		return fmt.Errorf("tka bootstrap: %v", err)
-	}
-
-	b.tka = &tkaState{
-		authority: authority,
-		storage:   chonk,
-	}
-	return nil
-}
-
-// CanSupportNetworkLock returns nil if tailscaled is able to operate
+// CanSupportNetworkLock returns true if tailscaled is able to operate
 // a local tailnet key authority (and hence enforce network lock).
-func (b *LocalBackend) CanSupportNetworkLock() error {
-	if !envknob.UseWIPCode() {
-		return errors.New("this feature is not yet complete, a later release may support this functionality")
-	}
-
+func (b *LocalBackend) CanSupportNetworkLock() bool {
 	if b.tka != nil {
-		// If the TKA is being used, it is supported.
-		return nil
+		// The TKA is being used, so yeah its supported.
+		return true
 	}

-	if b.TailscaleVarRoot() == "" {
-		return errors.New("network-lock is not supported in this configuration, try setting --statedir")
+	if b.TailscaleVarRoot() != "" {
+		// Theres a var root (aka --statedir), so if network lock gets
+		// initialized we have somewhere to store our AUMs. Thats all
+		// we need.
+		return true
 	}
-
-	// There's a var root (aka --statedir), so if network lock gets
-	// initialized we have somewhere to store our AUMs. That's all
-	// we need.
-	return nil
+	return false
 }

 // NetworkLockStatus returns a structure describing the state of the
 // tailnet key authority, if any.
 func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
 	if b.tka == nil {
 		return &ipnstate.NetworkLockStatus{
 			Enabled:   false,
@@ -325,18 +79,18 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 // The Finish RPC submits signatures for all these nodes, at which point
 // Control has everything it needs to atomically enable network lock.
 func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
-	if err := b.CanSupportNetworkLock(); err != nil {
-		return err
+	if b.tka != nil {
+		return errors.New("network-lock is already initialized")
 	}
-
-	var ourNodeKey key.NodePublic
-	b.mu.Lock()
-	if b.prefs != nil {
-		ourNodeKey = b.prefs.Persist.PrivateNodeKey.Public()
+	if !networkLockAvailable() {
+		return errors.New("this is an experimental feature in your version of tailscale - Please upgrade to the latest to use this.")
 	}
-	b.mu.Unlock()
-	if ourNodeKey.IsZero() {
-		return errors.New("no node-key: is tailscale logged in?")
+	if !b.CanSupportNetworkLock() {
+		return errors.New("network-lock is not supported in this configuration. Did you supply a --statedir?")
+	}
+	nm := b.NetMap()
+	if nm == nil {
+		return errors.New("no netmap: are you logged into tailscale?")
 	}

 	// Generates a genesis AUM representing trust in the provided keys.
@@ -358,7 +112,7 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}

 	// Phase 1/2 of initialization: Transmit the genesis AUM to Control.
-	initResp, err := b.tkaInitBegin(ourNodeKey, genesisAUM)
+	initResp, err := b.tkaInitBegin(nm, genesisAUM)
 	if err != nil {
 		return fmt.Errorf("tka init-begin RPC: %w", err)
 	}
@@ -379,91 +133,10 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key) error {
 	}

 	// Finalize enablement by transmitting signature for all nodes to Control.
-	_, err = b.tkaInitFinish(ourNodeKey, sigs)
+	_, err = b.tkaInitFinish(nm, sigs)
 	return err
 }

-// Only use is in tests.
-func (b *LocalBackend) NetworkLockVerifySignatureForTest(nks tkatype.MarshaledSignature, nodeKey key.NodePublic) error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return errNetworkLockNotActive
-	}
-	return b.tka.authority.NodeKeyAuthorized(nodeKey, nks)
-}
-
-// Only use is in tests.
-func (b *LocalBackend) NetworkLockKeyTrustedForTest(keyID tkatype.KeyID) bool {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		panic("network lock not initialized")
-	}
-	return b.tka.authority.KeyTrusted(keyID)
-}
-
-// NetworkLockModify adds and/or removes keys in the tailnet's key authority.
-func (b *LocalBackend) NetworkLockModify(addKeys, removeKeys []tka.Key) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("modify network-lock keys: %w", err)
-		}
-	}()
-
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if err := b.CanSupportNetworkLock(); err != nil {
-		return err
-	}
-	if b.tka == nil {
-		return errNetworkLockNotActive
-	}
-
-	updater := b.tka.authority.NewUpdater(b.nlPrivKey)
-
-	for _, addKey := range addKeys {
-		if err := updater.AddKey(addKey); err != nil {
-			return err
-		}
-	}
-	for _, removeKey := range removeKeys {
-		if err := updater.RemoveKey(removeKey.ID()); err != nil {
-			return err
-		}
-	}
-
-	aums, err := updater.Finalize(b.tka.storage)
-	if err != nil {
-		return err
-	}
-
-	if len(aums) == 0 {
-		return nil
-	}
-
-	ourNodeKey := b.prefs.Persist.PrivateNodeKey.Public()
-	b.mu.Unlock()
-	resp, err := b.tkaDoSyncSend(ourNodeKey, aums, true)
-	b.mu.Lock()
-	if err != nil {
-		return err
-	}
-
-	var controlHead tka.AUMHash
-	if err := controlHead.UnmarshalText([]byte(resp.Head)); err != nil {
-		return err
-	}
-
-	lastHead := aums[len(aums)-1].Hash()
-	if controlHead != lastHead {
-		return errors.New("central tka head differs from submitted AUM, try again")
-	}
-
-	return nil
-}
-
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
@@ -483,11 +156,10 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 	return &sig, nil
 }

-func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
+func (b *LocalBackend) tkaInitBegin(nm *netmap.NetworkMap, aum tka.AUM) (*tailcfg.TKAInitBeginResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitBeginRequest{
-		Version:    tailcfg.CurrentCapabilityVersion,
-		NodeKey:    ourNodeKey,
+		NodeID:     nm.SelfNode.ID,
 		GenesisAUM: aum.Serialize(),
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -495,34 +167,40 @@ func (b *LocalBackend) tkaInitBegin(ourNodeKey key.NodePublic, aum tka.AUM) (*ta

 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
+	bo := backoff.NewBackoff("tka-init-begin", b.logf, 5*time.Second)
+	for {
+		if err := ctx.Err(); err != nil {
+			return nil, fmt.Errorf("ctx: %w", err)
+		}
+		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/begin", &req)
+		if err != nil {
+			return nil, fmt.Errorf("req: %w", err)
+		}
+		res, err := b.DoNoiseRequest(req)
+		if err != nil {
+			bo.BackOff(ctx, err)
+			continue
+		}
+		if res.StatusCode != 200 {
+			body, _ := io.ReadAll(res.Body)
+			res.Body.Close()
+			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+		}
+		a := new(tailcfg.TKAInitBeginResponse)
+		err = json.NewDecoder(res.Body).Decode(a)
 		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKAInitBeginResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
+		if err != nil {
+			return nil, fmt.Errorf("decoding JSON: %w", err)
+		}

-	return a, nil
+		return a, nil
+	}
 }

-func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
+func (b *LocalBackend) tkaInitFinish(nm *netmap.NetworkMap, nks map[tailcfg.NodeID]tkatype.MarshaledSignature) (*tailcfg.TKAInitFinishResponse, error) {
 	var req bytes.Buffer
 	if err := json.NewEncoder(&req).Encode(tailcfg.TKAInitFinishRequest{
-		Version:    tailcfg.CurrentCapabilityVersion,
-		NodeKey:    ourNodeKey,
+		NodeID:     nm.SelfNode.ID,
 		Signatures: nks,
 	}); err != nil {
 		return nil, fmt.Errorf("encoding request: %v", err)
@@ -530,178 +208,32 @@ func (b *LocalBackend) tkaInitFinish(ourNodeKey key.NodePublic, nks map[tailcfg.

 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKAInitFinishResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
-
-	return a, nil
-}
-
-// tkaFetchBootstrap sends a /machine/tka/bootstrap RPC to the control plane
-// over noise. This is used to get values necessary to enable or disable TKA.
-func (b *LocalBackend) tkaFetchBootstrap(ourNodeKey key.NodePublic, head tka.AUMHash) (*tailcfg.TKABootstrapResponse, error) {
-	bootstrapReq := tailcfg.TKABootstrapRequest{
-		Version: tailcfg.CurrentCapabilityVersion,
-		NodeKey: ourNodeKey,
-	}
-	if !head.IsZero() {
-		head, err := head.MarshalText()
-		if err != nil {
-			return nil, fmt.Errorf("head.MarshalText failed: %v", err)
+	bo := backoff.NewBackoff("tka-init-finish", b.logf, 5*time.Second)
+	for {
+		if err := ctx.Err(); err != nil {
+			return nil, fmt.Errorf("ctx: %w", err)
 		}
-		bootstrapReq.Head = string(head)
-	}
-
-	var req bytes.Buffer
-	if err := json.NewEncoder(&req).Encode(bootstrapReq); err != nil {
-		return nil, fmt.Errorf("encoding request: %v", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	if err := ctx.Err(); err != nil {
-		return nil, fmt.Errorf("ctx: %w", err)
-	}
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/bootstrap", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKABootstrapResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
-
-	return a, nil
-}
-
-func fromSyncOffer(offer tka.SyncOffer) (head string, ancestors []string, err error) {
-	headBytes, err := offer.Head.MarshalText()
-	if err != nil {
-		return "", nil, fmt.Errorf("head.MarshalText: %v", err)
-	}
-
-	ancestors = make([]string, len(offer.Ancestors))
-	for i, ancestor := range offer.Ancestors {
-		hash, err := ancestor.MarshalText()
+		req, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/init/finish", &req)
 		if err != nil {
-			return "", nil, fmt.Errorf("ancestor[%d].MarshalText: %v", i, err)
+			return nil, fmt.Errorf("req: %w", err)
 		}
-		ancestors[i] = string(hash)
-	}
-	return string(headBytes), ancestors, nil
-}
-
-// tkaDoSyncOffer sends a /machine/tka/sync/offer RPC to the control plane
-// over noise. This is the first of two RPCs implementing tka synchronization.
-func (b *LocalBackend) tkaDoSyncOffer(ourNodeKey key.NodePublic, offer tka.SyncOffer) (*tailcfg.TKASyncOfferResponse, error) {
-	head, ancestors, err := fromSyncOffer(offer)
-	if err != nil {
-		return nil, fmt.Errorf("encoding offer: %v", err)
-	}
-	syncReq := tailcfg.TKASyncOfferRequest{
-		Version:   tailcfg.CurrentCapabilityVersion,
-		NodeKey:   ourNodeKey,
-		Head:      head,
-		Ancestors: ancestors,
-	}
-
-	var req bytes.Buffer
-	if err := json.NewEncoder(&req).Encode(syncReq); err != nil {
-		return nil, fmt.Errorf("encoding request: %v", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/offer", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
+		res, err := b.DoNoiseRequest(req)
+		if err != nil {
+			bo.BackOff(ctx, err)
+			continue
+		}
+		if res.StatusCode != 200 {
+			body, _ := io.ReadAll(res.Body)
+			res.Body.Close()
+			return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
+		}
+		a := new(tailcfg.TKAInitFinishResponse)
+		err = json.NewDecoder(res.Body).Decode(a)
 		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKASyncOfferResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
+		if err != nil {
+			return nil, fmt.Errorf("decoding JSON: %w", err)
+		}

-	return a, nil
-}
-
-// tkaDoSyncSend sends a /machine/tka/sync/send RPC to the control plane
-// over noise. This is the second of two RPCs implementing tka synchronization.
-func (b *LocalBackend) tkaDoSyncSend(ourNodeKey key.NodePublic, aums []tka.AUM, interactive bool) (*tailcfg.TKASyncSendResponse, error) {
-	sendReq := tailcfg.TKASyncSendRequest{
-		Version:     tailcfg.CurrentCapabilityVersion,
-		NodeKey:     ourNodeKey,
-		MissingAUMs: make([]tkatype.MarshaledAUM, len(aums)),
-		Interactive: interactive,
-	}
-	for i, a := range aums {
-		sendReq.MissingAUMs[i] = a.Serialize()
-	}
-
-	var req bytes.Buffer
-	if err := json.NewEncoder(&req).Encode(sendReq); err != nil {
-		return nil, fmt.Errorf("encoding request: %v", err)
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-	req2, err := http.NewRequestWithContext(ctx, "GET", "https://unused/machine/tka/sync/send", &req)
-	if err != nil {
-		return nil, fmt.Errorf("req: %w", err)
-	}
-	res, err := b.DoNoiseRequest(req2)
-	if err != nil {
-		return nil, fmt.Errorf("resp: %w", err)
-	}
-	if res.StatusCode != 200 {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("request returned (%d): %s", res.StatusCode, string(body))
-	}
-	a := new(tailcfg.TKASyncSendResponse)
-	err = json.NewDecoder(res.Body).Decode(a)
-	res.Body.Close()
-	if err != nil {
-		return nil, fmt.Errorf("decoding JSON: %w", err)
-	}
-
-	return a, nil
+		return a, nil
+	}
 }
--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@@ -1,546 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipnlocal
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"tailscale.com/control/controlclient"
-	"tailscale.com/envknob"
-	"tailscale.com/hostinfo"
-	"tailscale.com/ipn"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tka"
-	"tailscale.com/types/key"
-	"tailscale.com/types/netmap"
-	"tailscale.com/types/persist"
-	"tailscale.com/types/tkatype"
-)
-
-func fakeControlClient(t *testing.T, c *http.Client) *controlclient.Auto {
-	hi := hostinfo.New()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	k := key.NewMachine()
-	opts := controlclient.Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
-			return k, nil
-		},
-		HTTPTestClient:  c,
-		NoiseTestClient: c,
-		Status:          func(controlclient.Status) {},
-	}
-
-	cc, err := controlclient.NewNoStart(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return cc
-}
-
-func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server, *http.Client) {
-	ts := httptest.NewUnstartedServer(handler)
-	ts.StartTLS()
-	client := ts.Client()
-	client.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = true
-	client.Transport.(*http.Transport).DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
-		return (&net.Dialer{}).DialContext(ctx, network, ts.Listener.Addr().String())
-	}
-	return ts, client
-}
-
-func TestTKAEnablementFlow(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	nodePriv := key.NewNode()
-
-	// Make a fake TKA authority, getting a usable genesis AUM which
-	// our mock server can communicate.
-	nlPriv := key.NewNLPrivate()
-	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	a1, genesisAUM, err := tka.Create(&tka.Mem{}, tka.State{
-		Keys:               []tka.Key{key},
-		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		switch r.URL.Path {
-		case "/machine/tka/bootstrap":
-			body := new(tailcfg.TKABootstrapRequest)
-			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-				t.Fatal(err)
-			}
-			if body.Version != tailcfg.CurrentCapabilityVersion {
-				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
-			}
-			if body.NodeKey != nodePriv.Public() {
-				t.Errorf("bootstrap nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
-			}
-			if body.Head != "" {
-				t.Errorf("bootstrap head=%s, want empty hash", body.Head)
-			}
-
-			w.WriteHeader(200)
-			out := tailcfg.TKABootstrapResponse{
-				GenesisAUM: genesisAUM.Serialize(),
-			}
-			if err := json.NewEncoder(w).Encode(out); err != nil {
-				t.Fatal(err)
-			}
-
-		case "/machine/tka/sync/offer", "/machine/tka/sync/send":
-			t.Error("node attempted to sync, but should have been up to date")
-
-		default:
-			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-			w.WriteHeader(404)
-		}
-	}))
-	defer ts.Close()
-	temp := t.TempDir()
-
-	cc := fakeControlClient(t, client)
-	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-		prefs: &ipn.Prefs{
-			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
-		},
-	}
-
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		TKAEnabled: true,
-		TKAHead:    a1.Head(),
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-	if b.tka == nil {
-		t.Fatal("tka was not initialized")
-	}
-	if b.tka.authority.Head() != a1.Head() {
-		t.Errorf("authority.Head() = %x, want %x", b.tka.authority.Head(), a1.Head())
-	}
-}
-
-func TestTKADisablementFlow(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-	temp := t.TempDir()
-	os.Mkdir(filepath.Join(temp, "tka"), 0755)
-	nodePriv := key.NewNode()
-
-	// Make a fake TKA authority, to seed local state.
-	disablementSecret := bytes.Repeat([]byte{0xa5}, 32)
-	nlPriv := key.NewNLPrivate()
-	key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	chonk, err := tka.ChonkDir(filepath.Join(temp, "tka"))
-	if err != nil {
-		t.Fatal(err)
-	}
-	authority, _, err := tka.Create(chonk, tka.State{
-		Keys:               []tka.Key{key},
-		DisablementSecrets: [][]byte{tka.DisablementKDF(disablementSecret)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	returnWrongSecret := false
-	ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		switch r.URL.Path {
-		case "/machine/tka/bootstrap":
-			body := new(tailcfg.TKABootstrapRequest)
-			if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-				t.Fatal(err)
-			}
-			if body.Version != tailcfg.CurrentCapabilityVersion {
-				t.Errorf("bootstrap CapVer = %v, want %v", body.Version, tailcfg.CurrentCapabilityVersion)
-			}
-			if body.NodeKey != nodePriv.Public() {
-				t.Errorf("nodeKey=%v, want %v", body.NodeKey, nodePriv.Public())
-			}
-			var head tka.AUMHash
-			if err := head.UnmarshalText([]byte(body.Head)); err != nil {
-				t.Fatalf("failed unmarshal of body.Head: %v", err)
-			}
-			if head != authority.Head() {
-				t.Errorf("reported head = %x, want %x", head, authority.Head())
-			}
-
-			var disablement []byte
-			if returnWrongSecret {
-				disablement = bytes.Repeat([]byte{0x42}, 32) // wrong secret
-			} else {
-				disablement = disablementSecret
-			}
-
-			w.WriteHeader(200)
-			out := tailcfg.TKABootstrapResponse{
-				DisablementSecret: disablement,
-			}
-			if err := json.NewEncoder(w).Encode(out); err != nil {
-				t.Fatal(err)
-			}
-
-		default:
-			t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-			w.WriteHeader(404)
-		}
-	}))
-	defer ts.Close()
-
-	cc := fakeControlClient(t, client)
-	b := LocalBackend{
-		varRoot: temp,
-		cc:      cc,
-		ccAuto:  cc,
-		logf:    t.Logf,
-		tka: &tkaState{
-			authority: authority,
-			storage:   chonk,
-		},
-		prefs: &ipn.Prefs{
-			Persist: &persist.Persist{PrivateNodeKey: nodePriv},
-		},
-	}
-
-	// Test that the wrong disablement secret does not shut down the authority.
-	returnWrongSecret = true
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		TKAEnabled: false,
-		TKAHead:    authority.Head(),
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-	if b.tka == nil {
-		t.Error("TKA was disabled despite incorrect disablement secret")
-	}
-
-	// Test the correct disablement secret shuts down the authority.
-	returnWrongSecret = false
-	b.mu.Lock()
-	err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-		TKAEnabled: false,
-		TKAHead:    authority.Head(),
-	})
-	b.mu.Unlock()
-	if err != nil {
-		t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-	}
-
-	if b.tka != nil {
-		t.Fatal("tka was not shut down")
-	}
-	if _, err := os.Stat(b.chonkPath()); err == nil || !os.IsNotExist(err) {
-		t.Errorf("os.Stat(chonkDir) = %v, want ErrNotExist", err)
-	}
-}
-
-func TestTKASync(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-
-	someKeyPriv := key.NewNLPrivate()
-	someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}
-
-	type tkaSyncScenario struct {
-		name string
-		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
-		// on control should be seeded with.
-		controlAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
-		// controlAUMs is called (if non-nil) to get any AUMs which the tka state
-		// on the node should be seeded with.
-		nodeAUMs func(*testing.T, *tka.Authority, tka.Chonk, tka.Signer) []tka.AUM
-	}
-
-	tcs := []tkaSyncScenario{
-		{name: "up to date"},
-		{
-			name: "control has an update",
-			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
-				b := a.NewUpdater(signer)
-				if err := b.RemoveKey(someKey.ID()); err != nil {
-					t.Fatal(err)
-				}
-				aums, err := b.Finalize(storage)
-				if err != nil {
-					t.Fatal(err)
-				}
-				return aums
-			},
-		},
-		{
-			// AKA 'control data loss' scenario
-			name: "node has an update",
-			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
-				b := a.NewUpdater(signer)
-				if err := b.RemoveKey(someKey.ID()); err != nil {
-					t.Fatal(err)
-				}
-				aums, err := b.Finalize(storage)
-				if err != nil {
-					t.Fatal(err)
-				}
-				return aums
-			},
-		},
-		{
-			// AKA 'control data loss + update in the meantime' scenario
-			name: "node and control diverge",
-			controlAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
-				b := a.NewUpdater(signer)
-				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swiggity"}); err != nil {
-					t.Fatal(err)
-				}
-				aums, err := b.Finalize(storage)
-				if err != nil {
-					t.Fatal(err)
-				}
-				return aums
-			},
-			nodeAUMs: func(t *testing.T, a *tka.Authority, storage tka.Chonk, signer tka.Signer) []tka.AUM {
-				b := a.NewUpdater(signer)
-				if err := b.SetKeyMeta(someKey.ID(), map[string]string{"ye": "swooty"}); err != nil {
-					t.Fatal(err)
-				}
-				aums, err := b.Finalize(storage)
-				if err != nil {
-					t.Fatal(err)
-				}
-				return aums
-			},
-		},
-	}
-
-	for _, tc := range tcs {
-		t.Run(tc.name, func(t *testing.T) {
-			temp := t.TempDir()
-			os.Mkdir(filepath.Join(temp, "tka"), 0755)
-			nodePriv := key.NewNode()
-			nlPriv := key.NewNLPrivate()
-
-			// Setup the tka authority on the control plane.
-			key := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-			controlStorage := &tka.Mem{}
-			controlAuthority, bootstrap, err := tka.Create(controlStorage, tka.State{
-				Keys:               []tka.Key{key, someKey},
-				DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
-			}, nlPriv)
-			if err != nil {
-				t.Fatalf("tka.Create() failed: %v", err)
-			}
-			if tc.controlAUMs != nil {
-				if err := controlAuthority.Inform(controlStorage, tc.controlAUMs(t, controlAuthority, controlStorage, nlPriv)); err != nil {
-					t.Fatalf("controlAuthority.Inform() failed: %v", err)
-				}
-			}
-
-			// Setup the TKA authority on the node.
-			nodeStorage, err := tka.ChonkDir(filepath.Join(temp, "tka"))
-			if err != nil {
-				t.Fatal(err)
-			}
-			nodeAuthority, err := tka.Bootstrap(nodeStorage, bootstrap)
-			if err != nil {
-				t.Fatalf("tka.Bootstrap() failed: %v", err)
-			}
-			if tc.nodeAUMs != nil {
-				if err := nodeAuthority.Inform(nodeStorage, tc.nodeAUMs(t, nodeAuthority, nodeStorage, nlPriv)); err != nil {
-					t.Fatalf("nodeAuthority.Inform() failed: %v", err)
-				}
-			}
-
-			// Make a mock control server.
-			ts, client := fakeNoiseServer(t, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				defer r.Body.Close()
-				switch r.URL.Path {
-				case "/machine/tka/sync/offer":
-					body := new(tailcfg.TKASyncOfferRequest)
-					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-						t.Fatal(err)
-					}
-					t.Logf("got sync offer:\n%+v", body)
-					nodeOffer, err := toSyncOffer(body.Head, body.Ancestors)
-					if err != nil {
-						t.Fatal(err)
-					}
-					controlOffer, err := controlAuthority.SyncOffer(controlStorage)
-					if err != nil {
-						t.Fatal(err)
-					}
-					sendAUMs, err := controlAuthority.MissingAUMs(controlStorage, nodeOffer)
-					if err != nil {
-						t.Fatal(err)
-					}
-
-					head, ancestors, err := fromSyncOffer(controlOffer)
-					if err != nil {
-						t.Fatal(err)
-					}
-					resp := tailcfg.TKASyncOfferResponse{
-						Head:        head,
-						Ancestors:   ancestors,
-						MissingAUMs: make([]tkatype.MarshaledAUM, len(sendAUMs)),
-					}
-					for i, a := range sendAUMs {
-						resp.MissingAUMs[i] = a.Serialize()
-					}
-
-					t.Logf("responding to sync offer with:\n%+v", resp)
-					w.WriteHeader(200)
-					if err := json.NewEncoder(w).Encode(resp); err != nil {
-						t.Fatal(err)
-					}
-
-				case "/machine/tka/sync/send":
-					body := new(tailcfg.TKASyncSendRequest)
-					if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-						t.Fatal(err)
-					}
-					t.Logf("got sync send:\n%+v", body)
-					toApply := make([]tka.AUM, len(body.MissingAUMs))
-					for i, a := range body.MissingAUMs {
-						if err := toApply[i].Unserialize(a); err != nil {
-							t.Fatalf("decoding missingAUM[%d]: %v", i, err)
-						}
-					}
-
-					if len(toApply) > 0 {
-						if err := controlAuthority.Inform(controlStorage, toApply); err != nil {
-							t.Fatalf("control.Inform(%+v) failed: %v", toApply, err)
-						}
-					}
-					head, err := controlAuthority.Head().MarshalText()
-					if err != nil {
-						t.Fatal(err)
-					}
-
-					w.WriteHeader(200)
-					if err := json.NewEncoder(w).Encode(tailcfg.TKASyncSendResponse{Head: string(head)}); err != nil {
-						t.Fatal(err)
-					}
-
-				default:
-					t.Errorf("unhandled endpoint path: %v", r.URL.Path)
-					w.WriteHeader(404)
-				}
-			}))
-			defer ts.Close()
-
-			// Setup the client.
-			cc := fakeControlClient(t, client)
-			b := LocalBackend{
-				varRoot: temp,
-				cc:      cc,
-				ccAuto:  cc,
-				logf:    t.Logf,
-				tka: &tkaState{
-					authority: nodeAuthority,
-					storage:   nodeStorage,
-				},
-				prefs: &ipn.Prefs{
-					Persist: &persist.Persist{PrivateNodeKey: nodePriv},
-				},
-			}
-
-			// Finally, lets trigger a sync.
-			b.mu.Lock()
-			err = b.tkaSyncIfNeededLocked(&netmap.NetworkMap{
-				TKAEnabled: true,
-				TKAHead:    controlAuthority.Head(),
-			})
-			b.mu.Unlock()
-			if err != nil {
-				t.Errorf("tkaSyncIfNeededLocked() failed: %v", err)
-			}
-
-			// Check that at the end of this ordeal, the node and the control
-			// plane are in sync.
-			if nodeHead, controlHead := b.tka.authority.Head(), controlAuthority.Head(); nodeHead != controlHead {
-				t.Errorf("node head = %v, want %v", nodeHead, controlHead)
-			}
-		})
-	}
-}
-
-func TestTKAFilterNetmap(t *testing.T) {
-	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
-
-	nlPriv := key.NewNLPrivate()
-	nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
-	storage := &tka.Mem{}
-	authority, _, err := tka.Create(storage, tka.State{
-		Keys:               []tka.Key{nlKey},
-		DisablementSecrets: [][]byte{bytes.Repeat([]byte{0xa5}, 32)},
-	}, nlPriv)
-	if err != nil {
-		t.Fatalf("tka.Create() failed: %v", err)
-	}
-
-	n1, n2, n3, n4, n5 := key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode(), key.NewNode()
-	n1GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n1.Public()}, nlPriv)
-	if err != nil {
-		t.Fatal(err)
-	}
-	n4Sig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n4.Public()}, nlPriv)
-	if err != nil {
-		t.Fatal(err)
-	}
-	n4Sig.Signature[3] = 42 // mess up the signature
-	n4Sig.Signature[4] = 42 // mess up the signature
-	n5GoodSig, err := signNodeKey(tailcfg.TKASignInfo{NodePublic: n5.Public()}, nlPriv)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	nm := netmap.NetworkMap{
-		Peers: []*tailcfg.Node{
-			{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
-			{ID: 2, Key: n2.Public(), KeySignature: nil},                   // missing sig
-			{ID: 3, Key: n3.Public(), KeySignature: n1GoodSig.Serialize()}, // someone elses sig
-			{ID: 4, Key: n4.Public(), KeySignature: n4Sig.Serialize()},     // messed-up signature
-			{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
-		},
-	}
-
-	b := &LocalBackend{
-		logf: t.Logf,
-		tka:  &tkaState{authority: authority},
-	}
-	b.tkaFilterNetmapLocked(&nm)
-
-	want := []*tailcfg.Node{
-		{ID: 1, Key: n1.Public(), KeySignature: n1GoodSig.Serialize()},
-		{ID: 5, Key: n5.Public(), KeySignature: n5GoodSig.Serialize()},
-	}
-	nodePubComparer := cmp.Comparer(func(x, y key.NodePublic) bool {
-		return x.Raw32() == y.Raw32()
-	})
-	if diff := cmp.Diff(nm.Peers, want, nodePubComparer); diff != "" {
-		t.Errorf("filtered netmap differs (-want, +got):\n%s", diff)
-	}
-}
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -79,7 +79,7 @@ type peerAPIServer struct {
 }

 const (
-	// partialSuffix is the suffix appended to files while they're
+	// partialSuffix is the suffix appened to files while they're
 	// still in the process of being transferred.
 	partialSuffix = ".partial"

@@ -1184,7 +1184,7 @@ func newFakePeerAPIListener(ip netip.Addr) net.Listener {
 // even if the kernel isn't cooperating (like on Android: Issue 4449, 4293, etc)
 // or we lack permission to listen on a port. It's okay to not actually listen via
 // the kernel because on almost all platforms (except iOS as of 2022-04-20) we
-// also intercept incoming netstack TCP requests to our peerapi port and hand them over
+// also intercept netstack TCP requests in to our peerapi port and hand it over
 // directly to peerapi, without involving the kernel. So this doesn't need to be
 // real. But the port number we return (1, in this case) is the port number we advertise
 // to peers and they connect to. 1 seems pretty safe to use. Even if the kernel's
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -109,7 +109,7 @@ func TestHandlePeerAPI(t *testing.T) {
 	tests := []struct {
 		name       string
 		isSelf     bool // the peer sending the request is owned by us
-		capSharing bool // self node has file sharing capability
+		capSharing bool // self node has file sharing capabilty
 		omitRoot   bool // don't configure
 		req        *http.Request
 		checks     []check
--- a/ipn/ipnlocal/ssh.go
+++ b/ipn/ipnlocal/ssh.go
@@ -38,16 +38,15 @@ import (
 // running as root.
 var keyTypes = []string{"rsa", "ecdsa", "ed25519"}

-// getSSHUsernames discovers and returns the list of usernames that are
-// potential Tailscale SSH user targets.
-//
-// Invariant: must not be called with b.mu held.
 func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*tailcfg.C2NSSHUsernamesResponse, error) {
 	res := new(tailcfg.C2NSSHUsernamesResponse)
-	if !b.tailscaleSSHEnabled() {
+
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.sshServer == nil {
 		return res, nil
 	}
-
 	max := 10
 	if req != nil && req.Max != 0 {
 		max = req.Max
@@ -71,8 +70,8 @@ func (b *LocalBackend) getSSHUsernames(req *tailcfg.C2NSSHUsernamesRequest) (*ta
 		res.Usernames = append(res.Usernames, u)
 	}

-	if opUser := b.operatorUserName(); opUser != "" {
-		add(opUser)
+	if b.prefs != nil && b.prefs.OperatorUser != "" {
+		add(b.prefs.OperatorUser)
 	}

 	// Check popular usernames and see if they exist with a real shell.
--- a/ipn/ipnlocal/tailpipe.go
+++ b/ipn/ipnlocal/tailpipe.go
@@ -1,104 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipnlocal
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httptrace"
-	"net/netip"
-
-	"golang.org/x/exp/slices"
-	"tailscale.com/ipn"
-	"tailscale.com/net/netutil"
-	"tailscale.com/net/tsaddr"
-	"tailscale.com/tailcfg"
-)
-
-// PipeDialPeerAPIURL ....
-func (b *LocalBackend) PipeDialPeerAPIURL(ip netip.Addr) (peerAPIURL string, err error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	nm := b.netMap
-	if b.state != ipn.Running || nm == nil {
-		return "", errors.New("not connected to the tailnet")
-	}
-	ipa := netip.PrefixFrom(ip, ip.BitLen())
-	for _, p := range nm.Peers {
-		if slices.Contains(p.Addresses, ipa) {
-			if p.User == nm.User ||
-				len(p.Addresses) > 0 && b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityTailpipeTarget) {
-				peerAPI := peerAPIBase(b.netMap, p)
-				if peerAPI == "" {
-					continue
-				}
-			}
-			return "", errors.New("invalid target")
-		}
-	}
-	return "", errors.New("target not found")
-}
-
-func (b *LocalBackend) DialTailpipe(ctx context.Context, tailscaleIPStr, portName string) (net.Conn, error) {
-	ip, err := netip.ParseAddr(tailscaleIPStr)
-	if err != nil || !tsaddr.IsTailscaleIP(ip) {
-		return nil, fmt.Errorf("host must be a Tailscale IP for now, not %q", tailscaleIPStr)
-	}
-
-	hc := b.dialer.PeerAPIHTTPClient()
-
-	peerAPIBase, err := b.PipeDialPeerAPIURL(ip)
-	if err != nil {
-		return nil, err
-	}
-	connCh := make(chan net.Conn, 1)
-	trace := httptrace.ClientTrace{
-		GotConn: func(info httptrace.GotConnInfo) {
-			connCh <- info.Conn
-		},
-	}
-	ctx = httptrace.WithClientTrace(ctx, &trace)
-	req, err := http.NewRequestWithContext(ctx, "POST", peerAPIBase+"/localapi/v0/connect-to-open-tailpipe", nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header = http.Header{
-		"Upgrade":    []string{"tailpipe"},
-		"Connection": []string{"upgrade"},
-		"Port-Name":  []string{portName},
-	}
-	res, err := hc.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	if res.StatusCode != http.StatusSwitchingProtocols {
-		body, _ := io.ReadAll(res.Body)
-		res.Body.Close()
-		return nil, fmt.Errorf("unexpected HTTP response: %s, %s", res.Status, body)
-	}
-	// From here on, the underlying net.Conn is ours to use, but there
-	// is still a read buffer attached to it within resp.Body. So, we
-	// must direct I/O through resp.Body, but we can still use the
-	// underlying net.Conn for stuff like deadlines.
-	var switchedConn net.Conn
-	select {
-	case switchedConn = <-connCh:
-	default:
-	}
-	if switchedConn == nil {
-		res.Body.Close()
-		return nil, fmt.Errorf("httptrace didn't provide a connection")
-	}
-	rwc, ok := res.Body.(io.ReadWriteCloser)
-	if !ok {
-		res.Body.Close()
-		return nil, errors.New("http Transport did not provide a writable body")
-	}
-	return netutil.NewAltReadWriteCloserConn(rwc, switchedConn), nil
-}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -57,7 +57,7 @@ import (

 // Options is the configuration of the Tailscale node agent.
 type Options struct {
-	// VarRoot is the Tailscale daemon's private writable
+	// VarRoot is the the Tailscale daemon's private writable
 	// directory (usually "/var/lib/tailscale" on Linux) that
 	// contains the "tailscaled.state" file, the "certs" directory
 	// for TLS certs, and the "files" directory for incoming
@@ -772,7 +772,7 @@ func New(logf logger.Logf, logid string, store ipn.StateStore, eng wgengine.Engi
 	})

 	if root := b.TailscaleVarRoot(); root != "" {
-		chonkDir := filepath.Join(root, "tka")
+		chonkDir := filepath.Join(root, "chonk")
 		if _, err := os.Stat(chonkDir); err == nil {
 			// The directory exists, which means network-lock has been initialized.
 			storage, err := tka.ChonkDir(chonkDir)
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -26,8 +26,6 @@ import (

 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/envknob"
-	"tailscale.com/health"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -37,50 +35,9 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/mak"
-	"tailscale.com/util/strs"
 	"tailscale.com/version"
 )

-type localAPIHandler func(*Handler, http.ResponseWriter, *http.Request)
-
-// handler is the set of LocalAPI handlers, keyed by the part of the
-// Request.URL.Path after "/localapi/v0/". If the key ends with a trailing slash
-// then it's a prefix match.
-var handler = map[string]localAPIHandler{
-	// The prefix match handlers end with a slash:
-	"cert/":     (*Handler).serveCert,
-	"file-put/": (*Handler).serveFilePut,
-	"files/":    (*Handler).serveFiles,
-
-	// The other /localapi/v0/NAME handlers are exact matches and contain only NAME
-	// without a trailing slash:
-	"bugreport":               (*Handler).serveBugReport,
-	"check-ip-forwarding":     (*Handler).serveCheckIPForwarding,
-	"check-prefs":             (*Handler).serveCheckPrefs,
-	"component-debug-logging": (*Handler).serveComponentDebugLogging,
-	"debug":                   (*Handler).serveDebug,
-	"derpmap":                 (*Handler).serveDERPMap,
-	"dial":                    (*Handler).serveDial,
-	"file-targets":            (*Handler).serveFileTargets,
-	"goroutines":              (*Handler).serveGoroutines,
-	"id-token":                (*Handler).serveIDToken,
-	"login-interactive":       (*Handler).serveLoginInteractive,
-	"logout":                  (*Handler).serveLogout,
-	"metrics":                 (*Handler).serveMetrics,
-	"open-bidi-pipe":          (*Handler).serveOpenBidiPipe,
-	"ping":                    (*Handler).servePing,
-	"prefs":                   (*Handler).servePrefs,
-	"profile":                 (*Handler).serveProfile,
-	"set-dns":                 (*Handler).serveSetDNS,
-	"set-expiry-sooner":       (*Handler).serveSetExpirySooner,
-	"status":                  (*Handler).serveStatus,
-	"tka/init":                (*Handler).serveTKAInit,
-	"tka/modify":              (*Handler).serveTKAModify,
-	"tka/status":              (*Handler).serveTKAStatus,
-	"upload-client-metrics":   (*Handler).serveUploadClientMetrics,
-	"whois":                   (*Handler).serveWhoIs,
-}
-
 func randHex(n int) string {
 	b := make([]byte, n)
 	rand.Read(b)
@@ -142,45 +99,68 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	if fn, ok := handlerForPath(r.URL.Path); ok {
-		fn(h, w, r)
-	} else {
-		http.NotFound(w, r)
+	if strings.HasPrefix(r.URL.Path, "/localapi/v0/files/") {
+		h.serveFiles(w, r)
+		return
 	}
-}
-
-// handlerForPath returns the LocalAPI handler for the provided Request.URI.Path.
-// (the path doesn't include any query parameters)
-func handlerForPath(urlPath string) (h localAPIHandler, ok bool) {
-	if urlPath == "/" {
-		return (*Handler).serveLocalAPIRoot, true
+	if strings.HasPrefix(r.URL.Path, "/localapi/v0/file-put/") {
+		h.serveFilePut(w, r)
+		return
 	}
-	suff, ok := strs.CutPrefix(urlPath, "/localapi/v0/")
-	if !ok {
-		// Currently all LocalAPI methods start with "/localapi/v0/" to signal
-		// to people that they're not necessarily stable APIs. In practice we'll
-		// probably need to keep them pretty stable anyway, but for now treat
-		// them as an internal implementation detail.
-		return nil, false
+	if strings.HasPrefix(r.URL.Path, "/localapi/v0/cert/") {
+		h.serveCert(w, r)
+		return
 	}
-	if fn, ok := handler[suff]; ok {
-		// Here we match exact handler suffixes like "status" or ones with a
-		// slash already in their name, like "tka/status".
-		return fn, true
+	switch r.URL.Path {
+	case "/localapi/v0/whois":
+		h.serveWhoIs(w, r)
+	case "/localapi/v0/goroutines":
+		h.serveGoroutines(w, r)
+	case "/localapi/v0/profile":
+		h.serveProfile(w, r)
+	case "/localapi/v0/status":
+		h.serveStatus(w, r)
+	case "/localapi/v0/logout":
+		h.serveLogout(w, r)
+	case "/localapi/v0/login-interactive":
+		h.serveLoginInteractive(w, r)
+	case "/localapi/v0/prefs":
+		h.servePrefs(w, r)
+	case "/localapi/v0/ping":
+		h.servePing(w, r)
+	case "/localapi/v0/check-prefs":
+		h.serveCheckPrefs(w, r)
+	case "/localapi/v0/check-ip-forwarding":
+		h.serveCheckIPForwarding(w, r)
+	case "/localapi/v0/bugreport":
+		h.serveBugReport(w, r)
+	case "/localapi/v0/file-targets":
+		h.serveFileTargets(w, r)
+	case "/localapi/v0/set-dns":
+		h.serveSetDNS(w, r)
+	case "/localapi/v0/derpmap":
+		h.serveDERPMap(w, r)
+	case "/localapi/v0/metrics":
+		h.serveMetrics(w, r)
+	case "/localapi/v0/debug":
+		h.serveDebug(w, r)
+	case "/localapi/v0/set-expiry-sooner":
+		h.serveSetExpirySooner(w, r)
+	case "/localapi/v0/dial":
+		h.serveDial(w, r)
+	case "/localapi/v0/id-token":
+		h.serveIDToken(w, r)
+	case "/localapi/v0/upload-client-metrics":
+		h.serveUploadClientMetrics(w, r)
+	case "/localapi/v0/tka/status":
+		h.serveTkaStatus(w, r)
+	case "/localapi/v0/tka/init":
+		h.serveTkaInit(w, r)
+	case "/":
+		io.WriteString(w, "tailscaled\n")
+	default:
+		http.Error(w, "404 not found", 404)
 	}
-	// Otherwise, it might be a prefix match like "files/*" which we look up
-	// by the prefix including first trailing slash.
-	if i := strings.IndexByte(suff, '/'); i != -1 {
-		suff = suff[:i+1]
-		if fn, ok := handler[suff]; ok {
-			return fn, true
-		}
-	}
-	return nil, false
-}
-
-func (*Handler) serveLocalAPIRoot(w http.ResponseWriter, r *http.Request) {
-	io.WriteString(w, "tailscaled\n")
 }

 // serveIDToken handles requests to get an OIDC ID token.
@@ -241,16 +221,6 @@ func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	if note := r.FormValue("note"); len(note) > 0 {
 		h.logf("user bugreport note: %s", note)
 	}
-	hi, _ := json.Marshal(hostinfo.New())
-	h.logf("user bugreport hostinfo: %s", hi)
-	if err := health.OverallError(); err != nil {
-		h.logf("user bugreport health: %s", err.Error())
-	} else {
-		h.logf("user bugreport health: ok")
-	}
-	if defBool(r.FormValue("diagnose"), false) {
-		h.b.Doctor(r.Context(), logger.WithPrefix(h.logf, "diag: "))
-	}
 	w.Header().Set("Content-Type", "text/plain")
 	fmt.Fprintln(w, logMarker)
 }
@@ -345,24 +315,6 @@ func (h *Handler) serveDebug(w http.ResponseWriter, r *http.Request) {
 	io.WriteString(w, "done\n")
 }

-func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "debug access denied", http.StatusForbidden)
-		return
-	}
-	component := r.FormValue("component")
-	secs, _ := strconv.Atoi(r.FormValue("secs"))
-	err := h.b.SetComponentDebugLogging(component, time.Now().Add(time.Duration(secs)*time.Second))
-	var res struct {
-		Error string
-	}
-	if err != nil {
-		res.Error = err.Error()
-	}
-	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(res)
-}
-
 // serveProfileFunc is the implementation of Handler.serveProfile, after auth,
 // for platforms where we want to link it in.
 var serveProfileFunc func(http.ResponseWriter, *http.Request)
@@ -765,16 +717,8 @@ func (h *Handler) serveDial(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	dial := func() (net.Conn, error) {
-		if strings.HasPrefix(portStr, "tailpipe-") {
-			// hostStr is expected to be a Tailscale IP at this point.
-			return h.b.DialTailpipe(r.Context(), hostStr, portStr)
-		}
-		addr := net.JoinHostPort(hostStr, portStr)
-		return h.b.Dialer().UserDial(r.Context(), "tcp", addr)
-	}
-
-	outConn, err := dial()
+	addr := net.JoinHostPort(hostStr, portStr)
+	outConn, err := h.b.Dialer().UserDial(r.Context(), "tcp", addr)
 	if err != nil {
 		http.Error(w, "dial failure: "+err.Error(), http.StatusBadGateway)
 		return
@@ -856,13 +800,13 @@ func (h *Handler) serveUploadClientMetrics(w http.ResponseWriter, r *http.Reques
 	json.NewEncoder(w).Encode(struct{}{})
 }

-func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTkaStatus(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "lock status access denied", http.StatusForbidden)
 		return
 	}
 	if r.Method != http.MethodGet {
-		http.Error(w, "use GET", http.StatusMethodNotAllowed)
+		http.Error(w, "use Get", http.StatusMethodNotAllowed)
 		return
 	}

@@ -875,7 +819,7 @@ func (h *Handler) serveTKAStatus(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

-func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
+func (h *Handler) serveTkaInit(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "lock init access denied", http.StatusForbidden)
 		return
@@ -908,63 +852,6 @@ func (h *Handler) serveTKAInit(w http.ResponseWriter, r *http.Request) {
 	w.Write(j)
 }

-func (h *Handler) serveTKAModify(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "network-lock modify access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != http.MethodPost {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-
-	type modifyRequest struct {
-		AddKeys    []tka.Key
-		RemoveKeys []tka.Key
-	}
-	var req modifyRequest
-	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
-		http.Error(w, "invalid JSON body", 400)
-		return
-	}
-
-	if err := h.b.NetworkLockModify(req.AddKeys, req.RemoveKeys); err != nil {
-		http.Error(w, "network-lock modify failed: "+err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	j, err := json.MarshalIndent(h.b.NetworkLockStatus(), "", "\t")
-	if err != nil {
-		http.Error(w, "JSON encoding error", 500)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.Write(j)
-}
-
-func (h *Handler) serveOpenBidiPipe(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPost {
-		http.Error(w, "use POST", http.StatusMethodNotAllowed)
-		return
-	}
-	name := r.FormValue("name")
-	if name != "" && !h.PermitWrite {
-		http.Error(w, "naming a bidi pipe requires write access", http.StatusForbidden)
-		return
-	}
-
-	w.Header().Set("Foo", "bar")
-	w.WriteHeader(http.StatusProcessing) // informational code 102
-
-	time.Sleep(time.Second)
-
-	w.Header().Set("Foo", "baz")
-	w.WriteHeader(http.StatusProcessing) // informational code 102
-
-	w.Header()["Foo"] = nil
-	io.WriteString(w, "the body")
-}
-
 func defBool(a string, def bool) bool {
 	if a == "" {
 		return def
--- a/ipn/prefs_test.go
+++ b/ipn/prefs_test.go
@@ -470,7 +470,7 @@ func TestLoadPrefsNotExist(t *testing.T) {
 	t.Fatalf("unexpected prefs=%#v, err=%v", p, err)
 }

-// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs handles corrupted input files.
+// TestLoadPrefsFileWithZeroInIt verifies that LoadPrefs hanldes corrupted input files.
 // See issue #954 for details.
 func TestLoadPrefsFileWithZeroInIt(t *testing.T) {
 	f, err := os.CreateTemp("", "TestLoadPrefsFileWithZeroInIt")
--- a/ipn/store.go
+++ b/ipn/store.go
@@ -6,8 +6,6 @@ package ipn

 import (
 	"errors"
-	"fmt"
-	"strconv"
 )

 // ErrStateNotExist is returned by StateStore.ReadState when the
@@ -37,7 +35,7 @@ const (
 	// StateKey "user-1234".
 	ServerModeStartKey = StateKey("server-mode-start-key")

-	// NLKeyStateKey is the key under which we store the node's
+	// NLKeyStateKey is the key under which we store the nodes'
 	// network-lock node key, in its key.NLPrivate.MarshalText representation.
 	NLKeyStateKey = StateKey("_nl-node-key")
 )
@@ -50,17 +48,3 @@ type StateStore interface {
 	// WriteState saves bs as the state associated with ID.
 	WriteState(id StateKey, bs []byte) error
 }
-
-// ReadStoreInt reads an integer from a StateStore.
-func ReadStoreInt(store StateStore, id StateKey) (int64, error) {
-	v, err := store.ReadState(id)
-	if err != nil {
-		return 0, err
-	}
-	return strconv.ParseInt(string(v), 10, 64)
-}
-
-// PutStoreInt puts an integer into a StateStore.
-func PutStoreInt(store StateStore, id StateKey, val int64) error {
-	return store.WriteState(id, fmt.Appendf(nil, "%d", val))
-}
--- a/licenses/android.md
+++ b/licenses/android.md
@@ -38,7 +38,7 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/777337dba4cf/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tailscale/tailscale-android](https://pkg.go.dev/github.com/tailscale/tailscale-android) ([BSD-3-Clause](https://github.com/tailscale/tailscale-android/blob/HEAD/LICENSE))
@@ -55,9 +55,9 @@ Client][].  See also the dependencies in the [Tailscale CLI][].
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
 - [golang.org/x/exp/shiny](https://pkg.go.dev/golang.org/x/exp/shiny) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/807a2327:shiny/LICENSE))
 - [golang.org/x/image](https://pkg.go.dev/golang.org/x/image) ([BSD-3-Clause](https://cs.opensource.google/go/x/image/+/a66eb644:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -27,7 +27,7 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/mdlayher/sdnotify](https://pkg.go.dev/github.com/mdlayher/sdnotify) ([MIT](https://github.com/mdlayher/sdnotify/blob/v1.0.0/LICENSE.md))
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
 - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/62f465106986/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
 - [github.com/tailscale/goupnp](https://pkg.go.dev/github.com/tailscale/goupnp) ([BSD-2-Clause](https://github.com/tailscale/goupnp/blob/c64d0f06ea05/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
@@ -39,9 +39,9 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
 - [golang.zx2c4.com/wireguard](https://pkg.go.dev/golang.zx2c4.com/wireguard) ([MIT](https://git.zx2c4.com/wireguard-go/tree/LICENSE?id=b51010ba13f0))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -58,7 +58,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/pkg/sftp](https://pkg.go.dev/github.com/pkg/sftp) ([BSD-2-Clause](https://github.com/pkg/sftp/blob/v1.13.4/LICENSE))
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/certstore](https://pkg.go.dev/github.com/tailscale/certstore) ([MIT](https://github.com/tailscale/certstore/blob/78d6e1c49d8d/LICENSE.md))
- - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/62f465106986/LICENSE))
+ - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/0b941c09a5e1/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
@@ -71,9 +71,9 @@ Some packages may only be included on certain architectures or operating systems
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/eb4f295c:LICENSE))
 - [golang.org/x/exp](https://pkg.go.dev/golang.org/x/exp) ([BSD-3-Clause](https://cs.opensource.google/go/x/exp/+/a9213eeb:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
 - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) ([BSD-3-Clause](https://cs.opensource.google/go/x/text/+/18b340fc:LICENSE))
 - [golang.org/x/time/rate](https://pkg.go.dev/golang.org/x/time/rate) ([BSD-3-Clause](https://cs.opensource.google/go/x/time/+/f0f3c7e8:LICENSE))
--- a/licenses/win.md
+++ b/licenses/win.md
@@ -0,0 +1,47 @@
+# Tailscale for Windows dependencies
+
+The following open source dependencies are used to build the [Tailscale client
+for windows][].  See also the dependencies in the [Tailscale CLI][].
+
+[Tailscale client for windows]: https://tailscale.com/kb/1022/install-windows/
+[Tailscale CLI]: ./tailscale.md
+
+## Go Packages
+
+
+ - [filippo.io/edwards25519](https://pkg.go.dev/filippo.io/edwards25519) ([BSD-3-Clause](https://github.com/FiloSottile/edwards25519/blob/v1.0.0-rc.1/LICENSE))
+ - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/909beea2cc74/LICENSE))
+ - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
+ - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
+ - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.4.0/LICENSE))
+ - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
+ - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/c00d1f31bab3/LICENSE))
+ - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/v1.0.0/license))
+ - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/d380b505068b/LICENSE.md))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.15.5/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.15.5/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.15.5/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/lxn/walk](https://pkg.go.dev/github.com/lxn/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/ed127cfb919a/LICENSE))
+ - [github.com/lxn/win](https://pkg.go.dev/github.com/lxn/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/c3f813abca9f/LICENSE))
+ - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.6.0/LICENSE.md))
+ - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.2.3/LICENSE.md))
+ - [github.com/mitchellh/go-ps](https://pkg.go.dev/github.com/mitchellh/go-ps) ([MIT](https://github.com/mitchellh/go-ps/blob/v1.0.0/LICENSE.md))
+ - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
+ - [github.com/x448/float16](https://pkg.go.dev/github.com/x448/float16) ([MIT](https://github.com/x448/float16/blob/v0.8.4/LICENSE))
+ - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
+ - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
+ - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
+ - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
+ - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
+ - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.4.10))
+ - [gopkg.in/Knetic/govaluate.v3](https://pkg.go.dev/gopkg.in/Knetic/govaluate.v3) ([MIT](https://github.com/Knetic/govaluate/blob/v3.0.0/LICENSE))
+ - [tailscale.com](https://pkg.go.dev/tailscale.com) ([BSD-3-Clause](https://github.com/tailscale/tailscale/blob/f81723ceac3f/LICENSE))
+
+## Additional Dependencies
+
+ - [Nullsoft Scriptable Install System](https://nsis.sourceforge.io/) ([zlib/libpng](https://nsis.sourceforge.io/License))
+ - [Wintun](https://www.wintun.net/) ([Prebuilt Binaries License](https://git.zx2c4.com/wintun/tree/prebuilt-binaries-license.txt))
+ - [wireguard-windows](https://git.zx2c4.com/wireguard-windows/) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -31,9 +31,9 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [go4.org/mem](https://pkg.go.dev/go4.org/mem) ([Apache-2.0](https://github.com/go4org/mem/blob/4f986261bf13/LICENSE))
 - [go4.org/netipx](https://pkg.go.dev/go4.org/netipx) ([BSD-3-Clause](https://github.com/go4org/netipx/blob/7e7bdc8411bf/LICENSE))
 - [golang.org/x/crypto](https://pkg.go.dev/golang.org/x/crypto) ([BSD-3-Clause](https://cs.opensource.google/go/x/crypto/+/6f7dac96:LICENSE))
- - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/bcab6841:LICENSE))
- - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/886fb937:LICENSE))
- - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/3c1f3524:LICENSE))
+ - [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) ([BSD-3-Clause](https://cs.opensource.google/go/x/net/+/c690dde0:LICENSE))
+ - [golang.org/x/sync/errgroup](https://pkg.go.dev/golang.org/x/sync/errgroup) ([BSD-3-Clause](https://cs.opensource.google/go/x/sync/+/0de741cf:LICENSE))
+ - [golang.org/x/sys](https://pkg.go.dev/golang.org/x/sys) ([BSD-3-Clause](https://cs.opensource.google/go/x/sys/+/c0bba94a:LICENSE))
 - [golang.org/x/term](https://pkg.go.dev/golang.org/x/term) ([BSD-3-Clause](https://cs.opensource.google/go/x/term/+/03fcf44c:LICENSE))
 - [golang.zx2c4.com/wintun](https://pkg.go.dev/golang.zx2c4.com/wintun) ([MIT](https://git.zx2c4.com/wintun-go/tree/LICENSE?id=415007cec224))
 - [golang.zx2c4.com/wireguard/windows/tunnel/winipcfg](https://pkg.go.dev/golang.zx2c4.com/wireguard/windows/tunnel/winipcfg) ([MIT](https://git.zx2c4.com/wireguard-windows/tree/COPYING?h=v0.5.3))
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@@ -70,24 +70,11 @@ func getLogTarget() string {
 	return getLogTargetOnce.v
 }

-// LogURL is the base URL for the configured logtail server, or the default.
-// It is guaranteed to not terminate with any forward slashes.
-func LogURL() string {
-	if v := getLogTarget(); v != "" {
-		return strings.TrimRight(v, "/")
-	}
-	return "https://" + logtail.DefaultHost
-}
-
 // LogHost returns the hostname only (without port) of the configured
 // logtail server, or the default.
-//
-// Deprecated: Use LogURL instead.
 func LogHost() string {
 	if v := getLogTarget(); v != "" {
-		if u, err := url.Parse(v); err == nil {
-			return u.Hostname()
-		}
+		return v
 	}
 	return logtail.DefaultHost
 }
@@ -609,7 +596,7 @@ func NewWithConfigPath(collection, dir, cmdName string) *Policy {
 		}
 	}

-	log.SetFlags(0) // other log flags are set on console, not here
+	log.SetFlags(0) // other logflags are set on console, not here
 	log.SetOutput(logOutput)

 	log.Printf("Program starting: v%v, Go %v: %#v",
--- a/logpolicy/logpolicy_test.go
+++ b/logpolicy/logpolicy_test.go
@@ -1,37 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package logpolicy
-
-import (
-	"os"
-	"reflect"
-	"testing"
-)
-
-func TestLogHost(t *testing.T) {
-	v := reflect.ValueOf(&getLogTargetOnce).Elem()
-	reset := func() {
-		v.Set(reflect.Zero(v.Type()))
-	}
-	defer reset()
-
-	tests := []struct {
-		env  string
-		want string
-	}{
-		{"", "log.tailscale.io"},
-		{"http://foo.com", "foo.com"},
-		{"https://foo.com", "foo.com"},
-		{"https://foo.com/", "foo.com"},
-		{"https://foo.com:123/", "foo.com"},
-	}
-	for _, tt := range tests {
-		reset()
-		os.Setenv("TS_LOG_TARGET", tt.env)
-		if got := LogHost(); got != tt.want {
-			t.Errorf("for env %q, got %q, want %q", tt.env, got, tt.want)
-		}
-	}
-}
--- a/logtail/id.go
+++ b/logtail/id.go
@@ -34,7 +34,7 @@ func NewPrivateID() (id PrivateID, err error) {
 func (id PrivateID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PrivateID.MarshalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PrivateID.MarhsalText: i=%d", i)
 	}
 	return b, nil
 }
@@ -122,7 +122,7 @@ func MustParsePublicID(s string) PublicID {
 func (id PublicID) MarshalText() ([]byte, error) {
 	b := make([]byte, hex.EncodedLen(len(id)))
 	if i := hex.Encode(b, id[:]); i != len(b) {
-		return nil, fmt.Errorf("logtail.PublicID.MarshalText: i=%d", i)
+		return nil, fmt.Errorf("logtail.PublicID.MarhsalText: i=%d", i)
 	}
 	return b, nil
 }
--- a/logtail/logtail.go
+++ b/logtail/logtail.go
@@ -44,13 +44,12 @@ type Encoder interface {

 type Config struct {
 	Collection     string           // collection name, a domain name
-	PrivateID      PrivateID        // private ID for the primary log stream
-	CopyPrivateID  PrivateID        // private ID for a log stream that is a superset of this log stream
+	PrivateID      PrivateID        // machine-specific private identifier
 	BaseURL        string           // if empty defaults to "https://log.tailscale.io"
 	HTTPC          *http.Client     // if empty defaults to http.DefaultClient
 	SkipClientTime bool             // if true, client_time is not written to logs
 	LowMemory      bool             // if true, logtail minimizes memory use
-	TimeNow        func() time.Time // if set, substitutes uses of time.Now
+	TimeNow        func() time.Time // if set, subsitutes uses of time.Now
 	Stderr         io.Writer        // if set, logs are sent here instead of os.Stderr
 	StderrLevel    int              // max verbosity level to write to stderr; 0 means the non-verbose messages only
 	Buffer         Buffer           // temp storage, if nil a MemoryBuffer
@@ -74,7 +73,7 @@ type Config struct {

 	// IncludeProcSequence, if true, results in an ephemeral sequence number
 	// being included in the logs. The sequence number is incremented for each
-	// log message sent, but is not persisted across process restarts.
+	// log message sent, but is not peristed across process restarts.
 	IncludeProcSequence bool
 }

@@ -113,16 +112,12 @@ func NewLogger(cfg Config, logf tslogger.Logf) *Logger {
 	stdLogf := func(f string, a ...any) {
 		fmt.Fprintf(cfg.Stderr, strings.TrimSuffix(f, "\n")+"\n", a...)
 	}
-	var urlSuffix string
-	if !cfg.CopyPrivateID.IsZero() {
-		urlSuffix = "?copyId=" + cfg.CopyPrivateID.String()
-	}
 	l := &Logger{
 		privateID:      cfg.PrivateID,
 		stderr:         cfg.Stderr,
 		stderrLevel:    int64(cfg.StderrLevel),
 		httpc:          cfg.HTTPC,
-		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String() + urlSuffix,
+		url:            cfg.BaseURL + "/c/" + cfg.Collection + "/" + cfg.PrivateID.String(),
 		lowMem:         cfg.LowMemory,
 		buffer:         cfg.Buffer,
 		skipClientTime: cfg.SkipClientTime,
@@ -524,7 +519,7 @@ func (l *Logger) encodeText(buf []byte, skipClientTime bool, procID uint32, proc
 		b = append(b, `"logtail": {`...)
 		if !skipClientTime {
 			b = append(b, `"client_time": "`...)
-			b = now.UTC().AppendFormat(b, time.RFC3339Nano)
+			b = now.AppendFormat(b, time.RFC3339Nano)
 			b = append(b, `",`...)
 		}
 		if procID != 0 {
@@ -617,7 +612,7 @@ func (l *Logger) encodeLocked(buf []byte, level int) []byte {
 	if !l.skipClientTime || l.procID != 0 || l.procSequence != 0 {
 		logtail := map[string]any{}
 		if !l.skipClientTime {
-			logtail["client_time"] = now.UTC().Format(time.RFC3339Nano)
+			logtail["client_time"] = now.Format(time.RFC3339Nano)
 		}
 		if l.procID != 0 {
 			logtail["proc_id"] = l.procID
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -381,7 +381,7 @@ func (m *Manager) NextPacket() ([]byte, error) {
 	return buf, nil
 }

-// Query executes a DNS query received from the given address. The query is
+// Query executes a DNS query recieved from the given address. The query is
 // provided in bs as a wire-encoded DNS query without any transport header.
 // This method is called for requests arriving over UDP and TCP.
 func (m *Manager) Query(ctx context.Context, bs []byte, from netip.AddrPort) ([]byte, error) {
@@ -540,7 +540,7 @@ func Cleanup(logf logger.Logf, interfaceName string) {
 		logf("creating dns cleanup: %v", err)
 		return
 	}
-	dns := NewManager(logf, oscfg, nil, &tsdial.Dialer{Logf: logf}, nil)
+	dns := NewManager(logf, oscfg, nil, new(tsdial.Dialer), nil)
 	if err := dns.Down(); err != nil {
 		logf("dns down: %v", err)
 	}
--- a/net/dns/manager_windows_test.go
+++ b/net/dns/manager_windows_test.go
@@ -274,7 +274,7 @@ func runTest(t *testing.T, isLocal bool) {
 	runCase := func(n int) {
 		t.Logf("Test case: %d domains\n", n)
 		if !isLocal {
-			// When !isLocal, we want to check that a GP notification occurred for
+			// When !isLocal, we want to check that a GP notification occured for
 			// every single test case.
 			trk, err = newGPNotificationTracker()
 			if err != nil {
--- a/net/dns/nm.go
+++ b/net/dns/nm.go
@@ -302,7 +302,7 @@ func (m *nmManager) GetBaseConfig() (OSConfig, error) {
 	for _, cfg := range cfgs {
 		if name, ok := cfg["interface"]; ok {
 			if s, ok := name.Value().(string); ok && s == m.interfaceName {
-				// Config for the tailscale interface, skip.
+				// Config for the taislcale interface, skip.
 				continue
 			}
 		}
--- a/net/dns/nrpt_windows.go
+++ b/net/dns/nrpt_windows.go
@@ -58,7 +58,7 @@ var (

 const _RP_FORCE = 1 // Flag for RefreshPolicyEx

-// nrptRuleDatabase encapsulates access to the Windows Name Resolution Policy
+// nrptRuleDatabase ensapsulates access to the Windows Name Resolution Policy
 // Table (NRPT).
 type nrptRuleDatabase struct {
 	logf               logger.Logf
--- a/net/dns/osconfig.go
+++ b/net/dns/osconfig.go
@@ -5,12 +5,9 @@
 package dns

 import (
-	"bufio"
 	"errors"
-	"fmt"
 	"net/netip"

-	"tailscale.com/types/logger"
 	"tailscale.com/util/dnsname"
 )

@@ -100,44 +97,6 @@ func (a OSConfig) Equal(b OSConfig) bool {
 	return true
 }

-// Format implements the fmt.Formatter interface to ensure that Hosts is
-// printed correctly (i.e. not as a bunch of pointers).
-//
-// Fixes https://github.com/tailscale/tailscale/issues/5669
-func (a OSConfig) Format(f fmt.State, verb rune) {
-	logger.ArgWriter(func(w *bufio.Writer) {
-		w.WriteString(`{Nameservers:[`)
-		for i, ns := range a.Nameservers {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", ns)
-		}
-		w.WriteString(`] SearchDomains:[`)
-		for i, domain := range a.SearchDomains {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", domain)
-		}
-		w.WriteString(`] MatchDomains:[`)
-		for i, domain := range a.MatchDomains {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", domain)
-		}
-		w.WriteString(`] Hosts:[`)
-		for i, host := range a.Hosts {
-			if i != 0 {
-				w.WriteString(" ")
-			}
-			fmt.Fprintf(w, "%+v", host)
-		}
-		w.WriteString(`]}`)
-	}).Format(f, verb)
-}
-
 // ErrGetBaseConfigNotSupported is the error
 // OSConfigurator.GetBaseConfig returns when the OSConfigurator
 // doesn't support reading the underlying configuration out of the OS.
--- a/net/dns/osconfig_test.go
+++ b/net/dns/osconfig_test.go
@@ -1,44 +0,0 @@
-// Copyright (c) 2022 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"tailscale.com/util/dnsname"
-)
-
-func TestOSConfigPrintable(t *testing.T) {
-	ocfg := OSConfig{
-		Hosts: []*HostEntry{
-			{
-				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 3}),
-				Hosts: []string{"server", "client"},
-			},
-			{
-				Addr:  netip.AddrFrom4([4]byte{100, 1, 2, 4}),
-				Hosts: []string{"otherhost"},
-			},
-		},
-		Nameservers: []netip.Addr{
-			netip.AddrFrom4([4]byte{8, 8, 8, 8}),
-		},
-		SearchDomains: []dnsname.FQDN{
-			dnsname.FQDN("foo.beta.tailscale.net."),
-			dnsname.FQDN("bar.beta.tailscale.net."),
-		},
-		MatchDomains: []dnsname.FQDN{
-			dnsname.FQDN("ts.com."),
-		},
-	}
-	s := fmt.Sprintf("%+v", ocfg)
-
-	const expected = `{Nameservers:[8.8.8.8] SearchDomains:[foo.beta.tailscale.net. bar.beta.tailscale.net.] MatchDomains:[ts.com.] Hosts:[&{Addr:100.1.2.3 Hosts:[server client]} &{Addr:100.1.2.4 Hosts:[otherhost]}]}`
-	if s != expected {
-		t.Errorf("format mismatch:\n   got: %s\n  want: %s", s, expected)
-	}
-}
--- a/net/dns/publicdns/publicdns.go
+++ b/net/dns/publicdns/publicdns.go
@@ -37,15 +37,15 @@ func DoHEndpointFromIP(ip netip.Addr) (dohBase string, dohOnly bool, ok bool) {
 	}

 	// NextDNS DoH URLs are of the form "https://dns.nextdns.io/c3a884"
-	// where the path component is the lower 12 bytes of the IPv6 address
+	// where the path component is the lower 8 bytes of the IPv6 address
 	// in lowercase hex without any zero padding.
 	if nextDNSv6RangeA.Contains(ip) || nextDNSv6RangeB.Contains(ip) {
 		a := ip.As16()
 		var sb strings.Builder
 		const base = "https://dns.nextdns.io/"
-		sb.Grow(len(base) + 12)
+		sb.Grow(len(base) + 8)
 		sb.WriteString(base)
-		for _, b := range bytes.TrimLeft(a[4:], "\x00") {
+		for _, b := range bytes.TrimLeft(a[8:], "\x00") {
 			fmt.Fprintf(&sb, "%02x", b)
 		}
 		return sb.String(), true, true
@@ -100,7 +100,7 @@ func DoHIPsOfBase(dohBase string) []netip.Addr {
 		// conventional for them and not required (it'll already be in the DoH path).
 		// (Really we shouldn't use either IPv4 or IPv6 anycast for DoH once we
 		// resolve "dns.nextdns.io".)
-		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 12 && len(b) > 0 {
+		if b, err := hex.DecodeString(hexStr); err == nil && len(b) <= 8 && len(b) > 0 {
 			return []netip.Addr{
 				nextDNSv4One,
 				nextDNSv4Two,
@@ -215,7 +215,7 @@ var (
 // nextDNSv6Gen generates a NextDNS IPv6 address from the upper 8 bytes in the
 // provided ip and using id as the lowest 0-8 bytes.
 func nextDNSv6Gen(ip netip.Addr, id []byte) netip.Addr {
-	if len(id) > 12 {
+	if len(id) > 8 {
 		return netip.Addr{}
 	}
 	a := ip.As16()
--- a/net/dns/publicdns/publicdns_test.go
+++ b/net/dns/publicdns/publicdns_test.go
@@ -86,19 +86,6 @@ func TestDoHIPsOfBase(t *testing.T) {
 				"2a07:a8c1::c3:a884",
 			),
 		},
-		{
-			base: "https://dns.nextdns.io/112233445566778899aabbcc",
-			want: ips(
-				"45.90.28.0",
-				"45.90.30.0",
-				"2a07:a8c0:1122:3344:5566:7788:99aa:bbcc",
-				"2a07:a8c1:1122:3344:5566:7788:99aa:bbcc",
-			),
-		},
-		{
-			base: "https://dns.nextdns.io/112233445566778899aabbccdd",
-			want: ips(), // nothing; profile length is over 12 bytes
-		},
 		{
 			base: "https://dns.nextdns.io/c3a884/with/more/stuff",
 			want: ips(
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -180,7 +180,7 @@ type resolverAndDelay struct {
 type forwarder struct {
 	logf    logger.Logf
 	linkMon *monitor.Mon
-	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absorbs it
+	linkSel ForwardLinkSelector // TODO(bradfitz): remove this when tsdial.Dialer absords it
 	dialer  *tsdial.Dialer
 	dohSem  chan struct{}

@@ -502,7 +502,7 @@ func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDe
 		// Only known DoH providers are supported currently. Specifically, we
 		// only support DoH providers where we can TCP connect to them on port
 		// 443 at the same IP address they serve normal UDP DNS from (1.1.1.1,
-		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custom DoH providers
+		// 8.8.8.8, 9.9.9.9, etc.) That's why OpenDNS and custon DoH providers
 		// aren't currently supported. There's no backup DNS resolution path for
 		// them.
 		urlBase := rr.name.Addr
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -609,7 +609,7 @@ func (r *Resolver) resolveLocal(domain dnsname.FQDN, typ dns.Type) (netip.Addr,
 		metricDNSResolveLocalOKAll.Add(1)
 		return addrs[0], dns.RCodeSuccess

-	// Leave some record types explicitly unimplemented.
+	// Leave some some record types explicitly unimplemented.
 	// These types relate to recursive resolution or special
 	// DNS semantics and might be implemented in the future.
 	case dns.TypeNS, dns.TypeSOA, dns.TypeAXFR, dns.TypeHINFO:
--- a/net/dnscache/messagecache.go
+++ b/net/dnscache/messagecache.go
@@ -99,7 +99,7 @@ type msgResource struct {
 }

 // ErrCacheMiss is a sentinel error returned by MessageCache.ReplyFromCache
-// when the request can not be satisfied from cache.
+// when the request can not be satisified from cache.
 var ErrCacheMiss = errors.New("cache miss")

 var parserPool = &sync.Pool{
@@ -264,7 +264,7 @@ func asciiLowerName(n dnsmessage.Name) dnsmessage.Name {
 }

 // packDNSResponse builds a DNS response for the given question and
-// transaction ID. The response resource records will have the
+// transaction ID. The response resource records will have have the
 // same provided TTL.
 func packDNSResponse(q msgQ, txID uint16, ttl uint32, answers []msgResource) ([]byte, error) {
 	var baseMem []byte // TODO: guess a max size based on looping over answers?
--- a/net/flowtrack/flowtrack.go
+++ b/net/flowtrack/flowtrack.go
@@ -20,9 +20,9 @@ import (

 // Tuple is a 5-tuple of proto, source and destination IP and port.
 type Tuple struct {
-	Proto ipproto.Proto  `json:"proto"`
-	Src   netip.AddrPort `json:"src"`
-	Dst   netip.AddrPort `json:"dst"`
+	Proto ipproto.Proto
+	Src   netip.AddrPort
+	Dst   netip.AddrPort
 }

 func (t Tuple) String() string {
--- a/net/interfaces/interfaces.go
+++ b/net/interfaces/interfaces.go
@@ -441,13 +441,13 @@ func prefixesEqual(a, b []netip.Prefix) bool {

 // UseInterestingInterfaces is an InterfaceFilter that reports whether i is an interesting interface.
 // An interesting interface if it is (a) not owned by Tailscale and (b) routes interesting IP addresses.
-// See UseInterestingIPs for the definition of an interesting IP address.
+// See UseInterestingIPs for the defition of an interesting IP address.
 func UseInterestingInterfaces(i Interface, ips []netip.Prefix) bool {
 	return !isTailscaleInterface(i.Name, ips) && anyInterestingIP(ips)
 }

 // UseInterestingIPs is an IPFilter that reports whether ip is an interesting IP address.
-// An IP address is interesting if it is neither a loopback nor a link local unicast IP address.
+// An IP address is interesting if it is neither a lopback not a link local unicast IP address.
 func UseInterestingIPs(ip netip.Addr) bool {
 	return isInterestingIP(ip)
 }
@@ -455,7 +455,7 @@ func UseInterestingIPs(ip netip.Addr) bool {
 // UseAllInterfaces is an InterfaceFilter that includes all interfaces.
 func UseAllInterfaces(i Interface, ips []netip.Prefix) bool { return true }

-// UseAllIPs is an IPFilter that includes all IPs.
+// UseAllIPs is an IPFilter that includes all all IPs.
 func UseAllIPs(ips netip.Addr) bool { return true }

 func (s *State) HasPAC() bool { return s != nil && s.PAC != "" }
--- a/net/netcheck/netcheck.go
+++ b/net/netcheck/netcheck.go
@@ -13,7 +13,6 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"math/rand"
 	"net"
 	"net/http"
 	"net/netip"
@@ -113,10 +112,6 @@ type Report struct {
 	GlobalV4 string // ip:port of global IPv4
 	GlobalV6 string // [ip]:port of global IPv6

-	// CaptivePortal is set when we think there's a captive portal that is
-	// intercepting HTTP traffic.
-	CaptivePortal opt.Bool
-
 	// TODO: update Clone when adding new fields
 }

@@ -161,7 +156,7 @@ type Client struct {

 	// GetSTUNConn4 optionally provides a func to return the
 	// connection to use for sending & receiving IPv4 packets. If
-	// nil, an ephemeral one is created as needed.
+	// nil, an emphemeral one is created as needed.
 	GetSTUNConn4 func() STUNConn

 	// GetSTUNConn6 is like GetSTUNConn4, but for IPv6.
@@ -180,10 +175,6 @@ type Client struct {
 	// If nil, portmap discovery is not done.
 	PortMapper *portmapper.Client // lazily initialized on first use

-	// For tests
-	testEnoughRegions      int
-	testCaptivePortalDelay time.Duration
-
 	mu       sync.Mutex            // guards following
 	nextFull bool                  // do a full region scan, even if last != nil
 	prev     map[time.Time]*Report // some previous reports
@@ -201,9 +192,6 @@ type STUNConn interface {
 }

 func (c *Client) enoughRegions() int {
-	if c.testEnoughRegions > 0 {
-		return c.testEnoughRegions
-	}
 	if c.Verbose {
 		// Abuse verbose a bit here so netcheck can show all region latencies
 		// in verbose mode.
@@ -212,14 +200,6 @@ func (c *Client) enoughRegions() int {
 	return 3
 }

-func (c *Client) captivePortalDelay() time.Duration {
-	if c.testCaptivePortalDelay > 0 {
-		return c.testCaptivePortalDelay
-	}
-	// Chosen semi-arbitrarily
-	return 200 * time.Millisecond
-}
-
 func (c *Client) logf(format string, a ...any) {
 	if c.Logf != nil {
 		c.Logf(format, a...)
@@ -803,35 +783,13 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 	}
 	c.curState = rs
 	last := c.last
-
-	// Even if we're doing a non-incremental update, we may want to try our
-	// preferred DERP region for captive portal detection. Save that, if we
-	// have it.
-	var preferredDERP int
-	if last != nil {
-		preferredDERP = last.PreferredDERP
-	}
-
 	now := c.timeNow()
-
-	doFull := false
 	if c.nextFull || now.Sub(c.lastFull) > 5*time.Minute {
-		doFull = true
-	}
-	// If the last report had a captive portal and reported no UDP access,
-	// it's possible that we didn't get a useful netcheck due to the
-	// captive portal blocking us. If so, make this report a full
-	// (non-incremental) one.
-	if !doFull && last != nil {
-		doFull = !last.UDP && last.CaptivePortal.EqualBool(true)
-	}
-	if doFull {
 		last = nil // causes makeProbePlan below to do a full (initial) plan
 		c.nextFull = false
 		c.lastFull = now
 		metricNumGetReportFull.Add(1)
 	}
-
 	rs.incremental = last != nil
 	c.mu.Unlock()

@@ -916,48 +874,6 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,

 	plan := makeProbePlan(dm, ifState, last)

-	// If we're doing a full probe, also check for a captive portal. We
-	// delay by a bit to wait for UDP STUN to finish, to avoid the probe if
-	// it's unnecessary.
-	captivePortalDone := syncs.ClosedChan()
-	captivePortalStop := func() {}
-	if !rs.incremental {
-		// NOTE(andrew): we can't simply add this goroutine to the
-		// `NewWaitGroupChan` below, since we don't wait for that
-		// waitgroup to finish when exiting this function and thus get
-		// a data race.
-		ch := make(chan struct{})
-		captivePortalDone = ch
-
-		tmr := time.AfterFunc(c.captivePortalDelay(), func() {
-			defer close(ch)
-			found, err := c.checkCaptivePortal(ctx, dm, preferredDERP)
-			if err != nil {
-				c.logf("[v1] checkCaptivePortal: %v", err)
-				return
-			}
-			rs.report.CaptivePortal.Set(found)
-		})
-
-		captivePortalStop = func() {
-			// Don't cancel our captive portal check if we're
-			// explicitly doing a verbose netcheck.
-			if c.Verbose {
-				return
-			}
-
-			if tmr.Stop() {
-				// Stopped successfully; need to close the
-				// signal channel ourselves.
-				close(ch)
-				return
-			}
-
-			// Did not stop; do nothing and it'll finish by itself
-			// and close the signal channel.
-		}
-	}
-
 	wg := syncs.NewWaitGroupChan()
 	wg.Add(len(plan))
 	for _, probeSet := range plan {
@@ -978,17 +894,9 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 	case <-stunTimer.C:
 	case <-ctx.Done():
 	case <-wg.DoneChan():
-		// All of our probes finished, so if we have >0 responses, we
-		// stop our captive portal check.
-		if rs.anyUDP() {
-			captivePortalStop()
-		}
 	case <-rs.stopProbeCh:
 		// Saw enough regions.
 		c.vlogf("saw enough regions; not waiting for rest")
-		// We can stop the captive portal check since we know that we
-		// got a bunch of STUN responses.
-		captivePortalStop()
 	}

 	rs.waitHairCheck(ctx)
@@ -1057,9 +965,6 @@ func (c *Client) GetReport(ctx context.Context, dm *tailcfg.DERPMap) (_ *Report,
 		wg.Wait()
 	}

-	// Wait for captive portal check before finishing the report.
-	<-captivePortalDone
-
 	return c.finishAndStoreReport(rs, dm), nil
 }

@@ -1074,54 +979,6 @@ func (c *Client) finishAndStoreReport(rs *reportState, dm *tailcfg.DERPMap) *Rep
 	return report
 }

-var noRedirectClient = &http.Client{
-	// No redirects allowed
-	CheckRedirect: func(req *http.Request, via []*http.Request) error {
-		return http.ErrUseLastResponse
-	},
-
-	// Remaining fields are the same as the default client.
-	Transport: http.DefaultClient.Transport,
-	Jar:       http.DefaultClient.Jar,
-	Timeout:   http.DefaultClient.Timeout,
-}
-
-// checkCaptivePortal reports whether or not we think the system is behind a
-// captive portal, detected by making a request to a URL that we know should
-// return a "204 No Content" response and checking if that's what we get.
-//
-// The boolean return is whether we think we have a captive portal.
-func (c *Client) checkCaptivePortal(ctx context.Context, dm *tailcfg.DERPMap, preferredDERP int) (bool, error) {
-	defer noRedirectClient.CloseIdleConnections()
-
-	// If we have a preferred DERP region with more than one node, try
-	// that; otherwise, pick a random one not marked as "Avoid".
-	if preferredDERP == 0 || dm.Regions[preferredDERP] == nil ||
-		(preferredDERP != 0 && len(dm.Regions[preferredDERP].Nodes) == 0) {
-		rids := make([]int, 0, len(dm.Regions))
-		for id, reg := range dm.Regions {
-			if reg == nil || reg.Avoid || len(reg.Nodes) == 0 {
-				continue
-			}
-			rids = append(rids, id)
-		}
-		preferredDERP = rids[rand.Intn(len(rids))]
-	}
-
-	node := dm.Regions[preferredDERP].Nodes[0]
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://"+node.HostName+"/generate_204", nil)
-	if err != nil {
-		return false, err
-	}
-	r, err := noRedirectClient.Do(req)
-	if err != nil {
-		return false, err
-	}
-	c.logf("[v2] checkCaptivePortal url=%q status_code=%d", req.URL.String(), r.StatusCode)
-
-	return r.StatusCode != 204, nil
-}
-
 // runHTTPOnlyChecks is the netcheck done by environments that can
 // only do HTTP requests, such as ws/wasm.
 func (c *Client) runHTTPOnlyChecks(ctx context.Context, last *Report, rs *reportState, dm *tailcfg.DERPMap) error {
@@ -1188,8 +1045,6 @@ func (c *Client) measureHTTPSLatency(ctx context.Context, reg *tailcfg.DERPRegio
 	var ip netip.Addr

 	dc := derphttp.NewNetcheckClient(c.logf)
-	defer dc.Close()
-
 	tlsConn, tcpConn, node, err := dc.DialRegionTLS(ctx, reg)
 	if err != nil {
 		return 0, ip, err
@@ -1345,9 +1200,6 @@ func (c *Client) logConciseReport(r *Report, dm *tailcfg.DERPMap) {
 		if r.GlobalV6 != "" {
 			fmt.Fprintf(w, " v6a=%v", r.GlobalV6)
 		}
-		if r.CaptivePortal != "" {
-			fmt.Fprintf(w, " captiveportal=%v", r.CaptivePortal)
-		}
 		fmt.Fprintf(w, " derp=%v", r.PreferredDERP)
 		if r.PreferredDERP != 0 {
 			fmt.Fprintf(w, " derpdist=")
--- a/net/netcheck/netcheck_test.go
+++ b/net/netcheck/netcheck_test.go
@@ -9,13 +9,11 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/http"
 	"net/netip"
 	"reflect"
 	"sort"
 	"strconv"
 	"strings"
-	"sync/atomic"
 	"testing"
 	"time"

@@ -117,9 +115,6 @@ func TestWorksWhenUDPBlocked(t *testing.T) {
 	// OS IPv6 test is irrelevant here, accept whatever the current
 	// machine has.
 	want.OSHasIPv6 = r.OSHasIPv6
-	// Captive portal test is irrelevant; accept what the current report
-	// has.
-	want.CaptivePortal = r.CaptivePortal

 	if !reflect.DeepEqual(r, want) {
 		t.Errorf("mismatch\n got: %+v\nwant: %+v\n", r, want)
@@ -666,57 +661,3 @@ func TestSortRegions(t *testing.T) {
 		t.Errorf("got %v; want %v", got, want)
 	}
 }
-
-func TestNoCaptivePortalWhenUDP(t *testing.T) {
-	// Override noRedirectClient to handle the /generate_204 endpoint
-	var generate204Called atomic.Bool
-	tr := RoundTripFunc(func(req *http.Request) *http.Response {
-		if !strings.HasSuffix(req.URL.String(), "/generate_204") {
-			panic("bad URL: " + req.URL.String())
-		}
-		generate204Called.Store(true)
-		return &http.Response{
-			StatusCode: http.StatusNoContent,
-			Header:     make(http.Header),
-		}
-	})
-
-	oldTransport := noRedirectClient.Transport
-	t.Cleanup(func() { noRedirectClient.Transport = oldTransport })
-	noRedirectClient.Transport = tr
-
-	stunAddr, cleanup := stuntest.Serve(t)
-	defer cleanup()
-
-	c := &Client{
-		Logf:              t.Logf,
-		UDPBindAddr:       "127.0.0.1:0",
-		testEnoughRegions: 1,
-
-		// Set the delay long enough that we have time to cancel it
-		// when our STUN probe succeeds.
-		testCaptivePortalDelay: 10 * time.Second,
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
-	defer cancel()
-
-	r, err := c.GetReport(ctx, stuntest.DERPMapOf(stunAddr.String()))
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Should not have called our captive portal function.
-	if generate204Called.Load() {
-		t.Errorf("captive portal check called; expected no call")
-	}
-	if r.CaptivePortal != "" {
-		t.Errorf("got CaptivePortal=%q, want empty", r.CaptivePortal)
-	}
-}
-
-type RoundTripFunc func(req *http.Request) *http.Response
-
-func (f RoundTripFunc) RoundTrip(req *http.Request) (*http.Response, error) {
-	return f(req), nil
-}
--- a/net/nettest/conn.go
+++ b/net/nettest/conn.go
@@ -6,7 +6,6 @@ package nettest

 import (
 	"net"
-	"net/netip"
 	"time"
 )

@@ -33,38 +32,20 @@ func NewConn(name string, maxBuf int) (Conn, Conn) {
 	return &connHalf{r: r, w: w}, &connHalf{r: w, w: r}
 }

-// NewTCPConn creates a pair of Conns that are wired together by pipes.
-func NewTCPConn(src, dst netip.AddrPort, maxBuf int) (local Conn, remote Conn) {
-	r := NewPipe(src.String(), maxBuf)
-	w := NewPipe(dst.String(), maxBuf)
-
-	lAddr := net.TCPAddrFromAddrPort(src)
-	rAddr := net.TCPAddrFromAddrPort(dst)
-
-	return &connHalf{r: r, w: w, remote: rAddr, local: lAddr}, &connHalf{r: w, w: r, remote: lAddr, local: rAddr}
-}
-
 type connAddr string

 func (a connAddr) Network() string { return "mem" }
 func (a connAddr) String() string  { return string(a) }

 type connHalf struct {
-	local, remote net.Addr
-	r, w          *Pipe
+	r, w *Pipe
 }

 func (c *connHalf) LocalAddr() net.Addr {
-	if c.local != nil {
-		return c.local
-	}
 	return connAddr(c.r.name)
 }

 func (c *connHalf) RemoteAddr() net.Addr {
-	if c.remote != nil {
-		return c.remote
-	}
 	return connAddr(c.w.name)
 }

--- a/Show More
+++ b/Show More