net/portmapper: fix UPnP probing, work against all ports

Prior to Tailscale 1.12 it detected UPnP on any port. Starting with Tailscale 1.11.x, it stopped detecting UPnP on all ports. Then start plumbing its discovered Location header port number to the code that was assuming port 5000. Fixes #2109 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2021-08-04 08:36:50 -07:00
327 changed files with 7645 additions and 11841 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +0,0 @@
-# Documentation for this file can be found at:
-# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
-version: 2
-updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: "go.mod:"
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    commit-message:
-      prefix: ".github:"
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,71 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main, release-branch/* ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  schedule:
-    - cron: '31 14 * * 5'
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
--- a/.github/workflows/cross-darwin.yml
+++ b/.github/workflows/cross-darwin.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-freebsd.yml
+++ b/.github/workflows/cross-freebsd.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-openbsd.yml
+++ b/.github/workflows/cross-openbsd.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/cross-windows.yml
+++ b/.github/workflows/cross-windows.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/depaware.yml
+++ b/.github/workflows/depaware.yml
@@ -14,9 +14,9 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/go_generate.yml
+++ b/.github/workflows/go_generate.yml
@@ -15,9 +15,9 @@ jobs:

    steps:
      - name: Set up Go
-        uses: actions/setup-go@v2.1.4
+        uses: actions/setup-go@v1
        with:
-          go-version: 1.17
+          go-version: 1.16

      - name: Check out code
        uses: actions/checkout@v2
@@ -26,13 +26,9 @@ jobs:

      - name: check 'go generate' is clean
        run: |
-          if [[ "${{github.ref}}" == release-branch/* ]]
-          then
-            pkgs=$(go list ./... | grep -v dnsfallback)
-          else
-            pkgs=$(go list ./...)
-          fi
-          go generate $pkgs
+          mkdir gentools
+          go build -o gentools/stringer golang.org/x/tools/cmd/stringer
+          PATH="$PATH:$(pwd)/gentools" go generate ./...
          echo
          echo
          git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -14,9 +14,9 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16

    - name: Check out code
      uses: actions/checkout@v1
--- a/.github/workflows/linux-race.yml
+++ b/.github/workflows/linux-race.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/linux32.yml
+++ b/.github/workflows/linux32.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16
      id: go

    - name: Check out code into the Go module directory
--- a/.github/workflows/staticcheck.yml
+++ b/.github/workflows/staticcheck.yml
@@ -14,9 +14,9 @@ jobs:

    steps:
    - name: Set up Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v1
      with:
-        go-version: 1.17
+        go-version: 1.16

    - name: Check out code
      uses: actions/checkout@v1
@@ -31,28 +31,16 @@ jobs:
      run: "staticcheck -version"

    - name: Run staticcheck (linux/amd64)
-      env:
-        GOOS: linux
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=linux GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (darwin/amd64)
-      env:
-        GOOS: darwin
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=darwin GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (windows/amd64)
-      env:
-        GOOS: windows
-        GOARCH: amd64
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=windows GOARCH=amd64 staticcheck -- $(go list ./... | grep -v tempfork)"

    - name: Run staticcheck (windows/386)
-      env:
-        GOOS: windows
-        GOARCH: "386"
-      run: "staticcheck -- $(go list ./... | grep -v tempfork)"
+      run: "GOOS=windows GOARCH=386 staticcheck -- $(go list ./... | grep -v tempfork)"

    - uses: k0kubun/action-slack@v2.0.0
      with:
--- a/.github/workflows/windows-race.yml
+++ b/.github/workflows/windows-race.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2
      with:
-        go-version: 1.17.x
+        go-version: 1.16.x

    - name: Checkout code
      uses: actions/checkout@v2
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -17,9 +17,9 @@ jobs:
    steps:

    - name: Install Go
-      uses: actions/setup-go@v2.1.4
+      uses: actions/setup-go@v2
      with:
-        go-version: 1.17.x
+        go-version: 1.16.x

    - name: Checkout code
      uses: actions/checkout@v2
--- a/.github/workflows/xe-experimental-vm-test.yml
+++ b/.github/workflows/xe-experimental-vm-test.yml
@@ -1,30 +1,31 @@
-name: VM
+name: "integration-vms"

 on:
  pull_request:
-    branches:
-      - '*'
+    paths:
+      - "tstest/integration/vms/**"
+  release:
+    types: [ created ]

 jobs:
-  ubuntu2004-LTS-cloud-base:
-    runs-on: [ self-hosted, linux, vm ]
+  experimental-linux-vm-test:
+    # To set up a new runner, see tstest/integration/vms/runner.nix
+    runs-on: [ self-hosted, linux, vm_integration_test ]

    if: "!contains(github.event.head_commit.message, '[ci skip]')"

    steps:
-      - name: Set up Go
-        uses: actions/setup-go@v1
-        with:
-          go-version: 1.17
-        id: go
-
      - name: Checkout Code
        uses: actions/checkout@v1

-      - name: Run VM tests
-        run: go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
+      - name: Download VM Images
+        run: go test ./tstest/integration/vms -run-vm-tests -run=Download -timeout=60m -no-s3
+        env:
+          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"
+
+      - name: Run VM tests
+        run: go test ./tstest/integration/vms -v -run-vm-tests
        env:
-          HOME: "/tmp"
          TMPDIR: "/tmp"
          XDG_CACHE_HOME: "/var/lib/ghrunner/cache"

--- a/4
+++ b/4
@@ -38,7 +38,7 @@
 #     $ docker exec tailscaled tailscale status


-FROM golang:1.17-alpine AS build-env
+FROM golang:1.16-alpine AS build-env

 WORKDIR /go/src/tailscale

@@ -61,6 +61,6 @@ RUN go install -tags=xversion -ldflags="\
      -X tailscale.com/version.GitCommit=$VERSION_GIT_HASH" \
      -v ./cmd/...

-FROM alpine:3.14
+FROM alpine:3.11
 RUN apk add --no-cache ca-certificates iptables iproute2
 COPY --from=build-env /go/bin/* /usr/local/bin/
--- a/5
+++ b/5
@@ -18,10 +18,7 @@ buildwindows:
 build386:
 	GOOS=linux GOARCH=386 go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled

-buildlinuxarm:
-	GOOS=linux GOARCH=arm go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm
+check: staticcheck vet depaware buildwindows build386

 staticcheck:
 	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ If your distro has conventions that preclude the use of
 distro's way, so that bug reports contain useful version information.

 We only guarantee to support the latest Go release and any Go beta or
-release candidate builds (currently Go 1.17) in module mode. It might
+release candidate builds (currently Go 1.16) in module mode. It might
 work in earlier Go versions or in GOPATH mode, but we're making no
 effort to keep those working.

--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.15.0
+1.13.0
--- a/api.md
+++ b/api.md
@@ -3,7 +3,7 @@
 The Tailscale API is a (mostly) RESTful API. Typically, POST bodies should be JSON encoded and responses will be JSON encoded.

 # Authentication
-Currently based on {some authentication method}. Visit the [admin panel](https://login.tailscale.com/admin) and navigate to the `Settings` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints (leave the password blank).
+Currently based on {some authentication method}. Visit the [admin panel](https://api.tailscale.com/admin) and navigate to the `Keys` page. Generate an API Key and keep it safe. Provide the key as the user key in basic auth when making calls to Tailscale API endpoints.

 # APIs

@@ -13,14 +13,11 @@ Currently based on {some authentication method}. Visit the [admin panel](https:/
  - Routes
    - [GET device routes](#device-routes-get)
    - [POST device routes](#device-routes-post)
-  - Authorize machine
-    - [POST device authorized](#device-authorized-post)
 * **[Tailnets](#tailnet)**
  - ACLs
    - [GET tailnet ACL](#tailnet-acl-get)
    - [POST tailnet ACL](#tailnet-acl-post): set ACL for a tailnet
    - [POST tailnet ACL preview](#tailnet-acl-preview-post): preview rule matches on an ACL for a resource
-	- [POST tailnet ACL validate](#tailnet-acl-validate-post): run validation tests against the tailnet's existing ACL
  - [Devices](#tailnet-devices)
    - [GET tailnet devices](#tailnet-devices-get)
  - [DNS](#tailnet-dns)
@@ -40,7 +37,7 @@ To find the deviceID of a particular device, you can use the ["GET /devices"](#g
 Find the device you're looking for and get the "id" field.
 This is your deviceID. 

-<a name=device-get></a>
+<a name=device-get></div>

 #### `GET /api/v2/device/:deviceid` - lists the details for a device
 Returns the details for the specified device.
@@ -129,7 +126,7 @@ Response
 }
 ```

-<a name=device-delete></a>
+<a name=device-delete></div>

 #### `DELETE /api/v2/device/:deviceID` - deletes the device from its tailnet
 Deletes the provided device from its tailnet. 
@@ -166,7 +163,7 @@ If the device is not owned by your tailnet:
 ```


-<a name=device-routes-get></a>
+<a name=device-routes-get></div>

 #### `GET /api/v2/device/:deviceID/routes` - fetch subnet routes that are advertised and enabled for a device

@@ -195,7 +192,7 @@ Response
 }
 ```

-<a name=device-routes-post></a>
+<a name=device-routes-post></div>

 #### `POST /api/v2/device/:deviceID/routes` - set the subnet routes that are enabled for a device

@@ -236,33 +233,6 @@ Response
 }
 ```

-<a name=device-authorized-post></a>
-
-#### `POST /api/v2/device/:deviceID/authorized` - authorize a device
-
-Marks a device as authorized, for Tailnets where device authorization is required.
-
-##### Parameters
-
-###### POST Body
-`authorized` - whether the device is authorized; only `true` is currently supported.
-```
-{
-  "authorized": true
-}
-```
-
-##### Example
-
-```
-curl 'https://api.tailscale.com/api/v2/device/11055/authorized' \
-u "tskey-yourapikey123:" \
--data-binary '{"authorized": true}'
-```
-
-The response is 2xx on success. The response body is currently an empty JSON
-object.
-
 ## Tailnet 
 A tailnet is the name of your Tailscale network. 
 You can find it in the top left corner of the [Admin Panel](https://login.tailscale.com/admin) beside the Tailscale logo.
@@ -503,7 +473,7 @@ Determines what rules match for a user on an ACL without saving the ACL to the s
 ###### Query Parameters
 `type` - can be 'user' or 'ipport'
 `previewFor` - if type=user, a user's email. If type=ipport, a IP address + port like "10.0.0.1:80".
-The provided ACL is queried with this parameter to determine which rules match.
+The provided ACL is queried with this paramater to determine which rules match.

 ###### POST Body
 ACL JSON or HuJSON (see https://tailscale.com/kb/1018/acls)
@@ -540,50 +510,6 @@ Response:
 {"matches":[{"users":["*"],"ports":["*:*"],"lineNumber":19}],"user":"user1@example.com"}
 ```

-<a name=tailnet-acl-validate-post></a>
-
-#### `POST /api/v2/tailnet/:tailnet/acl/validate` - run validation tests against the tailnet's active ACL
-
-Runs the provided ACL tests against the tailnet's existing ACL. This endpoint does not modify the ACL in any way.
-
-##### Parameters
-
-###### POST Body
-
-The POST body should be a JSON formatted array of ACL Tests.
-
-See https://tailscale.com/kb/1018/acls for more information on the format of ACL tests.
-
-##### Example
-```
-POST /api/v2/tailnet/example.com/acl/validate
-curl 'https://api.tailscale.com/api/v2/tailnet/example.com/acl/validate' \
-  -u "tskey-yourapikey123:" \
-  --data-binary '
-{
-  [
-    {"User": "user1@example.com", "Allow": ["example-host-1:22"], "Deny": ["example-host-2:100"]}
-  ]
-}'
-```
-
-Response:
-If all the tests pass, the response will be empty, with an http status code of 200.
-
-Failed test error response:
-A 400 http status code and the errors in the response body.  
-```
-{
-  "message":"test(s) failed",
-  "data":[
-           {
-             "user":"user1@example.com",
-             "errors":["address \"2.2.2.2:22\": want: Drop, got: Accept"]
-           }
-         ]
-}
-```
-
 <a name=tailnet-devices></a>

 ### Devices
--- a/chirp/chirp.go
+++ b/chirp/chirp.go
@@ -1,83 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package chirp implements a client to communicate with the BIRD Internet
-// Routing Daemon.
-package chirp
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"strings"
-)
-
-// New creates a BIRDClient.
-func New(socket string) (*BIRDClient, error) {
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
-	}
-	b := &BIRDClient{socket: socket, conn: conn, bs: bufio.NewScanner(conn)}
-	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readLine(); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-// BIRDClient handles communication with the BIRD Internet Routing Daemon.
-type BIRDClient struct {
-	socket string
-	conn   net.Conn
-	bs     *bufio.Scanner
-}
-
-// Close closes the underlying connection to BIRD.
-func (b *BIRDClient) Close() error { return b.conn.Close() }
-
-// DisableProtocol disables the provided protocol.
-func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s\n", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to disable %s: %v", protocol, out)
-}
-
-// EnableProtocol enables the provided protocol.
-func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s\n", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to enable %s: %v", protocol, out)
-}
-
-func (b *BIRDClient) exec(cmd string, args ...interface{}) (string, error) {
-	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
-		return "", err
-	}
-	return b.readLine()
-}
-
-func (b *BIRDClient) readLine() (string, error) {
-	if !b.bs.Scan() {
-		return "", fmt.Errorf("reading response from bird failed")
-	}
-	if err := b.bs.Err(); err != nil {
-		return "", err
-	}
-	return b.bs.Text(), nil
-}
--- a/client/tailscale/example/servetls/servetls.go
+++ b/client/tailscale/example/servetls/servetls.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// The servetls program shows how to run an HTTPS server
-// using a Tailscale cert via LetsEncrypt.
-package main
-
-import (
-	"crypto/tls"
-	"io"
-	"log"
-	"net/http"
-
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	s := &http.Server{
-		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
-		},
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
-		}),
-	}
-	log.Printf("Running TLS server on :443 ...")
-	log.Fatal(s.ListenAndServeTLS("", ""))
-}
--- a/client/tailscale/tailscale.go
+++ b/client/tailscale/tailscale.go
@@ -8,7 +8,6 @@ package tailscale
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -17,20 +16,15 @@ import (
 	"net"
 	"net/http"
 	"net/url"
-	"os/exec"
-	"runtime"
 	"strconv"
 	"strings"
-	"time"

-	"go4.org/mem"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/tailcfg"
-	"tailscale.com/version"
 )

 // TailscaledSocket is the tailscaled Unix socket.
@@ -87,15 +81,6 @@ func bestError(err error, body []byte) error {
 	return err
 }

-var onVersionMismatch func(clientVer, serverVer string)
-
-// SetVersionMismatchHandler sets f as the version mismatch handler
-// to be called when the client (the current process) has a version
-// number that doesn't match the server's declared version.
-func SetVersionMismatchHandler(f func(clientVer, serverVer string)) {
-	onVersionMismatch = f
-}
-
 func send(ctx context.Context, method, path string, wantStatus int, body io.Reader) ([]byte, error) {
 	req, err := http.NewRequestWithContext(ctx, method, "http://local-tailscaled.sock"+path, body)
 	if err != nil {
@@ -103,21 +88,9 @@ func send(ctx context.Context, method, path string, wantStatus int, body io.Read
 	}
 	res, err := DoLocalRequest(req)
 	if err != nil {
-		if ue, ok := err.(*url.Error); ok {
-			if oe, ok := ue.Err.(*net.OpError); ok && oe.Op == "dial" {
-				pathPrefix := path
-				if i := strings.Index(path, "?"); i != -1 {
-					pathPrefix = path[:i]
-				}
-				return nil, fmt.Errorf("Failed to connect to local Tailscale daemon for %s; %s Error: %w", pathPrefix, tailscaledConnectHint(), oe)
-			}
-		}
 		return nil, err
 	}
 	defer res.Body.Close()
-	if server := res.Header.Get("Tailscale-Version"); server != "" && server != version.Long && onVersionMismatch != nil {
-		onVersionMismatch(version.Long, server)
-	}
 	slurp, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return nil, err
@@ -154,18 +127,6 @@ func Goroutines(ctx context.Context) ([]byte, error) {
 	return get200(ctx, "/localapi/v0/goroutines")
 }

-// Profile returns a pprof profile of the Tailscale daemon.
-func Profile(ctx context.Context, pprofType string, sec int) ([]byte, error) {
-	var secArg string
-	if sec < 0 || sec > 300 {
-		return nil, errors.New("duration out of range")
-	}
-	if sec != 0 || pprofType == "profile" {
-		secArg = fmt.Sprint(sec)
-	}
-	return get200(ctx, fmt.Sprintf("/localapi/v0/profile?name=%s&seconds=%v", url.QueryEscape(pprofType), secArg))
-}
-
 // BugReport logs and returns a log marker that can be shared by the user with support.
 func BugReport(ctx context.Context, note string) (string, error) {
 	body, err := send(ctx, "POST", "/localapi/v0/bugreport?note="+url.QueryEscape(note), 200, nil)
@@ -332,99 +293,3 @@ func CurrentDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
 	}
 	return &derpMap, nil
 }
-
-// CertPair returns a cert and private key for the provided DNS domain.
-//
-// It returns a cached certificate from disk if it's still valid.
-func CertPair(ctx context.Context, domain string) (certPEM, keyPEM []byte, err error) {
-	res, err := send(ctx, "GET", "/localapi/v0/cert/"+domain+"?type=pair", 200, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	// with ?type=pair, the response PEM is first the one private
-	// key PEM block, then the cert PEM blocks.
-	i := mem.Index(mem.B(res), mem.S("--\n--"))
-	if i == -1 {
-		return nil, nil, fmt.Errorf("unexpected output: no delimiter")
-	}
-	i += len("--\n")
-	keyPEM, certPEM = res[:i], res[i:]
-	if mem.Contains(mem.B(certPEM), mem.S(" PRIVATE KEY-----")) {
-		return nil, nil, fmt.Errorf("unexpected output: key in cert")
-	}
-	return certPEM, keyPEM, nil
-}
-
-// GetCertificate fetches a TLS certificate for the TLS ClientHello in hi.
-//
-// It returns a cached certificate from disk if it's still valid.
-//
-// It's the right signature to use as the value of
-// tls.Config.GetCertificate.
-func GetCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi == nil || hi.ServerName == "" {
-		return nil, errors.New("no SNI ServerName")
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-	defer cancel()
-
-	name := hi.ServerName
-	if !strings.Contains(name, ".") {
-		if v, ok := ExpandSNIName(ctx, name); ok {
-			name = v
-		}
-	}
-	certPEM, keyPEM, err := CertPair(ctx, name)
-	if err != nil {
-		return nil, err
-	}
-	cert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return nil, err
-	}
-	return &cert, nil
-}
-
-// ExpandSNIName expands bare label name into the the most likely actual TLS cert name.
-func ExpandSNIName(ctx context.Context, name string) (fqdn string, ok bool) {
-	st, err := StatusWithoutPeers(ctx)
-	if err != nil {
-		return "", false
-	}
-	for _, d := range st.CertDomains {
-		if len(d) > len(name)+1 && strings.HasPrefix(d, name) && d[len(name)] == '.' {
-			return d, true
-		}
-	}
-	return "", false
-}
-
-// tailscaledConnectHint gives a little thing about why tailscaled (or
-// platform equivalent) is not answering localapi connections.
-//
-// It ends in a punctuation. See caller.
-func tailscaledConnectHint() string {
-	if runtime.GOOS != "linux" {
-		// TODO(bradfitz): flesh this out
-		return "not running?"
-	}
-	out, err := exec.Command("systemctl", "show", "tailscaled.service", "--no-page", "--property", "LoadState,ActiveState,SubState").Output()
-	if err != nil {
-		return "not running?"
-	}
-	// Parse:
-	// LoadState=loaded
-	// ActiveState=inactive
-	// SubState=dead
-	st := map[string]string{}
-	for _, line := range strings.Split(string(out), "\n") {
-		if i := strings.Index(line, "="); i != -1 {
-			st[line[:i]] = strings.TrimSpace(line[i+1:])
-		}
-	}
-	if st["LoadState"] == "loaded" &&
-		(st["SubState"] != "running" || st["ActiveState"] != "active") {
-		return "systemd tailscaled.service not running."
-	}
-	return "not running?"
-}
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -17,13 +17,16 @@ import (
 	"bytes"
 	"flag"
 	"fmt"
+	"go/ast"
+	"go/format"
+	"go/token"
 	"go/types"
+	"io/ioutil"
 	"log"
 	"os"
 	"strings"

 	"golang.org/x/tools/go/packages"
-	"tailscale.com/util/codegen"
 )

 var (
@@ -60,13 +63,37 @@ func main() {
 	pkg := pkgs[0]
 	buf := new(bytes.Buffer)
 	imports := make(map[string]struct{})
-	namedTypes := codegen.NamedTypes(pkg)
 	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName]
-		if !ok {
+		found := false
+		for _, file := range pkg.Syntax {
+			//var fbuf bytes.Buffer
+			//ast.Fprint(&fbuf, pkg.Fset, file, nil)
+			//fmt.Println(fbuf.String())
+
+			for _, d := range file.Decls {
+				decl, ok := d.(*ast.GenDecl)
+				if !ok || decl.Tok != token.TYPE {
+					continue
+				}
+				for _, s := range decl.Specs {
+					spec, ok := s.(*ast.TypeSpec)
+					if !ok || spec.Name.Name != typeName {
+						continue
+					}
+					typeNameObj := pkg.TypesInfo.Defs[spec.Name]
+					typ, ok := typeNameObj.Type().(*types.Named)
+					if !ok {
+						continue
+					}
+					pkg := typeNameObj.Pkg()
+					gen(buf, imports, typeName, typ, pkg)
+					found = true
+				}
+			}
+		}
+		if !found {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, imports, typ, pkg.Types)
 	}

 	w := func(format string, args ...interface{}) {
@@ -103,12 +130,17 @@ func main() {
 	fmt.Fprintf(contents, ")\n\n")
 	contents.Write(buf.Bytes())

+	out, err := format.Source(contents.Bytes())
+	if err != nil {
+		log.Fatalf("%s, in source:\n%s", err, contents.Bytes())
+	}
+
 	output := *flagOutput
 	if output == "" {
 		flag.Usage()
 		os.Exit(2)
 	}
-	if err := codegen.WriteFormatted(contents.Bytes(), output); err != nil {
+	if err := ioutil.WriteFile(output, out, 0644); err != nil {
 		log.Fatal(err)
 	}
 }
@@ -117,14 +149,13 @@ const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserve
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-// Code generated by the following command; DO NOT EDIT.
-//   tailscale.com/cmd/cloner -type %s
+// Code generated by tailscale.com/cmd/cloner -type %s; DO NOT EDIT.

 package %s

 `

-func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisPkg *types.Package) {
+func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types.Named, thisPkg *types.Package) {
 	pkgQual := func(pkg *types.Package) string {
 		if thisPkg == pkg {
 			return ""
@@ -136,89 +167,107 @@ func gen(buf *bytes.Buffer, imports map[string]struct{}, typ *types.Named, thisP
 		return types.TypeString(t, pkgQual)
 	}

-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok {
-		return
-	}
+	switch t := typ.Underlying().(type) {
+	case *types.Struct:
+		// We generate two bits of code simultaneously while we walk the struct.
+		// One is the Clone method itself, which we write directly to buf.
+		// The other is a variable assignment that will fail if the struct
+		// changes without the Clone method getting regenerated.
+		// We write that to regenBuf, and then append it to buf at the end.
+		regenBuf := new(bytes.Buffer)
+		writeRegen := func(format string, args ...interface{}) {
+			fmt.Fprintf(regenBuf, format+"\n", args...)
+		}
+		writeRegen("// A compilation failure here means this code must be regenerated, with command:")
+		writeRegen("//   tailscale.com/cmd/cloner -type %s", *flagTypes)
+		writeRegen("var _%sNeedsRegeneration = %s(struct {", name, name)

-	name := typ.Obj().Name()
-	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
-	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
-	writef := func(format string, args ...interface{}) {
-		fmt.Fprintf(buf, "\t"+format+"\n", args...)
-	}
-	writef("if src == nil {")
-	writef("\treturn nil")
-	writef("}")
-	writef("dst := new(%s)", name)
-	writef("*dst = *src")
-	for i := 0; i < t.NumFields(); i++ {
-		fname := t.Field(i).Name()
-		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) {
-			continue
+		name := typ.Obj().Name()
+		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
+		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
+		fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
+		writef := func(format string, args ...interface{}) {
+			fmt.Fprintf(buf, "\t"+format+"\n", args...)
 		}
-		if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
-			writef("dst.%s = *src.%s.Clone()", fname, fname)
-			continue
-		}
-		switch ft := ft.Underlying().(type) {
-		case *types.Slice:
-			if codegen.ContainsPointers(ft.Elem()) {
-				n := importedName(ft.Elem())
-				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
-				writef("for i := range dst.%s {", fname)
-				if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
-				} else {
-					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
-				}
-				writef("}")
-			} else {
-				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
-			}
-		case *types.Pointer:
-			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
+		writef("if src == nil {")
+		writef("\treturn nil")
+		writef("}")
+		writef("dst := new(%s)", name)
+		writef("*dst = *src")
+		for i := 0; i < t.NumFields(); i++ {
+			fname := t.Field(i).Name()
+			ft := t.Field(i).Type()
+
+			writeRegen("\t%s %s", fname, importedName(ft))
+
+			if !containsPointers(ft) {
 				continue
 			}
-			n := importedName(ft.Elem())
-			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = new(%s)", fname, n)
-			writef("\t*dst.%s = *src.%s", fname, fname)
-			if codegen.ContainsPointers(ft.Elem()) {
-				writef("\t" + `panic("TODO pointers in pointers")`)
+			if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
+				writef("dst.%s = *src.%s.Clone()", fname, fname)
+				continue
 			}
-			writef("}")
-		case *types.Map:
-			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
-			if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
-				n := importedName(sliceType.Elem())
-				writef("\tfor k := range src.%s {", fname)
-				// use zero-length slice instead of nil to ensure
-				// the key is always copied.
-				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
-				writef("\t}")
-			} else if codegen.ContainsPointers(ft.Elem()) {
-				writef("\tfor k, v := range src.%s {", fname)
-				writef("\t\tdst.%s[k] = v.Clone()", fname)
-				writef("\t}")
-			} else {
-				writef("\tfor k, v := range src.%s {", fname)
-				writef("\t\tdst.%s[k] = v", fname)
-				writef("\t}")
+			switch ft := ft.Underlying().(type) {
+			case *types.Slice:
+				if containsPointers(ft.Elem()) {
+					n := importedName(ft.Elem())
+					writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
+					writef("for i := range dst.%s {", fname)
+					if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
+						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					} else {
+						writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
+					}
+					writef("}")
+				} else {
+					writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
+				}
+			case *types.Pointer:
+				if named, _ := ft.Elem().(*types.Named); named != nil && containsPointers(ft.Elem()) {
+					writef("dst.%s = src.%s.Clone()", fname, fname)
+					continue
+				}
+				n := importedName(ft.Elem())
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = new(%s)", fname, n)
+				writef("\t*dst.%s = *src.%s", fname, fname)
+				if containsPointers(ft.Elem()) {
+					writef("\t" + `panic("TODO pointers in pointers")`)
+				}
+				writef("}")
+			case *types.Map:
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+				if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+					n := importedName(sliceType.Elem())
+					writef("\tfor k := range src.%s {", fname)
+					// use zero-length slice instead of nil to ensure
+					// the key is always copied.
+					writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
+					writef("\t}")
+				} else if containsPointers(ft.Elem()) {
+					writef("\tfor k, v := range src.%s {", fname)
+					writef("\t\tdst.%s[k] = v.Clone()", fname)
+					writef("\t}")
+				} else {
+					writef("\tfor k, v := range src.%s {", fname)
+					writef("\t\tdst.%s[k] = v", fname)
+					writef("\t}")
+				}
+				writef("}")
+			case *types.Struct:
+				writef(`panic("TODO struct %s")`, fname)
+			default:
+				writef(`panic(fmt.Sprintf("TODO: %T", ft))`)
 			}
-			writef("}")
-		default:
-			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
-	}
-	writef("return dst")
-	fmt.Fprintf(buf, "}\n\n")
+		writef("return dst")
+		fmt.Fprintf(buf, "}\n\n")

-	buf.Write(codegen.AssertStructUnchanged(t, thisPkg, name, "Clone", imports))
+		writeRegen("}{})\n")
+
+		buf.Write(regenBuf.Bytes())
+	}
 }

 func hasBasicUnderlying(typ types.Type) bool {
@@ -229,3 +278,34 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
+
+func containsPointers(typ types.Type) bool {
+	switch typ.String() {
+	case "time.Time":
+		// time.Time contains a pointer that does not need copying
+		return false
+	case "inet.af/netaddr.IP":
+		return false
+	}
+	switch ft := typ.Underlying().(type) {
+	case *types.Array:
+		return containsPointers(ft.Elem())
+	case *types.Chan:
+		return true
+	case *types.Interface:
+		return true // a little too broad
+	case *types.Map:
+		return true
+	case *types.Pointer:
+		return true
+	case *types.Slice:
+		return true
+	case *types.Struct:
+		for i := 0; i < ft.NumFields(); i++ {
+			if containsPointers(ft.Field(i).Type()) {
+				return true
+			}
+		}
+	}
+	return false
+}
--- a/cmd/derper/cert.go
+++ b/cmd/derper/cert.go
@@ -1,95 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net/http"
-	"path/filepath"
-	"regexp"
-
-	"golang.org/x/crypto/acme/autocert"
-)
-
-var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
-
-type certProvider interface {
-	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
-	TLSConfig() *tls.Config
-	// HTTPHandler handle ACME related request, if any.
-	HTTPHandler(fallback http.Handler) http.Handler
-}
-
-func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
-	if dir == "" {
-		return nil, errors.New("missing required --certdir flag")
-	}
-	switch mode {
-	case "letsencrypt":
-		certManager := &autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist(hostname),
-			Cache:      autocert.DirCache(dir),
-		}
-		if hostname == "derp.tailscale.com" {
-			certManager.HostPolicy = prodAutocertHostPolicy
-			certManager.Email = "security@tailscale.com"
-		}
-		return certManager, nil
-	case "manual":
-		return NewManualCertManager(dir, hostname)
-	default:
-		return nil, fmt.Errorf("unsupport cert mode: %q", mode)
-	}
-}
-
-type manualCertManager struct {
-	cert     *tls.Certificate
-	hostname string
-}
-
-// NewManualCertManager returns a cert provider which read certificate by given hostname on create.
-func NewManualCertManager(certdir, hostname string) (certProvider, error) {
-	keyname := unsafeHostnameCharacters.ReplaceAllString(hostname, "")
-	crtPath := filepath.Join(certdir, keyname+".crt")
-	keyPath := filepath.Join(certdir, keyname+".key")
-	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	if err != nil {
-		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-	}
-	// ensure hostname matches with the certificate
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return nil, fmt.Errorf("can not load cert: %w", err)
-	}
-	if x509Cert.VerifyHostname(hostname) != nil {
-		return nil, errors.New("refuse to load cert: hostname mismatch with key")
-	}
-	return &manualCertManager{cert: &cert, hostname: hostname}, nil
-}
-
-func (m *manualCertManager) TLSConfig() *tls.Config {
-	return &tls.Config{
-		Certificates: nil,
-		NextProtos: []string{
-			"h2", "http/1.1", // enable HTTP/2
-		},
-		GetCertificate: m.getCertificate,
-	}
-}
-
-func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi.ServerName != m.hostname {
-		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
-	}
-	return m.cert, nil
-}
-
-func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
-	return fallback
-}
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -23,6 +23,7 @@ import (
 	"strings"
 	"time"

+	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -38,7 +39,6 @@ var (
 	dev           = flag.Bool("dev", false, "run in localhost development mode")
 	addr          = flag.String("a", ":443", "server address")
 	configPath    = flag.String("c", "", "config file path")
-	certMode      = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
 	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
 	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
 	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
@@ -49,26 +49,6 @@ var (
 	verifyClients = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
 )

-var (
-	stats           = new(metrics.Set)
-	stunDisposition = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
-
-	stunReadError  = stunDisposition.Get("read_error")
-	stunNotSTUN    = stunDisposition.Get("not_stun")
-	stunWriteError = stunDisposition.Get("write_error")
-	stunSuccess    = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
-)
-
-func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
-}
-
 type config struct {
 	PrivateKey wgkey.Private
 }
@@ -137,11 +117,6 @@ func main() {
 		tsweb.DevMode = true
 	}

-	listenHost, _, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("invalid server address: %v", err)
-	}
-
 	var logPol *logpolicy.Policy
 	if *logCollection != "" {
 		logPol = logpolicy.New(*logCollection)
@@ -150,7 +125,7 @@ func main() {

 	cfg := loadConfig()

-	serveTLS := tsweb.IsProd443(*addr)
+	letsEncrypt := tsweb.IsProd443(*addr)

 	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
 	s.SetVerifyClient(*verifyClients)
@@ -206,35 +181,33 @@ func main() {
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

 	if *runSTUN {
-		go serveSTUN(listenHost)
+		go serveSTUN()
 	}

 	httpsrv := &http.Server{
 		Addr:    *addr,
 		Handler: mux,
-
-		// Set read/write timeout. For derper, this basically
-		// only affects TLS setup, as read/write deadlines are
-		// cleared on Hijack, which the DERP server does. But
-		// without this, we slowly accumulate stuck TLS
-		// handshake goroutines forever. This also affects
-		// /debug/ traffic, but 30 seconds is plenty for
-		// Prometheus/etc scraping.
-		ReadTimeout:  30 * time.Second,
-		WriteTimeout: 30 * time.Second,
 	}

-	if serveTLS {
+	var err error
+	if letsEncrypt {
+		if *certDir == "" {
+			log.Fatalf("missing required --certdir flag")
+		}
 		log.Printf("derper: serving on %s with TLS", *addr)
-		var certManager certProvider
-		certManager, err = certProviderByCertMode(*certMode, *certDir, *hostname)
-		if err != nil {
-			log.Fatalf("derper: can not start cert provider: %v", err)
+		certManager := &autocert.Manager{
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(*hostname),
+			Cache:      autocert.DirCache(*certDir),
+		}
+		if *hostname == "derp.tailscale.com" {
+			certManager.HostPolicy = prodAutocertHostPolicy
+			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
-		getCert := httpsrv.TLSConfig.GetCertificate
+		letsEncryptGetCert := httpsrv.TLSConfig.GetCertificate
 		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			cert, err := getCert(hi)
+			cert, err := letsEncryptGetCert(hi)
 			if err != nil {
 				return nil, err
 			}
@@ -242,17 +215,7 @@ func main() {
 			return cert, nil
 		}
 		go func() {
-			port80srv := &http.Server{
-				Addr:        net.JoinHostPort(listenHost, "80"),
-				Handler:     certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}),
-				ReadTimeout: 30 * time.Second,
-				// Crank up WriteTimeout a bit more than usually
-				// necessary just so we can do long CPU profiles
-				// and not hit net/http/pprof's "profile
-				// duration exceeds server's WriteTimeout".
-				WriteTimeout: 5 * time.Minute,
-			}
-			err := port80srv.ListenAndServe()
+			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
 				if err != http.ErrServerClosed {
 					log.Fatal(err)
@@ -269,34 +232,45 @@ func main() {
 	}
 }

-func serveSTUN(host string) {
-
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, "3478"))
+func serveSTUN() {
+	pc, err := net.ListenPacket("udp", ":3478")
 	if err != nil {
 		log.Fatalf("failed to open STUN listener: %v", err)
 	}
 	log.Printf("running STUN server on %v", pc.LocalAddr())
-	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
-}

-func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
-	var buf [64 << 10]byte
 	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
+		stats           = new(metrics.Set)
+		stunDisposition = &metrics.LabelMap{Label: "disposition"}
+		stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+
+		stunReadError  = stunDisposition.Get("read_error")
+		stunNotSTUN    = stunDisposition.Get("not_stun")
+		stunWriteError = stunDisposition.Get("write_error")
+		stunSuccess    = stunDisposition.Get("success")
+
+		stunIPv4 = stunAddrFamily.Get("ipv4")
+		stunIPv6 = stunAddrFamily.Get("ipv6")
 	)
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
+
+	var buf [64 << 10]byte
 	for {
-		n, ua, err = pc.ReadFromUDP(buf[:])
+		n, addr, err := pc.ReadFrom(buf[:])
 		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
 			log.Printf("STUN ReadFrom: %v", err)
 			time.Sleep(time.Second)
 			stunReadError.Add(1)
 			continue
 		}
+		ua, ok := addr.(*net.UDPAddr)
+		if !ok {
+			log.Printf("STUN unexpected address %T %v", addr, addr)
+			stunReadError.Add(1)
+			continue
+		}
 		pkt := buf[:n]
 		if !stun.Is(pkt) {
 			stunNotSTUN.Add(1)
@@ -313,7 +287,7 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 			stunIPv6.Add(1)
 		}
 		res := stun.Response(txid, ua.IP, uint16(ua.Port))
-		_, err = pc.WriteTo(res, ua)
+		_, err = pc.WriteTo(res, addr)
 		if err != nil {
 			stunWriteError.Add(1)
 		} else {
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -6,10 +6,7 @@ package main

 import (
 	"context"
-	"net"
 	"testing"
-
-	"tailscale.com/net/stun"
 )

 func TestProdAutocertHostPolicy(t *testing.T) {
@@ -34,36 +31,5 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 			t.Errorf("f(%q) = %v; want %v", tt.in, got, tt.wantOK)
 		}
 	}
-}
-
-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer pc.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go serverSTUNListener(ctx, pc.(*net.UDPConn))
-	addr := pc.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}

 }
--- a/cmd/microproxy/microproxy.go
+++ b/cmd/microproxy/microproxy.go
@@ -0,0 +1,173 @@
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// microproxy proxies incoming HTTPS connections to another
+// destination. Instead of managing its own TLS certificates, it
+// borrows issued certificates and keys from an autocert directory.
+package main
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"net/http/httputil"
+	"net/url"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"tailscale.com/logpolicy"
+	"tailscale.com/tsweb"
+)
+
+var (
+	addr          = flag.String("addr", ":4430", "server address")
+	certdir       = flag.String("certdir", "", "directory to borrow LetsEncrypt certificates from")
+	hostname      = flag.String("hostname", "", "hostname to serve")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	nodeExporter  = flag.String("node-exporter", "http://localhost:9100", "URL of the local prometheus node exporter")
+	goVarsURL     = flag.String("go-vars-url", "http://localhost:8383/debug/vars", "URL of a local Go server's /debug/vars endpoint")
+	insecure      = flag.Bool("insecure", false, "serve over http, for development")
+)
+
+func main() {
+	flag.Parse()
+
+	if *logCollection != "" {
+		logpolicy.New(*logCollection)
+	}
+
+	ne, err := url.Parse(*nodeExporter)
+	if err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *nodeExporter, err)
+	}
+	proxy := httputil.NewSingleHostReverseProxy(ne)
+	proxy.FlushInterval = time.Second
+
+	if _, err = url.Parse(*goVarsURL); err != nil {
+		log.Fatalf("Couldn't parse URL %q: %v", *goVarsURL, err)
+	}
+
+	mux := http.NewServeMux()
+	tsweb.Debugger(mux) // registers /debug/*
+	mux.Handle("/metrics", tsweb.Protected(proxy))
+	mux.Handle("/varz", tsweb.Protected(tsweb.StdHandler(&goVarsHandler{*goVarsURL}, tsweb.HandlerOptions{
+		Quiet200s: true,
+		Logf:      log.Printf,
+	})))
+
+	ch := &certHolder{
+		hostname: *hostname,
+		path:     filepath.Join(*certdir, *hostname),
+	}
+
+	httpsrv := &http.Server{
+		Addr:    *addr,
+		Handler: mux,
+	}
+
+	if !*insecure {
+		httpsrv.TLSConfig = &tls.Config{GetCertificate: ch.GetCertificate}
+		err = httpsrv.ListenAndServeTLS("", "")
+	} else {
+		err = httpsrv.ListenAndServe()
+	}
+	if err != nil && err != http.ErrServerClosed {
+		log.Fatal(err)
+	}
+}
+
+type goVarsHandler struct {
+	url string
+}
+
+func promPrint(w io.Writer, prefix string, obj map[string]interface{}) {
+	for k, i := range obj {
+		if prefix != "" {
+			k = prefix + "_" + k
+		}
+		switch v := i.(type) {
+		case map[string]interface{}:
+			promPrint(w, k, v)
+		case float64:
+			const saveConfigReject = "control_save_config_rejected_"
+			const saveConfig = "control_save_config_"
+			switch {
+			case strings.HasPrefix(k, saveConfigReject):
+				fmt.Fprintf(w, "control_save_config_rejected{reason=%q} %f\n", k[len(saveConfigReject):], v)
+			case strings.HasPrefix(k, saveConfig):
+				fmt.Fprintf(w, "control_save_config{reason=%q} %f\n", k[len(saveConfig):], v)
+			default:
+				fmt.Fprintf(w, "%s %f\n", k, v)
+			}
+		default:
+			fmt.Fprintf(w, "# Skipping key %q, unhandled type %T\n", k, v)
+		}
+	}
+}
+
+func (h *goVarsHandler) ServeHTTPReturn(w http.ResponseWriter, r *http.Request) error {
+	resp, err := http.Get(h.url)
+	if err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+	defer resp.Body.Close()
+	var mon map[string]interface{}
+	if err := json.NewDecoder(resp.Body).Decode(&mon); err != nil {
+		return tsweb.Error(http.StatusInternalServerError, "fetch failed", err)
+	}
+
+	w.WriteHeader(http.StatusOK)
+	promPrint(w, "", mon)
+	return nil
+}
+
+// certHolder loads and caches a TLS certificate from disk, reloading
+// it every hour.
+type certHolder struct {
+	hostname string // only hostname allowed in SNI
+	path     string // path of certificate+key combined PEM file
+
+	mu     sync.Mutex
+	cert   *tls.Certificate // cached parsed cert+key
+	loaded time.Time
+}
+
+func (c *certHolder) GetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	if ch.ServerName != c.hostname {
+		return nil, fmt.Errorf("wrong client SNI %q", ch.ServerName)
+	}
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if time.Since(c.loaded) > time.Hour {
+		if err := c.loadLocked(); err != nil {
+			log.Printf("Reloading cert %q: %v", c.path, err)
+			// continue anyway, we might be able to serve off the stale cert.
+		}
+	}
+	return c.cert, nil
+}
+
+// load reloads the TLS certificate and key from disk. Caller must
+// hold mu.
+func (c *certHolder) loadLocked() error {
+	bs, err := ioutil.ReadFile(c.path)
+	if err != nil {
+		return fmt.Errorf("reading %q: %v", c.path, err)
+	}
+	cert, err := tls.X509KeyPair(bs, bs)
+	if err != nil {
+		return fmt.Errorf("parsing %q: %v", c.path, err)
+	}
+
+	c.cert = &cert
+	c.loaded = time.Now()
+	return nil
+}
--- a/cmd/speedtest/speedtest.go
+++ b/cmd/speedtest/speedtest.go
@@ -23,7 +23,7 @@ import (
 	"text/tabwriter"
 	"time"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/net/speedtest"
 )

--- a/cmd/tailscale/cli/bugreport.go
+++ b/cmd/tailscale/cli/bugreport.go
@@ -9,7 +9,7 @@ import (
 	"errors"
 	"fmt"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 )

--- a/cmd/tailscale/cli/cert.go
+++ b/cmd/tailscale/cli/cert.go
@@ -1,107 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package cli
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"flag"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-	"strings"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/atomicfile"
-	"tailscale.com/client/tailscale"
-)
-
-var certCmd = &ffcli.Command{
-	Name:       "cert",
-	Exec:       runCert,
-	ShortHelp:  "get TLS certs",
-	ShortUsage: "cert [flags] <domain>",
-	FlagSet: (func() *flag.FlagSet {
-		fs := flag.NewFlagSet("cert", flag.ExitOnError)
-		fs.StringVar(&certArgs.certFile, "cert-file", "", "output cert file; defaults to DOMAIN.crt")
-		fs.StringVar(&certArgs.keyFile, "key-file", "", "output cert file; defaults to DOMAIN.key")
-		fs.BoolVar(&certArgs.serve, "serve-demo", false, "if true, serve on port :443 using the cert as a demo, instead of writing out the files to disk")
-		return fs
-	})(),
-}
-
-var certArgs struct {
-	certFile string
-	keyFile  string
-	serve    bool
-}
-
-func runCert(ctx context.Context, args []string) error {
-	if certArgs.serve {
-		s := &http.Server{
-			TLSConfig: &tls.Config{
-				GetCertificate: tailscale.GetCertificate,
-			},
-			Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-				if r.TLS != nil && !strings.Contains(r.Host, ".") && r.Method == "GET" {
-					if v, ok := tailscale.ExpandSNIName(r.Context(), r.Host); ok {
-						http.Redirect(w, r, "https://"+v+r.URL.Path, http.StatusTemporaryRedirect)
-						return
-					}
-				}
-				fmt.Fprintf(w, "<h1>Hello from Tailscale</h1>It works.")
-			}),
-		}
-		log.Printf("running TLS server on :443 ...")
-		return s.ListenAndServeTLS("", "")
-	}
-
-	if len(args) != 1 {
-		return fmt.Errorf("Usage: tailscale cert [flags] <domain>")
-	}
-	domain := args[0]
-
-	if certArgs.certFile == "" {
-		certArgs.certFile = domain + ".crt"
-	}
-	if certArgs.keyFile == "" {
-		certArgs.keyFile = domain + ".key"
-	}
-	certPEM, keyPEM, err := tailscale.CertPair(ctx, domain)
-	if err != nil {
-		return err
-	}
-	certChanged, err := writeIfChanged(certArgs.certFile, certPEM, 0644)
-	if err != nil {
-		return err
-	}
-	if certChanged {
-		fmt.Printf("Wrote public cert to %v\n", certArgs.certFile)
-	} else {
-		fmt.Printf("Public cert unchanged at %v\n", certArgs.certFile)
-	}
-	keyChanged, err := writeIfChanged(certArgs.keyFile, keyPEM, 0600)
-	if err != nil {
-		return err
-	}
-	if keyChanged {
-		fmt.Printf("Wrote private key to %v\n", certArgs.keyFile)
-	} else {
-		fmt.Printf("Private key unchanged at %v\n", certArgs.keyFile)
-	}
-	return nil
-}
-
-func writeIfChanged(filename string, contents []byte, mode os.FileMode) (changed bool, err error) {
-	if old, err := os.ReadFile(filename); err == nil && bytes.Equal(contents, old) {
-		return false, nil
-	}
-	if err := atomicfile.WriteFile(filename, contents, mode); err != nil {
-		return false, err
-	}
-	return true, nil
-}
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -19,11 +19,10 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
-	"sync"
 	"syscall"
 	"text/tabwriter"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
@@ -83,13 +82,6 @@ func Run(args []string) error {
 		args = []string{"version"}
 	}

-	var warnOnce sync.Once
-	tailscale.SetVersionMismatchHandler(func(clientVer, serverVer string) {
-		warnOnce.Do(func() {
-			fmt.Fprintf(os.Stderr, "Warning: client version %q != tailscaled server version %q\n", clientVer, serverVer)
-		})
-	})
-
 	rootfs := flag.NewFlagSet("tailscale", flag.ExitOnError)
 	rootfs.StringVar(&rootArgs.socket, "socket", paths.DefaultTailscaledSocket(), "path to tailscaled's unix socket")

@@ -115,7 +107,6 @@ change in the future.
 			webCmd,
 			fileCmd,
 			bugReportCmd,
-			certCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -17,7 +17,6 @@ import (
 	"inet.af/netaddr"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
 )
@@ -608,7 +607,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			var warnBuf tstest.MemLogger
+			var warnBuf bytes.Buffer
+			warnf := func(format string, a ...interface{}) {
+				fmt.Fprintf(&warnBuf, format, a...)
+			}
 			goos := tt.goos
 			if goos == "" {
 				goos = "linux"
@@ -617,7 +619,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 			if st == nil {
 				st = new(ipnstate.Status)
 			}
-			got, err := prefsFromUpArgs(tt.args, warnBuf.Logf, st, goos)
+			got, err := prefsFromUpArgs(tt.args, warnf, st, goos)
 			gotErr := fmt.Sprint(err)
 			if tt.wantErr != "" {
 				if tt.wantErr != gotErr {
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -16,7 +16,7 @@ import (
 	"runtime"
 	"strings"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/paths"
@@ -34,18 +34,13 @@ var debugCmd = &ffcli.Command{
 		fs.BoolVar(&debugArgs.derpMap, "derp", false, "If true, dump DERP map")
 		fs.BoolVar(&debugArgs.pretty, "pretty", false, "If true, pretty-print output (for --prefs)")
 		fs.BoolVar(&debugArgs.netMap, "netmap", true, "whether to include netmap in --ipn mode")
-		fs.BoolVar(&debugArgs.env, "env", false, "dump environment")
 		fs.BoolVar(&debugArgs.localCreds, "local-creds", false, "print how to connect to local tailscaled")
 		fs.StringVar(&debugArgs.file, "file", "", "get, delete:NAME, or NAME")
-		fs.StringVar(&debugArgs.cpuFile, "cpu-profile", "", "if non-empty, grab a CPU profile for --profile-sec seconds and write it to this file; - for stdout")
-		fs.StringVar(&debugArgs.memFile, "mem-profile", "", "if non-empty, grab a memory profile and write it to this file; - for stdout")
-		fs.IntVar(&debugArgs.cpuSec, "profile-seconds", 15, "number of seconds to run a CPU profile for, when --cpu-profile is non-empty")
 		return fs
 	})(),
 }

 var debugArgs struct {
-	env        bool
 	localCreds bool
 	goroutines bool
 	ipn        bool
@@ -54,39 +49,12 @@ var debugArgs struct {
 	file       string
 	prefs      bool
 	pretty     bool
-	cpuSec     int
-	cpuFile    string
-	memFile    string
-}
-
-func writeProfile(dst string, v []byte) error {
-	if dst == "-" {
-		_, err := os.Stdout.Write(v)
-		return err
-	}
-	return os.WriteFile(dst, v, 0600)
-}
-
-func outName(dst string) string {
-	if dst == "-" {
-		return "stdout"
-	}
-	if runtime.GOOS == "darwin" {
-		return fmt.Sprintf("%s (warning: sandboxed macOS binaries write to Library/Containers; use - to write to stdout and redirect to file instead)", dst)
-	}
-	return dst
 }

 func runDebug(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		return errors.New("unknown arguments")
 	}
-	if debugArgs.env {
-		for _, e := range os.Environ() {
-			fmt.Println(e)
-		}
-		return nil
-	}
 	if debugArgs.localCreds {
 		port, token, err := safesocket.LocalTCPPortAndToken()
 		if err == nil {
@@ -100,28 +68,6 @@ func runDebug(ctx context.Context, args []string) error {
 		fmt.Printf("curl --unix-socket %s http://foo/localapi/v0/status\n", paths.DefaultTailscaledSocket())
 		return nil
 	}
-	if out := debugArgs.cpuFile; out != "" {
-		log.Printf("Capturing CPU profile for %v seconds ...", debugArgs.cpuSec)
-		if v, err := tailscale.Profile(ctx, "profile", debugArgs.cpuSec); err != nil {
-			return err
-		} else {
-			if err := writeProfile(out, v); err != nil {
-				return err
-			}
-			log.Printf("CPU profile written to %s", outName(out))
-		}
-	}
-	if out := debugArgs.memFile; out != "" {
-		log.Printf("Capturing memory profile ...")
-		if v, err := tailscale.Profile(ctx, "heap", 0); err != nil {
-			return err
-		} else {
-			if err := writeProfile(out, v); err != nil {
-				return err
-			}
-			log.Printf("Memory profile written to %s", outName(out))
-		}
-	}
 	if debugArgs.prefs {
 		prefs, err := tailscale.GetPrefs(ctx)
 		if err != nil {
--- a/cmd/tailscale/cli/diag.go
+++ b/cmd/tailscale/cli/diag.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux || windows || darwin
 // +build linux windows darwin

 package cli
--- a/cmd/tailscale/cli/diag_other.go
+++ b/cmd/tailscale/cli/diag_other.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !linux && !windows && !darwin
 // +build !linux,!windows,!darwin

 package cli
--- a/cmd/tailscale/cli/down.go
+++ b/cmd/tailscale/cli/down.go
@@ -10,7 +10,7 @@ import (
 	"log"
 	"os"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 )
--- a/cmd/tailscale/cli/file.go
+++ b/cmd/tailscale/cli/file.go
@@ -23,7 +23,7 @@ import (
 	"time"
 	"unicode/utf8"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"golang.org/x/time/rate"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
@@ -91,7 +91,7 @@ func runCp(ctx context.Context, args []string) error {
 	} else if hadBrackets && (err != nil || !ip.Is6()) {
 		return errors.New("unexpected brackets around target")
 	}
-	ip, _, err := tailscaleIPFromArg(ctx, target)
+	ip, err := tailscaleIPFromArg(ctx, target)
 	if err != nil {
 		return err
 	}
--- a/cmd/tailscale/cli/ip.go
+++ b/cmd/tailscale/cli/ip.go
@@ -10,7 +10,7 @@ import (
 	"flag"
 	"fmt"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn/ipnstate"
@@ -46,7 +46,7 @@ func runIP(ctx context.Context, args []string) error {

 	v4, v6 := ipArgs.want4, ipArgs.want6
 	if v4 && v6 {
-		return errors.New("tailscale ip -4 and -6 are mutually exclusive")
+		return errors.New("tailscale up -4 and -6 are mutually exclusive")
 	}
 	if !v4 && !v6 {
 		v4, v6 = true, true
@@ -57,7 +57,7 @@ func runIP(ctx context.Context, args []string) error {
 	}
 	ips := st.TailscaleIPs
 	if of != "" {
-		ip, _, err := tailscaleIPFromArg(ctx, of)
+		ip, err := tailscaleIPFromArg(ctx, of)
 		if err != nil {
 			return err
 		}
@@ -101,12 +101,5 @@ func peerMatchingIP(st *ipnstate.Status, ipStr string) (ps *ipnstate.PeerStatus,
 			}
 		}
 	}
-	if ps := st.Self; ps != nil {
-		for _, pip := range ps.TailscaleIPs {
-			if ip == pip {
-				return ps, true
-			}
-		}
-	}
 	return nil, false
 }
--- a/cmd/tailscale/cli/logout.go
+++ b/cmd/tailscale/cli/logout.go
@@ -9,7 +9,7 @@ import (
 	"log"
 	"strings"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 )

--- a/cmd/tailscale/cli/netcheck.go
+++ b/cmd/tailscale/cli/netcheck.go
@@ -18,7 +18,7 @@ import (
 	"strings"
 	"time"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netcheck"
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -14,7 +14,7 @@ import (
 	"strings"
 	"time"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -84,14 +84,10 @@ func runPing(ctx context.Context, args []string) error {
 	go func() { pumpErr <- pump(ctx, bc, c) }()

 	hostOrIP := args[0]
-	ip, self, err := tailscaleIPFromArg(ctx, hostOrIP)
+	ip, err := tailscaleIPFromArg(ctx, hostOrIP)
 	if err != nil {
 		return err
 	}
-	if self {
-		fmt.Printf("%v is local Tailscale IP\n", ip)
-		return nil
-	}

 	if pingArgs.verbose && ip != hostOrIP {
 		log.Printf("lookup %q => %q", hostOrIP, ip)
@@ -111,10 +107,6 @@ func runPing(ctx context.Context, args []string) error {
 		case pr := <-prc:
 			timer.Stop()
 			if pr.Err != "" {
-				if pr.IsLocalIP {
-					fmt.Println(pr.Err)
-					return nil
-				}
 				return errors.New(pr.Err)
 			}
 			latency := time.Duration(pr.LatencySeconds * float64(time.Second)).Round(time.Millisecond)
@@ -155,39 +147,33 @@ func runPing(ctx context.Context, args []string) error {
 	}
 }

-func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, self bool, err error) {
+func tailscaleIPFromArg(ctx context.Context, hostOrIP string) (ip string, err error) {
 	// If the argument is an IP address, use it directly without any resolution.
 	if net.ParseIP(hostOrIP) != nil {
-		return hostOrIP, false, nil
+		return hostOrIP, nil
 	}

 	// Otherwise, try to resolve it first from the network peer list.
 	st, err := tailscale.Status(ctx)
 	if err != nil {
-		return "", false, err
-	}
-	match := func(ps *ipnstate.PeerStatus) bool {
-		return strings.EqualFold(hostOrIP, dnsOrQuoteHostname(st, ps)) || hostOrIP == ps.DNSName
+		return "", err
 	}
 	for _, ps := range st.Peer {
-		if match(ps) {
+		if hostOrIP == dnsOrQuoteHostname(st, ps) || hostOrIP == ps.DNSName {
 			if len(ps.TailscaleIPs) == 0 {
-				return "", false, errors.New("node found but lacks an IP")
+				return "", errors.New("node found but lacks an IP")
 			}
-			return ps.TailscaleIPs[0].String(), false, nil
+			return ps.TailscaleIPs[0].String(), nil
 		}
 	}
-	if match(st.Self) && len(st.Self.TailscaleIPs) > 0 {
-		return st.Self.TailscaleIPs[0].String(), true, nil
-	}

 	// Finally, use DNS.
 	var res net.Resolver
 	if addrs, err := res.LookupHost(ctx, hostOrIP); err != nil {
-		return "", false, fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
+		return "", fmt.Errorf("error looking up IP of %q: %v", hostOrIP, err)
 	} else if len(addrs) == 0 {
-		return "", false, fmt.Errorf("no IPs found for %q", hostOrIP)
+		return "", fmt.Errorf("no IPs found for %q", hostOrIP)
 	} else {
-		return addrs[0], false, nil
+		return addrs[0], nil
 	}
 }
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -14,14 +14,16 @@ import (
 	"net/http"
 	"os"
 	"strings"
+	"time"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"github.com/toqueteos/webbrowser"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/interfaces"
+	"tailscale.com/tstime/mono"
 	"tailscale.com/util/dnsname"
 )

@@ -61,7 +63,7 @@ func runStatus(ctx context.Context, args []string) error {
 	if statusArgs.json {
 		if statusArgs.active {
 			for peer, ps := range st.Peer {
-				if !ps.Active {
+				if !peerActive(ps) {
 					delete(st.Peer, peer)
 				}
 			}
@@ -122,21 +124,14 @@ func runStatus(ctx context.Context, args []string) error {
 	case ipn.NeedsMachineAuth.String():
 		fmt.Println("Machine is not yet authorized by tailnet admin.")
 		os.Exit(1)
-	case ipn.Running.String(), ipn.Starting.String():
+	case ipn.Running.String():
 		// Run below.
 	}

-	if len(st.Health) > 0 {
-		fmt.Printf("# Health check:\n")
-		for _, m := range st.Health {
-			fmt.Printf("#     - %s\n", m)
-		}
-		fmt.Println()
-	}
-
 	var buf bytes.Buffer
 	f := func(format string, a ...interface{}) { fmt.Fprintf(&buf, format, a...) }
 	printPS := func(ps *ipnstate.PeerStatus) {
+		active := peerActive(ps)
 		f("%-15s %-20s %-12s %-7s ",
 			firstIPString(ps.TailscaleIPs),
 			dnsOrQuoteHostname(st, ps),
@@ -145,7 +140,7 @@ func runStatus(ctx context.Context, args []string) error {
 		)
 		relay := ps.Relay
 		anyTraffic := ps.TxBytes != 0 || ps.RxBytes != 0
-		if !ps.Active {
+		if !active {
 			if ps.ExitNode {
 				f("idle; exit node")
 			} else if anyTraffic {
@@ -184,7 +179,8 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 		ipnstate.SortPeers(peers)
 		for _, ps := range peers {
-			if statusArgs.active && !ps.Active {
+			active := peerActive(ps)
+			if statusArgs.active && !active {
 				continue
 			}
 			printPS(ps)
@@ -194,6 +190,13 @@ func runStatus(ctx context.Context, args []string) error {
 	return nil
 }

+// peerActive reports whether ps has recent activity.
+//
+// TODO: have the server report this bool instead.
+func peerActive(ps *ipnstate.PeerStatus) bool {
+	return !ps.LastWrite.IsZero() && mono.Since(ps.LastWrite) < 2*time.Minute
+}
+
 func dnsOrQuoteHostname(st *ipnstate.Status, ps *ipnstate.PeerStatus) string {
 	baseName := dnsname.TrimSuffix(ps.DNSName, st.MagicDNSSuffix)
 	if baseName != "" {
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -17,7 +17,7 @@ import (
 	"sync"

 	shellquote "github.com/kballard/go-shellquote"
-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
@@ -372,8 +372,8 @@ func runUp(ctx context.Context, args []string) error {
 	c, bc, pumpCtx, cancel := connect(ctx)
 	defer cancel()

-	running := make(chan bool, 1)         // gets value once in state ipn.Running
-	gotEngineUpdate := make(chan bool, 1) // gets value upon an engine update
+	startingOrRunning := make(chan bool, 1) // gets value once starting or running
+	gotEngineUpdate := make(chan bool, 1)   // gets value upon an engine update
 	pumpErr := make(chan error, 1)
 	go func() { pumpErr <- pump(pumpCtx, bc, c) }()

@@ -408,14 +408,14 @@ func runUp(ctx context.Context, args []string) error {
 			case ipn.NeedsMachineAuth:
 				printed = true
 				fmt.Fprintf(os.Stderr, "\nTo authorize your machine, visit (as admin):\n\n\t%s\n\n", prefs.AdminPageURL())
-			case ipn.Running:
+			case ipn.Starting, ipn.Running:
 				// Done full authentication process
 				if printed {
 					// Only need to print an update if we printed the "please click" message earlier.
 					fmt.Fprintf(os.Stderr, "Success.\n")
 				}
 				select {
-				case running <- true:
+				case startingOrRunning <- true:
 				default:
 				}
 				cancel()
@@ -478,29 +478,17 @@ func runUp(ctx context.Context, args []string) error {
 		}
 	}

-	// This whole 'up' mechanism is too complicated and results in
-	// hairy stuff like this select. We're ultimately waiting for
-	// 'running' to be done, but even in the case where
-	// it succeeds, other parts may shut down concurrently so we
-	// need to prioritize reads from 'running' if it's
-	// readable; its send does happen before the pump mechanism
-	// shuts down. (Issue 2333)
 	select {
-	case <-running:
+	case <-startingOrRunning:
 		return nil
 	case <-pumpCtx.Done():
 		select {
-		case <-running:
+		case <-startingOrRunning:
 			return nil
 		default:
 		}
 		return pumpCtx.Err()
 	case err := <-pumpErr:
-		select {
-		case <-running:
-			return nil
-		default:
-		}
 		return err
 	}
 }
--- a/cmd/tailscale/cli/version.go
+++ b/cmd/tailscale/cli/version.go
@@ -10,7 +10,7 @@ import (
 	"fmt"
 	"log"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/version"
 )
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -7,7 +7,6 @@ package cli
 import (
 	"bytes"
 	"context"
-	"crypto/tls"
 	_ "embed"
 	"encoding/json"
 	"encoding/xml"
@@ -20,12 +19,11 @@ import (
 	"net/http"
 	"net/http/cgi"
 	"net/url"
-	"os"
 	"os/exec"
 	"runtime"
 	"strings"

-	"github.com/peterbourgon/ff/v3/ffcli"
+	"github.com/peterbourgon/ff/v2/ffcli"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/tailcfg"
@@ -85,29 +83,6 @@ var webArgs struct {
 	cgi    bool
 }

-func tlsConfigFromEnvironment() *tls.Config {
-	crt := os.Getenv("TLS_CRT_PEM")
-	key := os.Getenv("TLS_KEY_PEM")
-	if crt == "" || key == "" {
-		return nil
-	}
-
-	// We support passing in the complete certificate and key from environment
-	// variables because pfSense stores its cert+key in the PHP config. We populate
-	// TLS_CRT_PEM and TLS_KEY_PEM from PHP code before starting tailscale web.
-	// These are the PEM-encoded Certificate and Private Key.
-
-	cert, err := tls.X509KeyPair([]byte(crt), []byte(key))
-	if err != nil {
-		log.Printf("tlsConfigFromEnvironment: %v", err)
-
-		// Fallback to unencrypted HTTP.
-		return nil
-	}
-
-	return &tls.Config{Certificates: []tls.Certificate{cert}}
-}
-
 func runWeb(ctx context.Context, args []string) error {
 	if len(args) > 0 {
 		log.Fatalf("too many non-flag arguments: %q", args)
@@ -121,20 +96,8 @@ func runWeb(ctx context.Context, args []string) error {
 		return nil
 	}

-	tlsConfig := tlsConfigFromEnvironment()
-	if tlsConfig != nil {
-		server := &http.Server{
-			Addr:      webArgs.listen,
-			TLSConfig: tlsConfig,
-			Handler:   http.HandlerFunc(webHandler),
-		}
-
-		log.Printf("web server runNIng on: https://%s", server.Addr)
-		return server.ListenAndServeTLS("", "")
-	} else {
-		log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
-		return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
-	}
+	log.Printf("web server running on: %s", urlOfListenAddr(webArgs.listen))
+	return http.ListenAndServe(webArgs.listen, http.HandlerFunc(webHandler))
 }

 // urlOfListenAddr parses a given listen address into a formatted URL
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -28,7 +28,7 @@
 		<div class="flex items-center justify-end space-x-2 w-2/3">
 			{{ with .Profile.LoginName }}
 			<div class="text-right truncate leading-4">
-				<h4 class="truncate leading-normal">{{.}}</h4>
+				<h4 class="truncate">{{.}}</h4>
 				<a href="#" class="text-xs text-gray-500 hover:text-gray-700 js-loginButton">Switch account</a>
 			</div>
 			{{ end }}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -4,10 +4,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/kballard/go-shellquote                            from tailscale.com/cmd/tailscale/cli
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
-        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
-        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
-        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
+     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli
+        github.com/peterbourgon/ff/v2                                from github.com/peterbourgon/ff/v2/ffcli
+        github.com/peterbourgon/ff/v2/ffcli                          from tailscale.com/cmd/tailscale/cli
+        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2
        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
@@ -20,7 +20,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
        inet.af/netaddr                                              from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/atomicfile                                     from tailscale.com/ipn+
+        rsc.io/goversion/version                                     from tailscale.com/version
+        tailscale.com/atomicfile                                     from tailscale.com/ipn
        tailscale.com/client/tailscale                               from tailscale.com/cmd/tailscale/cli+
        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale+
        tailscale.com/cmd/tailscale/cli                              from tailscale.com/cmd/tailscale
@@ -31,13 +32,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
-        tailscale.com/kube                                           from tailscale.com/ipn
-     💣 tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/net/netcheck                                   from tailscale.com/cmd/tailscale/cli
-        tailscale.com/net/netknob                                    from tailscale.com/net/netns
        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp+
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
@@ -45,21 +44,19 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscale/cli+
        tailscale.com/safesocket                                     from tailscale.com/cmd/tailscale/cli+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
+     💣 tailscale.com/tstime/mono                                    from tailscale.com/cmd/tailscale/cli+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
        tailscale.com/types/empty                                    from tailscale.com/ipn
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
        tailscale.com/types/key                                      from tailscale.com/derp+
        tailscale.com/types/logger                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/netmap                                   from tailscale.com/ipn
        tailscale.com/types/opt                                      from tailscale.com/net/netcheck+
-        tailscale.com/types/pad32                                    from tailscale.com/derp
        tailscale.com/types/persist                                  from tailscale.com/ipn
        tailscale.com/types/preftype                                 from tailscale.com/cmd/tailscale/cli+
        tailscale.com/types/structs                                  from tailscale.com/ipn+
@@ -78,7 +75,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from crypto/tls+
        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/derp+
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/derp
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -102,8 +99,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/time/rate                                       from tailscale.com/cmd/tailscale/cli+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip
+        compress/flate                                               from compress/gzip+
        compress/gzip                                                from net/http
+        compress/zlib                                                from debug/elf+
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
        crypto                                                       from crypto/ecdsa+
@@ -126,6 +124,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/cmd/tailscale/cli
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -137,9 +139,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        encoding/xml                                                 from tailscale.com/cmd/tailscale/cli+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/derp+
-        flag                                                         from github.com/peterbourgon/ff/v3+
+        flag                                                         from github.com/peterbourgon/ff/v2+
        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnstate+
@@ -166,10 +169,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from tailscale.com/util/groupmember
-        path                                                         from html/template+
+        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/tailscale/goupnp/httpu+
+        regexp                                                       from rsc.io/goversion/version+
        regexp/syntax                                                from regexp
        runtime/debug                                                from golang.org/x/sync/singleflight
        sort                                                         from compress/flate+
@@ -178,7 +181,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from github.com/peterbourgon/ff/v3/ffcli+
+        text/tabwriter                                               from github.com/peterbourgon/ff/v2/ffcli+
        text/template                                                from html/template
        text/template/parse                                          from html/template+
        time                                                         from compress/gzip+
--- a/cmd/tailscaled/debug.go
+++ b/cmd/tailscaled/debug.go
@@ -35,7 +35,6 @@ import (
 )

 var debugArgs struct {
-	ifconfig  bool // print network state once and exit
 	monitor   bool
 	getURL    string
 	derpCheck string
@@ -46,7 +45,6 @@ var debugModeFunc = debugMode // so it can be addressable

 func debugMode(args []string) error {
 	fs := flag.NewFlagSet("debug", flag.ExitOnError)
-	fs.BoolVar(&debugArgs.ifconfig, "ifconfig", false, "If true, print network interface state")
 	fs.BoolVar(&debugArgs.monitor, "monitor", false, "If true, run link monitor forever. Precludes all other options.")
 	fs.BoolVar(&debugArgs.portmap, "portmap", false, "If true, run portmap debugging. Precludes all other options.")
 	fs.StringVar(&debugArgs.getURL, "get-url", "", "If non-empty, fetch provided URL.")
@@ -61,11 +59,8 @@ func debugMode(args []string) error {
 	if debugArgs.derpCheck != "" {
 		return checkDerp(ctx, debugArgs.derpCheck)
 	}
-	if debugArgs.ifconfig {
-		return runMonitor(ctx, false)
-	}
 	if debugArgs.monitor {
-		return runMonitor(ctx, true)
+		return runMonitor(ctx)
 	}
 	if debugArgs.portmap {
 		return debugPortmap(ctx)
@@ -76,7 +71,7 @@ func debugMode(args []string) error {
 	return errors.New("only --monitor is available at the moment")
 }

-func runMonitor(ctx context.Context, loop bool) error {
+func runMonitor(ctx context.Context) error {
 	dump := func(st *interfaces.State) {
 		j, _ := json.MarshalIndent(st, "", "    ")
 		os.Stderr.Write(j)
@@ -93,13 +88,8 @@ func runMonitor(ctx context.Context, loop bool) error {
 		log.Printf("Link monitor fired. New state:")
 		dump(st)
 	})
-	if loop {
-		log.Printf("Starting link change monitor; initial state:")
-	}
+	log.Printf("Starting link change monitor; initial state:")
 	dump(mon.InterfaceState())
-	if !loop {
-		return nil
-	}
 	mon.Start()
 	log.Printf("Started link change monitor; waiting...")
 	select {}
@@ -138,18 +128,11 @@ func getURL(ctx context.Context, urlStr string) error {
 		if err == nil && auth != "" {
 			tr.ProxyConnectHeader.Set("Proxy-Authorization", auth)
 		}
-		log.Printf("tshttpproxy.GetAuthHeader(%v) got: auth of %d bytes, err=%v", proxyURL, len(auth), err)
 		const truncLen = 20
 		if len(auth) > truncLen {
 			auth = fmt.Sprintf("%s...(%d total bytes)", auth[:truncLen], len(auth))
 		}
-		if auth != "" {
-			// We used log.Printf above (for timestamps).
-			// Use fmt.Printf here instead just to appease
-			// a security scanner, despite log.Printf only
-			// going to stdout.
-			fmt.Printf("... Proxy-Authorization = %q\n", auth)
-		}
+		log.Printf("tshttpproxy.GetAuthHeader(%v) for Proxy-Auth: = %q, %v", proxyURL, auth, err)
 	}
 	res, err := tr.RoundTrip(req)
 	if err != nil {
@@ -224,20 +207,6 @@ func debugPortmap(ctx context.Context) error {
 	defer cancel()

 	portmapper.VerboseLogs = true
-	switch os.Getenv("TS_DEBUG_PORTMAP_TYPE") {
-	case "":
-	case "pmp":
-		portmapper.DisablePCP = true
-		portmapper.DisableUPnP = true
-	case "pcp":
-		portmapper.DisablePMP = true
-		portmapper.DisableUPnP = true
-	case "upnp":
-		portmapper.DisablePCP = true
-		portmapper.DisablePMP = true
-	default:
-		log.Fatalf("TS_DEBUG_PORTMAP_TYPE must be one of pmp,pcp,upnp")
-	}

 	done := make(chan bool, 1)

@@ -281,13 +250,6 @@ func debugPortmap(ctx context.Context) error {
 	}
 	logf("gw=%v; self=%v", gw, selfIP)

-	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
-	if err != nil {
-		return err
-	}
-	defer uc.Close()
-	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
-
 	res, err := c.Probe(ctx)
 	if err != nil {
 		return fmt.Errorf("Probe: %v", err)
@@ -299,6 +261,13 @@ func debugPortmap(ctx context.Context) error {
 		return nil
 	}

+	uc, err := net.ListenPacket("udp", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	defer uc.Close()
+	c.SetLocalPort(uint16(uc.LocalAddr().(*net.UDPAddr).Port))
+
 	if ext, ok := c.GetCachedMappingOrStartCreatingOne(); ok {
 		logf("mapping: %v", ext)
 	} else {
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -8,37 +8,28 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   W 💣 github.com/go-ole/go-ole                                     from github.com/go-ole/go-ole/oleutil+
   W 💣 github.com/go-ole/go-ole/oleutil                             from tailscale.com/wgengine/winnet
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns
+        github.com/golang/snappy                                     from github.com/klauspost/compress/zstd
        github.com/google/btree                                      from inet.af/netstack/tcpip/header+
-   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
-   L    github.com/insomniacslk/dhcp/iana                            from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/interfaces                      from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/insomniacslk/dhcp/rfc1035label                    from github.com/insomniacslk/dhcp/dhcpv4
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/wgengine/monitor
   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress                                from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/fse                            from github.com/klauspost/compress/huff0
        github.com/klauspost/compress/huff0                          from github.com/klauspost/compress/zstd
-        github.com/klauspost/compress/internal/snapref               from github.com/klauspost/compress/zstd
        github.com/klauspost/compress/zstd                           from tailscale.com/smallzstd
        github.com/klauspost/compress/zstd/internal/xxhash           from github.com/klauspost/compress/zstd
   L 💣 github.com/mdlayher/netlink                                  from tailscale.com/wgengine/monitor+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/mdlayher/netlink+
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
   W    github.com/pkg/errors                                        from github.com/tailscale/certstore
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
-        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2+
+        github.com/tailscale/goupnp                                  from github.com/tailscale/goupnp/dcps/internetgateway2
        github.com/tailscale/goupnp/dcps/internetgateway2            from tailscale.com/net/portmapper
        github.com/tailscale/goupnp/httpu                            from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
-   L    github.com/u-root/uio/rand                                   from github.com/insomniacslk/dhcp/dhcpv4
-   L    github.com/u-root/uio/ubinary                                from github.com/u-root/uio/uio
-   L    github.com/u-root/uio/uio                                    from github.com/insomniacslk/dhcp/dhcpv4+
     💣 go4.org/intern                                               from inet.af/netaddr
     💣 go4.org/mem                                                  from tailscale.com/derp+
        go4.org/unsafe/assume-no-moving-gc                           from go4.org/intern
@@ -50,7 +41,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.zx2c4.com/wireguard/ratelimiter                       from golang.zx2c4.com/wireguard/device
        golang.zx2c4.com/wireguard/replay                            from golang.zx2c4.com/wireguard/device
        golang.zx2c4.com/wireguard/rwcancel                          from golang.zx2c4.com/wireguard/device+
-        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device
+        golang.zx2c4.com/wireguard/tai64n                            from golang.zx2c4.com/wireguard/device+
     💣 golang.zx2c4.com/wireguard/tun                               from golang.zx2c4.com/wireguard/device+
   W 💣 golang.zx2c4.com/wireguard/tun/wintun                        from golang.zx2c4.com/wireguard/tun+
   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
@@ -75,7 +66,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/tcpip/network/hash                          from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/fragmentation        from inet.af/netstack/tcpip/network/ipv4+
        inet.af/netstack/tcpip/network/internal/ip                   from inet.af/netstack/tcpip/network/ipv4+
-        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/wgengine/netstack+
+        inet.af/netstack/tcpip/network/ipv4                          from tailscale.com/wgengine/netstack
        inet.af/netstack/tcpip/network/ipv6                          from tailscale.com/wgengine/netstack
        inet.af/netstack/tcpip/ports                                 from inet.af/netstack/tcpip/stack+
        inet.af/netstack/tcpip/seqnum                                from inet.af/netstack/tcpip/header+
@@ -89,8 +80,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        inet.af/netstack/waiter                                      from inet.af/netstack/tcpip+
        inet.af/peercred                                             from tailscale.com/ipn/ipnserver
   W 💣 inet.af/wf                                                   from tailscale.com/wf
+        rsc.io/goversion/version                                     from tailscale.com/version
        tailscale.com/atomicfile                                     from tailscale.com/ipn+
-  LD    tailscale.com/chirp                                          from tailscale.com/cmd/tailscaled
        tailscale.com/client/tailscale                               from tailscale.com/derp
        tailscale.com/client/tailscale/apitype                       from tailscale.com/ipn/ipnlocal+
        tailscale.com/control/controlclient                          from tailscale.com/ipn/ipnlocal+
@@ -106,14 +97,13 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/ipn/ipnstate                                   from tailscale.com/ipn+
        tailscale.com/ipn/localapi                                   from tailscale.com/ipn/ipnserver
        tailscale.com/ipn/policy                                     from tailscale.com/ipn/ipnlocal
-        tailscale.com/kube                                           from tailscale.com/ipn
        tailscale.com/log/filelogger                                 from tailscale.com/ipn/ipnserver
        tailscale.com/log/logheap                                    from tailscale.com/control/controlclient
        tailscale.com/logpolicy                                      from tailscale.com/cmd/tailscaled
        tailscale.com/logtail                                        from tailscale.com/logpolicy
        tailscale.com/logtail/backoff                                from tailscale.com/control/controlclient+
        tailscale.com/logtail/filch                                  from tailscale.com/logpolicy
-     💣 tailscale.com/metrics                                        from tailscale.com/derp
+        tailscale.com/metrics                                        from tailscale.com/derp
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dns/resolver                               from tailscale.com/wgengine+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -121,7 +111,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
     💣 tailscale.com/net/interfaces                                 from tailscale.com/cmd/tailscaled+
        tailscale.com/net/netcheck                                   from tailscale.com/wgengine/magicsock
-        tailscale.com/net/netknob                                    from tailscale.com/ipn/localapi+
        tailscale.com/net/netns                                      from tailscale.com/control/controlclient+
     💣 tailscale.com/net/netstat                                    from tailscale.com/ipn/ipnserver
        tailscale.com/net/packet                                     from tailscale.com/wgengine+
@@ -133,17 +122,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn/ipnlocal+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/control/controlclient+
        tailscale.com/net/tstun                                      from tailscale.com/cmd/tailscaled+
-     💣 tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
+        tailscale.com/paths                                          from tailscale.com/cmd/tailscaled+
        tailscale.com/portlist                                       from tailscale.com/ipn/ipnlocal
        tailscale.com/safesocket                                     from tailscale.com/ipn/ipnserver+
        tailscale.com/smallzstd                                      from tailscale.com/ipn/ipnserver+
-     💣 tailscale.com/syncs                                          from tailscale.com/net/interfaces+
+        tailscale.com/syncs                                          from tailscale.com/net/interfaces+
        tailscale.com/tailcfg                                        from tailscale.com/control/controlclient+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter
-        tailscale.com/types/dnstype                                  from tailscale.com/ipn/ipnlocal+
        tailscale.com/types/empty                                    from tailscale.com/control/controlclient+
        tailscale.com/types/flagtype                                 from tailscale.com/cmd/tailscaled
        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
@@ -152,7 +140,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/types/netmap                                   from tailscale.com/control/controlclient+
        tailscale.com/types/nettype                                  from tailscale.com/wgengine/magicsock
        tailscale.com/types/opt                                      from tailscale.com/control/controlclient+
-        tailscale.com/types/pad32                                    from tailscale.com/net/tstun+
        tailscale.com/types/persist                                  from tailscale.com/control/controlclient+
        tailscale.com/types/preftype                                 from tailscale.com/ipn+
        tailscale.com/types/structs                                  from tailscale.com/control/controlclient+
@@ -162,7 +149,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/dnsname                                   from tailscale.com/ipn/ipnstate+
  LW    tailscale.com/util/endian                                    from tailscale.com/net/netns+
        tailscale.com/util/groupmember                               from tailscale.com/ipn/ipnserver
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
+        tailscale.com/util/lineread                                  from tailscale.com/control/controlclient+
        tailscale.com/util/osshare                                   from tailscale.com/cmd/tailscaled+
        tailscale.com/util/pidowner                                  from tailscale.com/ipn/ipnserver
        tailscale.com/util/racebuild                                 from tailscale.com/logpolicy
@@ -170,7 +157,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/uniq                                      from tailscale.com/wgengine/magicsock
        tailscale.com/util/winutil                                   from tailscale.com/logpolicy+
        tailscale.com/version                                        from tailscale.com/cmd/tailscaled+
-        tailscale.com/version/distro                                 from tailscale.com/cmd/tailscaled+
+        tailscale.com/version/distro                                 from tailscale.com/control/controlclient+
   W    tailscale.com/wf                                             from tailscale.com/cmd/tailscaled
        tailscale.com/wgengine                                       from tailscale.com/cmd/tailscaled+
        tailscale.com/wgengine/filter                                from tailscale.com/control/controlclient+
@@ -182,16 +169,15 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/wgengine/wgcfg/nmcfg                           from tailscale.com/ipn/ipnlocal
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
-        golang.org/x/crypto/acme                                     from tailscale.com/ipn/localapi
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device
+        golang.org/x/crypto/blake2s                                  from golang.zx2c4.com/wireguard/device+
        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
        golang.org/x/crypto/chacha20poly1305                         from crypto/tls+
        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
        golang.org/x/crypto/curve25519                               from crypto/tls+
        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/derp+
+        golang.org/x/crypto/nacl/box                                 from tailscale.com/control/controlclient+
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/poly1305                                 from golang.org/x/crypto/chacha20poly1305+
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
@@ -221,8 +207,9 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/time/rate                                       from inet.af/netstack/tcpip/stack+
        bufio                                                        from compress/flate+
        bytes                                                        from bufio+
-        compress/flate                                               from compress/gzip
+        compress/flate                                               from compress/gzip+
        compress/gzip                                                from internal/profile+
+        compress/zlib                                                from debug/elf+
        container/heap                                               from inet.af/netstack/tcpip/transport/tcp
        container/list                                               from crypto/tls+
        context                                                      from crypto/tls+
@@ -246,6 +233,10 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        crypto/tls                                                   from github.com/tcnksm/go-httpstat+
        crypto/x509                                                  from crypto/tls+
        crypto/x509/pkix                                             from crypto/x509+
+        debug/dwarf                                                  from debug/elf+
+        debug/elf                                                    from rsc.io/goversion/version
+        debug/macho                                                  from rsc.io/goversion/version
+        debug/pe                                                     from rsc.io/goversion/version
        embed                                                        from tailscale.com/net/dns+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
@@ -259,7 +250,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        expvar                                                       from tailscale.com/derp+
        flag                                                         from tailscale.com/cmd/tailscaled+
        fmt                                                          from compress/flate+
-        hash                                                         from crypto+
+        hash                                                         from compress/zlib+
+        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
@@ -278,16 +270,16 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        net                                                          from crypto/tls+
        net/http                                                     from expvar+
        net/http/httptrace                                           from github.com/tcnksm/go-httpstat+
-        net/http/httputil                                            from tailscale.com/ipn/localapi+
+        net/http/httputil                                            from tailscale.com/ipn/localapi
        net/http/internal                                            from net/http+
-        net/http/pprof                                               from tailscale.com/cmd/tailscaled+
+        net/http/pprof                                               from tailscale.com/cmd/tailscaled
        net/textproto                                                from golang.org/x/net/http/httpguts+
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
        os/exec                                                      from github.com/coreos/go-iptables/iptables+
        os/signal                                                    from tailscale.com/cmd/tailscaled+
        os/user                                                      from github.com/godbus/dbus/v5+
-        path                                                         from github.com/godbus/dbus/v5+
+        path                                                         from debug/dwarf+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/coreos/go-iptables/iptables+
--- a/cmd/tailscaled/proxy.go
+++ b/cmd/tailscaled/proxy.go
@@ -1,79 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// HTTP proxy code
-
-package main
-
-import (
-	"context"
-	"io"
-	"net"
-	"net/http"
-	"net/http/httputil"
-	"strings"
-)
-
-// httpProxyHandler returns an HTTP proxy http.Handler using the
-// provided backend dialer.
-func httpProxyHandler(dialer func(ctx context.Context, netw, addr string) (net.Conn, error)) http.Handler {
-	rp := &httputil.ReverseProxy{
-		Director: func(r *http.Request) {}, // no change
-		Transport: &http.Transport{
-			DialContext: dialer,
-		},
-	}
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.Method != "CONNECT" {
-			backURL := r.RequestURI
-			if strings.HasPrefix(backURL, "/") || backURL == "*" {
-				http.Error(w, "bogus RequestURI; must be absolute URL or CONNECT", 400)
-				return
-			}
-			rp.ServeHTTP(w, r)
-			return
-		}
-
-		// CONNECT support:
-
-		dst := r.RequestURI
-		c, err := dialer(r.Context(), "tcp", dst)
-		if err != nil {
-			w.Header().Set("Tailscale-Connect-Error", err.Error())
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		defer c.Close()
-
-		cc, ccbuf, err := w.(http.Hijacker).Hijack()
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-			return
-		}
-		defer cc.Close()
-
-		io.WriteString(cc, "HTTP/1.1 200 OK\r\n\r\n")
-
-		var clientSrc io.Reader = ccbuf
-		if ccbuf.Reader.Buffered() == 0 {
-			// In the common case (with no
-			// buffered data), read directly from
-			// the underlying client connection to
-			// save some memory, letting the
-			// bufio.Reader/Writer get GC'ed.
-			clientSrc = cc
-		}
-
-		errc := make(chan error, 1)
-		go func() {
-			_, err := io.Copy(cc, c)
-			errc <- err
-		}()
-		go func() {
-			_, err := io.Copy(c, clientSrc)
-			errc <- err
-		}()
-		<-errc
-	})
-}
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -32,7 +32,6 @@ import (
 	"tailscale.com/ipn/ipnserver"
 	"tailscale.com/logpolicy"
 	"tailscale.com/net/dns"
-	"tailscale.com/net/netns"
 	"tailscale.com/net/socks5/tssocks"
 	"tailscale.com/net/tstun"
 	"tailscale.com/paths"
@@ -69,26 +68,19 @@ func defaultTunName() string {
 }

 var args struct {
-	// tunname is a /dev/net/tun tunnel name ("tailscale0"), the
-	// string "userspace-networking", "tap:TAPNAME[:BRIDGENAME]"
-	// or comma-separated list thereof.
-	tunname string
-
-	cleanup        bool
-	debug          string
-	port           uint16
-	statepath      string
-	socketpath     string
-	birdSocketPath string
-	verbose        int
-	socksAddr      string // listen address for SOCKS5 server
-	httpProxyAddr  string // listen address for HTTP proxy server
+	cleanup    bool
+	debug      string
+	tunname    string // tun name, "userspace-networking", or comma-separated list thereof
+	port       uint16
+	statepath  string
+	socketpath string
+	verbose    int
+	socksAddr  string // listen address for SOCKS5 server
 }

 var (
-	installSystemDaemon   func([]string) error                      // non-nil on some platforms
-	uninstallSystemDaemon func([]string) error                      // non-nil on some platforms
-	createBIRDClient      func(string) (wgengine.BIRDClient, error) // non-nil on some platforms
+	installSystemDaemon   func([]string) error // non-nil on some platforms
+	uninstallSystemDaemon func([]string) error // non-nil on some platforms
 )

 var subCommands = map[string]*func([]string) error{
@@ -111,12 +103,10 @@ func main() {
 	flag.BoolVar(&args.cleanup, "cleanup", false, "clean up system state and exit")
 	flag.StringVar(&args.debug, "debug", "", "listen address ([ip]:port) of optional debug server")
 	flag.StringVar(&args.socksAddr, "socks5-server", "", `optional [ip]:port to run a SOCK5 server (e.g. "localhost:1080")`)
-	flag.StringVar(&args.httpProxyAddr, "http-proxy-server", "", `optional [ip]:port to run an HTTP proxy (e.g. "localhost:8080")`)
 	flag.StringVar(&args.tunname, "tun", defaultTunName(), `tunnel interface name; use "userspace-networking" (beta) to not use TUN`)
 	flag.Var(flagtype.PortValue(&args.port, 0), "port", "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
-	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file; use 'kube:<secret-name>' to use Kubernetes secrets")
+	flag.StringVar(&args.statepath, "state", paths.DefaultTailscaledStateFile(), "path of state file")
 	flag.StringVar(&args.socketpath, "socket", paths.DefaultTailscaledSocket(), "path of the service unix socket")
-	flag.StringVar(&args.birdSocketPath, "bird-socket", "", "path of the bird unix socket")
 	flag.BoolVar(&printVersion, "version", false, "print version information and exit")

 	if len(os.Args) > 1 {
@@ -148,7 +138,7 @@ func main() {
 		os.Exit(0)
 	}

-	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") && !args.cleanup {
+	if runtime.GOOS == "darwin" && os.Getuid() != 0 && !strings.Contains(args.tunname, "userspace-networking") {
 		log.SetFlags(0)
 		log.Fatalf("tailscaled requires root; use sudo tailscaled (or use --tun=userspace-networking)")
 	}
@@ -158,11 +148,6 @@ func main() {
 		log.Fatalf("--socket is required")
 	}

-	if args.birdSocketPath != "" && createBIRDClient == nil {
-		log.SetFlags(0)
-		log.Fatalf("--bird-socket is not supported on %s", runtime.GOOS)
-	}
-
 	err := run()

 	// Remove file sharing from Windows shell (noop in non-windows)
@@ -174,34 +159,6 @@ func main() {
 	}
 }

-func trySynologyMigration(p string) error {
-	if runtime.GOOS != "linux" || distro.Get() != distro.Synology {
-		return nil
-	}
-
-	fi, err := os.Stat(p)
-	if err == nil && fi.Size() > 0 || !os.IsNotExist(err) {
-		return err
-	}
-	// File is empty or doesn't exist, try reading from the old path.
-
-	const oldPath = "/var/packages/Tailscale/etc/tailscaled.state"
-	if _, err := os.Stat(oldPath); err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return err
-	}
-
-	if err := os.Chown(oldPath, os.Getuid(), os.Getgid()); err != nil {
-		return err
-	}
-	if err := os.Rename(oldPath, p); err != nil {
-		return err
-	}
-	return nil
-}
-
 func ipnServerOpts() (o ipnserver.Options) {
 	// Allow changing the OS-specific IPN behavior for tests
 	// so we can e.g. test Windows-specific behaviors on Linux.
@@ -264,9 +221,6 @@ func run() error {
 	if args.statepath == "" {
 		log.Fatalf("--state is required")
 	}
-	if err := trySynologyMigration(args.statepath); err != nil {
-		log.Printf("error in synology migration: %v", err)
-	}

 	var debugMux *http.ServeMux
 	if args.debug != "" {
@@ -280,8 +234,19 @@ func run() error {
 	}
 	pol.Logtail.SetLinkMonitor(linkMon)

-	socksListener := mustStartTCPListener("SOCKS5", args.socksAddr)
-	httpProxyListener := mustStartTCPListener("HTTP proxy", args.httpProxyAddr)
+	var socksListener net.Listener
+	if args.socksAddr != "" {
+		var err error
+		socksListener, err = net.Listen("tcp", args.socksAddr)
+		if err != nil {
+			log.Fatalf("SOCKS5 listener: %v", err)
+		}
+		if strings.HasSuffix(args.socksAddr, ":0") {
+			// Log kernel-selected port number so integration tests
+			// can find it portably.
+			log.Printf("SOCKS5 listening on %v", socksListener.Addr())
+		}
+	}

 	e, useNetstack, err := createEngine(logf, linkMon)
 	if err != nil {
@@ -295,19 +260,11 @@ func run() error {
 		ns = mustStartNetstack(logf, e, onlySubnets)
 	}

-	if socksListener != nil || httpProxyListener != nil {
+	if socksListener != nil {
 		srv := tssocks.NewServer(logger.WithPrefix(logf, "socks5: "), e, ns)
-		if httpProxyListener != nil {
-			hs := &http.Server{Handler: httpProxyHandler(srv.Dialer)}
-			go func() {
-				log.Fatalf("HTTP proxy exited: %v", hs.Serve(httpProxyListener))
-			}()
-		}
-		if socksListener != nil {
-			go func() {
-				log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
-			}()
-		}
+		go func() {
+			log.Fatalf("SOCKS5 server exited: %v", srv.Serve(socksListener))
+		}()
 	}

 	e = wgengine.NewWatchdog(e)
@@ -374,9 +331,9 @@ func shouldWrapNetstack() bool {
 		return true
 	}
 	switch runtime.GOOS {
-	case "windows", "darwin", "freebsd":
+	case "windows", "darwin":
 		// Enable on Windows and tailscaled-on-macOS (this doesn't
-		// affect the GUI clients), and on FreeBSD.
+		// affect the GUI clients).
 		return true
 	}
 	return false
@@ -387,17 +344,7 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 		ListenPort:  args.port,
 		LinkMonitor: linkMon,
 	}
-
 	useNetstack = name == "userspace-networking"
-	netns.SetEnabled(!useNetstack)
-
-	if args.birdSocketPath != "" && createBIRDClient != nil {
-		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
-		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
-		if err != nil {
-			return nil, false, err
-		}
-	}
 	if !useNetstack {
 		dev, devName, err := tstun.New(logf, name)
 		if err != nil {
@@ -405,12 +352,6 @@ func tryEngine(logf logger.Logf, linkMon *monitor.Mon, name string) (e wgengine.
 			return nil, false, err
 		}
 		conf.Tun = dev
-		if strings.HasPrefix(name, "tap:") {
-			conf.IsTAP = true
-			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			return e, false, err
-		}
-
 		r, err := router.New(logf, dev, linkMon)
 		if err != nil {
 			dev.Close()
@@ -467,19 +408,3 @@ func mustStartNetstack(logf logger.Logf, e wgengine.Engine, onlySubnets bool) *n
 	}
 	return ns
 }
-
-func mustStartTCPListener(name, addr string) net.Listener {
-	if addr == "" {
-		return nil
-	}
-	ln, err := net.Listen("tcp", addr)
-	if err != nil {
-		log.Fatalf("%v listener: %v", name, err)
-	}
-	if strings.HasSuffix(addr, ":0") {
-		// Log kernel-selected port number so integration tests
-		// can find it portably.
-		log.Printf("%v listening on %v", name, ln.Addr())
-	}
-	return ln
-}
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -15,7 +15,7 @@ Restart=on-failure
 RuntimeDirectory=tailscale
 RuntimeDirectoryMode=0755
 StateDirectory=tailscale
-StateDirectoryMode=0700
+StateDirectoryMode=0750
 CacheDirectory=tailscale
 CacheDirectoryMode=0750
 Type=notify
--- a/cmd/tailscaled/tailscaled_bird.go
+++ b/cmd/tailscaled/tailscaled_bird.go
@@ -1,19 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build linux || darwin || freebsd || openbsd
-// +build linux darwin freebsd openbsd
-
-package main
-
-import (
-	"tailscale.com/chirp"
-	"tailscale.com/wgengine"
-)
-
-func init() {
-	createBIRDClient = func(ctlSocket string) (wgengine.BIRDClient, error) {
-		return chirp.New(ctlSocket)
-	}
-}
--- a/cmd/tailscaled/tailscaled_notwindows.go
+++ b/cmd/tailscaled/tailscaled_notwindows.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 package main // import "tailscale.com/cmd/tailscaled"
--- a/cmd/testcontrol/testcontrol.go
+++ b/cmd/testcontrol/testcontrol.go
@@ -1,98 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Program testcontrol runs a simple test control server.
-package main
-
-import (
-	"flag"
-	"log"
-	"net/http"
-	"testing"
-
-	"tailscale.com/tstest/integration"
-	"tailscale.com/tstest/integration/testcontrol"
-	"tailscale.com/types/logger"
-)
-
-var (
-	flagNFake = flag.Int("nfake", 0, "number of fake nodes to add to network")
-)
-
-func main() {
-	flag.Parse()
-
-	var t fakeTB
-	derpMap := integration.RunDERPAndSTUN(t, logger.Discard, "127.0.0.1")
-
-	control := &testcontrol.Server{
-		DERPMap:         derpMap,
-		ExplicitBaseURL: "http://127.0.0.1:9911",
-	}
-	for i := 0; i < *flagNFake; i++ {
-		control.AddFakeNode()
-	}
-	mux := http.NewServeMux()
-	mux.Handle("/", control)
-	addr := "127.0.0.1:9911"
-	log.Printf("listening on %s", addr)
-	err := http.ListenAndServe(addr, mux)
-	log.Fatal(err)
-}
-
-type fakeTB struct {
-	*testing.T
-}
-
-func (t fakeTB) Cleanup(_ func()) {}
-func (t fakeTB) Error(args ...interface{}) {
-	t.Fatal(args...)
-}
-func (t fakeTB) Errorf(format string, args ...interface{}) {
-	t.Fatalf(format, args...)
-}
-func (t fakeTB) Fail() {
-	t.Fatal("failed")
-}
-func (t fakeTB) FailNow() {
-	t.Fatal("failed")
-}
-func (t fakeTB) Failed() bool {
-	return false
-}
-func (t fakeTB) Fatal(args ...interface{}) {
-	log.Fatal(args...)
-}
-func (t fakeTB) Fatalf(format string, args ...interface{}) {
-	log.Fatalf(format, args...)
-}
-func (t fakeTB) Helper() {}
-func (t fakeTB) Log(args ...interface{}) {
-	log.Print(args...)
-}
-func (t fakeTB) Logf(format string, args ...interface{}) {
-	log.Printf(format, args...)
-}
-func (t fakeTB) Name() string {
-	return "faketest"
-}
-func (t fakeTB) Setenv(key string, value string) {
-	panic("not implemented")
-}
-func (t fakeTB) Skip(args ...interface{}) {
-	t.Fatal("skipped")
-}
-func (t fakeTB) SkipNow() {
-	t.Fatal("skipnow")
-}
-func (t fakeTB) Skipf(format string, args ...interface{}) {
-	t.Logf(format, args...)
-	t.Fatal("skipped")
-}
-func (t fakeTB) Skipped() bool {
-	return false
-}
-func (t fakeTB) TempDir() string {
-	panic("not implemented")
-}
--- a/cmd/tsshd/tsshd.go
+++ b/cmd/tsshd/tsshd.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows
 // +build !windows

 // The tsshd binary is an SSH server that accepts connections
--- a/cmd/tsshd/tsshd_windows.go
+++ b/cmd/tsshd/tsshd_windows.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows
 // +build windows

 package main
--- a/control/controlclient/client.go
+++ b/control/controlclient/client.go
@@ -69,7 +69,7 @@ type Client interface {
 	SetNetInfo(*tailcfg.NetInfo)
 	// UpdateEndpoints changes the Endpoint structure that will be sent
 	// in subsequent node registration requests.
-	// The localPort field is unused except for integration tests in another repo.
+	// TODO: localPort seems to be obsolete, remove it.
 	// TODO: a server-side change would let us simply upload this
 	// in a separate http request. It has nothing to do with the rest of
 	// the state machine.
--- a/control/controlclient/controlclient_test.go
+++ b/control/controlclient/controlclient_test.go
@@ -75,3 +75,10 @@ func TestStatusEqual(t *testing.T) {
 		}
 	}
 }
+
+func TestOSVersion(t *testing.T) {
+	if osVersion == nil {
+		t.Skip("not available for OS")
+	}
+	t.Logf("Got: %#q", osVersion())
+}
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -7,6 +7,7 @@ package controlclient
 import (
 	"bytes"
 	"context"
+	"crypto/rand"
 	"encoding/binary"
 	"encoding/json"
 	"errors"
@@ -19,6 +20,7 @@ import (
 	"net/url"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"reflect"
 	"runtime"
 	"strconv"
@@ -27,11 +29,10 @@ import (
 	"sync/atomic"
 	"time"

-	"go4.org/mem"
+	"golang.org/x/crypto/nacl/box"
 	"inet.af/netaddr"
 	"tailscale.com/control/controlknobs"
 	"tailscale.com/health"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/log/logheap"
 	"tailscale.com/net/dnscache"
@@ -41,13 +42,14 @@ import (
 	"tailscale.com/net/tlsdial"
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/opt"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/wgkey"
+	"tailscale.com/util/dnsname"
 	"tailscale.com/util/systemd"
+	"tailscale.com/version"
 	"tailscale.com/wgengine/monitor"
 )

@@ -62,14 +64,14 @@ type Direct struct {
 	logf                   logger.Logf
 	linkMon                *monitor.Mon // or nil
 	discoPubKey            tailcfg.DiscoKey
-	getMachinePrivKey      func() (key.MachinePrivate, error)
+	getMachinePrivKey      func() (wgkey.Private, error)
 	debugFlags             []string
 	keepSharerAndUserSplit bool
 	skipIPForwardingCheck  bool
 	pinger                 Pinger

 	mu           sync.Mutex // mutex guards the following fields
-	serverKey    key.MachinePublic
+	serverKey    wgkey.Key
 	persist      persist.Persist
 	authKey      string
 	tryingNewKey wgkey.Private
@@ -83,12 +85,12 @@ type Direct struct {
 }

 type Options struct {
-	Persist              persist.Persist                    // initial persistent data
-	GetMachinePrivateKey func() (key.MachinePrivate, error) // returns the machine key to use
-	ServerURL            string                             // URL of the tailcontrol server
-	AuthKey              string                             // optional node auth key for auto registration
-	TimeNow              func() time.Time                   // time.Now implementation used by Client
-	Hostinfo             *tailcfg.Hostinfo                  // non-nil passes ownership, nil means to use default using os.Hostname, etc
+	Persist              persist.Persist               // initial persistent data
+	GetMachinePrivateKey func() (wgkey.Private, error) // returns the machine key to use
+	ServerURL            string                        // URL of the tailcontrol server
+	AuthKey              string                        // optional node auth key for auto registration
+	TimeNow              func() time.Time              // time.Now implementation used by Client
+	Hostinfo             *tailcfg.Hostinfo             // non-nil passes ownership, nil means to use default using os.Hostname, etc
 	DiscoPublicKey       tailcfg.DiscoKey
 	NewDecompressor      func() (Decompressor, error)
 	KeepAlive            bool
@@ -182,13 +184,53 @@ func NewDirect(opts Options) (*Direct, error) {
 		pinger:                 opts.Pinger,
 	}
 	if opts.Hostinfo == nil {
-		c.SetHostinfo(hostinfo.New())
+		c.SetHostinfo(NewHostinfo())
 	} else {
 		c.SetHostinfo(opts.Hostinfo)
 	}
 	return c, nil
 }

+var osVersion func() string // non-nil on some platforms
+
+func NewHostinfo() *tailcfg.Hostinfo {
+	hostname, _ := os.Hostname()
+	hostname = dnsname.FirstLabel(hostname)
+	var osv string
+	if osVersion != nil {
+		osv = osVersion()
+	}
+	return &tailcfg.Hostinfo{
+		IPNVersion: version.Long,
+		Hostname:   hostname,
+		OS:         version.OS(),
+		OSVersion:  osv,
+		Package:    packageType(),
+		GoArch:     runtime.GOARCH,
+	}
+}
+
+func packageType() string {
+	switch runtime.GOOS {
+	case "windows":
+		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
+			return "choco"
+		}
+	case "darwin":
+		// Using tailscaled or IPNExtension?
+		exe, _ := os.Executable()
+		return filepath.Base(exe)
+	case "linux":
+		// Report whether this is in a snap.
+		// See https://snapcraft.io/docs/environment-variables
+		// We just look at two somewhat arbitrarily.
+		if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
+			return "snap"
+		}
+	}
+	return ""
+}
+
 // SetHostinfo clones the provided Hostinfo and remembers it for the
 // next update. It reports whether the Hostinfo has changed.
 func (c *Direct) SetHostinfo(hi *tailcfg.Hostinfo) bool {
@@ -320,7 +362,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		if err != nil {
 			return regen, opt.URL, err
 		}
-		c.logf("control server key %s from %s", serverKey.ShortString(), c.serverURL)
+		c.logf("control server key %s from %s", serverKey.HexString(), c.serverURL)

 		c.mu.Lock()
 		c.serverKey = serverKey
@@ -398,13 +440,13 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 		c.logf("RegisterRequest: %s", j)
 	}

-	bodyData, err := encode(request, serverKey, machinePrivKey)
+	bodyData, err := encode(request, &serverKey, &machinePrivKey)
 	if err != nil {
 		return regen, opt.URL, err
 	}
 	body := bytes.NewReader(bodyData)

-	u := fmt.Sprintf("%s/machine/%s", c.serverURL, machinePrivKey.Public().UntypedHexString())
+	u := fmt.Sprintf("%s/machine/%s", c.serverURL, machinePrivKey.Public().HexString())
 	req, err := http.NewRequest("POST", u, body)
 	if err != nil {
 		return regen, opt.URL, err
@@ -422,7 +464,7 @@ func (c *Direct) doLogin(ctx context.Context, opt loginOpt) (mustRegen bool, new
 			res.StatusCode, strings.TrimSpace(string(msg)))
 	}
 	resp := tailcfg.RegisterResponse{}
-	if err := decode(res, &resp, serverKey, machinePrivKey); err != nil {
+	if err := decode(res, &resp, &serverKey, &machinePrivKey); err != nil {
 		c.logf("error decoding RegisterResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return regen, opt.URL, fmt.Errorf("register request: %v", err)
 	}
@@ -636,7 +678,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		request.ReadOnly = true
 	}

-	bodyData, err := encode(request, serverKey, machinePrivKey)
+	bodyData, err := encode(request, &serverKey, &machinePrivKey)
 	if err != nil {
 		vlogf("netmap: encode: %v", err)
 		return err
@@ -645,9 +687,9 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()

-	machinePubKey := machinePrivKey.Public()
+	machinePubKey := tailcfg.MachineKey(machinePrivKey.Public())
 	t0 := time.Now()
-	u := fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.UntypedHexString())
+	u := fmt.Sprintf("%s/machine/%s/map", serverURL, machinePubKey.HexString())

 	req, err := http.NewRequestWithContext(ctx, "POST", u, bytes.NewReader(bodyData))
 	if err != nil {
@@ -734,7 +776,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		vlogf("netmap: read body after %v", time.Since(t0).Round(time.Millisecond))

 		var resp tailcfg.MapResponse
-		if err := c.decodeMsg(msg, &resp, machinePrivKey); err != nil {
+		if err := c.decodeMsg(msg, &resp, &machinePrivKey); err != nil {
 			vlogf("netmap: decode error: %v")
 			return err
 		}
@@ -788,6 +830,28 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 			return errors.New("MapResponse lacked node")
 		}

+		// Temporarily (2020-06-29) support removing all but
+		// discovery-supporting nodes during development, for
+		// less noise.
+		if Debug.OnlyDisco {
+			anyOld, numDisco := false, 0
+			for _, p := range nm.Peers {
+				if p.DiscoKey.IsZero() {
+					anyOld = true
+				} else {
+					numDisco++
+				}
+			}
+			if anyOld {
+				filtered := make([]*tailcfg.Node, 0, numDisco)
+				for _, p := range nm.Peers {
+					if !p.DiscoKey.IsZero() {
+						filtered = append(filtered, p)
+					}
+				}
+				nm.Peers = filtered
+			}
+		}
 		if Debug.StripEndpoints {
 			for _, p := range resp.Peers {
 				// We need at least one endpoint here for now else
@@ -801,21 +865,22 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 		}

 		// Get latest localPort. This might've changed if
-		// a lite map update occurred meanwhile. This only affects
+		// a lite map update occured meanwhile. This only affects
 		// the end-to-end test.
 		// TODO(bradfitz): remove the NetworkMap.LocalPort field entirely.
 		c.mu.Lock()
 		nm.LocalPort = c.localPort
 		c.mu.Unlock()

-		// Occasionally print the netmap header.
-		// This is handy for debugging, and our logs processing
-		// pipeline depends on it. (TODO: Remove this dependency.)
-		// Code elsewhere prints netmap diffs every time they are received.
+		// Printing the netmap can be extremely verbose, but is very
+		// handy for debugging. Let's limit how often we do it.
+		// Code elsewhere prints netmap diffs every time, so this
+		// occasional full dump, plus incremental diffs, should do
+		// the job.
 		now := c.timeNow()
 		if now.Sub(c.lastPrintMap) >= 5*time.Minute {
 			c.lastPrintMap = now
-			c.logf("[v1] new network map[%d]:\n%s", i, nm.VeryConcise())
+			c.logf("[v1] new network map[%d]:\n%s", i, nm.Concise())
 		}

 		c.mu.Lock()
@@ -830,7 +895,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, cb func(*netm
 	return nil
 }

-func decode(res *http.Response, v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate) error {
+func decode(res *http.Response, v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) error {
 	defer res.Body.Close()
 	msg, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<20))
 	if err != nil {
@@ -849,14 +914,14 @@ var (

 var jsonEscapedZero = []byte(`\u0000`)

-func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey key.MachinePrivate) error {
+func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey *wgkey.Private) error {
 	c.mu.Lock()
 	serverKey := c.serverKey
 	c.mu.Unlock()

-	decrypted, ok := machinePrivKey.OpenFrom(serverKey, msg)
-	if !ok {
-		return errors.New("cannot decrypt response")
+	decrypted, err := decryptMsg(msg, &serverKey, machinePrivKey)
+	if err != nil {
+		return err
 	}
 	var b []byte
 	if c.newDecompressor == nil {
@@ -888,10 +953,10 @@ func (c *Direct) decodeMsg(msg []byte, v interface{}, machinePrivKey key.Machine

 }

-func decodeMsg(msg []byte, v interface{}, serverKey key.MachinePublic, machinePrivKey key.MachinePrivate) error {
-	decrypted, ok := machinePrivKey.OpenFrom(serverKey, msg)
-	if !ok {
-		return errors.New("cannot decrypt response")
+func decodeMsg(msg []byte, v interface{}, serverKey *wgkey.Key, machinePrivKey *wgkey.Private) error {
+	decrypted, err := decryptMsg(msg, serverKey, machinePrivKey)
+	if err != nil {
+		return err
 	}
 	if bytes.Contains(decrypted, jsonEscapedZero) {
 		log.Printf("[unexpected] zero byte in controlclient decodeMsg into %T: %q", v, decrypted)
@@ -902,7 +967,23 @@ func decodeMsg(msg []byte, v interface{}, serverKey key.MachinePublic, machinePr
 	return nil
 }

-func encode(v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate) ([]byte, error) {
+func decryptMsg(msg []byte, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte, error) {
+	var nonce [24]byte
+	if len(msg) < len(nonce)+1 {
+		return nil, fmt.Errorf("response missing nonce, len=%d", len(msg))
+	}
+	copy(nonce[:], msg)
+	msg = msg[len(nonce):]
+
+	pub, pri := (*[32]byte)(serverKey), (*[32]byte)(mkey)
+	decrypted, ok := box.Open(nil, msg, &nonce, pub, pri)
+	if !ok {
+		return nil, fmt.Errorf("cannot decrypt response (len %d + nonce %d = %d)", len(msg), len(nonce), len(msg)+len(nonce))
+	}
+	return decrypted, nil
+}
+
+func encode(v interface{}, serverKey *wgkey.Key, mkey *wgkey.Private) ([]byte, error) {
 	b, err := json.Marshal(v)
 	if err != nil {
 		return nil, err
@@ -912,32 +993,38 @@ func encode(v interface{}, serverKey key.MachinePublic, mkey key.MachinePrivate)
 			log.Printf("MapRequest: %s", b)
 		}
 	}
-	return mkey.SealTo(serverKey, b), nil
+	var nonce [24]byte
+	if _, err := io.ReadFull(rand.Reader, nonce[:]); err != nil {
+		panic(err)
+	}
+	pub, pri := (*[32]byte)(serverKey), (*[32]byte)(mkey)
+	msg := box.Seal(nonce[:], b, &nonce, pub, pri)
+	return msg, nil
 }

-func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (key.MachinePublic, error) {
+func loadServerKey(ctx context.Context, httpc *http.Client, serverURL string) (wgkey.Key, error) {
 	req, err := http.NewRequest("GET", serverURL+"/key", nil)
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("create control key request: %v", err)
+		return wgkey.Key{}, fmt.Errorf("create control key request: %v", err)
 	}
 	req = req.WithContext(ctx)
 	res, err := httpc.Do(req)
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %v", err)
+		return wgkey.Key{}, fmt.Errorf("fetch control key: %v", err)
 	}
 	defer res.Body.Close()
 	b, err := ioutil.ReadAll(io.LimitReader(res.Body, 1<<16))
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key response: %v", err)
+		return wgkey.Key{}, fmt.Errorf("fetch control key response: %v", err)
 	}
 	if res.StatusCode != 200 {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %d: %s", res.StatusCode, string(b))
+		return wgkey.Key{}, fmt.Errorf("fetch control key: %d: %s", res.StatusCode, string(b))
 	}
-	k, err := key.ParseMachinePublicUntyped(mem.B(b))
+	key, err := wgkey.ParseHex(string(b))
 	if err != nil {
-		return key.MachinePublic{}, fmt.Errorf("fetch control key: %v", err)
+		return wgkey.Key{}, fmt.Errorf("fetch control key: %v", err)
 	}
-	return k, nil
+	return key, nil
 }

 // Debug contains temporary internal-only debug knobs.
@@ -947,18 +1034,21 @@ var Debug = initDebug()
 type debug struct {
 	NetMap         bool
 	ProxyDNS       bool
+	OnlyDisco      bool
 	Disco          bool
 	StripEndpoints bool // strip endpoints from control (only use disco messages)
 	StripCaps      bool // strip all local node's control-provided capabilities
 }

 func initDebug() debug {
+	use := os.Getenv("TS_DEBUG_USE_DISCO")
 	return debug{
 		NetMap:         envBool("TS_DEBUG_NETMAP"),
 		ProxyDNS:       envBool("TS_DEBUG_PROXY_DNS"),
 		StripEndpoints: envBool("TS_DEBUG_STRIP_ENDPOINTS"),
 		StripCaps:      envBool("TS_DEBUG_STRIP_CAPS"),
-		Disco:          os.Getenv("TS_DEBUG_USE_DISCO") == "" || envBool("TS_DEBUG_USE_DISCO"),
+		OnlyDisco:      use == "only",
+		Disco:          use == "only" || use == "" || envBool("TS_DEBUG_USE_DISCO"),
 	}
 }

@@ -1185,13 +1275,13 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 		return errors.New("getMachinePrivKey returned zero key")
 	}

-	bodyData, err := encode(req, serverKey, machinePrivKey)
+	bodyData, err := encode(req, &serverKey, &machinePrivKey)
 	if err != nil {
 		return err
 	}
 	body := bytes.NewReader(bodyData)

-	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().UntypedHexString())
+	u := fmt.Sprintf("%s/machine/%s/set-dns", c.serverURL, machinePrivKey.Public().HexString())
 	hreq, err := http.NewRequestWithContext(ctx, "POST", u, body)
 	if err != nil {
 		return err
@@ -1206,66 +1296,10 @@ func (c *Direct) SetDNS(ctx context.Context, req *tailcfg.SetDNSRequest) error {
 		return fmt.Errorf("set-dns response: %v, %.200s", res.Status, strings.TrimSpace(string(msg)))
 	}
 	var setDNSRes struct{} // no fields yet
-	if err := decode(res, &setDNSRes, serverKey, machinePrivKey); err != nil {
+	if err := decode(res, &setDNSRes, &serverKey, &machinePrivKey); err != nil {
 		c.logf("error decoding SetDNSResponse with server key %s and machine key %s: %v", serverKey, machinePrivKey.Public(), err)
 		return fmt.Errorf("set-dns-response: %v", err)
 	}

 	return nil
 }
-
-// tsmpPing sends a Ping to pr.IP, and sends an http request back to pr.URL
-// with ping response data.
-func tsmpPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pinger Pinger) error {
-	var err error
-	if pr.URL == "" {
-		return errors.New("invalid PingRequest with no URL")
-	}
-	if pr.IP.IsZero() {
-		return errors.New("PingRequest without IP")
-	}
-	if !strings.Contains(pr.Types, "TSMP") {
-		return fmt.Errorf("PingRequest with no TSMP in Types, got %q", pr.Types)
-	}
-
-	now := time.Now()
-	pinger.Ping(pr.IP, true, func(res *ipnstate.PingResult) {
-		// Currently does not check for error since we just return if it fails.
-		err = postPingResult(now, logf, c, pr, res)
-	})
-	return err
-}
-
-func postPingResult(now time.Time, logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, res *ipnstate.PingResult) error {
-	if res.Err != "" {
-		return errors.New(res.Err)
-	}
-	duration := time.Since(now)
-	if pr.Log {
-		logf("TSMP ping to %v completed in %v seconds. pinger.Ping took %v seconds", pr.IP, res.LatencySeconds, duration.Seconds())
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-	defer cancel()
-
-	jsonPingRes, err := json.Marshal(res)
-	if err != nil {
-		return err
-	}
-	// Send the results of the Ping, back to control URL.
-	req, err := http.NewRequestWithContext(ctx, "POST", pr.URL, bytes.NewBuffer(jsonPingRes))
-	if err != nil {
-		return fmt.Errorf("http.NewRequestWithContext(%q): %w", pr.URL, err)
-	}
-	if pr.Log {
-		logf("tsmpPing: sending ping results to %v ...", pr.URL)
-	}
-	t0 := time.Now()
-	_, err = c.Do(req)
-	d := time.Since(t0).Round(time.Millisecond)
-	if err != nil {
-		return fmt.Errorf("tsmpPing error: %w to %v (after %v)", err, pr.URL, d)
-	} else if pr.Log {
-		logf("tsmpPing complete to %v (after %v)", pr.URL, d)
-	}
-	return nil
-}
--- a/control/controlclient/direct_test.go
+++ b/control/controlclient/direct_test.go
@@ -6,29 +6,27 @@ package controlclient

 import (
 	"encoding/json"
-	"net/http"
-	"net/http/httptest"
 	"testing"
-	"time"

 	"inet.af/netaddr"
-	"tailscale.com/hostinfo"
-	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
+	"tailscale.com/types/wgkey"
 )

 func TestNewDirect(t *testing.T) {
-	hi := hostinfo.New()
+	hi := NewHostinfo()
 	ni := tailcfg.NetInfo{LinkType: "wired"}
 	hi.NetInfo = &ni

-	k := key.NewMachine()
+	key, err := wgkey.NewPrivate()
+	if err != nil {
+		t.Error(err)
+	}
 	opts := Options{
 		ServerURL: "https://example.com",
 		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
-			return k, nil
+		GetMachinePrivateKey: func() (wgkey.Private, error) {
+			return key, nil
 		},
 	}
 	c, err := NewDirect(opts)
@@ -58,7 +56,7 @@ func TestNewDirect(t *testing.T) {
 	if changed {
 		t.Errorf("c.SetHostinfo(hi) want false got %v", changed)
 	}
-	hi = hostinfo.New()
+	hi = NewHostinfo()
 	hi.Hostname = "different host name"
 	changed = c.SetHostinfo(hi)
 	if !changed {
@@ -94,52 +92,14 @@ func fakeEndpoints(ports ...uint16) (ret []tailcfg.Endpoint) {
 	return
 }

-func TestTsmpPing(t *testing.T) {
-	hi := hostinfo.New()
-	ni := tailcfg.NetInfo{LinkType: "wired"}
-	hi.NetInfo = &ni
-
-	k := key.NewMachine()
-	opts := Options{
-		ServerURL: "https://example.com",
-		Hostinfo:  hi,
-		GetMachinePrivateKey: func() (key.MachinePrivate, error) {
-			return k, nil
-		},
+func TestNewHostinfo(t *testing.T) {
+	hi := NewHostinfo()
+	if hi == nil {
+		t.Fatal("no Hostinfo")
 	}
-
-	c, err := NewDirect(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	pingRes := &ipnstate.PingResult{
-		IP:       "123.456.7890",
-		Err:      "",
-		NodeName: "testnode",
-	}
-
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		defer r.Body.Close()
-		body := new(ipnstate.PingResult)
-		if err := json.NewDecoder(r.Body).Decode(body); err != nil {
-			t.Fatal(err)
-		}
-		if pingRes.IP != body.IP {
-			t.Fatalf("PingResult did not have the correct IP : got %v, expected : %v", body.IP, pingRes.IP)
-		}
-		w.WriteHeader(200)
-	}))
-	defer ts.Close()
-
-	now := time.Now()
-
-	pr := &tailcfg.PingRequest{
-		URL: ts.URL,
-	}
-
-	err = postPingResult(now, t.Logf, c.httpc, pr, pingRes)
+	j, err := json.MarshalIndent(hi, "  ", "")
 	if err != nil {
 		t.Fatal(err)
 	}
+	t.Logf("Got: %s", j)
 }
--- a/control/controlclient/hostinfo_linux.go
+++ b/control/controlclient/hostinfo_linux.go
@@ -2,31 +2,24 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build linux && !android
 // +build linux,!android

-package hostinfo
+package controlclient

 import (
 	"bytes"
 	"fmt"
 	"io/ioutil"
-	"os"
 	"strings"
 	"syscall"

+	"tailscale.com/hostinfo"
 	"tailscale.com/util/lineread"
 	"tailscale.com/version/distro"
 )

 func init() {
 	osVersion = osVersionLinux
-
-	if v, _ := os.ReadFile("/sys/firmware/devicetree/base/model"); len(v) > 0 {
-		// Look up "Raspberry Pi 4 Model B Rev 1.2",
-		// etc. Usually set on ARM SBCs.
-		SetDeviceModel(strings.Trim(string(v), "\x00\r\n\t "))
-	}
 }

 func osVersionLinux() string {
@@ -61,10 +54,10 @@ func osVersionLinux() string {
 		}
 		attrBuf.WriteByte(byte(b))
 	}
-	if inContainer() {
+	if hostinfo.InContainer() {
 		attrBuf.WriteString("; container")
 	}
-	if env := GetEnvType(); env != "" {
+	if env := hostinfo.GetEnvType(); env != "" {
 		fmt.Fprintf(&attrBuf, "; env=%s", env)
 	}
 	attr := attrBuf.String()
--- a/control/controlclient/hostinfo_windows.go
+++ b/control/controlclient/hostinfo_windows.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-package hostinfo
+package controlclient

 import (
 	"os/exec"
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -12,7 +12,6 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/wgkey"
@@ -32,7 +31,7 @@ type mapSession struct {
 	privateNodeKey         wgkey.Private
 	logf                   logger.Logf
 	vlogf                  logger.Logf
-	machinePubKey          key.MachinePublic
+	machinePubKey          tailcfg.MachineKey
 	keepSharerAndUserSplit bool // see Options.KeepSharerAndUserSplit

 	// Fields storing state over the the coards of multiple MapResponses.
@@ -44,7 +43,6 @@ type mapSession struct {
 	collectServices        bool
 	previousPeers          []*tailcfg.Node // for delta-purposes
 	lastDomain             string
-	lastHealth             []string

 	// netMapBuilding is non-nil during a netmapForResponse call,
 	// containing the value to be returned, once fully populated.
@@ -106,9 +104,6 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 	if resp.Domain != "" {
 		ms.lastDomain = resp.Domain
 	}
-	if resp.Health != nil {
-		ms.lastHealth = resp.Health
-	}

 	nm := &netmap.NetworkMap{
 		NodeKey:         tailcfg.NodeKey(ms.privateNodeKey.Public()),
@@ -122,7 +117,6 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		CollectServices: ms.collectServices,
 		DERPMap:         ms.lastDERPMap,
 		Debug:           resp.Debug,
-		ControlHealth:   ms.lastHealth,
 	}
 	ms.netMapBuilding = nm

--- a/control/controlclient/sign.go
+++ b/control/controlclient/sign.go
@@ -10,34 +10,22 @@ import (
 	"fmt"
 	"time"

-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
+	"tailscale.com/types/wgkey"
 )

 var (
-	errNoCertStore                 = errors.New("no certificate store")
-	errCertificateNotConfigured    = errors.New("no certificate subject configured")
-	errUnsupportedSignatureVersion = errors.New("unsupported signature version")
+	errNoCertStore              = errors.New("no certificate store")
+	errCertificateNotConfigured = errors.New("no certificate subject configured")
 )

 // HashRegisterRequest generates the hash required sign or verify a
-// tailcfg.RegisterRequest.
-func HashRegisterRequest(
-	version tailcfg.SignatureType, ts time.Time, serverURL string, deviceCert []byte,
-	serverPubKey, machinePubKey key.MachinePublic) ([]byte, error) {
+// tailcfg.RegisterRequest with tailcfg.SignatureV1.
+func HashRegisterRequest(ts time.Time, serverURL string, deviceCert []byte, serverPubKey, machinePubKey wgkey.Key) []byte {
 	h := crypto.SHA256.New()

 	// hash.Hash.Write never returns an error, so we don't check for one here.
-	switch version {
-	case tailcfg.SignatureV1:
-		fmt.Fprintf(h, "%s%s%s%s%s",
-			ts.UTC().Format(time.RFC3339), serverURL, deviceCert, serverPubKey.ShortString(), machinePubKey.ShortString())
-	case tailcfg.SignatureV2:
-		fmt.Fprintf(h, "%s%s%s%s%s",
-			ts.UTC().Format(time.RFC3339), serverURL, deviceCert, serverPubKey, machinePubKey)
-	default:
-		return nil, errUnsupportedSignatureVersion
-	}
+	fmt.Fprintf(h, "%s%s%s%s%s",
+		ts.UTC().Format(time.RFC3339), serverURL, deviceCert, serverPubKey, machinePubKey)

-	return h.Sum(nil), nil
+	return h.Sum(nil)
 }
--- a/control/controlclient/sign_supported.go
+++ b/control/controlclient/sign_supported.go
@@ -2,7 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build windows && cgo
 // +build windows,cgo

 // darwin,cgo is also supported by certstore but machineCertificateSubject will
@@ -21,7 +20,7 @@ import (

 	"github.com/tailscale/certstore"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
+	"tailscale.com/types/wgkey"
 	"tailscale.com/util/winutil"
 )

@@ -125,7 +124,7 @@ func findIdentity(subject string, st certstore.Store) (certstore.Identity, []*x5
 // using that identity's public key. In addition to the signature, the full
 // certificate chain is included so that the control server can validate the
 // certificate from a copy of the root CA's certificate.
-func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) (err error) {
+func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey wgkey.Key) (err error) {
 	defer func() {
 		if err != nil {
 			err = fmt.Errorf("signRegisterRequest: %w", err)
@@ -167,11 +166,7 @@ func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverP
 		req.DeviceCert = append(req.DeviceCert, c.Raw...)
 	}

-	req.SignatureType = tailcfg.SignatureV2
-	h, err := HashRegisterRequest(req.SignatureType, req.Timestamp.UTC(), serverURL, req.DeviceCert, serverPubKey, machinePubKey)
-	if err != nil {
-		return fmt.Errorf("hash: %w", err)
-	}
+	h := HashRegisterRequest(req.Timestamp.UTC(), serverURL, req.DeviceCert, serverPubKey, machinePubKey)

 	req.Signature, err = signer.Sign(nil, h, &rsa.PSSOptions{
 		SaltLength: rsa.PSSSaltLengthEqualsHash,
@@ -180,6 +175,7 @@ func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverP
 	if err != nil {
 		return fmt.Errorf("sign: %w", err)
 	}
+	req.SignatureType = tailcfg.SignatureV1

 	return nil
 }
--- a/control/controlclient/sign_unsupported.go
+++ b/control/controlclient/sign_unsupported.go
@@ -2,17 +2,16 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build !windows || !cgo
 // +build !windows !cgo

 package controlclient

 import (
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
+	"tailscale.com/types/wgkey"
 )

 // signRegisterRequest on non-supported platforms always returns errNoCertStore.
-func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey key.MachinePublic) error {
+func signRegisterRequest(req *tailcfg.RegisterRequest, serverURL string, serverPubKey, machinePubKey wgkey.Key) error {
 	return errNoCertStore
 }
--- a/derp/derp.go
+++ b/derp/derp.go
@@ -101,20 +101,6 @@ const (

 	framePing = frameType(0x12) // 8 byte ping payload, to be echoed back in framePong
 	framePong = frameType(0x13) // 8 byte payload, the contents of the ping being replied to
-
-	// frameHealth is sent from server to client to tell the client
-	// if their connection is unhealthy somehow. Currently the only unhealthy state
-	// is whether the connection is detected as a duplicate.
-	// The entire frame body is the text of the error message. An empty message
-	// clears the error state.
-	frameHealth = frameType(0x14)
-
-	// frameRestarting is sent from server to client for the
-	// server to declare that it's restarting. Payload is two big
-	// endian uint32 durations in milliseconds: when to reconnect,
-	// and how long to try total. See ServerRestartingMessage docs for
-	// more details on how the client should interpret them.
-	frameRestarting = frameType(0x15)
 )

 var bin = binary.BigEndian
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -7,7 +7,6 @@ package derp
 import (
 	"bufio"
 	crand "crypto/rand"
-	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -16,7 +15,6 @@ import (
 	"time"

 	"golang.org/x/crypto/nacl/box"
-	"golang.org/x/time/rate"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -33,9 +31,8 @@ type Client struct {
 	canAckPings bool
 	isProber    bool

-	wmu  sync.Mutex // hold while writing to bw
-	bw   *bufio.Writer
-	rate *rate.Limiter // if non-nil, rate limiter to use
+	wmu sync.Mutex // hold while writing to bw
+	bw  *bufio.Writer

 	// Owned by Recv:
 	peeked  int   // bytes to discard on next Recv
@@ -219,12 +216,7 @@ func (c *Client) send(dstKey key.Public, pkt []byte) (ret error) {

 	c.wmu.Lock()
 	defer c.wmu.Unlock()
-	if c.rate != nil {
-		pktLen := frameHeaderLen + len(dstKey) + len(pkt)
-		if !c.rate.AllowN(time.Now(), pktLen) {
-			return nil // drop
-		}
-	}
+
 	if err := writeFrameHeader(c.bw, frameSendPacket, uint32(len(dstKey)+len(pkt))); err != nil {
 		return err
 	}
@@ -360,22 +352,7 @@ type PeerPresentMessage key.Public
 func (PeerPresentMessage) msg() {}

 // ServerInfoMessage is sent by the server upon first connect.
-type ServerInfoMessage struct {
-	// TokenBucketBytesPerSecond is how many bytes per second the
-	// server says it will accept, including all framing bytes.
-	//
-	// Zero means unspecified. There might be a limit, but the
-	// client need not try to respect it.
-	TokenBucketBytesPerSecond int
-
-	// TokenBucketBytesBurst is how many bytes the server will
-	// allow to burst, temporarily violating
-	// TokenBucketBytesPerSecond.
-	//
-	// Zero means unspecified. There might be a limit, but the
-	// client need not try to respect it.
-	TokenBucketBytesBurst int
-}
+type ServerInfoMessage struct{}

 func (ServerInfoMessage) msg() {}

@@ -392,40 +369,6 @@ type KeepAliveMessage struct{}

 func (KeepAliveMessage) msg() {}

-// HealthMessage is a one-way message from server to client, declaring the
-// connection health state.
-type HealthMessage struct {
-	// Problem, if non-empty, is a description of why the connection
-	// is unhealthy.
-	//
-	// The empty string means the connection is healthy again.
-	//
-	// The default condition is healthy, so the server doesn't
-	// broadcast a HealthMessage until a problem exists.
-	Problem string
-}
-
-func (HealthMessage) msg() {}
-
-// ServerRestartingMessage is a one-way message from server to client,
-// advertising that the server is restarting.
-type ServerRestartingMessage struct {
-	// ReconnectIn is an advisory duration that the client should wait
-	// before attempting to reconnect. It might be zero.
-	// It exists for the server to smear out the reconnects.
-	ReconnectIn time.Duration
-
-	// TryFor is an advisory duration for how long the client
-	// should attempt to reconnect before giving up and proceeding
-	// with its normal connection failure logic. The interval
-	// between retries is undefined for now.
-	// A server should not send a TryFor duration more than a few
-	// seconds.
-	TryFor time.Duration
-}
-
-func (ServerRestartingMessage) msg() {}
-
 // Recv reads a message from the DERP server.
 //
 // The returned message may alias memory owned by the Client; it
@@ -497,16 +440,12 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			// needing to wait an RTT to discover the version at startup.
 			// We'd prefer to give the connection to the client (magicsock)
 			// to start writing as soon as possible.
-			si, err := c.parseServerInfo(b)
+			_, err := c.parseServerInfo(b)
 			if err != nil {
 				return nil, fmt.Errorf("invalid server info frame: %v", err)
 			}
-			sm := ServerInfoMessage{
-				TokenBucketBytesPerSecond: si.TokenBucketBytesPerSecond,
-				TokenBucketBytesBurst:     si.TokenBucketBytesBurst,
-			}
-			c.setSendRateLimiter(sm)
-			return sm, nil
+			// TODO: add the results of parseServerInfo to ServerInfoMessage if we ever need it.
+			return ServerInfoMessage{}, nil
 		case frameKeepAlive:
 			// A one-way keep-alive message that doesn't require an acknowledgement.
 			// This predated framePing/framePong.
@@ -547,32 +486,6 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			}
 			copy(pm[:], b[:])
 			return pm, nil
-
-		case frameHealth:
-			return HealthMessage{Problem: string(b[:])}, nil
-
-		case frameRestarting:
-			var m ServerRestartingMessage
-			if n < 8 {
-				c.logf("[unexpected] dropping short server restarting frame")
-				continue
-			}
-			m.ReconnectIn = time.Duration(binary.BigEndian.Uint32(b[0:4])) * time.Millisecond
-			m.TryFor = time.Duration(binary.BigEndian.Uint32(b[4:8])) * time.Millisecond
-			return m, nil
 		}
 	}
 }
-
-func (c *Client) setSendRateLimiter(sm ServerInfoMessage) {
-	c.wmu.Lock()
-	defer c.wmu.Unlock()
-
-	if sm.TokenBucketBytesPerSecond == 0 {
-		c.rate = nil
-	} else {
-		c.rate = rate.NewLimiter(
-			rate.Limit(sm.TokenBucketBytesPerSecond),
-			sm.TokenBucketBytesBurst)
-	}
-}
--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -41,10 +41,8 @@ import (
 	"tailscale.com/client/tailscale"
 	"tailscale.com/disco"
 	"tailscale.com/metrics"
-	"tailscale.com/syncs"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/pad32"
 	"tailscale.com/version"
 )

@@ -78,20 +76,12 @@ const (
 	writeTimeout            = 2 * time.Second
 )

-// dupPolicy is a temporary (2021-08-30) mechanism to change the policy
-// of how duplicate connection for the same key are handled.
-type dupPolicy int8
+const host64bit = (^uint(0) >> 32) & 1 // 1 on 64-bit, 0 on 32-bit

-const (
-	// lastWriterIsActive is a dupPolicy where the connection
-	// to send traffic for a peer is the active one.
-	lastWriterIsActive dupPolicy = iota
-
-	// disableFighters is a dupPolicy that detects if peers
-	// are trying to send interleaved with each other and
-	// then disables all of them.
-	disableFighters
-)
+// pad32bit is 4 on 32-bit machines and 0 on 64-bit.
+// It exists so the Server struct's atomic fields can be aligned to 8
+// byte boundaries. (As tested by GOARCH=386 go test, etc)
+const pad32bit = 4 - host64bit*4 // 0 on 64-bit, 4 on 32-bit

 // Server is a DERP server.
 type Server struct {
@@ -106,31 +96,31 @@ type Server struct {
 	meshKey     string
 	limitedLogf logger.Logf
 	metaCert    []byte // the encoded x509 cert to send after LetsEncrypt cert+intermediate
-	dupPolicy   dupPolicy

 	// Counters:
+	_                            [pad32bit]byte
 	packetsSent, bytesSent       expvar.Int
 	packetsRecv, bytesRecv       expvar.Int
 	packetsRecvByKind            metrics.LabelMap
 	packetsRecvDisco             *expvar.Int
 	packetsRecvOther             *expvar.Int
-	_                            pad32.Four
+	_                            [pad32bit]byte
 	packetsDropped               expvar.Int
 	packetsDroppedReason         metrics.LabelMap
 	packetsDroppedReasonCounters []*expvar.Int // indexed by dropReason
 	packetsDroppedType           metrics.LabelMap
 	packetsDroppedTypeDisco      *expvar.Int
 	packetsDroppedTypeOther      *expvar.Int
-	_                            pad32.Four
+	_                            [pad32bit]byte
 	packetsForwardedOut          expvar.Int
 	packetsForwardedIn           expvar.Int
 	peerGoneFrames               expvar.Int // number of peer gone frames sent
 	accepts                      expvar.Int
 	curClients                   expvar.Int
 	curHomeClients               expvar.Int // ones with preferred
-	dupClientKeys                expvar.Int // current number of public keys we have 2+ connections for
-	dupClientConns               expvar.Int // current number of connections sharing a public key
-	dupClientConnTotal           expvar.Int // total number of accepted connections when a dup key existed
+	clientsReplaced              expvar.Int
+	clientsReplaceLimited        expvar.Int
+	clientsReplaceSleeping       expvar.Int
 	unknownFrames                expvar.Int
 	homeMovesIn                  expvar.Int // established clients announce home server moves in
 	homeMovesOut                 expvar.Int // established clients announce home server moves out
@@ -146,7 +136,7 @@ type Server struct {
 	mu       sync.Mutex
 	closed   bool
 	netConns map[Conn]chan struct{} // chan is closed when conn closes
-	clients  map[key.Public]clientSet
+	clients  map[key.Public]*sclient
 	watchers map[*sclient]bool // mesh peer -> true
 	// clientsMesh tracks all clients in the cluster, both locally
 	// and to mesh peers.  If the value is nil, that means the
@@ -164,115 +154,9 @@ type Server struct {
 	keyOfAddr map[netaddr.IPPort]key.Public
 }

-// clientSet represents 1 or more *sclients.
-//
-// The two implementations are singleClient and *dupClientSet.
-//
-// In the common case, client should only have one connection to the
-// DERP server for a given key. When they're connected multiple times,
-// we record their set of connections in dupClientSet and keep their
-// connections open to make them happy (to keep them from spinning,
-// etc) and keep track of which is the latest connection. If only the last
-// is sending traffic, that last one is the active connection and it
-// gets traffic.  Otherwise, in the case of a cloned node key, the
-// whole set of dups doesn't receive data frames.
-//
-// All methods should only be called while holding Server.mu.
-//
-// TODO(bradfitz): Issue 2746: in the future we'll send some sort of
-// "health_error" frame to them that'll communicate to the end users
-// that they cloned a device key, and we'll also surface it in the
-// admin panel, etc.
-type clientSet interface {
-	// ActiveClient returns the most recently added client to
-	// the set, as long as it hasn't been disabled, in which
-	// case it returns nil.
-	ActiveClient() *sclient
-
-	// Len returns the number of clients in the set.
-	Len() int
-
-	// ForeachClient calls f for each client in the set.
-	ForeachClient(f func(*sclient))
-}
-
-// singleClient is a clientSet of a single connection.
-// This is the common case.
-type singleClient struct{ c *sclient }
-
-func (s singleClient) ActiveClient() *sclient         { return s.c }
-func (s singleClient) Len() int                       { return 1 }
-func (s singleClient) ForeachClient(f func(*sclient)) { f(s.c) }
-
-// A dupClientSet is a clientSet of more than 1 connection.
-//
-// This can occur in some reasonable cases (temporarily while users
-// are changing networks) or in the case of a cloned key. In the
-// cloned key case, both peers are speaking and the clients get
-// disabled.
-//
-// All fields are guarded by Server.mu.
-type dupClientSet struct {
-	// set is the set of connected clients for sclient.key.
-	// The values are all true.
-	set map[*sclient]bool
-
-	// last is the most recent addition to set, or nil if the most
-	// recent one has since disconnected and nobody else has send
-	// data since.
-	last *sclient
-
-	// sendHistory is a log of which members of set have sent
-	// frames to the derp server, with adjacent duplicates
-	// removed. When a member of set is removed, the same
-	// element(s) are removed from sendHistory.
-	sendHistory []*sclient
-}
-
-func (s *dupClientSet) ActiveClient() *sclient {
-	if s.last != nil && !s.last.isDisabled.Get() {
-		return s.last
-	}
-	return nil
-}
-func (s *dupClientSet) Len() int { return len(s.set) }
-func (s *dupClientSet) ForeachClient(f func(*sclient)) {
-	for c := range s.set {
-		f(c)
-	}
-}
-
-// removeClient removes c from s and reports whether it was in s
-// to begin with.
-func (s *dupClientSet) removeClient(c *sclient) bool {
-	n := len(s.set)
-	delete(s.set, c)
-	if s.last == c {
-		s.last = nil
-	}
-	if len(s.set) == n {
-		return false
-	}
-
-	trim := s.sendHistory[:0]
-	for _, v := range s.sendHistory {
-		if s.set[v] && (len(trim) == 0 || trim[len(trim)-1] != v) {
-			trim = append(trim, v)
-		}
-	}
-	for i := len(trim); i < len(s.sendHistory); i++ {
-		s.sendHistory[i] = nil
-	}
-	s.sendHistory = trim
-	if s.last == nil && len(s.sendHistory) > 0 {
-		s.last = s.sendHistory[len(s.sendHistory)-1]
-	}
-	return true
-}
-
 // PacketForwarder is something that can forward packets.
 //
-// It's mostly an interface for circular dependency reasons; the
+// It's mostly an inteface for circular dependency reasons; the
 // typical implementation is derphttp.Client. The other implementation
 // is a multiForwarder, which this package creates as needed if a
 // public key gets more than one PacketForwarder registered for it.
@@ -306,7 +190,7 @@ func NewServer(privateKey key.Private, logf logger.Logf) *Server {
 		packetsRecvByKind:    metrics.LabelMap{Label: "kind"},
 		packetsDroppedReason: metrics.LabelMap{Label: "reason"},
 		packetsDroppedType:   metrics.LabelMap{Label: "type"},
-		clients:              map[key.Public]clientSet{},
+		clients:              map[key.Public]*sclient{},
 		clientsMesh:          map[key.Public]PacketForwarder{},
 		netConns:             map[Conn]chan struct{}{},
 		memSys0:              ms.Sys,
@@ -466,48 +350,39 @@ func (s *Server) MetaCert() []byte { return s.metaCert }

 // registerClient notes that client c is now authenticated and ready for packets.
 //
-// If c.key is connected more than once, the earlier connection(s) are
-// placed in a non-active state where we read from them (primarily to
-// observe EOFs/timeouts) but won't send them frames on the assumption
-// that they're dead.
-func (s *Server) registerClient(c *sclient) {
+// If c's public key was already connected with a different
+// connection, the prior one is closed, unless it's fighting rapidly
+// with another client with the same key, in which case the returned
+// ok is false, and the caller should wait the provided duration
+// before trying again.
+func (s *Server) registerClient(c *sclient) (ok bool, d time.Duration) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-
-	set := s.clients[c.key]
-	switch set := set.(type) {
-	case nil:
-		s.clients[c.key] = singleClient{c}
-	case singleClient:
-		s.dupClientKeys.Add(1)
-		s.dupClientConns.Add(2) // both old and new count
-		s.dupClientConnTotal.Add(1)
-		old := set.ActiveClient()
-		old.isDup.Set(true)
-		c.isDup.Set(true)
-		s.clients[c.key] = &dupClientSet{
-			last: c,
-			set: map[*sclient]bool{
-				old: true,
-				c:   true,
-			},
-			sendHistory: []*sclient{old},
+	old := s.clients[c.key]
+	if old == nil {
+		c.logf("adding connection")
+	} else {
+		// Take over the old rate limiter, discarding the one
+		// our caller just made.
+		c.replaceLimiter = old.replaceLimiter
+		if rr := c.replaceLimiter.ReserveN(timeNow(), 1); rr.OK() {
+			if d := rr.DelayFrom(timeNow()); d > 0 {
+				s.clientsReplaceLimited.Add(1)
+				return false, d
+			}
 		}
-	case *dupClientSet:
-		s.dupClientConns.Add(1)     // the gauge
-		s.dupClientConnTotal.Add(1) // the counter
-		c.isDup.Set(true)
-		set.set[c] = true
-		set.last = c
-		set.sendHistory = append(set.sendHistory, c)
+		s.clientsReplaced.Add(1)
+		c.logf("adding connection, replacing %s", old.remoteAddr)
+		go old.nc.Close()
 	}
-
+	s.clients[c.key] = c
 	if _, ok := s.clientsMesh[c.key]; !ok {
 		s.clientsMesh[c.key] = nil // just for varz of total users in cluster
 	}
 	s.keyOfAddr[c.remoteIPPort] = c.key
 	s.curClients.Add(1)
 	s.broadcastPeerStateChangeLocked(c.key, true)
+	return true, 0
 }

 // broadcastPeerStateChangeLocked enqueues a message to all watchers
@@ -526,12 +401,8 @@ func (s *Server) broadcastPeerStateChangeLocked(peer key.Public, present bool) {
 func (s *Server) unregisterClient(c *sclient) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-
-	set := s.clients[c.key]
-	switch set := set.(type) {
-	case nil:
-		c.logf("[unexpected]; clients map is empty")
-	case singleClient:
+	cur := s.clients[c.key]
+	if cur == c {
 		c.logf("removing connection")
 		delete(s.clients, c.key)
 		if v, ok := s.clientsMesh[c.key]; ok && v == nil {
@@ -539,28 +410,7 @@ func (s *Server) unregisterClient(c *sclient) {
 			s.notePeerGoneFromRegionLocked(c.key)
 		}
 		s.broadcastPeerStateChangeLocked(c.key, false)
-	case *dupClientSet:
-		if set.removeClient(c) {
-			s.dupClientConns.Add(-1)
-		} else {
-			c.logf("[unexpected]; dup client set didn't shrink")
-		}
-		if set.Len() == 1 {
-			s.dupClientConns.Add(-1) // again; for the original one's
-			s.dupClientKeys.Add(-1)
-			var remain *sclient
-			for remain = range set.set {
-				break
-			}
-			if remain == nil {
-				panic("unexpected nil remain from single element dup set")
-			}
-			remain.isDisabled.Set(false)
-			remain.isDup.Set(false)
-			s.clients[c.key] = singleClient{remain}
-		}
 	}
-
 	if c.canMesh {
 		delete(s.watchers, c)
 	}
@@ -587,15 +437,9 @@ func (s *Server) notePeerGoneFromRegionLocked(key key.Public) {
 	// or move them over to the active client (in case a replaced client
 	// connection is being unregistered).
 	for pubKey, connNum := range s.sentTo[key] {
-		set, ok := s.clients[pubKey]
-		if !ok {
-			continue
+		if peer, ok := s.clients[pubKey]; ok && peer.connNum == connNum {
+			go peer.requestPeerGoneWrite(key)
 		}
-		set.ForeachClient(func(peer *sclient) {
-			if peer.connNum == connNum {
-				go peer.requestPeerGoneWrite(key)
-			}
-		})
 	}
 	delete(s.sentTo, key)
 }
@@ -665,6 +509,12 @@ func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connN
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
 		peerGone:       make(chan key.Public),
 		canMesh:        clientInfo.MeshKey != "" && clientInfo.MeshKey == s.meshKey,
+
+		// Allow kicking out previous connections once a
+		// minute, with a very high burst of 100. Once a
+		// minute is less than the client's 2 minute
+		// inactivity timeout.
+		replaceLimiter: rate.NewLimiter(rate.Every(time.Minute), 100),
 	}

 	if c.canMesh {
@@ -674,7 +524,15 @@ func (s *Server) accept(nc Conn, brw *bufio.ReadWriter, remoteAddr string, connN
 		c.info = *clientInfo
 	}

-	s.registerClient(c)
+	for {
+		ok, d := s.registerClient(c)
+		if ok {
+			break
+		}
+		s.clientsReplaceSleeping.Add(1)
+		timeSleep(d)
+		s.clientsReplaceSleeping.Add(-1)
+	}
 	defer s.unregisterClient(c)

 	err = s.sendServerInfo(c.bw, clientKey)
@@ -718,7 +576,6 @@ func (c *sclient) run(ctx context.Context) error {
 			}
 			return fmt.Errorf("client %x: readFrameHeader: %w", c.key, err)
 		}
-		c.s.noteClientActivity(c)
 		switch ft {
 		case frameNotePreferred:
 			err = c.handleFrameNotePreferred(ft, fl)
@@ -783,15 +640,9 @@ func (c *sclient) handleFrameClosePeer(ft frameType, fl uint32) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()

-	if set, ok := s.clients[targetKey]; ok {
-		if set.Len() == 1 {
-			c.logf("frameClosePeer closing peer %x", targetKey)
-		} else {
-			c.logf("frameClosePeer closing peer %x (%d connections)", targetKey, set.Len())
-		}
-		set.ForeachClient(func(target *sclient) {
-			go target.nc.Close()
-		})
+	if target, ok := s.clients[targetKey]; ok {
+		c.logf("frameClosePeer closing peer %x", targetKey)
+		go target.nc.Close()
 	} else {
 		c.logf("frameClosePeer failed to find peer %x", targetKey)
 	}
@@ -813,25 +664,15 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 	}
 	s.packetsForwardedIn.Add(1)

-	var dstLen int
-	var dst *sclient
-
 	s.mu.Lock()
-	if set, ok := s.clients[dstKey]; ok {
-		dstLen = set.Len()
-		dst = set.ActiveClient()
-	}
+	dst := s.clients[dstKey]
 	if dst != nil {
 		s.notePeerSendLocked(srcKey, dst)
 	}
 	s.mu.Unlock()

 	if dst == nil {
-		reason := dropReasonUnknownDestOnFwd
-		if dstLen > 1 {
-			reason = dropReasonDupClient
-		}
-		s.recordDrop(contents, srcKey, dstKey, reason)
+		s.recordDrop(contents, srcKey, dstKey, dropReasonUnknownDestOnFwd)
 		return nil
 	}

@@ -864,18 +705,12 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 	}

 	var fwd PacketForwarder
-	var dstLen int
-	var dst *sclient
-
 	s.mu.Lock()
-	if set, ok := s.clients[dstKey]; ok {
-		dstLen = set.Len()
-		dst = set.ActiveClient()
-	}
-	if dst != nil {
-		s.notePeerSendLocked(c.key, dst)
-	} else if dstLen < 1 {
+	dst := s.clients[dstKey]
+	if dst == nil {
 		fwd = s.clientsMesh[dstKey]
+	} else {
+		s.notePeerSendLocked(c.key, dst)
 	}
 	s.mu.Unlock()

@@ -888,11 +723,7 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 			}
 			return nil
 		}
-		reason := dropReasonUnknownDest
-		if dstLen > 1 {
-			reason = dropReasonDupClient
-		}
-		s.recordDrop(contents, c.key, dstKey, reason)
+		s.recordDrop(contents, c.key, dstKey, dropReasonUnknownDest)
 		return nil
 	}

@@ -916,7 +747,6 @@ const (
 	dropReasonQueueHead                          // destination queue is full, dropped packet at queue head
 	dropReasonQueueTail                          // destination queue is full, dropped packet at queue tail
 	dropReasonWriteError                         // OS write() failed
-	dropReasonDupClient                          // the public key is connected 2+ times (active/active, fighting)
 )

 func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.Public, reason dropReason) {
@@ -1026,62 +856,8 @@ func (s *Server) sendServerKey(lw *lazyBufioWriter) error {
 	return err
 }

-func (s *Server) noteClientActivity(c *sclient) {
-	if !c.isDup.Get() {
-		// Fast path for clients that aren't in a dup set.
-		return
-	}
-	if c.isDisabled.Get() {
-		// If they're already disabled, no point checking more.
-		return
-	}
-	s.mu.Lock()
-	defer s.mu.Unlock()
-
-	ds, ok := s.clients[c.key].(*dupClientSet)
-	if !ok {
-		// It became unduped in between the isDup fast path check above
-		// and the mutex check. Nothing to do.
-		return
-	}
-
-	if s.dupPolicy == lastWriterIsActive {
-		ds.last = c
-	} else if ds.last == nil {
-		// If we didn't have a primary, let the current
-		// speaker be the primary.
-		ds.last = c
-	}
-
-	if sh := ds.sendHistory; len(sh) != 0 && sh[len(sh)-1] == c {
-		// The client c was the last client to make activity
-		// in this set and it was already recorded. Nothing to
-		// do.
-		return
-	}
-
-	// If we saw this connection send previously, then consider
-	// the group fighting and disable them all.
-	if s.dupPolicy == disableFighters {
-		for _, prior := range ds.sendHistory {
-			if prior == c {
-				ds.ForeachClient(func(c *sclient) {
-					c.isDisabled.Set(true)
-				})
-				break
-			}
-		}
-	}
-
-	// Append this client to the list of clients who spoke last.
-	ds.sendHistory = append(ds.sendHistory, c)
-}
-
 type serverInfo struct {
 	Version int `json:"version,omitempty"`
-
-	TokenBucketBytesPerSecond int `json:",omitempty"`
-	TokenBucketBytesBurst     int `json:",omitempty"`
 }

 func (s *Server) sendServerInfo(bw *lazyBufioWriter, clientKey key.Public) error {
@@ -1209,16 +985,14 @@ type sclient struct {
 	key            key.Public
 	info           clientInfo
 	logf           logger.Logf
-	done           <-chan struct{}  // closed when connection closes
-	remoteAddr     string           // usually ip:port from net.Conn.RemoteAddr().String()
-	remoteIPPort   netaddr.IPPort   // zero if remoteAddr is not ip:port.
-	sendQueue      chan pkt         // packets queued to this client; never closed
-	discoSendQueue chan pkt         // important packets queued to this client; never closed
-	peerGone       chan key.Public  // write request that a previous sender has disconnected (not used by mesh peers)
-	meshUpdate     chan struct{}    // write request to write peerStateChange
-	canMesh        bool             // clientInfo had correct mesh token for inter-region routing
-	isDup          syncs.AtomicBool // whether more than 1 sclient for key is connected
-	isDisabled     syncs.AtomicBool // whether sends to this peer are disabled due to active/active dups
+	done           <-chan struct{} // closed when connection closes
+	remoteAddr     string          // usually ip:port from net.Conn.RemoteAddr().String()
+	remoteIPPort   netaddr.IPPort  // zero if remoteAddr is not ip:port.
+	sendQueue      chan pkt        // packets queued to this client; never closed
+	discoSendQueue chan pkt        // important packets queued to this client; never closed
+	peerGone       chan key.Public // write request that a previous sender has disconnected (not used by mesh peers)
+	meshUpdate     chan struct{}   // write request to write peerStateChange
+	canMesh        bool            // clientInfo had correct mesh token for inter-region routing

 	// replaceLimiter controls how quickly two connections with
 	// the same client key can kick each other off the server by
@@ -1507,7 +1281,7 @@ func (s *Server) AddPacketForwarder(dst key.Public, fwd PacketForwarder) {
 			return
 		}
 		if m, ok := prev.(multiForwarder); ok {
-			if _, ok := m[fwd]; ok {
+			if _, ok := m[fwd]; !ok {
 				// Duplicate registration of same forwarder in set; ignore.
 				return
 			}
@@ -1617,16 +1391,15 @@ func (s *Server) ExpVar() expvar.Var {
 	m := new(metrics.Set)
 	m.Set("gauge_memstats_sys0", expvar.Func(func() interface{} { return int64(s.memSys0) }))
 	m.Set("gauge_watchers", s.expVarFunc(func() interface{} { return len(s.watchers) }))
-	m.Set("gauge_current_file_descriptors", expvar.Func(func() interface{} { return metrics.CurrentFDs() }))
 	m.Set("gauge_current_connections", &s.curClients)
 	m.Set("gauge_current_home_connections", &s.curHomeClients)
 	m.Set("gauge_clients_total", expvar.Func(func() interface{} { return len(s.clientsMesh) }))
 	m.Set("gauge_clients_local", expvar.Func(func() interface{} { return len(s.clients) }))
 	m.Set("gauge_clients_remote", expvar.Func(func() interface{} { return len(s.clientsMesh) - len(s.clients) }))
-	m.Set("gauge_current_dup_client_keys", &s.dupClientKeys)
-	m.Set("gauge_current_dup_client_conns", &s.dupClientConns)
-	m.Set("counter_total_dup_client_conns", &s.dupClientConnTotal)
 	m.Set("accepts", &s.accepts)
+	m.Set("clients_replaced", &s.clientsReplaced)
+	m.Set("clients_replace_limited", &s.clientsReplaceLimited)
+	m.Set("gauge_clients_replace_sleeping", &s.clientsReplaceSleeping)
 	m.Set("bytes_received", &s.bytesRecv)
 	m.Set("bytes_sent", &s.bytesSent)
 	m.Set("packets_dropped", &s.packetsDropped)
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -403,11 +403,8 @@ func TestSendFreeze(t *testing.T) {
 	t.Logf("TEST COMPLETE, cancelling sender")
 	cancel()
 	t.Logf("closing connections")
-	// Close bob before alice.
-	// Starting with alice can cause a PeerGoneMessage to reach
-	// bob before bob is closed, causing a test flake (issue 2668).
-	bobConn.Close()
 	aliceConn.Close()
+	bobConn.Close()
 	cathyConn.Close()

 	for i := 0; i < cap(errCh); i++ {
@@ -665,7 +662,7 @@ func pubAll(b byte) (ret key.Public) {

 func TestForwarderRegistration(t *testing.T) {
 	s := &Server{
-		clients:     make(map[key.Public]clientSet),
+		clients:     make(map[key.Public]*sclient),
 		clientsMesh: map[key.Public]PacketForwarder{},
 	}
 	want := func(want map[key.Public]PacketForwarder) {
@@ -715,7 +712,6 @@ func TestForwarderRegistration(t *testing.T) {
 	// Adding a dup for a user.
 	wantCounter(&s.multiForwarderCreated, 0)
 	s.AddPacketForwarder(u1, testFwd(100))
-	s.AddPacketForwarder(u1, testFwd(100)) // dup to trigger dup path
 	want(map[key.Public]PacketForwarder{
 		u1: multiForwarder{
 			testFwd(1):   1,
@@ -748,7 +744,7 @@ func TestForwarderRegistration(t *testing.T) {
 		key:  u1,
 		logf: logger.Discard,
 	}
-	s.clients[u1] = singleClient{u1c}
+	s.clients[u1] = u1c
 	s.RemovePacketForwarder(u1, testFwd(100))
 	want(map[key.Public]PacketForwarder{
 		u1: nil,
@@ -768,7 +764,7 @@ func TestForwarderRegistration(t *testing.T) {
 	// Now pretend u1 was already connected locally (so clientsMesh[u1] is nil), and then we heard
 	// that they're also connected to a peer of ours. That sholdn't transition the forwarder
 	// from nil to the new one, not a multiForwarder.
-	s.clients[u1] = singleClient{u1c}
+	s.clients[u1] = u1c
 	s.clientsMesh[u1] = nil
 	want(map[key.Public]PacketForwarder{
 		u1: nil,
@@ -817,33 +813,6 @@ func TestClientRecv(t *testing.T) {
 			},
 			want: PingMessage{1, 2, 3, 4, 5, 6, 7, 8},
 		},
-		{
-			name: "health_bad",
-			input: []byte{
-				byte(frameHealth), 0, 0, 0, 3,
-				byte('B'), byte('A'), byte('D'),
-			},
-			want: HealthMessage{Problem: "BAD"},
-		},
-		{
-			name: "health_ok",
-			input: []byte{
-				byte(frameHealth), 0, 0, 0, 0,
-			},
-			want: HealthMessage{},
-		},
-		{
-			name: "server_restarting",
-			input: []byte{
-				byte(frameRestarting), 0, 0, 0, 8,
-				0, 0, 0, 1,
-				0, 0, 0, 2,
-			},
-			want: ServerRestartingMessage{
-				ReconnectIn: 1 * time.Millisecond,
-				TryFor:      2 * time.Millisecond,
-			},
-		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -881,248 +850,125 @@ func TestClientSendPong(t *testing.T) {

 }

-func TestServerDupClients(t *testing.T) {
-	serverPriv := newPrivateKey(t)
-	var s *Server
+func TestServerReplaceClients(t *testing.T) {
+	defer func() {
+		timeSleep = time.Sleep
+		timeNow = time.Now
+	}()

-	clientPriv := newPrivateKey(t)
-	clientPub := clientPriv.Public()
+	var (
+		mu     sync.Mutex
+		now    = time.Unix(123, 0)
+		sleeps int
+		slept  time.Duration
+	)
+	timeSleep = func(d time.Duration) {
+		mu.Lock()
+		defer mu.Unlock()
+		sleeps++
+		slept += d
+		now = now.Add(d)
+	}
+	timeNow = func() time.Time {
+		mu.Lock()
+		defer mu.Unlock()
+		return now
+	}

-	var c1, c2, c3 *sclient
-	var clientName map[*sclient]string
+	serverPrivateKey := newPrivateKey(t)
+	var logger logger.Logf = logger.Discard
+	const debug = false
+	if debug {
+		logger = t.Logf
+	}

-	// run starts a new test case and resets clients back to their zero values.
-	run := func(name string, dupPolicy dupPolicy, f func(t *testing.T)) {
-		s = NewServer(serverPriv, t.Logf)
-		s.dupPolicy = dupPolicy
-		c1 = &sclient{key: clientPub, logf: logger.WithPrefix(t.Logf, "c1: ")}
-		c2 = &sclient{key: clientPub, logf: logger.WithPrefix(t.Logf, "c2: ")}
-		c3 = &sclient{key: clientPub, logf: logger.WithPrefix(t.Logf, "c3: ")}
-		clientName = map[*sclient]string{
-			c1: "c1",
-			c2: "c2",
-			c3: "c3",
+	s := NewServer(serverPrivateKey, logger)
+	defer s.Close()
+
+	priv := newPrivateKey(t)
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer ln.Close()
+
+	connNum := 0
+	connect := func() *Client {
+		connNum++
+		cout, err := net.Dial("tcp", ln.Addr().String())
+		if err != nil {
+			t.Fatal(err)
 		}
-		t.Run(name, f)
+
+		cin, err := ln.Accept()
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		brwServer := bufio.NewReadWriter(bufio.NewReader(cin), bufio.NewWriter(cin))
+		go s.Accept(cin, brwServer, fmt.Sprintf("test-client-%d", connNum))
+
+		brw := bufio.NewReadWriter(bufio.NewReader(cout), bufio.NewWriter(cout))
+		c, err := NewClient(priv, cout, brw, logger)
+		if err != nil {
+			t.Fatalf("client %d: %v", connNum, err)
+		}
+		return c
 	}
-	runBothWays := func(name string, f func(t *testing.T)) {
-		run(name+"_disablefighters", disableFighters, f)
-		run(name+"_lastwriteractive", lastWriterIsActive, f)
-	}
-	wantSingleClient := func(t *testing.T, want *sclient) {
+
+	wantVar := func(v *expvar.Int, want int64) {
 		t.Helper()
-		switch s := s.clients[want.key].(type) {
-		case singleClient:
-			if s.c != want {
-				t.Error("wrong single client")
+		if got := v.Value(); got != want {
+			t.Errorf("got %d; want %d", got, want)
+		}
+	}
+
+	wantClosed := func(c *Client) {
+		t.Helper()
+		for {
+			m, err := c.Recv()
+			if err != nil {
+				t.Logf("got expected error: %v", err)
 				return
 			}
-			if want.isDup.Get() {
-				t.Errorf("unexpected isDup on singleClient")
+			switch m.(type) {
+			case ServerInfoMessage:
+				continue
+			default:
+				t.Fatalf("client got %T; wanted an error", m)
 			}
-			if want.isDisabled.Get() {
-				t.Errorf("unexpected isDisabled on singleClient")
-			}
-		case nil:
-			t.Error("no clients for key")
-		case *dupClientSet:
-			t.Error("unexpected multiple clients for key")
-		}
-	}
-	wantNoClient := func(t *testing.T) {
-		t.Helper()
-		switch s := s.clients[clientPub].(type) {
-		case nil:
-			// Good.
-			return
-		default:
-			t.Errorf("got %T; want empty", s)
-		}
-	}
-	wantDupSet := func(t *testing.T) *dupClientSet {
-		t.Helper()
-		switch s := s.clients[clientPub].(type) {
-		case *dupClientSet:
-			return s
-		default:
-			t.Fatalf("wanted dup set; got %T", s)
-			return nil
-		}
-	}
-	wantActive := func(t *testing.T, want *sclient) {
-		t.Helper()
-		set, ok := s.clients[clientPub]
-		if !ok {
-			t.Error("no set for key")
-			return
-		}
-		got := set.ActiveClient()
-		if got != want {
-			t.Errorf("active client = %q; want %q", clientName[got], clientName[want])
-		}
-	}
-	checkDup := func(t *testing.T, c *sclient, want bool) {
-		t.Helper()
-		if got := c.isDup.Get(); got != want {
-			t.Errorf("client %q isDup = %v; want %v", clientName[c], got, want)
-		}
-	}
-	checkDisabled := func(t *testing.T, c *sclient, want bool) {
-		t.Helper()
-		if got := c.isDisabled.Get(); got != want {
-			t.Errorf("client %q isDisabled = %v; want %v", clientName[c], got, want)
-		}
-	}
-	wantDupConns := func(t *testing.T, want int) {
-		t.Helper()
-		if got := s.dupClientConns.Value(); got != int64(want) {
-			t.Errorf("dupClientConns = %v; want %v", got, want)
-		}
-	}
-	wantDupKeys := func(t *testing.T, want int) {
-		t.Helper()
-		if got := s.dupClientKeys.Value(); got != int64(want) {
-			t.Errorf("dupClientKeys = %v; want %v", got, want)
 		}
 	}

-	// Common case: a single client comes and goes, with no dups.
-	runBothWays("one_comes_and_goes", func(t *testing.T) {
-		wantNoClient(t)
-		s.registerClient(c1)
-		wantSingleClient(t, c1)
-		s.unregisterClient(c1)
-		wantNoClient(t)
-	})
+	c1 := connect()
+	waitConnect(t, c1)
+	c2 := connect()
+	waitConnect(t, c2)
+	wantVar(&s.clientsReplaced, 1)
+	wantClosed(c1)

-	// A still somewhat common case: a single client was
-	// connected and then their wifi dies or laptop closes
-	// or they switch networks and connect from a
-	// different network. They have two connections but
-	// it's not very bad. Only their new one is
-	// active. The last one, being dead, doesn't send and
-	// thus the new one doesn't get disabled.
-	runBothWays("small_overlap_replacement", func(t *testing.T) {
-		wantNoClient(t)
-		s.registerClient(c1)
-		wantSingleClient(t, c1)
-		wantActive(t, c1)
-		wantDupKeys(t, 0)
-		wantDupKeys(t, 0)
+	for i := 0; i < 100+5; i++ {
+		c := connect()
+		defer c.nc.Close()
+		if s.clientsReplaceLimited.Value() == 0 && i < 90 {
+			continue
+		}
+		t.Logf("for %d: replaced=%d, limited=%d, sleeping=%d", i,
+			s.clientsReplaced.Value(),
+			s.clientsReplaceLimited.Value(),
+			s.clientsReplaceSleeping.Value(),
+		)
+	}

-		s.registerClient(c2) // wifi dies; c2 replacement connects
-		wantDupSet(t)
-		wantDupConns(t, 2)
-		wantDupKeys(t, 1)
-		checkDup(t, c1, true)
-		checkDup(t, c2, true)
-		checkDisabled(t, c1, false)
-		checkDisabled(t, c2, false)
-		wantActive(t, c2) // sends go to the replacement
-
-		s.unregisterClient(c1) // c1 finally times out
-		wantSingleClient(t, c2)
-		checkDup(t, c2, false) // c2 is longer a dup
-		wantActive(t, c2)
-		wantDupConns(t, 0)
-		wantDupKeys(t, 0)
-	})
-
-	// Key cloning situation with concurrent clients, both trying
-	// to write.
-	run("concurrent_dups_get_disabled", disableFighters, func(t *testing.T) {
-		wantNoClient(t)
-		s.registerClient(c1)
-		wantSingleClient(t, c1)
-		wantActive(t, c1)
-		s.registerClient(c2)
-		wantDupSet(t)
-		wantDupKeys(t, 1)
-		wantDupConns(t, 2)
-		wantActive(t, c2)
-		checkDup(t, c1, true)
-		checkDup(t, c2, true)
-		checkDisabled(t, c1, false)
-		checkDisabled(t, c2, false)
-
-		s.noteClientActivity(c2)
-		checkDisabled(t, c1, false)
-		checkDisabled(t, c2, false)
-		s.noteClientActivity(c1)
-		checkDisabled(t, c1, true)
-		checkDisabled(t, c2, true)
-		wantActive(t, nil)
-
-		s.registerClient(c3)
-		wantActive(t, c3)
-		checkDisabled(t, c3, false)
-		wantDupKeys(t, 1)
-		wantDupConns(t, 3)
-
-		s.unregisterClient(c3)
-		wantActive(t, nil)
-		wantDupKeys(t, 1)
-		wantDupConns(t, 2)
-
-		s.unregisterClient(c2)
-		wantSingleClient(t, c1)
-		wantDupKeys(t, 0)
-		wantDupConns(t, 0)
-	})
-
-	// Key cloning with an A->B->C->A series instead.
-	run("concurrent_dups_three_parties", disableFighters, func(t *testing.T) {
-		wantNoClient(t)
-		s.registerClient(c1)
-		s.registerClient(c2)
-		s.registerClient(c3)
-		s.noteClientActivity(c1)
-		checkDisabled(t, c1, true)
-		checkDisabled(t, c2, true)
-		checkDisabled(t, c3, true)
-		wantActive(t, nil)
-	})
-
-	run("activity_promotes_primary_when_nil", disableFighters, func(t *testing.T) {
-		wantNoClient(t)
-
-		// Last registered client is the active one...
-		s.registerClient(c1)
-		wantActive(t, c1)
-		s.registerClient(c2)
-		wantActive(t, c2)
-		s.registerClient(c3)
-		s.noteClientActivity(c2)
-		wantActive(t, c3)
-
-		// But if the last one goes away, the one with the
-		// most recent activity wins.
-		s.unregisterClient(c3)
-		wantActive(t, c2)
-	})
-
-	run("concurrent_dups_three_parties_last_writer", lastWriterIsActive, func(t *testing.T) {
-		wantNoClient(t)
-
-		s.registerClient(c1)
-		wantActive(t, c1)
-		s.registerClient(c2)
-		wantActive(t, c2)
-
-		s.noteClientActivity(c1)
-		checkDisabled(t, c1, false)
-		checkDisabled(t, c2, false)
-		wantActive(t, c1)
-
-		s.noteClientActivity(c2)
-		checkDisabled(t, c1, false)
-		checkDisabled(t, c2, false)
-		wantActive(t, c2)
-
-		s.unregisterClient(c2)
-		checkDisabled(t, c1, false)
-		wantActive(t, c1)
-	})
+	mu.Lock()
+	defer mu.Unlock()
+	if sleeps == 0 {
+		t.Errorf("no sleeps")
+	}
+	if slept == 0 {
+		t.Errorf("total sleep duration was 0")
+	}
 }

 func TestLimiter(t *testing.T) {
@@ -1244,80 +1090,3 @@ func TestParseSSOutput(t *testing.T) {
 		t.Errorf("parseSSOutput expected non-empty map")
 	}
 }
-
-type countWriter struct {
-	mu     sync.Mutex
-	writes int
-	bytes  int64
-}
-
-func (w *countWriter) Write(p []byte) (n int, err error) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	w.writes++
-	w.bytes += int64(len(p))
-	return len(p), nil
-}
-
-func (w *countWriter) Stats() (writes int, bytes int64) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	return w.writes, w.bytes
-}
-
-func (w *countWriter) ResetStats() {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	w.writes, w.bytes = 0, 0
-}
-
-func TestClientSendRateLimiting(t *testing.T) {
-	cw := new(countWriter)
-	c := &Client{
-		bw: bufio.NewWriter(cw),
-	}
-	c.setSendRateLimiter(ServerInfoMessage{})
-
-	pkt := make([]byte, 1000)
-	if err := c.send(key.Public{}, pkt); err != nil {
-		t.Fatal(err)
-	}
-	writes1, bytes1 := cw.Stats()
-	if writes1 != 1 {
-		t.Errorf("writes = %v, want 1", writes1)
-	}
-
-	// Flood should all succeed.
-	cw.ResetStats()
-	for i := 0; i < 1000; i++ {
-		if err := c.send(key.Public{}, pkt); err != nil {
-			t.Fatal(err)
-		}
-	}
-	writes1K, bytes1K := cw.Stats()
-	if writes1K != 1000 {
-		t.Logf("writes = %v; want 1000", writes1K)
-	}
-	if got, want := bytes1K, bytes1*1000; got != want {
-		t.Logf("bytes = %v; want %v", got, want)
-	}
-
-	// Set a rate limiter
-	cw.ResetStats()
-	c.setSendRateLimiter(ServerInfoMessage{
-		TokenBucketBytesPerSecond: 1,
-		TokenBucketBytesBurst:     int(bytes1 * 2),
-	})
-	for i := 0; i < 1000; i++ {
-		if err := c.send(key.Public{}, pkt); err != nil {
-			t.Fatal(err)
-		}
-	}
-	writesLimited, bytesLimited := cw.Stats()
-	if writesLimited == 0 || writesLimited == writes1K {
-		t.Errorf("limited conn's write count = %v; want non-zero, less than 1k", writesLimited)
-	}
-	if bytesLimited < bytes1*2 || bytesLimited >= bytes1K {
-		t.Errorf("limited conn's bytes count = %v; want >=%v, <%v", bytesLimited, bytes1K*2, bytes1K)
-	}
-}
--- a/derp/dropreason_string.go
+++ b/derp/dropreason_string.go
@@ -18,12 +18,11 @@ func _() {
 	_ = x[dropReasonQueueHead-3]
 	_ = x[dropReasonQueueTail-4]
 	_ = x[dropReasonWriteError-5]
-	_ = x[dropReasonDupClient-6]
 }

-const _dropReason_name = "UnknownDestUnknownDestOnFwdGoneQueueHeadQueueTailWriteErrorDupClient"
+const _dropReason_name = "UnknownDestUnknownDestOnFwdGoneQueueHeadQueueTailWriteError"

-var _dropReason_index = [...]uint8{0, 11, 27, 31, 40, 49, 59, 68}
+var _dropReason_index = [...]uint8{0, 11, 27, 31, 40, 49, 59}

 func (i dropReason) String() string {
 	if i < 0 || i >= dropReason(len(_dropReason_index)-1) {
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -57,16 +57,6 @@ func LooksLikeDiscoWrapper(p []byte) bool {
 	return string(p[:len(Magic)]) == Magic
 }

-// Source returns the slice of p that represents the
-// disco public key source, and whether p looks like
-// a disco message.
-func Source(p []byte) (src []byte, ok bool) {
-	if !LooksLikeDiscoWrapper(p) {
-		return nil, false
-	}
-	return p[len(Magic):][:keyLen], true
-}
-
 // Parse parses the encrypted part of the message from inside the
 // nacl secretbox.
 func Parse(p []byte) (Message, error) {
--- a/disco/disco_fuzzer.go
+++ b/disco/disco_fuzzer.go
@@ -1,7 +1,6 @@
 // Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-//go:build gofuzz
 // +build gofuzz

 package disco
--- a/docs/bird/sample_bird.conf
+++ b/docs/bird/sample_bird.conf
@@ -1,16 +0,0 @@
-log syslog all;
-
-protocol device {
-  scan time 10;
-}
-
-protocol bgp {
-  local as 64001;
-  neighbor 10.40.2.101 as 64002;
-  ipv4 {
-    import none;
-    export all;
-  };
-}
-
-include "tailscale_bird.conf";
--- a/docs/bird/tailscale_bird.conf
+++ b/docs/bird/tailscale_bird.conf
@@ -1,4 +0,0 @@
-protocol static tailscale {
-  ipv4;
-  route 100.64.0.0/10 via "tailscale0";
-}
--- a/docs/k8s/README.md
+++ b/docs/k8s/README.md
@@ -1,20 +0,0 @@
-# Using Kubernetes Secrets as the state store for Tailscale
-Tailscale supports using Kubernetes Secrets as the state store, however there is some configuration required in order for it to work.
-
-**Note: this only works if `tailscaled` runs inside a pod in the cluster.**
-
-1. Create a service account for Tailscale (optional)
-   ```
-   kubectl create -f sa.yaml
-   ```
-
-1. Create role and role bindings for the service account
-   ```
-   kubectl create -f role.yaml
-   kubectl create -f rolebinding.yaml
-   ```
-
-1. Launch `tailscaled` with a Kubernetes Secret as the state store.
-   ```
-   tailscaled --state=kube:tailscale
-   ```
--- a/docs/k8s/role.yaml
+++ b/docs/k8s/role.yaml
@@ -1,10 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: default
-  name: tailscale
-rules:
- apiGroups: [""] # "" indicates the core API group
-  resourceNames: ["tailscale"]
-  resources: ["secrets"]
-  verbs: ["create", "get", "update"]
--- a/docs/k8s/rolebinding.yaml
+++ b/docs/k8s/rolebinding.yaml
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: default
-  name: tailscale
-subjects:
- kind: ServiceAccount
-  name: tailscale
-roleRef:
-  kind: Role
-  name: tailscale
-  apiGroup: rbac.authorization.k8s.io
--- a/docs/k8s/sa.yaml
+++ b/docs/k8s/sa.yaml
@@ -1,5 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tailscale
-  namespace: default
--- a/go.mod
+++ b/go.mod
@@ -1,195 +1,54 @@
 module tailscale.com

-go 1.17
+go 1.16

 require (
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
 	github.com/aws/aws-sdk-go v1.38.52
 	github.com/coreos/go-iptables v0.6.0
-	github.com/creack/pty v1.1.16
+	github.com/creack/pty v1.1.9
 	github.com/dave/jennifer v1.4.1
-	github.com/frankban/quicktest v1.13.1
-	github.com/gliderlabs/ssh v0.3.3
+	github.com/frankban/quicktest v1.13.0
+	github.com/gliderlabs/ssh v0.3.2
 	github.com/go-multierror/multierror v1.0.2
 	github.com/go-ole/go-ole v1.2.5
-	github.com/godbus/dbus/v5 v5.0.5
+	github.com/godbus/dbus/v5 v5.0.4
 	github.com/google/go-cmp v0.5.6
-	github.com/google/uuid v1.3.0
+	github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f
+	github.com/google/uuid v1.1.2
 	github.com/goreleaser/nfpm v1.10.3
 	github.com/iancoleman/strcase v0.2.0
-	github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e
 	github.com/jsimonetti/rtnetlink v0.0.0-20210525051524-4cc836578190
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/klauspost/compress v1.13.6
+	github.com/klauspost/compress v1.12.2
 	github.com/mdlayher/netlink v1.4.1
 	github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697
-	github.com/miekg/dns v1.1.43
+	github.com/miekg/dns v1.1.42
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/pborman/getopt v1.1.0
-	github.com/peterbourgon/ff/v3 v3.1.0
-	github.com/pkg/sftp v1.13.4
+	github.com/peterbourgon/ff/v2 v2.0.0
+	github.com/pkg/sftp v1.13.0
 	github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3
 	github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027
-	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20200924210142-dde312d0d6a2
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
-	github.com/ulikunitz/xz v0.5.10 // indirect
 	go4.org/mem v0.0.0-20201119185036-c04c5a6ff174
-	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
-	golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f
+	golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e
+	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34
+	golang.org/x/sys v0.0.0-20210616094352-59db8d763f22
 	golang.org/x/term v0.0.0-20210503060354-a79de5458b56
 	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
-	golang.org/x/tools v0.1.7
-	golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c
-	golang.zx2c4.com/wireguard/windows v0.4.9
-	honnef.co/go/tools v0.2.1
+	golang.org/x/tools v0.1.2
+	golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0
+	golang.zx2c4.com/wireguard/windows v0.3.16
+	honnef.co/go/tools v0.1.4
 	inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1
 	inet.af/netstack v0.0.0-20210622165351-29b14ebc044e
 	inet.af/peercred v0.0.0-20210318190834-4259e17bb763
 	inet.af/wf v0.0.0-20210516214145-a5343001b756
-)
-
-require (
-	4d63.com/gochecknoglobals v0.0.0-20201008074935-acfc0b28355a // indirect
-	github.com/BurntSushi/toml v0.3.1 // indirect
-	github.com/Djarvur/go-err113 v0.1.0 // indirect
-	github.com/Masterminds/goutils v1.1.0 // indirect
-	github.com/Masterminds/semver v1.5.0 // indirect
-	github.com/Masterminds/semver/v3 v3.1.1 // indirect
-	github.com/Masterminds/sprig v2.22.0+incompatible // indirect
-	github.com/Microsoft/go-winio v0.4.16 // indirect
-	github.com/OpenPeeDeeP/depguard v1.0.1 // indirect
-	github.com/blakesmith/ar v0.0.0-20190502131153-809d4375e1fb // indirect
-	github.com/bombsimon/wsl/v3 v3.1.0 // indirect
-	github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e // indirect
-	github.com/daixiang0/gci v0.2.7 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denis-tingajkin/go-header v0.3.1 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/fatih/color v1.10.0 // indirect
-	github.com/fsnotify/fsnotify v1.4.9 // indirect
-	github.com/go-critic/go-critic v0.5.2 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.0.0 // indirect
-	github.com/go-git/go-git/v5 v5.2.0 // indirect
-	github.com/go-toolsmith/astcast v1.0.0 // indirect
-	github.com/go-toolsmith/astcopy v1.0.0 // indirect
-	github.com/go-toolsmith/astequal v1.0.0 // indirect
-	github.com/go-toolsmith/astfmt v1.0.0 // indirect
-	github.com/go-toolsmith/astp v1.0.0 // indirect
-	github.com/go-toolsmith/strparse v1.0.0 // indirect
-	github.com/go-toolsmith/typep v1.0.2 // indirect
-	github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gofrs/flock v0.8.0 // indirect
-	github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 // indirect
-	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
-	github.com/golangci/errcheck v0.0.0-20181223084120-ef45e06d44b6 // indirect
-	github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613 // indirect
-	github.com/golangci/gocyclo v0.0.0-20180528144436-0a533e8fa43d // indirect
-	github.com/golangci/gofmt v0.0.0-20190930125516-244bba706f1a // indirect
-	github.com/golangci/golangci-lint v1.33.0 // indirect
-	github.com/golangci/ineffassign v0.0.0-20190609212857-42439a7714cc // indirect
-	github.com/golangci/lint-1 v0.0.0-20191013205115-297bf364a8e0 // indirect
-	github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca // indirect
-	github.com/golangci/misspell v0.3.5 // indirect
-	github.com/golangci/prealloc v0.0.0-20180630174525-215b22d4de21 // indirect
-	github.com/golangci/revgrep v0.0.0-20180812185044-276a5c0a1039 // indirect
-	github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f // indirect
-	github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 // indirect
-	github.com/goreleaser/chglog v0.1.2 // indirect
-	github.com/goreleaser/fileglob v0.3.1 // indirect
-	github.com/gostaticanalysis/analysisutil v0.6.1 // indirect
-	github.com/gostaticanalysis/comment v1.4.1 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/huandu/xstrings v1.3.2 // indirect
-	github.com/imdario/mergo v0.3.11 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jgautheron/goconst v0.0.0-20201117150253-ccae5bf973f3 // indirect
-	github.com/jingyugao/rowserrcheck v0.0.0-20191204022205-72ab7603b68a // indirect
-	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
-	github.com/kisielk/gotool v1.0.0 // indirect
-	github.com/kr/fs v0.1.0 // indirect
-	github.com/kr/pretty v0.3.0 // indirect
-	github.com/kr/text v0.2.0 // indirect
-	github.com/kunwardeep/paralleltest v1.0.2 // indirect
-	github.com/kyoh86/exportloopref v0.1.8 // indirect
-	github.com/magiconair/properties v1.8.4 // indirect
-	github.com/maratori/testpackage v1.0.1 // indirect
-	github.com/matoous/godox v0.0.0-20200801072554-4fb83dc2941e // indirect
-	github.com/mattn/go-colorable v0.1.8 // indirect
-	github.com/mattn/go-isatty v0.0.12 // indirect
-	github.com/mbilski/exhaustivestruct v1.1.0 // indirect
-	github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00 // indirect
-	github.com/mitchellh/copystructure v1.0.0 // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
-	github.com/moricho/tparallel v0.2.1 // indirect
-	github.com/nakabonne/nestif v0.3.0 // indirect
-	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d // indirect
-	github.com/nishanths/exhaustive v0.1.0 // indirect
-	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7 // indirect
-	github.com/pelletier/go-toml v1.8.1 // indirect
-	github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d // indirect
-	github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/polyfloyd/go-errorlint v0.0.0-20201127212506-19bd8db6546f // indirect
-	github.com/quasilyte/go-ruleguard v0.2.1 // indirect
-	github.com/quasilyte/regex/syntax v0.0.0-20200805063351-8f842688393c // indirect
-	github.com/rogpeppe/go-internal v1.6.2 // indirect
-	github.com/ryancurrah/gomodguard v1.1.0 // indirect
-	github.com/ryanrolds/sqlclosecheck v0.3.0 // indirect
-	github.com/sassoftware/go-rpmutils v0.0.0-20190420191620-a8f1baeba37b // indirect
-	github.com/securego/gosec/v2 v2.5.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
-	github.com/sirupsen/logrus v1.7.0 // indirect
-	github.com/sonatard/noctx v0.0.1 // indirect
-	github.com/sourcegraph/go-diff v0.6.1 // indirect
-	github.com/spf13/afero v1.5.1 // indirect
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.1.1 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.7.1 // indirect
-	github.com/ssgreg/nlreturn/v2 v2.1.0 // indirect
-	github.com/stretchr/objx v0.3.0 // indirect
-	github.com/stretchr/testify v1.7.0 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b // indirect
-	github.com/tetafro/godot v1.3.2 // indirect
-	github.com/timakin/bodyclose v0.0.0-20200424151742-cb6215831a94 // indirect
-	github.com/tomarrell/wrapcheck v0.0.0-20201130113247-1683564d9756 // indirect
-	github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa // indirect
-	github.com/u-root/uio v0.0.0-20210528114334-82958018845c // indirect
-	github.com/ultraware/funlen v0.0.3 // indirect
-	github.com/ultraware/whitespace v0.0.4 // indirect
-	github.com/uudashr/gocognit v1.0.1 // indirect
-	github.com/xanzy/ssh-agent v0.3.0 // indirect
-	go4.org/intern v0.0.0-20210108033219-3eb7198706b2 // indirect
-	go4.org/unsafe/assume-no-moving-gc v0.0.0-20201222180813-1025295fd063 // indirect
-	golang.org/x/mod v0.4.2 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
-	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
-	mvdan.cc/gofumpt v0.0.0-20201129102820-5c11c50e9475 // indirect
-	mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed // indirect
-	mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b // indirect
-	mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 // indirect
+	rsc.io/goversion v1.2.0
 )
--- a/go.sum
+++ b/go.sum
@@ -67,11 +67,13 @@ github.com/bombsimon/wsl/v3 v3.1.0 h1:E5SRssoBgtVFPcYWUOFJEcgaySgdtTNYzsSKDOY7ss
 github.com/bombsimon/wsl/v3 v3.1.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e h1:hHg27A0RSSp2Om9lubZpiMgVbvn39bsUmW9U5h0twqc=
 github.com/cavaliercoder/go-cpio v0.0.0-20180626203310-925f9528c45e/go.mod h1:oDpT4efm8tSYHXV5tHSdRvBet/b/QzxZ+XyyPehvm3A=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cilium/ebpf v0.5.0 h1:E1KshmrMEtkMP2UjlWzfmUV1owWY+BnbL5FxxuatnrU=
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
@@ -80,9 +82,8 @@ github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3Ee
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/creack/pty v1.1.9 h1:uDmaGzcdjhF4i/plgjmEsriH11Y0o7RKapEf/LDaM3w=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.16 h1:vfetlOf3A+9YKggibynnX9mnFjuSVvkRj+IWpcTSLEQ=
-github.com/creack/pty v1.1.16/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/daixiang0/gci v0.2.4/go.mod h1:+AV8KmHTGxxwp/pY84TLQfFKp2vuKXXJVzF3kD/hfR4=
 github.com/daixiang0/gci v0.2.7 h1:bosLNficubzJZICsVzxuyNc6oAbdz0zcqLG2G/RxtY4=
 github.com/daixiang0/gci v0.2.7/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc=
@@ -98,15 +99,17 @@ github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8
 github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
-github.com/fanliao/go-promise v0.0.0-20141029170127-1890db352a72/go.mod h1:PjfxuH4FZdUyfMdtBio2lsRr1AKEaVPwelzuHuh8Lqc=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
 github.com/fatih/color v1.10.0 h1:s36xzo75JdqLaaWoiEHk767eHiwo0598uUxyfiPkDsg=
 github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGEBuJM=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.13.1 h1:xVm/f9seEhZFL9+n5kv5XLrGwy6elc4V9v/XFY2vmd8=
-github.com/frankban/quicktest v1.13.1/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
+github.com/frankban/quicktest v1.13.0 h1:yNZif1OkDfNoDfb9zZa9aXIpejNR4F23Wely0c+Qdqk=
+github.com/frankban/quicktest v1.13.0/go.mod h1:qLE0fzW0VuyUAJgPU19zByoIr0HtCHN/r/VLSOOIySU=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
@@ -114,8 +117,8 @@ github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeME
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/gliderlabs/ssh v0.2.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
-github.com/gliderlabs/ssh v0.3.3 h1:mBQ8NiOgDkINJrZtoizkC3nDNYgSaWtxyem6S2XHBtA=
-github.com/gliderlabs/ssh v0.3.3/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=
+github.com/gliderlabs/ssh v0.3.2 h1:gcfd1Aj/9RQxvygu4l3sak711f/5+VOwBw9C/7+N4EI=
+github.com/gliderlabs/ssh v0.3.2/go.mod h1:U7qILu1NlMHj9FlMhZLlkCdDnU1DBEAqr0aevW3Awn0=
 github.com/go-critic/go-critic v0.5.2 h1:3RJdgf6u4NZUumoP8nzbqiiNT8e1tC2Oc7jlgqre/IA=
 github.com/go-critic/go-critic v0.5.2/go.mod h1:cc0+HvdE3lFpqLecgqMaJcvWWH77sLdBp+wLGPM1Yyo=
 github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4=
@@ -159,12 +162,13 @@ github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b h1:khEcpUM4yFcxg4
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/godbus/dbus/v5 v5.0.5 h1:9Eg0XUhQxtkV8ykTMKtMMYY72g4NgxtRq4jgh4Ih5YM=
-github.com/godbus/dbus/v5 v5.0.5/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.0.4 h1:9349emZab16e7zQvpmsbtjc18ykshndd8y2PG3sgJbA=
+github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.0 h1:MSdYClljsF3PbENUUEx85nkWfJSGfzYI9yEBZOJz6CY=
 github.com/gofrs/flock v0.8.0/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -177,12 +181,16 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA=
+github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 h1:23T5iq8rbUYlhpt5DB4XJkc6BU31uODLD1o1gKvZmD0=
 github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
 github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
@@ -229,6 +237,8 @@ github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f h1:7MmqygqdeJtziBUpm4Z9ThROFZUaVGaePMfcDnluf1E=
+github.com/google/goexpect v0.0.0-20210430020637-ab937bf7fd6f/go.mod h1:n1ej5+FqyEytMt/mugVDZLIiqTMO+vsrgY+kM6ohzN0=
 github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f h1:5CjVwnuUcp5adK4gmY6i72gpVFVnZDP2h5TmPScB6u4=
 github.com/google/goterm v0.0.0-20190703233501-fc88cf888a3f/go.mod h1:nOFQdrUlIlx6M6ODdSpBj1NVA+VgLC6kmw60mkw34H4=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
@@ -238,9 +248,8 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1 h1:BRIy5qQZKSC/nthA5ueW547F73BV5hMoIoxhPfhxa3k=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
-github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gookit/color v1.3.1/go.mod h1:R3ogXq2B9rTbXoSHJ1HyUVAZ3poOJHpd9nQmyGZsfvQ=
@@ -288,7 +297,6 @@ github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/J
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/huandu/xstrings v1.3.2 h1:L18LIDzqlW6xN2rEkpdV8+oL/IXWJ1APd+vsdYy4Wdw=
 github.com/huandu/xstrings v1.3.2/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/hugelgupf/socketpair v0.0.0-20190730060125-05d35a94e714/go.mod h1:2Goc3h8EklBH5mspfHFxBnEoURQCGzQQH1ga9Myjvis=
 github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/imdario/mergo v0.3.9/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
@@ -296,8 +304,6 @@ github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e h1:sgh63o+pm5kcdrgyYaCIoeD7mccyL6MscVmy+DvY6C4=
-github.com/insomniacslk/dhcp v0.0.0-20210621130208-1cac67f12b1e/go.mod h1:h+MxyHxRg9NH3terB1nfRIUaQEcI0XOVkdR9LNBlp8E=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
@@ -320,7 +326,6 @@ github.com/josharian/native v0.0.0-20200817173448-b6b71def0850/go.mod h1:7X/rasw
 github.com/jsimonetti/rtnetlink v0.0.0-20190606172950-9527aa82566a/go.mod h1:Oz+70psSo5OFh8DBl0Zv2ACw7Esh6pPUphlvZG9x7uw=
 github.com/jsimonetti/rtnetlink v0.0.0-20200117123717-f846d4f6c1f4/go.mod h1:WGuG/smIU4J/54PblvSbh+xvCZmpJnFgr3ds6Z55XMQ=
 github.com/jsimonetti/rtnetlink v0.0.0-20201009170750-9c6f07d100c1/go.mod h1:hqoO/u39cqLeBLebZ8fWdE96O7FxrAsRYhnVOdgHxok=
-github.com/jsimonetti/rtnetlink v0.0.0-20201110080708-d2c240429e6c/go.mod h1:huN4d1phzjhlOsNIjFsw2SVRbwIHj3fJDMEU2SDPTmg=
 github.com/jsimonetti/rtnetlink v0.0.0-20201216134343-bde56ed16391/go.mod h1:cR77jAZG3Y3bsb8hF6fHJbFoyFukLFOkQ98S0pQz3xw=
 github.com/jsimonetti/rtnetlink v0.0.0-20201220180245-69540ac93943/go.mod h1:z4c53zj6Eex712ROyh8WI0ihysb5j2ROyV42iNogmAs=
 github.com/jsimonetti/rtnetlink v0.0.0-20210122163228-8d122574c736/go.mod h1:ZXpIyOK59ZnN7J0BV99cZUPmsqDRZ3eq5X+st7u/oSA=
@@ -342,17 +347,16 @@ github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
 github.com/klauspost/compress v1.11.0/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.13.6 h1:P76CopJELS0TiO2mebmnzgWaajssP/EszplttgQxcgc=
-github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
+github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8=
+github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
-github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
-github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -387,7 +391,6 @@ github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpe
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mbilski/exhaustivestruct v1.1.0 h1:4ykwscnAFeHJruT+EY3M3vdeP8uXMh0VV2E61iR7XD8=
 github.com/mbilski/exhaustivestruct v1.1.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc=
-github.com/mdlayher/ethernet v0.0.0-20190606142754-0394541c37b7/go.mod h1:U6ZQobyTjI/tJyq2HG+i/dfSoFUt8/aZCM+GKtmFk/Y=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43 h1:WgyLFv10Ov49JAQI/ZLUkCZ7VJS3r74hwFIGXJsgZlY=
 github.com/mdlayher/ethtool v0.0.0-20210210192532-2b88debcdd43/go.mod h1:+t7E0lkKfbBsebllff1xdTmyJt8lH37niI6kwFk9OTo=
 github.com/mdlayher/genetlink v1.0.0 h1:OoHN1OdyEIkScEmRgxLEe2M9U8ClMytqA5niynLtfj0=
@@ -403,15 +406,13 @@ github.com/mdlayher/netlink v1.3.0/go.mod h1:xK/BssKuwcRXHrtN04UBkwQ6dY9VviGGuri
 github.com/mdlayher/netlink v1.4.0/go.mod h1:dRJi5IABcZpBD2A3D0Mv/AiX8I9uDEu5oGkAVrekmf8=
 github.com/mdlayher/netlink v1.4.1 h1:I154BCU+mKlIf7BgcAJB2r7QjveNPty6uNY1g9ChVfI=
 github.com/mdlayher/netlink v1.4.1/go.mod h1:e4/KuJ+s8UhfUpO9z00/fDZZmhSrs+oxyqAS9cNgn6Q=
-github.com/mdlayher/raw v0.0.0-20190606142536-fef19f00fc18/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
-github.com/mdlayher/raw v0.0.0-20191009151244-50f2db8cc065/go.mod h1:7EpbotpCmVZcu+KCX4g9WaRNuu11uyhiW7+Le1dKawg=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697 h1:PBb7ld5cQGfxHF2pKvb/ydtuPwdRaltGI4e0QSCuiNI=
 github.com/mdlayher/sdnotify v0.0.0-20210228150836-ea3ec207d697/go.mod h1:HtjVsQfsrBm1GDcDTUFn4ZXhftxTwO/hxrvEiRc61U4=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00 h1:qEtkL8n1DAHpi5/AOgAckwGQUlMe4+jhL/GMt+GKIks=
 github.com/mdlayher/socket v0.0.0-20210307095302-262dc9984e00/go.mod h1:GAFlyu4/XV68LkQKYzKhIo/WW7j3Zi0YRAz/BOoanUc=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.43 h1:JKfpVSCB84vrAmHzyrsxB5NAr5kLoMXZArPSw7Qlgyg=
-github.com/miekg/dns v1.1.43/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
+github.com/miekg/dns v1.1.42 h1:gWGe42RGaIqXQZ+r3WUGEKBEtvPHY2SXo4dqixDNxuY=
+github.com/miekg/dns v1.1.42/go.mod h1:+evo5L0630/F6ca/Z9+GAqzhjGyn8/c+TBaOyfEl0V4=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
@@ -466,9 +467,9 @@ github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/9
 github.com/pelletier/go-toml v1.6.0/go.mod h1:5N711Q9dKgbdkxHL+MEfF31hpT7l0S0s/t2kKREewys=
 github.com/pelletier/go-toml v1.8.1 h1:1Nf83orprkJyknT6h7zbuEGUEjcyVlCxSUGTENmNCRM=
 github.com/pelletier/go-toml v1.8.1/go.mod h1:T2/BmBdy8dvIRq1a/8aqjN41wvWlN4lrapLU/GW4pbc=
+github.com/peterbourgon/ff/v2 v2.0.0 h1:lx0oYI5qr/FU1xnpNhQ+EZM04gKgn46jyYvGEEqBBbY=
+github.com/peterbourgon/ff/v2 v2.0.0/go.mod h1:xjwr+t+SjWm4L46fcj/D+Ap+6ME7+HqFzaP22pP5Ggk=
 github.com/peterbourgon/ff/v3 v3.0.0/go.mod h1:UILIFjRH5a/ar8TjXYLTkIvSvekZqPm5Eb/qbGk6CT0=
-github.com/peterbourgon/ff/v3 v3.1.0 h1:5JAeDK5j/zhKFjyHEZQXwXBoDijERaos10RE+xamOsY=
-github.com/peterbourgon/ff/v3 v3.1.0/go.mod h1:XNJLY8EIl6MjMVjBS4F0+G0LYoAqs0DTa4rmHHukKDE=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d h1:CdDQnGF8Nq9ocOS/xlSptM1N3BbrA6/kmaep5ggwaIA=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw=
 github.com/pkg/diff v0.0.0-20200914180035-5b29258ca4f7 h1:+/+DxvQaYifJ+grD4klzrS5y+KJXldn/2YTl5JG+vZ8=
@@ -478,8 +479,8 @@ github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI=
-github.com/pkg/sftp v1.13.4 h1:Lb0RYJCmgUcBgZosfoi9Y9sbl6+LJgOIgk/2Y4YjMFg=
-github.com/pkg/sftp v1.13.4/go.mod h1:LzqnAvaD5TWeNBsZpfKxSYn1MbjWwOsCIAFFJbpIsK8=
+github.com/pkg/sftp v1.13.0 h1:Riw6pgOKK41foc1I1Uu03CjvbLZDXeGpInycM4shXoI=
+github.com/pkg/sftp v1.13.0/go.mod h1:41g+FIPlQUTDCveupEmEA65IoiQFrtgCeDopC4ajGIM=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/polyfloyd/go-errorlint v0.0.0-20201006195004-351e25ade6e3/go.mod h1:wi9BfjxjF/bwiZ701TzmfKu6UKC357IOAtNr0Td0Lvw=
@@ -490,6 +491,7 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
@@ -506,7 +508,6 @@ github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6So
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.5.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/rogpeppe/go-internal v1.6.2 h1:aIihoIOHCiLZHxyoNQ+ABL4NKhFTgKLBdMLyEAh98m0=
 github.com/rogpeppe/go-internal v1.6.2/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/ryancurrah/gomodguard v1.1.0 h1:DWbye9KyMgytn8uYpuHkwf0RHqAYO6Ay/D0TbCpPtVU=
@@ -572,17 +573,14 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3 h1:fEubocuQkrlcuYeXelhYq/YcKvVVe1Ah7saQEtj98Mo=
 github.com/tailscale/certstore v0.0.0-20210528134328-066c94b793d3/go.mod h1:2P+hpOwd53e7JMX/L4f3VXkv1G+33ES6IWZSrkIeWNs=
 github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027 h1:lK99QQdH3yBWY6aGilF+IRlQIdmhzLrsEmF6JgN+Ryw=
 github.com/tailscale/depaware v0.0.0-20201214215404-77d1e9757027/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
-github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
-github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20200924210142-dde312d0d6a2 h1:reREUgl2FG+o7YCsrZB8XLjnuKv5hEIWtnOdAbRAXZI=
@@ -606,11 +604,8 @@ github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa h1:RC4maTWLK
 github.com/tommy-muehle/go-mnd v1.3.1-0.20200224220436-e6f9a994e8fa/go.mod h1:dSUh0FtTP8VhvkL1S+gUR1OKd9ZnSaozuI6r3m6wOig=
 github.com/toqueteos/webbrowser v1.2.0 h1:tVP/gpK69Fx+qMJKsLE7TD8LuGWPnEV71wBN9rrstGQ=
 github.com/toqueteos/webbrowser v1.2.0/go.mod h1:XWoZq4cyp9WeUeak7w7LXRUQf1F1ATJMir8RTqb4ayM=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c h1:BFvcl34IGnw8yvJi8hlqLFo9EshRInwWBs2M5fGWzQA=
-github.com/u-root/uio v0.0.0-20210528114334-82958018845c/go.mod h1:LpEX5FO/cB+WF4TYGY1V5qktpaZLkKkSegbr0V4eYXA=
+github.com/ulikunitz/xz v0.5.7 h1:YvTNdFzX6+W5m9msiYg/zpkSURPPtOlzbqYjrFn7Yt4=
 github.com/ulikunitz/xz v0.5.7/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
-github.com/ulikunitz/xz v0.5.10 h1:t92gobL9l3HE202wg3rlk19F6X+JOxl9BBrCCMYEYd8=
-github.com/ulikunitz/xz v0.5.10/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.0.3 h1:5ylVWm8wsNwH5aWo9438pwvsK0QiqVuUrt9bn7S/iLA=
 github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=
 github.com/ultraware/whitespace v0.0.4 h1:If7Va4cM03mpgrNH9k49/VOicWpGoG70XPBFFODYDsg=
@@ -631,7 +626,7 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/ziutek/telnet v0.0.0-20180329124119-c3b780dc415b/go.mod h1:IZpXDfkJ6tWD3PhBK5YzgQT+xJWh7OsdwiG8hA2MkO4=
 go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
@@ -659,11 +654,10 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
+golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e h1:gsTQYXdTw2Gq7RBsWvlQ91b+aEQ6bXFUngBGuR8sPpI=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5 h1:HWj/xjIHfjYU5nVXpTM0s39J9CbLn7Cc5a7IC5rwsMQ=
-golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -705,7 +699,6 @@ golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190419010253-1f3472d942ba/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -728,10 +721,10 @@ golang.org/x/net v0.0.0-20201216054612-986b41b23924/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f h1:w6wWR0H+nyVpbSAQbzVEIACVyr/h8l/BEkY6Sokc7Eg=
-golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q=
+golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -762,11 +755,9 @@ golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190411185658-b44545bcd369/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190418153312-f0ce4c0180be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606122018-79a91cf218c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -786,7 +777,6 @@ golang.org/x/sys v0.0.0-20200602225109-6fdc65e7d980/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201101102859-da207088b7d1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201109165425-215b40eba54c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201118182958-a01c418693c7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -800,15 +790,14 @@ golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210301091718-77cc2087c03b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 h1:RqytpXGR1iVNX7psjB3ff8y7sNFinVFvkx1c8SjBkio=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34 h1:GkvMjFtXUmahfDtashnc1mnrCtuBVcwse5QV2lUk/tI=
-golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56 h1:b8jxX3zqjpqb2LklXPzKSGJhzyxCOZSz8ncv8Nv+y7w=
@@ -819,8 +808,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99 h1:ZEXtoJu1S0ie/EmdYnjY3CqaCCZxnldL+K1ftMITD2Q=
+golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6 h1:Vv0JUPWTyeqUq42B2WJ1FeIDjjvGKoA2Ss+Ts0lAVbs=
@@ -844,6 +833,7 @@ golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
@@ -879,17 +869,17 @@ golang.org/x/tools v0.0.0-20201121010211-780cb80bd7fb/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
-golang.org/x/tools v0.1.7 h1:6j8CgantCy3yc8JGBqkDLMKWqZ0RDU2g1HVgacojGWQ=
-golang.org/x/tools v0.1.7/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
+golang.org/x/tools v0.1.2 h1:kRBLX7v7Af8W7Gdbbc908OJcdgtK8bOz9Uaj8/F1ACA=
+golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c h1:IsAez/yRA23H/i9A02IHbYnmtVOs7DsP3aVP2cu5SNE=
-golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
-golang.zx2c4.com/wireguard/windows v0.4.9 h1:anmrpqbgh8DYkjEe2iML53+W34GUUvbQqKFx0SLBOd4=
-golang.zx2c4.com/wireguard/windows v0.4.9/go.mod h1:v7w/8FC48tTBm1IzScDVPEEb0/GjLta+T0ybpP9UWRg=
+golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0 h1:qINUmOnDCCF7i14oomDDkGmlda7BSDTGfge77/aqdfk=
+golang.zx2c4.com/wireguard v0.0.0-20210624150102-15b24b6179e0/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
+golang.zx2c4.com/wireguard/windows v0.3.16 h1:S42i0kp3SFHZm1mMFTtiU3OnEQJ0GRVOVlMkBhSDTZI=
+golang.zx2c4.com/wireguard/windows v0.3.16/go.mod h1:f80rkFY2CKQklps1GHE15k/M4Tq78aofbr1iQM5MTVY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -911,16 +901,22 @@ google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a h1:Ob5/580gVHBJZgXnff1cZDbG+xLtMVE5mDRTe+nIsX4=
 google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.31.0 h1:T7P4R73V3SSDPhH7WW7ATbfViLtmamH0DKrP3f9AuDI=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -953,10 +949,11 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.6/go.mod h1:pyyisuGw24ruLjrr1ddx39WE0y9OooInRzEYLhQB2YY=
-honnef.co/go/tools v0.2.1 h1:/EPr//+UMMXwMTkXvCCoaJDq8cpjMO80Ou+L4PDo2mY=
-honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
+honnef.co/go/tools v0.1.4 h1:SadWOkti5uVN1FAMgxn165+Mw00fuQKyk4Gyn/inxNQ=
+honnef.co/go/tools v0.1.4/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
 inet.af/netaddr v0.0.0-20210515010201-ad03edc7c841/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
 inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1 h1:mxmfTV6kjXTlFqqFETnG9FQZzNFc6AKunZVAgQ3b7WA=
 inet.af/netaddr v0.0.0-20210721214506-ce7a8ad02cc1/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
@@ -976,3 +973,5 @@ mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jC
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7 h1:kAREL6MPwpsk1/PQPFD3Eg7WAQR5mPTWZJaBiG5LDbY=
 mvdan.cc/unparam v0.0.0-20200501210554-b37ab49443f7/go.mod h1:HGC5lll35J70Y5v7vCGb9oLhHoScFwkHDJm/05RdSTc=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/goversion v1.2.0 h1:SPn+NLTiAG7w30IRK/DKp1BjvpWabYgxlLp/+kx5J8w=
+rsc.io/goversion v1.2.0/go.mod h1:Eih9y/uIBS3ulggl7KNJ09xGSLcuNaLgmvvqa07sgfo=
--- a/health/health.go
+++ b/health/health.go
@@ -9,7 +9,6 @@ package health
 import (
 	"errors"
 	"fmt"
-	"os"
 	"sort"
 	"sync"
 	"sync/atomic"
@@ -33,14 +32,12 @@ var (
 	lastStreamedMapResponse time.Time
 	derpHomeRegion          int
 	derpRegionConnected     = map[int]bool{}
-	derpRegionHealthProblem = map[int]string{}
 	derpRegionLastFrame     = map[int]time.Time{}
 	lastMapRequestHeard     time.Time // time we got a 200 from control for a MapRequest
 	ipnState                string
 	ipnWantRunning          bool
 	anyInterfaceUp          = true // until told otherwise
 	udp4Unbound             bool
-	controlHealth           []string
 )

 // Subsystem is the name of a subsystem whose health can be monitored.
@@ -142,13 +139,6 @@ func setLocked(key Subsystem, err error) {
 	}
 }

-func SetControlHealth(problems []string) {
-	mu.Lock()
-	defer mu.Unlock()
-	controlHealth = problems
-	selfCheckLocked()
-}
-
 // GotStreamedMapResponse notes that we got a tailcfg.MapResponse
 // message in streaming mode, even if it's just a keep-alive message.
 func GotStreamedMapResponse() {
@@ -201,19 +191,6 @@ func SetDERPRegionConnectedState(region int, connected bool) {
 	selfCheckLocked()
 }

-// SetDERPRegionHealth sets or clears any problem associated with the
-// provided DERP region.
-func SetDERPRegionHealth(region int, problem string) {
-	mu.Lock()
-	defer mu.Unlock()
-	if problem == "" {
-		delete(derpRegionHealthProblem, region)
-	} else {
-		derpRegionHealthProblem[region] = problem
-	}
-	selfCheckLocked()
-}
-
 func NoteDERPRegionReceivedFrame(region int) {
 	mu.Lock()
 	defer mu.Unlock()
@@ -264,18 +241,6 @@ func selfCheckLocked() {
 	setLocked(SysOverall, overallErrorLocked())
 }

-// OverallError returns a summary of the health state.
-//
-// If there are multiple problems, the error will be of type
-// multierror.MultipleErrors.
-func OverallError() error {
-	mu.Lock()
-	defer mu.Unlock()
-	return overallErrorLocked()
-}
-
-var fakeErrForTesting = os.Getenv("TS_DEBUG_FAKE_HEALTH_ERROR")
-
 func overallErrorLocked() error {
 	if !anyInterfaceUp {
 		return errors.New("network down")
@@ -323,15 +288,6 @@ func overallErrorLocked() error {
 		}
 		errs = append(errs, fmt.Errorf("%v: %w", sys, err))
 	}
-	for regionID, problem := range derpRegionHealthProblem {
-		errs = append(errs, fmt.Errorf("derp%d: %v", regionID, problem))
-	}
-	for _, s := range controlHealth {
-		errs = append(errs, errors.New(s))
-	}
-	if e := fakeErrForTesting; len(errs) == 0 && e != "" {
-		return errors.New(e)
-	}
 	sort.Slice(errs, func(i, j int) bool {
 		// Not super efficient (stringifying these in a sort), but probably max 2 or 3 items.
 		return errs[i].Error() < errs[j].Error()
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -4,64 +4,20 @@

 // Package hostinfo answers questions about the host environment that Tailscale is
 // running on.
+//
+// TODO(bradfitz): move more of control/controlclient/hostinfo_* into this package.
 package hostinfo

 import (
 	"io"
 	"os"
-	"path/filepath"
 	"runtime"
 	"sync/atomic"

 	"go4.org/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/dnsname"
 	"tailscale.com/util/lineread"
-	"tailscale.com/version"
 )

-var osVersion func() string // non-nil on some platforms
-
-// New returns a partially populated Hostinfo for the current host.
-func New() *tailcfg.Hostinfo {
-	hostname, _ := os.Hostname()
-	hostname = dnsname.FirstLabel(hostname)
-	var osv string
-	if osVersion != nil {
-		osv = osVersion()
-	}
-	return &tailcfg.Hostinfo{
-		IPNVersion:  version.Long,
-		Hostname:    hostname,
-		OS:          version.OS(),
-		OSVersion:   osv,
-		Package:     packageType(),
-		GoArch:      runtime.GOARCH,
-		DeviceModel: deviceModel(),
-	}
-}
-
-func packageType() string {
-	switch runtime.GOOS {
-	case "windows":
-		if _, err := os.Stat(`C:\ProgramData\chocolatey\lib\tailscale`); err == nil {
-			return "choco"
-		}
-	case "darwin":
-		// Using tailscaled or IPNExtension?
-		exe, _ := os.Executable()
-		return filepath.Base(exe)
-	case "linux":
-		// Report whether this is in a snap.
-		// See https://snapcraft.io/docs/environment-variables
-		// We just look at two somewhat arbitrarily.
-		if os.Getenv("SNAP_NAME") != "" && os.Getenv("SNAP") != "" {
-			return "snap"
-		}
-	}
-	return ""
-}
-
 // EnvType represents a known environment type.
 // The empty string, the default, means unknown.
 type EnvType string
@@ -72,7 +28,6 @@ const (
 	Heroku          = EnvType("hr")
 	AzureAppService = EnvType("az")
 	AWSFargate      = EnvType("fg")
-	FlyDotIo        = EnvType("fly")
 )

 var envType atomic.Value // of EnvType
@@ -86,16 +41,6 @@ func GetEnvType() EnvType {
 	return e
 }

-var deviceModelAtomic atomic.Value // of string
-
-// SetDeviceModel sets the device model for use in Hostinfo updates.
-func SetDeviceModel(model string) { deviceModelAtomic.Store(model) }
-
-func deviceModel() string {
-	s, _ := deviceModelAtomic.Load().(string)
-	return s
-}
-
 func getEnvType() EnvType {
 	if inKnative() {
 		return KNative
@@ -112,14 +57,11 @@ func getEnvType() EnvType {
 	if inAWSFargate() {
 		return AWSFargate
 	}
-	if inFlyDotIo() {
-		return FlyDotIo
-	}
 	return ""
 }

-// inContainer reports whether we're running in a container.
-func inContainer() bool {
+// InContainer reports whether we're running in a container.
+func InContainer() bool {
 	if runtime.GOOS != "linux" {
 		return false
 	}
@@ -184,10 +126,3 @@ func inAWSFargate() bool {
 	}
 	return false
 }
-
-func inFlyDotIo() bool {
-	if os.Getenv("FLY_APP_NAME") != "" && os.Getenv("FLY_REGION") != "" {
-		return true
-	}
-	return false
-}
--- a/hostinfo/hostinfo_freebsd.go
+++ b/hostinfo/hostinfo_freebsd.go
@@ -1,60 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build freebsd
-// +build freebsd
-
-package hostinfo
-
-import (
-	"fmt"
-	"os"
-	"os/exec"
-	"strings"
-
-	"golang.org/x/sys/unix"
-	"tailscale.com/version/distro"
-)
-
-func init() {
-	osVersion = osVersionFreebsd
-}
-
-func osVersionFreebsd() string {
-	un := unix.Utsname{}
-	unix.Uname(&un)
-
-	var attrBuf strings.Builder
-	attrBuf.WriteString("; version=")
-	for _, b := range un.Release {
-		if b == 0 {
-			break
-		}
-		attrBuf.WriteByte(byte(b))
-	}
-	attr := attrBuf.String()
-
-	version := "FreeBSD"
-	switch distro.Get() {
-	case distro.Pfsense:
-		b, _ := os.ReadFile("/etc/version")
-		version = fmt.Sprintf("pfSense %s", b)
-	case distro.OPNsense:
-		b, err := exec.Command("opnsense-version").Output()
-		if err == nil {
-			version = string(b)
-		} else {
-			version = "OPNsense"
-		}
-	case distro.TrueNAS:
-		b, err := os.ReadFile("/etc/version")
-		if err == nil {
-			version = string(b)
-		} else {
-			version = "TrueNAS"
-		}
-	}
-	// the /etc/version files end in a newline
-	return fmt.Sprintf("%s%s", strings.TrimSuffix(version, "\n"), attr)
-}
--- a/hostinfo/hostinfo_test.go
+++ b/hostinfo/hostinfo_test.go
@@ -1,29 +0,0 @@
-// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package hostinfo
-
-import (
-	"encoding/json"
-	"testing"
-)
-
-func TestNew(t *testing.T) {
-	hi := New()
-	if hi == nil {
-		t.Fatal("no Hostinfo")
-	}
-	j, err := json.MarshalIndent(hi, "  ", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-	t.Logf("Got: %s", j)
-}
-
-func TestOSVersion(t *testing.T) {
-	if osVersion == nil {
-		t.Skip("not available for OS")
-	}
-	t.Logf("Got: %#q", osVersion())
-}
--- a/ipn/ipnlocal/dnsconfig_test.go
+++ b/ipn/ipnlocal/dnsconfig_test.go
@@ -1,312 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ipnlocal
-
-import (
-	"encoding/json"
-	"reflect"
-	"testing"
-
-	"inet.af/netaddr"
-	"tailscale.com/ipn"
-	"tailscale.com/net/dns"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
-	"tailscale.com/types/dnstype"
-	"tailscale.com/types/netmap"
-	"tailscale.com/util/dnsname"
-)
-
-func ipps(ippStrs ...string) (ipps []netaddr.IPPrefix) {
-	for _, s := range ippStrs {
-		if ip, err := netaddr.ParseIP(s); err == nil {
-			ipps = append(ipps, netaddr.IPPrefixFrom(ip, ip.BitLen()))
-			continue
-		}
-		ipps = append(ipps, netaddr.MustParseIPPrefix(s))
-	}
-	return
-}
-
-func ips(ss ...string) (ips []netaddr.IP) {
-	for _, s := range ss {
-		ips = append(ips, netaddr.MustParseIP(s))
-	}
-	return
-}
-
-func TestDNSConfigForNetmap(t *testing.T) {
-	tests := []struct {
-		name    string
-		nm      *netmap.NetworkMap
-		os      string // version.OS value; empty means linux
-		prefs   *ipn.Prefs
-		want    *dns.Config
-		wantLog string
-	}{
-		{
-			name:  "empty",
-			nm:    &netmap.NetworkMap{},
-			prefs: &ipn.Prefs{},
-			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-			},
-		},
-		{
-			name: "self_name_and_peers",
-			nm: &netmap.NetworkMap{
-				Name:      "myname.net",
-				Addresses: ipps("100.101.101.101"),
-				Peers: []*tailcfg.Node{
-					{
-						Name:      "peera.net",
-						Addresses: ipps("100.102.0.1", "100.102.0.2", "fe75::1001", "fe75::1002"),
-					},
-					{
-						Name:      "b.net",
-						Addresses: ipps("100.102.0.1", "100.102.0.2", "fe75::2"),
-					},
-					{
-						Name:      "v6-only.net",
-						Addresses: ipps("fe75::3"), // no IPv4, so we don't ignore IPv6
-					},
-				},
-			},
-			prefs: &ipn.Prefs{},
-			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-				Hosts: map[dnsname.FQDN][]netaddr.IP{
-					"b.net.":       ips("100.102.0.1", "100.102.0.2"),
-					"myname.net.":  ips("100.101.101.101"),
-					"peera.net.":   ips("100.102.0.1", "100.102.0.2"),
-					"v6-only.net.": ips("fe75::3"),
-				},
-			},
-		},
-		{
-			name: "extra_records",
-			nm: &netmap.NetworkMap{
-				Name:      "myname.net",
-				Addresses: ipps("100.101.101.101"),
-				DNS: tailcfg.DNSConfig{
-					ExtraRecords: []tailcfg.DNSRecord{
-						{Name: "foo.com", Value: "1.2.3.4"},
-						{Name: "bar.com", Value: "1::6"},
-						{Name: "sdlfkjsdklfj", Type: "IGNORE"},
-					},
-				},
-			},
-			prefs: &ipn.Prefs{},
-			want: &dns.Config{
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-				Hosts: map[dnsname.FQDN][]netaddr.IP{
-					"myname.net.": ips("100.101.101.101"),
-					"foo.com.":    ips("1.2.3.4"),
-					"bar.com.":    ips("1::6"),
-				},
-			},
-		},
-		{
-			name: "corp_dns_misc",
-			nm: &netmap.NetworkMap{
-				Name: "host.some.domain.net.",
-				DNS: tailcfg.DNSConfig{
-					Proxied: true,
-					Domains: []string{"foo.com", "bar.com"},
-				},
-			},
-			prefs: &ipn.Prefs{
-				CorpDNS: true,
-			},
-			want: &dns.Config{
-				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{
-					"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.": nil,
-					"100.100.in-addr.arpa.":             nil,
-					"101.100.in-addr.arpa.":             nil,
-					"102.100.in-addr.arpa.":             nil,
-					"103.100.in-addr.arpa.":             nil,
-					"104.100.in-addr.arpa.":             nil,
-					"105.100.in-addr.arpa.":             nil,
-					"106.100.in-addr.arpa.":             nil,
-					"107.100.in-addr.arpa.":             nil,
-					"108.100.in-addr.arpa.":             nil,
-					"109.100.in-addr.arpa.":             nil,
-					"110.100.in-addr.arpa.":             nil,
-					"111.100.in-addr.arpa.":             nil,
-					"112.100.in-addr.arpa.":             nil,
-					"113.100.in-addr.arpa.":             nil,
-					"114.100.in-addr.arpa.":             nil,
-					"115.100.in-addr.arpa.":             nil,
-					"116.100.in-addr.arpa.":             nil,
-					"117.100.in-addr.arpa.":             nil,
-					"118.100.in-addr.arpa.":             nil,
-					"119.100.in-addr.arpa.":             nil,
-					"120.100.in-addr.arpa.":             nil,
-					"121.100.in-addr.arpa.":             nil,
-					"122.100.in-addr.arpa.":             nil,
-					"123.100.in-addr.arpa.":             nil,
-					"124.100.in-addr.arpa.":             nil,
-					"125.100.in-addr.arpa.":             nil,
-					"126.100.in-addr.arpa.":             nil,
-					"127.100.in-addr.arpa.":             nil,
-					"64.100.in-addr.arpa.":              nil,
-					"65.100.in-addr.arpa.":              nil,
-					"66.100.in-addr.arpa.":              nil,
-					"67.100.in-addr.arpa.":              nil,
-					"68.100.in-addr.arpa.":              nil,
-					"69.100.in-addr.arpa.":              nil,
-					"70.100.in-addr.arpa.":              nil,
-					"71.100.in-addr.arpa.":              nil,
-					"72.100.in-addr.arpa.":              nil,
-					"73.100.in-addr.arpa.":              nil,
-					"74.100.in-addr.arpa.":              nil,
-					"75.100.in-addr.arpa.":              nil,
-					"76.100.in-addr.arpa.":              nil,
-					"77.100.in-addr.arpa.":              nil,
-					"78.100.in-addr.arpa.":              nil,
-					"79.100.in-addr.arpa.":              nil,
-					"80.100.in-addr.arpa.":              nil,
-					"81.100.in-addr.arpa.":              nil,
-					"82.100.in-addr.arpa.":              nil,
-					"83.100.in-addr.arpa.":              nil,
-					"84.100.in-addr.arpa.":              nil,
-					"85.100.in-addr.arpa.":              nil,
-					"86.100.in-addr.arpa.":              nil,
-					"87.100.in-addr.arpa.":              nil,
-					"88.100.in-addr.arpa.":              nil,
-					"89.100.in-addr.arpa.":              nil,
-					"90.100.in-addr.arpa.":              nil,
-					"91.100.in-addr.arpa.":              nil,
-					"92.100.in-addr.arpa.":              nil,
-					"93.100.in-addr.arpa.":              nil,
-					"94.100.in-addr.arpa.":              nil,
-					"95.100.in-addr.arpa.":              nil,
-					"96.100.in-addr.arpa.":              nil,
-					"97.100.in-addr.arpa.":              nil,
-					"98.100.in-addr.arpa.":              nil,
-					"99.100.in-addr.arpa.":              nil,
-					"some.domain.net.":                  nil,
-				},
-				SearchDomains: []dnsname.FQDN{
-					"foo.com.",
-					"bar.com.",
-				},
-			},
-		},
-		{
-			name: "android_does_need_fallbacks",
-			os:   "android",
-			nm: &netmap.NetworkMap{
-				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []dnstype.Resolver{
-						{Addr: "8.8.4.4"},
-					},
-					Routes: map[string][]dnstype.Resolver{
-						"foo.com.": {{Addr: "1.2.3.4"}},
-					},
-				},
-			},
-			prefs: &ipn.Prefs{
-				CorpDNS: true,
-			},
-			want: &dns.Config{
-				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				DefaultResolvers: []dnstype.Resolver{
-					{Addr: "8.8.4.4:53"},
-				},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{
-					"foo.com.": {{Addr: "1.2.3.4:53"}},
-				},
-			},
-		},
-		{
-			name: "android_does_NOT_need_fallbacks",
-			os:   "android",
-			nm: &netmap.NetworkMap{
-				DNS: tailcfg.DNSConfig{
-					Resolvers: []dnstype.Resolver{
-						{Addr: "8.8.8.8"},
-					},
-					FallbackResolvers: []dnstype.Resolver{
-						{Addr: "8.8.4.4"},
-					},
-					Routes: map[string][]dnstype.Resolver{
-						"foo.com.": {{Addr: "1.2.3.4"}},
-					},
-				},
-			},
-			prefs: &ipn.Prefs{
-				CorpDNS: true,
-			},
-			want: &dns.Config{
-				Hosts: map[dnsname.FQDN][]netaddr.IP{},
-				DefaultResolvers: []dnstype.Resolver{
-					{Addr: "8.8.8.8:53"},
-				},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{
-					"foo.com.": {{Addr: "1.2.3.4:53"}},
-				},
-			},
-		},
-		{
-			name: "exit_nodes_need_fallbacks",
-			nm: &netmap.NetworkMap{
-				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []dnstype.Resolver{
-						{Addr: "8.8.4.4"},
-					},
-				},
-			},
-			prefs: &ipn.Prefs{
-				CorpDNS:    true,
-				ExitNodeID: "some-id",
-			},
-			want: &dns.Config{
-				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-				DefaultResolvers: []dnstype.Resolver{
-					{Addr: "8.8.4.4:53"},
-				},
-			},
-		},
-		{
-			name: "not_exit_node_NOT_need_fallbacks",
-			nm: &netmap.NetworkMap{
-				DNS: tailcfg.DNSConfig{
-					FallbackResolvers: []dnstype.Resolver{
-						{Addr: "8.8.4.4"},
-					},
-				},
-			},
-			prefs: &ipn.Prefs{
-				CorpDNS: true,
-			},
-			want: &dns.Config{
-				Hosts:  map[dnsname.FQDN][]netaddr.IP{},
-				Routes: map[dnsname.FQDN][]dnstype.Resolver{},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			verOS := tt.os
-			if verOS == "" {
-				verOS = "linux"
-			}
-			var log tstest.MemLogger
-			got := dnsConfigForNetmap(tt.nm, tt.prefs, log.Logf, verOS)
-			if !reflect.DeepEqual(got, tt.want) {
-				gotj, _ := json.MarshalIndent(got, "", "\t")
-				wantj, _ := json.MarshalIndent(tt.want, "", "\t")
-				t.Errorf("wrong\n got: %s\n\nwant: %s\n", gotj, wantj)
-			}
-			if got := log.String(); got != tt.wantLog {
-				t.Errorf("log output wrong\n got: %q\nwant: %q\n", got, tt.wantLog)
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -25,12 +25,10 @@ import (
 	"syscall"
 	"time"

-	"github.com/go-multierror/multierror"
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/health"
-	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/policy"
@@ -40,7 +38,6 @@ import (
 	"tailscale.com/paths"
 	"tailscale.com/portlist"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -110,7 +107,7 @@ type LocalBackend struct {
 	userID         string       // current controlling user ID (for Windows, primarily)
 	prefs          *ipn.Prefs
 	inServerMode   bool
-	machinePrivKey key.MachinePrivate
+	machinePrivKey wgkey.Private
 	state          ipn.State
 	capFileSharing bool // whether netMap contains the file sharing capability
 	// hostinfo is mutated in-place while mu is held.
@@ -293,7 +290,7 @@ func (b *LocalBackend) Prefs() *ipn.Prefs {
 	defer b.mu.Unlock()
 	p := b.prefs.Clone()
 	if p != nil && p.Persist != nil {
-		p.Persist.LegacyFrontendPrivateMachineKey = key.MachinePrivate{}
+		p.Persist.LegacyFrontendPrivateMachineKey = wgkey.Private{}
 		p.Persist.PrivateNodeKey = wgkey.Private{}
 		p.Persist.OldPrivateNodeKey = wgkey.Private{}
 	}
@@ -332,17 +329,6 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 		s.Version = version.Long
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
-
-		if err := health.OverallError(); err != nil {
-			switch e := err.(type) {
-			case multierror.MultipleErrors:
-				for _, err := range e {
-					s.Health = append(s.Health, err.Error())
-				}
-			default:
-				s.Health = append(s.Health, err.Error())
-			}
-		}
 		if b.netMap != nil {
 			s.MagicDNSSuffix = b.netMap.MagicDNSSuffix()
 			s.CertDomains = append([]string(nil), b.netMap.DNS.CertDomains...)
@@ -601,12 +587,18 @@ func (b *LocalBackend) findExitNodeIDLocked(nm *netmap.NetworkMap) (prefsChanged
 func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 	if err != nil {
 		b.logf("wgengine status error: %v", err)
-		b.broadcastStatusChanged()
+
+		b.statusLock.Lock()
+		b.statusChanged.Broadcast()
+		b.statusLock.Unlock()
 		return
 	}
 	if s == nil {
 		b.logf("[unexpected] non-error wgengine update with status=nil: %v", s)
-		b.broadcastStatusChanged()
+
+		b.statusLock.Lock()
+		b.statusChanged.Broadcast()
+		b.statusLock.Unlock()
 		return
 	}

@@ -614,42 +606,19 @@ func (b *LocalBackend) setWgengineStatus(s *wgengine.Status, err error) {
 	es := b.parseWgStatusLocked(s)
 	cc := b.cc
 	b.engineStatus = es
-	needUpdateEndpoints := !endpointsEqual(s.LocalAddrs, b.endpoints)
-	if needUpdateEndpoints {
-		b.endpoints = append([]tailcfg.Endpoint{}, s.LocalAddrs...)
-	}
+	b.endpoints = append([]tailcfg.Endpoint{}, s.LocalAddrs...)
 	b.mu.Unlock()

 	if cc != nil {
-		if needUpdateEndpoints {
-			cc.UpdateEndpoints(0, s.LocalAddrs)
-		}
+		cc.UpdateEndpoints(0, s.LocalAddrs)
 		b.stateMachine()
 	}
-	b.broadcastStatusChanged()
-	b.send(ipn.Notify{Engine: &es})
-}

-func (b *LocalBackend) broadcastStatusChanged() {
-	// The sync.Cond docs say: "It is allowed but not required for the caller to hold c.L during the call."
-	// In this particular case, we must acquire b.statusLock. Otherwise we might broadcast before
-	// the waiter (in requestEngineStatusAndWait) starts to wait, in which case
-	// the waiter can get stuck indefinitely. See PR 2865.
 	b.statusLock.Lock()
 	b.statusChanged.Broadcast()
 	b.statusLock.Unlock()
-}

-func endpointsEqual(x, y []tailcfg.Endpoint) bool {
-	if len(x) != len(y) {
-		return false
-	}
-	for i := range x {
-		if x[i] != y[i] {
-			return false
-		}
-	}
-	return true
+	b.send(ipn.Notify{Engine: &es})
 }

 func (b *LocalBackend) SetNotifyCallback(notify func(ipn.Notify)) {
@@ -760,7 +729,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		return nil
 	}

-	hostinfo := hostinfo.New()
+	hostinfo := controlclient.NewHostinfo()
 	hostinfo.BackendLogID = b.backendLogID
 	hostinfo.FrontendLogID = opts.FrontendLogID

@@ -813,6 +782,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	b.inServerMode = b.prefs.ForceDaemon
 	b.serverURL = b.prefs.ControlURLOrDefault()
+	hostinfo.RoutableIPs = append(hostinfo.RoutableIPs, b.prefs.AdvertiseRoutes...)
+	hostinfo.RequestTags = append(hostinfo.RequestTags, b.prefs.AdvertiseTags...)
 	if b.inServerMode || runtime.GOOS == "windows" {
 		b.logf("Start: serverMode=%v", b.inServerMode)
 	}
@@ -879,9 +850,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
 		LinkMonitor:          b.e.GetLinkMonitor(),
-		Pinger:               b.e,

-		// Don't warn about broken Linux IP forwarding when
+		// Don't warn about broken Linux IP forwading when
 		// netstack is being used.
 		SkipIPForwardingCheck: isNetstack,
 	})
@@ -990,7 +960,7 @@ func (b *LocalBackend) updateFilter(netMap *netmap.NetworkMap, prefs *ipn.Prefs)
 		b.logf("netmap packet filter: (shields up)")
 		b.e.SetFilter(filter.NewShieldsUpFilter(localNets, logNets, oldFilter, b.logf))
 	} else {
-		b.logf("netmap packet filter: %v filters", len(packetFilter))
+		b.logf("netmap packet filter: %v", packetFilter)
 		b.e.SetFilter(filter.New(packetFilter, localNets, logNets, oldFilter, b.logf))
 	}
 }
@@ -1256,22 +1226,22 @@ func (b *LocalBackend) popBrowserAuthNow() {
 // For testing lazy machine key generation.
 var panicOnMachineKeyGeneration, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_PANIC_MACHINE_KEY"))

-func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (key.MachinePrivate, error) {
+func (b *LocalBackend) createGetMachinePrivateKeyFunc() func() (wgkey.Private, error) {
 	var cache atomic.Value
-	return func() (key.MachinePrivate, error) {
+	return func() (wgkey.Private, error) {
 		if panicOnMachineKeyGeneration {
 			panic("machine key generated")
 		}
-		if v, ok := cache.Load().(key.MachinePrivate); ok {
+		if v, ok := cache.Load().(wgkey.Private); ok {
 			return v, nil
 		}
 		b.mu.Lock()
 		defer b.mu.Unlock()
-		if v, ok := cache.Load().(key.MachinePrivate); ok {
+		if v, ok := cache.Load().(wgkey.Private); ok {
 			return v, nil
 		}
 		if err := b.initMachineKeyLocked(); err != nil {
-			return key.MachinePrivate{}, err
+			return wgkey.Private{}, err
 		}
 		cache.Store(b.machinePrivKey)
 		return b.machinePrivKey, nil
@@ -1289,7 +1259,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		return nil
 	}

-	var legacyMachineKey key.MachinePrivate
+	var legacyMachineKey wgkey.Private
 	if b.prefs.Persist != nil {
 		legacyMachineKey = b.prefs.Persist.LegacyFrontendPrivateMachineKey
 	}
@@ -1302,7 +1272,7 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		if b.machinePrivKey.IsZero() {
 			return fmt.Errorf("invalid zero key stored in %v key of %v", ipn.MachineKeyStateKey, b.store)
 		}
-		if !legacyMachineKey.IsZero() && !legacyMachineKey.Equal(b.machinePrivKey) {
+		if !legacyMachineKey.IsZero() && !bytes.Equal(legacyMachineKey[:], b.machinePrivKey[:]) {
 			b.logf("frontend-provided legacy machine key ignored; used value from server state")
 		}
 		return nil
@@ -1323,7 +1293,11 @@ func (b *LocalBackend) initMachineKeyLocked() (err error) {
 		b.machinePrivKey = legacyMachineKey
 	} else {
 		b.logf("generating new machine key")
-		b.machinePrivKey = key.NewMachine()
+		var err error
+		b.machinePrivKey, err = wgkey.NewPrivate()
+		if err != nil {
+			return fmt.Errorf("initializing new machine key: %w", err)
+		}
 	}

 	keyText, _ = b.machinePrivKey.MarshalText()
@@ -1437,6 +1411,16 @@ func (b *LocalBackend) InServerMode() bool {
 	return b.inServerMode
 }

+// getEngineStatus returns a copy of b.engineStatus.
+//
+// TODO(bradfitz): remove this and use Status() throughout.
+func (b *LocalBackend) getEngineStatus() ipn.EngineStatus {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	return b.engineStatus
+}
+
 // Login implements Backend.
 func (b *LocalBackend) Login(token *tailcfg.Oauth2Token) {
 	b.mu.Lock()
@@ -1594,6 +1578,7 @@ func (b *LocalBackend) setPrefsLockedOnEntry(caller string, newp *ipn.Prefs) {

 	oldHi := b.hostinfo
 	newHi := oldHi.Clone()
+	newHi.RoutableIPs = append([]netaddr.IPPrefix(nil), b.prefs.AdvertiseRoutes...)
 	applyPrefsToHostinfo(newHi, newp)
 	b.hostinfo = newHi
 	hostInfoChanged := !oldHi.Equal(newHi)
@@ -1735,7 +1720,7 @@ func (b *LocalBackend) blockEngineUpdates(block bool) {
 func (b *LocalBackend) authReconfig() {
 	b.mu.Lock()
 	blocked := b.blocked
-	prefs := b.prefs
+	uc := b.prefs
 	nm := b.netMap
 	hasPAC := b.prevIfState.HasPAC()
 	disableSubnetsIfPAC := nm != nil && nm.Debug != nil && nm.Debug.DisableSubnetsIfPAC.EqualBool(true)
@@ -1749,16 +1734,16 @@ func (b *LocalBackend) authReconfig() {
 		b.logf("authReconfig: netmap not yet valid. Skipping.")
 		return
 	}
-	if !prefs.WantRunning {
+	if !uc.WantRunning {
 		b.logf("authReconfig: skipping because !WantRunning.")
 		return
 	}

 	var flags netmap.WGConfigFlags
-	if prefs.RouteAll {
+	if uc.RouteAll {
 		flags |= netmap.AllowSubnetRoutes
 	}
-	if prefs.AllowSingleHosts {
+	if uc.AllowSingleHosts {
 		flags |= netmap.AllowSingleHosts
 	}
 	if hasPAC && disableSubnetsIfPAC {
@@ -1768,32 +1753,16 @@ func (b *LocalBackend) authReconfig() {
 		}
 	}

-	cfg, err := nmcfg.WGCfg(nm, b.logf, flags, prefs.ExitNodeID)
+	cfg, err := nmcfg.WGCfg(nm, b.logf, flags, uc.ExitNodeID)
 	if err != nil {
 		b.logf("wgcfg: %v", err)
 		return
 	}

-	rcfg := b.routerConfig(cfg, prefs)
-	dcfg := dnsConfigForNetmap(nm, prefs, b.logf, version.OS())
+	rcfg := b.routerConfig(cfg, uc)

-	err = b.e.Reconfig(cfg, rcfg, dcfg, nm.Debug)
-	if err == wgengine.ErrNoChanges {
-		return
-	}
-	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", prefs.RouteAll, prefs.CorpDNS, flags, err)
-
-	b.initPeerAPIListener()
-}
-
-// dnsConfigForNetmap returns a *dns.Config for the given netmap,
-// prefs, and client OS version.
-//
-// The versionOS is a Tailscale-style version ("iOS", "macOS") and not
-// a runtime.GOOS.
-func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Logf, versionOS string) *dns.Config {
-	dcfg := &dns.Config{
-		Routes: map[dnsname.FQDN][]dnstype.Resolver{},
+	dcfg := dns.Config{
+		Routes: map[dnsname.FQDN][]netaddr.IPPort{},
 		Hosts:  map[dnsname.FQDN][]netaddr.IP{},
 	}

@@ -1810,7 +1779,6 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		if err != nil {
 			return // TODO: propagate error?
 		}
-		have4 := tsaddr.PrefixesContainsFunc(addrs, func(p netaddr.IPPrefix) bool { return p.IP().Is4() })
 		var ips []netaddr.IP
 		for _, addr := range addrs {
 			// Remove IPv6 addresses for now, as we don't
@@ -1820,7 +1788,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 			// https://github.com/tailscale/tailscale/issues/1152
 			// tracks adding the right capability reporting to
 			// enable AAAA in MagicDNS.
-			if addr.IP().Is6() && have4 {
+			if addr.IP().Is6() {
 				continue
 			}
 			ips = append(ips, addr.IP())
@@ -1851,113 +1819,99 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, prefs *ipn.Prefs, logf logger.Log
 		dcfg.Hosts[fqdn] = append(dcfg.Hosts[fqdn], ip)
 	}

-	if !prefs.CorpDNS {
-		return dcfg
-	}
+	if uc.CorpDNS {
+		addDefault := func(resolvers []tailcfg.DNSResolver) {
+			for _, resolver := range resolvers {
+				res, err := parseResolver(resolver)
+				if err != nil {
+					b.logf("skipping bad resolver: %v", err.Error())
+					continue
+				}
+				dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, res)
+			}
+		}

-	addDefault := func(resolvers []dnstype.Resolver) {
-		for _, r := range resolvers {
-			dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, normalizeResolver(r))
+		addDefault(nm.DNS.Resolvers)
+		for suffix, resolvers := range nm.DNS.Routes {
+			fqdn, err := dnsname.ToFQDN(suffix)
+			if err != nil {
+				b.logf("[unexpected] non-FQDN route suffix %q", suffix)
+			}
+			for _, resolver := range resolvers {
+				res, err := parseResolver(resolver)
+				if err != nil {
+					b.logf(err.Error())
+					continue
+				}
+				dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], res)
+			}
+		}
+		for _, dom := range nm.DNS.Domains {
+			fqdn, err := dnsname.ToFQDN(dom)
+			if err != nil {
+				b.logf("[unexpected] non-FQDN search domain %q", dom)
+			}
+			dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
+		}
+		if nm.DNS.Proxied { // actually means "enable MagicDNS"
+			for _, dom := range magicDNSRootDomains(nm) {
+				dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
+			}
+		}
+
+		// Set FallbackResolvers as the default resolvers in the
+		// scenarios that can't handle a purely split-DNS config. See
+		// https://github.com/tailscale/tailscale/issues/1743 for
+		// details.
+		switch {
+		case len(dcfg.DefaultResolvers) != 0:
+			// Default resolvers already set.
+		case !uc.ExitNodeID.IsZero():
+			// When using exit nodes, it's very likely the LAN
+			// resolvers will become unreachable. So, force use of the
+			// fallback resolvers until we implement DNS forwarding to
+			// exit nodes.
+			//
+			// This is especially important on Apple OSes, where
+			// adding the default route to the tunnel interface makes
+			// it "primary", and we MUST provide VPN-sourced DNS
+			// settings or we break all DNS resolution.
+			//
+			// https://github.com/tailscale/tailscale/issues/1713
+			addDefault(nm.DNS.FallbackResolvers)
+		case len(dcfg.Routes) == 0:
+			// No settings requiring split DNS, no problem.
+		case version.OS() == "android":
+			// We don't support split DNS at all on Android yet.
+			addDefault(nm.DNS.FallbackResolvers)
 		}
 	}

-	addDefault(nm.DNS.Resolvers)
-	for suffix, resolvers := range nm.DNS.Routes {
-		fqdn, err := dnsname.ToFQDN(suffix)
-		if err != nil {
-			logf("[unexpected] non-FQDN route suffix %q", suffix)
-		}
-
-		// Create map entry even if len(resolvers) == 0; Issue 2706.
-		// This lets the control plane send ExtraRecords for which we
-		// can authoritatively answer "name not exists" for when the
-		// control plane also sends this explicit but empty route
-		// making it as something we handle.
-		//
-		// While we're already populating it, might as well size the
-		// slice appropriately.
-		dcfg.Routes[fqdn] = make([]dnstype.Resolver, 0, len(resolvers))
-
-		for _, r := range resolvers {
-			dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], normalizeResolver(r))
-		}
-	}
-	for _, dom := range nm.DNS.Domains {
-		fqdn, err := dnsname.ToFQDN(dom)
-		if err != nil {
-			logf("[unexpected] non-FQDN search domain %q", dom)
-		}
-		dcfg.SearchDomains = append(dcfg.SearchDomains, fqdn)
-	}
-	if nm.DNS.Proxied { // actually means "enable MagicDNS"
-		for _, dom := range magicDNSRootDomains(nm) {
-			dcfg.Routes[dom] = nil // resolve internally with dcfg.Hosts
-		}
+	err = b.e.Reconfig(cfg, rcfg, &dcfg, nm.Debug)
+	if err == wgengine.ErrNoChanges {
+		return
 	}
+	b.logf("[v1] authReconfig: ra=%v dns=%v 0x%02x: %v", uc.RouteAll, uc.CorpDNS, flags, err)

-	// Set FallbackResolvers as the default resolvers in the
-	// scenarios that can't handle a purely split-DNS config. See
-	// https://github.com/tailscale/tailscale/issues/1743 for
-	// details.
-	switch {
-	case len(dcfg.DefaultResolvers) != 0:
-		// Default resolvers already set.
-	case !prefs.ExitNodeID.IsZero():
-		// When using exit nodes, it's very likely the LAN
-		// resolvers will become unreachable. So, force use of the
-		// fallback resolvers until we implement DNS forwarding to
-		// exit nodes.
-		//
-		// This is especially important on Apple OSes, where
-		// adding the default route to the tunnel interface makes
-		// it "primary", and we MUST provide VPN-sourced DNS
-		// settings or we break all DNS resolution.
-		//
-		// https://github.com/tailscale/tailscale/issues/1713
-		addDefault(nm.DNS.FallbackResolvers)
-	case len(dcfg.Routes) == 0:
-		// No settings requiring split DNS, no problem.
-	case versionOS == "android":
-		// We don't support split DNS at all on Android yet.
-		addDefault(nm.DNS.FallbackResolvers)
-	}
-
-	return dcfg
+	b.initPeerAPIListener()
 }

-func normalizeResolver(cfg dnstype.Resolver) dnstype.Resolver {
-	if ip, err := netaddr.ParseIP(cfg.Addr); err == nil {
-		// Add 53 here for bare IPs for consistency with previous data type.
-		return dnstype.Resolver{
-			Addr: netaddr.IPPortFrom(ip, 53).String(),
-		}
+func parseResolver(cfg tailcfg.DNSResolver) (netaddr.IPPort, error) {
+	ip, err := netaddr.ParseIP(cfg.Addr)
+	if err != nil {
+		return netaddr.IPPort{}, fmt.Errorf("[unexpected] non-IP resolver %q", cfg.Addr)
 	}
-	return cfg
+	return netaddr.IPPortFrom(ip, 53), nil
 }

-// TailscaleVarRoot returns the root directory of Tailscale's writable
+// tailscaleVarRoot returns the root directory of Tailscale's writable
 // storage area. (e.g. "/var/lib/tailscale")
-//
-// It returns an empty string if there's no configured or discovered
-// location.
-func (b *LocalBackend) TailscaleVarRoot() string {
+func tailscaleVarRoot() string {
 	switch runtime.GOOS {
 	case "ios", "android":
 		dir, _ := paths.AppSharedDir.Load().(string)
 		return dir
 	}
-	// Temporary (2021-09-27) transitional fix for #2927 (Synology
-	// cert dir) on the way towards a more complete fix
-	// (#2932). It fixes any case where the state file is provided
-	// to tailscaled explicitly when it's not in the default
-	// location.
-	if fs, ok := b.store.(*ipn.FileStore); ok {
-		if fp := fs.Path(); fp != "" {
-			if dir := filepath.Dir(fp); strings.EqualFold(filepath.Base(dir), "tailscale") {
-				return dir
-			}
-		}
-	}
 	stateFile := paths.DefaultTailscaledStateFile()
 	if stateFile == "" {
 		return ""
@@ -1969,7 +1923,7 @@ func (b *LocalBackend) fileRootLocked(uid tailcfg.UserID) string {
 	if v := b.directFileRoot; v != "" {
 		return v
 	}
-	varRoot := b.TailscaleVarRoot()
+	varRoot := tailscaleVarRoot()
 	if varRoot == "" {
 		b.logf("peerapi disabled; no state directory")
 		return ""
@@ -2262,8 +2216,6 @@ func applyPrefsToHostinfo(hi *tailcfg.Hostinfo, prefs *ipn.Prefs) {
 	if m := prefs.DeviceModel; m != "" {
 		hi.DeviceModel = m
 	}
-	hi.RoutableIPs = append(prefs.AdvertiseRoutes[:0:0], prefs.AdvertiseRoutes...)
-	hi.RequestTags = append(prefs.AdvertiseTags[:0:0], prefs.AdvertiseTags...)
 	hi.ShieldsUp = prefs.ShieldsUp
 }

@@ -2351,7 +2303,6 @@ func (b *LocalBackend) nextState() ipn.State {
 		blocked     = b.blocked
 		wantRunning = b.prefs.WantRunning
 		loggedOut   = b.prefs.LoggedOut
-		st          = b.engineStatus
 	)
 	b.mu.Unlock()

@@ -2363,22 +2314,22 @@ func (b *LocalBackend) nextState() ipn.State {
 			// Auth was interrupted or waiting for URL visit,
 			// so it won't proceed without human help.
 			return ipn.NeedsLogin
-		}
-		switch state {
-		case ipn.Stopped:
+		} else if state == ipn.Stopped {
 			// If we were already in the Stopped state, then
 			// we can assume auth is in good shape (or we would
 			// have been in NeedsLogin), so transition to Starting
 			// right away.
 			return ipn.Starting
-		case ipn.NoState:
+		} else if state == ipn.NoState {
 			// Our first time connecting to control, and we
 			// don't know if we'll NeedsLogin or not yet.
 			// UIs should print "Loading..." in this state.
 			return ipn.NoState
-		case ipn.Starting, ipn.Running, ipn.NeedsLogin:
+		} else if state == ipn.Starting ||
+			state == ipn.Running ||
+			state == ipn.NeedsLogin {
 			return state
-		default:
+		} else {
 			b.logf("unexpected no-netmap state transition for %v", state)
 			return state
 		}
@@ -2393,7 +2344,7 @@ func (b *LocalBackend) nextState() ipn.State {
 		// (if we get here, we know MachineAuthorized == true)
 		return ipn.Starting
 	case state == ipn.Starting:
-		if st.NumLive > 0 || st.LiveDERPs > 0 {
+		if st := b.getEngineStatus(); st.NumLive > 0 || st.LiveDERPs > 0 {
 			return ipn.Running
 		} else {
 			return state
@@ -2563,12 +2514,6 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	}
 	b.maybePauseControlClientLocked()

-	if nm != nil {
-		health.SetControlHealth(nm.ControlHealth)
-	} else {
-		health.SetControlHealth(nil)
-	}
-
 	// Determine if file sharing is enabled
 	fs := hasCapability(nm, tailcfg.CapabilityFileSharing)
 	if fs != b.capFileSharing {
@@ -2634,7 +2579,7 @@ func (b *LocalBackend) OperatorUserID() string {
 // TestOnlyPublicKeys returns the current machine and node public
 // keys. Used in tests only to facilitate automated node authorization
 // in the test harness.
-func (b *LocalBackend) TestOnlyPublicKeys() (machineKey key.MachinePublic, nodeKey tailcfg.NodeKey) {
+func (b *LocalBackend) TestOnlyPublicKeys() (machineKey tailcfg.MachineKey, nodeKey tailcfg.NodeKey) {
 	b.mu.Lock()
 	prefs := b.prefs
 	machinePrivKey := b.machinePrivKey
@@ -2646,7 +2591,7 @@ func (b *LocalBackend) TestOnlyPublicKeys() (machineKey key.MachinePublic, nodeK

 	mk := machinePrivKey.Public()
 	nk := prefs.Persist.PrivateNodeKey.Public()
-	return mk, tailcfg.NodeKey(nk)
+	return tailcfg.MachineKey(mk), tailcfg.NodeKey(nk)
 }

 func (b *LocalBackend) WaitingFiles() ([]apitype.WaitingFile, error) {
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -443,7 +443,6 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
-	t.Cleanup(eng.Close)
 	lb, err := NewLocalBackend(logf, "logid", store, eng)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -52,7 +52,6 @@ func TestLocalLogLines(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	t.Cleanup(e.Close)

 	lb, err := NewLocalBackend(logf, idA.String(), store, e)
 	if err != nil {
--- a/ipn/ipnlocal/peerapi_macios_ext.go
+++ b/ipn/ipnlocal/peerapi_macios_ext.go
@@ -2,9 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

-//go:build ts_macext && (darwin || ios)
-// +build ts_macext
-// +build darwin ios
+// +build darwin,ts_macext ios,ts_macext

 package ipnlocal

--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -20,13 +20,16 @@ import (
 	"testing"

 	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
 )

 type peerAPITestEnv struct {
 	ph     *peerAPIHandler
 	rr     *httptest.ResponseRecorder
-	logBuf tstest.MemLogger
+	logBuf bytes.Buffer
+}
+
+func (e *peerAPITestEnv) logf(format string, a ...interface{}) {
+	fmt.Fprintf(&e.logBuf, format, a...)
 }

 type check func(*testing.T, *peerAPITestEnv)
@@ -400,7 +403,7 @@ func TestHandlePeerAPI(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			var e peerAPITestEnv
 			lb := &LocalBackend{
-				logf:           e.logBuf.Logf,
+				logf:           e.logf,
 				capFileSharing: tt.capSharing,
 			}
 			e.ph = &peerAPIHandler{
--- a/ipn/ipnlocal/state_test.go
+++ b/ipn/ipnlocal/state_test.go
@@ -17,7 +17,6 @@ import (
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/empty"
-	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
 	"tailscale.com/types/persist"
@@ -86,7 +85,6 @@ func (nt *notifyThrottler) drain(count int) []ipn.Notify {
 // in the controlclient.Client, so by controlling it, we can check that
 // the state machine works as expected.
 type mockControl struct {
-	tb         testing.TB
 	opts       controlclient.Options
 	logf       logger.Logf
 	statusFunc func(controlclient.Status)
@@ -95,12 +93,12 @@ type mockControl struct {
 	calls       []string
 	authBlocked bool
 	persist     persist.Persist
-	machineKey  key.MachinePrivate
+	machineKey  wgkey.Private
 }

-func newMockControl(tb testing.TB) *mockControl {
+func newMockControl() *mockControl {
 	return &mockControl{
-		tb:          tb,
+		calls:       []string{},
 		authBlocked: true,
 	}
 }
@@ -158,14 +156,15 @@ func (cc *mockControl) called(s string) {
 	cc.calls = append(cc.calls, s)
 }

-// assertCalls fails the test if the list of functions that have been called since the
-// last time assertCall was run does not match want.
-func (cc *mockControl) assertCalls(want ...string) {
-	cc.tb.Helper()
+// getCalls returns the list of functions that have been called since the
+// last time getCalls was run.
+func (cc *mockControl) getCalls() []string {
 	cc.mu.Lock()
 	defer cc.mu.Unlock()
-	qt.Assert(cc.tb, cc.calls, qt.DeepEquals, want)
-	cc.calls = nil
+
+	r := cc.calls
+	cc.calls = []string{}
+	return r
 }

 // setAuthBlocked changes the return value of AuthCantContinue.
@@ -284,9 +283,8 @@ func TestStateMachine(t *testing.T) {
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
-	t.Cleanup(e.Close)

-	cc := newMockControl(t)
+	cc := newMockControl()
 	b, err := NewLocalBackend(logf, "logid", store, e)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
@@ -321,7 +319,7 @@ func TestStateMachine(t *testing.T) {

 	// Check that it hasn't called us right away.
 	// The state machine should be idle until we call Start().
-	cc.assertCalls()
+	c.Assert(cc.getCalls(), qt.HasLen, 0)

 	// Start the state machine.
 	// Since !WantRunning by default, it'll create a controlclient,
@@ -331,12 +329,12 @@ func TestStateMachine(t *testing.T) {
 	c.Assert(b.Start(ipn.Options{StateKey: ipn.GlobalDaemonStateKey}), qt.IsNil)
 	{
 		// BUG: strictly, it should pause, not unpause, here, since !WantRunning.
-		cc.assertCalls("New", "unpause")
+		c.Assert([]string{"New", "unpause"}, qt.DeepEquals, cc.getCalls())

 		nn := notifies.drain(2)
-		cc.assertCalls()
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		prefs := *nn[0].Prefs
 		// Note: a totally fresh system has Prefs.LoggedOut=false by
 		// default. We are logged out, but not because the user asked
@@ -356,12 +354,12 @@ func TestStateMachine(t *testing.T) {
 	c.Assert(b.Start(ipn.Options{StateKey: ipn.GlobalDaemonStateKey}), qt.IsNil)
 	{
 		// BUG: strictly, it should pause, not unpause, here, since !WantRunning.
-		cc.assertCalls("Shutdown", "unpause", "New", "unpause")
+		c.Assert([]string{"Shutdown", "unpause", "New", "unpause"}, qt.DeepEquals, cc.getCalls())

 		nn := notifies.drain(2)
-		cc.assertCalls()
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
@@ -375,7 +373,7 @@ func TestStateMachine(t *testing.T) {
 	notifies.expect(0)
 	b.Login(nil)
 	{
-		cc.assertCalls("Login")
+		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"Login"})
 		notifies.drain(0)
 		// Note: WantRunning isn't true yet. It'll switch to true
 		// after a successful login finishes.
@@ -391,14 +389,14 @@ func TestStateMachine(t *testing.T) {
 	url1 := "http://localhost:1/1"
 	cc.send(nil, url1, false, nil)
 	{
-		cc.assertCalls("unpause")
+		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"unpause"})

 		// ...but backend eats that notification, because the user
 		// didn't explicitly request interactive login yet, and
 		// we're already in NeedsLogin state.
 		nn := notifies.drain(1)

-		c.Assert(nn[0].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 	}
@@ -412,8 +410,12 @@ func TestStateMachine(t *testing.T) {
 	b.StartLoginInteractive()
 	{
 		nn := notifies.drain(1)
-		cc.assertCalls("unpause")
-		c.Assert(nn[0].BrowseToURL, qt.IsNotNil)
+		// BUG: UpdateEndpoints shouldn't be called yet.
+		// We're still not logged in so there's nothing we can do
+		// with it. (And empirically, it's providing an empty list
+		// of endpoints.)
+		c.Assert([]string{"UpdateEndpoints", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].BrowseToURL, qt.Not(qt.IsNil))
 		c.Assert(url1, qt.Equals, *nn[0].BrowseToURL)
 	}

@@ -428,7 +430,7 @@ func TestStateMachine(t *testing.T) {
 	{
 		notifies.drain(0)
 		// backend asks control for another login sequence
-		cc.assertCalls("Login")
+		c.Assert([]string{"Login"}, qt.DeepEquals, cc.getCalls())
 	}

 	// Provide a new interactive login URL.
@@ -437,12 +439,13 @@ func TestStateMachine(t *testing.T) {
 	url2 := "http://localhost:1/2"
 	cc.send(nil, url2, false, nil)
 	{
-		cc.assertCalls("unpause", "unpause")
+		// BUG: UpdateEndpoints again, this is getting silly.
+		c.Assert([]string{"UpdateEndpoints", "unpause", "unpause"}, qt.DeepEquals, cc.getCalls())

 		// This time, backend should emit it to the UI right away,
 		// because the UI is anxiously awaiting a new URL to visit.
 		nn := notifies.drain(1)
-		c.Assert(nn[0].BrowseToURL, qt.IsNotNil)
+		c.Assert(nn[0].BrowseToURL, qt.Not(qt.IsNil))
 		c.Assert(url2, qt.Equals, *nn[0].BrowseToURL)
 	}

@@ -457,6 +460,8 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", true, &netmap.NetworkMap{})
 	{
 		nn := notifies.drain(3)
+		// BUG: still too soon for UpdateEndpoints.
+		//
 		// Arguably it makes sense to unpause now, since the machine
 		// authorization status is part of the netmap.
 		//
@@ -465,10 +470,10 @@ func TestStateMachine(t *testing.T) {
 		// wait until it gets into Starting.
 		// TODO: (Currently this test doesn't detect that bug, but
 		// it's visible in the logs)
-		cc.assertCalls("unpause", "unpause", "unpause")
-		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(nn[2].State, qt.IsNotNil)
+		c.Assert([]string{"unpause", "unpause", "UpdateEndpoints", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[2].State, qt.Not(qt.IsNil))
 		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user1")
 		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[2].State)
 	}
@@ -487,8 +492,8 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(1)
-		cc.assertCalls("unpause", "unpause", "unpause")
-		c.Assert(nn[0].State, qt.IsNotNil)
+		c.Assert([]string{"unpause", "unpause", "UpdateEndpoints", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 	}

@@ -510,10 +515,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(2)
-		cc.assertCalls("pause")
+		c.Assert([]string{"pause"}, qt.DeepEquals, cc.getCalls())
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 	}

@@ -527,11 +532,12 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(2)
+		// BUG: UpdateEndpoints isn't needed here.
 		// BUG: Login isn't needed here. We never logged out.
-		cc.assertCalls("Login", "unpause", "unpause")
+		c.Assert([]string{"Login", "unpause", "UpdateEndpoints", "unpause"}, qt.DeepEquals, cc.getCalls())
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 		c.Assert(store.sawWrite(), qt.IsTrue)
 	}
@@ -548,11 +554,11 @@ func TestStateMachine(t *testing.T) {
 	c.Assert(b.Start(ipn.Options{StateKey: ipn.GlobalDaemonStateKey}), qt.IsNil)
 	{
 		nn := notifies.drain(1)
-		cc.assertCalls()
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
-		c.Assert(nn[0].NetMap, qt.IsNotNil)
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[0].NetMap, qt.Not(qt.IsNil))
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 	}

 	// undo the state hack above.
@@ -565,9 +571,9 @@ func TestStateMachine(t *testing.T) {
 	b.Logout()
 	{
 		nn := notifies.drain(2)
-		cc.assertCalls("pause", "StartLogout", "pause")
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert([]string{"pause", "StartLogout", "pause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning, qt.IsFalse)
@@ -582,8 +588,8 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", false, nil)
 	{
 		nn := notifies.drain(1)
-		cc.assertCalls("unpause", "unpause")
-		c.Assert(nn[0].State, qt.IsNotNil)
+		c.Assert([]string{"unpause", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
@@ -598,8 +604,8 @@ func TestStateMachine(t *testing.T) {
 		notifies.drain(0)
 		// BUG: the backend has already called StartLogout, and we're
 		// still logged out. So it shouldn't call it again.
-		cc.assertCalls("StartLogout", "unpause")
-		cc.assertCalls()
+		c.Assert([]string{"StartLogout", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
@@ -612,7 +618,7 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", false, nil)
 	{
 		notifies.drain(0)
-		cc.assertCalls("unpause", "unpause")
+		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"unpause", "unpause"})
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
@@ -626,7 +632,8 @@ func TestStateMachine(t *testing.T) {
 	// I guess, since that's supposed to be synchronous.
 	{
 		notifies.drain(0)
-		cc.assertCalls("Logout", "unpause")
+		c.Assert([]string{"Logout", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
@@ -639,12 +646,22 @@ func TestStateMachine(t *testing.T) {
 	cc.send(nil, "", false, nil)
 	{
 		notifies.drain(0)
-		cc.assertCalls("unpause", "unpause")
+		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"unpause", "unpause"})
 		c.Assert(b.Prefs().LoggedOut, qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
 	}

+	// Shut down the backend.
+	t.Logf("\n\nShutdown")
+	notifies.expect(0)
+	b.Shutdown()
+	{
+		notifies.drain(0)
+		// BUG: I expect a transition to ipn.NoState here.
+		c.Assert(cc.getCalls(), qt.DeepEquals, []string{"Shutdown"})
+	}
+
 	// Oh, you thought we were done? Ha! Now we have to test what
 	// happens if the user exits and restarts while logged out.
 	// Note that it's explicitly okay to call b.Start() over and over
@@ -658,13 +675,14 @@ func TestStateMachine(t *testing.T) {
 	c.Assert(b.Start(ipn.Options{StateKey: ipn.GlobalDaemonStateKey}), qt.IsNil)
 	{
 		// BUG: We already called Shutdown(), no need to do it again.
+		// BUG: Way too soon for UpdateEndpoints.
 		// BUG: don't unpause because we're not logged in.
-		cc.assertCalls("Shutdown", "unpause", "New", "unpause")
+		c.Assert([]string{"Shutdown", "unpause", "New", "UpdateEndpoints", "unpause"}, qt.DeepEquals, cc.getCalls())

 		nn := notifies.drain(2)
-		cc.assertCalls()
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsTrue)
 		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
@@ -684,10 +702,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(3)
-		cc.assertCalls("unpause", "unpause", "unpause")
-		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(nn[2].State, qt.IsNotNil)
+		c.Assert([]string{"unpause", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[2].State, qt.Not(qt.IsNil))
 		// Prefs after finishing the login, so LoginName updated.
 		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user2")
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
@@ -704,10 +722,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(2)
-		cc.assertCalls("pause")
+		c.Assert([]string{"pause"}, qt.DeepEquals, cc.getCalls())
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
 	}
@@ -719,14 +737,16 @@ func TestStateMachine(t *testing.T) {
 	{
 		// NOTE: cc.Shutdown() is correct here, since we didn't call
 		// b.Shutdown() explicitly ourselves.
+		// BUG: UpdateEndpoints should be called here since we're not WantRunning.
 		// Note: unpause happens because ipn needs to get at least one netmap
 		//  on startup, otherwise UIs can't show the node list, login
 		//  name, etc when in state ipn.Stopped.
 		//  Arguably they shouldn't try. But they currently do.
 		nn := notifies.drain(2)
-		cc.assertCalls("Shutdown", "unpause", "New", "Login", "unpause")
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
+		c.Assert([]string{"Shutdown", "unpause", "New", "UpdateEndpoints", "Login", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[1].State, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.WantRunning, qt.IsFalse)
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(ipn.Stopped, qt.Equals, *nn[1].State)
@@ -748,7 +768,7 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		notifies.drain(0)
-		cc.assertCalls("pause", "pause")
+		c.Assert([]string{"pause", "pause"}, qt.DeepEquals, cc.getCalls())
 	}

 	// Request connection.
@@ -761,10 +781,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(2)
-		cc.assertCalls("Login", "unpause", "unpause")
+		c.Assert([]string{"Login", "unpause"}, qt.DeepEquals, cc.getCalls())
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 	}

@@ -777,10 +797,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(2)
-		cc.assertCalls("pause")
+		c.Assert([]string{"pause"}, qt.DeepEquals, cc.getCalls())
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
 		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
 	}

@@ -800,8 +820,8 @@ func TestStateMachine(t *testing.T) {
 		//
 		// Because the login hasn't yet completed, the old login
 		// is still valid, so it's correct that we stay paused.
-		cc.assertCalls("Login", "pause", "pause")
-		c.Assert(nn[0].BrowseToURL, qt.IsNotNil)
+		c.Assert([]string{"Login", "pause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].BrowseToURL, qt.Not(qt.IsNil))
 		c.Assert(*nn[0].BrowseToURL, qt.Equals, url3)
 	}

@@ -822,10 +842,10 @@ func TestStateMachine(t *testing.T) {
 		//  and !WantRunning. But since it's a fresh and successful
 		//  new login, WantRunning is true, so there was never a
 		//  reason to pause().
-		cc.assertCalls("pause", "unpause", "unpause")
-		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
-		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(nn[2].State, qt.IsNotNil)
+		c.Assert([]string{"pause", "unpause"}, qt.DeepEquals, cc.getCalls())
+		c.Assert(nn[0].LoginFinished, qt.Not(qt.IsNil))
+		c.Assert(nn[1].Prefs, qt.Not(qt.IsNil))
+		c.Assert(nn[2].State, qt.Not(qt.IsNil))
 		// Prefs after finishing the login, so LoginName updated.
 		c.Assert(nn[1].Prefs.Persist.LoginName, qt.Equals, "user3")
 		c.Assert(nn[1].Prefs.LoggedOut, qt.IsFalse)
@@ -841,11 +861,11 @@ func TestStateMachine(t *testing.T) {
 	{
 		// NOTE: cc.Shutdown() is correct here, since we didn't call
 		// b.Shutdown() ourselves.
-		cc.assertCalls("Shutdown", "unpause", "New", "Login", "unpause")
+		c.Assert([]string{"Shutdown", "unpause", "New", "UpdateEndpoints", "Login", "unpause"}, qt.DeepEquals, cc.getCalls())

 		nn := notifies.drain(1)
-		cc.assertCalls()
-		c.Assert(nn[0].Prefs, qt.IsNotNil)
+		c.Assert(cc.getCalls(), qt.HasLen, 0)
+		c.Assert(nn[0].Prefs, qt.Not(qt.IsNil))
 		c.Assert(nn[0].Prefs.LoggedOut, qt.IsFalse)
 		c.Assert(nn[0].Prefs.WantRunning, qt.IsTrue)
 		c.Assert(ipn.NoState, qt.Equals, b.State())
@@ -860,10 +880,10 @@ func TestStateMachine(t *testing.T) {
 	})
 	{
 		nn := notifies.drain(1)
-		cc.assertCalls("unpause", "unpause", "unpause")
+		c.Assert([]string{"unpause", "unpause"}, qt.DeepEquals, cc.getCalls())
 		// NOTE: No LoginFinished message since no interactive
 		// login was needed.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		c.Assert(nn[0].State, qt.Not(qt.IsNil))
 		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
 		// NOTE: No prefs change this time. WantRunning stays true.
 		// We were in Starting in the first place, so that doesn't
@@ -897,67 +917,3 @@ func (s *testStateStorage) sawWrite() bool {
 	s.awaitWrite()
 	return v
 }
-
-func TestWGEngineStatusRace(t *testing.T) {
-	t.Skip("test fails")
-	c := qt.New(t)
-	logf := t.Logf
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
-	c.Assert(err, qt.IsNil)
-	t.Cleanup(eng.Close)
-	b, err := NewLocalBackend(logf, "logid", new(ipn.MemoryStore), eng)
-	c.Assert(err, qt.IsNil)
-
-	cc := newMockControl(t)
-	b.SetControlClientGetterForTesting(func(opts controlclient.Options) (controlclient.Client, error) {
-		cc.mu.Lock()
-		defer cc.mu.Unlock()
-		cc.logf = opts.Logf
-		return cc, nil
-	})
-
-	var state ipn.State
-	b.SetNotifyCallback(func(n ipn.Notify) {
-		if n.State != nil {
-			state = *n.State
-		}
-	})
-	wantState := func(want ipn.State) {
-		c.Assert(want, qt.Equals, state)
-	}
-
-	// Start with the zero value.
-	wantState(ipn.NoState)
-
-	// Start the backend.
-	err = b.Start(ipn.Options{StateKey: ipn.GlobalDaemonStateKey})
-	c.Assert(err, qt.IsNil)
-	wantState(ipn.NeedsLogin)
-
-	// Assert that we are logged in and authorized.
-	cc.send(nil, "", true, &netmap.NetworkMap{
-		MachineStatus: tailcfg.MachineAuthorized,
-	})
-	wantState(ipn.Starting)
-
-	// Simulate multiple concurrent callbacks from wgengine.
-	// Any single callback with DERPS > 0 is enough to transition
-	// from Starting to Running, at which point we stay there.
-	// Thus if these callbacks occurred serially, in any order,
-	// we would end up in state ipn.Running.
-	// The same should thus be true if these callbacks occur concurrently.
-	var wg sync.WaitGroup
-	for i := 0; i < 100; i++ {
-		wg.Add(1)
-		go func(i int) {
-			defer wg.Done()
-			n := 0
-			if i == 0 {
-				n = 1
-			}
-			b.setWgengineStatus(&wgengine.Status{DERPs: n}, nil)
-		}(i)
-	}
-	wg.Wait()
-	wantState(ipn.Running)
-}
--- a/ipn/ipnserver/server.go
+++ b/ipn/ipnserver/server.go
@@ -20,7 +20,6 @@ import (
 	"os/exec"
 	"os/signal"
 	"os/user"
-	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
@@ -38,7 +37,6 @@ import (
 	"tailscale.com/log/filelogger"
 	"tailscale.com/logtail/backoff"
 	"tailscale.com/net/netstat"
-	"tailscale.com/paths"
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/types/logger"
@@ -583,28 +581,6 @@ func (s *server) writeToClients(n ipn.Notify) {
 	}
 }

-// tryWindowsAppDataMigration attempts to copy the Windows state file
-// from its old location to the new location. (Issue 2856)
-//
-// Tailscale 1.14 and before stored state under %LocalAppData%
-// (usually "C:\WINDOWS\system32\config\systemprofile\AppData\Local"
-// when tailscaled.exe is running as a non-user system service).
-// However it is frequently cleared for almost any reason: Windows
-// updates, System Restore, even various System Cleaner utilities.
-//
-// Returns a string of the path to use for the state file.
-// This will be a fallback %LocalAppData% path if migration fails,
-// a %ProgramData% path otherwise.
-func tryWindowsAppDataMigration(logf logger.Logf, path string) string {
-	if path != paths.DefaultTailscaledStateFile() {
-		// If they're specifying a non-default path, just trust that they know
-		// what they are doing.
-		return path
-	}
-	oldFile := filepath.Join(os.Getenv("LocalAppData"), "Tailscale", "server-state.conf")
-	return paths.TryConfigFileMigration(logf, oldFile, path)
-}
-
 // Run runs a Tailscale backend service.
 // The getEngine func is called repeatedly, once per connection, until it returns an engine successfully.
 func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (wgengine.Engine, error), opts Options) error {
@@ -637,28 +613,14 @@ func Run(ctx context.Context, logf logger.Logf, logid string, getEngine func() (

 	var store ipn.StateStore
 	if opts.StatePath != "" {
-		const kubePrefix = "kube:"
-		path := opts.StatePath
-		switch {
-		case strings.HasPrefix(path, kubePrefix):
-			secretName := strings.TrimPrefix(path, kubePrefix)
-			store, err = ipn.NewKubeStore(secretName)
-			if err != nil {
-				return fmt.Errorf("ipn.NewKubeStore(%q): %v", secretName, err)
-			}
-		default:
-			if runtime.GOOS == "windows" {
-				path = tryWindowsAppDataMigration(logf, path)
-			}
-			store, err = ipn.NewFileStore(path)
-			if err != nil {
-				return fmt.Errorf("ipn.NewFileStore(%q): %v", path, err)
-			}
+		store, err = ipn.NewFileStore(opts.StatePath)
+		if err != nil {
+			return fmt.Errorf("ipn.NewFileStore(%q): %v", opts.StatePath, err)
 		}
 		if opts.AutostartStateKey == "" {
 			autoStartKey, err := store.ReadState(ipn.ServerModeStartKey)
 			if err != nil && err != ipn.ErrStateNotExist {
-				return fmt.Errorf("calling ReadState on %s: %w", path, err)
+				return fmt.Errorf("calling ReadState on %s: %w", opts.StatePath, err)
 			}
 			key := string(autoStartKey)
 			if strings.HasPrefix(key, "user-") {
--- a/ipn/ipnserver/server_test.go
+++ b/ipn/ipnserver/server_test.go
@@ -60,7 +60,7 @@ func TestRunMultipleAccepts(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	t.Cleanup(eng.Close)
+	defer eng.Close()

 	opts := ipnserver.Options{
 		SocketPath: socketPath,
--- a/ipn/ipnstate/ipnstate.go
+++ b/ipn/ipnstate/ipnstate.go
@@ -20,6 +20,7 @@ import (

 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/tstime/mono"
 	"tailscale.com/types/key"
 	"tailscale.com/util/dnsname"
 )
@@ -38,11 +39,6 @@ type Status struct {
 	TailscaleIPs []netaddr.IP // Tailscale IP(s) assigned to this node
 	Self         *PeerStatus

-	// Health contains health check problems.
-	// Empty means everything is good. (or at least that no known
-	// problems are detected)
-	Health []string
-
 	// MagicDNSSuffix is the network's MagicDNS suffix for nodes
 	// in the network such as "userfoo.tailscale.net".
 	// There are no surrounding dots.
@@ -95,19 +91,12 @@ type PeerStatus struct {
 	RxBytes       int64
 	TxBytes       int64
 	Created       time.Time // time registered with tailcontrol
-	LastWrite     time.Time // time last packet sent
+	LastWrite     mono.Time // time last packet sent
 	LastSeen      time.Time // last seen to tailcontrol
 	LastHandshake time.Time // with local wireguard
 	KeepAlive     bool
 	ExitNode      bool // true if this is the currently selected exit node.

-	// Active is whether the node was recently active. The
-	// definition is somewhat undefined but has historically and
-	// currently means that there was some packet sent to this
-	// peer in the past two minutes. That definition is subject to
-	// change.
-	Active bool
-
 	PeerAPIURL   []string
 	Capabilities []string `json:",omitempty"`

@@ -289,9 +278,6 @@ func (sb *StatusBuilder) AddPeer(peer key.Public, st *PeerStatus) {
 	if st.ShareeNode {
 		e.ShareeNode = true
 	}
-	if st.Active {
-		e.Active = true
-	}
 }

 type StatusUpdater interface {
@@ -335,7 +321,7 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 	f("<tr><th>Peer</th><th>OS</th><th>Node</th><th>Owner</th><th>Rx</th><th>Tx</th><th>Activity</th><th>Connection</th></tr>\n")
 	f("</thead>\n<tbody>\n")

-	now := time.Now()
+	now := mono.Now()

 	var peers []*PeerStatus
 	for _, peer := range st.Peers() {
@@ -392,7 +378,9 @@ table tbody tr:nth-child(even) td { background-color: #f5f5f5; }
 		)
 		f("<td>")

-		if ps.Active {
+		// TODO: let server report this active bool instead
+		active := !ps.LastWrite.IsZero() && mono.Since(ps.LastWrite) < 2*time.Minute
+		if active {
 			if ps.Relay != "" && ps.CurAddr == "" {
 				f("relay <b>%s</b>", html.EscapeString(ps.Relay))
 			} else if ps.CurAddr != "" {
@@ -456,10 +444,6 @@ type PingResult struct {
 	// running the server on.
 	PeerAPIPort uint16 `json:",omitempty"`

-	// IsLocalIP is whether the ping request error is due to it being
-	// a ping to the local node.
-	IsLocalIP bool `json:",omitempty"`
-
 	// TODO(bradfitz): details like whether port mapping was used on either side? (Once supported)
 }

--- a/ipn/localapi/cert.go
+++ b/ipn/localapi/cert.go
@@ -1,449 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !ios && !android
-// +build !ios,!android
-
-package localapi
-
-import (
-	"bytes"
-	"context"
-	"crypto"
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/json"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"net"
-	"net/http"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"golang.org/x/crypto/acme"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/types/logger"
-)
-
-// Process-wide cache. (A new *Handler is created per connection,
-// effectively per request)
-var (
-	// acmeMu guards all ACME operations, so concurrent requests
-	// for certs don't slam ACME. The first will go through and
-	// populate the on-disk cache and the rest should use that.
-	acmeMu sync.Mutex
-
-	renewMu        sync.Mutex // lock order: don't hold acmeMu and renewMu at the same time
-	lastRenewCheck = map[string]time.Time{}
-)
-
-func (h *Handler) certDir() (string, error) {
-	d := h.b.TailscaleVarRoot()
-	if d == "" {
-		return "", errors.New("no TailscaleVarRoot")
-	}
-	full := filepath.Join(d, "certs")
-	if err := os.MkdirAll(full, 0700); err != nil {
-		return "", err
-	}
-	return full, nil
-}
-
-var acmeDebug, _ = strconv.ParseBool(os.Getenv("TS_DEBUG_ACME"))
-
-func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "cert access denied", http.StatusForbidden)
-		return
-	}
-	dir, err := h.certDir()
-	if err != nil {
-		h.logf("certDir: %v", err)
-		http.Error(w, "failed to get cert dir", 500)
-		return
-	}
-
-	domain := strings.TrimPrefix(r.URL.Path, "/localapi/v0/cert/")
-	if domain == r.URL.Path {
-		http.Error(w, "internal handler config wired wrong", 500)
-		return
-	}
-
-	now := time.Now()
-	logf := logger.WithPrefix(h.logf, fmt.Sprintf("cert(%q): ", domain))
-	traceACME := func(v interface{}) {
-		if !acmeDebug {
-			return
-		}
-		j, _ := json.MarshalIndent(v, "", "\t")
-		log.Printf("acme %T: %s", v, j)
-	}
-
-	if pair, ok := h.getCertPEMCached(dir, domain, now); ok {
-		future := now.AddDate(0, 0, 14)
-		if h.shouldStartDomainRenewal(dir, domain, future) {
-			logf("starting async renewal")
-			// Start renewal in the background.
-			go h.getCertPEM(context.Background(), logf, traceACME, dir, domain, future)
-		}
-		serveKeyPair(w, r, pair)
-		return
-	}
-
-	pair, err := h.getCertPEM(r.Context(), logf, traceACME, dir, domain, now)
-	if err != nil {
-		logf("getCertPEM: %v", err)
-		http.Error(w, fmt.Sprint(err), 500)
-		return
-	}
-	serveKeyPair(w, r, pair)
-}
-
-func (h *Handler) shouldStartDomainRenewal(dir, domain string, future time.Time) bool {
-	renewMu.Lock()
-	defer renewMu.Unlock()
-	now := time.Now()
-	if last, ok := lastRenewCheck[domain]; ok && now.Sub(last) < time.Minute {
-		// We checked very recently. Don't bother reparsing &
-		// validating the x509 cert.
-		return false
-	}
-	lastRenewCheck[domain] = now
-	_, ok := h.getCertPEMCached(dir, domain, future)
-	return !ok
-}
-
-func serveKeyPair(w http.ResponseWriter, r *http.Request, p *keyPair) {
-	w.Header().Set("Content-Type", "text/plain")
-	switch r.URL.Query().Get("type") {
-	case "", "crt", "cert":
-		w.Write(p.certPEM)
-	case "key":
-		w.Write(p.keyPEM)
-	case "pair":
-		w.Write(p.keyPEM)
-		w.Write(p.certPEM)
-	default:
-		http.Error(w, `invalid type; want "cert" (default), "key", or "pair"`, 400)
-	}
-}
-
-type keyPair struct {
-	certPEM []byte
-	keyPEM  []byte
-	cached  bool
-}
-
-func keyFile(dir, domain string) string  { return filepath.Join(dir, domain+".key") }
-func certFile(dir, domain string) string { return filepath.Join(dir, domain+".crt") }
-
-// getCertPEMCached returns a non-nil keyPair and true if a cached
-// keypair for domain exists on disk in dir that is valid at the
-// provided now time.
-func (h *Handler) getCertPEMCached(dir, domain string, now time.Time) (p *keyPair, ok bool) {
-	if keyPEM, err := os.ReadFile(keyFile(dir, domain)); err == nil {
-		certPEM, _ := os.ReadFile(certFile(dir, domain))
-		if validCertPEM(domain, keyPEM, certPEM, now) {
-			return &keyPair{certPEM: certPEM, keyPEM: keyPEM, cached: true}, true
-		}
-	}
-	return nil, false
-}
-
-func (h *Handler) getCertPEM(ctx context.Context, logf logger.Logf, traceACME func(interface{}), dir, domain string, now time.Time) (*keyPair, error) {
-	acmeMu.Lock()
-	defer acmeMu.Unlock()
-
-	if p, ok := h.getCertPEMCached(dir, domain, now); ok {
-		return p, nil
-	}
-
-	key, err := acmeKey(dir)
-	if err != nil {
-		return nil, fmt.Errorf("acmeKey: %w", err)
-	}
-	ac := &acme.Client{Key: key}
-
-	a, err := ac.GetReg(ctx, "" /* pre-RFC param */)
-	switch {
-	case err == nil:
-		// Great, already registered.
-		logf("already had ACME account.")
-	case err == acme.ErrNoAccount:
-		a, err = ac.Register(ctx, new(acme.Account), acme.AcceptTOS)
-		if err == acme.ErrAccountAlreadyExists {
-			// Potential race. Double check.
-			a, err = ac.GetReg(ctx, "" /* pre-RFC param */)
-		}
-		if err != nil {
-			return nil, fmt.Errorf("acme.Register: %w", err)
-		}
-		logf("registered ACME account.")
-		traceACME(a)
-	default:
-		return nil, fmt.Errorf("acme.GetReg: %w", err)
-
-	}
-	if a.Status != acme.StatusValid {
-		return nil, fmt.Errorf("unexpected ACME account status %q", a.Status)
-	}
-
-	// Before hitting LetsEncrypt, see if this is a domain that Tailscale will do DNS challenges for.
-	st := h.b.StatusWithoutPeers()
-	if err := checkCertDomain(st, domain); err != nil {
-		return nil, err
-	}
-
-	order, err := ac.AuthorizeOrder(ctx, []acme.AuthzID{{Type: "dns", Value: domain}})
-	if err != nil {
-		return nil, err
-	}
-	traceACME(order)
-
-	for _, aurl := range order.AuthzURLs {
-		az, err := ac.GetAuthorization(ctx, aurl)
-		if err != nil {
-			return nil, err
-		}
-		traceACME(az)
-		for _, ch := range az.Challenges {
-			if ch.Type == "dns-01" {
-				rec, err := ac.DNS01ChallengeRecord(ch.Token)
-				if err != nil {
-					return nil, err
-				}
-				key := "_acme-challenge." + domain
-
-				var resolver net.Resolver
-				var ok bool
-				txts, _ := resolver.LookupTXT(ctx, key)
-				for _, txt := range txts {
-					if txt == rec {
-						ok = true
-						logf("TXT record already existed")
-						break
-					}
-				}
-				if !ok {
-					err = h.b.SetDNS(ctx, key, rec)
-					if err != nil {
-						return nil, fmt.Errorf("SetDNS %q => %q: %w", key, rec, err)
-					}
-					logf("did SetDNS")
-				}
-
-				chal, err := ac.Accept(ctx, ch)
-				if err != nil {
-					return nil, fmt.Errorf("Accept: %v", err)
-				}
-				traceACME(chal)
-				break
-			}
-		}
-	}
-
-	wait0 := time.Now()
-	orderURI := order.URI
-	for {
-		order, err = ac.WaitOrder(ctx, orderURI)
-		if err == nil {
-			break
-		}
-		if oe, ok := err.(*acme.OrderError); ok && oe.Status == acme.StatusInvalid {
-			if time.Since(wait0) > 2*time.Minute {
-				return nil, errors.New("timeout waiting for order to not be invalid")
-			}
-			log.Printf("order invalid; waiting...")
-			select {
-			case <-time.After(5 * time.Second):
-				continue
-			case <-ctx.Done():
-				return nil, ctx.Err()
-			}
-		}
-		return nil, fmt.Errorf("WaitOrder: %v", err)
-	}
-	traceACME(order)
-
-	certPrivKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	var privPEM bytes.Buffer
-	if err := encodeECDSAKey(&privPEM, certPrivKey); err != nil {
-		return nil, err
-	}
-	if err := ioutil.WriteFile(keyFile(dir, domain), privPEM.Bytes(), 0600); err != nil {
-		return nil, err
-	}
-
-	csr, err := certRequest(certPrivKey, domain, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	der, _, err := ac.CreateOrderCert(ctx, order.FinalizeURL, csr, true)
-	if err != nil {
-		return nil, fmt.Errorf("CreateOrder: %v", err)
-	}
-
-	var certPEM bytes.Buffer
-	for _, b := range der {
-		pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
-		if err := pem.Encode(&certPEM, pb); err != nil {
-			return nil, err
-		}
-	}
-	if err := ioutil.WriteFile(certFile(dir, domain), certPEM.Bytes(), 0644); err != nil {
-		return nil, err
-	}
-
-	return &keyPair{certPEM: certPEM.Bytes(), keyPEM: privPEM.Bytes()}, nil
-}
-
-// certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
-	req := &x509.CertificateRequest{
-		Subject:         pkix.Name{CommonName: cn},
-		DNSNames:        san,
-		ExtraExtensions: ext,
-	}
-	return x509.CreateCertificateRequest(rand.Reader, req, key)
-}
-
-func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
-	b, err := x509.MarshalECPrivateKey(key)
-	if err != nil {
-		return err
-	}
-	pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
-	return pem.Encode(w, pb)
-}
-
-// parsePrivateKey is a copy of x/crypto/acme's parsePrivateKey.
-//
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-//
-// Inspired by parsePrivateKey in crypto/tls/tls.go.
-func parsePrivateKey(der []byte) (crypto.Signer, error) {
-	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
-		return key, nil
-	}
-	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
-		switch key := key.(type) {
-		case *rsa.PrivateKey:
-			return key, nil
-		case *ecdsa.PrivateKey:
-			return key, nil
-		default:
-			return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
-		}
-	}
-	if key, err := x509.ParseECPrivateKey(der); err == nil {
-		return key, nil
-	}
-
-	return nil, errors.New("acme/autocert: failed to parse private key")
-}
-
-func acmeKey(dir string) (crypto.Signer, error) {
-	pemName := filepath.Join(dir, "acme-account.key.pem")
-	if v, err := ioutil.ReadFile(pemName); err == nil {
-		priv, _ := pem.Decode(v)
-		if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
-			return nil, errors.New("acme/autocert: invalid account key found in cache")
-		}
-		return parsePrivateKey(priv.Bytes)
-	}
-
-	privKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-	var pemBuf bytes.Buffer
-	if err := encodeECDSAKey(&pemBuf, privKey); err != nil {
-		return nil, err
-	}
-	if err := ioutil.WriteFile(pemName, pemBuf.Bytes(), 0600); err != nil {
-		return nil, err
-	}
-	return privKey, nil
-}
-
-func validCertPEM(domain string, keyPEM, certPEM []byte, now time.Time) bool {
-	if len(keyPEM) == 0 || len(certPEM) == 0 {
-		return false
-	}
-	tlsCert, err := tls.X509KeyPair(certPEM, keyPEM)
-	if err != nil {
-		return false
-	}
-	var leaf *x509.Certificate
-	intermediates := x509.NewCertPool()
-	for i, certDER := range tlsCert.Certificate {
-		cert, err := x509.ParseCertificate(certDER)
-		if err != nil {
-			return false
-		}
-		if i == 0 {
-			leaf = cert
-		} else {
-			intermediates.AddCert(cert)
-		}
-	}
-	if leaf == nil {
-		return false
-	}
-	_, err = leaf.Verify(x509.VerifyOptions{
-		DNSName:       domain,
-		CurrentTime:   now,
-		Intermediates: intermediates,
-	})
-	return err == nil
-}
-
-func checkCertDomain(st *ipnstate.Status, domain string) error {
-	if domain == "" {
-		return errors.New("missing domain name")
-	}
-	for _, d := range st.CertDomains {
-		if d == domain {
-			return nil
-		}
-	}
-	// Transitional way while server doesn't yet populate CertDomains: also permit the client
-	// attempting Self.DNSName.
-	okay := st.CertDomains[:len(st.CertDomains):len(st.CertDomains)]
-	if st.Self != nil {
-		if v := strings.Trim(st.Self.DNSName, "."); v != "" {
-			if v == domain {
-				return nil
-			}
-			okay = append(okay, v)
-		}
-	}
-	switch len(okay) {
-	case 0:
-		return errors.New("your Tailscale account does not support getting TLS certs")
-	case 1:
-		return fmt.Errorf("invalid domain %q; only %q is permitted", domain, okay[0])
-	default:
-		return fmt.Errorf("invalid domain %q; must be one of %q", domain, okay)
-	}
-}
--- a/ipn/localapi/disabled_stubs.go
+++ b/ipn/localapi/disabled_stubs.go
@@ -1,17 +0,0 @@
-// Copyright (c) 2021 Tailscale Inc & AUTHORS All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build ios || android
-// +build ios android
-
-package localapi
-
-import (
-	"net/http"
-	"runtime"
-)
-
-func (h *Handler) serveCert(w http.ResponseWriter, r *http.Request) {
-	http.Error(w, "disabled on "+runtime.GOOS, http.StatusNotFound)
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .15.0
 .13.0